Skip to content

Release Notes

Compliant Kubernetes

Note

For a more detailed look check out the full changelog.

v0.30.0

Released 2023-05-16

Added

  • Kubernetes Jobs will now have a default TTL of 7 days if unset to ensure resources are cleaned up.

Updated

  • kube-prometheus-stack chart to v45.2.0.
  • the portName for alertmanager and prometheus have been renamed from web to http-web. If this port names are used by you application or to port-forward to prometheus/alertmanager, you will need to update them to http-web or use the port numbers instead (e.g 9090 for prometheus and 9093 for alertmanager);
  • added default metric relabeling for cAdvisor and apiserver metrics to reduce cardinality;
  • alertmanager, using regex field from the Matcher type is deprecated and it will be removed in a future version.

Changed

  • Kubernetes PodSecurityPolcies have been replaced with Kubernetes Pod Security Standards and additional Gatekeeper Constraints and Mutations.
  • This should not affect user applications as the default behavior is kept, and the new default restricted Pod Security Standard is slightly less restricted than the previous restricted PodSecurityPolicy following the upstream changes;
  • You might see warnings generated by PodSecurity while deploying manifests into your Kubernetes cluster, if fields are unset or do not follow the Restricted policy for the Pod Security Standards. If fields are unset, the new Gatekeeper mutations will set defaults, that follow the restricted Pod Security Standards, as the Pods get scheduled.
  • Trivy Operator has replaced Starboard Operator as the online security scanning tool.
  • This includes a new Trivy Operator dashboard and the deprecation of the old Image vulnerabilities dashboard.
  • Both responseObject and requestObject are no longer dropped in Fluentd from Kubernetes audit events.
  • Changed timekey to stageTimestamp for Kubernetes audit logs. Use auditID to correlate stages of the same request

Removed

  • Remove HNC admin-rbac from admin (attached to user admins)
  • User admins will now only have the HNC user-rbac instead.
  • Removed the ability to edit HierarchyConfiguration for users
  • HierarchyConfiguration controls the Pod Security Standard level, and as such should not be allowed to be changed by a user.
  • Disable Non sudo setuid falco rule

v0.29.0

Released 2023-03-16

Added

  • Static users can now be added in OpenSearch.

Changed

  • The Fluentd deployment has changed considerably and users must ensure that their custom filters continue to work as expected.

Updated

  • Cert-manager updated to v1.11.0
  • The containers in pods created by cert-manager have been renamed to better reflect what they do. This can be breaking for automation that relies on these names being static.
  • The cert-manager Gateway API integration now uses the v1beta1 API version. ExperimentalGatewayAPISupport alpha feature users must upgrade to v1beta of Gateway API.

v0.28.1

Released 2023-03-02

Added

  • Added falco rules to ignore redis operator related alerts.

v0.28.0

Released 2023-01-30

Changed

  • Updated Rook alerts to v1.10.5.
  • Nginx ingress controller service can now have multiple annotations instead of just one.
  • Synced all grafana dashboards to use the default organization timezone.
  • Several default resource requests and limits have changed for the included services.

Fixed

  • Use FQDN for services connecting from the workload cluster to the service cluster to prevent resolve timeouts.
  • Fixed KubeletDown alert rule not alerting if a kubelet was missing.
  • Added permissions to the alerting_full_access role in Opensearch to be able to view notification channels.
  • Added fluent-plugin-record-modifier to the fluentd image to prevent mapping errors.
  • Various fixes to network policies.

Added

  • Improved security posture by adding network policies for some of the networking and storage components.
  • Added alert for less kubelets than nodes in the cluster.
  • Added alert for object limits in buckets.

v0.27.0

Released 2022-11-17

Updated

  • Updated Dex helm chart to v0.12.0, which also upgrades Dex to v2.35.1.
  • Updated Falco helm chart to 2.2.0, which also upgrades Falco to 0.33.0 and Falco Sidekick to 2.26.0.
  • Updated Falco Exporter helm chart to 0.9.0, which also upgrades Falco Exporter to 0.8.0.
  • Updated Velero helm chart to v2.31.8, which also upgrades Velero to v1.9.2.
  • Updated Grafana helm chart to v6.43.4, which also upgrades Grafana to v9.2.4.

Changed

  • Improved Network security by adding Network policies to a lot of the included services.
  • NetworkPolicies are now automatically propagated from a parent namespace to its subnamespaces in HNC.
  • Several default resource requests and limits have changed for the included services.
  • Lowered the default retention age for Kubernetes logs in the prod flavor down to 30 days.
  • Made dex ID Token expiration time configurable.
  • User alertmanager is now enabled by default.

Fixed

  • Fixed an issue with the "Kubernetes cluster status" Grafana dashboard not loading data for some panels
  • Rclone can now be configured to run every x minutes/hours/days/week/month/year.

Added

  • Added RBAC for admin users to view Gatekeeper constraints.
  • New section in the welcoming dashboards, displaying the most relevant features and changes for the user added in the last two releases.
  • Added an option to configure alerts for growing indices in OpenSearch.
  • The settings for this might need to be tweaked to better suit the environment.
  • Added an alert for failed evicted pods (KubeFailedEvictedPods).

v0.26.0

Released 2022-09-19

Updated

  • Harbor upgraded to v2.6.0
  • Upgraded Opensearch helm chart to 2.6.0, this upgrades Opensearch to 2.3.0. For more information about the upgrade, check out their 2.3 Launch Announcement.

Fixed

  • Fixed the welcome dashboard template for OpenSearch Dashboards

Added

  • Option to create custom solvers for letsencrypt issuers, including a simple way to add secrets
  • Kube-bench runs on every node Automated CIS tests are performed on each node using kube-bench Added a CIS kube-bench Grafana dashboard
  • Added option for kured to notify to slack when draning and rebooting nodes
  • Allow users to proxy and port-forward to prometheus running in the workload cluster

v0.25.0

Released 2022-08-25

Added

  • Added Hierarchical Namespace Controller
    Allowing users to create and manage subnamespaces, namespaces within namespaces. You can read more about this in our FAQ.
  • Added support for custom solvers in cluster issuers
    Allowing DNS01 challenges for certificate requests.
  • Added support for running Harbor in High Availability

Updated

  • Updated cert-manager from v1.6.1 to v1.8.2
    API versions v1alpha2, v1alpha3, and v1beta1 have been removed from the custom resource definitions (CRDs), certificate rotation policy will now be validated. See their changelog for more details.

  • Updated OpenSearch with new usability improvements and features
    Checkout their launch announcement.

Changed

  • New additions to the Kubernetes cluster status Grafana dashboard
    It now shows information about resource requests and limits per node, and resource usage vs request per pod.

v0.24.1

Released 2022-08-01

  • Required patch to be able to use release v0.24.0

Fixed

  • Fixed a formatting issue with harbor s3 configuration.

v0.24.0

Released 2022-07-25

Updated

  • Upgraded Helm stack
    Upgrades for Helm, Helmfile and Helm-secrets.

  • Image upgrade to node-local-dns

Changed

  • Improved stability to automatic node reboots

Added

  • Further configurability to ingress-nginx

v0.23.0

Released 2022-07-06

Updated

  • Updated the ingress controller ingress-nginx to image version v1.2.1
  • You can find the changelog here.

Changed

  • Added support for accessing Alertmanager via port-forward

Added

  • Backups can now be encrypted before they are replicated to an off-site S3 service.
  • Improved metrics and alerting for OpenSearch.

Fixed

  • The deployment of Dex is now properly configured to be HA, ensuring that the Dex instances are placed on different Kubernetes worker nodes.

v0.22.0

Released 2022-06-01

Added

  • Added support for Elastx and UpCloud!

  • New 'Welcoming' dashboard in OpenSearch and Grafana.
    Users can now access public docs and different urls to the services provided by Compliant Kubernetes.

  • Improved availability of metrics and alerting.
    Alertmanager now runs with two replicas by default, Prometheus can now be run in HA mode.

  • Added Falco rules to reduce alerts for services in Compliant Kubernetes.
    Falco now alerts less on operations that are expected out of these services.

Fixed

  • Fixed a bug where users couldn't silence alerts when portforwarding to alertmanager.

  • Improved logging stack and fixed a number of issues to ensure reliability.

v0.21.0

Released 2022-05-04

Changed

  • Users can now view ClusterIssuers.

  • User admins can now add users to the ClusterRole user-view.
    This is done by adding users to the ClusterRoleBinding extra-user-view.

  • User can now get ClusterIssuers.

  • Ensured all CISO dashboards are available to users.
    All the grafana dashboards in our CISO docs are now available.

  • Better stability for dex
    Dex now runs with two replicas and has been updated.

Updated

  • Image upgrades to reduce number of vulnerabilities
    Upgrades for fluentd, grafana, and harbor chartmuseum.

v0.20.0

Released 2022-03-21

Added

  • Added kured - Kubernetes Reboot Daemon.
    This enables automatic node reboots and security patching of the underlying base Operating System image, container runtime and Kubernetes cluster components.

  • Added fluentd grafana dashboard and alerts.

  • Added RBAC for admin users.
    Admin users can now list pods cluster wide and run the kubectl top command.

  • Added containerd support for fluentd.

Changed

  • Added the new OPA policy.
    To disallow the latest image tag.

  • Persist Dex state in Kubernetes.
    This ensure the JWT token received from an OpenID provider is valid even after security patching of Kubernetes cluster components.

  • Add ingressClassName in ingresses where that configuration option is available.

  • Thanos is now enabled by default.

Updated

  • Upgraded nginx-ingress helm chart to v4.0.17
    This upgrades nginx-ingress to v1.1.1. When upgrading an ingressClass object called nginx will be installed, this class has been set as the default class in Kubernetes. Ingress-nginx has been configured to still handle existing ingress objects that do not specify any ingressClassName.

  • Upgraded starboard-operator helm chart to v0.9.1
    This is upgrading starboard-operator to v0.14.1

Removed

  • Removed influxDB and dependent helm charts.

v0.19.1

Released 2022-03-01

Fixed

  • Fixed critical stability issue related to Prometheus rules being evaluated without metrics.

v0.19.0

Released 2022-02-01

Added

  • Added Thanos as a new metrics backend.
    Provides a much more efficient and reliable platform for long-term metrics, with the capabilities to keep metrics for much longer time periods than previously possible.
    InfluxDB will still be supported in this release.

  • Added a new feature to enable off-site replication of backups.
    Synchronizes S3 buckets across regions or clouds to keep an off-site backup.

  • Added a new feature to create and log into separate indices per namespace.
    Currently considered to be an alpha feature.

Changed

  • Replacing Open Distro for Elasticsearch with OpenSearch.
    In this release, since the Open Distro project has reached end of life, Elasticsearch is replaced with OpenSearch and Kibana with OpenSearch Dashboards. OpenSearch is a fully open source fork of Elasticsearch with a compatible API and familiar User Experience.
    Note that recent versions of official Elasticsearch clients and tools will not work with OpenSearch as they employ a product check, compatible versions can be found here.

  • Enforcing OPA policies by default.
    Provides strict safeguards by default.

  • Allowing viewers to inspect and temporarily edit panels in Grafana.
    Gives more insight to the metrics and data shown.

  • Setting Fluentd to log the reason why when it can't push logs to OpenSearch.

Updated

  • Large number of application and service updates, keeping up to date with new security fixes and changes.

v0.18.2

Released 2021-12-16.

Changes:

v0.17.2

Released 2021-12-16.

Changes:

v0.18.1

Released 2021-12-08.

Changes:

v0.17.1

Released 2021-12-08.

Changes:

v0.18.0

Released 2021-11-04.

Changes:

  • Ingress-nginx-controller has been updated from v0.28.0 to v0.49.3, bringing various updates.
    • Additionally, the configuration option allow-snippet-annotations has been set to false to mitigate known security issue CVE-2021-25742
  • Fixes, minor version upgrades, improvements to resource requests and limits for applications, improvements to stability.

v0.17.0

Released 2021-06-29.

Changes:

  • The dashboard tool Grafana has been updated to a new major version of 8.x.x. This introduces new features and fixes, as well as some possibly breaking changes. See their release notes for more information.
  • The single-sign-on service Dex has been updated, bringing small changes and better consistency to the UI.
  • Fixes, improvements to resource limits, resource usage, and stability.

v0.16.0

Released 2021-05-27.

Changes:

  • The default retention values have been changed and streamlined for authlog* and other*. The former will be kept for a longer period of time while the latter for shorter, both have reduced sized according to their actual usage.
  • Updates, fixes, and features to improve the security of the platform.