Releases: microsoft/kata-containers
3.2.0.azl0.genpolicy0
Release notes
- Added support for the following fields: envFrom, shareProcessNamespace, runAsUser, seccompProfile, priorityClassName, and podDisruptionBudget
- Fixed error where policy generation panics if the cache file doesn't exist
- Block symlinks with directory traversal in CopyFileRequest
What's Changed
- genpolicy: Add support for envFrom by @Redent0r in #128
- genpolicy: pick up improvements from upstream by @danmihai1 in #149
- genpolicy: add shareProcessNamespace support by @danmihai1 in #150
- genpolicy: don't panic without cache file by @danmihai1 in #151
- genpolicy: add support for runAsUser by @danmihai1 in #153
- genpolicy: Add support for seccompProfile field by @Redent0r in #152
- genpolicy: add priorityClassName as a field in PodSpec interface by @arc9693 in #145
- genpolicy: add support for PodDisruptionBudget spec by @arc9693 in #156
- genpolicy: block all relative paths for copyFile requests by @Redent0r in #166
Limitations and Important Notes
- Doesn't support CronJob deployment
- Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
- Only supports pods that use IPv4 addresses
- Doesn't support identity token based authentication for private registries
Full Changelog: genpolicy-0.6.2-5...genpolicy-0.6.2-6
3.2.0.azl0
- Aligning with the latest vanilla Kata release, both packages now use the same sources based on upstream v3.2.0 plus some Microsoft changes for AKS
- osbuilder: use Azure Linux PMC UVM build meta-package
There is no new release of genpolicy with this version; please keep using genpolicy 0.6.2-5.
genpolicy-0.6.2-5
Release notes
- Policy generation improvements
What's Changed
- genpolicy: reject some of the CopyFile requests by @danmihai1 in #136
- genpolicy: block some symlink create requests by @danmihai1 in #137
- genpolicy: reject kernel_modules by @danmihai1 in #139
- genpolicy: validate create sandbox storages by @danmihai1 in #139
- genpolicy: reject create custom hook settings by @danmihai1 in #140
Full Changelog: genpolicy-0.6.2-4...genpolicy-0.6.2-5
Limitations and Important Notes
- Doesn't support CronJob deployment
- Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
- Only supports pods that use IPv4 addresses
- subPath field in the volume mount is not supported
- Pod Disruption Budget is not supported
- Priority Classes are not supported
- User managed identity based ACR authentication is not supported
cc-0.6.3
genpolicy-0.6.2-4
Release notes
- Add support for images with the application/vnd.oci.image.index.v1+json manifest media type, such as the latest versions of docker.io/library/busybox and docker.io/library/ubuntu
What's Changed
- genpolicy: Update oci_distribution to 0.10.0 by @Redent0r in #129
- lib: Add type definition for Windows support by @Redent0r in #134
Full Changelog: https://github.com/microsoft/kata-containers/commits/genpolicy-0.6.2-4
Limitations and Important Notes
- Doesn't support CronJob deployment
- Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
- Only supports pods that use IPv4 addresses
- subPath field in the volume mount is not supported
- Pod Disruption Budget is not supported
- Priority Classes are not supported
genpolicy-0.6.2-3
Release notes
- Add support for running genpolicy concurrently
- Update default configuration to deny UpdateEphemeralMountsRequest by default
What's Changed
- Update caching mechanism to allow for concurrent genpolicy runs by @SethHollandsworth in #113
- genpolicy: deny UpdateEphemeralMountsRequest by @danmihai1 in #126
Full Changelog: genpolicy-0.6.2-2...genpolicy-0.6.2-3
Limitations and Important Notes
- Doesn't support CronJob deployment
- Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
- Only supports pods that use IPv4 addresses
- subPath field in the volume mount is not supported
- Pod Disruption Budget is not supported
- Priority Classes are not supported
genpolicy-0.6.2-2
Release Notes
- Update default genPolicy settings to allow the host to read guest stdout/stderr
- Add support for the Kubernetes topologySpreadConstraints feature in pod YAML files
- Update default genPolicy settings to support empty AZURE_TENANT_ID and AZURE_CLIENT_ID environment variables
- Fixed ttrpc compilation issue on Windows
What's Changed
- policy: allow the Host to read Guest stdout/stderr by @danmihai1 in #109
- tools: pick up genpolicy improvements by @danmihai1 in #114
- policy: add topologySpreadConstraints support by @danmihai1 in #115
- policy: re add agent type definitions by @Redent0r in #118
- policy: allow AZURE_TENANT_ID and AZURE_CLIENT_ID to be empty by @Redent0r in #120
Full Changelog: genpolicy-0.6.2-1...genpolicy-0.6.2-2
Limitations and Important Notes
- Doesn't support CronJob deployment
- Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
- Only supports pods that use IPv4 addresses
- subPath field in the volume mount is not supported
- Pod Disruption Budget is not supported
- Priority Classes are not supported
genpolicy-0.6.2-1
Merge pull request #105 from microsoft/saulparedes/add_update_samples…
Updates to tardev-snapshotter and genpolicy
It allows the snapshotter to populate its store not just when an image is
pulled but also when containerd tries to unpack images that exist in its
own store but for which there are no snapshots in the tardev
snapshotter.
This addresses issues running the same image with different
snapshotters.
Signed-off-by: Wedson Almeida Filho [email protected]
Genpolicy Updates and Bug Fixes
tardev: use containerd's local store to fetch images
So tardev-snapshotter is not a "remote" snapshotter anymore (so we can't
do lazy-pulling) but this allows containerd to be the one downloading
images, which means the snapshotter doesn't have to get credentials
before it can use authenticated registries.
Signed-off-by: Wedson Almeida Filho <[email protected]>