Releases: microsoft/kata-containers

3.2.0.azl0.genpolicy0

21 Mar 20:45

Release notes

  • Added support for the following fields: envFrom, shareProcessNamespace, runAsUser, seccompProfile, priorityClassName, and podDisruptionBudget
  • Fixed error where policy generation panics if cache file doesn't exist
  • Block symlinks with directory traversal in CopyFileRequest

What's Changed

  • genpolicy: Add support for envFrom by @Redent0r in #128
  • genpolicy: pick up improvements from upstream by @danmihai1 in #149
  • genpolicy: add shareProcessNamespace support by @danmihai1 in #150
  • genpolicy: don't panic without cache file by @danmihai1 in #151
  • genpolicy: add support for runAsUser by @danmihai1 in #153
  • genpolicy: Add support for seccompProfile field by @Redent0r in #152
  • genpolicy: add priorityClassName as a field in PodSpec interface by @arc9693 in #145
  • genpolicy: add support for PodDisruptionBudget spec by @arc9693 in #156
  • genpolicy: block all relative paths for copyFile requests by @Redent0r in #166

Limitations and Important Notes

  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses
  • Doesn't support identity token based authentication for private registries

Full Changelog: genpolicy-0.6.2-5...genpolicy-0.6.2-6

3.2.0.azl0

15 Feb 16:44
  • Aligning with the latest vanilla Kata release, both packages now use the same sources based on upstream v3.2.0 plus some Microsoft changes for AKS
  • osbuilder: use Azure Linux PMC UVM build meta-package

There is no new release of genpolicy with this version; please keep using genpolicy 0.6.2-5.

genpolicy-0.6.2-5

08 Jan 22:00
7da3655

Release notes

  • Policy generation improvements

What's Changed

Full Changelog: genpolicy-0.6.2-4...genpolicy-0.6.2-5

Limitations and Important Notes

  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses
  • subPath field in the volume mount is not supported
  • Pod Disruption Budget is not supported
  • Priority Classes are not supported
  • User managed identity based ACR authentication is not supported

cc-0.6.3

08 Jan 19:51
3083bf9
  • merge upstream 3.2 code base
  • utarfs: implement the enumeration of xattrs
  • enforce restrictive policy
  • alignment of memory allocation between vanilla Kata and Kata-CC

genpolicy-0.6.2-4

21 Dec 22:54
684477e

Release notes

  • Add support for images with application/vnd.oci.image.index.v1+json manifest media type, such as latest versions of docker.io/library/busybox and docker.io/library/ubuntu

What's Changed

  • genpolicy: Update oci_distribution to 0.10.0 by @Redent0r in #129
  • lib: Add type definition for Windows support by @Redent0r in #134

Full Changelog: https://github.com/microsoft/kata-containers/commits/genpolicy-0.6.2-4

Limitations and Important Notes

  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses
  • subPath field in the volume mount is not supported
  • Pod Disruption Budget is not supported
  • Priority Classes are not supported

genpolicy-0.6.2-3

19 Dec 19:52
da40e41

Release notes

  • Add support for running genpolicy concurrently
  • Update default configuration to deny UpdateEphemeralMountsRequest by default

What's Changed

Full Changelog: genpolicy-0.6.2-2...genpolicy-0.6.2-3

Limitations and Important Notes

  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses
  • subPath field in the volume mount is not supported
  • Pod Disruption Budget is not supported
  • Priority Classes are not supported

genpolicy-0.6.2-2

08 Dec 18:18
b5c4f51

Release Notes

  • Update default genPolicy settings to allow the host to read guest stdout/stderr
  • Add support for Kubernetes topologySpreadConstraints feature in pod YAML files
  • Update default genPolicy settings to support empty AZURE_TENANT_ID and AZURE_CLIENT_ID environment variables
  • Fixed ttrpc compilation issue on Windows

What's Changed

  • policy: allow the Host to read Guest stdout/stderr by @danmihai1 in #109
  • tools: pick up genpolicy improvements by @danmihai1 in #114
  • policy: add topologySpreadConstraints support by @danmihai1 in #115
  • policy: re add agent type definitions by @Redent0r in #118
  • policy: allow AZURE_TENANT_ID and AZURE_CLIENT_ID to be empty by @Redent0r in #120

Full Changelog: genpolicy-0.6.2-1...genpolicy-0.6.2-2

Limitations and Important Notes

  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses
  • subPath field in the volume mount is not supported
  • Pod Disruption Budget is not supported
  • Priority Classes are not supported

genpolicy-0.6.2-1

09 Nov 22:46
3a97c2b
Merge pull request #105 from microsoft/saulparedes/add_update_samples…

Updates to tardev-snapshotter and genpolicy

19 Oct 16:15
2795dae

It allows the snapshotter to populate its store not just when an image is
pulled but also when containerd tries to unpack images that exist in its
own store but for which there are no snapshots in the tardev
snapshotter.

This addresses issues running the same image with different
snapshotters.

Signed-off-by: Wedson Almeida Filho [email protected]

Genpolicy Updates and Bug Fixes

10 Oct 21:43
Pre-release
tardev: use containerd's local store to fetch images

So tardev-snapshotter is not a "remote" snapshotter anymore (so we can't
do lazy-pulling) but this allows containerd to be the one downloading
images, which means the snapshotter doesn't have to get credentials
before it can use authenticated registries.

Signed-off-by: Wedson Almeida Filho <[email protected]>