Releases: edgelesssys/contrast
v1.14.0
What's Changed
🛠 Breaking changes
- tdx: fix --version output of RTMRs by @burgerdev in #1821
- kata: upgrade to 3.21, switch to initdata by @burgerdev in #1833
🐛 Bug fixes
- kata: support podSecurityContext.fsGroup by @burgerdev in #1850
- imagepuller: fix error propagation by @burgerdev in #1870
🔧 Other changes
- kata: upgrade to 3.19.1 by @burgerdev in #1752
- kata: reject pods without policy by @burgerdev in #1781
- kata-runtime: upgrade to 3.20.0 by @burgerdev in #1796
- cli/verifier: add VersionsMatch by @charludo in #1797
- nixos/nvidia-driver: 570.172.08 -> 580.95.05 by @katexochen in #1817
- internal: use CDI instead of guest-hook for GPU support by @charludo in #1835
📖 Documentation
- docs: remove references to incorrect vm size calculation by @davidweisse in #1773
- docs: some clarifications and minor refactors in vault howto by @charludo in #1777
- docs: refactor encrypted storage tutorial into how-to by @charludo in #1758
- docs: quote numerical annotation values to prevent parsing as int by @charludo in #1832
- docs: reference registry auth in sidebar by @burgerdev in #1836
- docs: dedup 'connect to coordinator' sections by @charludo in #1837
- docs: describe initdata flow by @burgerdev in #1863
- docs: remove all references to the coco project by @katexochen in #1868
- docs/runtime: update podvm image sec by @katexochen in #1867
Full Changelog: v1.13.0...v1.14.0
v1.13.0
What's Changed
⚠️ Security fixes
- Fixes GHSA-f5p4-p5q5-jv3h.
🛠 Breaking changes
- node-installer: target configuration via configMap; remove K3s and RKE2 platforms by @katexochen in #1692
- platforms: remove AKS-CLH-SNP by @katexochen in #1701
- kuberesource: change annotation position to pod template by @davidweisse in #1707
- cryptsetup: detached header verification, refactor by @katexochen in #1731
🎁 New features
- internal/cryptsetup: use integrity by @katexochen in #1734
- service-mesh: allow egress without ingress by @burgerdev in #1725
- secure image store: init by @charludo in #1685
🐛 Bug fixes
- initializer: don't log NewMeshCert response by @katexochen in #1735
- kata.kata-runtime: pass imagepuller error to kata by @charludo in #1745
- cli/verify: unzip policy files by @katexochen in #1755
🔧 Other changes
- overlays/cryptsetup: 2.8.0 -> 2.8.1 by @katexochen in #1712
- meshapi: add pod ip to mesh cert SANs by @davidweisse in #1708
- cli/verifier: add NoSharedFSMount verifier by @miampf in #1696
- cli/verifier: ensure that image references are pinned by @charludo in #1727
- cli/verifier: check servicemesh-egress annotation isn't empty by @miampf in #1717
📖 Documentation
- docs: update runtime graphic for bare metal by @katexochen in #1709
- docs: describe imagepuller by @charludo in #1718
- docs: remove manual cryptsetup via initializer by @katexochen in #1720
- docs: clarify significance of mesh annotations by @burgerdev in #1662
- docs: warn about usage of kubectl apply -n by @katexochen in #1751
Full Changelog: v1.12.0...v1.13.0
v1.12.2
What's Changed
⚠️ Security fixes
- Fixes GHSA-vxg3-w9rv-rhr2
Please read the advisory to check if your existing Contrast deployment is affected. If so, upgrade to v1.12.2 or apply the workarounds described in the advisory.
🐛 Bug fixes
- [release/v1.12] initializer: don't log NewMeshCert response by @edgelessci in #1736
Full Changelog: v1.12.1...v1.12.2
v1.12.1
What's Changed
⚠️ Security fixes
- [release/v1.12] overlays/cryptsetup: 2.8.0 -> 2.8.1 by @edgelessci in #1714
Fixes GHSA-f5p4-p5q5-jv3h.
Full Changelog: v1.12.0...v1.12.1
v1.12.0
What's Changed
🛠 Breaking changes
- manifest: remove TDX SVNs by @katexochen in #1661
🔧 Other changes
- gpu/nvidia-driver: 570.158.01 -> 570.172.08 by @katexochen in #1648
- logger: configure google/logger by @katexochen in #1653
- kata: gzip policy annotation by @burgerdev in #1651
- genpolicy: support AddARPNeighbors by @burgerdev in #1674
- snp: add support for attestation report v5 by @katexochen in #1688
📖 Documentation
- docs: add page for aTLS by @burgerdev in #1647
- docs: install tdx-module from intel GitHub release; how to retrieve reference values on TDX by @katexochen in #1656
- docs: fix broken platformInfo struct table by @katexochen in #1680
Full Changelog: v1.11.0...v1.12.0
v1.11.0
What's Changed
🐛 Bug fixes
- attestation/certcache: always fetch for TDX requests by @davidweisse in #1599
🔧 Other changes
- release: fix node-installer-kata-gpu image name by @katexochen in #1572
- microsoft.kata-runtime: 3.2.0.azl5 -> 3.15.0.aks0 by @katexochen in #1566
- kata.kata-runtime: 3.17 -> 3.18 by @katexochen in #1558
- initializer: wait less between cert requests by @katexochen in #1624
- docs: how to retrieve reference values on SNP by @katexochen in #1632
📖 Documentation
- docs: restructuring by @david-crypto in #1436
- docs/architecture: remove FAQ from attestation by @flxflx in #1536
- docs: remove v1.0, v1.1, v1.2 by @katexochen in #1577
- docs: revise features and limitations by @katexochen in #1578
- docs: warn about containerd config modifications by @katexochen in #1586
- docs: clarify expectations on Coordinator readiness by @burgerdev in #1581
- docs: expand peer recovery description and how-to by @burgerdev in #1587
- docs: move supported kinds to policy page by @burgerdev in #1588
- docs: add supported processor families by @katexochen in #1590
- docs: list supported GPU models by @katexochen in #1589
- docs: add network usage recommendations by @burgerdev in #1607
- docs: warn about leaks through policy by @burgerdev in #1616
- docs: volume support by @burgerdev in #1611
- docs: CPU limit usage by @miampf in #1610
- docs: update manifest history description by @burgerdev in #1621
- docs: integrate Vault docs into new structure by @burgerdev in #1605
Full Changelog: v1.10.0...v1.11.0
v1.10.0
What's Changed
⚠️ Security fixes
- Fixes GHSA-phhq-63jg-fp7r
Please read the advisory to check if your existing Contrast deployment is affected. If so, upgrade to v1.10.0 or apply the workarounds described in the advisory.
🎁 New features
🐛 Bug fixes
- cli: first invocation of generate should fail if resource does not have a coordinator by @charludo in #1507
- generate: allow ConfigMaps and Secrets in separate files by @3u13r in #1273
- fix: correct policy generation for ReplicationController by @miampf in #1516
- kata: add patch preventing corruption of genpolicy's layer cache file by @charludo in #1519
- coordinator: don't fail liveness probe if Kubernetes API server is unavailable by @burgerdev in #1542
- kata.genpolicy: fix EphemeralVolumeSource by @katexochen in #1544
🔧 Other changes
- nixos: unpin nvidia driver by @katexochen in #1545
- node-installer: disable config overrides via annotations by @katexochen in #1555
- nixos: enforce cgroupv2 by @katexochen in #1556
- coordinator: don't allow user recovery when ready peers are present by @burgerdev in #1563
- kata: don't add storage for implicit VOLUME mounts by @burgerdev in d42ebbd
📖 Documentation
- docs: add --no-ssh-key flag to AKS cluster create by @charludo in #1514
- docs: update links to canonical/tdx by @katexochen in #1534
- docs: Vault deployment by @jmxnzo in #1503
New Contributors
Full Changelog: v1.9.0...v1.10.0
v1.9.1
What's Changed
⚠️ Security fixes
- Fixes GHSA-phhq-63jg-fp7r
Please read the advisory to check if your existing Contrast deployment is affected. If so, upgrade to v1.9.1 or apply the workarounds described in the advisory.
🐛 Bug fixes
- [release/v1.9] kata: don't add storage for implicit VOLUME mounts by @burgerdev in #1574
Full Changelog: v1.9.0...v1.9.1
v1.9.0
What's Changed
🛠 Breaking changes
- coordinator: consider instances with stale or no manifests unready by @burgerdev in #1467
🎁 New features
- coordinator: distributed deployment with auto-recovery by @burgerdev in #1373
🐛 Bug fixes
- cli: correct manifest generation for CronJob by @miampf in #1452
- microsoft.genpolicy: fix sandbox-name policy for pod controllers by @burgerdev in #1477
- initializer: safer data handling for encrypted mount by @burgerdev in #1490
- kata.kata-runtime: genpolicy fix svc_name by @katexochen in #1491
🔧 Other changes
- attestation: add cached HTTPSGetter to TDX validator by @davidweisse in #1439
- relicense with BUSL-1.1; remove enterprise by @katexochen in #1472
- coordinator: remove state volume by @katexochen in #1486
- kata.kata-runtime: 3.16.0 -> 3.17.0 by @katexochen in #1479
- attestation/certcache: treat malformed cache entries as cache miss by @davidweisse in #1505
📖 Documentation
- docs: link to DCAP setup for TDX bare metal hosts by @katexochen in #1458
- docs: multiple CPUs are not supported on bare metal by @burgerdev in #1511
Full Changelog: v1.8.0...v1.9.0
v1.8.1
What's Changed
⚠️ Security fixes
- Fixes GHSA-h5f8-crrq-4pw8
Please read the advisory to check if your existing Contrast deployment is affected. If so, upgrade to v1.8.1 or apply the workarounds described in the advisory.
🐛 Bug fixes
- [release/v1.8] cli: correct manifest generation for CronJob by @edgelessci in #1454
- [release/v1.8] microsoft.genpolicy: fix sandbox-name policy for pod controllers by @edgelessci in #1478
- [release/v1.8] initializer: safer data handling for encrypted mount by @edgelessci in #1492
- [release/v1.8] kata.kata-runtime: genpolicy fix svc_name by @edgelessci in #1494
- [release/v1.8] initializer: don't log full response by @burgerdev in 5041d52
Full Changelog: v1.8.0...v1.8.1