mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
cmp3405 adding SPO 090 bugs to release notes
This commit is contained in:
Daniel Chadwick
committed by
openshift-cherrypick-robot
openshift-cherrypick-robot
parent
53edc41a84
commit
3d755a1aa0
@@ -6,18 +6,33 @@ include::_attributes/common-attributes.adoc[]
|
||||
|
||||
toc::[]
|
||||
|
||||
The Security Profiles Operator provides a way to define secure computing (https://kubernetes.io/docs/tutorials/security/seccomp/[seccomp]) and SELinux profiles as custom resources, synchronizing profiles to every node in a given namespace.
|
||||
The Security Profiles Operator provides a way to define secure computing (http://kubernetes.io/docs/tutorials/security/seccomp/[seccomp]) and SELinux profiles as custom resources, synchronizing profiles to every node in a given namespace.
|
||||
|
||||
These release notes track the development of the Security Profiles Operator in {product-title}.
|
||||
|
||||
For an overview of the Security Profiles Operator, see xref:../../security/security_profiles_operator/spo-overview.adoc#spo-overview[Security Profiles Operator Overview].
|
||||
|
||||
[id="spo-release-notes-0-9-0"]
|
||||
== Security Profiles Operator 0.9.0
|
||||
|
||||
The following advisory is available for the Security Profiles Operator 0.9.0:
|
||||
link:http://access.redhat.com/errata/RHBA-2025:15655[RHBA-2025:15655 - OpenShift Security Profiles Operator update]
|
||||
|
||||
This update manages security profiles as cluster-wide resources rather than namespace resources. To update Security Profiles Operator to a version later than 0.8.6 requires manual migration. For migration instructions, see link:http://access.redhat.com/articles/7130594[Security Profiles Operator 0.9.0 Update Migration Guide].
|
||||
|
||||
[id="spo-0-9-0-bug-fixes"]
|
||||
=== Bug fixes
|
||||
|
||||
* Before this update, the spod pods could fail to start and enter into a `CrashLoopBackOff` state due to an error in parsing the semanage configuration file. This issue is caused by a change to the RHEL 9 image naming convention beginning in {product-title} 4.19. (link:http://issues.redhat.com/browse/OCPBUGS-55829[*OCPBUGS-55829*])
|
||||
|
||||
* Before this update, the Security Profiles Operator would fail to apply a `RawSelinuxProfile` to newly added nodes due to a reconciler type mismatch error. With this update, the operator now correctly handles `RawSelinuxProfile` objects and policies are applied to all nodes as expected. (link:http://issues.redhat.com/browse/OCPBUGS-33718[*OCPBUGS-33718*])
|
||||
|
||||
[id="spo-release-notes-0-8-6"]
|
||||
== Security Profiles Operator 0.8.6
|
||||
|
||||
The following advisory is available for the Security Profiles Operator 0.8.6:
|
||||
|
||||
* link:https://access.redhat.com/errata/RHBA-2024:10380[RHBA-2024:10380 - OpenShift Security Profiles Operator update]
|
||||
* link:http://access.redhat.com/errata/RHBA-2024:10380[RHBA-2024:10380 - OpenShift Security Profiles Operator update]
|
||||
|
||||
This update includes upgraded dependencies in underlying base images.
|
||||
|
||||
@@ -26,12 +41,12 @@ This update includes upgraded dependencies in underlying base images.
|
||||
|
||||
The following advisory is available for the Security Profiles Operator 0.8.5:
|
||||
|
||||
* link:https://access.redhat.com/errata/RHBA-2024:5016[RHBA-2024:5016 - OpenShift Security Profiles Operator bug fix update]
|
||||
* link:http://access.redhat.com/errata/RHBA-2024:5016[RHBA-2024:5016 - OpenShift Security Profiles Operator bug fix update]
|
||||
|
||||
[id="spo-0-8-5-bug-fixes"]
|
||||
=== Bug fixes
|
||||
|
||||
* When attempting to install the Security Profile Operator from the web console, the option to enable Operator-recommended cluster monitoring was unavailable for the namespace. With this update, you can now enabled Operator-recommend cluster monitoring in the namespace. (link:https://issues.redhat.com/browse/OCPBUGS-37794[*OCPBUGS-37794*])
|
||||
* When attempting to install the Security Profile Operator from the web console, the option to enable Operator-recommended cluster monitoring was unavailable for the namespace. With this update, you can now enabled Operator-recommend cluster monitoring in the namespace. (link:http://issues.redhat.com/browse/OCPBUGS-37794[*OCPBUGS-37794*])
|
||||
|
||||
* Previously, the Security Profiles Operator would intermittently be not visible in the OperatorHub, which caused limited access to install the Operator via the web console. With this update, the Security Profiles Operator is present in the OperatorHub.
|
||||
|
||||
@@ -40,7 +55,7 @@ The following advisory is available for the Security Profiles Operator 0.8.5:
|
||||
|
||||
The following advisory is available for the Security Profiles Operator 0.8.4:
|
||||
|
||||
* link:https://access.redhat.com/errata/RHBA-2024:4781[RHBA-2024:4781 - OpenShift Security Profiles Operator bug fix update]
|
||||
* link:http://access.redhat.com/errata/RHBA-2024:4781[RHBA-2024:4781 - OpenShift Security Profiles Operator bug fix update]
|
||||
|
||||
This update addresses CVEs in underlying dependencies.
|
||||
|
||||
@@ -54,16 +69,16 @@ This update addresses CVEs in underlying dependencies.
|
||||
|
||||
The following advisory is available for the Security Profiles Operator 0.8.2:
|
||||
|
||||
* link:https://access.redhat.com/errata/RHBA-2023:5958[RHBA-2023:5958 - OpenShift Security Profiles Operator bug fix update]
|
||||
* link:http://access.redhat.com/errata/RHBA-2023:5958[RHBA-2023:5958 - OpenShift Security Profiles Operator bug fix update]
|
||||
|
||||
[id="spo-0-8-2-bug-fixes"]
|
||||
=== Bug fixes
|
||||
|
||||
* Previously, `SELinuxProfile` objects did not inherit custom attributes from the same namespace. With this update, the issue has now been resolved and `SELinuxProfile` object attributes are inherited from the same namespace as expected. (link:https://issues.redhat.com/browse/OCPBUGS-17164[*OCPBUGS-17164*])
|
||||
* Previously, `SELinuxProfile` objects did not inherit custom attributes from the same namespace. With this update, the issue has now been resolved and `SELinuxProfile` object attributes are inherited from the same namespace as expected. (link:http://issues.redhat.com/browse/OCPBUGS-17164[*OCPBUGS-17164*])
|
||||
|
||||
* Previously, RawSELinuxProfiles would hang during the creation process and would not reach an `Installed` state. With this update, the issue has been resolved and RawSELinuxProfiles are created successfully. (link:https://issues.redhat.com/browse/OCPBUGS-19744[*OCPBUGS-19744*])
|
||||
* Previously, RawSELinuxProfiles would hang during the creation process and would not reach an `Installed` state. With this update, the issue has been resolved and RawSELinuxProfiles are created successfully. (link:http://issues.redhat.com/browse/OCPBUGS-19744[*OCPBUGS-19744*])
|
||||
|
||||
* Previously, patching the `enableLogEnricher` to `true` would cause the `seccompProfile` `log-enricher-trace` pods to be stuck in a `Pending` state. With this update, `log-enricher-trace` pods reach an `Installed` state as expected. (link:https://issues.redhat.com/browse/OCPBUGS-22182[*OCPBUGS-22182*])
|
||||
* Previously, patching the `enableLogEnricher` to `true` would cause the `seccompProfile` `log-enricher-trace` pods to be stuck in a `Pending` state. With this update, `log-enricher-trace` pods reach an `Installed` state as expected. (link:http://issues.redhat.com/browse/OCPBUGS-22182[*OCPBUGS-22182*])
|
||||
|
||||
* Previously, the Security Profiles Operator generated high cardinality metrics, causing Prometheus pods using high amounts of memory. With this update, the following metrics will no longer apply in the Security Profiles Operator namespace:
|
||||
+
|
||||
@@ -71,26 +86,26 @@ The following advisory is available for the Security Profiles Operator 0.8.2:
|
||||
** `rest_client_request_size_bytes`
|
||||
** `rest_client_response_size_bytes`
|
||||
+
|
||||
(link:https://issues.redhat.com/browse/OCPBUGS-22406[*OCPBUGS-22406*])
|
||||
(link:http://issues.redhat.com/browse/OCPBUGS-22406[*OCPBUGS-22406*])
|
||||
|
||||
[id="spo-release-notes-0-8-0"]
|
||||
== Security Profiles Operator 0.8.0
|
||||
|
||||
The following advisory is available for the Security Profiles Operator 0.8.0:
|
||||
|
||||
* link:https://access.redhat.com/errata/RHBA-2023:4689[RHBA-2023:4689 - OpenShift Security Profiles Operator bug fix update]
|
||||
* link:http://access.redhat.com/errata/RHBA-2023:4689[RHBA-2023:4689 - OpenShift Security Profiles Operator bug fix update]
|
||||
|
||||
[id="spo-0-8-0-bug-fixes"]
|
||||
=== Bug fixes
|
||||
|
||||
* Previously, while trying to install Security Profiles Operator in a disconnected cluster, the secure hashes provided were incorrect due to a SHA relabeling issue. With this update, the SHAs provided work consistently with disconnected environments. (link:https://issues.redhat.com/browse/OCPBUGS-14404[*OCPBUGS-14404*])
|
||||
* Previously, while trying to install Security Profiles Operator in a disconnected cluster, the secure hashes provided were incorrect due to a SHA relabeling issue. With this update, the SHAs provided work consistently with disconnected environments. (link:http://issues.redhat.com/browse/OCPBUGS-14404[*OCPBUGS-14404*])
|
||||
|
||||
[id="spo-release-notes-0-7-1"]
|
||||
== Security Profiles Operator 0.7.1
|
||||
|
||||
The following advisory is available for the Security Profiles Operator 0.7.1:
|
||||
|
||||
* link:https://access.redhat.com/errata/RHSA-2023:2029[RHSA-2023:2029 - OpenShift Security Profiles Operator bug fix update]
|
||||
* link:http://access.redhat.com/errata/RHSA-2023:2029[RHSA-2023:2029 - OpenShift Security Profiles Operator bug fix update]
|
||||
|
||||
[id="spo-0-7-1-new-features-and-enhancements"]
|
||||
=== New features and enhancements
|
||||
@@ -121,20 +136,20 @@ SPO memory optimization is not enabled by default.
|
||||
[id="spo-0-7-1-bug-fixes"]
|
||||
=== Bug fixes
|
||||
|
||||
* Previously, a Security Profiles Operator (SPO) SELinux policy did not inherit low-level policy definitions from the container template. If you selected another template, such as net_container, the policy would not work because it required low-level policy definitions that only existed in the container template. This issue occurred when the SPO SELinux policy attempted to translate SELinux policies from the SPO custom format to the Common Intermediate Language (CIL) format. With this update, the container template appends to any SELinux policies that require translation from SPO to CIL. Additionally, the SPO SELinux policy can inherit low-level policy definitions from any supported policy template. (link:https://issues.redhat.com/browse/OCPBUGS-12879[*OCPBUGS-12879*])
|
||||
* Previously, a Security Profiles Operator (SPO) SELinux policy did not inherit low-level policy definitions from the container template. If you selected another template, such as net_container, the policy would not work because it required low-level policy definitions that only existed in the container template. This issue occurred when the SPO SELinux policy attempted to translate SELinux policies from the SPO custom format to the Common Intermediate Language (CIL) format. With this update, the container template appends to any SELinux policies that require translation from SPO to CIL. Additionally, the SPO SELinux policy can inherit low-level policy definitions from any supported policy template. (link:http://issues.redhat.com/browse/OCPBUGS-12879[*OCPBUGS-12879*])
|
||||
|
||||
|
||||
[id="spo-0-7-1-known-issue"]
|
||||
=== Known issue
|
||||
|
||||
* When uninstalling the Security Profiles Operator, the `MutatingWebhookConfiguration` object is not deleted and must be manually removed. As a workaround, delete the `MutatingWebhookConfiguration` object after uninstalling the Security Profiles Operator. These steps are defined in xref:../../security/security_profiles_operator/spo-uninstalling.adoc#spo-uninstalling[Uninstalling the Security Profiles Operator]. (link:https://issues.redhat.com/browse/OCPBUGS-4687[*OCPBUGS-4687*])
|
||||
* When uninstalling the Security Profiles Operator, the `MutatingWebhookConfiguration` object is not deleted and must be manually removed. As a workaround, delete the `MutatingWebhookConfiguration` object after uninstalling the Security Profiles Operator. These steps are defined in xref:../../security/security_profiles_operator/spo-uninstalling.adoc#spo-uninstalling[Uninstalling the Security Profiles Operator]. (link:http://issues.redhat.com/browse/OCPBUGS-4687[*OCPBUGS-4687*])
|
||||
|
||||
[id="spo-release-notes-0-5-2"]
|
||||
== Security Profiles Operator 0.5.2
|
||||
|
||||
The following advisory is available for the Security Profiles Operator 0.5.2:
|
||||
|
||||
* link:https://access.redhat.com/errata/RHBA-2023:0788[RHBA-2023:0788 - OpenShift Security Profiles Operator bug fix update]
|
||||
* link:http://access.redhat.com/errata/RHBA-2023:0788[RHBA-2023:0788 - OpenShift Security Profiles Operator bug fix update]
|
||||
|
||||
This update addresses a CVE in an underlying dependency.
|
||||
|
||||
@@ -142,17 +157,17 @@ This update addresses a CVE in an underlying dependency.
|
||||
[id="spo-0-5-2-known-issue"]
|
||||
=== Known issue
|
||||
|
||||
* When uninstalling the Security Profiles Operator, the `MutatingWebhookConfiguration` object is not deleted and must be manually removed. As a workaround, delete the `MutatingWebhookConfiguration` object after uninstalling the Security Profiles Operator. These steps are defined in xref:../../security/security_profiles_operator/spo-uninstalling.adoc#spo-uninstalling[Uninstalling the Security Profiles Operator]. (link:https://issues.redhat.com/browse/OCPBUGS-4687[*OCPBUGS-4687*])
|
||||
* When uninstalling the Security Profiles Operator, the `MutatingWebhookConfiguration` object is not deleted and must be manually removed. As a workaround, delete the `MutatingWebhookConfiguration` object after uninstalling the Security Profiles Operator. These steps are defined in xref:../../security/security_profiles_operator/spo-uninstalling.adoc#spo-uninstalling[Uninstalling the Security Profiles Operator]. (link:http://issues.redhat.com/browse/OCPBUGS-4687[*OCPBUGS-4687*])
|
||||
|
||||
[id="spo-release-notes-0-5-0"]
|
||||
== Security Profiles Operator 0.5.0
|
||||
|
||||
The following advisory is available for the Security Profiles Operator 0.5.0:
|
||||
|
||||
* link:https://access.redhat.com/errata/RHBA-2022:8762[RHBA-2022:8762 - OpenShift Security Profiles Operator bug fix update]
|
||||
* link:http://access.redhat.com/errata/RHBA-2022:8762[RHBA-2022:8762 - OpenShift Security Profiles Operator bug fix update]
|
||||
|
||||
|
||||
[id="spo-0-5-0-known-issue"]
|
||||
=== Known issue
|
||||
|
||||
* When uninstalling the Security Profiles Operator, the `MutatingWebhookConfiguration` object is not deleted and must be manually removed. As a workaround, delete the `MutatingWebhookConfiguration` object after uninstalling the Security Profiles Operator. These steps are defined in xref:../../security/security_profiles_operator/spo-uninstalling.adoc#spo-uninstalling[Uninstalling the Security Profiles Operator]. (link:https://issues.redhat.com/browse/OCPBUGS-4687[*OCPBUGS-4687*])
|
||||
* When uninstalling the Security Profiles Operator, the `MutatingWebhookConfiguration` object is not deleted and must be manually removed. As a workaround, delete the `MutatingWebhookConfiguration` object after uninstalling the Security Profiles Operator. These steps are defined in xref:../../security/security_profiles_operator/spo-uninstalling.adoc#spo-uninstalling[Uninstalling the Security Profiles Operator]. (link:http://issues.redhat.com/browse/OCPBUGS-4687[*OCPBUGS-4687*])
|
||||
|
||||
Reference in New Issue
Block a user