UNCLASSIFIED - NO CUI

Skip to content
Snippets Groups Projects
Select Git revision
  • main default protected
  • fix-charts
  • test-main
  • kaymonty-crd-test
  • dax/update-tests
  • update-metadata-annotations
  • branch-3.4.0-bb.13 protected
  • 3.18.2-bb.5 protected
  • 3.18.2-bb.4 protected
  • 3.18.2-bb.3 protected
  • 3.18.2-bb.2 protected
  • 3.18.2-bb.1 protected
  • 3.18.2-bb.0 protected
  • 3.18.1-bb.0 protected
  • 3.17.1-bb.2 protected
  • 3.17.1-bb.1 protected
  • 3.17.1-bb.0 protected
  • 3.17.0-bb.0 protected
  • 3.16.3-bb.1 protected
  • 3.16.3-bb.0 protected
  • 3.16.2-bb.1 protected
  • 3.16.2-bb.0 protected
  • 3.16.0-bb.1 protected
  • 3.16.0-bb.0 protected
  • 3.15.0-bb.7 protected
  • 3.15.0-bb.6 protected
  • 3.15.0-bb.5 protected
27 results
Blame Permalink
6
To find the state of this project's repository at the time of any of these versions, check out the tags.
CHANGELOG.md 17.13 KiB

Changelog

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[3.18.2-bb.0] 2025-01-13

Changed

  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.18.1 -> 3.18.2
  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.18.1 -> 3.18.2
  • updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl from v1.29.8 -> v1.29.12

[3.18.1-bb.0] 2024-12-17

Changed

  • Synced upstream chart changes to address missing labels
  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.17.1 -> 3.18.1
  • Updated gluon from 0.5.4 to 0.5.12

[3.17.1-bb.2] 2024-10-21

Changed

  • container.apparmor.security.beta.kubernetes.io annotations are now deprecated replaced by the securityContext.appArmorProfile field for pods and containers
  • Added the maintenance track annotation and badge

[3.17.1-bb.1] 2024-09-27

Changed

  • Fixed linting

[3.17.1-bb.0] 2024-09-27

Changed

  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.17.0 -> 3.17.1
  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.17.0 -> 3.17.1
  • Updated gluon from 0.5.3 to 0.5.4

[3.17.0-bb.0] 2024-08-22

Changed

  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.16.3 -> v3.17.0
  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.16.3 -> v3.17.0
  • updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl from v1.29.6 -> v1.29.8
  • Update gluon from 0.50 to 0.5.3

[3.16.3-bb.1] 2024-07-11

Changed

  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.29.5 -> v1.29.6

[3.16.3-bb.0] 2024-06-04

Changed

  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.16.2 -> v3.16.3
  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.16.2 -> v3.16.3

[3.16.2-bb.1] 2024-05-31

Changed

  • Revert disableAudit to false

[3.16.2-bb.0] 2024-05-24

Changed

  • Updated Chart appVersion to v3.16.2

[3.16.0-bb.1] 2024-05-24

Changed

  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.16.0 -> v3.16.2
  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.29.4 -> v1.29.5

[3.16.0-bb.0] 2024-05-14

Changed

  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.15.1 -> v3.16.0
  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.15.1 -> v3.16.0
  • Updated to latest gluon 0.4.9 -> 0.5.0
  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.29.3 -> v1.29.4

[3.15.0-bb.7] 2024-04-26

Added

  • Add support for additional custom network policies through the values yaml

[3.15.0-bb.6] 2024-04-17

Changed

  • Updated gluon 0.4.8 -> 0.4.9
  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.7 -> v1.29.3

[3.15.0-bb.5] 2024-04-16

Changed

  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.6 -> v1.28.7
  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.15.0 -> v3.15.1

[3.15.0-bb.4] 2024-04-10

Changed

  • Changed cypress test yaml files for k8s 1.29 compliance

[3.15.0-bb.3] 2024-04-01

Changed

  • Revert K8sPSPSELinuxV2.yaml and selinux-policy update.

[3.15.0-bb.2] 2024-04-01

Changed

  • Updated Development Maintenance doc

[3.15.0-bb.1] 2024-03-25

Changed

  • Updated K8sPSPSELinuxV2.yaml and selinux-policy violation.

[3.15.0-bb.0] 2024-02-07

Changed

  • Updated gluon 0.4.7 -> 0.4.8
  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.14.0 -> v3.15.0

[3.14.0-bb.8] 2024-01-31

Changed

  • Updated K8sPSPSeccomp constraint to check for spec.securityContext.seccompProfile.type instead of seccomp.security.alpha.kubernetes.io/pod & container.seccomp.security.alpha.kubernetes.io/[name] as they were removed in Kubernetes 1.25

[3.14.0-bb.7] 2024-01-29

Changed

  • Added keys to allowedSELinuxOptions to fix policy violation on empty seLinuxOptions in values.yaml
  • Removed duplicate image property in values.yaml

[3.14.0-bb.6] 2024-01-24

Changed

  • Added non-root securityContext to crd-cleanup containers

[3.14.0-bb.5] 2024-01-22

Changed

  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.5 -> v1.28.6

[3.14.0-bb.4] 2024-01-12

Changed

  • Updated gluon 0.4.6 -> 0.4.7
  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.4 -> v1.28.5

[3.14.0-bb.3] 2024-01-09

Changed

  • Updated gluon 0.4.4 -> 0.4.6
  • Updated Chart appVersion to v3.14.0

[3.14.0-bb.2] 2023-12-11

Changed

  • Updating OSCAL Component File.

[3.14.0-bb.1] 2023-11-28

Changed

  • updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.3 -> v1.28.4

[3.14.0-bb.0] 2023-11-08

Changed

  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.13.3 -> v3.14.0
  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.13.3 -> v3.14.0
  • Updated registry1.dso.mil/ironbank/big-bang/base 2.0.0 -> 2.1.0

[3.13.3-bb.3] 2023-11-02

Changed

  • Hardened gatekeeper-admin ServiceAccount with automountServiceAccountToken: false (overriden at Pod spec-level due to app requirements)
  • Hardened ServiceAccounts in various Jobs with automountServiceAccountToken: false (overriden at Pod spec-level due to app requirements)
  • Disabled bb tests by default

[3.13.3-bb.2] 2023-11-02

Changed

  • Update gluon resource

[3.13.3-bb.1] 2023-11-01

Changed

  • Updated gluon 0.4.3 -> 0.4.4

[3.13.3-bb.0] 2023-11-01

Changed

  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.13.2 -> v3.13.3
  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.13.2 -> v3.13.3
  • Updated gluon 0.4.1 -> 0.4.3
  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.2 -> v1.28.3

[3.13.2-bb.0] 2023-10-11

Changed

  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl 1.27.6 -> 1.28.2
  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.13.0 -> v3.13.2

[3.13.0-bb.2] 2023-10-11

Removed

  • OSCAL version update from 1.0.0 to 1.1.1

[3.13.0-bb.1] 2023-10-02

Removed

  • Removed duplicate strategy

[3.13.0-bb.0] 2023-09-19

Changed

  • Updated gluon 0.4.0 -> 0.4.1
  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.12.0 -> v3.13.0
  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl 1.27.3 -> 1.27.6
  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.12.0 -> v3.13.0

[3.12.0-bb.4] 2023-06-20

Changed

  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.4 -> v1.27.3
  • Updated to latest gluon 0.3.2 -> 0.4.0

[3.12.0-bb.0] 2023-04-18

Changed

  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.11.0 -> v3.12.0.
  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.3 -> v1.26.4
  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.11.0 -> v3.12.0

[3.11.0-bb.3] 2023-04-07

Changed

  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.2 -> v1.26.3

[3.11.0-bb.2] 2023-03-09

Changed

  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.1 -> v1.26.2
  • Updated to latest gluon 0.3.2

[3.11.0-bb.1] 2023-02-23

Changed

  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.25.6 -> v1.26.1

[3.11.1-bb.0]

Changed

  • Updated ironbank/opensource/openpolicyagent/gatekeeper v3.10.0 -> v3.11.0.
  • Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.25.4 -> v1.25.6
  • Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.10.0 -> v3.11.0

[3.10.0-bb.2]

Changed

  • Updated to work on OpenShift out of the box

[3.10.0-bb.1]

Changed

  • Updated to latest kubectl v1.25.4

[3.10.0-bb.0]

Changed

  • Updated to latest kubectl v1.25.3
  • Updated to latest gatekeeper v3.10.0
  • Updated chart to v3.10.0

[3.9.0-bb.3]

Changed

  • Updated to latest kubectl v1.25.2
  • Updated to latest gluon 0.3.1

[3.9.0-bb.2]

Changed

  • Updated to latest kubectl v1.24.4
  • Updated to latest gluon 0.3.0

[3.9.0-bb.1]

Changed

  • Remove old Ingress API's

[3.9.0-bb.0]

Changed

  • Updated application and corresponding helm chart to v3.9.0

[3.8.1-bb.5] - 2022-07-25

Changed

  • Removed ProcMount from Helm test to avoid conflicts with PodSecurityPolicy in some K8S distributions

[3.8.1-bb.4] - 2022-07-22

Changed

  • Fixed PodDisruptionBudget to default to the v1 API when neither v1 or v1beta1 are found. This should prevent it from being flagged as deprecated.

[3.8.1-bb.3]

Changed

  • Add Openshift SCCs

[3.8.1-bb.2]

Changed

  • Re-disabled PSP due to issues fixed in RKE2

[3.8.1-bb.1]

Changed

  • Updated to latest gluon 0.2.10

[3.8.1-bb.0]

Changed

  • Updated to latest IB image 3.8.1
  • Updated to latest gluon 0.2.9

[3.8.0-bb.1]

Changed

  • Added OSCAL component file

[3.8.0-bb.0]

Changed

  • Updated application and corresponding helm chart to v3.8.0

[3.7.1-bb.0]

Changed

  • Updated application and corresponding helm chart to v3.7.1

[3.7.0-bb.9]

Changed

  • Updated kubectl images to 1.22.2
  • Updated renovate to monitor all images including kubectl test and crd images

[3.7.0-bb.8]

Changed

  • Updated kubectl image

[3.7.0-bb.7]

Changed

  • Reenabled PSP due to issues on RKE2

[3.7.0-bb.6]

Changed

  • Disabled PSP due to deprecation warning

[3.7.0-bb.5]

Fixed

  • Update Chart.yaml to follow new standardization for release automation
  • Added renovate check to update new standardization

[3.7.0-bb.4]

Fixed

[3.7.0-bb.3]

Changed

  • Relocated bbtest values

[3.7.0-bb.2]

Changed

  • Refactoring helm tests

[3.7.0-bb.1]

Fixed

  • Fixed missing kpt updates from 3.7.0 upgrade

[3.7.0-bb.0]

Changed

  • Updated application and corresponding helm chart to v3.7.0
  • Updated kubectl image

[3.6.0-bb.2]

Changed

  • Enable OPA to log denies by default

[3.6.0-bb.1]

Changed

  • Set validatingWebhookTimeoutSeconds to 15 seconds.

[3.6.0-bb.0]

Changed

  • Updated application and corresponding helm chart to v3.6.0

[3.5.2-bb.2]

Added

  • ConstraintTemplate CRD v1 version. Storage set to false.

[3.5.2-bb.1]

Changed

  • Updated upgrade job to remove orphan or disabled constraints.

[3.5.2-bb.0]

Changed

  • Updated application and corresponding helm chart to v3.5.2

[3.5.1-bb.16]

Changed

  • Changed resource limits and requirements for manager pods

[3.5.1-bb.15]

Changed

  • Changed names of several Constraint Templates to workaround upgrade problem when changing CRD schema

[3.5.1-bb.14]

Changed

  • Fixed problems with K8sPSPHostNetworkingPorts template
  • Added fine grained control of excluded resources using namespace and resource name
  • Added chart label to controller to force reroll on chart upgrades
  • Renamed constraint template K8sRequiredPod to K8sQualityOfService and removed deprecated violations

Removed

  • Deprecated constraint templates removed
    • K8sRequiredLabels (use K8sRequiredLabelValues instead)
    • K8sIstioInjection (use K8sRequiredLabelValues instead )
    • K8sPSPFSGroup (use K8sPSPAllowedUsers instead)

[3.5.1-bb.13]

Changed

  • Updated Post-upgrade job to use imagePullSecrets

[3.5.1-bb.12]

Changed

  • Removed Big Bang overrides from default values. Look in Big Bang repo under chart/templates/gatekeeper/values.yaml for overrides.

[3.5.1-bb.11]

Added

  • Post-upgrade job to remove disabled constraints

Changed

  • Moved constraint kind and name to values.yaml

[3.5.1-bb.10]

Changed

  • Removed rule for unique-service-selector

[3.5.1-bb.9]

Changed

  • Changed the resource requests and limits to be equal

[3.5.1-bb.8]

Changed

  • Excluded kube-system from all constraints through config
  • Reverted values to no longer include kube-system as excluded

[3.5.1-bb.7]

Changed

  • Set batch mode default to process 500 entries to reduce memory footprint
  • Turned on match kind only to reduce memory footprint
  • Increased audit interval to every 5 minutes

[3.5.1-bb.6]

Changed

  • Updated constraint no-host-namespace enforcement to default deny
  • Removed monitoring namespace exception for constraint host-networking

[3.5.1-bb.5]

Changed

  • Remove duplicate keys in Chart.yaml

[3.5.1-bb.4]

Changed

  • Updated constraint https-only enforcement to default deny

[3.5.1-bb.3]

Changed

  • Updated constraint volume-types enforcement to default deny

[3.5.1-bb.2]

Changed

  • Updated constraint allowed-docker-registries enforcement to default deny
  • Excluded kube-system namespace for constraint allowed-docker-registries

[3.5.1-bb.1]

Changed

  • Updated constraint restrictedTaint enforcement to default deny, added exception for monitoring namespace for to allow prometheus-node-exporter pods

[3.5.1-bb.0]

Changed

  • Updated application and corresponding helm chart to v3.5.1

[3.4.0-bb.19]

Changed

  • Disabled app-armor-profiles constraint by default

[3.4.0-bb.18]

Changed

  • Align Cluster Auditor default constraint values to Kubernetes Pod Security Standard

[3.4.0-bb.17]

Changed

  • Updated constraint selinux-policy enforcement to default deny
  • added exception for logging namespace to selinux policy

[3.4.0-bb.16]

Changed

  • Updated constraint unique-ingress-hosts enforcement to default deny

[3.4.0-bb.15]

Changed

  • Updated constraint host-networking enforcement to default deny
  • added exemption for monitoring namespace, this will prevent the K8sPSPHostNetworkingPorts from reporting a violation on monitoring namespace.

[3.4.0-bb.14]

Changed

  • Updated constraint no-privileged-containers enforcement to default deny
  • added exception for logging namespace to no-privileged-containers constraint

[3.4.0-bb.13]

Changed

  • Updated constraint banned-image-tags enforcement to default deny
  • added violation to constraintTemplate k8sbannedimagetags to not allow containers with no specified tag

[3.4.0-bb.12]

Changed

  • Changed nosysctls policy to deny

[3.4.0-bb.11]

Changed

  • Reverted constraint pods-have-istio enforcement to default dryrun
  • Fixed podsHaveIstio disallowed regex sidecar.istio.io/inject to false and exclude istio-system namespace

[3.4.0-bb.10]

Changed

  • Remove flexVolume and hostPath as default allowable for allowedFlexVolume constraint

[3.4.0-bb.9]

Changed

  • Updated constraint pods-have-istio enforcement to default deny

[3.4.0-bb.8]

Modified

  • Modified the default enforcement action of allowed-flex-volumes to deny

[3.4.0-bb.7]

Added

  • Added network policies to lock down egress/ingress

Changed

  • Move tests from bb-test-lib to gluon

[3.4.0-bb.6]

Modified

  • Modified the default enforcement action of allowProcMount to deny.

[3.4.0-bb.5]

Changed

  • Changed allowed-ips constraint to deny

[3.4.0-bb.4]

Changed

  • Changed names of all constraints so that during upgrade, cluster-auditor will not delete them.

[3.4.0-bb.3]

Changed

  • Updated CI values to only include 'default' namespace for deny actions

[3.4.0-bb.2]

Added

  • K8sDenySADefault constraint template.
  • K8sDenySADefault constraint
  • Added ServiceAccount for good pod testing

Changed

  • Removed K8sDenyServiceAccountTokentAutoMount constraint template
  • Updated test script to account for added SA.

[3.4.0-bb.1]

Added

  • Constraints were moved from cluster-auditor to OPA gatekeeper package

Changed

  • Constraint template library split into individual files
  • Constraints renamed to match values.yaml
  • Constraint Templates renamed to match kind

[3.4.0-bb.0]

Added

  • Common labels on Big Bang created components

Changed

  • Updated helm chart to upstream v3.4.0, which included the following notable items:
    • Removal of Helm v2 support. See upgrade instructions
    • Experimental use of Mutation
    • Use of helm specified namespace vs. hardcoded gatekeeper-system
  • Update docs/ConstraintTemplates list with latest templates

[3.3.0-bb.5]

Changed

  • Remove constraint templates K8sRequiredDeploymentLabels & K8sRequiredIronBankImages.
  • The constraint templates are replaced with K8sRequiredLabelValues & K8sAllowedRepos

[3.3.0-bb.4]

Fixed

  • Typo in K8sDenyServiceNodePort message
  • Typo in K8sNoAnnotationValues message
  • Missing "service" in gatekeeper config

[3.3.0-bb.3]

Changed

  • More Constraint Templates

UNCLASSIFIED - NO CUI