Cluster Shield Release Notes
1.3.1 Sep 10, 2024
Defect Fixes
- Fixed a defect where the
container_vulnerability_managementparameter used incorrect credentials to pull an image from a registry. This occurred when the image pull string resolved by the container runtime differed from the one set in the Kubernetes workload manifest.
1.3.0 Sep 03, 2024
Breaking Changes
- Renamed internal component names to complete the transition to features. Now log groups and metric contain the feature names instead.
Feature Enhancements
The helm chart now supports to set an existing secret for TLS Certificates used by the application.
Added a new prometheus metric that expose the enablement status of each feature.
The
container_vulnerability_managementparameter now detects GO runtime vulnerabilities.The
kubernetes_metadataparameter now allows to setannotations_allowlist.The
annotations_allowlistparameter lets you specify a list of annotations to be included for each resource. This configuration is particularly useful for generating KSM annotation metrics.
Defect Fixes
- Fixed a defect that causes existing secret credentials to be injected as environment variables
- Fixed a defect that caused the
admission_controlparameter to use IPs instead of FQDN when a proxy is configured
1.2.0 Aug 05, 2024
Breaking Changes
- The helm chart value
image.repositoryhas been split into two different values:image.registryandimage.repository. These two values are then concatenated to create the image pull string. Ifglobal.imageRegistryis provided, it will overrideimage.registry. If you currently have the settingimage.repositoryshould update your values to this new structure.
Feature Enhancements
- Added support for
in1SaaS region. - Added support for
podsevents inadmission_controlparameter. - Allow to tune up the configuration for
container_vulnerability_managementparameter to properly manage the file size for processed files. - Improve manifests parsing on Java packages detection.
Fixed Vulnerabilities
Defect Fixes
- Fixed a defect that could cause truncated log lines.
- Fixed a defect that could cause the helm chart generated Configmap to not be properly formatted.
- Fixed a defect that could cause the helm chart to generate an uneeded empty
ValidatingWebhookConfiguration. - Fixed a defect that could cause the
admission_controland thepostureparameter to ignore thessl.verifyconfiguration. - Fixed a defect that could cause the
admission_controland thepostureparameter to not properly use a proxy connection. - Fixed a defect that could cause the
container_vulnerability_managementparameter to incorrectly handle responses from older versions of Sysdig On-premises Backend. - Fixed a defect that could cause the helm chart to not use CA Certificates when defined in the
globalsection. - Fixed a defect that could cause the helm chart installation to fail if the
kubernetes_metadataparameter is enabled and theglobal.sysdig.regionis defined. - Fixed a defect that could cause communication issues with the
auditand theadmission_controlparameter on clusters using custom CNI. - Fixed a defect that define namespace in
ValidatingWebhookConfigurationresource created by the helm chart
1.1.2 Jul 18, 2024
Defect Fixes
- Fixed a defect that could cause the
container_vulnerability_managementparameter to scan images using the x86_64 architecture in arm64 clusters.
1.1.1 July 09, 2024
Defect Fixes
- Fixed a defect that prevented the
container_vulnerability_managementparameter to properly manage the file size for processed files.
1.1.0 July 03, 2024
Feature Enhancements
Ability to run on GKE when the cluster is configured to run with the Autopilot functionality. To enable this feature, add the flag
--set global.gke.autopilot=trueto the configuration while installation.Added support for Windows worker nodes. Once installed with the kubernetes Metadata feature enabled, it pair with the Windows Agent to include kubernetes information in the events reported by the Sysdig backend.
1.0.1 June 17, 2024
Feature Enhancements
Added the ability to configure ports used by Admission Control and Audit
1.0.0 June 12, 2024
Fixed Vulnerabilities
0.11.0 June 5, 2024
Feature Enhancements
- Ability to configure external distributed cache
- Introduced Container Vulnerability Management feature through Admission Control
- Secure API token is no longer required to configure Cluster Shield for Sysdig SaaS
- Posture feature now collects information about secrets for Inventory
Fixed Vulnerabilities
Defect Fixes
- Fixed a defect that was preventing already existing credential secrets to be correctly loaded
- Fixed a defect causing some components to panics due to a missing message keys in their logs
- Set exit code correctly when the application ends with an error
- Fixed a memory leak when the Kubernetes Metadata feature was enabled
- Fixed a memory leak issue when the Container Vulnerability Management feature was enabled
- Fixed a defect that was blocking the application while starting Admission Control
- Fixed a defect preventing to display DEBUG-level logs
- Fixed a defect which could cause long-running workloads to disappear from the UI for Container Vulnerability Management
0.10.1 May 3, 2024
Fixed an issue preventing Cluster Shield to read access_key and secure_api_token from already existing secrets.
0.10.0 May 2, 2024
Feature Enhancements
- Improved communication with the Sysdig backend by reducing the network footprint for Container Vulnerability Management feature
- Improved pull secrets retrieval, reducing the memory footprint by filtering supported secret types and adding support for pagination for Container Vulnerability Management feature
- Decreased the time required to see preliminary container vulnerability results in the UI
- Ability to configure
sysdig_endpointusing region - Introduced liveness and readiness probes in the helm chart
Fixed Vulnerabilities
Defect Fixes
- Fixed a defect that could cause Container Vulnerability Management feature to ignore the image digest, running the risk of analyzing an incorrrect image
- Set correct exit code for sub-processes when running in multi-process mode
- Fixed TLS certificate generation that was causing issues on AKS clusters
0.9.0 April 15, 2024
Enhancements
- Supports sending the
k8s_metadatamessage. The agent retrieves the tags used for the Cost Advisor feature fromk8s_metadata.
0.8.0 April 4, 2024
Enhancements
- You can now use an already existing secret (managed from outside the cluster-shield helm chart) to deploy informations like Secure API Token and Access Key.
- Internal comunication use TLS by default.
- The
kubernetes_metadataparameter now support monitor events - The
kubernetes_metadataparameter now support short lived resources
0.7.0 March 19, 2024
Enhancements
- Added the Kubernetes Metadata feature lets you collect cluster metadata replacing the Delegated Agent functionality.
- The Cluster Shield can now be executed as single process.
- Added
onPremCompatibilityVersionin the helm chart that can be used to specify the on-prem version used.
Breaking changes
- Configuration for the
container_vulnerability_managementparameter:offline_analyzeris not longer avilable, if you set it please remove it from the configuration.platform_services_enabledis now enabled by defaultregistry_verify_certificateis now replaced byregistry_ssl
March 07, 2024
Sysdig Cluster Shield Released as Controlled Availability
Sysdig is delighted to announce the controlled availability of Sysdig Cluster Shield. This solution consolidates multiple agent deployments into a single containerized component, marking a significant advancement in simplifying the deployment, management, and configuration of the Sysdig suite of security and compliance tools at the cluster level. By streamlining operations for Kubernetes environments, Cluster Shield makes it easier than ever to maintain your security and compliance posture.
For more information, see Sysdig Cluster Shield.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.