Cluster Shield Release Notes
1.11.0 May 07, 2025
Enhancements
The audit feature now detects when certificates have been updated and reloads them automatically, so there is no need to restart the application.
Added support for reporting the
kube_job_spec_active_deadline_seconds
metric for Kubernetes Job objects.Added the following configuration to enable the collection of Kubernetes State Metrics (KSM), which were previously collected by default when you enabled the
kubernetes_metadata
feature.features: monitor: kube_state_metrics: enabled: true
Added the following configuration to enable the collection of Kubernetes events for Sysdig Monitor, previously enabled by default with the
kubernetes_metadata
feature. For more details, see Process Kubernetes Events.features: monitor: kubernetes_events: enabled: true
The kube_state_metrics
and kubernetes_events
features now replace the functionality previously provided by the kubernetes_metadata
feature in Sysdig Monitor, which is a breaking change.
If you were using kubernetes_metadata
to collect Kubernetes state metrics (KSM) and events, you must now explicitly enable the new features to continue collecting this data.
For example,
features:
monitor:
kube_state_metrics:
enabled: true
kubernetes_events:
enabled: true
Fixed Vulnerabilities
Defect Fixes
Fixed an issue in Container Vulnerability Management
that could cause the component to be terminated by the operating system when interacting with Amazon ECR on EKS clusters.
1.10.0 April 03, 2025
Enhancements
Detections of Vulnerabilities on Operating Systems
We have added detections for the following Operating system level vulnerabilities
- PhotonOS
- CBL Mariner
- Azure Linux
- Suse Enterprise Linux 12 and 15
- Suse Micro Linux
For additional information please refer to our Vulnerability Feeds documentation.
New Metrics for Cluster Shield
Metric Name | Description |
---|---|
num_of_workloads_detected | Number of all detected workloads obtained by interacting with the K8s API, including filtered, running and stopped workloads. |
num_of_workloads_filtered | Number of filtered workloads, i.e., that will not be scanned. |
num_of_workloads_running | Number of currently running workloads. |
num_of_workloads_stopped | Number of currently stopped workloads. |
num_of_workloads_with_a_SBOM_extracted | Number of workloads for which a SBOM has been extracted at least once. |
num_of_workloads_with_a_SBOM_fresh | Number of workloads for which a SBOM has been extracted recently and is still valid. |
num_of_workloads_without_SBOM | Number of workloads for which a SBOM has never been extracted. |
num_of_workloads_in_SBOM_extraction_queue | Number of workloads in queue for SBOM extraction. |
num_of_workloads_with_SBOM_extraction_error | Number of workloads for which the last SBOM extraction attempt failed. These workloads may include entries for which the SBOM has been extracted in the past. |
num_of_workloads_sent_to_collector | Number of workloads successfully sent to collector in the last cycle (including running, stopped and short-lived workloads). |
is_last_send_to_collector_successful | Boolean value indicating whether the last send to collector was successful. |
agent_kube_metadata_state_objects_count | Tracks the number of Kubernetes resources sent in each message, categorized by resource type. |
agent_kube_metadata_connected | Indicates the current connection state with the Sysdig backend (0 = Disconnected, 1 = Connected). |
agent_kube_metadata_connection_attempts_total | Tracks the total number of connection attempts to the Sysdig backend. |
Fixed Vulnerabilities
Defect Fixes
In certain registry implementations, the registry returns a 400 status code rather than standard HTTP error codes for Authentication Failures when attempting to authenticate. Cluster Shield will now retry authentication with alternative credentials provided as dockerconfigjson
K8s Secrets or acquired via the integrated support for Credential Helpers for AWS, GCP, and Azure.
1.9.1 Mar 21, 2025
Fixed Vulnerabilities
Defect Fixes
- Fixed an issue causing cluster-shield components to restart upon failure without applying the expected exponential backoff delay.
- Fixed a timing issue in Cluster Shield that caused the SBOM extractor to trigger excessive SBOM extractions that the Runtime component could not process.
1.9.0 Mar 11, 2025
Feature Enhancements
Added a gauge metric
sysdig_cluster_shield_component_health_status
to represent the health status of each enabled component. This is now available through the/metrics
endpoint on port8080
A metric value of
1
indicates a healthy component, while0
signifies an unhealthy one.Cluster Shield now attempts to restart unhealthy components after 100 seconds.
1.8.2 Feb 28, 2025
Fixed Vulnerabilities
1.8.1 Feb 25, 2025
Defect Fixes
- Fixed an issue that prevented the Container Vulnerability Management feature to authenticate to the registry and process the images as expected.
- Fixed an issue where Cluster Shield reported invalid prometheus metrics.
1.8.0 Feb 4, 2025
Feature Enhancements
- Optimized memory usage of the
container-vulnerability-management-controller
component. - Added support for multiple candidate pull-strings per workload to resolve scanning failures caused by alias references from non-pullable locations.
- Added the ability to filter the images for scanning as part of the container vulnerability management feature. See Container Filtering for more details.
Defect Fixes
- Resolved an issue in which Kubernetes metadata inaccurately reported parent service links when a pod was exposed by multiple services. The pod is now correctly associated with all relevant services.
- Fixed an issue where the Admission Controller did not honor the
features.container_vulnerability_management.registry_ssl.verify
configuration parameter. - Fixed a bug that caused unexpected lags when pulling images. The issue occurred because
features.container_vulnerability_management.registry_ssl.verify
was set to true, enforcing SSL certificate verification.
1.7.1 Jan 10, 2025
Fixed Vulnerabilities
1.7.0 Jan 07, 2025
Feature Enhancements
- The Container Vulnerability Management feature now supports mirrors and insecure registries configurations for image scanning.
Defect Fixes
- Fixed an issue that prevented the Container Vulnerability Management feature to correctly authenticate and process the image when candidate pull secrets have been found.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.