Cluster Shield Release Notes

Here are the most recent release notes for Cluster Shield. Review the entries to learn about the latest features, defect fixes, and known issues.

1.11.0 May 07, 2025

Enhancements

The audit feature now detects when certificates have been updated and reloads them automatically, so there is no need to restart the application.
Added support for reporting the kube_job_spec_active_deadline_seconds metric for Kubernetes Job objects.
Added the following configuration to enable the collection of Kubernetes State Metrics (KSM), which were previously collected by default when you enabled the kubernetes_metadata feature.
```
features:
  monitor:
    kube_state_metrics:
      enabled: true
```
Added the following configuration to enable the collection of Kubernetes events for Sysdig Monitor, previously enabled by default with the kubernetes_metadata feature. For more details, see Process Kubernetes Events.
```
features:
  monitor:
    kubernetes_events:
      enabled: true
```

The kube_state_metrics and kubernetes_events features now replace the functionality previously provided by the kubernetes_metadata feature in Sysdig Monitor, which is a breaking change. If you were using kubernetes_metadata to collect Kubernetes state metrics (KSM) and events, you must now explicitly enable the new features to continue collecting this data. For example,

features:
  monitor:
    kube_state_metrics:
      enabled: true
    kubernetes_events:
      enabled: true

Fixed Vulnerabilities

Defect Fixes

Fixed an issue in Container Vulnerability Management that could cause the component to be terminated by the operating system when interacting with Amazon ECR on EKS clusters.

1.10.0 April 03, 2025

Enhancements

Detections of Vulnerabilities on Operating Systems

We have added detections for the following Operating system level vulnerabilities

PhotonOS
CBL Mariner
Azure Linux
Suse Enterprise Linux 12 and 15
Suse Micro Linux

For additional information please refer to our Vulnerability Feeds documentation.

New Metrics for Cluster Shield

Metric Name	Description
`num_of_workloads_detected`	Number of all detected workloads obtained by interacting with the K8s API, including filtered, running and stopped workloads.
`num_of_workloads_filtered`	Number of filtered workloads, i.e., that will not be scanned.
`num_of_workloads_running`	Number of currently running workloads.
`num_of_workloads_stopped`	Number of currently stopped workloads.
`num_of_workloads_with_a_SBOM_extracted`	Number of workloads for which a SBOM has been extracted at least once.
`num_of_workloads_with_a_SBOM_fresh`	Number of workloads for which a SBOM has been extracted recently and is still valid.
`num_of_workloads_without_SBOM`	Number of workloads for which a SBOM has never been extracted.
`num_of_workloads_in_SBOM_extraction_queue`	Number of workloads in queue for SBOM extraction.
`num_of_workloads_with_SBOM_extraction_error`	Number of workloads for which the last SBOM extraction attempt failed. These workloads may include entries for which the SBOM has been extracted in the past.
`num_of_workloads_sent_to_collector`	Number of workloads successfully sent to collector in the last cycle (including running, stopped and short-lived workloads).
`is_last_send_to_collector_successful`	Boolean value indicating whether the last send to collector was successful.
`agent_kube_metadata_state_objects_count`	Tracks the number of Kubernetes resources sent in each message, categorized by resource type.
`agent_kube_metadata_connected`	Indicates the current connection state with the Sysdig backend (0 = Disconnected, 1 = Connected).
`agent_kube_metadata_connection_attempts_total`	Tracks the total number of connection attempts to the Sysdig backend.

Fixed Vulnerabilities

Defect Fixes

In certain registry implementations, the registry returns a 400 status code rather than standard HTTP error codes for Authentication Failures when attempting to authenticate. Cluster Shield will now retry authentication with alternative credentials provided as dockerconfigjson K8s Secrets or acquired via the integrated support for Credential Helpers for AWS, GCP, and Azure.

1.9.1 Mar 21, 2025

Fixed Vulnerabilities

CVE-2025-22870

Defect Fixes

Fixed an issue causing cluster-shield components to restart upon failure without applying the expected exponential backoff delay.
Fixed a timing issue in Cluster Shield that caused the SBOM extractor to trigger excessive SBOM extractions that the Runtime component could not process.

1.9.0 Mar 11, 2025

Feature Enhancements

Added a gauge metric sysdig_cluster_shield_component_health_status to represent the health status of each enabled component. This is now available through the /metrics endpoint on port 8080
A metric value of 1 indicates a healthy component, while 0 signifies an unhealthy one.
Cluster Shield now attempts to restart unhealthy components after 100 seconds.

1.8.2 Feb 28, 2025

Fixed Vulnerabilities

1.8.1 Feb 25, 2025

Defect Fixes

Fixed an issue that prevented the Container Vulnerability Management feature to authenticate to the registry and process the images as expected.
Fixed an issue where Cluster Shield reported invalid prometheus metrics.

1.8.0 Feb 4, 2025

Feature Enhancements

Optimized memory usage of the container-vulnerability-management-controller component.
Added support for multiple candidate pull-strings per workload to resolve scanning failures caused by alias references from non-pullable locations.
Added the ability to filter the images for scanning as part of the container vulnerability management feature. See Container Filtering for more details.

Defect Fixes

Resolved an issue in which Kubernetes metadata inaccurately reported parent service links when a pod was exposed by multiple services. The pod is now correctly associated with all relevant services.
Fixed an issue where the Admission Controller did not honor the features.container_vulnerability_management.registry_ssl.verify configuration parameter.
Fixed a bug that caused unexpected lags when pulling images. The issue occurred because features.container_vulnerability_management.registry_ssl.verify was set to true, enforcing SSL certificate verification.

1.7.1 Jan 10, 2025

Fixed Vulnerabilities

CVE-2024-45338

1.7.0 Jan 07, 2025

Feature Enhancements

The Container Vulnerability Management feature now supports mirrors and insecure registries configurations for image scanning.

Defect Fixes

Fixed an issue that prevented the Container Vulnerability Management feature to correctly authenticate and process the image when candidate pull secrets have been found.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.