Cluster Shield Release Notes
1.16.1 October 17, 2025
Supported shield chart version: 1.21.2
Defect Fixes
- Fixed an issue that could cause the Admission Control and Vulnerability Management features to ignore the `container_vulnerability_management.local_cluster.registry_secrets` configuration option.
1.16.0 September 29, 2025
Supported shield chart version: 1.20.0
Enhancements
Certificate Hot Reload
Admission Control can now hot reload updated certificates. You don’t have to restart the application.
Init Container Support for Vulnerability Scanning
Sysdig now scans init containers as part of Kubernetes workloads and returns vulnerability scan results for affected resources.
For more information, see Sysdig Vulnerability Management.
Improved CronJob Scanning
Improved vulnerability scanning for Kubernetes CronJobs to retain CronJobs that run during the Cluster Shield discovery period. CronJobs executed within a cluster during this time now appear as running workloads in Vulnerability Findings, providing more accurate visibility.
For more information, see Sysdig Vulnerability Management.
Defect Fixes
- Fixed an issue that could cause the Cluster Shield’s Vulnerability Management feature to behave unexpectedly when using Redis as a remote cache for intermediate results.
Fixed Vulnerabilities
This release addresses the following vulnerabilities:
1.15.0 August 28, 2025
Supported shield chart version: 1.17.0
Defect Fixes
- Fixed a bug where Cluster Shield ignored the value of the `features.container_vulnerability_management.registry_ssl.verify` setting.
- Fixed a bug that could prevent customers from seeing posture results.
- Services could fail to restart if their cgroup was deleted during the backoff delay. Cluster Shield now checks for the service's cgroup and recreates it if missing before starting the service.
- Removed an incorrect error log message that some on-premises customers could encounter.
Fixed Vulnerabilities
This release addresses the following vulnerabilities:
- CVE-2025-5914
- CVE-2025-5994
- CVE-2025-6965
- CVE-2025-7425
- CVE-2025-32414
- CVE-2025-32415
- CVE-2025-47907
- CVE-2025-54388
- CVE-2025-8058
- CVE-2022-29458
1.14.0 July 31, 2025
Supported shield chart version: 1.15.1
Enhancements
Improved Memory Reservation in Cluster Shield
Refined Cluster Shield memory reservation logic to maximize resource efficiency and improve overall reliability.
For additional information on how to fine-tune your Cluster Shield memory configuration, contact your Sysdig account representative.
Docker Mirrors Authentication
Added support for authenticating against Docker mirrors.
Enhanced Scanner Events Metadata
Updated source info in Scanner Events to include Cluster Shield version and the feature generating events.
Improved Logging for Unsupported K8s Resources
Container Vulnerability Management now logs the type of unsupported Kubernetes resources it detects.
Defect Fixes
- Fixed an authentication issue in Container Vulnerability Management when using the Google credential helper (for example, Workload Identity Federation).
- Added logs for NATS reconnection failures.
- Namespace entities now correctly populate the `namespace` property to avoid no-name entries in Inventory.
- Fixed OS package detection issues in Wolfi-based images.
- Resolved incorrect classification of RHEL-EUS as standard RHEL.
- Initialized logger correctly in Container Vulnerability Management Controller for Admission Controller image scans.
- Fixed an issue during SBOM extraction for Container Vulnerability Management that could cause a misconfiguration for on-prem customers.
- Updated the image loader to use the same configuration as Container Vulnerability Management component.
Fixed Vulnerabilities
This release addresses the following vulnerabilities:
- CVE-2024-12718
- CVE-2025-4138
- CVE-2025-4517
- CVE-2025-49794
- CVE-2025-49796
- CVE-2024-52533
- CVE-2025-25724
- CVE-2025-3576
- CVE-2025-4330
- CVE-2025-4373
- CVE-2025-4435
- CVE-2025-47273
- CVE-2025-5702
- CVE-2025-6021
1.13.0 June 26, 2025
Supported shield chart version: 1.12.2
Enhancements
- You can now monitor Cluster Shield health metrics in Sysdig Secure and Monitor.
- The `shield` and `sysdig-deploy` charts now support the creation and management of Pod Disruption Budgets for Cluster Shield.
Defect Fixes
- Fixed an issue that prevented the reporting of the Kubernetes distribution when using vanilla Kubernetes.
Fixed Vulnerabilities
1.12.1 June 11, 2025
Supported shield chart version: 1.8.1
Defect Fixes
- Fixed an issue where legacy Kubernetes metrics were unexpectedly missing from some namespaces.
Fixed Vulnerabilities
1.12.0 June 5, 2025
Supported shield chart version: 1.8.0
Enhancements
Improved Audit Logging Efficiency
- Enhanced Kubernetes Audit Logging to reduce API server noise caused by idle connection handling and to improve request logic, helping to prevent API rate limit issues.
Expanded Support for Kubernetes Distributions
- Extended support for Kubernetes distributions to include Oracle Kubernetes Engine (OKE), Rancher Kubernetes Engine (RKE2), and Mirantis Kubernetes Engine (MKE).
Added Support for Network Security
You can enable Network Security by configuring the existing `investigations` section under `features`.
Fixed Vulnerabilities
1.11.0 May 07, 2025
Enhancements
The audit feature now detects when certificates have been updated and reloads them automatically, so there is no need to restart the application.
Added support for reporting the `kube_job_spec_active_deadline_seconds` metric for Kubernetes Job objects.
Added the following configuration to enable the collection of Kubernetes State Metrics (KSM), which were previously collected by default when you enabled the `kubernetes_metadata` feature.

```yaml
features:
  monitor:
    kube_state_metrics:
      enabled: true
```

Added the following configuration to enable the collection of Kubernetes events for Sysdig Monitor, previously enabled by default with the `kubernetes_metadata` feature. For more details, see Process Kubernetes Events.

```yaml
features:
  monitor:
    kubernetes_events:
      enabled: true
```
The kube_state_metrics and kubernetes_events features now replace the functionality previously provided by the kubernetes_metadata feature in Sysdig Monitor, which is a breaking change.
If you were using kubernetes_metadata to collect Kubernetes state metrics (KSM) and events, you must now explicitly enable the new features to continue collecting this data.
For example:

```yaml
features:
  monitor:
    kube_state_metrics:
      enabled: true
    kubernetes_events:
      enabled: true
```
Fixed Vulnerabilities
Defect Fixes
Fixed an issue in Container Vulnerability Management that could cause the component to be terminated by the operating system when interacting with Amazon ECR on EKS clusters.
1.10.0 April 03, 2025
Enhancements
Detection of Vulnerabilities on Operating Systems
We have added detection of operating-system-level vulnerabilities for the following distributions:
- PhotonOS
- CBL Mariner
- Azure Linux
- SUSE Enterprise Linux 12 and 15
- SUSE Micro Linux
For additional information, please refer to our Vulnerability Feeds documentation.
New Metrics for Cluster Shield
| Metric Name | Description |
|---|---|
| `num_of_workloads_detected` | Number of all detected workloads obtained by interacting with the K8s API, including filtered, running and stopped workloads. |
| `num_of_workloads_filtered` | Number of filtered workloads, i.e., workloads that will not be scanned. |
| `num_of_workloads_running` | Number of currently running workloads. |
| `num_of_workloads_stopped` | Number of currently stopped workloads. |
| `num_of_workloads_with_a_SBOM_extracted` | Number of workloads for which an SBOM has been extracted at least once. |
| `num_of_workloads_with_a_SBOM_fresh` | Number of workloads for which an SBOM has been extracted recently and is still valid. |
| `num_of_workloads_without_SBOM` | Number of workloads for which an SBOM has never been extracted. |
| `num_of_workloads_in_SBOM_extraction_queue` | Number of workloads queued for SBOM extraction. |
| `num_of_workloads_with_SBOM_extraction_error` | Number of workloads for which the last SBOM extraction attempt failed. These workloads may include entries for which an SBOM has been extracted in the past. |
| `num_of_workloads_sent_to_collector` | Number of workloads successfully sent to the collector in the last cycle (including running, stopped and short-lived workloads). |
| `is_last_send_to_collector_successful` | Boolean value indicating whether the last send to the collector was successful. |
| `agent_kube_metadata_state_objects_count` | Tracks the number of Kubernetes resources sent in each message, categorized by resource type. |
| `agent_kube_metadata_connected` | Indicates the current connection state with the Sysdig backend (0 = Disconnected, 1 = Connected). |
| `agent_kube_metadata_connection_attempts_total` | Tracks the total number of connection attempts to the Sysdig backend. |
Fixed Vulnerabilities
Defect Fixes
Some registry implementations return a 400 status code instead of the standard HTTP error codes when authentication fails. Cluster Shield now retries authentication with alternative credentials, either provided as dockerconfigjson Kubernetes Secrets or acquired through the integrated Credential Helper support for AWS, GCP, and Azure.
1.9.1 Mar 21, 2025
Fixed Vulnerabilities
Defect Fixes
- Fixed an issue causing cluster-shield components to restart upon failure without applying the expected exponential backoff delay.
- Fixed a timing issue in Cluster Shield that caused the SBOM extractor to trigger excessive SBOM extractions that the Runtime component could not process.
1.9.0 Mar 11, 2025
Feature Enhancements
Added a gauge metric `sysdig_cluster_shield_component_health_status` to represent the health status of each enabled component. It is available through the `/metrics` endpoint on port `8080`. A metric value of `1` indicates a healthy component, while `0` signifies an unhealthy one. Cluster Shield now attempts to restart unhealthy components after 100 seconds.
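As an added example (not Sysdig's code), the following Python check parses the text-format `/metrics` output for this gauge and lists every component that reports anything other than `1`. The `component` label name, the `localhost:8080` URL and the embedded sample scrape are assumptions, since the release note only states that there is one gauge per enabled component.

```python
import re
import urllib.request

METRIC = "sysdig_cluster_shield_component_health_status"

# Constructed sample of a Prometheus text-format scrape from /metrics on port 8080.
# The "component" label name is an assumption; the release note only says there
# is one gauge per enabled component, with 1 = healthy and 0 = unhealthy.
SAMPLE_SCRAPE = """\
# HELP sysdig_cluster_shield_component_health_status Health of each enabled component
# TYPE sysdig_cluster_shield_component_health_status gauge
sysdig_cluster_shield_component_health_status{component="admission_control"} 1
sysdig_cluster_shield_component_health_status{component="container_vulnerability_management"} 0
sysdig_cluster_shield_component_health_status{component="audit"} 1
unrelated_metric{job="x"} 42
"""

# One sample line: metric name, optional {labels}, then the value.
SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_gauge(text, name):
    """Return {sorted-label-tuple: value} for every sample of `name` in a scrape."""
    samples = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and HELP/TYPE comments
        m = SAMPLE_RE.match(line)
        if not m or m.group(1) != name:
            continue
        labels = tuple(sorted(LABEL_RE.findall(m.group(2) or "")))
        samples[labels] = float(m.group(3))
    return samples


def unhealthy_components(text, label="component"):
    """Components whose health gauge is not 1, i.e. not healthy per the release note."""
    return sorted(
        dict(labels).get(label, "<unlabelled>")
        for labels, value in parse_gauge(text, METRIC).items()
        if value != 1.0
    )


def fetch_scrape(url="http://localhost:8080/metrics", timeout=5):
    """Fetch a live scrape; the URL assumes the pod's port 8080 is reachable locally."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print("unhealthy:", unhealthy_components(SAMPLE_SCRAPE))  # ['container_vulnerability_management']
```

Against a live cluster, pass `fetch_scrape()` to `unhealthy_components` instead of the sample; an empty list means every enabled component reports `1`.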
1.8.2 Feb 28, 2025
Fixed Vulnerabilities
1.8.1 Feb 25, 2025
Defect Fixes
- Fixed an issue that prevented the Container Vulnerability Management feature from authenticating to the registry and processing images as expected.
- Fixed an issue where Cluster Shield reported invalid Prometheus metrics.
1.8.0 Feb 4, 2025
Feature Enhancements
- Optimized memory usage of the `container-vulnerability-management-controller` component.
- Added support for multiple candidate pull-strings per workload to resolve scanning failures caused by alias references from non-pullable locations.
- Added the ability to filter the images for scanning as part of the container vulnerability management feature. See Container Filtering for more details.
Defect Fixes
- Resolved an issue in which Kubernetes metadata inaccurately reported parent service links when a pod was exposed by multiple services. The pod is now correctly associated with all relevant services.
- Fixed a bug that caused unexpected lags when pulling images. The issue occurred because `features.container_vulnerability_management.registry_ssl.verify` was set to true, enforcing SSL certificate verification.
1.7.1 Jan 10, 2025
Fixed Vulnerabilities
1.7.0 Jan 07, 2025
Feature Enhancements
- The Container Vulnerability Management feature now supports mirrors and insecure registries configurations for image scanning.
Defect Fixes
- Fixed an issue that prevented the Container Vulnerability Management feature from correctly authenticating and processing the image when candidate pull secrets were found.