This is the changelog of Kritis releases
v0.2.2:
- Update Helm chart to work with Kubernetes 1.16.
v0.2.1:
- Treat the signature in an Attestation Occurrence as base64 encoded.
- Bump kubectl version in helm hook container images.
v0.2.0:
- Added support for separating image and Attestor into different GCP projects.
- Improvements for highly available Kritis:
namespaceSelectorto allowlist critical namespaces, e.g.kube-system, in the event Kritis is unavailable.
- No-op refactoring to use two new interfaces to work with attestations:
ValidatedAttestation-- a trusted, verified attestion.ValidatingTransport-- allows caller to obtainValidatedAttestationfor a given image.
- Added clarifications for guarantees in
ListNoteOccurrenceswhen retrieving attestations. - Cleanup:
- removed API version from NoteReference.
- s/Occurence/Occurrence where applicable.
v0.1.1:
- Fixed memory leak due to unused connections
v0.1.0:
- Kritis supports two policies for pod admission:
ImageSecurityPolicywhich allows users to secure their clusters by specifying the vulnerability threshold for containers above which they cannot be deployed;GenericAttestationPolicywhich allows users to only deploy pods for which they explicitly stored an attestation.
- Kritis has the allow-all fallback policy if neither of the policies is specified.
- Kritis uses Grafeas API to get vulnerability and attestation information via:
- standalone Grafeas server running locally in k8s cluster;
- Container Analysis API on GCP.
- Kritis has an ability to continuously monitor the pods in the cluster and add labels and annotation to the pods out of policy.