The Security Profiles Operator provides a way to define secure computing (seccomp) and SELinux profiles as custom resources, synchronizing profiles to every node in a given namespace.
These release notes track the development of the Security Profiles Operator in OKD.
For an overview of the Security Profiles Operator, see Security Profiles Operator Overview.
The following advisory is available for the Security Profiles Operator 0.8.5:
When attempting to install the Security Profile Operator from the web console, the option to enable Operator-recommended cluster monitoring was unavailable for the namespace. With this update, you can now enabled Operator-recommend cluster monitoring in the namespace. (OCPBUGS-37794)
Previously, the Security Profiles Operator would intermittently be not visible in the OperatorHub, which caused limited access to install the Operator via the web console. With this update, the Security Profiles Operator is present in the OperatorHub.
The following advisory is available for the Security Profiles Operator 0.8.4:
This update addresses CVEs in underlying dependencies.
You can now specify a default security profile in the image
attribute of a ProfileBinding
object by setting a wildcard. For more information, see Binding workloads to profiles with ProfileBindings (SELinux) and Binding workloads to profiles with ProfileBindings (Seccomp).
The following advisory is available for the Security Profiles Operator 0.8.2:
Previously, SELinuxProfile
objects did not inherit custom attributes from the same namespace. With this update, the issue has now been resolved and SELinuxProfile
object attributes are inherited from the same namespace as expected. (OCPBUGS-17164)
Previously, RawSELinuxProfiles would hang during the creation process and would not reach an Installed
state. With this update, the issue has been resolved and RawSELinuxProfiles are created successfully. (OCPBUGS-19744)
Previously, patching the enableLogEnricher
to true
would cause the seccompProfile
log-enricher-trace
pods to be stuck in a Pending
state. With this update, log-enricher-trace
pods reach an Installed
state as expected. (OCPBUGS-22182)
Previously, the Security Profiles Operator generated high cardinality metrics, causing Prometheus pods using high amounts of memory. With this update, the following metrics will no longer apply in the Security Profiles Operator namespace:
rest_client_request_duration_seconds
rest_client_request_size_bytes
rest_client_response_size_bytes
The following advisory is available for the Security Profiles Operator 0.8.0:
Previously, while trying to install Security Profiles Operator in a disconnected cluster, the secure hashes provided were incorrect due to a SHA relabeling issue. With this update, the SHAs provided work consistently with disconnected environments. (OCPBUGS-14404)
The following advisory is available for the Security Profiles Operator 0.7.1:
Security Profiles Operator (SPO) now automatically selects the appropriate selinuxd
image for RHEL 8- and 9-based RHCOS systems.
Users that mirror images for disconnected environments must mirror both |
You can now enable memory optimization inside of an spod
daemon. For more information, see Enabling memory optimization in the spod daemon.
SPO memory optimization is not enabled by default. |
The daemon resource requirements are now configurable. For more information, see Customizing daemon resource requirements.
The priority class name is now configurable in the spod
configuration. For more information, see Setting a custom priority class name for the spod daemon pod.
The default nginx-1.19.1
seccomp profile is now removed from the Security Profiles Operator deployment.
Previously, a Security Profiles Operator (SPO) SELinux policy did not inherit low-level policy definitions from the container template. If you selected another template, such as net_container, the policy would not work because it required low-level policy definitions that only existed in the container template. This issue occurred when the SPO SELinux policy attempted to translate SELinux policies from the SPO custom format to the Common Intermediate Language (CIL) format. With this update, the container template appends to any SELinux policies that require translation from SPO to CIL. Additionally, the SPO SELinux policy can inherit low-level policy definitions from any supported policy template. (OCPBUGS-12879)
When uninstalling the Security Profiles Operator, the MutatingWebhookConfiguration
object is not deleted and must be manually removed. As a workaround, delete the MutatingWebhookConfiguration
object after uninstalling the Security Profiles Operator. These steps are defined in Uninstalling the Security Profiles Operator. (OCPBUGS-4687)
The following advisory is available for the Security Profiles Operator 0.5.2:
This update addresses a CVE in an underlying dependency.
When uninstalling the Security Profiles Operator, the MutatingWebhookConfiguration
object is not deleted and must be manually removed. As a workaround, delete the MutatingWebhookConfiguration
object after uninstalling the Security Profiles Operator. These steps are defined in Uninstalling the Security Profiles Operator. (OCPBUGS-4687)
The following advisory is available for the Security Profiles Operator 0.5.0:
When uninstalling the Security Profiles Operator, the MutatingWebhookConfiguration
object is not deleted and must be manually removed. As a workaround, delete the MutatingWebhookConfiguration
object after uninstalling the Security Profiles Operator. These steps are defined in Uninstalling the Security Profiles Operator. (OCPBUGS-4687)