Releases: microsoft/kata-containers

3.2.0.azl4

10 Jan 21:10
a96690c

Release notes

  • Use Azl3 as default for node builder recipes
  • Addressed CVEs: CVE-2024-43806, CVE-2024-24786, CVE-2023-45288, CVE-2023-39325, CVE-2024-43806
  • Improved agent logging verbosity
  • Faster confidential pod startup
  • Allow pods with larger memory requests to start by increasing the timeout for CreateVM
  • Reduced memory usage for the guest image
  • Improved memory overhead management
  • Remove unused VMM options for memory allocation
  • Assign a default number of vcpus (1) to the VM when no limits are given
  • Added policy state support to agent

What's Changed

  • tools: Align AGENT_POLICY_FILE check in rootfs-builder with upstream by @ms-mahuber in #244
  • node-builder: Use Azure Linux 3 as default path by @ms-mahuber in #251
  • libs:logging: Fix logger by @danmihai1 in #248
  • Fix logging verbosity comment to accurately reflect clh behavior by @Camelron in #249
  • node-builder: Deploy-only recipe for AzL3 VMs by @ms-mahuber in #254
  • runtime: skip logging some of the dial errors by @danmihai1 in #253
  • build(deps): bump rustix from 0.37.3 to 0.37.27 in /src/agent by @dependabot in #246
  • build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.33.0 in /src/runtime by @dependabot in #243
  • build(deps): bump dependency golang.org/x/net to v0.23.0 by @Sumynwa in #261
  • build(deps): bump rustix from 0.37.19 to 0.37.27 in /src/tardev-snapshotter by @dependabot in #262
  • runtime: Set memory config shared=false when shared_fs=None in CLH by @Sumynwa in #265
  • runtime: relax timeout for CreateVM + BootVM in CLH by @Sumynwa in #268
  • agent: fix make test by @Sumynwa in #266
  • reduce the memory usage for the guest image by @danmihai1 in #280
  • runtime: improved memory overhead management by @danmihai1 in #281
  • runtime: Remove unused VMM options for mem alloc by @ms-mahuber in #283
  • runtime: Allocate default workload vcpus by @ms-mahuber in #282
  • policy: cherry pick state policy changes from upstream by @Redent0r in #273

Full Changelog: 3.2.0.azl3...3.2.0.azl4

3.2.0.azl3.genpolicy3

08 Jan 00:14
89277cc

Release notes

  • Strengthen validation for bundle path annotation received from agent

What's Changed

Limitations and important notes

  • UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
  • Only supports pods that use IPv4 addresses
  • Windows is not supported

Full Changelog: 3.2.0.azl3.genpolicy2...3.2.0.azl3.genpolicy3

3.2.0.azl3.genpolicy2

19 Dec 17:17
609a121

Release notes

  • Improve ExecProcess request validation by validating the Process field from the input
  • Improve CopyFile request validation by matching specific regexp patterns against symlink sources

What's Changed

Limitations and important notes

  • UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
  • Only supports pods that use IPv4 addresses
  • Windows is not supported

Full Changelog: 3.2.0.azl3.genpolicy1...3.2.0.azl3.genpolicy2

3.2.0.azl3.genpolicy1

17 Dec 00:07
02842bc

Release notes

  • Strengthen validation for copyFile request by blocking self symlink paths

What's Changed

  • genpolicy: block self paths for copyFile requests by @Redent0r in #271

Limitations and important notes

  • UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
  • Only supports pods that use IPv4 addresses
  • Windows is not supported

Full Changelog: 3.2.0.azl3.genpolicy0...3.2.0.azl3.genpolicy1

3.2.0.azl3.genpolicy0

13 Dec 00:02
06ea445

Release notes

  • Support dynamic SMB storage class options
  • Updated the Dockerfile to build the genpolicy tool on Azure Linux and link openssl statically. This makes it easy to build and use the genpolicy tool in other distros through Docker
  • Support securityContext.runAsUser field on other K8s YAML resources, besides just pods
  • Fixed deserialization error by ignoring optional metadata.uid field

What's Changed

Limitations and important notes

  • UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
  • Only supports pods that use IPv4 addresses
  • Windows is not supported

Full Changelog: 3.2.0.azl1.genpolicy1...3.2.0.azl3.genpolicy0

3.2.0.azl3

27 Sep 19:18
3a0ca4e

Release notes

  • Build: Added igvm-builder and node-builder/azure-linux build and deployment recipes
  • Policy: Fix the regressed AllowRequestsFailingPolicy functionality
  • Storage: Added guide to install new CSI drivers

Note: This release is intended for Azure Linux 3 only.

What's Changed

  • tools: Add initial igvm-builder and node-builder/azure-linux scripting by @ms-mahuber in #188
  • virtcontainers: update sev_snp param serialization by @Redent0r in #197
  • Cherry-pick upstream PR kata-containers#9825: osbuilder: allow rootfs builds w/o git or version file deps by @ms-mahuber in #206
  • tools: Improve igvm-builder and node-builder/azure-linux scripting by @ms-mahuber in #204
  • tardev: update tardev-snapshotter.service by @miz060 in #209
  • agent: fix the AllowRequestsFailingPolicy functionality by @danmihai1 in #212
  • docs: add guide to install new CSI drivers by @sprt in #214
  • tools: Add package-tools-install functionality by @ms-mahuber in #215
  • tools: Enable setting IGVM SVN by @ms-mahuber in #224
  • node-builder: introduce BUILD_TYPE variable by @sprt in #216
  • node-builder: introduce SHIM_REDEPLOY_CONFIG by @sprt in #226
  • node-builder: Use image for Pod Sandboxing by @ms-mahuber in #227

Limitations and important notes

  • This release requires genpolicy release 3.2.0.azl0.genpolicy1 and onwards

Full Changelog: 3.2.0.azl2...3.2.0.azl3

3.2.0.azl1.genpolicy1

23 Aug 19:14
dc2d4de

Release notes

  • Added support for the CronJob Kubernetes manifest
  • Enhanced policy validation by rejecting untested values coming from CreateContainerRequest

What's Changed

  • genpolicy: add support for cron jobs by @Redent0r in #218
  • genpolicy: reject untested CreateContainer field values by @Redent0r in #219

Limitations and important notes

  • This release is only compatible with Kata components based on release 3.2.0.azl0 and onwards
  • UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
  • Only supports pods that use IPv4 addresses
  • Windows is not supported

Full Changelog: 3.2.0.azl1.genpolicy0...3.2.0.azl1.genpolicy1

3.2.0.azl1.genpolicy0

09 Jul 16:27
2d32df1

Release Notes

  • Added support for new confidential CSI driver types (cc-managed-csi, cc-local-csi, cc-azurefile-csi)
  • Added support for pulling container image layers using containerd (-d). This enables:
    • Managed identity authentication to private registries
    • Support for images with v1 manifest and prettyjws media type
  • Added support for read-only hostPath in pod spec
  • Updated the caching mechanism for image layers so that it can run in parallel
  • Added version flag (-v)
  • Added support for non-default namespace names. The namespace may now be specified in the genpolicy-settings.json file.
  • Persistent volume claims (PVCs) may now also be specified using the -c parameter (e.g. for a CSI driver)
  • Improved handling of images that have layers with special symlinks (tarfsindex crate)
  • Added persistent storage support for statefulsets

What's Changed

Limitations and important notes

  • This release is only compatible with Kata components based on release 3.2.0.azl0 and onwards
  • The build method has been updated from cargo build to LIBC=gnu BUILD_TYPE= make
  • Removed the -i option; path handling is simplified with explicit flags for rules.rego (-p) and genpolicy-settings.json (-j)
  • Authentication to private registries is not supported on Windows
  • Windows support will be deprecated next release
  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses

Full Changelog: 3.2.0.azl0.genpolicy1...3.2.0.azl1.genpolicy0

3.2.0.azl2

05 Jun 19:40

This release only applies #197 over 3.2.0.azl1. This is needed to upgrade to LSG release v2405.9.2.

Full Changelog: 3.2.0.azl1...3.2.0.azl2

3.2.0.azl1

27 Apr 22:33
dda2c28

Release Notes

  • Reliability fixes for the tarfs driver (e.g. support for directories with many files in container images)
  • Improved handling of images that have layers with special symlinks (tarfsindex crate)
  • Added support for handling SMB mounts in the guest VM, to work with the cc-azurefile-csi driver
  • Improved agent shutdown behavior
  • Use PCI segments 1+ for blk devices. This adds support for container images with more than 31 layers
  • Removed opa and replaced it with regorus
    • Improves policy diagnosis and debugging
  • Improved cleanup of the clh process, which would occasionally linger after being asked to terminate

What's Changed

Full Changelog: 3.2.0.azl0...3.2.0.azl1

Limitations and important notes

  • This release requires genpolicy release 3.2.0.azl0.genpolicy1 and onwards