29.2.24
2.28.0: GitHub Registry, reduce URLs for Image Assurance
Type: New Feature + improvements
Description:
Image Assurance 2.29.0:
Release GitHub Container Registry scanning support
Reduced the number of URLs that need to be accessed by the agents (relevant for Scan Engine Version 2.0.0 only). CloudGuard agents must have connectivity to these region-specific URLs:
Region | URLs accessed by Image Assurance agent |
---|---|
United States (US) | |
Europe (EU) | |
Australia (AU) | |
Canada (CA) | |
India (IN) | |
Singapore (SG) | |
Security enhancements - all agents:
Image Assurance 2.29.0
Admission Control: Enforcer 2.11.0 & Policy 1.8.0
Inventory 1.14.0
Flow-logs 0.14.0
Runtime Policy 1.8.0
Affected Components: CloudGuard Workload Protection agents
15.1.23
Workload Protection for Kubernetes:
Description:
UI changes:
Workload Protection Menu
◦ Rename “Image Assurance” -> “Vulnerabilities”, “Vulnerabilities” -> “Findings”
GSL Builder
◦ Rename “Image Assurance” to "Workload Vulnerability"
◦ Add Package, Malware and Insecure content
◦ Mark "Finding" and "ImageScan" as Deprecated
Notification
◦ Rename "Image Assurance - Image Scan only" to "Vulnerability Scanning"
19.11.23
Workload Protection for Kubernetes: helm 2.24.3
Description:
Image Assurance 2.25.0
Support Sonatype Nexus Registry scan
All features: Inventory 1.13.0; Image Assurance 2.25.0; Admission Control: enforcer 2.9.0, policy 1.7.0; Runtime Protection: policy 1.7.0; Flow Logs 0.12.0
Improved telemetry
Security enhancements
Affected Components: CloudGuard Workload Protection agents
24.10.23
Workload Protection for Kubernetes: helm 2.23.0
Description:
Admission Control: enforcer 2.8.0, policy 1.6.0
Enforcer server receives requests on port 8443 instead of port 8080
Image Assurance 2.23.0
When scanning an ECR Container Registry from an EKS cluster, a custom IAM Role can be used for access control (within the same AWS account or across accounts)
Runtime Protection: policy 1.5.0
Adjust support for Pod Security Policy
Flow Logs 0.10.0
Improved telemetry
Inventory 1.11.1
GKE Autopilot support
All features
Support for GKE Autopilot (except for Runtime Protection)
Do not attempt to run DaemonSet pods on Fargate nodes, where they are not supported
Affected Components: CloudGuard Workload Protection agents
12.9.23
Fix agent status for GKE Autopilot in compliance
Agent Status Support for GKE Autopilot Clusters
30.7.23
Helm 2.22.0 release:
Workload Protection for Kubernetes: helm 2.22.0
Runtime Protection daemon 1.8.8
Added some security enhancements
25.6.23
Helm 2.21.0 release:
Support for GKE Autopilot (except for Runtime Protection)
Configure agents with node-critical and cluster-critical priority classes by default (improved support for clusters with small nodes)
Helm installation speedup
Support multiple DaemonSet configurations per node pool
Runtime Protection: keep running if the eBPF probe can't be built or loaded; multiple optimizations
Inventory: Improved support for large inventory of Kubernetes resources
Change imageScan.mountPodman default to false (reduce dependencies on node configuration)
1.6.23
Return time zone:
Because the wrong time zone was shown in the UI, the APIs should send the time zone (in ISO date format)
...
The following features have been added to the Helm EA branch:
Support GKE Autopilot clusters (version 1.25 and above) via helm flag: --set platform=gke.autopilot
Allow specifying priority class per agent. Set 'cluster-critical' and 'node-critical' priority class for agents by default
...