CloudGuard Workloads
29.2.24
2.28.0: GitHub Container Registry scanning, fewer URLs required for Image Assurance
Type: New Feature + improvements
Description:
Image Assurance 2.29.0:
Added GitHub Container Registry scanning support.
Reduced the number of URLs the agents need to reach (relevant only for Scan Engine version 2.0.0). CloudGuard agents must have connectivity to these region-specific URLs:
| Region | URLs accessed by Image Assurance agent |
|---|---|
| United States (US) | |
| Europe (EU) | |
| Australia (AU) | |
| Canada (CA) | |
| India (IN) | |
| Singapore (SG) | |
Security enhancements - all agents:
Image Assurance 2.29.0
Admission Control: Enforcer 2.11.0 & Policy 1.8.0
Inventory 1.14.0
Flow-logs 0.14.0
Runtime Policy 1.8.0
Affected Components: CloudGuard Workload Protection agents
15.1.23
Workload Protection for Kubernetes:
Description:
UI changes:
Workload Protection menu
◦ Renamed "Image Assurance" to "Vulnerabilities" and "Vulnerabilities" to "Findings"
GSL Builder
◦ Renamed "Image Assurance" to "Workload Vulnerability"
◦ Added Package, Malware and Insecure Content
◦ Marked "Finding" and "ImageScan" as deprecated
Notification
◦ Renamed "Image Assurance - Image Scan only" to "Vulnerability Scanning"
19.11.23
Workload Protection for Kubernetes: helm 2.24.3
Description:
Image Assurance 2.25.0
Support for Sonatype Nexus Registry scanning
All features: Inventory 1.13.0; Image Assurance 2.25.0; Admission Control: enforcer 2.9.0, policy 1.7.0; Runtime Protection: policy 1.7.0; Flow Logs 0.12.0
Improved telemetry
Security enhancements
Affected Components: CloudGuard Workload Protection agents
24.10.23
Workload Protection for Kubernetes: helm 2.23.0
Description:
Admission Control: enforcer 2.8.0, policy 1.6.0
The enforcer server now receives admission requests on port 8443 instead of port 8080. If a firewall or network policy restricts traffic from the Kubernetes API server to the enforcer pods (for example, the default control-plane-to-node firewall rules of GKE private clusters), allow TCP 8443 before upgrading.
Image Assurance 2.23.0
When scanning an ECR container registry from an EKS cluster, a custom IAM role can be used for access control (in the same AWS account or across accounts)
Runtime Protection: policy 1.5.0
Adjusted support for Pod Security Policy
Flow Logs 0.10.0
Improved telemetry
Inventory 1.11.1
GKE Autopilot support
All features
Support for GKE Autopilot (except for Runtime Protection)
DaemonSet pods are no longer scheduled on Fargate nodes, which do not support them
Affected Components: CloudGuard Workload Protection agents
12.9.23
Fixed agent status for GKE Autopilot clusters in Compliance
Agent status is now supported for GKE Autopilot clusters
30.7.23
Helm 2.22.0 release:
Workload Protection for Kubernetes: helm 2.22.0
Runtime Protection daemon 1.8.8
Security enhancements
25.6.23
Helm 2.21.0 release:
Support for GKE Autopilot (except for Runtime Protection)
Configure agents with node-critical and cluster-critical priority classes by default (improved support for clusters with small nodes)
Helm installation speedup
Support multiple DaemonSet configurations per node pool
Runtime Protection: keeps running if the eBPF probe cannot be built or loaded; multiple optimizations
Inventory: Improved support for large inventory of Kubernetes resources
Changed the imageScan.mountPodman default to false (reduces dependencies on node configuration)
1.6.23
Return time zone:
The UI displayed the wrong time zone because API responses carried no time zone information; the APIs now include the time zone in timestamps (ISO date format).
Runtime Protection partial profiling:
Resolved an issue where workload profiles were stuck on "Waiting for startup"
Enabled the creation and enforcement of partial profiles
Agent status report CSV API:
Path: kubernetes/account/agentStatusReportCSV
Added an API that returns the status of all agents in the account (for the clusters the user has permission to view)
Allow offboarding through the old controller (Terraform):
The old controller API was aligned with the new one, so disabling Threat Intelligence (TI) behaves the same in both and offboarding through Terraform also works.
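The agent status report API above is the natural input for a scheduled health check that flags agents which are not running. The script below is an added example written for this page, not CloudGuard's own tooling. Only the report path comes from the release note; the API base URL (https://api.dome9.com/v2/), HTTP Basic authentication with an API key ID and secret, the "Status" column name and "Running" as the healthy value are assumptions, and the sample CSV is constructed. Inspect the first line of a real report and adjust the constants if the columns differ.

```python
"""Pull the CloudGuard agent status report (CSV) and flag unhealthy agents.

Added example, not CloudGuard's own tooling. Only REPORT_PATH comes from the
release note; BASE_URL, the Basic-auth scheme, STATUS_COLUMN and
HEALTHY_STATUSES are assumptions to verify against a real report.
"""
import base64
import csv
import io
import os
import sys
import urllib.request
from collections import Counter

BASE_URL = "https://api.dome9.com/v2/"                   # assumed API base URL
REPORT_PATH = "kubernetes/account/agentStatusReportCSV"  # from the release note
STATUS_COLUMN = "Status"                                 # assumed column name
HEALTHY_STATUSES = {"Running"}                           # assumed healthy value

# Constructed sample report for offline use; real column names may differ.
SAMPLE_CSV = """Cluster,Namespace,Agent,Status
prod-eu,checkpoint,inventory,Running
prod-eu,checkpoint,imagescan,Error
prod-us,checkpoint,inventory,Running
prod-us,checkpoint,runtime-daemon,Pending
"""


def build_request(key_id, secret, base_url=BASE_URL):
    """Authenticated GET for the CSV report (Basic auth: key ID as user, secret as password)."""
    token = base64.b64encode(f"{key_id}:{secret}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/" + REPORT_PATH,
        headers={"Authorization": "Basic " + token, "Accept": "text/csv"},
    )


def fetch_report(key_id, secret):
    """Download the report text; urllib raises HTTPError on 4xx/5xx responses."""
    with urllib.request.urlopen(build_request(key_id, secret), timeout=30) as resp:
        return resp.read().decode("utf-8-sig")  # tolerate a UTF-8 BOM


def summarize(csv_text, status_column=STATUS_COLUMN, healthy=HEALTHY_STATUSES):
    """Return (count per status value, rows whose status is not in the healthy set)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if rows and status_column not in rows[0]:
        raise KeyError(f"no {status_column!r} column; columns are {list(rows[0])}")
    counts = Counter(row[status_column] for row in rows)
    unhealthy = [row for row in rows if row[status_column] not in healthy]
    return counts, unhealthy


def main():
    # With CG_KEY_ID/CG_SECRET set the live report is used; otherwise the sample.
    key_id, secret = os.environ.get("CG_KEY_ID"), os.environ.get("CG_SECRET")
    text = fetch_report(key_id, secret) if key_id and secret else SAMPLE_CSV
    counts, unhealthy = summarize(text)
    print("agents per status:", dict(counts))
    for row in unhealthy:
        print("UNHEALTHY:", ", ".join(f"{k}={v}" for k, v in row.items()))
    return 1 if unhealthy else 0  # non-zero exit makes this usable as a cron/CI check


if __name__ == "__main__":
    sys.exit(main())
```

The API key ID and secret are read from environment variables rather than command-line arguments so they do not show up in process listings or shell history; the script exits non-zero when any agent is outside the healthy set so it can gate a pipeline or page an on-call rotation.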
UI: Containers improvements - 1.6.23
Workloads Images redesign
The legacy protected-assets (workload images) pages have been migrated to a React-based infrastructure, which brings better performance, faster load times and an improved user experience.
Kubernetes Version in Environment Table:
To provide more detailed information about each environment, we've added a new column to the Environments table that shows the version of Kubernetes (K8s) running in each environment. This enhancement will give users a better understanding of their infrastructure and help them plan upgrades more effectively.
Kubernetes - Helm 2.20.1 EA branch: GKE Autopilot Support, priority class enhancements
Type: New Feature
Description:
The following features have been added to the Helm EA branch:
Allow specifying priority class per agent. Set 'cluster-critical' and 'node-critical' priority class for agents by default
Autopilot Supported Blades: Inventory, Compliance, Image Assurance, Admission Controller and Threat Intelligence
Known limitations:
Auto-detection of Autopilot is not supported (installation may fail if the platform is not set explicitly)
Autopilot versions prior to 1.25 are not supported
Helm 2.20.0 Release Content
Image Assurance 2.21.0:
Improvements for slow networks and large images
Runtime Protection: runtime-daemon 1.6.2, runtime-probe 0.30.2-cp-3, runtime-cos-compat 0.0.9
Google COS support for File Reputation engine
Security enhancements
Profiling engine improvements - better detection of startup event
Reduced Memory & CPU footprint
All features
FluentBit removal
2.19.1: Image Assurance: Artifactory auto-discovery, CRI v1 API and more; Runtime Protection: enhancements.
Image Assurance 2.20.1
Support JFrog Artifactory auto-discovery
When onboarding an Artifactory instance to CloudGuard, provide the FQDN of the Artifactory server. CloudGuard scans images in all discovered sub-registries.
Agents load updated registry credentials and CA bundle without requiring a restart
CRI: support v1 API following v1alpha2 removal
CRI-O/OpenShift: support nodes without podman; podman is not used when it can be avoided
Runtime Protection - daemon 1.0.0, probe 0.28.0-cp-7
Logging enhancements
Telemetry enhancements
Security enhancements