CloudGuard Workloads


29.2.24

2.28.0: GitHub Registry, reduce URLs for Image Assurance

Type: New Feature + improvements

Description:

Image Assurance 2.29.0:

  • Released GitHub Container Registry scanning support

  • Reduced the number of URLs that need to be accessed by the agents (relevant for Scan Engine Version 2.0.0 only). CloudGuard agents must have connectivity to these region-specific URLs:

Security enhancements - all agents:

  • Image Assurance 2.29.0

  • Admission Control: Enforcer 2.11.0 & Policy 1.8.0

  • Inventory 1.14.0

  • Flow-logs 0.14.0

  • Runtime Policy 1.8.0

Affected Components: CloudGuard Workload Protection agents


15.1.23

Workload Protection for Kubernetes:

Description:

UI changes:

  • Workload Protection menu

    ◦ Renamed “Image Assurance” to “Vulnerabilities”, and “Vulnerabilities” to “Findings”

  • GSL Builder

    ◦ Renamed “Image Assurance” to “Workload Vulnerability”
    ◦ Added Package, Malware and Insecure Content
    ◦ Marked “Finding” and “ImageScan” as deprecated

  • Notification

    ◦ Renamed “Image Assurance - Image Scan only” to “Vulnerability Scanning”


19.11.23

Workload Protection for Kubernetes: Helm 2.24.3

Description:

Image Assurance 2.25.0

  • Support for Sonatype Nexus Registry scanning

All features: Inventory 1.13.0; Image Assurance 2.25.0; Admission Control: enforcer 2.9.0, policy 1.7.0; Runtime Protection: policy 1.7.0; Flow Logs 0.12.0

  • Improved telemetry

  • Security enhancements

Affected Components: CloudGuard Workload Protection agents


24.10.23

Workload Protection for Kubernetes: Helm 2.23.0

Description:

  • Admission Control: enforcer 2.8.0, policy 1.6.0

    • Enforcer server receives requests on port 8443 instead of port 8080

  • Image Assurance 2.23.0

    • When scanning an ECR Container Registry from an EKS cluster, a custom IAM Role can be used for access control (within the same AWS account or across accounts)

  • Runtime Protection: policy 1.5.0

    • Adjusted support for Pod Security Policy

  • Flow Logs 0.10.0

    • Improved telemetry

  • Inventory 1.11.1

    • GKE Autopilot support

  • All features

    • Support for GKE Autopilot (except for Runtime Protection)

    • Do not attempt to run DaemonSet pods on unsupported Fargate nodes

Affected Components: CloudGuard Workload Protection agents


12.9.23

Fixed agent status for GKE Autopilot in Compliance

Agent status support for GKE Autopilot clusters


30.7.23

Helm 2.22.0 release:

Workload Protection for Kubernetes: Helm 2.22.0

Runtime Protection daemon 1.8.8

  • Security enhancements


25.6.23

Helm 2.21.0 release:

  • Support for GKE Autopilot (except for Runtime Protection)

  • Agents are configured with the node-critical and cluster-critical priority classes by default (improved support for clusters with small nodes)

  • Helm installation speedup

  • Support multiple DaemonSet configurations per node pool

  • Runtime Protection: keeps running if the eBPF probe cannot be built or loaded; multiple optimizations

  • Inventory: Improved support for large inventory of Kubernetes resources

  • Changed the imageScan.mountPodman default to false (reduces dependencies on node configuration)


1.6.23

Return time zone:

Because the UI displayed a wrong time zone, the APIs now send the time zone (in ISO date format).


Runtime Protection (RP) partial profiling:

  • Resolved an issue where workload profiles got stuck on “Waiting for startup”

  • Enabled the creation and enforcement of partial profiles


Agent status report CSV API:

Path: kubernetes/account/agentStatusReportCSV

Added an API that returns the status of all agents in the account (for the clusters the user has permission to access)


Allow offboarding through the old controller (Terraform):

Aligned the old controller API with the new one, so that disabling Threat Intelligence (TI) works the same way, and therefore offboarding with Terraform works as well


UI - Containers improvements - 1.6.23

Workloads Images redesign:

In our commitment to enhancing the efficiency and usability of our platform, we have successfully migrated our old protected assets to a React-based infrastructure. This new development brings better performance, faster load times, and improved user experience.

Kubernetes version in the Environments table:

To provide more detailed information about each environment, we've added a new column to the Environments table that shows the version of Kubernetes (K8s) running in each environment. This enhancement will give users a better understanding of their infrastructure and help them plan upgrades more effectively.


Kubernetes - Helm 2.20.1 EA branch: GKE Autopilot Support, priority class enhancements

Type: New Feature

Description:

The following features have been added to the Helm EA branch:

  • Allow specifying a priority class per agent. The 'cluster-critical' and 'node-critical' priority classes are set for agents by default

  • Autopilot supported blades: Inventory, Compliance, Image Assurance, Admission Controller and Threat Intelligence

Known limitations:

  • Auto-detection of Autopilot is not supported (i.e., installation may fail if the platform is not set explicitly)

  • Autopilot versions prior to 1.25 are not supported


Helm 2.20.0 Release Content

  • Image Assurance 2.21.0:

    • Improvements for slow networks and large images

  • Runtime Protection | runtime-daemon 1.6.2, runtime-probe 0.30.2-cp-3, runtime-cos-compat 0.0.9

    • Google COS support for File Reputation engine

    • Security enhancements

    • Profiling engine improvements - better detection of startup event

    • Reduced Memory & CPU footprint

  • All features

    • FluentBit removal


2.19.1: IA: Artifactory auto-discovery, CRI v1, etc.; RP: enhancements.

  • Image Assurance 2.20.1

    • Support JFrog Artifactory auto-discovery

      • When onboarding an Artifactory instance to CloudGuard, provide the FQDN of the Artifactory server. CloudGuard will scan the images of all discovered sub-registries

    • Agents load updated registry credentials and CA bundle without requiring a restart

    • CRI: support for the v1 API following the removal of v1alpha2

    • CRI-O/OpenShift: support for nodes without podman; podman is not used when it can be avoided

  • Runtime Protection - daemon 1.0.0, probe 0.28.0-cp-7

    • Logging enhancements

    • Telemetry enhancements

    • Security enhancements