Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 14 Next »

15.1.23

Workload Protection for Kubernetes:

Description:

UI changes-

  • Workload Protection Menu

◦ Rename “Image Assurance” -> “Vulnerabilities”, “Vulnerabilities” -> “Findings”

  • GSL Builder

◦ Rename  “Image Assurance”  to "Workload Vulnerability"
◦ Add Package, Malware and Insecure content
◦ Mark "Finding" and "ImageScan" as Deprecated

  • Notification

◦ Rename "Image Assurance - Image Scan only" to "Vulnerability Scanning"

3.12.23

Workload Protection for Kubernetes: helm 2.25.0

Description:

Image Assurance 2.27.0

  • Fix “Internal error” image scan errors: on nodes with containerd Container runtime configured to discard compressed image layers once they were unpacked. Affects GKE 1.27+ and all EKS with AMIs released after July 28 2023 

Admission Control Enforcer 2.10.0

  • Fix escaping in GSL if regular expression defined.

Affected Components: CloudGuard Workload Protection agents

19.11.23

Workload Protection for Kubernetes: helm 2.24.3

Description:

Image Assurance 2.25.0

  • support Sonatype Nexus Registry scan

All features: Inventory 1.13.0; Image Assurance 2.25.0; Admission Control: enforcer 2.9.0, policy 1.7.0; Runtime Protection: policy 1.7.0; Flow Logs 0.12.0

  • improved telemetry

  • security enhancements

Affected Components: CloudGuard Workload Protection agents

24.10.23

Workload Protection for Kubernetes: helm 2.23.0

Description:

  • Admission Control: enforcer 2.8.0, policy 1.6.0

    • Enforcer server receives requests on port 8443 instead of port 8080

  • Image Assurance 2.23.0

    • When scanning an ECR Container Registry from an EKS cluster, a custom IAM Role can be used for access control (within the same AWS account or across accounts)

  • Runtime Protection: policy 1.5.0

    • Adjust support for Pod Security Policy

  • Flow Logs 0.10.0

    • Improved telemetry

  • Inventory 1.11.1

    • GKE Autopilot support

  • All features

    • Support for GKE Autopilot (except for Runtime Protection)

    • Do not attempt to run Daemonset pods on Fargate nodes that are not supported

Affected Components: CloudGuard Workload Protection agents

12.9.23

Fix agent status for GKE autopilot in compliance

Agent Status Support for GKE Autopilot Clusters

30.7.23

Helm 2.22.0 release-

Workload Protection for Kubernetes: helm 2.22.0

Runtime Protection daemon 1.8.8

  • added some security enhancements

25.6.23

Helm 2.21.0 release-

  • Support for GKE Autopilot (except for Runtime Protection)

  • Configure agents with node-critical and cluster-critical priority classes by default (improved support for clusters with small nodes)

  • Helm installation speedup

  • Support multiple DaemonSet configurations per node pool

  • Runtime Protection: keep running if EBPF probe can't be built/loaded; multiple optimizations

  • Inventory: Improved support for large inventory of Kubernetes resources

  • Change imageScan.mountPodman default to false (reduce dependencies on node configuration)

1.6.23

Return time zone-

Due to a wrong timezone that was presented at the UI,
we should send the timezone (in iso date format) from the APIs

RP partial profiling code-

  • Resolved issue of Workloads' profiles getting stuck on “Waiting for startup”

  • Enabled the creation and enforcement of Partial Profiles

Agent status report CSV api-

path: kubernetes/account/agentStatusReportCSV

Added API that returns status of all the agents in the account (that user has permission to their clusters)

Allow offboarding through old controller (Terraform)-

align the code in the old controller API to the new one, so disabling TI will work the same, and therefore, also offboarding with terraform

UI- Containers Improvements - 1.6.23

Workloads Images redesign

In our commitment to enhancing the efficiency and usability of our platform, we have successfully migrated our old protected assets to a React-based infrastructure. This new development brings better performance, faster load times, and improved user experience.

Kubernetes Version in Environment Table:

To provide more detailed information about each environment, we've added a new column to the Environments table that shows the version of Kubernetes (K8s) running in each environment. This enhancement will give users a better understanding of their infrastructure and help them plan upgrades more effectively.

Kubernetes - Helm 2.20.1 EA branch: GKE Autopilot Support, priority class enhancements

Type: New Feature

Description:

The following features have been added to the Helm EA branch:

Allow specifying priority class per agent. Set 'cluster-critical' and 'node-critical' priority class for agents by default

Autopilot Supported Blades: Inventory, Compliance, Image Assurance, Admission Controller and Threat Intelligence

Known limitations:

Auto-detection of Autopilot is not supported (i.e., installation may fail if platform is not set explicitly)

Autopilot versions prior to 1.25 are not supported

Helm 2.20.0 Release Content

  • Image Assurance 2.21.0:

    • Improvements for slow networks and large images

  • Runtime Protection | runtime-daemon 1.6.2, runtime-probe 0.30.2-cp-3, runtime-cos-compat 0.0.9

    • Google COS support for File Reputation engine

    • Security enhancements

    • Profiling engine improvements - better detection of startup event

    • Reduced Memory & CPU footprint

  • All features

    • FluentBit removal

2.19.1: IA: Artifactory auto-discovery, CRI v1 etc.; RP: enhancement.

  • Image Assurance 2.20.1

    • Support JFrog Artifactory auto-discovery

      • When onboarding an Artifactory instance to CloudGuard you should provide the FQDN of the Artifactory server. CloudGuard will scan images of all discovered sub-registries

    • Agents load updated registry credentials and CA bundle without requiring a restart

    • CRI: support v1 API following v1alpha2 removal

    • CRI-O/Openshift: support nodes without podman, do not use podman if possible

  • Runtime Protection - daemon 1.0.0, probe 0.28.0-cp-7

    • Logging enhancements

    • Telemetry enhancements

    • Security enhancements

  • No labels