lagoon-core v2.2.0

github-actions released this 29 Oct 09:47
6068c29

This release is built on the lagoon-images 21.10.0 images: https://github.com/uselagoon/lagoon-images/releases/tag/21.10.0

This release includes three important Alpha stability features:

Add default Kubernetes network policy support by @smlx in #2536

To provide better namespace isolation, a NetworkPolicy has been implemented that prevents inter-namespace communication. It can be enabled in several ways:

  • Forced for all namespaces in the controller (via variable LAGOON_FEATURE_FLAG_FORCE_ISOLATION_NETWORK_POLICY=true)
  • Individually per project or environment (via variable LAGOON_FEATURE_FLAG_ISOLATION_NETWORK_POLICY=true)
  • Set as default for all namespaces in the controller (via variable LAGOON_FEATURE_FLAG_DEFAULT_ISOLATION_NETWORK_POLICY=true)

Implement rootless workloads by @smlx in #2481

To provide better protection against workloads running as root, a SecurityContext has been set for services, along with an init container that ensures namespaces have the correct permissions on their file storage. It can be enabled in several ways:

  • Forced for all namespaces in the controller (via variable LAGOON_FEATURE_FLAG_FORCE_ROOTLESS_WORKLOAD=true)
  • Individually per project or environment (via variable LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD=true)
  • Set as default for all namespaces in the controller (via variable LAGOON_FEATURE_FLAG_DEFAULT_ROOTLESS_WORKLOAD=true)

Validate ingress annotation snippets against an allow-list by @tobybellwood in #2889

A lagoon-linter step now runs as part of the build & deploy process and inspects defined routes for correct configuration of nginx annotation snippets (in response to CVE-2021-25742). Instead of disallowing snippets entirely (which is the current recommended remediation), Lagoon has opted to use a linter (https://github.com/uselagoon/lagoon-linter) to process an allowlist of defined snippets. The catch here is that the linter will not lint files that are not valid YAML.

To check a .lagoon.yml file yourself, download and extract the binary from https://github.com/uselagoon/lagoon-linter/releases and run it against your .lagoon.yml file locally. If the linter exits successfully (no output), the file is OK.
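
One way to check an nginx annotation snippet against an allow-list, as an added example that is not lagoon-linter's own code. It works on snippet text already extracted from a route annotation; the allow-list contents, the function name `disallowed` and the sample snippet are assumptions made for illustration.

```python
# Hypothetical allow-list for this example; lagoon-linter defines the real one.
ALLOWED = {"add_header", "rewrite"}


def disallowed(snippet):
    """Return what an allow-list check would reject in one nginx snippet.

    Quotes and '#' comments only count at the start of a token, so neither can
    hide a later directive. Braces and unterminated input are always rejected.
    """
    bad, cur = [], []
    quote, escaped, comment, token_start = None, False, False, True
    for ch in snippet:
        if comment:  # a comment runs to the end of the line
            comment = ch != "\n"
            continue
        if escaped or ch == "\\":  # backslash makes the next character literal
            escaped, token_start = not escaped, False
        elif quote:
            quote = None if ch == quote else quote
        elif ch in "\"'" and token_start:
            quote, token_start = ch, False
        elif ch == "#" and token_start:
            comment = True
            continue
        elif ch in ";{}":  # end of one statement: check its directive name
            words = "".join(cur).split()
            if words and words[0] not in ALLOWED:
                bad.append(words[0])
            if ch != ";":  # the allowed directives never need block syntax
                bad.append(ch)
            cur, token_start = [], True
            continue
        else:
            token_start = ch in " \t\r\n"
        cur.append(ch)
    # Fail closed on an open quote, a dangling backslash or a missing ';'.
    if quote or escaped or "".join(cur).strip():
        bad.append("<unterminated>")
    return bad


# Constructed sample snippet, not taken from any real .lagoon.yml.
SAMPLE = "# cache hint\nrewrite ^/old$ /new permanent;\nroot /srv;\n"

if __name__ == "__main__":
    print(disallowed(SAMPLE))
```

An empty list means every directive in the snippet is on the allow-list; anything else names the directive or syntax that would be rejected.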

What's Changed

New Contributors

Full Changelog: v2.1.0...v2.2.0