lagoon-core v2.2.0
This release is built on the https://github.com/uselagoon/lagoon-images/releases/tag/21.10.0 images
Three important Alpha stability features here:
Add default Kubernetes network policy support by @smlx in #2536
In order to better provide namespace isolation, a NetworkPolicy has been implemented to prevent inter-namespace communication. This can be enabled in a number of fashions:
- Forced for all namespaces in the controller (via variable
LAGOON_FEATURE_FLAG_FORCE_ISOLATION_NETWORK_POLICY=true
) - Individually per project or environment (via variable
LAGOON_FEATURE_FLAG_ISOLATION_NETWORK_POLICY=true
) - Set as default for all namespaces in the controller (via variable
LAGOON_FEATURE_FLAG_DEFAULT_ISOLATION_NETWORK_POLICY=true
)
Implement rootless workloads by @smlx in #2481
In order to better provide protection against workloads running as root, a SecurityContext has been set for services, along with an init container that will ensure namespaces have the correct permissions in their file storage. This can be enabled in a number of fashions:
- Forced for all namespaces in the controller (via variable
LAGOON_FEATURE_FLAG_FORCE_ROOTLESS_WORKLOAD=true
) - Individually per project or environment (via variable
LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD=true
) - Set as default for all namespaces in the controller (via variable
LAGOON_FEATURE_FLAG_DEFAULT_ROOTLESS_WORKLOAD=true
)
Validate ingress annotation snippets against an allow-list by @tobybellwood in #2889
There is now a lagoon-linter step that runs as part of the build & deploy process that will inspect defined routes for correct configuration of nginx annotation snippets (in response to CVE-2021-25742. Instead of disallowing snippets entirely (which is the current recommended remediation), Lagoon has opted to utilise a linter (https://github.com/uselagoon/lagoon-linter) to process an allowlist of defined snippets. The catch here is that the linter will not lint files that are not valid YAML.
To check a .lagoon.yml file yourself, download and extract the binary from https://github.com/uselagoon/lagoon-linter/releases and run it against your .lagoon.yml file locally. If the linter exits successfully (no output), the file is ok.
What's Changed
- update refs in makefile by @tobybellwood in #2884
- docs: make clear where .env files are loaded from by @pmelab in #2886
- Add default Kubernetes network policy support by @smlx in #2536
- Additional SSH service changes by @shreddedbacon in #2881
- Validate ingress annotation snippets against an allow-list by @tobybellwood in #2889
- Document new feature flags by @smlx in #2541
- Add fastly configuration to autogenerated routes if enabled by @shreddedbacon in #2883
- Implement rootless workloads by @smlx in #2481
New Contributors
Full Changelog: v2.1.0...v2.2.0