Security Profiles Operator release notes
The Security Profiles Operator provides a way to define secure computing (seccomp) and SELinux profiles as custom resources, synchronizing profiles to every node in a given namespace.
These release notes track the development of the Security Profiles Operator in OKD.
For an overview of the Security Profiles Operator, see Security Profiles Operator Overview.
Security Profiles Operator 0.7.1
The following advisory is available for the Security Profiles Operator 0.7.1:
New features and enhancements
Security Profiles Operator (SPO) now automatically selects the appropriate
selinuxd
image for RHEL 8- and 9-based RHCOS systems.Users that mirror images for disconnected environments must mirror both
selinuxd
images provided by the Security Profiles Operator.You can now enable memory optimization inside of an
spod
daemon. For more information, see Enabling memory optimization in the spod daemon.SPO memory optimization is not enabled by default.
The daemon resource requirements are now configurable. For more information, see Customizing daemon resource requirements.
The priority class name is now configurable in the
spod
configuration. For more information, see Setting a custom priority class name for the spod daemon pod.
Deprecated and removed features
- The default
nginx-1.19.1
seccomp profile is now removed from the Security Profiles Operator deployment.
Bug fixes
- Previously, a Security Profiles Operator (SPO) SELinux policy did not inherit low-level policy definitions from the container template. If you selected another template, such as net_container, the policy would not work because it required low-level policy definitions that only existed in the container template. This issue occurred when the SPO SELinux policy attempted to translate SELinux policies from the SPO custom format to the Common Intermediate Language (CIL) format. With this update, the container template appends to any SELinux policies that require translation from SPO to CIL. Additionally, the SPO SELinux policy can inherit low-level policy definitions from any supported policy template. (OCPBUGS-12879)
Known issue
- When uninstalling the Security Profiles Operator, the
MutatingWebhookConfiguration
object is not deleted and must be manually removed. As a workaround, delete theMutatingWebhookConfiguration
object after uninstalling the Security Profiles Operator. These steps are defined in Uninstalling the Security Profiles Operator. (OCPBUGS-4687)
Security Profiles Operator 0.5.2
The following advisory is available for the Security Profiles Operator 0.5.2:
This update addresses a CVE in an underlying dependency.
Known issue
- When uninstalling the Security Profiles Operator, the
MutatingWebhookConfiguration
object is not deleted and must be manually removed. As a workaround, delete theMutatingWebhookConfiguration
object after uninstalling the Security Profiles Operator. These steps are defined in Uninstalling the Security Profiles Operator. (OCPBUGS-4687)
Security Profiles Operator 0.5.0
The following advisory is available for the Security Profiles Operator 0.5.0:
Known issue
- When uninstalling the Security Profiles Operator, the
MutatingWebhookConfiguration
object is not deleted and must be manually removed. As a workaround, delete theMutatingWebhookConfiguration
object after uninstalling the Security Profiles Operator. These steps are defined in Uninstalling the Security Profiles Operator. (OCPBUGS-4687)