Release date: 2023-05-09
This prerelease comes with updates to the OCI related packages.
Improvements:
- Update dependencies #372
Release date: 2023-03-31
This prerelease adds support for Azure Workload Identity when using
provider: azure
in ImageRepository
objects.
In addition, the controller now supports horizontal scaling using sharding based on a label selector.
The new --watch-label-selector
lets operators provide a label to the controller manager
which in turn uses it to reconcile only those resources
(ImageRepositories
and ImagePolicies
) that match the given label expression.
This way operators can deploy multiple instances of IRC, each reconciling a distinct set of resources based on their labels and effectively scale the controller horizontally.
If sharding is enabled, all ImagePolicy
resources can only refer
to those ImageRepository
resources that are captured by the exact
same label selector as the ImagePolicies
.
Improvements:
- Add reconciler sharding capability based on label selector #365
- Enable Workload Identity for Azure #363
- Move
controllers
tointernal/controllers
#362
Release date: 2023-03-20
This prerelease fixes a bug in the reconcilers due to which an error log due to some failure may contain previous successful reconciliation message.
Fixes:
- Fix error logs with stale success message #357
Improvements:
- chore: migrate from k8s.gcr.io to registry.k8s.io #358
Release date: 2023-03-08
This prerelease re-instantiates the --aws-autologin-for-ecr
,
--gcp-autologin-for-gcr
and --azure-autologin-for-acr
flags which became
deprecated in v0.25.0
, after receiving feedback of it complicating
upgrading gradually. The flags will now be removed in the future, and at least
one minor version after this release. We are sorry for any inconvenience this
may have caused.
In addition, klog
is now configured to log using the same logger as the rest
of the controller (providing a consistent log format).
Lastly, the controller is now built with Go 1.20, and the dependencies have been updated to their latest versions.
Improvements:
- Update Go to 1.20 #347
- Update dependencies #349 #351
- Use
logger.SetLogger
to also configureklog
#350 - Fallback to autologin flags if no provider is specified #353
Release date: 2023-02-16
This prerelease graduates the ImageRepository
and ImagePolicy
APIs to
v1beta2.
After upgrading the controller to v0.25.0, please update the ImageRepository
and ImagePolicy
Custom Resources in Git by replacing
image.toolkit.fluxcd.io/v1beta1
with image.toolkit.fluxcd.io/v1beta2
in all
YAML manifests.
The specifications for the v1beta2
API
have been written in a new format with the aim to be more valuable to a user.
Featuring separate sections with examples, and information on how to write
and work with them.
ImageRepository
and ImagePolicy
resources will now advertise more explicit
Condition types, provide Reconciling
and Stalled
Conditions where applicable
for better integration with
kstatus
,
and record the Observed Generation on the Condition.
The ImageRepository
objects will now show the ten latest scanned tags, which
can be helpful in troubleshooting to see a sample of the tags that have been
scanned.
status:
...
lastScanResult:
latestTags:
- latest
- 6.3.3
- 6.3.2
- 6.3.1
- 6.3.0
- 6.2.3
- 6.2.2
- 6.2.1
- 6.2.0
- 6.1.8
scanTime: "2023-02-07T19:18:01Z"
tagCount: 41
The ImagePolicy
objects will now keep a record of the previous image in the
status and include it in the update message in the events and notifications.
Status:
status:
...
latestImage: ghcr.io/stefanprodan/podinfo:6.2.1
observedPreviousImage: ghcr.io/stefanprodan/podinfo:6.2.0
Event/notification message:
Latest image tag for 'ghcr.io/stefanprodan/podinfo' updated from 6.2.0 to 6.2.1
The autologin flags (--aws-autologin-for-ecr
, --gcp-autologin-for-gcr
and
--azure-autologin-for-acr
) have been deprecated to bring the Image API closer
to the Source API, where cloud provider contextual login is configured at object
level with .spec.provider
. Usage of these flags will result in a logged error.
Please update all the ImageRepository
manifests that require contextual login
with the new field .spec.provider
and the appropriate cloud provider value;
aws
, gcp
, or azure
. Refer the
docs for
more details and examples.
Improvements:
Release date: 2023-02-01
This prerelease disables caching of Secrets and ConfigMaps to improve memory
usage. To opt-out from this behavior, start the controller with:
--feature-gates=CacheSecretsAndConfigMaps=true
.
In addition, the controller dependencies have been updated to Kubernetes v1.26.1 and controller-runtime v0.14.2. The controller base image has been updated to Alpine 3.17.
Improvements:
- ImagePolicy: Add predicates to filter events #334
- Update dependencies #335
- build: Enable SBOM and SLSA Provenance #336
- Disable caching of Secrets and ConfigMaps #337
Release date: 2022-12-20
This prerelease comes with dependency updates and improvements to the fuzzing.
Improvements:
- Update dependencies #331
- fuzz: Use build script from upstream #330
- fuzz: Improve fuzz tests' reliability #329
Release date: 2022-11-18
This prerelease comes with the removal of the v1alpha1
and v1alpha2
API versions which were deprecated in 2021.
Improvements:
- Use Flux Event API v1beta1 #321
- Remove deprecated alpha APIs #323
- Remove nsswitch.conf creation #326
- Update dependencies #327
Release date: 2022-10-28
This prerelease comes with dependency updates to patch upstream CVEs.
The controller dependencies have been updated to Kubernetes v1.25.3.
The golang.org/x/text
package has been updated to v0.4.0 (fix for CVE-2022-32149).
Improvements:
- Update dependencies #319
Release date: 2022-09-27
This prerelease comes with strict validation rules for API fields which define a
(time) duration. Effectively, this means values without a time unit (e.g. ms
,
s
, m
, h
) will now be rejected by the API server. To stimulate sane
configurations, the units ns
, us
and µs
can no longer be configured, nor
can h
be set for fields defining a timeout value.
In addition, the controller dependencies have been updated to Kubernetes controller-runtime v0.13.
ImageRepository.spec.interval
new validation pattern is"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
ImageRepository.spec.timeout
new validation pattern is"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
Improvements:
- api: add custom validation for v1.Duration types #314
- Update dependencies #315
- Dockerfile: Build with Go 1.19 #317
Release date: 2022-09-09
This prerelease comes with improvements to fuzzing. In addition, the controller dependencies have been updated to Kubernetes controller-runtime v0.12.
Improvements:
- Align controller logs to Kubernetes structured logging #306
- Refactor Fuzzers based on Go native fuzzing #308
- Fuzz optimisations #307
Release date: 2022-08-29
This prerelease comes with panic recovery, to protect the controller from crashing when reconciliations lead to a crash.
In addition, the controller dependencies have been updated to Kubernetes v1.25.0.
Improvements:
Release date: 2022-08-08
This prerelease replaces the cloud provider registry auto-login code with the new github.com/fluxcd/pkg/oci package. It also comes with some minor improvements and updates dependencies to their latest versions.
Improvements:
- tests: Move common provider helpers to tftestenv #288
- tests/integration: Use terraform modules and test-infra/tftestenv #292
- Use fluxcd/pkg/oci #293
- Update pkg/oci to v0.2.0 #295
- Add flags to configure exponential back-off retry #297
- Update dependencies #298
- Skip error policy reconciliation if no tags are found #300
Release date: 2022-07-26
This prerelease comes with fix for a bug introduced in the last release during the refactoring of the cloud provider registry auto-login. When a cloud provider registry is identified, but is not configured for auto-login, to continue attempting scan as public repository, an unconfigured provider error is ignored.
Fixes:
- imagerepo: Continue scan for unconfigured provider #290
Improvements:
Release date: 2022-07-13
This prerelease comes with some minor improvements and updates dependencies to patch upstream CVEs.
Fixes:
- Fix spelling mistake in azure/exchanger.go #265
Improvements:
- build: Upgrade to Go 1.18 #281
- Add native registry login tests for EKS, AKS and GKE #275
- Introduce registry package #276
- tests/int: ECR force delete and use go 1.18 #282
- Update dependencies #280 #283
Release date: 2022-06-24
This prerelease comes with finalizers to properly record the reconciliation metrics for deleted resources.
Improvements:
- Add finalizers to
ImagePolicy
andImageRepository
resources #266
Fixes:
Release date: 2022-06-08
This prerelease comes with improvements to the ImageRepository
validation.
In addition, the controller dependencies where update to Kubernetes v1.24.1.
Improvements:
Release date: 2022-05-27
This prerelease adds support for excluding certain tags when defining ImageRepositories
.
The spec.exclusionList
field can be used to specify a list of regex expressions.
If the exclusion list is empty, by default the regex "^.*\\.sig$"
is used
to exclude all tags ending with .sig
, since these are
cosign OCI artifacts and not container
images which can be deployed on a Kubernetes cluster.
Features:
- Add
exclusionList
to ImageRepository API #256
Improvements:
Release date: 2022-05-03
This prerelease adds support for defining a .spec.serviceAccountName
in
ImageRepository
objects. When specified, the image pull secrets attached to
the ServiceAccount are used to authenticate towards the registry.
Features:
Improvements:
- Update dependencies #254
Other notable changes:
- Rewrite all the tests to testenv with gomega #249
Release date: 2022-04-19
This prerelease updates dependencies to their latest versions.
Improvements:
- Update dependencies #247
Fixes:
- Align version of dependencies when Fuzzing #243
Release date: 2022-03-23
This prerelease ensures the API objects fully adhere to newly introduced
interfaces, allowing them to work in combination with e.g. the
conditions
package.
Improvements:
- Implement
meta.ObjectWithConditions
interfaces #241
Release date: 2022-03-21
This prerelease updates various dependencies to their latest versions, thereby eliminating at least 13 OSVs, and preparing the code base for more standardized controller runtime operations.
In addition, the Azure Scope has been fixed to work correctly with Azure Environment Credentials.
Improvements:
- Refactor logging to be more consistent #232
- Update dependencies #234 #236 #238
- Update
pkg/runtime
andapis/meta
#235
Fixes:
- Invalid Azure Scope #231
- Refactor registry test code and fix fuzz integration #233
- Run tidy before Go test #240
Release date: 2022-01-31
This prerelease comes with support for automatically getting credentials from Azure and Google Cloud when scanning images in ACR and GCR. To configure autologin for ACR, ECR or GCR please see the cloud providers authentication guide.
Platform admins can disable cross-namespace references with the
--no-cross-namespace-refs=true
flag. When this flag is set,
image policies can only refer to image repositories in the same namespace
as the policy object, preventing tenants from accessing another tenant's repositories.
Starting with this version, the controller deployment conforms to the Kubernetes restricted pod security standard:
- all Linux capabilities were dropped
- the root filesystem was set to read-only
- the seccomp profile was set to the runtime default
- run as non-root was enabled
- the user and group ID was set to 65534
Breaking changes:
- The use of new seccomp API requires Kubernetes 1.19.
- The controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user ID of 'controller' in their PodSecurityPolicy.
Features:
- Get credentials from GCP/Azure when needed #194
- Allow disabling cross-namespace references to image repositories #228
Improvements:
- Publish SBOM and sign release artifacts #227
- Drop capabilities, enable seccomp and enforce runAsNonRoot #223
- Refactor Fuzz implementation #221
- Clarifications for auto-login feature #219
Fixes:
- Fix scheme validation check when using host:port #222
- Fix makefile envtest and controller-gen usage #218
Release date: 2022-01-07
This prerelease comes with an update to the Kubernetes and controller-runtime dependencies to align them with the Kubernetes 1.23 release.
In addition, the controller is now built with Go 1.17 and Alpine 3.15.
Improvements:
Release date: 2021-11-23
This prerelease updates Alpine to v3.14, and several dependencies to their latest
version. Solving an issue with rest_client_request_latency_seconds_.*
high
cardinality metrics.
To enhance the experience of consumers observing the ImagePolicy
and ImageRepository
objects using kstatus
, a default of -1
is now configured for the observedGeneration
to ensure it does not report a false positive in the time the controller has not marked
the resource with a Ready
condition yet.
Improvements:
- Set default observedGeneration to -1 #189
- Update Alpine to v3.14 #203
- Update dependencies #204
- Update github.com/opencontainers/image-spec to v1.0.2 #205
Release date: 2021-11-12
This prerelease comes with a regression bug fix for when policies reference repositories in the same namespace.
Fixes:
- Fix watched same-ns image repos trigger reconcile #199
Release date: 2021-11-11
This prerelease comes with a bug fix for when policies reference repositories across namespaces.
Fixes:
- Watched cross-ns image repos trigger reconcile #196
Release date: 2021-10-19
This prerelease adds experimental support for automatically getting credentials from AWS when scanning an image in Elastic Container Registry (ECR).
Improvements:
- Get credentials from AWS ECR when needed #174
Release date: 2021-10-08
This prerelease comes with an (experimental) introduction of ACLs for allowing cross-namespace
access to ImageRepository
resources. You can read more about how they work in the
pull request that
introduced them.
In addition, a bug has been fixed that caused the controller to segfault when a malformed SemVer was defined.
Improvements:
- [RFC] Add ACL support for allowing cross-namespace access to image repository #162
Fixes:
- policy: Handle failure due to invalid semver range #172
Release date: 2021-08-05
This prerelease comes with an update to the Kubernetes and controller-runtime
dependencies to align them with the Kubernetes v1.21.3
release, including an update
of Badger to v3.2103.1
.
Improvements:
- Update dependencies #160
Release date: 2021-06-28
This prerelease promotes the API version from v1alpha2
to v1beta1
.
v1alpha2
and v1beta1
APIs.
You may wish to migrate v1alpha2
YAML files to v1beta1
, in
preparation for v1alpha2
being deprecated (eventually; there is no
date set at the time of writing). This is simply a case of setting the
apiVersion
field value:
`apiVersion: image.toolkit.fluxcd.io/v1beta1`
Improvements:
- Let people set the number of controller workers with a flag #153
Release date: 2021-06-10
This prerelease comes with an update to the Kubernetes and controller-runtime
dependencies to align them with the Kubernetes 1.21 release, including an update
of Badger to v3.2103.0
.
Improvements:
- Better error reporting for image policy evaluation #144
- Update Go and Badger #149
- Update dependencies #150
- Add nightly builds workflow and allow RC releases #151
Release date: 2021-04-29
This prerelease comes with improvements to error reporting.
Fixes:
Release date: 2021-04-21
This prerelease comes with breaking changes to the image.toolkit.fluxcd.io
APIs.
The v1alpha1
APIs have been promoted to v1alpha2
, while the version has
changed the API definitions have not, and upgrading can be done by changing
the version in your manifests for the ImageRepository
and ImagePolicy
kinds.
Improvements:
Fixes:
- Parse docker auths and use only hostname #119
Release date: 2021-04-06
This prerelease comes with a breaking change to the leader election ID
from e189b2df.fluxcd.io
to image-reflector-controller-leader-election
to be more descriptive. This change should not have an impact on most
installations, as the default replica count is 1
. If you are running
a setup with multiple replicas, it is however advised to scale down
before upgrading.
The controller exposes a gauge metric to track the suspended status
of ImageRepository
objects: gotk_suspend_status{kind,name,namespace}
.
Improvements:
- Set leader election deadline to 30s #125
- Record suspension metrics #123
Release date: 2021-03-16
This prerelease comes with updates to the runtime packages.
Improvements:
- Update dependencies #121
Fixes:
- Fix
last scan
print column forImageRepository
#119
Release date: 2021-02-24
This prerelease comes with various updates to the controller's
dependencies; most notable the go-containerregistry
library
was upgrade from v0.1.1
to v0.4.0
.
The Kubernetes custom resource definitions are packaged as a multi-doc YAML asset and published on the GitHub release page.
Improvements:
Release date: 2021-02-12
This prerelease comes with support for defining policies with numerical ordering.
Features:
Improvements:
Release date: 2021-02-01
This prerelease comes with support for supplying a client cert, key and CA (self-singed TLS) to be used for authentication with container image registries.
Release date: 2021-01-22
This prerelease comes with a new argument flag to set the database's
memory mapped value log file size in bytes (--storage-value-log-file-size
),
with a 32bit ARMv7 friendly default of 1<<28
(256MiB
).
Release date: 2021-01-21
This prerelease comes with two new argument flags,
introduced to support configuring the QPS
(--kube-api-qps
) and burst (--kube-api-burst
) while communicating
with the Kubernetes API server.
The LocalObjectReference
from the Kubernetes core has been replaced
with our own, making the name
a required field. The impact of this
should be limited to direct API consumers only, as the field was
already required by controller logic.
Release date: 2021-01-16
This prerelease comes with updates to Kubernetes and Badger dependencies. The Kubernetes packages were updated to v1.20.2 and Badger to v3.2011.0.
Release date: 2021-01-13
This is the second MINOR prerelease, adding support for selecting images using regular expressions.
Other notable changes:
controller-runtime
dependency has been upgraded tov0.7.0
.- The container image for ARMv7 and ARM64 that used to be published
separately as
image-reflector-controller:*-arm64
has been merged with the AMD64 image.
Release date: 2020-12-10
This is the first prerelease of image-reflector-controller and its API. The purpose of the controller is to scan image repositories, and calculate a "latest image" according to some specification. Automation (e.g., the image-automation-controller) can use that information to run updates, so that the latest image is deployed.
The controller and API conform to the conventions of the GitOps
Toolkit, so will be compatible with (and soon, included in) the flux
CLI and dashboards and so on.
This release supports:
- supplying a docker-registry secret as credentials for accessing an image repository
- selecting images according to a semver range.
- selecting images according to alphabetical order (ascending or descending)
- keeping the database on a volume (e.g., a PersistentVolumeClaim) so that it survives restarts