Skip to content

v3.4.0
Compare
Choose a tag to compare
@phbelitz phbelitz released this 15 Mar 17:44
· 63 commits to master since this release
v3.4.0
d510385
This commit was signed with the committer’s verified signature.
phbelitz Philipp Belitz
GPG key ID: 85B6EED7ECB78BD5
Learn about vigilant mode.

Connaisseur v3.4.0

Big news: We are switching programming languages from Python to Golang! 🎉💯
See #1513

Notable features

  • The policy rules now support a with.mode option that can be set to mutate or insecureValidateOnly, allowing the mutation of the image reference to be toggled on and off (the default is mutate, meaning references will be mutated; the alternative is considered insecure since it implies that while a trusted image is available, its use is not guaranteed 🤷).
  • A caching mechanism in the form of a Redis key-value store now stores the results of a validation for 30 seconds.
  • A new feature flag, resourceValidationMode, with supported values all and podsOnly. all is the default, causing Connaisseur to block all resources if they fail validation and mutate them if they pass. podsOnly will still validate all resources but only block and mutate Pod resources, while others are passed through with a warning (similar to PSA). This enhances compatibility with GitOps solutions like ArgoCD by preventing diffs on each reconciliation.
  • Notary now supports all TUF compliant keys.
  • Setting the with.trustRoot to * for a policy is now supported across all validators, allowing AND conjunctions for all defined trust roots within a validator.
  • Custom labels can be added (thanks to @jimonthebarn)

Contributors

jimonthebarn
Assets 2
Loading