v1.4.4

Added

• Experimental support for limiting the number of SVIDs in the agent's cache (#3181)
• Support for attesting Envoy proxy workloads when Istio is configured with holdApplicationUntilProxyStarts (#3460)

Changed

• Improved bundle endpoint misconfiguration diagnostics (#3395)
• OIDC Discovery Provider endpoint now has a timeout to read request headers (#3435)
• Small documentation improvements (#3443)

v1.4.3

Security

• Updated minimum TLS version to 1.2 for the k8s-workload-registrar CRD mode webhook and the oidc-discovery-provider when using ACME

v1.3.5

Security

• Updated minimum TLS version to 1.2 for the k8s-workload-registrar CRD mode webhook and the oidc-discovery-provider when using ACME

v1.4.2

Added:

• The X509-SVID Subject field now contains a unique ID to satisfy RFC 5280 requirements (#3367)
• Agents now shut down when banned (#3308)

Changed:

• Small documentation improvements (#3309, #3377)

v1.4.1

Security:

• Updated to Go 1.18.6 to address CVE-2022-27664

v1.3.4

Security:

• Updated to Go 1.18.6 to address CVE-2022-27664

v1.4.0

Added

• Support for Windows workload attestation on Kubernetes (#3191)
• Support for using RSA keys with Workload X509-SVIDs (#3237)
• Support for anonymous authentication to the Kubelet secure port when performing workload attestation on Kubernetes (#3273)

Deprecated

• The Node Resolver plugin type (#3272)

Fixed

• Persistence of the can_reattest flag during agent SVID renewal (#3292)
• A regression in behavior preventing an agent from re-attesting when it has been evicted (#3269)

Changed

• The Azure Node Attestor to optionally provide selectors (#3272)
• The Docker Workload Attestor now fails when configured with unknown options (#3243)
• Improved CRI-O support with Kubernetes workload attestation (#3242)
• Agent data stored on disk has been consolidated to a single JSON file (#3201)
• Agent and server data directories on Windows no longer inherit permissions from parent directory (#3227)
• Endpoints exposed using named pipes explicitly deny access to remote callers (#3236)
• Small documentation improvements (#3264)

Removed

• The deprecated webhook mode from the k8s-workload-registrar (#3235)
• Support for the configmap leader election lock type from the k8s-workload-registrar (#3241)

v1.3.3

Security

• Updated to Go 1.18.4 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962.

v1.2.5

Security

• Updated to Go 1.17.12 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962.

v1.3.2

Added

• Support for K8s workload attestation when the Kubelet is run as a standalone component (#3163)
• Optional health check endpoints to the OIDC Discovery Provider (#3151)
• Pagination support to the server entry show command (#3135)

Fixed

• A regression in workload SVID minting that caused DNS names not to be set in the SVID (#3215)
• A regression in the server that caused a panic instead of a clean shutdown if a plugin was misconfigured (#3166)

Changed

• Directories for UDS endpoints are no longer created by SPIRE on Windows (#3192)