Releases: spiffe/spire
v1.4.2
v1.4.1
Security:
- Updated to Go 1.18.6 to address CVE-2022-27664
v1.3.4
Security:
- Updated to Go 1.18.6 to address CVE-2022-27664
v1.4.0
Added
- Support for Windows workload attestation on Kubernetes (#3191)
- Support for using RSA keys with Workload X509-SVIDs (#3237)
- Support for anonymous authentication to the Kubelet secure port when performing workload attestation on Kubernetes (#3273)
Deprecated
- The Node Resolver plugin type (#3272)
Fixed
- Persistence of the can_reattest flag during agent SVID renewal (#3292)
- A regression in behavior preventing an agent from re-attesting when it has been evicted (#3269)
Changed
- The Azure Node Attestor to optionally provide selectors (#3272)
- The Docker Workload Attestor now fails when configured with unknown options (#3243)
- Improved CRI-O support with Kubernetes workload attestation (#3242)
- Agent data stored on disk has been consolidated to a single JSON file (#3201)
- Agent and server data directories on Windows no longer inherit permissions from parent directory (#3227)
- Endpoints exposed using named pipes explicitly deny access to remote callers (#3236)
- Small documentation improvements (#3264)
Removed
v1.3.3
Security
- Updated to Go 1.18.4 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962.
v1.2.5
Security
- Updated to Go 1.17.12 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962.
v1.3.2
Added
- Support for K8s workload attestation when the Kubelet is run as a standalone component (#3163)
- Optional health check endpoints to the OIDC Discovery Provider (#3151)
- Pagination support to the server entry show command (#3135)
Fixed
- A regression in workload SVID minting that caused DNS names not to be set in the SVID (#3215)
- A regression in the server that caused a panic instead of a clean shutdown if a plugin was misconfigured (#3166)
Changed
- Directories for UDS endpoints are no longer created by SPIRE on Windows (#3192)
v1.3.1
Added
- The windows workload attestor gained a new sha256 selector that can attest the SHA256 digest of the workload binary (#3100)
Fixed
- Database rows related to registration entries are now properly removed (#3127, #3132)
- Agent reduces bandwidth use by requesting only required information when syncing with the server (#3123)
- Issue with read-modify-write operations when using PostgreSQL datastore in hot standby mode (#3103)
Changed
v1.3.0
Added
- Experimental Windows support (https://github.com/spiffe/spire/projects/12)
- Ability to revert SPIFFE cert validation to standard X.509 validation in Envoy (#3009, #3014, #3020, #3034)
- Configurable leader election resource lock type for the K8s Workload Registrar (#3030)
- Ability to fetch JWT SVIDs and JWT Bundles on behalf of workloads via the Delegated Identity API (#2789)
- CanReattest flag to NodeAttestor responses to facilitate future features (#2646)
Fixed
- Spurious message to STDOUT when there is no plugin_data section configured for a plugin (#2927)
Changed
- SPIRE entries with malformed parent or SPIFFE IDs are removed on server startup (#2965)
- SPIRE no longer prepends slashes to paths passed to the API when missing (#2963)
- K8s Workload Registrar retries up to 5 seconds to connect to SPIRE Server (#2921)
- Improved error messaging when unauthorized resources are requested via SDS (#2916)
- Small documentation improvements (#2934, #2947, #3013)
Deprecated
- The webhook mode for the K8s Workload Registrar has been deprecated (#2964)