Security Fixes
- Fixed HelperPod Template Injection, a high-severity HelperPod template injection vulnerability. A user with permission to edit the
local-path-configConfigMap could manipulatehelperPod.yamland cause the provisioner to create unsafe HelperPods during PVC provisioning or cleanup operations. This release adds HelperPod template validation to reject unsafe security-sensitive fields such as privileged containers,hostPathvolumes, and dangerous pod security settings.
What's Changed
- chore(ci): bump aquasecurity/trivy-action to v0.35.0 by @macedogm in #563
- chore: remove trivy-scan.yaml by @derekbit in #565
- chore: pin GH actions to commit sha by @c3y1huang in #564
- chore: use registry.suse.com/bci/golang by @derekbit in #566
- chore: remove dapper by @derekbit in #567
- chore: revert to golang:1.26.1-alpine image by @derekbit in #568
- chore: update to golang 1.26.2 by @derekbit in #570
- fix: update dockerfile by @derekbit in #574
- chore: pin kind, kubectl and kustomize versins by @derekbit in #575
- fix: qualify image references to avoid short-name resolution and Docker Hub rate limits by @bejaratommy in #573
- helm: make debug logging configurable via values by @bejaratommy in #572
- fix: add helper pod template validation by @derekbit in #576
- fix: relax helper pod template validation by @derekbit in #577
New Contributors
- @c3y1huang made their first contribution in #564
- @bejaratommy made their first contribution in #573
Full Changelog: v0.0.35...v0.0.36
Contributors
derekbit, macedogm, and 2 other contributors