Merge pull request #320 from fluxcd/release-v0.21.0

Release v0.21.0
fluxcd · Jan 28, 2022 · 402e029 · 402e029
2 parents ecd5df6 + 3162e0b
commit 402e029
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,54 @@
 
 All notable changes to this project are documented in this file.
 
+## 0.21.0
+
+**Release date:** 2022-01-28
+
+This prerelease comes with security improvements for multi-tenant clusters.
+
+Platform admins can disable cross-namespace references with the
+`--no-cross-namespace-refs=true` flag.
+When this flag is set, alerts can only refer to event sources in the same namespace
+as the alert object, preventing tenants from subscribing to another tenant's events.
+
+Starting with this version, the controller deployment conforms to the
+Kubernetes [restricted pod security standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted):
+- all Linux capabilities were dropped
+- the root filesystem was set to read-only
+- the seccomp profile was set to the runtime default
+- run as non-root was enabled
+- the user and group ID was set to 65534
+
+**Breaking changes**:
+- The use of new seccomp API requires Kubernetes 1.19.
+- The controller container is now executed under 65534:65534 (userid:groupid).
+  This change may break deployments that hard-coded the user ID of 'controller' in their PodSecurityPolicy.
+
+Features:
+* Pass headers to generic provider through secretRef
+  [#317](https://github.com/fluxcd/notification-controller/pull/317)
+
+Improvements:
+* Allow disabling cross-namespace event sources
+  [#319](https://github.com/fluxcd/notification-controller/pull/319)
+* Drop capabilities, enable seccomp and enforce runAsNonRoot
+  [#313](https://github.com/fluxcd/notification-controller/pull/313)
+* Publish SBOM and sign release artifacts
+  [#314](https://github.com/fluxcd/notification-controller/pull/314)
+* Add fuzz testing for notifiers
+  [#306](https://github.com/fluxcd/notification-controller/pull/306)
+* Add documentation for gitea
+  [#308](https://github.com/fluxcd/notification-controller/pull/308)
+* Update development documentation
+  [#309](https://github.com/fluxcd/notification-controller/pull/309)
+
+Fixes:
+* Fix(Provider/Matrix): Load CA from CertSecretRef
+  [#318](https://github.com/fluxcd/notification-controller/pull/318)
+* Fix the missing protocol for the first port in manager config
+  [#315](https://github.com/fluxcd/notification-controller/pull/315)
+
 ## 0.20.1
 
 **Release date:** 2022-01-11

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -6,4 +6,4 @@ resources:
 images:
   - name: fluxcd/notification-controller
     newName: fluxcd/notification-controller
-    newTag: v0.20.1
+    newTag: v0.21.0
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/Azure/azure-amqp-common-go/v3 v3.1.0
 	github.com/Azure/azure-event-hubs-go/v3 v3.3.7
 	github.com/containrrr/shoutrrr v0.4.4
-	github.com/fluxcd/notification-controller/api v0.20.1
+	github.com/fluxcd/notification-controller/api v0.21.0
 	github.com/fluxcd/pkg/apis/meta v0.11.0-rc.3
 	github.com/fluxcd/pkg/runtime v0.13.0-rc.8
 	github.com/fluxcd/pkg/ssa v0.11.1