Skip to content

v0.9.2
Compare
Choose a tag to compare
@pinniped-ci-bot pinniped-ci-bot released this 15 Jun 14:41
v0.9.2
e06c696
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Release v0.9.2

Release Images

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.9.2 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.9.2 DockerHub

Changes

Pinniped v0.9.2 is a small security hardening release on top of the recent v0.9.1 release.

Minor Changes

  • We've made several changes to harden the impersonation proxy against potential future security vulnerabilities. These changes are proactive based on our understanding of potential issues:

    • The impersonation proxy now always authorizes every request, rather than deferring authorization to the Kubernetes API.

    • The impersonation proxy now uses a distinct service account with no RBAC privileges other than impersonation.

    • On clusters where anonymous authentication is disabled (such as AKS), the impersonation proxy now refuses anonymous requests. The Pinniped TokenCredentialRequest API is still allowed, since it is necessarily a pre-authentication API.

  • Upgraded Go from 1.16.4 to 1.16.5.

Diffs

A complete list of changes (16 commits, 15 changed files with 1,197 additions and 210 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

Assets 9
Loading