3.27.0.preview2

What's Changed

• msft-preview: runtime: upgrade to CH v51.1 by @Redent0r in #440

Full Changelog: 3.27.0.preview1...3.27.0.preview2

3.19.1.kata3

What's Changed

• ci: Delete codeql.yml by @manuelh-dev in #390
• Re-add codeql.yml with proper branches by @manuelh-dev in #391
• Revert "runtime: fix error when using the debug console" by @manuelh-dev in #388
• node-builder: fix typo in string comparison by @sprt in #392
• docs: node-builder: fix static check error by @sprt in #394
• runtime: fix make test by @sprt in #393
• docs: node-builder: Remove references to moby-containerd-cc by @manuelh-dev in #399
• Cherry pick static-checks fixes from upstream by @sprt in #398
• runtime: Enforce that OCI memory limit exceeds configurable 128MB baseline by @Camelron in #389
• runtime: Set disable_image_nvdimm=true to disable pmem by @Camelron in #402
• cherry-pick: ci: static-checks: Don't hardcode default repo branch by @sprt in #403
• network: preseed default-gateway neighbor by @Redent0r in #407
• Cherry-pick upstream CI hardening commits and eliminate pull_request_target by @sprt in #411
• cherry-pick: ci: Run Zizmor on pushes to any branch by @sprt in #413
• runtime: clh: Use msft/v41.0.139 API YAML by @Redent0r in #414
• ci: security: Cherry-pick all Zizmor fixes from upstream by @sprt in #416
• webhook: enforce min memory limits and allow privileged containers by @Redent0r in #418
• cherry-pick: agent/rustjail: Fix double free in TTY handling by @sprt in #420
• agent: disable detect_initdata_device by @danmihai1 in #422
• version: Bump sirupsen/logrus by @Sumynwa in #426
• msft-main: runtime: upgrade to CH v51.1 by @Redent0r in #439

Full Changelog: 3.19.1.kata2...3.19.1.kata3

3.27.0.preview1

Release Notes:

First preview release based on upstream 3.27.0

What's Changed:

• Added GPU cold plug support

3.2.0.azl3.genpolicy4

Release Notes:

Update policy engine to use new AKS pause image

What's Changed:

genpolicy: use newer AKS pause container image

Full Changelog: 3.2.0.azl3.genpolicy3...3.2.0.azl3.genpolicy4

Limitations and important notes

• UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
• Only supports pods that use IPv4 addresses
• Windows is not supported

3.19.1.kata2

What's Changed

• runtime: clh: Use msft/v41.0.139 API YAML by @Redent0r in #410

Full Changelog: 3.19.1.kata1...3.19.1.kata2

3.19.1.kata1

What's Changed

• Revert "runtime: fix error when using the debug console" 49d3683
• runtime: Enforce that OCI memory limit exceeds 128MB baseline 601d543
• runtime: Set disable_image_nvdimm=true to disable pmem 0c4c69a
• network: preseed default-gateway neighbor 9fa7bbf

Full Changelog: 3.19.1.kata0...3.19.1.kata1

3.15.0.aks0.genpolicy0

What's Changed

• Syncing with upstream v3.15
• samples: write test settings to /tmp by @Redent0r in #340
• Added support for containerd2

Limitations and important notes

This release requires >= 3.2.0.azl4 kata-cc version (Azl3) and containerd version >= 2
UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
Only supports pods that use IPv4 addresses

Full Changelog: 3.2.0.azl5.genpolicy0...3.15.0.aks0.genpolicy0

3.19.1.kata0

• Syncing with upstream v3.19.1

Full Changelog: https://github.com/microsoft/kata-containers/commits/3.19.1.kata0

3.18.0.kata0

• Syncing with upstream v3.18.0

Full Changelog: https://github.com/microsoft/kata-containers/commits/3.18.0.kata0

3.2.0.azl5.genpolicy0

Release notes

• Improve validation of certain fields in CreateContainer such as: sandbox-name, and sandbox-namespace
• Remove the need for specifying default_namespace in genpolicy settings
• Fixed bug where kubectl log hangs if ReadStream requests are blocked
• Remove special cases of variables that are always allowed. Instead, force the user to define validation in the settings for variables we can't validate safely without knowing the user's intent
• Improve validation for storage and mount objects
• Improve command line validation by shifting the command line expansion from policy generation time to runtime

What's Changed

• policy: cherry pick state policy changes from upstream by @Redent0r in #273
• policy: validate namespace env var by @Redent0r in #295
• agent: clear log pipes if denied by policy by @sprt in #315
• genpolicy: fix env variables that are always allowed by @Redent0r in #316
• genpolicy: Harden storage validation by @sprt in #320
• policy: improve args and env variables validation by @Redent0r in #308

Limitations and important notes

• This release requires >= 3.2.0.azl4 kata-cc version (Azl3)
• UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
• Only supports pods that use IPv4 addresses
• Windows is not supported

Full Changelog: 3.2.0.azl3.genpolicy3...3.2.0.azl5.genpolicy0