
Releases: Contrast-Security-OSS/agent-operator

v0.15.0

24 Jan 21:13
f5218bf

Version v0.15.0 released!

This release contains optional manifest changes. This release may cause injected resources to shift after upgrading the operator.

Improvements

  • When AgentInjectors do not map to any known entities, the operator will now emit a log message, as this may be an undesired state.
  • Improved the documentation defined in the CRDs.
  • Improved handling of failures during TLS webhook secret generation.
  • Injected Init Containers now drop all non-essential capabilities/permissions.
  • Injected Init Containers now define resource requests/limits.
  • Injected Init Containers can now execute as Non-Root. This behavior can be forced with the new CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true flag. The operator will enable this feature flag by default in a future release. Note that this feature requires support from the injected agent images; the required versions are defined below.
  • The operator's installation manifests no longer force a container UID, reducing installation friction in OpenShift.
  • Within K8s clusters, the operator now officially supports executing and injecting pods that have the Restricted policy applied (if CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true is set). This feature requires K8s v1.25. Pod Security Policies, deprecated in K8s v1.21, are not supported.
  • Within OpenShift clusters, the operator now officially supports executing and injecting pods that have the restricted SCC policy applied. Note that in some OpenShift versions where setting the seccomp policy is disallowed, the CONTRAST_SUPPRESS_SECCOMP_PROFILE=true flag must be set.
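
The bullets above describe the properties an injected init container needs in order to be admitted under the Kubernetes Restricted Pod Security Standard: all capabilities dropped, no privilege escalation, non-root execution, a seccomp profile, and (as a separate operator change) resource requests and limits. The checker below is an added example, not code from the agent-operator project; it evaluates a pod spec in the shape `kubectl get pod -o json` produces, and the two sample pods, their image names and resource values are constructed placeholders. It is useful for confirming, after an operator upgrade, that the resources the webhook injected actually satisfy the policy the namespace enforces.

```python
"""Check the init and app containers of a pod spec against the Kubernetes
'Restricted' Pod Security Standard.

Added example, not code from the agent-operator project. The pod specs
below are constructed; image names and resource values are placeholders.
The resource requests/limits check is not a PSS rule but mirrors the
release-note bullet that injected init containers now define them.
"""
from typing import Any

RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def _effective(pod_sc: dict, ctr_sc: dict, key: str) -> Any:
    """Container-level securityContext overrides pod-level; None if set at neither."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def check_container(pod_spec: dict, ctr: dict) -> list:
    """Return the Restricted-profile violations for one container (empty if compliant)."""
    pod_sc = pod_spec.get("securityContext") or {}
    sc = ctr.get("securityContext") or {}
    name = ctr.get("name", "<unnamed>")
    problems = []
    if sc.get("privileged"):
        problems.append(f"{name}: privileged must not be true")
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
    if _effective(pod_sc, sc, "runAsNonRoot") is not True:
        problems.append(f"{name}: runAsNonRoot must be true at pod or container level")
    if _effective(pod_sc, sc, "runAsUser") == 0:
        problems.append(f"{name}: runAsUser must not be 0")
    caps = sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        problems.append(f"{name}: capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
    if extra:
        problems.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
    seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
    if seccomp.get("type") not in RESTRICTED_SECCOMP:
        problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    # Not a PSS rule, but the release notes say injected init containers now set these.
    res = ctr.get("resources") or {}
    if not res.get("requests") or not res.get("limits"):
        problems.append(f"{name}: resources.requests and resources.limits should both be set")
    return problems


def check_pod(pod_spec: dict) -> list:
    """Pod-level host namespace checks, then every init and app container."""
    problems = [f"pod: {k} must be false" for k in ("hostNetwork", "hostPID", "hostIPC")
                if pod_spec.get(k)]
    for ctr in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        problems.extend(check_container(pod_spec, ctr))
    return problems


# Constructed sample: an application container that already satisfies Restricted.
APP_CONTAINER = {
    "name": "app",
    "image": "example.invalid/app:placeholder",
    "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
    "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                  "limits": {"cpu": "500m", "memory": "256Mi"}},
}
POD_LEVEL_SC = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}

# Constructed "before": the init container runs as root, drops nothing, sets no resources.
LEGACY_POD = {
    "securityContext": POD_LEVEL_SC,
    "initContainers": [{
        "name": "agent-init",
        "image": "example.invalid/agent-init:placeholder",
        "securityContext": {"runAsNonRoot": False, "runAsUser": 0},
    }],
    "containers": [APP_CONTAINER],
}

# Constructed "after": an init container that is admitted under Restricted.
HARDENED_POD = {
    "securityContext": POD_LEVEL_SC,
    "initContainers": [{
        "name": "agent-init",
        "image": "example.invalid/agent-init:placeholder",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"requests": {"cpu": "50m", "memory": "64Mi"},
                      "limits": {"cpu": "200m", "memory": "128Mi"}},
    }],
    "containers": [APP_CONTAINER],
}

if __name__ == "__main__":
    for label, pod in (("legacy", LEGACY_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "compliant")
```

Run against a live cluster by feeding `check_pod` the `spec` object of each pod in a namespace; the legacy sample above reports five violations on the init container and none on the app container, while the hardened sample is clean. The seccomp and runAsNonRoot checks honour pod-level defaults, which matters because the operator only patches the init container and inherits the rest from the workload.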

Bug Fixes

  • Bug and security updates to our dependencies.
  • During generation/updates of templated entities, the K8s API server could return an invalid result. If this occurred during the creation of a new entity, the operator could be left in an invalid state that prevented a retry. The only work-around was to restart the operator. This has been fixed.
  • During pod deletions, the operator could return a new mutation patch that was empty. This would cause an error to be emitted by the API server "webhook returned response.patchType but not response.patch". This has been fixed.
  • When an explicit AgentConfiguration was specified in an AgentInjector, but did not exist in the same namespace, the operator wouldn't mark the AgentInjector as invalid. This state is now correctly handled and is logged.

Breaking Changes

  • The operator now treats an AgentConfiguration that is explicitly specified in an AgentInjector but does not exist as invalid (previously, the missing AgentConfiguration was ignored).
  • If CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true is specified, previous container images will no longer work. The minimum versions are specified in the table below:

    Type             Minimum Version
    dotnet-core      2.4.4
    java             4.11.0
    nodejs           4.30.0
    nodejs-protect   5.2.0
    php              1.8.0

contrast/agent-operator:0.15.0
contrast/agent-operator@sha256:daa571d6c3c0c61369686fb9798bb69b91289573b2b02776b1b0f8b8f5316b58

quay.io/contrast/agent-operator:0.15.0
quay.io/contrast/agent-operator@sha256:daa571d6c3c0c61369686fb9798bb69b91289573b2b02776b1b0f8b8f5316b58

v0.14.0

03 Jan 15:37
46291bd

Version v0.14.0 released!

This release contains updates to our dependencies, changes the default log level from Trace to Info, and adds official support for K8s v1.26.

contrast/agent-operator:0.14.0
contrast/agent-operator@sha256:2da854dcf7bb6d43c1265732ec684280126bbab962df09c653f2f4fb1db31f2c

quay.io/contrast/agent-operator:0.14.0
quay.io/contrast/agent-operator@sha256:2da854dcf7bb6d43c1265732ec684280126bbab962df09c653f2f4fb1db31f2c

v0.13.1

13 Dec 22:02
e71593c

Version v0.13.1 released!

This release contains security related bug fixes against our dependencies.

contrast/agent-operator:0.13.1
contrast/agent-operator@sha256:ec7b4d8f0d6af7c8be1302e3bedc075fec7c72158ec7d0163bd61c1c6d90f9ce

quay.io/contrast/agent-operator:0.13.1
quay.io/contrast/agent-operator@sha256:ec7b4d8f0d6af7c8be1302e3bedc075fec7c72158ec7d0163bd61c1c6d90f9ce

v0.13.0

05 Dec 15:18
7551a5f

Version v0.13.0 released!

This release adds QoL improvements when deploying read-only containers, as well as standardizing logging and disk-cache locations across agent types. Internal dependencies were also upgraded.

A new EmptyDir volume is now automatically created and mounted to /contrast/data and agent cache and logs are redirected to this folder. The agent files are now mounted to the read-only directory /contrast/agent (for agents whose files were previously mounted to /contrast). This change will be lazily applied on next workload deployment or workload restart after upgrading the operator.

contrast/agent-operator:0.13.0
contrast/agent-operator@sha256:6310625f9a77d36f9abd4a2e9f07645b44be7b08e71ae40a263cab3bfe248283

quay.io/contrast/agent-operator:0.13.0
quay.io/contrast/agent-operator@sha256:6310625f9a77d36f9abd4a2e9f07645b44be7b08e71ae40a263cab3bfe248283

v0.12.0

15 Nov 20:25

Version v0.12.0 released!

This release is the first release supporting the NodeJS V5 (Protect mode only) agent. No other changes are contained.

contrast/agent-operator:0.12.0
contrast/agent-operator@sha256:8db1874900774574a52f8cb4594d33d01bce391c4bfc1a29fb085f877bbaa65b

quay.io/contrast/agent-operator:0.12.0
quay.io/contrast/agent-operator@sha256:8db1874900774574a52f8cb4594d33d01bce391c4bfc1a29fb085f877bbaa65b

v0.11.1

15 Nov 17:38
c2896b3

Version v0.11.1 released!

This is a bug fix release, resolving the "Known Issues" discovered during internal dogfooding. If the upgrade to v0.11 was failing, this release should allow it to succeed.

contrast/agent-operator:0.11.1
contrast/agent-operator@sha256:a9f9e4521d198ee1f2dfe99c054790d7a783ec4156472c0176bd5184ba20887b

quay.io/contrast/agent-operator:0.11.1
quay.io/contrast/agent-operator@sha256:a9f9e4521d198ee1f2dfe99c054790d7a783ec4156472c0176bd5184ba20887b

v0.11.0

14 Nov 15:18

Version v0.11.0 released!

This release continues to improve performance and memory usage in large K8s clusters (> 5000 pods) as well as providing some quality of life improvements. This release was tested against a large stress testing cluster of 10,000 active pods.

  • Updated internal dependencies.
  • Improved logging at Info level (Info level will become the default in a future release). Monitored injection status is now logged at Info level to aid in tracking pods in which injection is pending.
  • Reduced default operator event queue size, aimed at reducing retained memory during operator lag in huge clusters (> 30,000 tracked entities). In effect, this reduces Gen2 retained allocations, reducing the need for expensive Gen2 GC sweeps.
  • Improved internal state indexing of data, reducing desired state calculations from an O(N^3) problem to an O(N) problem. This change also reduces memory complexity significantly, while also reducing cluster lag in large clusters (> 5000 pods). In effect, this increases calculation throughput by a factor of 50+ in large clusters, while also reducing allocation traffic.
  • Reduced allocations by improving data structure re-use and reducing closure usage along hot paths. In extreme cases, these changes significantly reduce promotion of objects from Gen0 to Gen2, reducing the need for expensive Gen2 GC sweeps.
  • Increased the event stream watcher timeout (not user configurable) from 60 seconds to 10 minutes - reducing full-sync network traffic against the backplane. This may improve the load of the backplane in large clusters.
  • Fixed TLS key usage attributes of internally generated certificates to match the TLS 1.3 specification. Operator installations with incorrect certificates will automatically generate new certificates upon upgrading. This bug was found during internal testing and is not user facing, as the backplane does not appear to validate key usage at this time.
  • Speculative fix around the Agent Operator Helm chart to work around a bug found in AWS's K8s implementation, preventing installation in 1.21 clusters.

Known Issues

During dogfooding against our internal K8s clusters, we've discovered that the TLS certificate fix could prevent newer instances of the operator from coming online during the K8s rolling deployment (due to failing health checks). This will be fixed in the next release, which will be published soon. Two workarounds can be used to continue upgrading:

  • Scale the updated deployment down to 0 replicas, then scale it back up to your standard replica count.
  • Delete and then recreate the deployment.

Upon starting and gaining a leader lock, the operator will update the TLS certificate and continue running. It is the policy of the Agent Operator to not require human intervention during point releases such as v0.10 to v0.11.

contrast/agent-operator:0.11.0
contrast/agent-operator@sha256:c298eb61975c82060b799c1b96390ab2d7087f60e64f8fc76a0a4a3cb4214bf9

quay.io/contrast/agent-operator:0.11.0
quay.io/contrast/agent-operator@sha256:c298eb61975c82060b799c1b96390ab2d7087f60e64f8fc76a0a4a3cb4214bf9

v0.10.0

13 Oct 19:53

Version v0.10.0 released!

This release adds the ability to merge with an existing JAVA_TOOL_OPTIONS environment variable when defined in the K8s workload, which is commonly used for Java apps.
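
Merging rather than overwriting matters because JAVA_TOOL_OPTIONS is where operators commonly set heap sizes, GC flags and other agents; clobbering it silently changes the workload. The function below is an added example of that merge, not the operator's code: it works on a container's `env` list as kubectl renders it, is idempotent across repeated injections, and refuses to merge when the variable is sourced via `valueFrom` (a Secret or ConfigMap reference), since the literal text is unknown at injection time. The jar file name is a placeholder; `/contrast/agent` is the mount directory named in the v0.13.0 notes, but the page does not name the jar.

```python
"""Merge a -javaagent flag into a workload's existing JAVA_TOOL_OPTIONS.

Added example, not code from the agent-operator project. Operates on a
container 'env' list of {"name": ..., "value": ...} / {"name": ..., "valueFrom": ...}
entries. The agent jar name is a placeholder.
"""
import shlex

AGENT_FLAG = "-javaagent:/contrast/agent/agent.jar"  # placeholder jar name


def merge_java_tool_options(env: list, agent_flag: str = AGENT_FLAG) -> list:
    """Return a new env list with agent_flag merged into JAVA_TOOL_OPTIONS.

    - No JAVA_TOOL_OPTIONS present: append one containing only the flag.
    - Existing literal value: keep the user's flags and append the agent flag.
    - Flag already present: return the env unchanged (idempotent re-injection).
    - Value sourced via valueFrom: raise, because overwriting it would silently
      discard whatever the Secret/ConfigMap holds.
    The input list is not modified.
    """
    merged = [dict(entry) for entry in env]
    for entry in merged:
        if entry.get("name") != "JAVA_TOOL_OPTIONS":
            continue
        if "valueFrom" in entry:
            raise ValueError("JAVA_TOOL_OPTIONS is set via valueFrom; cannot merge statically")
        current = entry.get("value", "")
        # shlex.split respects quoted arguments so a quoted -D value containing
        # the flag text is not mistaken for the flag itself.
        if agent_flag in shlex.split(current):
            return merged
        entry["value"] = f"{current} {agent_flag}".strip()
        return merged
    merged.append({"name": "JAVA_TOOL_OPTIONS", "value": agent_flag})
    return merged


if __name__ == "__main__":
    # Constructed sample env of a Java workload that already tunes the JVM.
    sample_env = [
        {"name": "JAVA_HOME", "value": "/opt/java"},
        {"name": "JAVA_TOOL_OPTIONS", "value": "-Xmx512m -XX:+UseG1GC"},
    ]
    print(merge_java_tool_options(sample_env)[1]["value"])
```

The `valueFrom` case is the one to watch in practice: an injector that cannot see the final value should surface the conflict (here, an exception a caller can log) rather than guess.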

contrast/agent-operator:0.10.0
contrast/agent-operator@sha256:dac7bac7cde56391582b4cf03d6a9462ea594adf5a6bdb9d917736158e6f6337

quay.io/contrast/agent-operator:0.10.0
quay.io/contrast/agent-operator@sha256:dac7bac7cde56391582b4cf03d6a9462ea594adf5a6bdb9d917736158e6f6337

v0.9.1

11 Oct 18:19

Version v0.9.1 released!

This release contains security related bug fixes against our dependencies.

contrast/agent-operator:0.9.1
contrast/agent-operator@sha256:36cce4402f7c8f9ed0606fca2f107189cc4dd1c9c45b5991a823dbbb3ec38d36

quay.io/contrast/agent-operator:0.9.1
quay.io/contrast/agent-operator@sha256:36cce4402f7c8f9ed0606fca2f107189cc4dd1c9c45b5991a823dbbb3ec38d36

v0.9.0

06 Oct 14:49
f01ba1b

Version v0.9.0 released!

This release contains changes aimed at improving the performance and reducing memory usage of the Agent Operator in large K8s clusters.

  • The operator will no longer drop events from the K8s event stream upon reaching 10,000 events queued, but rather apply back pressure to watchers. This mode is now configured with CONTRAST_EVENT_QUEUE_FULL_MODE. The queue size is now controlled with CONTRAST_EVENT_QUEUE_SIZE.
  • The operator will now compress modification events within a 10 second window. This greatly improves catch up performance after a restart. This window size is now controlled with CONTRAST_EVENT_QUEUE_MERGE_WINDOW_SECONDS.
  • Memory allocations have been reduced across the board by a factor of 4.
    • Improved byte-array to string conversions using modern techniques - this can significantly reduce allocations in clusters with a large number of secrets.
    • Improved performance of caching cluster state used to reconcile changes after losing connection with the K8s API Server. This significantly reduces allocations in clusters with a large number of entities.
    • Improved caching of the compare plan. This provides a minor improvement to performance with a minor decrease in allocations.
    • Migrated to the new ValueTask for more async operations. This provides a minor reduction in allocations with a large number of injectors.
  • The performance of pod status updates in clusters with a large number of pods has been improved.
  • The /get-info.sh script is now included by default in images - used for diagnostics in permission constrained environments.
  • The log level can now be configured with CONTRAST_LOG_LEVEL (the default continues to be Trace). Large clusters will benefit from reducing this to Info.

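
The event compression described in the second bullet is what makes catch-up after a restart tractable: a pod that is modified twenty times in ten seconds should cost one reconciliation, not twenty. The queue below is an added example of that idea, not the operator's implementation, and its design choices are mine: ADDED and DELETED events pass through immediately, a DELETED discards any pending MODIFIED for the same object, and a pending MODIFIED keeps the timestamp of the first event in its window so a constantly-changing object cannot be starved indefinitely. Time is passed in explicitly so the example runs without sleeping; the events are constructed.

```python
"""Coalesce Kubernetes watch events for the same object within a merge window.

Added example, not code from the agent-operator project. Design choices
(mine, not the project's): only MODIFIED events are delayed; ADDED and
DELETED are emitted at once; a DELETED drops any pending MODIFIED for that
object; the window is measured from the first pending event, not the latest.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WatchEvent:
    event_type: str      # ADDED | MODIFIED | DELETED
    kind: str
    namespace: str
    name: str
    resource_version: str

    @property
    def key(self) -> tuple:
        return (self.kind, self.namespace, self.name)


@dataclass
class MergingQueue:
    window_seconds: float = 10.0
    # key -> (first_seen, latest event); dict order is first_seen order because a
    # key is inserted only when absent and updated in place afterwards.
    _pending: dict = field(default_factory=dict)

    def push(self, event: WatchEvent, now: float) -> list:
        """Offer an event; return any events that must be processed immediately."""
        if event.event_type == "MODIFIED":
            first_seen, _ = self._pending.get(event.key, (now, None))
            # Later modifications replace the payload but keep the first timestamp.
            self._pending[event.key] = (first_seen, event)
            return []
        if event.event_type == "DELETED":
            # Reconciling a stale MODIFIED for a deleted object would only fail later.
            self._pending.pop(event.key, None)
        return [event]

    def drain(self, now: float) -> list:
        """Return merged MODIFIED events whose window has elapsed, oldest first."""
        ready = [k for k, (first, _) in self._pending.items()
                 if now - first >= self.window_seconds]
        return [self._pending.pop(k)[1] for k in ready]


def example_run() -> list:
    """Replay a constructed burst of events and return what was emitted, in order."""
    q = MergingQueue(window_seconds=10.0)
    ev = lambda t, rv: WatchEvent(t, "Pod", "default", "web-1", rv)
    emitted = []
    emitted += q.push(ev("ADDED", "1"), now=0.0)       # passes straight through
    emitted += q.push(ev("MODIFIED", "2"), now=1.0)    # held
    emitted += q.push(ev("MODIFIED", "3"), now=5.0)    # replaces rv 2, window still from t=1
    emitted += q.drain(now=9.0)                        # nothing ready yet
    emitted += q.drain(now=11.0)                       # one MODIFIED (rv 3) for two updates
    emitted += q.push(ev("MODIFIED", "4"), now=12.0)   # held again
    emitted += q.push(ev("DELETED", "5"), now=13.0)    # emitted now, drops pending rv 4
    emitted += q.drain(now=30.0)                       # queue is empty
    return [f"{e.event_type}:{e.resource_version}" for e in emitted]


if __name__ == "__main__":
    print(example_run())
```

With the constructed burst, the queue emits `ADDED:1`, `MODIFIED:3` and `DELETED:5`: two of the four modifications were never reconciled separately, and the modification racing a deletion was discarded. Tuning the window trades reconciliation latency for throughput, which is exactly the knob the CONTRAST_EVENT_QUEUE_MERGE_WINDOW_SECONDS setting above exposes.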
contrast/agent-operator:0.9.0
contrast/agent-operator@sha256:8805b634139a9112fa20388bc1ff8776c0b8016f1675cffec055791ba5bf8089

quay.io/contrast/agent-operator:0.9.0
quay.io/contrast/agent-operator@sha256:8805b634139a9112fa20388bc1ff8776c0b8016f1675cffec055791ba5bf8089