Releases: Contrast-Security-OSS/agent-operator
v1.0.0
Version v1.0.0 released! This is the first operator version released as GA and is the culmination of 9 months of effort. We would like to thank our technical partners for their incredible feedback during our beta phase.
This release signifies our commitment to the stability of the operator API. No breaking changes will be introduced until the next major version, following our versioning documentation.
Changes
No changes since v0.16.0.
Upgrading from Beta
When applying this release on an existing beta installation, please ensure that the latest manifests are applied.
contrast/agent-operator:1.0.0
contrast/agent-operator@sha256:29bcfc6862507b96789fffbc968048bd245aa4bf0c6ae67fc5d9697bb89b63ff
quay.io/contrast/agent-operator:1.0.0
quay.io/contrast/agent-operator@sha256:29bcfc6862507b96789fffbc968048bd245aa4bf0c6ae67fc5d9697bb89b63ff
v0.16.0
Version v0.16.0 released!
This release contains optional manifest updates. It is recommended to update manifests in K8s v1.25+ clusters if using Pod Security Admission.
Improvements
- Added logging of non-default options to aid in diagnostics.
- Added the ability to detect when SANs specified via CONTRAST_WEBHOOK_HOSTS are modified, so that new TLS certificates may be generated.
- Removed superfluous case-sensitivity in TLS certificate SAN generation.
- Improved handling of namespaces of different cases.
- Improved logging when Secrets are referenced, but with incorrect casing.
Bug Fixes
- Upgraded project dependencies which included security fixes.
- Due to a bug in the Helm chart, TLS certificates may be incorrectly generated. This was fixed in v0.15.1, but upgrading could leave the operator in an invalid state. The operator will now correct these problems upon upgrading.
Internal Changes
- Removed the feature flag CONTRAST_USE_SLOW_COMPARER. It was first introduced in v0.11.0 defaulting to False, and no regressions have been reported since.
contrast/agent-operator:0.16.0
contrast/agent-operator@sha256:0c82e963c1578923d12625823415c4960f419e232cceb703bb814b0ee4d370ba
quay.io/contrast/agent-operator:0.16.0
quay.io/contrast/agent-operator@sha256:0c82e963c1578923d12625823415c4960f419e232cceb703bb814b0ee4d370ba
v0.15.1
Version v0.15.1 released!
This release may cause injected resources to shift after upgrading the operator.
Improvements
- Improved the error message when an AgentInjector is ignored due to a missing AgentConnection.
Bug Fixes
- Fixed incorrect TLS certificate generation when installing the operator using Helm and defaults. If webhook communication is failing, please re-install the Helm chart (ensure the contrast-agent-operator namespace is deleted).
contrast/agent-operator:0.15.1
contrast/agent-operator@sha256:5bc8b7102e1fbb84851451b8636af97379cc228c33900fcd31384ef7e69a75c4
quay.io/contrast/agent-operator:0.15.1
quay.io/contrast/agent-operator@sha256:5bc8b7102e1fbb84851451b8636af97379cc228c33900fcd31384ef7e69a75c4
v0.15.0
Version v0.15.0 released!
This release contains optional manifest changes. This release may cause injected resources to shift after upgrading the operator.
Improvements
- When AgentInjectors do not map to any known entities, the operator will now emit a log message, as this may be an undesired state.
- Improved documentation defined in the CRDs.
- Improved handling of failures during TLS webhook secret generation.
- Injected Init Containers now drop all non-essential capabilities/permissions.
- Injected Init Containers now define resource requests/limits.
- Injected Init Containers can now execute as non-root. This behavior can be forced by the new CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true flag. The operator will enable this feature flag by default in a future release. Note that this feature requires support from the injected agent images; the required versions are defined below.
- The operator's installation manifests no longer force a container UID, reducing installation friction in OpenShift.
- Within K8s clusters, the operator now officially supports executing and injecting pods that have the Restricted policy applied (if CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true is set). This feature requires K8s v1.25. Pod Security Policies, deprecated in K8s v1.21, are not supported.
- Within OpenShift clusters, the operator now officially supports executing and injecting pods that have the restricted SCC policy applied. Note that in some OpenShift versions where setting the seccomp policy is disallowed, the CONTRAST_SUPPRESS_SECCOMP_PROFILE=true flag must be set.
Bug Fixes
- Bug and security updates to our dependencies.
- During generation/updates of templated entities, the K8s API server could return an invalid result. If this occurred during the creation of new entities, the operator could be left in an invalid state that prevented a retry from occurring. The only work-around was to restart the operator. This has been fixed.
- During pod deletions, the operator could return a new mutation patch that was empty. This would cause an error to be emitted by the API server "webhook returned response.patchType but not response.patch". This has been fixed.
- When an explicit AgentConfiguration was specified in an AgentInjector, but did not exist in the same namespace, the operator wouldn't mark the AgentInjector as invalid. This state is now correctly handled and is logged.
Breaking Changes
- The operator will now consider a missing, explicitly specified AgentConfiguration in an AgentInjector as invalid (previously, the missing AgentConfiguration was ignored).
- If CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true is specified, previous container images will no longer work. The minimum versions are specified in the table below:
| Type | Minimum Version |
|---|---|
| dotnet-core | 2.4.4 |
| java | 4.11.0 |
| nodejs | 4.30.0 |
| nodejs-protect | 5.2.0 |
| php | 1.8.0 |
contrast/agent-operator:0.15.0
contrast/agent-operator@sha256:daa571d6c3c0c61369686fb9798bb69b91289573b2b02776b1b0f8b8f5316b58
quay.io/contrast/agent-operator:0.15.0
quay.io/contrast/agent-operator@sha256:daa571d6c3c0c61369686fb9798bb69b91289573b2b02776b1b0f8b8f5316b58
v0.14.0
Version v0.14.0 released!
This release contains updates to our dependencies, changes the default log level from Trace to Info, and adds official support for K8s v1.26.
contrast/agent-operator:0.14.0
contrast/agent-operator@sha256:2da854dcf7bb6d43c1265732ec684280126bbab962df09c653f2f4fb1db31f2c
quay.io/contrast/agent-operator:0.14.0
quay.io/contrast/agent-operator@sha256:2da854dcf7bb6d43c1265732ec684280126bbab962df09c653f2f4fb1db31f2c
v0.13.1
Version v0.13.1 released!
This release contains security related bug fixes against our dependencies.
contrast/agent-operator:0.13.1
contrast/agent-operator@sha256:ec7b4d8f0d6af7c8be1302e3bedc075fec7c72158ec7d0163bd61c1c6d90f9ce
quay.io/contrast/agent-operator:0.13.1
quay.io/contrast/agent-operator@sha256:ec7b4d8f0d6af7c8be1302e3bedc075fec7c72158ec7d0163bd61c1c6d90f9ce
v0.13.0
Version v0.13.0 released!
This release adds QoL improvements when deploying read-only containers, as well as standardizing logging and disk-cache locations across agent types. Internal dependencies were also upgraded.
A new EmptyDir volume is now automatically created and mounted to /contrast/data and agent cache and logs are redirected to this folder. The agent files are now mounted to the read-only directory /contrast/agent (for agents whose files were previously mounted to /contrast). This change will be lazily applied on next workload deployment or workload restart after upgrading the operator.
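As an added example (not the agent-operator project's own code), the following checker verifies an injected pod spec against the v0.15.0 init-container hardening (non-root, capabilities dropped, resource requests/limits, a Restricted-compatible seccomp profile) and the v0.13.0 volume layout (an emptyDir at /contrast/data and a read-only mount at /contrast/agent). The pod spec, container names and resource values are constructed for illustration and are not real operator output.

```python
# Added example (not agent-operator project code): a defender-side check that an
# injected pod spec meets the v0.15.0 init-container hardening and the v0.13.0
# volume layout. SAMPLE_POD below is a constructed sample, not real operator output.
def check_container(c, is_init):
    """Findings for one container against Pod Security 'restricted' expectations."""
    name, sc, errs = c.get("name", "?"), c.get("securityContext", {}), []
    if sc.get("runAsNonRoot") is not True:
        errs.append(f"{name}: runAsNonRoot must be true")
    if sc.get("allowPrivilegeEscalation") is not False:
        errs.append(f"{name}: allowPrivilegeEscalation must be false")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        errs.append(f"{name}: capabilities.drop must include ALL")
    if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        errs.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    res = c.get("resources", {})
    if is_init and not (res.get("requests") and res.get("limits")):
        errs.append(f"{name}: init container must set resource requests and limits")
    return errs

def check_volumes(spec):
    """Check /contrast/data is an emptyDir and /contrast/agent is mounted read-only."""
    errs, vols = [], {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []):
        mounts = {m["mountPath"]: m for m in c.get("volumeMounts", [])}
        data, agent = mounts.get("/contrast/data"), mounts.get("/contrast/agent")
        if not data or "emptyDir" not in vols.get(data["name"], {}):
            errs.append(f"{c['name']}: /contrast/data must be an emptyDir mount")
        if not agent or not agent.get("readOnly"):
            errs.append(f"{c['name']}: /contrast/agent must be mounted readOnly")
    return errs

def check_injected_pod(pod):
    """Return all findings; an empty list means the pod passes every check."""
    spec = pod["spec"]
    errs = [e for c in spec.get("initContainers", []) for e in check_container(c, True)]
    errs += [e for c in spec.get("containers", []) for e in check_container(c, False)]
    return errs + check_volumes(spec)

# Constructed sample: the init container is hardened, the app container is not.
HARDENED = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]}, "seccompProfile": {"type": "RuntimeDefault"}}
SAMPLE_POD = {"spec": {
    "volumes": [{"name": "contrast-data", "emptyDir": {}}, {"name": "contrast-agent", "emptyDir": {}}],
    "initContainers": [{"name": "contrast-init", "securityContext": HARDENED,
                        "resources": {"requests": {"cpu": "50m"}, "limits": {"cpu": "100m"}}}],
    "containers": [{"name": "app", "securityContext": {"runAsNonRoot": True},
                    "volumeMounts": [{"name": "contrast-data", "mountPath": "/contrast/data"},
                                     {"name": "contrast-agent", "mountPath": "/contrast/agent"}]}],
}}
```

Run `check_injected_pod(SAMPLE_POD)` against the constructed pod: the init container passes, while the app container reports three missing securityContext settings and a non-read-only /contrast/agent mount.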
contrast/agent-operator:0.13.0
contrast/agent-operator@sha256:6310625f9a77d36f9abd4a2e9f07645b44be7b08e71ae40a263cab3bfe248283
quay.io/contrast/agent-operator:0.13.0
quay.io/contrast/agent-operator@sha256:6310625f9a77d36f9abd4a2e9f07645b44be7b08e71ae40a263cab3bfe248283
v0.12.0
Version v0.12.0 released!
This release is the first release supporting the NodeJS V5 (Protect mode only) agent. No other changes are contained.
contrast/agent-operator:0.12.0
contrast/agent-operator@sha256:8db1874900774574a52f8cb4594d33d01bce391c4bfc1a29fb085f877bbaa65b
quay.io/contrast/agent-operator:0.12.0
quay.io/contrast/agent-operator@sha256:8db1874900774574a52f8cb4594d33d01bce391c4bfc1a29fb085f877bbaa65b
v0.11.1
Version v0.11.1 released!
This release is a bug fix release, resolving the "Known Issues" discovered during internal dogfooding. If the upgrade to v0.11 was failing, this release should allow the upgrade to succeed.
contrast/agent-operator:0.11.1
contrast/agent-operator@sha256:a9f9e4521d198ee1f2dfe99c054790d7a783ec4156472c0176bd5184ba20887b
quay.io/contrast/agent-operator:0.11.1
quay.io/contrast/agent-operator@sha256:a9f9e4521d198ee1f2dfe99c054790d7a783ec4156472c0176bd5184ba20887b
v0.11.0
Version v0.11.0 released!
This release continues to improve performance and memory usage in large K8s clusters (> 5000 pods) as well as providing some quality of life improvements. This release was tested against a large stress testing cluster of 10,000 active pods.
- Updated internal dependencies.
- Improved logging at Info level (Info level will become the default in a future release). Monitored injection status is now logged at Info level to aid in tracking pods in which injection is pending.
- Reduced the default operator event queue size, aimed at reducing retained memory during operator lag in huge clusters (> 30,000 tracked entities). In effect, this reduces Gen2 retained allocations, reducing the need for expensive Gen2 GC sweeps.
- Improved internal state indexing of data, reducing desired-state calculations from an O(N^3) problem to an O(N) problem. This change also reduces memory complexity significantly, while also reducing cluster lag in large clusters (> 5000 pods). In effect, this increases calculation throughput by a factor of 50+ in large clusters, while also reducing allocation traffic.
- Reduced allocations by improving data structure re-use and reducing closure usage along hot paths. In extreme cases, these changes significantly reduce promotion of objects from Gen0 to Gen2, reducing the need for expensive Gen2 GC sweeps.
- Increased the event stream watcher timeout (not user configurable) from 60 seconds to 10 minutes, reducing full-sync network traffic against the backplane. This may improve the load of the backplane in large clusters.
- Fixed TLS key usage attributes of internally generated certificates to match the TLS 1.3 specification. Operator installations, with incorrect certificates, will automatically generate new certificates upon upgrading. This bug was found during internal testing and is not user facing as the backplane does not appear to validate key usage at this time.
- Speculative fix around the Agent Operator Helm chart to work around a bug found in AWS's K8s implementation, preventing installation in 1.21 clusters.
Known Issues
During dogfooding against our internal K8s clusters, we've discovered that the TLS certificate fix could prevent newer instances of the operator from coming online during the K8s rolling deployment (due to failing health checks). This will be fixed in the next release, to be published soon. Two workarounds can be used to continue upgrading:
- Scale the updated deployment down to 0 replicas, then scale back to your standard replica count.
- Delete and then recreate the deployment.
Upon starting and gaining a leader lock, the operator will update the TLS certificate and continue running. It is the policy of the Agent Operator to not require human intervention during point releases such as v0.10 to v0.11.
contrast/agent-operator:0.11.0
contrast/agent-operator@sha256:c298eb61975c82060b799c1b96390ab2d7087f60e64f8fc76a0a4a3cb4214bf9
quay.io/contrast/agent-operator:0.11.0
quay.io/contrast/agent-operator@sha256:c298eb61975c82060b799c1b96390ab2d7087f60e64f8fc76a0a4a3cb4214bf9