Releases: microsoft/kata-containers

3.19.1.kata2

08 Sep 19:22

What's Changed

Full Changelog: 3.19.1.kata1...3.19.1.kata2

3.19.1.kata1

26 Aug 23:59

What's Changed

  • Revert "runtime: fix error when using the debug console" 49d3683
  • runtime: Enforce that OCI memory limit exceeds 128MB baseline 601d543
  • runtime: Set disable_image_nvdimm=true to disable pmem 0c4c69a
  • network: preseed default-gateway neighbor 9fa7bbf

Full Changelog: 3.19.1.kata0...3.19.1.kata1

3.15.0.aks0.genpolicy0

09 May 19:00

Pre-release

What's Changed

  • Syncing with upstream v3.15
  • samples: write test settings to /tmp by @Redent0r in #340
  • Added support for containerd2

Limitations and important notes

  • This release requires >= 3.2.0.azl4 kata-cc version (Azl3) and containerd version >= 2
  • UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
  • Only supports pods that use IPv4 addresses

Full Changelog: 3.2.0.azl5.genpolicy0...3.15.0.aks0.genpolicy0

3.19.1.kata0

07 Aug 18:06

3.18.0.kata0

25 Jun 22:37

3.2.0.azl5.genpolicy0

14 Apr 17:01

Pre-release

Release notes

  • Improve validation of certain fields in CreateContainer, such as sandbox-name and sandbox-namespace
  • Remove the need for specifying default_namespace in genpolicy settings
  • Fixed bug where kubectl log hangs if ReadStream requests are blocked
  • Remove special cases of variables that are always allowed. Instead, force the user to define validation in the settings for variables we can't validate safely without knowing the user's intent
  • Improve validation for storage and mount objects
  • Improve command line validation by shifting the command line expansion from policy generation time to runtime

What's Changed

  • policy: cherry pick state policy changes from upstream by @Redent0r in #273
  • policy: validate namespace env var by @Redent0r in #295
  • agent: clear log pipes if denied by policy by @sprt in #315
  • genpolicy: fix env variables that are always allowed by @Redent0r in #316
  • genpolicy: Harden storage validation by @sprt in #320
  • policy: improve args and env variables validation by @Redent0r in #308

Limitations and important notes

  • This release requires >= 3.2.0.azl4 kata-cc version (Azl3)
  • UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
  • Only supports pods that use IPv4 addresses
  • Windows is not supported

Full Changelog: 3.2.0.azl3.genpolicy3...3.2.0.azl5.genpolicy0

3.15.0.aks0

28 Apr 18:51

What's Changed

  • Syncing with upstream v3.15
  • samples: write test settings to /tmp by @Redent0r in #340

Full Changelog: https://github.com/microsoft/kata-containers/commits/3.15.0.azl0

3.2.0.azl5

28 Mar 16:38

Release notes

  • Prevent hanging when ReadStreamRequest is blocked by policy
  • Have the agent reformat CreateContainer requests in order to improve policy validation
  • Fix for CVE-2023-44487

Full Changelog: 3.2.0.azl4...3.2.0.azl5

  • This release requires corresponding genpolicy release 3.2.0-azl5.genpolicy0 or higher

3.2.0.azl4

22 Jan 20:49
6058c26

Release notes

  • Use Azl3 as default for node builder recipes
  • Addressed CVEs: CVE-2024-43806, CVE-2024-24786, CVE-2023-45288, CVE-2023-39325, CVE-2024-43806
  • Improved agent logging verbosity
  • Faster confidential pod startup
  • Allow pods with larger memory requests to start by increasing the timeout for CreateVM
  • Reduced memory usage for the guest image
  • Improved memory overhead management
  • Remove unused VMM options for memory allocation
  • Assign a default number of vcpus (1) to the VM when no limits are given
  • Added policy state support to agent
  • Fix mount OverlayFS with multiple lowdir entries after kernel update

What's Changed

  • tools: Align AGENT_POLICY_FILE check in rootfs-builder with upstream by @ms-mahuber in #244
  • node-builder: Use Azure Linux 3 as default path by @ms-mahuber in #251
  • libs:logging: Fix logger by @danmihai1 in #248
  • Fix logging verbosity comment to accurately reflect clh behavior by @Camelron in #249
  • node-builder: Deploy-only recipe for AzL3 VMs by @ms-mahuber in #254
  • runtime: skip logging some of the dial errors by @danmihai1 in #253
  • build(deps): bump rustix from 0.37.3 to 0.37.27 in /src/agent by @dependabot in #246
  • build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.33.0 in /src/runtime by @dependabot in #243
  • build(deps): bump dependency golang.org/x/net to v0.23.0 by @Sumynwa in #261
  • build(deps): bump rustix from 0.37.19 to 0.37.27 in /src/tardev-snapshotter by @dependabot in #262
  • runtime: Set memory config shared=false when shared_fs=None in CLH by @Sumynwa in #265
  • runtime: relax timeout for CreateVM + BootVM in CLH by @Sumynwa in #268
  • agent: fix make test by @Sumynwa in #266
  • reduce the memory usage for the guest image by @danmihai1 in #280
  • runtime: improved memory overhead management by @danmihai1 in #281
  • runtime: Remove unused VMM options for mem alloc by @ms-mahuber in #283
  • runtime: Allocate default workload vcpus by @ms-mahuber in #282
  • policy: cherry pick state policy changes from upstream by @Redent0r in #273
  • agent: add back rego error logs by @Redent0r in #292
  • agent: avoid "unknown mount flag" for tardev by @danmihai1 in #294
  • runtime: skip empty Guest console output lines by @danmihai1 in #296
  • overlay: use nix::mount for OverlayFS to overcome mounting limitations by @miz060 in #293

Full Changelog: 3.2.0.azl3...3.2.0.azl4

3.2.0.azl3.genpolicy3

08 Jan 00:14
89277cc

Release notes

  • Strengthen validation for bundle path annotation received from agent

What's Changed

Limitations and important notes

  • UDP protocol for Services, LoadBalancers, and EndpointSlices is not supported
  • Only supports pods that use IPv4 addresses
  • Windows is not supported

Full Changelog: 3.2.0.azl3.genpolicy2...3.2.0.azl3.genpolicy3