Release Note for CTE for Kubernetes
Release Note Version | Date |
---|---|
1.3.0.33 | 2023-11-10 |
Container Image Digest
Verify that the Container Image Digest matches the version that you are installing.
New Features and Enhancements
- Added support for CTE for Kubernetes ARM architecture on AWS Graviton environment and Azure
  CTE for Kubernetes v1.3.0, and subsequent versions, support the ARM architecture for an AWS Graviton environment on any Linux distribution supported by Kubernetes.
- Rancher Kubernetes Management Platform can integrate with CTE for Kubernetes
  Rancher is an open source software platform that enables Enterprise Kubernetes Container Management.
  See Integrating CTE for Kubernetes with Rancher Kubernetes Management Platform.
- Support for Dynamic PVC
  Dynamic provisioning allows the administrator to define Storage Classes. Each Storage Class has a specific storage pool from which PVs can be provisioned automatically to meet an application’s requirements. Dynamic PVC is supported on:
  - AWS (Amazon Web Services)
  - GCP (Google Cloud Platform)
  - MS Azure (Microsoft Azure)
  - Standard Kubernetes clusters
Resolved Issues
- AGT-39143: EBS volumes are not attaching to the Kubernetes cluster when using dynamic provisioning for a second time
  This issue is resolved by the new Dynamic PVC feature.
- AGT-46880 [CS1431227]: CTE Policy Process Not available
  For a file that was opened with writeback, if the process (or thread) that opened the file had exited, CTE for Kubernetes was unable to find any process associated with the I/O. In this case, CTE for Kubernetes could only use the original UID/GID from the opening thread and could not calculate any group name, process name or process signature, which caused access checks to fail. If CTE for Kubernetes detects this scenario and has already granted access to the file, CTE for Kubernetes prevents the access check from failing.
Known Issues
- AGT-39000: CipherTrust Manager may not report all pods using the same CTE PVC on the same node
  Workaround:
  CTE PVCs with the access modes ReadWriteOnce, ReadWriteMany or ReadOnlyMany may fail to report to CipherTrust Manager all of the pods using the same volume on the same node. This anomaly is due to how Kubernetes handles a single volume used across multiple pods in the same node. This reporting anomaly in CipherTrust Manager does not mean that the CTE PVC is not attached to the pod. It is recommended that the user describe the CTE PVC (`kubectl describe pvc`) to find the list of all of the pods that are using a particular CTE PVC.
- AGT-48396: CTE-CSI | Container Attestation Issue | CM2.13, CM2.14
  The Trusted Pods feature currently only works with CipherTrust Manager v2.14 and subsequent versions.
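
The workaround for AGT-39000 above, as an added shell example (not part of the release note or the product): it extracts the pod list from the `Used By` field of `kubectl describe pvc` output and prints the pods that are absent from the list CipherTrust Manager shows. The PVC name, pod names and CM-reported list are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `kubectl describe pvc` output (names are made up).
sample_describe() {
cat <<'EOF'
Name:          cte-claim
Namespace:     default
Status:        Bound
Access Modes:  RWX
Used By:       app-a
               app-b
               app-c
Events:        <none>
EOF
}

# Read `kubectl describe pvc` output on stdin, print one pod name per line
# from the "Used By:" field (continuation lines are indented; "<none>" = empty).
pvc_used_by() {
  awk '
    /^Used By:/ {
      in_field = 1
      sub(/^Used By:[ \t]*/, ""); sub(/[ \t]+$/, "")
      if ($0 != "" && $0 != "<none>") print
      next
    }
    in_field && /^[ \t]+[^ \t]/ {
      sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; next
    }
    { in_field = 0 }
  '
}

# Print the pods on stdin that are missing from the space-separated list in $1
# (the pods CipherTrust Manager shows for the volume, entered by hand).
not_in_cm_report() {
  awk -v reported="$1" '
    BEGIN { n = split(reported, r, " "); for (i = 1; i <= n; i++) seen[r[i]] = 1 }
    !($0 in seen)
  '
}

# Demo on the sample; on a cluster, pipe the real command instead:
#   kubectl describe pvc <pvc-name> -n <namespace> | pvc_used_by
echo "Pods using the PVC:"
sample_describe | pvc_used_by
echo "Not shown in the CM report (constructed: CM lists only app-a):"
sample_describe | pvc_used_by | not_in_cm_report "app-a"
```

A non-empty second list only reflects the reporting anomaly described in AGT-39000; the `Used By` field is the authoritative list of pods that use the CTE PVC.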