From 0a8f2d82fc76ffd8e322e52c80bdae78e10ca8d7 Mon Sep 17 00:00:00 2001
From: "sg-doc-holiday[bot]"
<219201796+sg-doc-holiday[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 16:44:19 +0000
Subject: [PATCH 1/9] add v1.6.8 release notes placeholder
---
getting-started/release-notes/v1.6.md | 32 +++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/getting-started/release-notes/v1.6.md b/getting-started/release-notes/v1.6.md
index 4dd4db43b8..39c1135784 100644
--- a/getting-started/release-notes/v1.6.md
+++ b/getting-started/release-notes/v1.6.md
@@ -1,5 +1,37 @@
# KubeArmor v1.6 Release Notes
+## KubeArmor v1.6.8
+
+**Title:** KubeArmor v1.6.8 patch release
+
+**Date:** 2026-02-25
+
+**Version:** v1.6.8
+
+```json
+{
+ "π New Features": [
+ "Added faster username reporting in host events so operators can understand who triggered an alert without extra lookups. The system now caches UIDβusername resolution and propagates usernames through internal types and protobuf APIs into host logs and alerts.",
+ "Added an option to explicitly choose the container runtime socket so deployments can target the correct CRI endpoint. The Helm chart now plumbs a `--socket-file` flag into snitch with validation and tests, and runtime detection derives the runtime via `determineRuntimeFromSocket` from the matched socket path."
+ ],
+ "π Misc": [
+ "Updated CI to use the correct Helm values key for the kubearmor-operator image tag so automated workflows set the intended image version. The CI pipelines were adjusted to reference the updated Helm value key for the operator image tag.",
+ "Improved test configuration flexibility so runs can match the intended LSM setup. The test harness now accepts an LSM order flag and forwards it to KubeArmor execution.",
+ "Improved host-only runs and USB logging so local operation is easier to diagnose. The host-only run target now disables Kubernetes mode via `k8s=false`, and USB logs now include timestamps.",
+ "Updated dependencies and release metadata to keep builds current and supported. The stable version was bumped to **v1.6.8**, Go was updated to **1.24.13**, and `github.com/cilium/cilium` was bumped to **v1.18.4**.",
+ "Hardened security-scanner compliance and aligned secret naming for better operational consistency. The Kubernetes secret field was renamed and gosec suppression comments were added around specific file checks and HTTP call sites.",
+ "Added default resource sizing so workloads behave more predictably under scheduling pressure. Resource requests/limits were added to relay, KubeArmor controller, the DaemonSet, and snitch workloads."
+ ],
+ "π Bug Fixes": [
+ "Fixed several concurrency issues to make endpoint and host security policy handling more reliable under load. The code now copies slices under read locks, updates originals via keyed lookup under write locks, adds missing endpoint locking in the containerd update path, and includes race-condition tests (later updated to randomize endpoint removal and shorten runtime).",
+ "Fixed alert throttling race conditions so alerts are not corrupted or mis-throttled during concurrent processing. AlertMap is now protected by an `RWMutex` and used consistently across throttling operations.",
+ "Fixed RHEL9 build gating so the compatibility macro is only enabled when it should be. The build system now defines `RHEL9_BUILD_GTE_400` only when the detected RHEL9 build number is `\u003e= 400`.",
+ "Fixed chart-generated DaemonSets to always pass a CRI socket argument so runtime connectivity is consistent across environments. The manifests now enforce the CRI socket argument in generated DaemonSets, including snitch-related workloads."
+ ]
+}
+
+```
+
We are excited to announce the release of **KubeArmor v1.6**, packed with powerful new features, significant enhancements, and critical bug fixes that make workload protection and observability even more robust for cloud-native environments.
This release reflects major advancements in policy enforcement, system monitoring, and ecosystem integrations while addressing important stability and performance improvements.
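Review bot: the JSON escape `\u003e=` in the RHEL9 bug-fix entry will render literally inside a fenced block that nobody parses as JSON; write `>= 400` so readers see the actual threshold for `RHEL9_BUILD_GTE_400`. The section keys (`"π New Features"`, `"π Misc"`, `"π Bug Fixes"`) also carry a stray `π` glyph where an emoji seems intended; check the file encoding before this lands, since the same glyph propagates into every later heading. The parenthetical "(later updated to randomize endpoint removal and shorten runtime)" is internal development history rather than release-facing information and can be dropped.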
From a82e27aa67c53142f10a39171cf67618e901cde2 Mon Sep 17 00:00:00 2001
From: "sg-doc-holiday[bot]"
<219201796+sg-doc-holiday[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 16:45:31 +0000
Subject: [PATCH 2/9] shorten v1.6.8 notes to one sentence
---
getting-started/release-notes/v1.6.md | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/getting-started/release-notes/v1.6.md b/getting-started/release-notes/v1.6.md
index 39c1135784..5692fa8e20 100644
--- a/getting-started/release-notes/v1.6.md
+++ b/getting-started/release-notes/v1.6.md
@@ -11,22 +11,22 @@
```json
{
"π New Features": [
- "Added faster username reporting in host events so operators can understand who triggered an alert without extra lookups. The system now caches UIDβusername resolution and propagates usernames through internal types and protobuf APIs into host logs and alerts.",
- "Added an option to explicitly choose the container runtime socket so deployments can target the correct CRI endpoint. The Helm chart now plumbs a `--socket-file` flag into snitch with validation and tests, and runtime detection derives the runtime via `determineRuntimeFromSocket` from the matched socket path."
+ "Added faster username reporting in host events so operators can understand who triggered an alert without extra lookups.",
+ "Added an option to explicitly choose the container runtime socket so deployments can target the correct CRI endpoint."
],
"π Misc": [
- "Updated CI to use the correct Helm values key for the kubearmor-operator image tag so automated workflows set the intended image version. The CI pipelines were adjusted to reference the updated Helm value key for the operator image tag.",
- "Improved test configuration flexibility so runs can match the intended LSM setup. The test harness now accepts an LSM order flag and forwards it to KubeArmor execution.",
- "Improved host-only runs and USB logging so local operation is easier to diagnose. The host-only run target now disables Kubernetes mode via `k8s=false`, and USB logs now include timestamps.",
- "Updated dependencies and release metadata to keep builds current and supported. The stable version was bumped to **v1.6.8**, Go was updated to **1.24.13**, and `github.com/cilium/cilium` was bumped to **v1.18.4**.",
- "Hardened security-scanner compliance and aligned secret naming for better operational consistency. The Kubernetes secret field was renamed and gosec suppression comments were added around specific file checks and HTTP call sites.",
- "Added default resource sizing so workloads behave more predictably under scheduling pressure. Resource requests/limits were added to relay, KubeArmor controller, the DaemonSet, and snitch workloads."
+ "Updated CI to use the correct Helm values key for the kubearmor-operator image tag so automated workflows set the intended image version.",
+ "Improved test configuration flexibility so runs can match the intended LSM setup.",
+ "Improved host-only runs and USB logging so local operation is easier to diagnose.",
+ "Updated dependencies and release metadata to keep builds current and supported.",
+ "Hardened security-scanner compliance and aligned secret naming for better operational consistency.",
+ "Added default resource sizing so workloads behave more predictably under scheduling pressure."
],
"π Bug Fixes": [
- "Fixed several concurrency issues to make endpoint and host security policy handling more reliable under load. The code now copies slices under read locks, updates originals via keyed lookup under write locks, adds missing endpoint locking in the containerd update path, and includes race-condition tests (later updated to randomize endpoint removal and shorten runtime).",
- "Fixed alert throttling race conditions so alerts are not corrupted or mis-throttled during concurrent processing. AlertMap is now protected by an `RWMutex` and used consistently across throttling operations.",
- "Fixed RHEL9 build gating so the compatibility macro is only enabled when it should be. The build system now defines `RHEL9_BUILD_GTE_400` only when the detected RHEL9 build number is `\u003e= 400`.",
- "Fixed chart-generated DaemonSets to always pass a CRI socket argument so runtime connectivity is consistent across environments. The manifests now enforce the CRI socket argument in generated DaemonSets, including snitch-related workloads."
+ "Fixed several concurrency issues to make endpoint and host security policy handling more reliable under load.",
+ "Fixed alert throttling race conditions so alerts are not corrupted or mis-throttled during concurrent processing.",
+ "Fixed RHEL9 build gating so the compatibility macro is only enabled when it should be.",
+ "Fixed chart-generated DaemonSets to always pass a CRI socket argument so runtime connectivity is consistent across environments."
]
}
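Review bot: trimming each entry to its first sentence removes the only concrete details a reader upgrading to v1.6.8 needs: the `--socket-file` flag name, the Go `1.24.13` and `github.com/cilium/cilium` `v1.18.4` bumps, the `RWMutex` around `AlertMap`, and the `>= 400` RHEL9 build condition. The "Hardened security-scanner compliance" and "Fixed RHEL9 build gating ... when it should be" entries are now too vague to act on; keep at least the identifier or version in each item, e.g. "Added a `--socket-file` flag to snitch to explicitly choose the container runtime socket."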
From f5a03ad04cb5649167192fb716af30044e98f7d9 Mon Sep 17 00:00:00 2001
From: "sg-doc-holiday[bot]"
<219201796+sg-doc-holiday[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 16:45:49 +0000
Subject: [PATCH 3/9] format v1.6.8 release notes sections
---
getting-started/release-notes/v1.6.md | 43 +++++++++++++--------------
1 file changed, 20 insertions(+), 23 deletions(-)
diff --git a/getting-started/release-notes/v1.6.md b/getting-started/release-notes/v1.6.md
index 5692fa8e20..a436b04107 100644
--- a/getting-started/release-notes/v1.6.md
+++ b/getting-started/release-notes/v1.6.md
@@ -8,29 +8,26 @@
**Version:** v1.6.8
-```json
-{
- "π New Features": [
- "Added faster username reporting in host events so operators can understand who triggered an alert without extra lookups.",
- "Added an option to explicitly choose the container runtime socket so deployments can target the correct CRI endpoint."
- ],
- "π Misc": [
- "Updated CI to use the correct Helm values key for the kubearmor-operator image tag so automated workflows set the intended image version.",
- "Improved test configuration flexibility so runs can match the intended LSM setup.",
- "Improved host-only runs and USB logging so local operation is easier to diagnose.",
- "Updated dependencies and release metadata to keep builds current and supported.",
- "Hardened security-scanner compliance and aligned secret naming for better operational consistency.",
- "Added default resource sizing so workloads behave more predictably under scheduling pressure."
- ],
- "π Bug Fixes": [
- "Fixed several concurrency issues to make endpoint and host security policy handling more reliable under load.",
- "Fixed alert throttling race conditions so alerts are not corrupted or mis-throttled during concurrent processing.",
- "Fixed RHEL9 build gating so the compatibility macro is only enabled when it should be.",
- "Fixed chart-generated DaemonSets to always pass a CRI socket argument so runtime connectivity is consistent across environments."
- ]
-}
-
-```
+### π New Features
+
+- Added faster username reporting in host events so operators can understand who triggered an alert without extra lookups.
+- Added an option to explicitly choose the container runtime socket so deployments can target the correct CRI endpoint.
+
+### π Bug Fixes
+
+- Fixed several concurrency issues to make endpoint and host security policy handling more reliable under load.
+- Fixed alert throttling race conditions so alerts are not corrupted or mis-throttled during concurrent processing.
+- Fixed RHEL9 build gating so the compatibility macro is only enabled when it should be.
+- Fixed chart-generated DaemonSets to always pass a CRI socket argument so runtime connectivity is consistent across environments.
+
+### π Misc
+
+- Updated CI to use the correct Helm values key for the kubearmor-operator image tag so automated workflows set the intended image version.
+- Improved test configuration flexibility so runs can match the intended LSM setup.
+- Improved host-only runs and USB logging so local operation is easier to diagnose.
+- Updated dependencies and release metadata to keep builds current and supported.
+- Hardened security-scanner compliance and aligned secret naming for better operational consistency.
+- Added default resource sizing so workloads behave more predictably under scheduling pressure.
We are excited to announce the release of **KubeArmor v1.6**, packed with powerful new features, significant enhancements, and critical bug fixes that make workload protection and observability even more robust for cloud-native environments.
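Review bot: the converted list ends with "- Added default resource sizing ..." immediately followed by the "We are excited to announce ..." paragraph with no blank line visible between them, which in CommonMark makes the paragraph a lazy continuation of the last list item; add a blank line after the final bullet. The `### π New Features` / `### π Bug Fixes` / `### π Misc` headings also carry over the unresolved `π` glyph from the JSON keys.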
From 2d06852b7a6b7cf87f0ed2644d79f71518f24462 Mon Sep 17 00:00:00 2001
From: "sg-doc-holiday[bot]"
<219201796+sg-doc-holiday[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 16:46:24 +0000
Subject: [PATCH 4/9] align v1.6.8 notes with style guide
---
getting-started/release-notes/v1.6.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/getting-started/release-notes/v1.6.md b/getting-started/release-notes/v1.6.md
index a436b04107..fcb4d4a99e 100644
--- a/getting-started/release-notes/v1.6.md
+++ b/getting-started/release-notes/v1.6.md
@@ -15,10 +15,10 @@
### π Bug Fixes
-- Fixed several concurrency issues to make endpoint and host security policy handling more reliable under load.
+- Fixed several concurrency issues so endpoint and host security policy handling is more reliable under load.
- Fixed alert throttling race conditions so alerts are not corrupted or mis-throttled during concurrent processing.
- Fixed RHEL9 build gating so the compatibility macro is only enabled when it should be.
-- Fixed chart-generated DaemonSets to always pass a CRI socket argument so runtime connectivity is consistent across environments.
+- Fixed chart-generated DaemonSets so they always pass a CRI socket argument for consistent runtime connectivity.
### π Misc
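Review bot: the two rewritten bullets read better, but the vaguest item in this hunk, "Fixed RHEL9 build gating so the compatibility macro is only enabled when it should be", is left unchanged as context; while touching this list, name the macro and the condition, e.g. "Fixed RHEL9 build gating so `RHEL9_BUILD_GTE_400` is defined only when the detected build number is >= 400."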
From b0ce4512015553edac32b163e46d8bd3417e76b6 Mon Sep 17 00:00:00 2001
From: "sg-doc-holiday[bot]"
<219201796+sg-doc-holiday[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 16:46:35 +0000
Subject: [PATCH 5/9] enforce thesaurus choices in v1.6.8 notes
From a0350fbb28fd84e6677010b53ef730e08071595b Mon Sep 17 00:00:00 2001
From: "sg-doc-holiday[bot]"
<219201796+sg-doc-holiday[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 16:49:40 +0000
Subject: [PATCH 6/9] match v1.6.8 notes to existing layout
---
getting-started/release-notes/v1.6.md | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/getting-started/release-notes/v1.6.md b/getting-started/release-notes/v1.6.md
index fcb4d4a99e..0a7da5ef4b 100644
--- a/getting-started/release-notes/v1.6.md
+++ b/getting-started/release-notes/v1.6.md
@@ -1,6 +1,15 @@
# KubeArmor v1.6 Release Notes
-## KubeArmor v1.6.8
+We are excited to announce the release of **KubeArmor v1.6**, packed with powerful new features, significant enhancements, and critical bug fixes that make workload protection and observability even more robust for cloud-native environments.
+
+This release reflects major advancements in policy enforcement, system monitoring, and ecosystem integrations while addressing important stability and performance improvements.
+
+### [Watch the KubeArmor v1.6 Release Overview](https://www.youtube.com/watch?v=lNXBwXRH-TQ)
+
+
+## Patch Releases
+
+### KubeArmor v1.6.8
**Title:** KubeArmor v1.6.8 patch release
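Review bot: there are two consecutive blank lines between the `### [Watch the KubeArmor v1.6 Release Overview]` heading and `## Patch Releases`; collapse them to one. Moving the release intro above the patch notes is the right structure, since the page previously opened with v1.6.8 bullets before saying what v1.6 is.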
@@ -8,19 +17,19 @@
**Version:** v1.6.8
-### π New Features
+#### π **New Features**
- Added faster username reporting in host events so operators can understand who triggered an alert without extra lookups.
- Added an option to explicitly choose the container runtime socket so deployments can target the correct CRI endpoint.
-### π Bug Fixes
+#### π **Bug Fixes**
- Fixed several concurrency issues so endpoint and host security policy handling is more reliable under load.
- Fixed alert throttling race conditions so alerts are not corrupted or mis-throttled during concurrent processing.
- Fixed RHEL9 build gating so the compatibility macro is only enabled when it should be.
- Fixed chart-generated DaemonSets so they always pass a CRI socket argument for consistent runtime connectivity.
-### π Misc
+#### π **Misc**
- Updated CI to use the correct Helm values key for the kubearmor-operator image tag so automated workflows set the intended image version.
- Improved test configuration flexibility so runs can match the intended LSM setup.
@@ -29,12 +38,7 @@
- Hardened security-scanner compliance and aligned secret naming for better operational consistency.
- Added default resource sizing so workloads behave more predictably under scheduling pressure.
-We are excited to announce the release of **KubeArmor v1.6**, packed with powerful new features, significant enhancements, and critical bug fixes that make workload protection and observability even more robust for cloud-native environments.
-
-This release reflects major advancements in policy enforcement, system monitoring, and ecosystem integrations while addressing important stability and performance improvements.
-
-### [Watch the KubeArmor v1.6 Release Overview](https://www.youtube.com/watch?v=lNXBwXRH-TQ)
-
+**Changelog:** https://github.com/kubearmor/KubeArmor/releases/tag/v1.6.8
## Key Features & Enhancements
From 7c5712903064c92453a6c31bb7e981d4ed1583f0 Mon Sep 17 00:00:00 2001
From: "sg-doc-holiday[bot]"
<219201796+sg-doc-holiday[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 16:52:19 +0000
Subject: [PATCH 7/9] document operator helm resource and runtime settings
---
getting-started/deployment_guide.md | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/getting-started/deployment_guide.md b/getting-started/deployment_guide.md
index 1a9a26b8fc..c2149ee927 100644
--- a/getting-started/deployment_guide.md
+++ b/getting-started/deployment_guide.md
@@ -12,7 +12,32 @@ helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubear
kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/pkg/KubeArmorOperator/config/samples/sample-config.yml
```
-You can find more details about helm related values and configurations [here](https://github.com/kubearmor/KubeArmor/tree/main/deployments/helm/KubeArmorOperator).
+You can find more details about helm related values and configurations in the upstream chart sources at [deployments/helm/KubeArmorOperator](https://github.com/kubearmor/KubeArmor/tree/main/deployments/helm/KubeArmorOperator).
+
+### Configure operator Pod resources (optional)
+
+The Helm chart supports setting container resources for the `kubearmor-operator` deployment via `kubearmorOperator.resources`.
+
+1. Create a values override file.
+2. Set `kubearmorOperator.resources`.
+3. Re-run `helm upgrade --install`.
+
+Example:
+
+```yaml
+kubearmorOperator:
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
+```
+
+{% hint style="info" %}
+The upstream chart defaults `kubearmorOperator.resources` to `{}`.
+{% endhint %}
## Install kArmor CLI (Optional)
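Review bot: step 3 ("Re-run `helm upgrade --install`") never shows how the override file from step 1 reaches Helm; without `-f`/`--values` the example block has no effect. Suggest spelling out the command, e.g. `helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubearmor -f values.yaml`. Also hyphenate "Helm-related" in the modified sentence, and consider noting next to the example that a memory limit below the operator's working set will get the Pod OOM-killed, so the numbers shown are a starting point to size against observed usage rather than a recommendation.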
From 23804ca65ac85de56dbcbe4513f0e693dbbea102 Mon Sep 17 00:00:00 2001
From: "sg-doc-holiday[bot]"
<219201796+sg-doc-holiday[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 16:53:19 +0000
Subject: [PATCH 8/9] add note on snitch runtime socket detection
---
getting-started/deployment_guide.md | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/getting-started/deployment_guide.md b/getting-started/deployment_guide.md
index c2149ee927..6897e199a0 100644
--- a/getting-started/deployment_guide.md
+++ b/getting-started/deployment_guide.md
@@ -51,6 +51,22 @@ curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
## Deploy test nginx app
+## Verify node runtime detection (optional)
+
+The KubeArmor operator deploys a `kubearmor-snitch` Job that detects node information. The snitch detects the runtime by checking known runtime socket locations under the configured path prefix (default: `/rootfs`) and then patches the node with labels that include the detected runtime and socket.
+
+To see the detection logs:
+
+```bash
+kubectl logs -n kubearmor job/
+```
+
+To see labels patched on a node:
+
+```bash
+kubectl get node --show-labels
+```
+
```
kubectl create deployment nginx --image=nginx
POD=$(kubectl get pod -l app=nginx -o name)
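Review bot: the new `## Verify node runtime detection (optional)` section is inserted after the `## Deploy test nginx app` heading but before that section's code block, so the nginx commands (`kubectl create deployment nginx ...`) now fall under the runtime-detection section; move the insert above the `## Deploy test nginx app` heading. The log command is also incomplete: nothing follows `job/` in `kubectl logs -n kubearmor job/`. Either name the snitch Job or have the reader list Jobs first (`kubectl get jobs -n kubearmor`) and substitute the name. Finally, `kubectl get node --show-labels` prints every label on every node; the paragraph says snitch patches runtime and socket labels, so filtering the output for those labels (or naming a node) would show the reader what to look for.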
From a1385fad0bf3b3dc5f9d9cdd6fc166b5373406bc Mon Sep 17 00:00:00 2001
From: "sg-doc-holiday[bot]"
<219201796+sg-doc-holiday[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 16:55:50 +0000
Subject: [PATCH 9/9] update operator helm value key docs
---
getting-started/deployment_guide.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/getting-started/deployment_guide.md b/getting-started/deployment_guide.md
index 6897e199a0..10f59af663 100644
--- a/getting-started/deployment_guide.md
+++ b/getting-started/deployment_guide.md
@@ -12,6 +12,18 @@ helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubear
kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/pkg/KubeArmorOperator/config/samples/sample-config.yml
```
+### Override the kubearmor-operator image tag (optional)
+
+To override the `kubearmor-operator` image tag during install/upgrade, set the Helm value `kubearmorOperator.image.tag`.
+
+Example:
+
+```bash
+helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator \
+ -n kubearmor --create-namespace \
+ --set kubearmorOperator.image.tag=latest
+```
+
You can find more details about helm related values and configurations in the upstream chart sources at [deployments/helm/KubeArmorOperator](https://github.com/kubearmor/KubeArmor/tree/main/deployments/helm/KubeArmorOperator).
### Configure operator Pod resources (optional)
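Review bot: the example uses `--set kubearmorOperator.image.tag=latest`, which documents exactly the mutable-tag pattern a security-enforcement component should avoid: `latest` is not reproducible, makes rollback and audit ambiguous, and silently changes what runs on every node restart. Use a pinned release tag in the example (the page already names v1.6.8 as the current stable version) and state that operators should pin to a specific version. The new section is also inserted between the install code block and the "You can find more details about helm related values ..." sentence that belongs with it; place the subsection after that sentence so the install instructions stay together.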