From ffa50c4a44b6348275cffb521c19c7bc9e0c9c02 Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Mon, 5 Jun 2023 16:30:13 -0400 Subject: [PATCH] Release notes for v0.6.0 Create new release notes file with content for v0.6.0. Signed-off-by: Tobin Feldman-Fitzthum --- releases/v0.6.0.md | 59 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 releases/v0.6.0.md diff --git a/releases/v0.6.0.md b/releases/v0.6.0.md new file mode 100644 index 0000000..e88fa14 --- /dev/null +++ b/releases/v0.6.0.md @@ -0,0 +1,59 @@ +# Release Notes for v0.6.0 +Release Date: June 7th, 2023 + +Please see the [quickstart guide](../quickstart.md) for details on how to try out Confidential +Containers. + +Please refer to our [Acronyms](https://github.com/confidential-containers/documentation/wiki/Acronyms) +and [Glossary](https://github.com/confidential-containers/documentation/wiki/Glossary) pages for a +definition of the acronyms used in this document. + +## What's new +- Support for attesting pod VMs with Azure vTPMs on SEV-SNP +- Support for using Project Amber as an attestation service +- Support for Cosign signature validation with s390x +- Pulling guest images with many layers can no longer cause guest CPU starvation. +- Attestation Service upgraded to avoid several security issues in Go packages. + +## Hardware Support +Confidential Containers is tested with attestation on the following platforms: +- Intel TDX +- AMD SEV(-ES) +- Intel SGX + +The following platforms are untested or partially supported: +- IBM Secure Execution (SE) on IBM zSystems (s390x) running LinuxONE +- AMD SEV-SNP + +The following platforms are in development: +- ARM CCA + +## Limitations +The following are known limitations of this release: + +- Platform support is rapidly changing + * Image signature validation with AMD SEV-ES is not covered by CI. +- SELinux is not supported on the host and must be set to permissive if in use. +- The generic KBS does not yet supported all platforms. +- The format of encrypted container images is still subject to change + * The [oci-crypt](https://github.com/containers/ocicrypt) container image format itself may still change + * The tools to generate images are not in their final form + * The image format itself is subject to change in upcoming releases + * Not all image repositories support encrypted container images. +- CoCo currently requires a custom build of `containerd`, which is installed by the operator. + * Codepath for pulling images will change significantly in future releases. + * `crio` is only supported with `cloud-api-adaptor`. +- Complete integration with Kubernetes is still in progress. + * OpenShift support is not yet complete. + * Existing APIs do not fully support the CoCo security and threat model. [More info](https://github.com/confidential-containers/community/issues/53) + * Some commands accessing confidential data, such as `kubectl exec`, may either fail to work, or incorrectly expose information to the host + * Container images must be downloaded separately (inside guest) for each pod. [More info](https://github.com/confidential-containers/community/issues/66) +- The CoCo community aspires to adopting open source security best practices, but not all practices are adopted yet. + * We track our status with the OpenSSF Best Practices Badge, which increased from 49% to 64% at the time of this release. + * All CoCo repos now have automated tests, including linting, incorporated into CI. + * Vulnerability reporting mechanisms still need to be created. Public github issues are still appropriate for this release until private reporting is established. + + +## CVE Fixes + +None