
v0.58.0

@github-actions github-actions released this 26 Oct 22:37

NOTES:

  • All published OPA images now run as a non-root user; the uid:gid is set to 1000:1000 in every image. As a result,
    the -rootless image variant is no longer needed and will not be published as part of future releases. This change
    follows container security best practices. OPA can still be run with root privileges by setting the user explicitly,
    either with the --user argument of docker run or via the securityContext in the Kubernetes Pod specification.
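An added example of a Pod specification that keeps the new non-root default and makes the kubelet enforce it (this is illustrative configuration written for these notes, not from the OPA project; the image name, tag and arguments are assumed, and no bundle persistence directory is configured):

```yaml
# Constructed example: run OPA as the image's built-in 1000:1000 user and have
# Kubernetes refuse to start it as root. The docker equivalent of the user
# setting is: docker run --user 1000:1000 <image> run --server
apiVersion: v1
kind: Pod
metadata:
  name: opa
spec:
  securityContext:
    runAsNonRoot: true   # kubelet rejects the container if it would start as uid 0
    runAsUser: 1000      # matches the uid baked into the published images
    runAsGroup: 1000     # matches the gid baked into the published images
    fsGroup: 1000        # mounted policy/bundle volumes become readable by 1000
  containers:
    - name: opa
      image: openpolicyagent/opa:0.58.0   # assumed image name; pin the tag you deploy
      args: ["run", "--server", "--addr=0.0.0.0:8181"]
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true      # fine when no persistence dir is configured
        capabilities:
          drop: ["ALL"]
      ports:
        - containerPort: 8181
# If a deployment genuinely needs root, the page's override is to set the user
# explicitly and drop runAsNonRoot (which would otherwise reject uid 0):
#   securityContext:
#     runAsUser: 0
#     runAsGroup: 0
```

With runAsNonRoot set, a future image or sidecar that silently reverts to uid 0 fails at admission time rather than running privileged unnoticed.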

This release contains a mix of performance improvements, bugfixes and security fixes for third-party libraries.

Runtime, Tooling, SDK

  • cmd/test: Display lines not covered if code coverage threshold not met in verbose reporting mode (#2562) authored by @johanfylling
  • cmd/test: Don't round up test coverage calculation as it could lead to inaccurate code coverage results (#6307) authored by @anderseknert
  • cmd/fmt: Don't format functions without a value to include = true as it is implied (#6323) authored by @anderseknert
  • server: Remove deprecated partial query parameter from REST API. This option has been deprecated since v0.23.0 (#2266) authored by @ashutosh-narkar
  • Add support for configurable prometheus buckets for the http_request_duration_seconds metric (#6238) authored by @AdrianArnautu
  • plugins/bundle: Update bundle plugin state on a reconfigure operation when existing bundle is not modified (#6311) authored by @asadk12
  • internal/pathwatcher: Fix how paths to watch by a fsnotify watcher are determined to avoid monitoring unintended directories and files (#6277) authored by @ashutosh-narkar

Topdown and Rego

  • topdown: Fix issue with build optimization producing support modules with forbidden characters in first var of rule ref (#6338) authored by @johanfylling
  • topdown: Fix panic in build optimization when policy contains rules with a general ref in the head (#6339) authored by @johanfylling
  • topdown: Avoid unnecessary conversion of small numbers by caching them and thereby helping to speed up some arithmetic operations (#6021) authored by @ashutosh-narkar
  • ast+rego: Disable compiler stages for IR-based eval paths (#6335) authored by @srenatus
  • built-in/walk: Skip path creation if the path is assigned a wildcard, to achieve faster walking (#6267) authored by @anderseknert
  • ast: Add regression test for edge case where partial rule hides recursion cycle (#6318) authored by @johanfylling

Docs

  • Drop EXPERIMENTAL status of reported prom metrics (#6298) authored by @ashutosh-narkar
  • Update documentation on GCS bundles for the case where the resource (the object in the GCS bucket) contains slashes (/) or other special characters (#6264) authored by @dennisg
  • Provide a clearer description of negation in the policy language section (#6275) authored by @gusega

Website + Ecosystem

  • Fix un-versioned built-in docs issue so that only the built-ins for a given doc version are displayed (#6269) authored by @charlieegan3

Miscellaneous

  • ci: Remove hub tool in GitHub workflows in favor of GitHub CLI tool (#6326) authored by @ashutosh-narkar
  • Dependency updates; notably:
    • bump go.opentelemetry.io modules (#6292) authored by @cksidharthan
    • aquasecurity/trivy-action from 0.12.0 to 0.13.0
    • github.com/containerd/containerd from 1.7.6 to 1.7.7
    • github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0
    • golang.org/x/net from 0.15.0 to 0.17.0
    • google.golang.org/grpc from 1.58.2 to 1.59.0 (addresses vulnerability GHSA-m425-mq94-257g)
    • oras.land/oras-go/v2 from 2.3.0 to 2.3.1
    • sigs.k8s.io/yaml from 1.3.0 to 1.4.0