Releases: kubescape/synchronizer
Release v0.0.149
Release v0.0.148
Summary
Bumps indirect Go dependencies to address fixable container image vulnerabilities found in quay.io/kubescape/synchronizer@sha256:e247d1263daf749e2cec03840b7c178ec43478bda6ea20949ca0261e6a21be99.
| CVE | Severity | Package | From | To |
|---|---|---|---|---|
| CVE-2026-34040 | HIGH | github.com/docker/docker | v28.5.0 | v28.5.2 |
| CVE-2026-33997 | MEDIUM | github.com/docker/docker | v28.5.0 | v28.5.2 |
| CVE-2026-33481 | MEDIUM | github.com/anchore/syft | v1.32.0 | v1.44.0 |
Both are indirect dependencies. Build verified with make build after the update.
Note: Trivy reports the docker/docker fix version as v29.3.1, which is not yet available in the Go module proxy. v28.5.2 is the latest available patch release on the v28 line.
Test plan
- go mod tidy ran cleanly
- make build passes
- CI passes
🤖 Generated with Claude Code
Release v0.0.147
Summary
- Split ReadTimeout: 5s into ReadHeaderTimeout: 5s + ReadTimeout: 30s
- The previous 5s ReadTimeout covered the full request (headers + body). Node-agent POSTs a full network stream snapshot every interval; on busy nodes the body read was racing with the timeout, causing the server to close the connection before sending a response. Node-agent then logged context deadline exceeded (Client.Timeout exceeded while awaiting headers).
- ReadHeaderTimeout keeps protection against slow-header attacks; the higher ReadTimeout gives body reads enough headroom.
Deploy note: deploy together with the matching kubescape/node-agent change that raises the client timeout to 30s.
Test plan
- Verify no context deadline exceeded errors in node-agent logs after deploying both PRs together
- Confirm /healthz and normal synchronizer flows are unaffected
🤖 Generated with Claude Code
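The timeout split described in v0.0.147, reproduced against a local net/http server as an added example (not code from kubescape/synchronizer). Durations are scaled down (500ms stands in for 5s, 5s for 30s), and the helper names start, postSlow and stalledHeaders, plus the handler's 408 on a failed body read, are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// start runs a local server with the given timeouts (scaled-down stand-ins for 5s and 30s).
func start(hdr, read time.Duration) *httptest.Server {
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := io.Copy(io.Discard, r.Body); err != nil { // read deadline hit mid-body
			w.WriteHeader(http.StatusRequestTimeout) // assumed handler behaviour
		}
	}))
	ts.Config.ReadHeaderTimeout, ts.Config.ReadTimeout = hdr, read
	ts.Start()
	return ts
}

// postSlow POSTs a chunked body that only completes after delay; it returns the status, 0 on error.
func postSlow(ts *httptest.Server, delay time.Duration) (status int) {
	pr, pw := io.Pipe()
	time.AfterFunc(delay, func() { pw.Close() })
	if resp, err := ts.Client().Post(ts.URL, "application/octet-stream", pr); err == nil {
		defer resp.Body.Close()
		status = resp.StatusCode
	}
	return status
}

// stalledHeaders sends an unfinished header block; true if the server hangs up within wait.
func stalledHeaders(ts *httptest.Server, wait time.Duration) bool {
	conn, err := net.DialTimeout("tcp", ts.Listener.Addr().String(), wait)
	if err == nil {
		defer conn.Close()
		io.WriteString(conn, "POST / HTTP/1.1\r\nHost: x\r\n") // header block never completed
		conn.SetReadDeadline(time.Now().Add(wait))
		_, err = io.Copy(io.Discard, conn) // nil means EOF: the server closed the connection
	}
	return err == nil
}

func main() {
	old, split := start(0, 500*time.Millisecond), start(500*time.Millisecond, 5*time.Second)
	fmt.Println(postSlow(old, 1500*time.Millisecond), postSlow(split, 1500*time.Millisecond), stalledHeaders(split, 2*time.Second))
}
```

With only ReadTimeout set, net/http uses it as the header deadline too, so the single value has to cover both the slow-header defence and the largest expected body.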
Release v0.0.146
Summary by CodeRabbit
- Chores
  - Updated core libraries and infrastructure components to newer versions.
  - Synchronized Kubernetes ecosystem libraries and transitive dependencies to ensure compatibility and stability.
  - Refreshed third-party integrations and client libraries to maintain alignment with latest upstream releases.
Release v0.0.144
Summary by CodeRabbit
- New Features
  - Service discovery now reads the API host from an API_URL environment variable (defaults to api.armosec.io).
- Tests
  - Service discovery tests switched to an HTTP mock server with the newer response format.
  - Integration test database wiring updated to use a single-postgres router.
- Chores
  - Bumped many dependencies and adjusted CI to skip Git LFS smudge.
Release v0.0.141
Discover Azure ResourceGroup from the node providerID and send it via X-RESOURCE-GROUP, then include it in ConnectedClients payloads (initial and keepalive) so downstream persistence can store it.
Also fixes keepalive payload to preserve ClusterUID.
Made-with: Cursor
Overview
Summary by CodeRabbit
New Features
- Azure resource group information is now automatically detected and included in client identity and telemetry tracking for better resource organization visibility.
Release v0.0.140
Merge pull request #149 from kubescape/bump2 chore(deps): update docker/cli to v29.2.0
Release v0.0.138
- Updated armoapi-go dependency from v0.0.673 to v0.0.700.
- Introduced ClusterUID field in ClientIdentifier and ConnectedClient structures.
- Enhanced message handling to include ClusterUID in connected clients messages.
- Added tests for ClusterUID handling in authentication middleware and client message sending.
- Implemented GetClusterUID function to retrieve the cluster UID from the kube-system namespace.
Overview
Summary by CodeRabbit
- New Features
  - Added cluster unique identifier tracking to enable better cluster identification and distinguish clients connecting from different clusters.
- Tests
  - Added comprehensive test coverage for cluster identifier functionality.
- Chores
  - Updated dependencies to latest versions.
Release v0.0.136
Bumps github.com/cilium/cilium from 1.16.17 to 1.17.14.
Release notes
Sourced from github.com/cilium/cilium's releases.
1.17.14
Summary of Changes
Bugfixes:
- bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR cilium/cilium#44709, Upstream PR cilium/cilium#44658, @smagnani96)
- Fix envoy admin socket being created as world-accessible (Backport PR cilium/cilium#44591, Upstream PR cilium/cilium#44512, @0xch4z)
- l7lb: fix bypassing ingress policies for local backends (Backport PR cilium/cilium#44805, Upstream PR cilium/cilium#44693, @smagnani96)
CI Changes:
- pkg: Mark node_linux_test.go as unparallel (Backport PR cilium/cilium#44591, Upstream PR cilium/cilium#38172, @jschwinger233)
Misc Changes:
- Include the results of find /sys/fs/bpf in bugtool output (Backport PR cilium/cilium#44591, Upstream PR cilium/cilium#38980, @ti-mo)
Other Changes:
... (truncated)
Release v0.0.134
Bumps google.golang.org/grpc from 1.74.0 to 1.79.3.
Release notes
Sourced from google.golang.org/grpc's releases.
Release 1.79.3
Security
- server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error. (#8981)
Release 1.79.2
Bug Fixes
- stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (grpc/grpc-go#8874)
Release 1.79.1
Bug Fixes
- grpc: Remove the -dev suffix from the User-Agent header. (grpc/grpc-go#8902)
Release 1.79.0
API Changes
- mem: Add experimental API SetDefaultBufferPool to change the default buffer pool. (#8806)
  - Special Thanks: @vanja-p
- experimental/stats: Update MetricsRecorder to require embedding the new UnimplementedMetricsRecorder (a no-op struct) in all implementations for forward compatibility. (#8780)
Behavior Changes
- balancer/weightedtarget: Remove handling of Addresses and only handle Endpoints in resolver updates. (#8841)
New Features
- experimental/stats: Add support for asynchronous gauge metrics through the new AsyncMetricReporter and RegisterAsyncReporter APIs. (#8780)
- pickfirst: Add support for weighted random shuffling of endpoints, as described in gRFC A113.
  - This is enabled by default, and can be turned off using the environment variable GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING. (#8864)
- xds: Implement :authority rewriting, as specified in gRFC A81. (#8779)
- balancer/randomsubsetting: Implement the random_subsetting LB policy, as specified in gRFC A68. (#8650)
  - Special Thanks: @marek-szews
Bug Fixes
- credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (#8726)
  - Special Thanks: @Atul1710
- xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in CONNECTING state. (#8813)
- health: Fix a bug where health checks failed for clients using legacy compression options (WithDecompressor or RPCDecompressor). (#8765)
  - Special Thanks: @sanki92
- transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (#8769)
  - Special Thanks: @joybestourous
- server: Propagate status detail headers, if available, when terminating a stream during request header processing. (#8754)
  - Special Thanks: @joybestourous
Performance Improvements
... (truncated)
Commits
- dda86db Change version to 1.79.3 (#8983)
- 72186f1 grpc: enforce strict path checking for incoming requests on the server (#8981)
- 97ca352 Changing version to 1.79.3-dev (#8954)
- 8902ab6 Change the version to release 1.79.2 (#8947)
- a928670 Cherry-pick #8874 to v1.79.x (#8904)
- 06df363 Change version to 1.79.2-dev (#8903)
- 782f2de Change version to 1.79.1 (#8902)
- 850eccb Change version to 1.79.1-dev (#8851)
- 765ff05 Change version to 1.79.0 (#8850)
- 68804be Cherry pick #8864 to v1.79.x (#8896)
- Additional commits viewable in compare view
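A minimal model of the fail-closed path check named in the grpc 1.79.3 security note above, as an added example (not grpc-go's code). The deny-list entry, the sample paths and the function names are constructed for the illustration; the lenient form is the pattern the note warns about, where policy compares the raw :path string only.

```go
package main

import (
	"fmt"
	"strings"
)

// denied is a constructed deny list keyed by canonical gRPC method path.
var denied = map[string]bool{"/admin.v1.Admin/DeleteCluster": true}

// splitMethod parses a canonical ":path" of the form "/service/method".
// Anything else (no leading slash, empty parts, extra segments) is rejected.
func splitMethod(path string) (service, method string, ok bool) {
	rest, found := strings.CutPrefix(path, "/")
	if !found {
		return "", "", false
	}
	service, method, found = strings.Cut(rest, "/")
	if !found || service == "" || method == "" || strings.Contains(method, "/") {
		return "", "", false
	}
	return service, method, true
}

// lenientAllow is the weak form: it compares the raw path with the deny list,
// so a differently spelled path for the same method is not matched by the rule.
func lenientAllow(path string) bool { return !denied[path] }

// strictAllow fails closed: a non-canonical path never reaches policy evaluation.
func strictAllow(path string) bool {
	if _, _, ok := splitMethod(path); !ok {
		return false
	}
	return !denied[path]
}

func main() {
	// Constructed sample paths: canonical denied, slash-less variant, canonical allowed.
	for _, p := range []string{"/admin.v1.Admin/DeleteCluster", "admin.v1.Admin/DeleteCluster", "/sync.v1.Sync/Push"} {
		fmt.Printf("%-32q lenient=%-5v strict=%v\n", p, lenientAllow(p), strictAllow(p))
	}
}
```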