Release Note
Dalim 4.5.9
Release date: 2024-06-19
Feature :
- [New] Export control support
Service Stability & Improvements:
- [Improvement] Stack deployment improvements
Dalim 4.4.4
Release date: 2024-04-02
Service Stability & Improvements:
- [Improvement] Stack deployment improvements
Dalim 4.3.4
Release date: 2024-03-21
Feature :
- [New] Datadog integration
Dalim 4.2.3
Release date: 2024-02-29
Feature :
- [New] Conditional access on corporate clusters
Service Stability & Improvements:
- [Improvement] k8saas-controller to dynamically support multiple aks version
Dalim 4.1.8
Release date: 2024-02-16
Service Stability & Improvements:
- [Improvement] Migrated terraform module into gitops
Dalim 4.0.1
Release date: 2023-11-27
Feature :
- [New] Support ofGitops As service with flux in EA
Copernic 3.9.8
Release date: 2023-11-27
Feature :
- [New] Stop/Start our AKS Cluter
Service Stability & Improvements:
- [Improvement] Simplified deployment process
- [Improvement] NGINX: fix CVE-2023-5044 and CVE-2023-5043
- [Improvement] Change defautl DBAAS postgresql to burstable
- [Improvement] COST update cert-manager, velero, external-dns and implement workloadId
Copernic 3.8
Release date: 2023-11-06
Feature :
- [New] Support of Azure natGateway
- [New] DBAAS Vnet integration
Service Stability & Improvements:
- [Improvement] Move nginx to gitops
- [Improvement] Move fluentbit to gitops
- [Improvement] Move hnc to gitops
Copernic 3.7.5
Release date: 2023-10-02
Feature :
- [New] Support ofData encryption with Confidential Addon (by Ciphertrust)
- [New] Support of Trustest IAM Service Account. Public documentation on How to deploy an image on K8SaaS with TrustNest IAM Service Account
Service Stability & Improvements:
- [Improvement] Public documentation: features detailed by service offer
Copernic 3.4.6
Release date: 2023-07-31
Feature :
- [New] Integrate usage of Azure AD Workload Identity by providing a default/single Workload Id with K8saas intances: https://doc.kaas.thalesdigital.io/docs/Features/workload_identity
Service Stability & Improvements:
- [Improvement] Support AKS version 1.26
- [Improvement] Upgrade keda to 20.10.1
- [Improvement] Upgrade prometheus to 48.1.0
Copernic 3.3.4
Release date: 2023-07-14
Feature :
- [New] Facilitate onboarding by granting access natively to the cluster grafana to user in the reader/developer/devops groups.
Service Stability & Improvements:
- [Improvement] (internal) Add additional internal test cases for Kubernetes Hierarchical namespaces, storage classes and ArtiFactory images
- [Improvement] (internal) Improve our secret management to easily initialize and udpate all service account credentials in all the subscriptions keyvault
- [Improvement] (internal) Dynamically run all our release test case and generate our test case junit and markdown reports.
Deprecated:
- [Deprecated] Kube event exporter logs removed
Copernic 3.2.3
Release date: 2023-06-21
Feature :
- [New] Support Grafana Alerting: https://doc.kaas.thalesdigital.io/docs/GettingStarted/grafana_alerting
Service Stability & Improvements:
- [New] Security improvement on kubernetes deployment: Added policy to warn about deprecated storage class
Copernic 3.1.4
Release date: 2023-06-06
Feature :
- [New] Support Storage Class ZRS. List of storage classes supported by k8saas: https://doc.kaas.thalesdigital.io/docs/Features/persistency#storage-classes-available-in-k8saas-offer
Service Stability & Improvements:
- [Improvement] Upgrade: Velero to 1.10.2
- [Improvement] Upgrade: Kube-event-exporter to 1.1.0
- [Improvement] Upgrade: Cert-manager to 1.5.3
Security:
- [New] Support of azure workload identity (https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview) for internal use cases
Copernic 3.0.5
Release date: 2023-05-15
New Major! New major release to support AKS 1.25 and the API depreciations that comes with it: https://kubernetes.io/blog/2022/08/04/upcoming-changes-in-kubernetes-1-25/ As usual, the major name is dedicated to a star: https://fr.wikipedia.org/wiki/55_Cancri
Breaking changes:
- [New] Api depreciations in AKS 1.25:
- CronJob - batch/v1beta1
- EndpointSlice - discovery.k8s.io/v1beta1
- Event - events.k8s.io/v1beta1
- HorizontalPodAutoscaler - autoscaling/v2beta1
- PodDisruptionBudget - policy/v1beta1
- PodSecurityPolicy - policy/v1beta1
- RuntimeClass - node.k8s.io/v1beta1
Service Stability & Improvements:
- [New] API depreciation: Add policies to send warning about depreciations in the next AKS versions 1.26 and 1.27
- [Improvement] Upgrade: Linkerd upgraded to stable-2.12.4
- [Improvement] Upgrade: Nginx upgraded to 1.6.4
- [Improvement] Upgrade: Gatekeeper upgraded to 3.11.0
- [Improvement] Upgrade: Prometheus Operator upgraded to 0.63.0
- [Improvement] Upgrade: Grafana upgraded to 9.3.6
Security:
- [New] Security improvement on kubernetes deployment: Added policy to validate the ingress domain name
Babel 2.14.1
Release date: 2023-05-15 Keep support of AKS 1.24 and facilitate migration towards Copernic 3.0.5 and AKS 1.25.
Service Stability & Improvements:
- [New] API depreciation: Add policies to send warning about depreciations in the next AKS versions 1.25
Babel 2.13.2
Release date: 2023-04-17
Service Stability & Improvements:
- [Fixed] Restrict stop-start right to be only available to Devops role
Babel 2.12
Release date: 2023-03-07
Features:
- [New] Onboarding: Automatic process to add user as reader of k8saas resources when they are enrolled on a new project (enrolled on a TDF Account ID).
- [New] Self-service: Create Azure AD “devops” and “reader” group by default with service owner as owner and member of both groups.
Operations:
- [Process] Customer communication emails are now by TDF entity
Babel 2.11
Release date: 2023-02-10
Features:
- [New] Add a Windows node poolto your cluster! To understand this feature and its limitation, have a look to the K8SAAS public documentation “Add a Windows node pool”
Service Stability & Improvements:
- [Improvement] Support AKS version 1.24
- [Improvement] Upgrade Grafana to 9.2.4
- [Improvement] Upgrade kube-state-metrics to 2.6.0
- [Improvement] Upgrade prometheus to 2.39.1
Babel 2.10
Release date: 2023-01-16
Service Stability & Improvements:
- [Improvement] Improve Grafana dashboards.
- [Improvement] Improve Corporate Addon (certificate management)
Security:
- [New] Security improvement on kubernetes deployment: Added policy to prevent service of type loadbalancer and nodeport
Operations:
- [Process] Add preferred customer maintenance schedules for cluster upgrades
Babel 2.9
Release date: 2022-12-12
Service Stability & Improvements:
- [Improvement] Improve Corporate Addon (monitoring, Software Factory c3 access)
Security:
- [Improvement] Reduce secret lifecycle on internal technical accounts to 6 months
Operations:
- [Milestone] 100% clusters migrated to AKS 1.22
- [Milestone] 100% clusters migrated to k8saas Babel
Babel 2.8
Release date: 2022-11-21
Features:
- [New] Expose your containers only to Thales corporate networks using the new Corporate Addon (user doc coming soon…). To understand what are the differences between c3 and corporate addon, have a look to Corporate Addon Feature page
Service Stability & Improvements:
- [Improvement] Improve billing API performances using cache
- [Improvement] Collect SSO v2 (based on Pomerium) metrics
Babel 2.7
Release date: 2022-10-31
Community:
- [New] Discover how to collect & parse logs using the Punch language (Thales Technology uses in multiple CSOC). Tutorial
Features:
- [New] K8SAAS log collection supports new outputs: Opensearch and EventHub. Discover how to enable the feature & access to your logs in Opensearch or EventHub
- [New] Log Reduction. All verbosity levels have been reviewed to reduce the CPU & Memory consumption of the log collection (fluentbit).
Service Stability & Improvements:
- [Improvement] Internal k8saas alerting is now connected to serviceNow/postIT to update the support level 2 team more quickly.
- [Fixed] Grafana dashboard deployment issue in babel 2.5.4
- [Fixed] Developer Role is now officially supported in babel
Breaking changes:
- [New] Only nginx error logs will be collected by default (production mode). Breaking change doc
- [New] FTP is no longer supported in k8saas. blog
Babel 2.6
Release date: 2022-09-29
Features:
- [New] Visualize your k8saas cloud cost within Grafana! user doc
Service Stability & Improvements:
- [Improvement] Improve billing API to avoid conflict with malformed configuration file
- [Improvement] AKS version is now 1.23. detailed release note
Babel 2.5
Release date: 2022-09-07
Features:
- [New] Discover the detailed consumption of k8saas using the new billing API endpoint. doc
Service Stability & Improvements:
- [Improvement] Promote SSO new generation based on pomerium to General Available
- [Improvement] To avoid conflict between hierarchical namespace and classic namespace, self-service namespace creation is now limited under
customer-namespaces
. doc - [Improvement] Security improvement of storage account use for backup. Details: use TLS 1.2 minimum + restrict access from AKS vnet only.
Documentation:
- [New] Use SSO v2 based on pomerium using Azure AD groups. doc
- [New] Use service account and hierarchical namespace. doc
Babel 2.4
Release date: 2022-08-18
Features:
- [New] Look at your reserved instance using the updated billing API. doc
Service Stability & Improvements:
- [New] kubernetes policy limiting the length of ingress hostnames of 64 char (due to cert-manager limitations). limitation doc and policy doc
- [Improvement] SSO new generation (based on Pomerium) upgrade to 32.0.5
Breaking changes:
- [New] New k8saas will be deployed using
.k8saas.thalesdigital.io domain name (by default) rather than kaas.thalesdigital.io. doc - [New] Grafana dashboard will be deployed for new cluster with the URL: grafana.<short_instance_name>.
.k8saas.thalesdigital.io - [New] kubernetes policy forbidding the usage of node selector. Rational: High risk of outage during migration. Use taints&tolerations or affinity pattern instead. policy doc
Bonus:
- [Blog] Thales K8SAAS contributes to Pomerium. link
Babel 2.3 Beta
Release date: 2022-07-28
Features:
- [New] Manage your service accounts (with pre-defined roles) in self service. doc
- [New] Stop & Start your AKS in self service. doc
Service Stability & Improvements:
- [Improvement] Flux migration from 0.26 to 0.30.2
- [Improvement] Restore the capacity to grant readonly permissions
- [Improvement] Remove integration with Zendesk (legacy)
Babel 2.2 Beta
Release date: 2022-07-07
Service Stability & Improvements:
- [Improvement] Fix bugs for “Manage k8saas namespaces in self-service”. doc
Documentation:
- [Improvement] Hello world documentation update. Discover our 9 use cases
Babel 2.1 Beta
Release date: 2022-06-16
Features:
- [New] Manage k8saas namespaces in self-service. doc
- [New] k8saas Observability Stack Homepage to facilitate the navigation between the dashboards. doc
Service Stability & Improvements:
- [Improvement] Prometheus upgrade to 2.34.0
- [Improvement] Raise an alert when certificates used outside NGINX are about to expire. doc
Breaking changes:
- [Deprecated] RBAC microservice is no longer available with Babel. doc
Babel 2.0 Beta
Release date: 2022-05-26
Features:
- [New] Manage k8saas accesses in self-service. doc
- [New] Backup are now done using incremental snapshots. Impact: Cost reduction
- [New] Backup Dashboard in Grafana. Look at “K8SAAS / Velero” in your observability stack
Service Stability & Improvements:
- [Improvement] Use AKS 1.22. Microsoft AKS change log
- [Improvement] Nginx ingress controller upgrade to 1.1.3. release note
Breaking changes:
- [WARNING] kubernetes.io/ingress.class annotation is no longer accepted. Please update your configuration using our k8saas helper: here
Atik 1.33
Release date: 2022-05-05
Features:
- [Improvement] New search engine for online documentation + Add tags to improve SEO
Service Stability & Improvements:
- [Improvement] Improve Nginx Controller to avoid having 2 replicas on the same physical nodes.
- [Improvement] Patch CVE-2022-24797 for SSO v2
- [Fixed] Enable Prometheus Service Monitor for fluentbit (used for log collection)
Documentation:
- [New] Discover our first edge use case on K8SAAS: Combat Digital Platform
- [New] Kubernetes alternatives to docker commands: here
- [Improvement] Increase your WAF paranoia level + perform an audit of your WAF. here. Example of reports
- [Improvement] Discover how to deploy and use GeaMap series using Warp10 here
- [Improvement] Learn step by step how to enable WAF, SSO, persistent storage and more using our hello world projects
Atik 1.32
Released date: 2022-04-14
Features:
- [New] Discover the kubernetes CRD k8saas supports here
Service Stability & Improvements:
- [Improvement] Use AKS 1.21. Microsoft AKS change log
- [Improvement] Backup mechanism based on Velero upgrade to 1.8.1
- [Improvement] Industrialize the deletion of inactive users / departure users
- [Improvement] Minimum size of clusters is now 6vCPU & 24G of Memory (3xB2ms) to better support transversal services (monitoring, logging, backup, CSI driver, policy management)
- [Improvement] Move few transversal services into gitops mechanisms (backup mechanism, monitoring, service mesh)
Atik 1.31
Released date: 2022-03-24
Features:
- [New] Built-in SSO new generation. doc
- [New] Collect kubernetes events and discover them in the observability stack. doc
- [New] North Europe is now available. (name: prod-eu2)
- [New] Query time range on Billing API v2. doc
Service Stability & Improvements:
- [Improvement] Optimize Cpu/Memory for internal components (prometheus, grafana, fluentbit)
- [Improvement] Randomize the cronjob when performing automatic backup
- [Improvement] Support Thales Eyes Only Whitelisting officially (industrialization)
Documentation:
- [New] Use k8saas with Gitlab CI & Artifactory doc
Deprecated:
- [Deprecated] Billing v1 has been removed from k8saas API Portal
Atik 1.30
Released date: 2022-03-03
Features:
- [New] Archive all applicatives logs in cold storage for 365 days. (required by Trustnest Blue Team / CSOC). doc
- [New] New Design, new search capability and a dark mode for https://doc.kaas.thalesdigital.io
Service Stability & Improvements:
- [Improvement] Grafana upgrade to 8.3.5. Release note
- [Improvement] Exclude internal components from the backup mechanism to optimize internal costs (linkerd and gatekeeper-system)
- [Improvement] Limit memory and cpu consumption for internal rbac-service. doc
Atik 1.29
Released date: 2022-02-17
Features:
- [New] Size dynamically your workloads (by Keda). doc
Service Stability & Improvements:
- [Improvement] Use AKS 1.20.15
- [Improvement] Add helm-codes to innersource code. here
- [Improvement] Technical Architecture and Security Document Update (TASD). doc
Documentation:
- [New] Learn from Thomas Ehling how to scale dynamically your workloads blog
Atik 1.28
Released date: 2022-02-03
Features:
- [New] Optimise your log management pricing by enabling a daily cap. doc
- [New] Private access to your billing API to get your cloud consumption. doc
Service Stability & Improvements:
- [Improvement] Grafana upgrade to 8.3.4. Release note
Breaking changes:
- [WARNING] kubernetes.io/ingress.class annotation is deprecated. Please update your configuration using our k8saas helper: here
Atik 1.27
Released date: 2022-01-20
Features:
- [New] Optimise cost by disabling log collection for specific containers. doc
- [New] Monitor the malicious activity blocked by your WAF using our new builtin dashboard. doc
- [New] Added a priority class for customer customer-high-priority. doc
- [New] FTPS (port TCP/989 and TCP990) are now denied by default in outbound. doc
Service Stability & Improvements:
- [Improvement] Granted permission to devops role for certificates deletion
- [Improvement] Updated cluster security report to support AD groups (fix regression from 1.25)
- [Improvement] Fixed certificate renewal date issue
- [Improvement] fix log4j2 vulnerability on Billing API v1
Documentation:
- [New] c3* documentation. doc
Atik 1.26
features:
- [New] All new clusters will be deployed in AKS 1.20
- [New] Restrict container images to trusted registries (provide your own). doc
Service Stability & Improvements:
- [Improvement] Adapt default Azure Availability Zones for AKS cluster containing less than 3 nodes
- [Improvement] Remove unused Prometheus metrics
Atik 1.25
features:
- [New] Access to Azure Graph with Grafana
Service Stability & Improvements:
- [Improvement] Billing API v2 improvement (tagging)
- [Improvement] Managed users using AAD Groups
- [Improvement] Rename AzureMonitoringDashboard to Azure Log Analytics
Documentation:
- [New] Container Best Practices / Build your own helm chart link
Atik 1.24
features:
- [New] API Portal for Trustnest managed kubernetes: https://k8saas-internal-tooling-apim.developer.azure-api.net
- [New] Billing API v2 will show the trustnest 2022 pricing model
- [New] GPU compatibility - High compute processing. doc
- [New] Contribution to TrustNest FAQ - https://answers.thalesdigital.io/
Service Stability & Improvements:
- [Improvement] Support level 1 can now perform backup of your cluster
- [Improvement] NSG and RDP are now blocked by default on all clusters
Atik 1.23 STABLE
features:
- [New] Migration to Grafana 8. Please look at the full grafana release note
- [New] Remove header from logs using cri parser on fluentbit
- [New] New blog design link
- [New] New Professional Services activities. We are now able to assist projects helping them for migration or gotoproduction gates
- [New] Dashboard: Cluster / Overview used to show you alerts, certificates expiration, capacity planning
- [New] Fluxcdv2 Dashboard. Discover the k8saas internal services deployed in your cluster.
Service Stability & Improvements:
- [Improvement] Robustness of Billing API
Documentation:
- [New] Choose your AKS node type. doc
- [New] Vulnerability Management page. doc
- [New] Access to Transversal Resources. doc
Atik 1.22 STABLE
features:
- [New] New type of AKS node available: High Memory type! (4vCPU with 32G of memory)
- [New] Configuration Reporting Feature. Look at the doc
Service Stability & Improvements:
- [Improvement] Update tagging convention with the accountID
- [Improvement] Add pods/attach rights to developer-role
- [Improvement] Trial/Discover is now able to manage both UPN and ObjectID for new users
- [Improvement] Improve Nginx ingress Controller robustness (spread controller by azure zone)
Documentation:
Atik 1.21 STABLE
features:
- [New] Multi region supported (transversal components are migrating to per region deployment)
- [Alpha] RBAC microservice is now part of the Atik. This microservice is used to display the k8saas rights.
Service Stability & Improvements:
- [New] Provide us some feedback on the website and online documentation using the “feedback button” (on the right)
- [Improvement] Compatibility with gitlab runner using chart 0.30.0
- [Improvement] Cert-manager migration from 1.1.0 to 1.5.0
- [Improvement] Add kubernetes events in the k8saas logging capability. doc
Atik 1.20 STABLE
features:
- [Preview] Enabled automatic AKS node upgrades only on sandbox clusters
- [New] Compatibility with kubelogin command (skip MFA)
Service Stability & Improvements:
- [New] Doc for automatic backup - doc
- [New] Doc to skip MFA - doc
- [New] k8saas use cases documentation: BYOD, k8saas & azure bastion, k8saas & azure cosmoDB : link
- [New] Document automatic backup with velero - doc
- [Improvement] Migration to Terraform 14, enable prometheus compression, Observability Stack has been migrated to Cortex, Deploy a tagging strategy on cloud resources
- [New] Provide a Shared Responsibility Model - SRM
Atik 1.19 STABLE
Features:
- [New] Use a custom DNS domain with k8saas
- [Preview] Scheduled AKS scaling (weekend vs weekday / day vs night)
Service Stability & Improvements:
- [New] Add AccountID in Billing API
Atik 1.18 STABLE
Features:
- [New] Policy enforced. Privileged containers are now forbidden by default
- [New] Internal RBAC API (summarize the k8saas accesses)
- [New] Thales Employees App registration on demand
Service Stability & Improvements:
- [Improvement] Bug fixes for k8saas trial (UPN with capital letters)
Atik 1.17 STABLE
Features:
- [Preview] Trial version available for all @thalesdigital.io email address
- [New] 4 builtin grafana dashboards: Nginx, Linkerd, fluentbit, coreDNS
- [New] Manage your own dashboard with infrastructure as code - link
- [New] Automatic malicious IP blacklisting (ips provided by the trustnest blueteam)
- [New] DNS isolation between clusters
- [New] Support of @thalesgroup.com email address for admin
Service Stability & Improvements:
- [Improvement] AKS migration version from 1.19.7 to 1.19.11
- [Improvement] Linkerd migration version from 2.9.1 to 2.10.2
- [Improvement] fluentd & fluentbit migration version from 1.11.5 to 1.12.3
- [Improvement] Allow the support level 1 to get/list aks nodes
Documentation:
Atik 1.16.3 STABLE
Product Owning:
- [New] Start using Customer Evaluation Plan to drive PoC
Features:
- [Preview] Trial version in self service
Service Stability & Improvements:
- [New] Add Service Monitor to nginx controllers
- [Improvement] Security Alerting on service account usage outside the TDP
Atik 1.16 STABLE
Product Owning:
- [New] New website
- [Preview] New Security Report - send on demand. example
- [New] Add references in the documentation
Documentation:
- [New] Get service accounts by the end user link
Service Stability & Improvements:
- [New] Add option to use Ephemeral disks for AKS nodes
- [New] Configuration to configure the size of the OS disk for AKS nodes (previously 30G by default)
- [Fix] Nginx-ingress-controller internal and external didn’t get the default values (HSTS, TLS cipher etc…)
- [Improvement] Prometheus: configuration to expose API using ingress controller
- [Improvement] Grafana: persist dashboards on persistent storage
- [Improvement] Fluent: exclude tunnelfront logs
Atik 1.13 STABLE
Product Owning:
- [Preview] New Elasticsearch as a Service in Atik release here
Documentation:
- [New] Nginx ingress controller annotation link
Service Stability & Improvements:
- [Improvement] Dedicated nginx ingress controller per namespace (for reliability)
- [Preview] New terraform module for peering
- [Improvement] Clean deployment scripts
- [Improvement] Linkerd, Prometheus fixes
- [Improvement] Grafana rights on Log Analytics
- [Improvement] Disable Auto scaling by default for AKS (azure limitation)
Atik 1.12 STABLE
Product Owning:
- [New] Chatbot when asking for a cluster creation
- [New] Documentation to raise a ticket using the TDP portal here
- [Preview] Contribute to TDP documentation portal
- [New] Service Review Meeting Organization for continuous improvements
- [New] Terragrunt Modules move in InnerSource
Features:
- [New] BYOK for storage (C3 requirement)
- [New] Customer based security detection rules (ask us to implement security or business alerts)
- [Improvement] Grafana integration (still in preview)
Security:
- [New] ISSC C3 preparation / Cybersecurity documentation (TASD)
Service Stability & Improvements:
- [Improvement] Backup architecture evolution (velero)
- [New] Give reader access to NSG and impersonate rights for support level 1
- [Improvement] Remove internal default unused namespaces
- [Improvement] Update Hello world project with new kubernetes networking API
- [Improvement] Increase the prometheus local retention from 2h to 2 days
Atik 1.8 STABLE
Features:
- [Preview] Discover Pack (Shared Cluster) now available in Atik 1.8
- [GA] Access to your applicatives logs across a dedicated log analytics workspace
Security:
- [Preview] Automatic backups (every 2 hours)
- [Preview] WAF documentation + default nginx logs routing to customer log analytics
Service Stability & Improvements:
- [Improvement] Monitoring Contributor Role for Dedicated Log Analytics
- [Improvement] TDP Checkmarx default NSG rules
- [Improvement] AKS migration version from 1.19.6 to 1.19.7
Atik 1.6 STABLE
Product Owning:
- [New] public documentation portal - https://doc.kaas.thalesdigital.io/
- [New] internal documentation portal
- [New] K8saas terraform modules innerSourced
Features:
- [Preview] Azure Spot Compatibility
- [Preview] Multiple AKS node pools compatibility
- [Preview] Access to your applicatives logs across a dedicated log analytics workspace
- [Preview] Access to your applivatives metrics across a dedicated grafana and prometheus
- [Improvement] Billing API update
Security:
- [Improvement] Increase retention period to 365days for terraform states
- [Improvement] Store AKS public and private SSH keys into Azure Keyvault
- [Improvement] Allow only TCP/443 & 80 by default + be protected against vnet peering
- [Improvement] No clear secrets on any laptop - SOPS integration
Service Stability & Improvements:
- [Improvement] Reduce the cooldown of the AKS autoscaler to 60m.
- [Preview] Support Level 1 in Follow the Sun