3.11 Release notes
August 20, 2019
The Aporeto enforcer now requires an "X-Aporeto-Metadata: secrets" header on all API requests, for example:
curl http://169.254.254.1/certificate -H "X-Aporeto-Metadata: secrets"
Update your scripts before upgrading your enforcers. The 3.11 enforcer rejects requests without the required header.
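As an added example that is not part of the release notes, the following POSIX shell script helps with the "update your scripts" step: it scans a shell script for requests to the enforcer metadata endpoint (169.254.254.1, the address shown above) that do not send the X-Aporeto-Metadata header, and can rewrite a single curl line to add it. The sample script content is constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Aporeto's own tooling: find enforcer metadata requests
# that will be rejected by a 3.11 enforcer because the header is missing.

METADATA_HOST="169.254.254.1"
REQUIRED_HEADER="X-Aporeto-Metadata: secrets"

# Print every line of $1 that targets the metadata endpoint without the
# required header. Returns 1 if at least one such line exists, else 0.
find_missing_header() {
    file="$1"
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"$METADATA_HOST"*)
                case "$line" in
                    *"$REQUIRED_HEADER"*) ;;   # already sends the header
                    *) printf 'missing header: %s\n' "$line"; found=1 ;;
                esac
                ;;
        esac
    done < "$file"
    return $found
}

# Print the given command line, appending the header when the line targets
# the metadata endpoint and does not already carry it. Other lines pass through.
add_header() {
    line="$1"
    case "$line" in
        *"$METADATA_HOST"*)
            case "$line" in
                *"$REQUIRED_HEADER"*) printf '%s\n' "$line" ;;
                *) printf '%s -H "%s"\n' "$line" "$REQUIRED_HEADER" ;;
            esac
            ;;
        *) printf '%s\n' "$line" ;;
    esac
}

# Demo on a constructed sample script: one compliant request, one that
# would be rejected by the 3.11 enforcer, and one unrelated command.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
curl http://169.254.254.1/certificate -H "X-Aporeto-Metadata: secrets"
curl http://169.254.254.1/certificate
echo unrelated
EOF
    if find_missing_header "$sample"; then
        echo "all metadata requests send the header"
    else
        echo "fix the lines above before upgrading enforcers, e.g.:"
        add_header 'curl http://169.254.254.1/certificate'
    fi
    rm -f "$sample"
}
```

Run `demo` (or call `find_missing_header path/to/script.sh`) before rolling out 3.11 enforcers; a non-zero exit from `find_missing_header` means at least one request still needs the header.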
New production features
New table views in the Aporeto web interface
Most panes in the Aporeto web interface now feature a new table view, making it easier to locate specific information, especially in larger deployments. You can select which columns to display and sort by. We've also added a search option.
Change requests added to the Aporeto web interface
This release adds a Change Requests pane to the Aporeto web interface. The Change Requests pane implements the import requests resource of the Aporeto API that was introduced in 3.9. This brings the change requests feature out of beta.
Users desiring access to a namespace can use the Change Requests pane to expedite the grant by creating the policy and sending it to the namespace editor for approval.
Increased access to OIDC and LDAP configuration
Configuration of OIDC and LDAP identity providers no longer requires company account administrator credentials.
- The Authentication Sources section has been moved from the Accounts page to the App page.
- The LDAPProviders resource in the Aporeto API has moved to
- The apoctl --account flag has been renamed to --namespace. Requests that include --account will fail. Use
Destination protocol and port in network policies
You can now specify the destination protocol and port of a network policy. For this value to have any effect, both the source and destination of the network policy must be processing units. Otherwise, the protocol and port specified in the external network definition take precedence.
Support for OpenShift 4
This release adds support for OpenShift 4.
Per namespace exclusion
You can now annotate Kubernetes/OpenShift namespaces that you wish to exclude from Aporeto.
kubectl annotate namespace exclude-me aporeto.io/disable-sync="true"
Dropped packet reporting
The Aporeto enforcer now reports dropped packets.
You can access this information using apoctl stats query packets or apoctl stats info packets.
Platform pane time selector
We've added a drag-and-drop time selector to the top of the Platform pane. It includes red and green lines to help you identify which intervals include denied and accepted flows. To improve reliability for all tenants, the selected time interval cannot exceed 24 hours.
Groups in the Platform pane
The Platform pane now accepts view expressions, allowing you to use system tags to establish groups as follows.
|Groups all external networks together.|
|Groups all external networks together with the legend "external networks".|
|Groups all external networks together with a red background.|
|Groups all external networks together and all processing units together.|
The Platform pane also offers a new Collapse groups by default option under the three-dot menu, allowing you to control whether a group appears as a single block or shows the details of its individual members.
External networks added to platform analysis
External networks have been added to the Analysis option of the Platform pane, providing better visibility into the potential effects of your network policies.
Improved notifications experience
A notifications icon has been added to the top bar of the web interface. A red dot indicates one or more important events that require your attention. You can click the icon to review the notifications.
Status website for Aporeto-hosted control plane
If you use the control plane hosted by Aporeto, we now provide a website describing its status. You can subscribe via RSS for updates.
App credentials pane moved to Authentication sources
The App Credentials pane has been moved from the Namespace Settings section to the Authentication Sources section.
AWS account bindings pane removed
After a period of deprecation, the AWS Account Bindings pane has been removed from the App page. Aporeto has offered automated AWS account binding since 3.7. For more information, refer to Installing the enforcer on an EC2 instance.
Disable creation of Aporeto custom resource definitions
We now support disabling the creation of Aporeto custom resource definitions. This ensures a complete Aporeto uninstall.
kubectl annotate namespace aporeto aporeto.io/disable-aporeto-ctrls="true"
New beta features
Web hook automations
You can now write automations to respond to Aporeto web hooks, relieving you of the need to set up a separate server.
Immediate execution of scheduled automations
You can now set your scheduled automations to run immediately after being created or updated. Read more about this option in the API documentation.
Enhancements to SSH access control
While the SSH access control feature remains in beta, this release adds the following.
- The Aporeto web interface now offers detailed logs of users' SSH sessions.
- The sudo plugin allows you to control whether users can execute sudo commands or not.
- You no longer have to manually enable SSH certificate authorities in each namespace. An SSH certificate authority is enabled for each account by default.
- You can now rotate Aporeto SSH certificate authority keys on demand, such as in the event of a compromise or as part of a regular practice.
- We've added the option to include a forceCommand in the OpenSSH certificate to the Aporeto web interface.
This release introduces recipes. Recipes make it easier to accomplish common procedures. Aporeto provides the following recipes out of the box.
- Configure an alert for disconnected enforcers.
- Allow all DNS traffic.
- Automatically block blacklisted IPs.
- Quickstart your SSH certificates.
- Secure a Kubernetes cluster.
- Secure a Linux host.
- Secure a simple application.
- Synchronize with AWS subnets.
- Synchronize with Cloudflare subnets.
You can also create your own recipes.
This release introduces infrastructure policies. Infrastructure policies represent the AWS security groups, firewalls, and other access control list (ACL) mechanisms of your underlying infrastructure.
Aporeto's AWS Integration App automatically creates:
- External network objects to represent AWS security group rules
- Node objects to represent elastic network interfaces (ENIs)
You can view these objects and other infrastructure policies by clicking Analysis and Infra in the Platform pane of the Aporeto web interface.
Red Hat Enterprise Linux 8+ requires special configuration to work with the SSH access control feature. If you require this distribution, contact us for assistance.