January 24, 2020
New production features
Increased visibility
This release of Aporeto features logging of DNS lookup requests. You can locate the DNS lookup logs report under Logs in the Aporeto web interface.
To assist in identifying and removing stale objects, you can now view the number of times a network policy or external network has been hit from the web interface.
Aporeto now provides dropped packet metrics for debugging purposes. Use apoctl stats query packets to retrieve dropped packets that didn’t hit any Aporeto rules. Use apoctl stats query counters to obtain a count of dropped packets. Refer to the apoctl reference documentation for more information.
More flexible external network definitions
You can use fully qualified domain names to define external networks. Aporeto also supports wildcards on the leftmost part of the domain. For example, you can define an external network as *.google.com. However, you cannot define an external network as *google.com or google*.com.
You can now define protocol-independent external networks via the Control Plane API, using "any" as the servicePorts value.
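The wildcard rule above (a wildcard is accepted only as the whole leftmost label) as an added example, not Aporeto's own code: a validator for external network FQDN patterns and a matcher that applies a validated pattern to a resolved name. The matcher assumes, since the page does not say, that a leading "*" stands for one or more whole labels, so "*.google.com" does not match "google.com" itself.

```python
import re

# Simplified single-label check (letters, digits, inner hyphens), no "*" allowed.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def validate_external_network_fqdn(pattern: str) -> bool:
    """True if `pattern` follows the documented rule: a wildcard may only
    be the entire leftmost label. "*.google.com" is valid; "*google.com"
    and "google*.com" are rejected, as is a wildcard in any other label."""
    labels = pattern.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        return False
    head, rest = labels[0], labels[1:]
    if "*" in head and head != "*":
        return False  # partial wildcard such as "*google" or "google*"
    if any("*" in lbl for lbl in rest):
        return False  # wildcard outside the leftmost label
    head_ok = head == "*" or bool(_LABEL.match(head))
    return head_ok and all(_LABEL.match(lbl) for lbl in rest)


def fqdn_matches(pattern: str, hostname: str) -> bool:
    """Decide whether `hostname` falls under the external network `pattern`.
    ASSUMPTION (not stated on the page): a leading "*" matches one or more
    whole labels, so "*.google.com" matches "mail.google.com" and
    "a.b.google.com" but not "google.com" or "notgoogle.com"."""
    if not validate_external_network_fqdn(pattern):
        raise ValueError(f"invalid external network FQDN pattern: {pattern!r}")
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if plabels[0] != "*":
        return plabels == hlabels  # exact FQDN, label by label
    suffix = plabels[1:]
    # Require at least one extra leading label, then compare the suffix.
    return len(hlabels) > len(suffix) and hlabels[-len(suffix):] == suffix


if __name__ == "__main__":
    # Constructed sample patterns, including the two rejected forms from the notes.
    for p in ("*.google.com", "*google.com", "google*.com", "*.*.com"):
        print(f"{p:14} valid={validate_external_network_fqdn(p)}")
    print(fqdn_matches("*.google.com", "mail.google.com"))  # True
    print(fqdn_matches("*.google.com", "notgoogle.com"))   # False
```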
Namespace in token derived from app credential
Aporeto now uses the namespace of the app credential as the value of audience in Aporeto tokens retrieved via apoctl auth appcred. You can use the --audience flag to override this behavior and set the audience to a different value.
Support for booleans and arrays from identity providers
Aporeto no longer ignores boolean and array claim values returned by OpenID Connect (OIDC) identity providers.
New beta features
Integrates with Istio 1.2 and later
This release of Aporeto integrates with Istio 1.2 and later.
Enhancements to SSH
You can now use Aporeto’s SSH access control features with enforcers deployed as standalone containers.
The enforcer offers a new sshdconfig subcommand that makes it easier to set up SSH access controls. The logs of the SSH commands issued by users include the arguments.
The SSH authorization resource offers a new requireSystemAccountMatching option. Enable it to require users to specify the name of a Linux user account on the remote host when requesting an SSH certificate. Refer to SSH authorization for more information.
New GCP monitoring app
The new GCP instance monitoring app allows you to ensure that your GCP instances have running enforcers. If the app locates an instance without an operational enforcer, it triggers an alarm in the Aporeto web interface. If you have instances that you wish to exclude from monitoring, you can identify these using tags. To check out this app, visit Integrations > Apps in the Aporeto web interface.
PCI compliance reports
Aporeto offers a new apoctl report compliance command to help you achieve and retain PCI compliance. Refer to the apoctl reference documentation for more information.
Identity federation for applications
Aporeto can now serve as an identity broker, providing applications with credentials to access third-party services such as AWS, Vault, and others. Refer to the Enforcer API section to learn more.
Known issue
Red Hat Enterprise Linux 8+ requires special configuration to work with the SSH access control feature. If you require this distribution, contact us for assistance.