v0.7.0

Major Changes

• Operator rewritten from Python to Rust — The Kubernetes operator has been completely replaced with a Rust implementation using kube-rs 3.0. This brings significantly lower memory usage (~5MB vs ~50MB), faster startup, and compile-time type safety. The operator container now uses a distroless base image (chainguard/static).

• TCP probe type — New tcp probe for testing raw socket connectivity. Available as a CLI command (netcheck tcp --host <host> --port <port>) and in NetworkAssertion rules. Useful for verifying non-HTTP services and network policy enforcement.

Features

• Status conditions on NetworkAssertion — The operator now writes reconciliation status back to the NetworkAssertion resource. Visible via kubectl get nas (Ready/Reason columns) and kubectl describe. Conditions report Reconciled=True with probe result summaries, or Reconciled=False with error details for invalid specs or API errors.

• Event-driven CronJob processing — The controller now watches CronJob changes (.owns(cronjobs)), so scheduled assertion results are processed via events rather than polling. The periodic safety-net requeue interval has been relaxed from 60s to 300s.

• Structured JSON logging — Operator logs are emitted as structured JSON via the tracing crate, with configurable log levels via RUST_LOG environment variable.

• OTLP metrics export — Optional OpenTelemetry metrics (reconciliation duration, probe duration, assertion counts, PolicyReport updates) exported when OTEL_EXPORTER_OTLP_ENDPOINT is set.

• Health endpoints — New /livez and /readyz endpoints (with /healthz compatibility) for Kubernetes probes.

Bug Fixes

• PolicyReport server-side apply — Removed invalid scope.apiGroup field from PolicyReport data that caused 500 errors with the v1alpha2 CRD schema. Extended fallback to handle both 422 and 500 responses.

• PolicyReport summary format — Summary now omits zero-valued counts (e.g. no fail key when all probes pass), matching the original operator behavior and integration test expectations.

• Multi-platform Docker build — Fixed BuildKit cache mount collisions between amd64 and arm64 builds by using platform-specific cache IDs.

Operator / Helm Chart

• Helm chart version bumped to 0.2.1.
• CRD updated with subresources: status: {} to enable the status subresource endpoint.
• New printer columns on kubectl get networkassertions: Schedule, Ready, Reason, Status.
• Tighter RBAC — removed Kopf-specific permissions.
• Operator configuration via environment variables: PROBE_IMAGE_REPOSITORY, PROBE_IMAGE_TAG, PROBE_IMAGE_PULL_POLICY, POLICY_REPORT_MAX_RESULTS.

Breaking Changes

• CRD upgrade required — The NetworkAssertion CRD now includes the status subresource. Existing clusters must re-apply the CRD (kubectl apply -f crds/networkassertions.yaml) since Helm does not update CRDs on helm upgrade.
• Operator image changed — The operator container image is now built from Rust instead of Python. The image name (ghcr.io/hardbyte/netchecks-operator) is unchanged.
• Removed Kopf peering CRDs — The operator no longer uses ClusterKopfPeering or NamespacedKopfPeering resources.

Full Changelog: v0.6.0...v0.7.0

netchecks-0.2.1

Netchecks proactively verifies whether your security controls are working as intended.

v0.6.0

Highlights

• Rust CEL engine: Switched from Python celpy to the Rust-based common-expression-language (0.5.6) for CEL expression evaluation — better performance and native dict subclass support
• Pydantic v2: Migrated both CLI and operator from Pydantic v1 to v2
• Operator dependency updates: All operator dependencies upgraded to latest compatible versions (kopf, kubernetes, structlog, OpenTelemetry, etc.)

Changes

CEL Library Migration

• Replaced cel-python with common-expression-language 0.5.6
• New API: cel.Context and cel.evaluate (replaces celpy.Environment)
• Custom functions (parse_json, parse_yaml, b64decode, b64encode) continue to work identically
• LazyFileLoadingDict now works directly with CEL (dict subclass support in 0.5.6)

Pydantic 2.x Migration

• Upgraded pydantic to ^2.0 in both CLI and operator
• Added pydantic-settings ^2.0 to operator
• Migrated operator config to SettingsConfigDict and PydanticBaseSettingsSource

Security & Robustness

• Added path traversal protection to LazyFileLoadingDict
• Added filtering of Kubernetes ConfigMap metadata files (symlinks like ..data)
• Improved CEL error handling: parse errors raise ValueError, runtime errors return False

Testing

• New test suites: CEL validation (12 tests), LazyFileLoadingDict (8 tests), operator config (11 tests)
• Integration test debugging: pod logs captured on failure
• All CI checks green across Python 3.11/3.12 on Linux, macOS, Windows

Other

• CLI dependencies updated to latest versions
• Added AGENTS.md with architecture docs and local development instructions
• Dockerfile fix: re-enabled VIRTUAL_ENV for package discovery
• US spelling standardization throughout codebase

Breaking Changes

None — all changes are internal. The external CLI and operator APIs remain unchanged.

Full Changelog: v0.5.6...v0.6.0

v0.5.6: Include submodules in setuptools build (#301)

Minor release to fix setuptools/uv packaging of CLI wheel

netchecks-0.1.19

Netchecks proactively verifies whether your security controls are working as intended.

V0.5.5

What's Changed

• 🚀 Switched from Poetry to UV by @hardbyte in #282
• Configure probe resources at deployment time by @hardbyte in #148
• fix typos on CI by @TheDen in #235

Dependency Updates

• Bump urllib3 from 2.2.1 to 2.2.2 by @dependabot in #176
• Bump requests from 2.31.0 to 2.32.0 by @dependabot in #153
• Bump docker/login-action from 2 to 3 by @dependabot in #133
• Bump urllib3 from 2.2.1 to 2.2.2 in /operator by @dependabot in #175
• Bump certifi from 2024.6.2 to 2024.7.4 in /operator by @dependabot in #185
• Bump next from 13.5.6 to 14.1.1 in /docs by @dependabot in #146
• Bump actions/download-artifact from 3 to 4.1.7 in /.github/workflows by @dependabot in #219
• Bump docker/metadata-action from 4 to 5 by @dependabot in #197

Full Changelog: v0.5.4...v0.5.5

netchecks-0.1.18

Netchecks proactively verifies whether your security controls are working as intended.

v0.5.4: Switch to opentelemetry sdk for metrics (#170)

* Switch to opentelemetry sdk for metrics
* Bump version to 0.5.4

netchecks-0.1.17

Netchecks proactively verifies whether your security controls are working as intended.

0.5.3

Adds support to update NetworkAssertion's created resources (CronJobs etc) on operator update or restart.