chore: Prepare v1.0.0-rc.2 release (#624)

Co-authored-by: pmengelbert <[email protected]>

Author: github-actions[bot]

Makefile

@@ -1,4 +1,4 @@
-VERSION := v1.0.0-rc.1
+VERSION := v1.0.0-rc.2
 
 MANAGER_TAG ?= ${VERSION}
 TRIVY_SCANNER_TAG ?= ${VERSION}

charts/eraser/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: eraser
 description: A Helm chart for Eraser
 type: application
-version: 1.0.0-rc.1
-appVersion: v1.0.0-rc.1
+version: 1.0.0-rc.2
+appVersion: v1.0.0-rc.2
 home: https://github.com/Azure/eraser
 sources:
   - https://github.com/Azure/eraser.git

charts/eraser/values.yaml

@@ -34,7 +34,7 @@ runtimeConfig:
       enabled: true
       image:
         # repo: ""
-        tag: "v1.0.0-rc.1"
+        tag: "v1.0.0-rc.2"
       request: {}
         # mem: ""
         # cpu: ""
@@ -45,7 +45,7 @@ runtimeConfig:
       enabled: true
       image:
         # repo: ""
-        tag: "v1.0.0-rc.1"
+        tag: "v1.0.0-rc.2"
       request: {}
         # mem: ""
         # cpu: ""
@@ -71,7 +71,7 @@ runtimeConfig:
     eraser:
       image:
         # repo: ""
-        tag: "v1.0.0-rc.1"
+        tag: "v1.0.0-rc.2"
       request: {}
         # mem: ""
         # cpu: ""
@@ -84,7 +84,7 @@ deploy:
     repo: ghcr.io/azure/eraser-manager
     pullPolicy: IfNotPresent
     # Overrides the image tag whose default is the chart appVersion.
-    tag: "v1.0.0-rc.1"
+    tag: "v1.0.0-rc.2"
   additionalArgs: []
   priorityClassName: ""
 

deploy/eraser.yaml

@@ -458,7 +458,7 @@ data:
         enabled: true
         image:
           repo: ghcr.io/azure/collector
-          tag: v1.0.0-rc.1
+          tag: v1.0.0-rc.2
         request:
           mem: 25Mi
           cpu: 7m
@@ -470,7 +470,7 @@ data:
         enabled: true
         image:
           repo: ghcr.io/azure/eraser-trivy-scanner # supply custom image for custom scanner
-          tag: v1.0.0-rc.1
+          tag: v1.0.0-rc.2
         request:
           mem: 500Mi
           cpu: 1000m
@@ -502,7 +502,7 @@ data:
       eraser:
         image:
           repo: ghcr.io/azure/eraser
-          tag: v1.0.0-rc.1
+          tag: v1.0.0-rc.2
         request:
           mem: 25Mi
           # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#how-pods-with-resource-limits-are-run
@@ -545,7 +545,7 @@ spec:
               fieldPath: metadata.namespace
         - name: OTEL_SERVICE_NAME
           value: eraser-manager
-        image: ghcr.io/azure/eraser-manager:v1.0.0-rc.1
+        image: ghcr.io/azure/eraser-manager:v1.0.0-rc.2
         livenessProbe:
           httpGet:
             path: /healthz

docs/versioned_docs/version-v1.0.0-rc.2/architecture.md

@@ -0,0 +1,21 @@
+---
+title: Architecture
+---
+At a high level, Eraser has two main modes of operation: manual and automated.
+
+Manual image removal involves supplying a list of images to remove; Eraser then
+deploys pods to clean up the images you supplied.
+
+Automated image removal runs on a timer. By default, the automated process
+removes images based on the results of a vulnerability scan. The default
+vulnerability scanner is Trivy, but others can be provided in its place. Or,
+the scanner can be disabled altogether, in which case Eraser acts as a garbage
+collector -- it will remove all non-running images in your cluster.
+
+## Manual image cleanup
+
+<img title="manual cleanup" src="/eraser/docs/img/eraser_manual.png" />
+
+## Automated analysis, scanning, and cleanup
+
+<img title="automated cleanup" src="/eraser/docs/img/eraser_timer.png" />

docs/versioned_docs/version-v1.0.0-rc.2/code-of-conduct.md

@@ -0,0 +1,11 @@
+---
+title: Code of Conduct
+---
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+
+Resources:
+
+- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
+- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+- Contact [[email protected]](mailto:[email protected]) with questions or concerns

docs/versioned_docs/version-v1.0.0-rc.2/contributing.md

@@ -0,0 +1,16 @@
+---
+title: Contributing
+---
+
+There are several ways to get involved with Eraser
+
+- Join the [mailing list](https://groups.google.com/u/1/g/eraser-dev) to get notifications for releases, security announcements, etc.
+- Participate in the [biweekly community meetings](https://docs.google.com/document/d/1Sj5u47K3WUGYNPmQHGFpb52auqZb1FxSlWAQnPADhWI/edit) to disucss development, issues, use cases, etc.
+- Join the `#eraser` channel on the [Kubernetes Slack](https://slack.k8s.io/)
+- View the [development setup instructions](https://azure.github.io/eraser/docs/development)
+
+This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [[email protected]](mailto:[email protected]) with any additional questions or comments.

docs/versioned_docs/version-v1.0.0-rc.2/custom-scanner.md

@@ -0,0 +1,12 @@
+---
+title: Custom Scanner
+---
+
+## Creating a Custom Scanner
+To create a custom scanner for non-compliant images, use the following [template](https://github.com/Azure/eraser-scanner-template/).
+
+In order to customize your scanner, start by creating a `NewImageProvider()`. The ImageProvider interface can be found can be found [here](../../pkg/scanners/template/scanner_template.go). 
+
+The ImageProvider will allow you to retrieve the list of all non-running and non-excluded images from the collector container through the `ReceiveImages()` function. Process these images with your customized scanner and threshold, and use `SendImages()` to pass the images found non-compliant to the eraser container for removal. Finally, complete the scanning process by calling `Finish()`.
+
+When complete, provide your custom scanner image to Eraser in deployment.

docs/versioned_docs/version-v1.0.0-rc.2/customization.md

@@ -0,0 +1,11 @@
+---
+title: Customization
+---
+
+By default, successful jobs will be deleted after a period of time. You can change this behavior by setting the following flags in the eraser-controller-manager:
+
+- `--job-cleanup-on-success-delay`: Duration to delay job deletion after successful runs. 0 means no delay. Defaults to `0`.
+- `--job-cleanup-on-error-delay`: Duration to delay job deletion after errored runs. 0 means no delay. Defaults to `24h`. 
+- `--job-success-ratio`: Ratio of successful/total runs to consider a job successful. 1.0 means all runs must succeed. Defaults to `1.0`.  
+
+For duration, valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

docs/versioned_docs/version-v1.0.0-rc.2/exclusion.md

@@ -0,0 +1,30 @@
+---
+title: Exclusion
+---
+
+## Excluding registries, repositories, and images
+Eraser can exclude registries (example, `docker.io/library/*`) and also specific images with a tag (example, `docker.io/library/ubuntu:18.04`) or digest (example, `sha256:80f31da1ac7b312ba29d65080fd...`) from its removal process.
+
+To exclude any images or registries from the removal, create configmap(s) with the label `eraser.sh/exclude.list=true` in the eraser-system namespace with a JSON file holding the excluded images.
+
+```bash
+$ cat > sample.json <<EOF
+{"excluded": ["docker.io/library/*", "ghcr.io/azure/test:latest"]}
+EOF
+
+$ kubectl create configmap excluded --from-file=sample.json --namespace=eraser-system
+$ kubectl label configmap excluded eraser.sh/exclude.list=true -n eraser-system
+```
+
+## Exempting Nodes from the Eraser Pipeline
+Exempting nodes with `--filter-nodes` is added in v0.3.0. When deploying Eraser, you can specify whether there is a list of nodes you would like to `include` or `exclude` from the cleanup process using the `--filter-nodes` argument. 
+
+_See [Eraser Helm Chart](https://github.com/Azure/eraser/blob/main/charts/eraser/README.md) for more information on deployment._
+
+Nodes with the selector `eraser.sh/cleanup.filter` will be filtered accordingly. 
+- If `include` is provided, eraser and collector pods will only be scheduled on nodes with the selector `eraser.sh/cleanup.filter`. 
+- If `exclude` is provided, eraser and collector pods will be scheduled on all nodes besides those with the selector `eraser.sh/cleanup.filter`.
+
+Unless specified, the default value of `--filter-nodes` is `exclude`. Because Windows nodes are not supported, they will always be excluded regardless of the `eraser.sh/cleanup.filter` label or the value of `--filter-nodes`.
+
+Additional node selectors can be provided through the `--filter-nodes-selector` flag.