# Release Notes for v0.7.0 Release Date: July 24th, 2023 Please see the [quickstart guide](../quickstart.md) for details on how to try out Confidential Containers. Please refer to our [Acronyms](https://github.com/confidential-containers/documentation/wiki/Acronyms) and [Glossary](https://github.com/confidential-containers/documentation/wiki/Glossary) pages for a definition of the acronyms used in this document. ## What's new - Flexible instance types/profiles support for peer-pods - Ability to use CSI Persistent Volume with peer-pods on Azure and IBM Cloud - EAA-KBC/Verdictd support removed from enclave-cc - Baremetal SNP without attestation available via operator - Guest components (`attestation-agent`, `image-rs` and `ocicrypt-rs`) merged into [one repository](https://github.com/confidential-containers/guest-components/) - Documentation and community repositories merged together ## Hardware Support Confidential Containers is tested with attestation on the following platforms: - Intel TDX - AMD SEV(-ES) - Intel SGX The following platforms are untested or partially supported: - IBM Secure Execution (SE) on IBM zSystems (s390x) running LinuxONE - AMD SEV-SNP The following platforms are in development: - ARM CCA ## Limitations The following are known limitations of this release: - Platform support is rapidly changing * Image signature validation with AMD SEV-ES is not covered by CI. - SELinux is not supported on the host and must be set to permissive if in use. - The generic KBS does not yet supported all platforms. - The format of encrypted container images is still subject to change * The [oci-crypt](https://github.com/containers/ocicrypt) container image format itself may still change * The tools to generate images are not in their final form * The image format itself is subject to change in upcoming releases * Not all image repositories support encrypted container images. - CoCo currently requires a custom build of `containerd`, which is installed by the operator. * Codepath for pulling images will change significantly in future releases. * `crio` is only supported with `cloud-api-adaptor`. - Complete integration with Kubernetes is still in progress. * OpenShift support is not yet complete. * Existing APIs do not fully support the CoCo security and threat model. [More info](https://github.com/confidential-containers/confidential-containers/issues/53) * Some commands accessing confidential data, such as `kubectl exec`, may either fail to work, or incorrectly expose information to the host * Container images must be downloaded separately (inside guest) for each pod. [More info](https://github.com/confidential-containers/confidential-containers/issues/66) - The CoCo community aspires to adopting open source security best practices, but not all practices are adopted yet. * We track our status with the OpenSSF Best Practices Badge, which remained at 64% at the time of this release. * Vulnerability reporting mechanisms still need to be created. Public github issues are still appropriate for this release until private reporting is established. ## CVE Fixes None