Boundary 0.18.0 release notes
GA date: October 15, 2024
Release notes provide an at-a-glance summary of key updates to new versions of Boundary. For a comprehensive list of product updates, improvements, and bug fixes refer to the changelog included with the Boundary code on GitHub.
We encourage you to upgrade to the latest release of Boundary to take advantage of continuing improvements, critical fixes, and new features.
Important changes
Change | Description |
---|---|
Role creation | In a future version Boundary will no longer automatically create roles when new scopes are created. This was implemented prior to multi-scope grants to ensure administrators and users had default permissions in new scopes. Since Boundary 0.15, initial roles created for new clusters provide these permissions by default to all scopes using multi-scope grants. |
Docker image no longer contains curl | As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary. The image now includes wget, which you can use instead to check the health endpoint for a worker. If your workflow depends on having curl in the image, you can dynamically install it using apk. Learn more: Known issues and breaking changes |
Go version 1.23 TLS handshake behavior changes | Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers, workers, or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior. Learn more: Known issues and breaking changes |
New features
Feature | Update | Description |
---|---|---|
Transparent sessions | BETA | Transparent sessions allow users to eliminate steps in their current workflows using Boundary’s Client Agent, a component that operates in the background to intercept network traffic and automatically route this traffic through a session if the user is authenticated and authorized. Platform teams and access management teams that administer Boundary can now build much faster, simpler secure remote access workflows that feel more intuitive and invisible to their developer customers. Learn more: Transparent sessions and Client Agent. |
Backblaze B2 support for storage buckets | GA | Backblaze B2 is now supported as a storage provider for session recording storage buckets. Learn more: Configure an S3-compliant storage provider. |
AssumeRole support for AWS dynamic host catalogs | GA | AWS host plugins now support AssumeRole. AssumeRole returns a set of temporary security credentials that you can use to access AWS resources. Learn more: AWS dynamic host catalogs. |
Known issues and breaking changes
Version | Issue | Description |
---|---|---|
0.13.0+ | Rotation of AWS access and secret keys during a session results in stale recordings | In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. |
0.13.0+ | Unsupported recovery workflow during worker failure | If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. Learn more: Unsupported recovery workflow |
0.17.1+ | Docker image no longer contains curl | As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary. The image now includes wget. You can use wget to check the health endpoint for workers. Learn more: Check the health endpoint using wget. If your workflow depends on having curl in the image, you can dynamically install it using apk. Refer to the following commands for examples of using apk to install curl: <CONTAINER-ID> apk add curl or kubectl exec -ti <NAME> -- apk add curl |
0.18.0 (Fixed in 0.18.1) | Users are incorrectly removed from managed groups | If your organization has over 10,000 managed groups, Boundary may incorrectly remove users from the managed group memberships. In version 0.18.0 and earlier, there was a maximum number of managed groups supported for an auth method. If you had over 10,000 managed groups, Boundary may have incorrectly removed a user from a group during authentication. This issue is fixed in version 0.18.1. There is no longer a maximum number of managed groups. Learn more: Managed groups. Upgrade to the latest version of Boundary. |
0.18.0 (Fixed in 0.18.2) | Session recordings fail with an error | When large numbers of sessions were created around the same time using the AssumeRole API, the AWS STS (Security Token Service) credentials sometimes failed to refresh and session recordings would fail. The failure occurred due to throttling from AWS. Version 0.18.2 adds a cache for Amazon S3 clients to store temporary credentials and prevent AWS resources from being overwhelmed. This issue is now resolved. Learn more: Configure Amazon S3 as a storage provider. Upgrade to the latest version of Boundary. |
0.8.0 - 0.18.1 (Fixed in Boundary Community Edition and Boundary Enterprise 0.18.2) | Boundary controller incorrectly handles HTTP requests and stops prematurely (HCSEC-2024-28) | Boundary Community Edition and Boundary Enterprise incorrectly handle HTTP requests while the Boundary controller is starting up, which may cause the controller to stop prematurely. Boundary is only vulnerable to this flaw during the controller's initialization, which usually occurs in milliseconds during Boundary's startup process. This vulnerability, HCSEC-2024-28, is fixed in Boundary Community Edition and Boundary Enterprise versions 0.16.4, 0.17.3, and 0.18.2. Learn more: HCSEC-2024-28: Boundary controller incorrectly handles http requests on initialization which may lead to a denial of service. Upgrade to the latest version of Boundary. |
0.18.x | Boundary version 0.18.x CLI is unable to establish connections using the boundary connect command | Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers, workers, or clients being unable to establish connections. As a workaround, you can revert to the previous TLS handshake behavior. To do so, add the tlskyber=0 parameter to the GODEBUG environment variable before the boundary connect command. For example: GODEBUG=tlskyber=0 boundary connect ssh -target-id <ID> Learn more: Go issue #70047 and Go 1.23 Release Notes |
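
To triage a fleet against the HCSEC-2024-28 row above, the following added example (not part of the Boundary documentation or code base) classifies a version string using only the affected range and the three fixed releases listed in that row. The function names and the sample inventory are hypothetical, and the script assumes that releases later than 0.18.2 carry the fix.

```shell
# Classify a Boundary version against HCSEC-2024-28 using the ranges in the
# table above: affected 0.8.0 - 0.18.1; fixed in 0.16.4, 0.17.3 and 0.18.2.
# Assumption: any release later than the 0.18.x line includes the fix.
hcsec_2024_28_status() {
    v=${1#v}        # accept "v0.18.1"
    v=${v%%+*}      # drop build metadata such as "+ent"
    case $v in
        *[!0-9.]*|""|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v       # split MAJOR.MINOR.PATCH on dots
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo unknown; return 0; }
    major=$1 minor=$2 patch=$3
    if [ "$major" -gt 0 ] || [ "$minor" -gt 18 ]; then
        echo fixed; return 0
    fi
    if [ "$minor" -lt 8 ]; then echo not-affected; return 0; fi
    case $minor in
        16) fixed_patch=4 ;;
        17) fixed_patch=3 ;;
        18) fixed_patch=2 ;;
        *)  echo affected; return 0 ;;   # 0.8 - 0.15: no fixed release listed
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then echo fixed; else echo affected; fi
}

# Constructed inventory ("name version" per line), not real hosts.
SAMPLE_INVENTORY='controller-a 0.15.4
controller-b v0.17.3
controller-c 0.18.1+ent
controller-d 0.7.6'

# Print the entries that are affected or whose version cannot be parsed.
needs_upgrade() {
    printf '%s\n' "$1" | while read -r name version; do
        status=$(hcsec_2024_28_status "$version")
        case $status in affected|unknown) echo "$name $status" ;; esac
    done
}
```

Pre-release strings such as 0.18.2-rc1 are reported as unknown rather than guessed, so they surface in the upgrade list for manual review.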