Kyverno - v1.10.1-rc.1


🚧 Under Construction 🚧

Kyverno 1.10.1-rc.1 is the first release candidate for the 1.10.1 patch version. It addresses many issues reported in the 1.10.0 release, in both the app and the v3 Helm chart, and also enables a migration to 1.10 for users of clone-type generate rules. Thank you to all users and contributors who tested 1.10.0 and provided feedback!

✨ Added ✨

  • Added the ability to assign custom labels to policy reports (#7416)
  • All release artifacts are now signed (#7478)
  • Added a new environment variable, settable on the background controller, called BACKGROUND_SCAN_INTERVAL which can override the background scan interval from its default of one hour (#7504)

Helm

  • Added the ability to configure tolerations, resources, and Pod annotations for the admission report cleanup jobs (#7331, #7337, #7366)
  • Added missing delete verb to the admission reports cleanup job ClusterRole (#7375)
  • Added the ability to set verbs for the additionalresources ClusterRole used by the background controller to address the inability to generate Roles and ClusterRoles (#7380)

⚠️ Changed ⚠️

  • The new order field available under foreach loops will now be respected when the mutation method is patchStrategicMerge (#7336)
  • Changed the message returned from a failed permissions check so it's more general in nature (#7362)
  • Removed the redundant loop protection introduced in 1.10.0 making it possible to match on the same resource kind as Kyverno should generate (#7388)
  • Performed some internal refactoring of the generate rule type (#7417)
  • Made it so that setting --webhookTimeout affects all of Kyverno's webhooks and not just the resource webhooks (#7435)
  • Made it so that the name field for a rule is required (#7464)
  • Log kind, namespace, and name in processed resources (#7498)

Helm

πŸ› Fixed πŸ›

  • Fixed a panic when a user installs a policy with an invalid schema (#6526)
  • Fixed an issue where the default field in a variable-type context variable was not being used when the result was nil (#7251)
  • Fixed a panic in the reports controller when it encounters an invalid image (#7332)
  • Fixed an issue when --protectManagedResources was enabled which prevented generation of bindings (#7363)
  • Fixed a panic when environment variables weren't passed (#7383)
  • Fixed an inability to use the target.* variable in a mutate existing rule (#7387)
  • Fixed a sync issue if an array element was removed from a clone source (#7417)
  • Fixed an issue preventing background reports from being created if an empty response is received for a given API group (#7428)
  • Fixed an issue where Policy Exceptions weren't being considered for deletes (#7433)
  • Fixed an issue preventing one clone source from being used in multiple rules or for multiple targets (#7436)
  • Fixed an issue with generate rules failing when the trigger resource kind used a forward slash (#7436)
  • Fixed an issue with how Kyverno reports a failure when it cannot fetch a CRD (#7439)
  • Fixed an issue with auto-gen not generating the correct matching kinds when overridden with the annotation (#7455)
  • Fixed an issue with a generate rule using a cloneList declaration so that syncs are observed properly (#7466)
  • Fixed a panic when the background controller substitutes a variable with nil (#7473)
  • Fixed the scope validation check for a generate rule so it detects the correct resource kind (#7479)
  • Fixed an issue preventing generated resources from being removed when preconditions no longer matched (#7496)
  • Fixed a slightly misleading error message in deny conditions (#7503)

Helm

  • Fixed missing environment variables in the admission controller (#7383)
  • Fixed missing extraEnvVars on all controllers (#7403)
  • Fixed an issue templating the new reports cleanup job image (#7430)
  • Fixed a typo when enabling anti-affinity (#7440)
  • Fixed missing imagePullSecrets (#7474)

All PRs

  • 7730 feat: Add option to add imagePullSecrets to cleanup CronJobs
  • 7712 fix: remove show goreleaser version step
  • 7711 fix: release signing
  • 7704 fix: lock schema manager when updating it
  • 7694 Fix deferred loading (cherry-pick #7597)
  • 7692 fix: image verification (cherry-pick #7652)
  • 7691 feat: add lazy loading feature flag (cherry-pick #7680)
  • 7690 refactor: migrate context loaders (part 2) from #7597 (cherry-pick #7677)
  • 7688 fix: Swap any/all in the error message.
  • 7680 feat: add lazy loading feature flag
  • 7679 fix: cleanup controller rbac (cherry-pick #7669)
  • 7678 refactor: migrate context loaders (part 1) from #7597 (cherry-pick #7676)
  • 7677 refactor: migrate context loaders (part 2) from #7597
  • 7676 refactor: migrate context loaders (part 1) from #7597
  • 7675 refactor: add specific loaders from #7597 (cherry-pick #7671)
  • 7671 refactor: add specific loaders from #7597
  • 7669 fix: cleanup controller rbac
  • 7666 [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6
  • 7659 feat: add cluster select and relabling config for ServiceMonitors
  • 7652 fix: image verification with 2+ containers
  • 7644 fix: customizable tracer configuration
  • 7633 feat: enable Helm webhook cleanup hook by default
  • 7628 fix: auth checks with the APIVersion and the subresource
  • 7617 fix: update the flag descriptions of the reports-controller
  • 7597 Fix deferred loading
  • 7596 fix: CLI tests
  • 7590 Add nancy-ignore to make it pass with current dependencies
  • 7589 chore: reduce sleep duration for generate kuttl tests
  • 7588 fix: make configuring max procs not exit in case of error
  • 7579 fix: deletion mismatch for the generate policy
  • 7571 fix: autogen not working correctly with cronjob conditions
  • 7564 fix: background image verification not working
  • 7563 Fix: Mutate: Foreach: Error cause is missing
  • 7552 fix: recursive lazy loading
  • 7531 refactor: generate reconciliation on policy updates
  • 7527 fix: update kyverno admission-controller role to have delete verb for…
  • 7517 fix: Remove ownerReferences when cloning across Namespaces
  • 7515 fix: log level initialisation
  • 7504 feat: add debug env BACKGROUND_SCAN_INTERVAL
  • 7503 fix: misleading error message in deny conditions
  • 7498 fix: log kind/namespace/name in scan errors
  • 7496 fix: Delete downstream objects on precondition fail
  • 7479 fix: target scope validation for the generate rule
  • 7478 feat: sign released artifacts
  • 7474 fix: image pull secrets in admission controller
  • 7473 fix: background controller panics during variables substitution
  • 7466 fix: cloneList sync behavior
  • 7464 fix: rule name not required in the crd schema
  • 7460 fix: flaky generate test
  • 7455 fix: autogen not generating the correct kind
  • 7440 fixed typo in admission controller chart template
  • 7439 fix: error reported when sanity check fails
  • 7436 fix: the same source cannot be used for multiple targets with a generate clone rule
  • 7435 fix: add missing webhook timeouts
  • 7433 fix: exceptions not considered on delete
  • 7430 fix: helm template for cleanup jobs image
  • 7428 fix: reports discovery error
  • 7417 fix: array element removal should be synced to the downstream resource with a generate data sync rule
  • 7416 feat: hold custom labels
  • 7403 fix: missing extraEnvVars in helm chart
  • 7388 Remove policy validation prevent loop for generate
  • 7387 fix mutate targets validation
  • 7383 fix: missing/incorrect env variables
  • 7380 Allow setting verbs for clusterrole extraresources on backgroundController
  • 7375 Add missing delete verb to admission cleanup clusterrole
  • 7366 feat(cronjobs): Enable podAnnotations on CronJobs
  • 7363 fix: protect managed resource not considering other components
  • 7362 fix: permission validation message
  • 7338 fix: flaky kuttl test add-external-secret-prefix
  • 7337 feat: cleanup jobs resources
  • 7336 feat: obey the order field in patchStrategicMerge method
  • 7332 fix: panic in background reports
  • 7331 feat: cleanup job tolerations
  • 7251 Fix: [Bug] The default field in a context variable does not replace nil results
  • 6526 fix: add type conversion error judgment to avoid program panic

Details

date: June 29, 2023, 12:42 p.m.
name: v1.10.1-rc.1
type: Pre-release