Kyverno - v1.11.0


🚧 Release Notes Under Construction! 🚧

Kyverno 1.11.0 is another huge release which brings many new capabilities and significant enhancements to existing ones. The main features of Kyverno 1.11.0 include:

  • ValidatingAdmissionPolicy support (alpha)
  • Write validate rules using CEL
  • Generate VAPs from compatible Kyverno validate rules when authored in CEL
  • Generate Policy Reports from VAPs
  • Test VAPs using the Kyverno CLI
  • Policy Reports now per-resource rather than per policy
  • Updates to Cosign and Notary including OCI 1.1 support and Cosign 2.0 support
  • Cleanup resources using a special Kyverno label
  • Major CLI refactoring and new test schema

As with all significant releases, PLEASE READ THESE RELEASE NOTES CAREFULLY!

❗ Breaking ❗

✨ Added ✨

⚠️ Changed ⚠️

🐛 Fixed 🐛

All PRs:

  • #8855 chore: bump cosign version to v2.2.1
  • #8819 Revert "fix: add VAP and VAPB to reports controller ClusterRole"
  • #8809 chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.0
  • #8793 chore: upgrade docker/docker to v24.0.7
  • #8786 Changes to correctly run delete operation in kyverno11beta4
  • #8785 fix: rename vap logging name to ValidatingAdmissionPolicy
  • #8784 fix: display helm warnings together
  • #8783 fix: generate events for scanning VAPs in reports controller
  • #8779 feat: update verify images types with better descriptions
  • #8778 fix: print the number of VAPs being applied to the resources in test command
  • #8777 fix: add VAP and VAPB to reports controller ClusterRole
  • #8776 fix: display a message when the controller has no permissions for VAPs
  • #8770 feat: update descriptions of image verify cache flags
  • #8768 add VAP and VAPB to admission controller ClusterRole
  • #8752 Revert "feat: add secrets name in background-controller's role"
  • #8751 fix: grafana dashboard to support replicas
  • #8748 feat: disable validate maintainer for helm gha (cherry pick: #8747)
  • #8747 feat: disable validate maintainer for helm gha
  • #8744 fix: fetch correct branch name in helm-release workflow
  • #8737 fix: revert maintainers in helm charts
  • #8736 fix: replace base_ref with ref_name in helm test GHA (Cherry Pick #8735)
  • #8735 fix: replace base_ref with ref_name in helm test GHA
  • #8732 fix: dynamically get branch name in helm test
  • #8721 feat: add secrets name in background-controller's role
  • #8708 [Helm] AdmissionReport cleanup job tag bump
  • #8707 fix: use correct k8s version in custom sigstore tuf kuttl test
  • #8692 fix: add codegen-cli-crds target to codegen-crds-all
  • #8690 fix: add permissions to secrets for background controller role
  • #8688 feat: fix outdated description of imageregistrycredentials
  • #8681 fix: allow cleanup controller to update the policy status
  • #8679 chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.59.0
  • #8673 remove duplicated log messages
  • #8666 fix typo
  • #8660 feat: add support for days in ttl labels
  • #8652 fix(helm): add values for declaratively enabling PDBs
  • #8648 fix(helm): add missing policyexceptions RBAC to background-controller
  • #8637 deps: bump to Go 1.21.3
  • #8626 chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0
  • #8625 feat: Implement global values for image registry in Kyverno Helm chart
  • #8623 feat: move crds to a subchart
  • #8621 chore: bump cleanup policies to v2beta1
  • #8619 feat: move grafana dashboard to a subchart
  • #8609 Revert "chore: bump cleanup policies to v2beta1"
  • #8594 chore: bump cleanup policies to v2beta1
  • #8587 fix: use v2beta1 of policy exceptions
  • #8569 fix: allow dropping metrics, labels and configuring histogram bucket boundaries to avoid high cardinality
  • #8565 refactor: use GetKind() from the cleanup policy interface
  • #8564 feat: generate events for CEL policies that generate VAPs
  • #8555 Refactor fuzzing utils and add 3 fuzzers
  • #8549 release: v1.11.0-beta.4
  • #8548 chore: bump kubectl-validate
  • #8545 chore: enable policy exceptions by default
  • #8542 fix: make tuf feature in chart consistent with others
  • #8539 fix(helm): skip deployment replicas validation in non-int value
  • #8538 refactor: remove openapi package
  • #8531 refactor: get the last execution time from the cleanup policy interface
  • #8530 fix: creating ClusterAdmissionReports fails for resources with colon in name
  • #8529 fix: remove cronjobs from cleanup controller rbac
  • #8527 release: v1.11.0-beta.3
  • #8526 feat: remove the creation of cronjobs in cleanup controller
  • #8521 fix: only fetch pub keys when tlogs and scts are not ignored
  • #8517 release: 1.11.0-beta.2
  • #8512 fix: image cache panic and cleanup
  • #8509 fix: disables TUF by default
  • #8508 feat: add cli package to load policy exceptions
  • #8502 fix: make sure we don't modify reports not owned by kyverno
  • #8501 fix: return gvk when loading resource
  • #8499 feat: add resource load funcs in cli
  • #8494 refactor: common remote authenticator for notary and cosign
  • #8493 fix: webhookTimeout flag not clear
  • #8489 feat: improve assertion and error messages in ivcache tests
  • #8488 feat: add cli resource loader package
  • #8484 feat: add a package to convert unstructured into typed
  • #8483 fix: deep copy before validating
  • #8482 chore: fix release
  • #8478 fix: make free disk space action configurable
  • #8476 release: fix chart versions for 1.11.0-beta.1
  • #8475 fix: release archive name template
  • #8473 fix: publish images workflow
  • #8471 fix: release workflow
  • #8470 refactor: check subjects func
  • #8468 chore: free disk space before running jobs
  • #8466 fix: generate policy fails if triggered resource name exceeds 63 characters limit
  • #8464 chore: add a required job to simplify branch protection
  • #8462 fix: image verify cache test
  • #8459 fix: custom-sigstore conformance job
  • #8458 fix: use vap map in report aggregation
  • #8454 fix: linter
  • #8453 chore: bump a couple of deps
  • #8452 fix: use go 1.21 new packages
  • #8450 chore: bump golang to 1.21
  • #8449 chore: fix policies
  • #8444 style: improve descriptions in notary verifier
  • #8443 feat: add check for digest mismatch
  • #8442 chore: improve log messages
  • #8439 chore: embed cli schemas in cli
  • #8438 feat: fix variables used in tests
  • #8436 feat: add a new wrapper logger for debugging
  • #8430 fix: add missing omitempty tag
  • #8429 feat: fix user infos used in tests
  • #8428 Check payload counts and limits for image verification data returned from registries
  • #8427 chore: apply policy fixes
  • #8426 refactor: add per resource reports aggregation
  • #8425 chore: apply policy fixes
  • #8423 chore: apply policy fixes
  • #8422 feat: add cli api schemas
  • #8420 feat: detect duplicate resources in cli fix test
  • #8419 refactor: move per namespace reports aggregator in a sub package
  • #8418 chore: fix cli test files
  • #8411 fix: names not formatted correctly in cli output
  • #8410 chore: bump kubectl-validate
  • #8408 fix: bump golang exp lib
  • #8407 chore: add workflow to test cli with kubectl-validate enabled
  • #8406 chore: use upstream kubectl-validate
  • #8404 feat: fix policy command
  • #8403 fix: load policies
  • #8400 refactor: add cli fix package
  • #8399 fix typo
  • #8398 fix: cli output improvements
  • #8397 fix: cli test manifests
  • #8396 chore: bump kuttl version
  • #8389 fix: replace fmt.Print calls by fmt.Fprint ones
  • #8388 chore: lint test files
  • #8387 feat: CLI test command should validate the policy under test
  • #8386 fix: cli test policy
  • #8385 feat: add support for custom sigstore using TUF
  • #8384 feat: use kubectl-validate to load policies
  • #8381 fix: helm pre-delete-hook
  • #8379 refactor: move cli path utils package
  • #8378 chore: move policy exceptions to beta
  • #8377 fix: Kyverno variable substitution might not work correctly if the top level variable key contains dots
  • #8376 fix generate VAPs kuttl tests
  • #8375 fix: Result not correct when testing a mutate rule and foreach with add anchor
  • #8374 chore: kuttl tests enhancement
  • #8373 fix: Testing a generate rule for a custom resource fails
  • #8367 refactor: cli commands tests and error handling
  • #8366 chore: add cli commands unit tests
  • #8365 chore: add cli unit tests
  • #8364 [Fix]: Wrong Field in the test
  • #8363 fix: kyverno test are applying previous mutation rules to subsequent test cases causing failures
  • #8362 fix: kyverno test wrongly finds 'patchedResource mismatch' due to wrong order in array
  • #8361 fix: Overridden request.operation is not considered by match/exclude with operations
  • #8360 refactor: cli proper error handling
  • #8358 fix: Kyverno apply produces false positives when validating 'empty dangling' tags
  • #8357 fix: verifyImages w/ multiple entries is not consistent
  • #8356 fix: ignore generating backgroundscan reports for Kyverno policies in case VAPs are generated
  • #8354 fix: namespace in kyverno-test.yaml seems to have no effect in case of exclude
  • #8352 refactor: simplify cli processor
  • #8350 chore: add gofiber/fiber/v2@v2.43.0 to nancy ignore
  • #8349 fix: Kyverno test fails to load resources
  • #8348 fix: kyverno test ignores namespace of resources in resource.yaml
  • #8345 chore: add --compress to cli test files verification
  • #8343 feat: compress test results in cli fix test command
  • #8342 chore: validate test files are up to date
  • #8341 fix: all tests fails when use multiple results with generate-clone
  • #8339 fix: Kyverno test ignores variables.yaml file unless context is present
  • #8338 chore: switch back to official policies repo
  • #8337 fix: Auto-gen rules can not get variables from test input values
  • #8336 chore: improve cli version command and add tests
  • #8335 fix: disable cli logs when level is 0
  • #8333 fix: TODOs in cli
  • #8332 fix: generate empty kind
  • #8329 chore: bump kuttl version
  • #8327 fix: cli engine invocation order
  • #8326 chore: add cli unit tests
  • #8325 fix: simplify cli autogen and labels selector check
  • #8324 skip other checks if operations do not match
  • #8319 fix: vap processor in cli
  • #8318 feat: update condition in image verify cache tests
  • #8316 fix: cache invalidation in FindResources
  • #8310 chore: add validationAction in kuttl tests
  • #8308 fix: add matchConditions and variables when generating VAPs
  • #8307 feature(charts): resourceNames on extraResources for cleanup-controller
  • #8305 fix: allow any type in cli test global values
  • #8304 chore: improve unit tests in cli
  • #8301 chore: improve unit tests in cli
  • #8300 chore: improve unit tests in cli
  • #8296 chore: improve unit tests in cli
  • #8295 refactor: move utils report cli package
  • #8294 chore: remove validating admission policy support from v1.26
  • #8293 refactor: move utils store package
  • #8292 feat: add kuttl tests for validating admission policy reports
  • #8291 refactor: move utils cobra to command package
  • #8287 fix: add generate VAPs test suite to v1.28
  • #8286 feat: update ivcache `Set()` to use `Wait()`
  • #8285 refactor: introduce cli variables package
  • #8281 refactor: introduce cli processor package
  • #8280 fix: cli dependency to controller-runtime logger
  • #8279 refactor: cli policy package
  • #8276 refactor: combine unstructured and resource packages
  • #8275 refactor: introduce api package in cli
  • #8274 refactor: remove dependency from validation to cli
  • #8272 refactor: introduce userinfo package in the cli
  • #8271 [Bug] Fix nil-dereference in pss validation
  • #8269 fix: Remove os.exit calls in apply command
  • #8267 fix: cli exit cleanly
  • #8266 refactor: cli test command test execution
  • #8259 docs: improve cli commands docs
  • #8258 fix: bad test file causes all tests to pass with success
  • #8257 refactor: cli packages structure
  • #8256 refactor: introduce resource package in cli
  • #8255 refactor: add a cobra utils package to build commands doc
  • #8254 refactor: cli packages structure
  • #8253 [Fix] flakes in e2e tests
  • #8251 fix: return engine responses without checking TestResult.rule since it is empty in case of VAPs
  • #8250 fix: add cli test from #6463
  • #8249 chore: add cli test utils unit tests
  • #8248 fix test flake: update assertion in image verify cache test
  • #8247 feat: add multiple paths support to cli test command
  • #8244 refactor: cli test loading
  • #8243 chore: add more cli utils unit tests
  • #8234 fix: return error in `LoadMatching`
  • #8233 chore: add gh action to the cli readme
  • #8232 chore: improve test coverage of cli utils package
  • #8231 refactor: move all cli commands in a commands package
  • #8227 chore: name all cli command files the same
  • #8226 refactor: introduce source package in cli
  • #8224 refactor: CLI oci commands
  • #8223 chore: add cli readme
  • #8222 refactor: introduce experimental cli package
  • #8219 fix: check if VAPs are registered in the API server or not
  • #8218 fix: remove unused struct in cli
  • #8216 feat: add support for wildcard in CLI filters
  • #8215 fix: revert rekor upgrade
  • #8213 feat: add fix test cli command
  • #8212 refactor: cli test command
  • #8211 fix: logger calls
  • #8210 chore: build cli only once for conformance tests
  • #8209 chore: fix vscode launch.json for cli
  • #8203 refactor: introduce report utils package and use it in cli apply
  • #8201 refactor: introduce cli annotations utils package
  • #8200 feat: add experimental commands docs
  • #8199 chore: add a couple unit tests
  • #8197 fix: multiple test cases for generate policy lead to wrong test results
  • #8196 fix flakes found in CEL kuttl tests
  • #8195 chore: monitor helm secret size
  • #8193 fix: verification of cli docs breaks CI (for real)
  • #8192 fix: propagate registration and error in controllerutils pkg
  • #8191 fix: verification of cli docs breaks CI
  • #8189 fix: kyverno test generated resource inconsistency
  • #8188 fix: mutation unit test not working as expected
  • #8187 chore: increase setup-build-env timeout
  • #8186 feat: remove description from deprecated fields
  • #8183 fix: kyverno test doesn't fail when mutated YAML != patchedResource YAML
  • #8182 feat: support validating admission policy variables in the CLI
  • #8181 fix: website docs generation
  • #8180 chore: improve verification of generated docs
  • #8179 feat: add cli docs command
  • #8177 refactor: refactor cli filters and add unit tests
  • #8175 chore: merge go.mod indirect deps
  • #8169 fix: use controller utils package in ttl controller
  • #8168 feat: allow kyverno test variables directly in test
  • #8167 chore: add cli path utils unit tests
  • #8166 feat: migrate ignoreSCT from rekor to ctlog
  • #8165 fix: remove cli manifest commands
  • #8164 chore: create cli pathutils package
  • #8163 fix: support fully-qualified file paths in cli test command
  • #8161 chore: bump kuttl to use stopOnFirstFailure feature
  • #8160 fix: add description to CLI create command
  • #8159 feat: bump otel libs
  • #8157 refactor: remove logger from tls package
  • #8156 fix cel/parameter-resources/clusterscoped kuttl test
  • #8155 fix: check caSecretName and tlsSecretName flags
  • #8154 chore: enable admissionregistration v1alpha1 in kind config
  • #8153 chore: add a timeout to setup-build-env action
  • #8145 fix: validate the YAML test file syntactically and schematically
  • #8143 fix: build cli in conformance tests
  • #8142 chore: remove old comment from helm chart
  • #8139 chore: add kind config file for v1beta1 of validating admission policies
  • #8138 fix: vscode debug config
  • #8137 feat: allow overriding ca and tls secret names
  • #8136 chore: add .helmignore to .helmignore
  • #8135 feat: generate backgroundscan reports for validating admission policies
  • #8134 feat: add ttl manager metric for tracked resources
  • #8132 fix: nancy ignore file
  • #8131 [update] The nancy-ignore file is not updated
  • #8130 feat: add CTLogs verification to cosign
  • #8129 fix: update certmanager and config to take common name and namespace as arguments
  • #8128 [Feat]: Perform permissions check when TTL label is observed
  • #8127 fix: misleading warning about matching on status
  • #8126 chore: bump kustomize
  • #8125 chore: bump a couple of deps
  • #8116 fix: cli tests scenarios_to_cli/other
  • #8115 fix: conditions v2beta1 help
  • #8114 fix: renew tls cert when ca cert is deleted
  • #8113 fix: cel-variables kuttl test
  • #8110 fix: cli logs not working
  • #8109 fix: reduce tls package dependencies (part 2)
  • #8108 refactor: create cel package for compiling expressions
  • #8107 fix: reduce tls package dependencies
  • #8106 chore: add otel collector to dev lab
  • #8105 chore: add kind config with kubelet and apiserver tracing
  • #8104 fix: context propagation in tracing
  • #8103 feat: support variables for CEL in Kyverno policies
  • #8102 chore: add mocks to mutate fuzzer
  • #8100 fix: extend retry function to mutate rules
  • #8099 fix: check if client is set in CEL validations
  • #8098 refactor CEL validation in Kyverno policies
  • #8096 [Feat]: added ttl-metrics
  • #8090 chore: improve performance of engine fuzzers
  • #8088 fix: mutate existing kuttl tests
  • #8087 fix: generate/clusterpolicy kuttl tests
  • #8085 fix: generate/validation kuttl tests
  • #8084 feat: support namespaced parameter resources for CEL expressions in Kyverno policies
  • #8083 refactor: background controller permissions
  • #8082 chore: replace usage of v1beta1 with v1alpha1 for cel subrule
  • #8081 fix: crash when applying unquoted null
  • #8080 fix: allow mutation of policy reports
  • #8079 chore: add support for different kind config
  • #8077 fix: stop hiding flags in the cli
  • #8075 chore: replace usage of v1alpha1 with v1beta1 for cel subrule
  • #8072 feat: use kyverno/action-install-cli action for conformance workflow
  • #8071 feat: support namespaceObject variable in CEL expressions
  • #8068 feat: support wildcard in subjects statements
  • #8067 fix: image pull policy missing
  • #8066 chore: bump a couple of deps
  • #8064 chore: bump a couple of deps
  • #8057 test: move OSS-Fuzz build script from cncf-fuzzing
  • #8056 chore: use fuzzers own cfg variable
  • #8055 Migrated scenario based tests to CLI
  • #8054 chore: bump a couple of deps
  • #8053 fix: server name without port to generated certificate
  • #8052 chore: use k8s 1.27 by default
  • #8043 chore: remove tests for k8s v1.24
  • #8042 feat: add match conditions support in webhooks
  • #8040 fix: image logger
  • #8039 chore: add 1.28 to issue template
  • #8038 chore: bump codegen tools
  • #8037 feat: use k8s 1.28 libs
  • #8036 chore: add k8s 1.28 testing
  • #8027 feat: add fuzzers from cncf-fuzzing
  • #8024 feat: support authorizer variable in CEL expressions
  • #8016 Add an abstraction interface for Kyverno policies and validating admission policies
  • #7995 Refactor Kyverno CLI
  • #7988 fix, enhancement
  • #7984 Remove length restriction in --set
  • #7981 fix: Fixed issue with AddVariable that prevented certain variables
  • #7974 fix: Add Missing Severity Cases in SeverityFromString Function
  • #7972 test: add tests for isAnyNotIn function and lazy evaluate it
  • #7970 feat(chart) Allow podSecurityContext and securityContext for webhooksCleanup
  • #7969 added verify image ristretto cache implementation
  • #7966 fix: ttl manager stop informer on error
  • #7965 test: add test to cleanup the same resource twice
  • #7964 fix: ttl cleanup controller events processing
  • #7963 chore: fix cleanup controller debug in vscode
  • #7960 refactor: ttl label validation
  • #7958 chore: move ttl formats to constants
  • #7957 chore: rename ttl controller package
  • #7955 chore: move kyverno.io/verify-images constant
  • #7949 chore: move cache enabled label
  • #7945 fix: Kyverno cli apply duplicate result counts
  • #7944 chore: move more constants
  • #7943 Fixes kyverno cli container reorder
  • #7942 chore: move cert.kyverno.io/managed-by label in constants
  • #7941 chore: organize constants better
  • #7937 fix: rename --compact to --detailed-results in CLI
  • #7929 fix: rename vap to its full name
  • #7927 Adding `other` folder's subfolders to workflows/conformance.yaml's tests array.
  • #7908 feat: add custom keychains using fluxcd/oci/auth package
  • #7906 feat: update default keychain in registry to be empty
  • #7902 Updated registryClient comments
  • #7890 feat: add basic structure for image verify cache
  • #7885 fix: apply command doesn't consider git and non-git paths together (#7832)
  • #7872 Added missing info about adding remote upstream in `CONTRIBUTING.md`
  • #7859 feat: add auto-gen rules for CEL
  • #7840 feat: generate validating admission policies and their bindings from Kyverno policies
  • #7835 refactor validating admission policies
  • #7833 Removed usage of `replacements` from goreleaser.yml file
  • #7827 move events for cleanup policies to the events controller
  • #7821 feat: add ttl controller
  • #7813 adding env to doc
  • #7802 fix: remove obsolete method in discovery
  • #7791 test: add tests for ghcr private repository
  • #7787 feat: add `images` to allowed variables in substitution
  • #7782 feat: add create `metrics-config` cli command
  • #7781 feat: add `create exception` cli command
  • #7780 feat: add `create user-info` cli command
  • #7779 feat: add `create values` cli command
  • #7778 feat: add `create test` cli command
  • #7773 Move fetchClusterPolicies() and fetchPolicies() to utils
  • #7768 feat: add applyconfiguration-gen support
  • #7767 chore: increase linter timeout
  • #7766 chore: switch to deepcopy-gen
  • #7765 chore: introduce defaulters-gen
  • #7761 chore: use register-gen to register k8s types
  • #7760 refactor: move kyverno constants out of v1 package
  • #7758 fix(kubectl-kyverno): dump error validation response message
  • #7757 feat: add table output to cli apply command
  • #7748 fix: remove cli dead code
  • #7747 Replaced gcr crane with gcr remote
  • #7746 fix: improve cli apply args check
  • #7744 chore(deps): bump ubuntu from `6120be6` to `0bced47` in /.devcontainer
  • #7739 fix: refactor cli values loading and remove dead code
  • #7738 chore: bump ko version
  • #7737 chore: bump kind node versions
  • #7736 fix: nits in cli flags
  • #7733 fix: typo in check cmd
  • #7729 fix: reduce token permissions
  • #7727 fix: use github token instead of pat
  • #7726 fix: remove jmespath replace directive
  • #7723 fix: use gh token instead of pat
  • #7721 fix: reduce token permissions
  • #7720 fix: remove obsolete scripts
  • #7719 fix: reduce token permissions
  • #7717 fix: make `test --fail-only` return 1 if there are failed tests
  • #7716 chore: use github token instead of pat
  • #7715 chore: bump cosign in gh workflows
  • #7713 fix: release signing (cherry-pick #7711)
  • #7709 test: add kuttl tests for background only policies
  • #7705 feat: Add support for server-side-apply in generate rules
  • #7702 chore: remove redundant tests
  • #7697 fix: pr updater workflow
  • #7683 Feat: Upgrade controller-gen to v0.12.0 and fix tooling
  • #7673 feat: migrate to events.k8s.io/v1
  • #7672 fix: cleanup controller context from #7597
  • #7667 fix: factorise configmap informer code
  • #7665 fix: pr updater workflow
  • #7654 fix: use golang builtin version management
  • #7653 fix: vscode debug config
  • #7650 [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6
  • #7640 add missing VULN_TEMPLATE.md
  • #7638 fix: harden rbac permissions
  • #7634 fix: harden certs secrets management
  • #7630 fix: cleanup controllerutils client interfaces
  • #7629 fix: stop using lister in tls renewer
  • #7626 fix: harden cleanup controller rbac
  • #7624 fix: token permissions
  • #7623 fix: service account name env var defined twice
  • #7620 fix: reduce number of queries to detect delete operations
  • #7619 fix: token permissions
  • #7615 fix workflow
  • #7613 fix: panic if env var not defined
  • #7611 fix: token permissions on report vulns workflow
  • #7610 chore: improve dependabot config
  • #7605 fix: scorecard workflow
  • #7592 chore: improve pr updater job
  • #7587 fix: scorecard workflow
  • #7585 chore: fix token permissions
  • #7582 fix: validate subject kind
  • #7580 chore: bump otel deps
  • #7575 fix: update typos in docs/dev/reports/README.md
  • #7573 Update version drop-downs
  • #7572 Helpers to providers
  • #7568 Test policy library
  • #7546 feat: cache regex
  • #7536 refactor: cut dependency between image verifier and registry client
  • #7529 refactor: introduce engine image data client interface
  • #7528 Updated the message to the level4log and removed err that originated from ApplyBackgroundChecks.
  • #7501 feat: use context for toggles management
  • #7499 fix: use RawClient in context loader
  • #7489 [Feature] round() JMESPath function
  • #7487 fix: propagate context when listing resources
  • #7475 feat: make aggregated reports optional
  • #7468 feat: add API server priority and fairness configuration for kyverno
  • #7453 chore: add buffer unit tests
  • #7452 feat: switch json patch lib for real
  • #7451 chore: add engine api stats unit tests
  • #7450 Remove response patches
  • #7449 refactor: remove json patches from engine response
  • #7447 refactor: remove json patches from mutation tests
  • #7443 refactor: remove json patches from rule response in tests
  • #7438 chore: remove last-applied-patches annotation
  • #7422 fix: stop recording json patches in rule responses (part 2)
  • #7420 feat: add config exclusions in the engine
  • #7415 fix: json patch unit tests
  • #7413 expose JSON Pointer in Images variable for extension services
  • #7411 charts: changes validationFailureAction default value
  • #7401 fix: replace mattbaird/jsonpatch with appscode/jsonpatch
  • #7397 fix: cosign global var
  • #7396 fix: Result not correct when testing a mutate rule and foreach.
  • #7394 refactor: stop recording json patches but generate them on demand (part 1)
  • #7391 chore: deprecate imageSignatureRepository flag
  • #7377 refactor: introduce abstract client interface in engine
  • #7339 fix: mutate resource in image verification handler
  • #7323 feat: add auth checker interface
  • #7307 fix: abort validation if value could be processed
  • #7248 Support for Cosign 2.0
  • #7196 fix: remove policy-reporter from dev lab
  • #7186 refactor: use structured jsonpatch instead of byte arrays
  • #7175 [Feature] Enhance devcontainer
  • #7166 chore: update dev doc for controllers
  • #7152 chore: bump otel deps
  • #7139 refactor: hide json context from caller
  • #7136 Add JMESPath function for dynamic object/array lookup
  • #7114 Enable flexible registry credential configurations
  • #7097 chore: add makefile target for kwok
  • #6942 refactor: restructure cli test command
  • #6871 refactor: cli test filter
  • #6800 Added `fetchAttestations` method to notaryV2 implementation
  • #6772 fix: couple of issues in policy interface
  • #6666 feat: add background only policy support
  • #6656 Supporting ValidatingAdmissionPolicy in kyverno cli (apply and test command)
  • #6084 Support for Context vars in cleanup

Details

date: Nov. 10, 2023, 10:34 a.m.
name: v1.11.0
type: Minor