Kyverno - v1.6.0


Features

  • Image Verification beta: with support for annotations, keyless signing, KMS, in-toto attestations and several other enhancements, the Sigstore Cosign-based image verification policy rule is now in beta.
  • OCI Image Config: you can now use image configuration data in Kyverno policies! This allows checks on labels, volume mounts, and other data used to build the container image.
  • New JMESPath operators and filters: several new operators and custom functions make it easier to process policy data.

Enhancements

  • Performance improvements: this release includes significant improvements in memory usage by reducing the use of informers.
  • Fault Tolerance: with the Dynamic Webhooks and Fine-grained Failure Mode features introduced in 1.5, it becomes important to de-register the webhook on shutdown. This release improves that behavior and allows more control in managing policy exclusions.

Upgrade Notes

  • Helm charts now enforce a PodDisruptionBudget for multi-replica clusters, and the PDB is removed from the install manifests.

  • anyPattern in Kyverno validate policies breaks on Kubernetes v1.23.0 through v1.23.2; the fix is merged in v1.23.3 via PR.

  • To use any/all conditions in policies that use preconditions and deny.conditions, this resource is a good starting point.

  • mutate.overlay and mutate.patches, which had been deprecated in 1.4, are now removed in v1.6.0.
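
As an added example (not taken from the release notes or from the Kyverno project), the policy below writes both preconditions and deny.conditions in the any/all form the upgrade note points to; the policy name, the storage label and the message are constructed for illustration.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-hostpath-on-create   # constructed name
spec:
  validationFailureAction: enforce
  # request.operation is only available in admission requests, so the rule
  # must not run in background scans.
  background: false
  rules:
    - name: deny-hostpath-unless-approved
      match:
        resources:
          kinds:
            - Pod
      # Preconditions in the any/all form: "any" is a logical OR, so the
      # rule runs for CREATE or UPDATE requests and is skipped otherwise.
      preconditions:
        any:
          - key: "{{ request.operation }}"
            operator: Equals
            value: CREATE
          - key: "{{ request.operation }}"
            operator: Equals
            value: UPDATE
      validate:
        message: "hostPath volumes are only allowed for Pods labelled storage=hostpath-approved"
        deny:
          # deny.conditions in the any/all form: "all" is a logical AND, so the
          # request is denied only when a hostPath volume is present AND the
          # Pod does not carry the (constructed) approval label.
          conditions:
            all:
              - key: "{{ request.object.spec.volumes[].hostPath || `[]` | length(@) }}"
                operator: GreaterThan
                value: 0
              - key: "{{ request.object.metadata.labels.storage || '' }}"
                operator: NotEquals
                value: hostpath-approved
```

The flat list form of conditions (one condition per list item, implicitly ANDed) can be converted by nesting the same items under `all:`; use `any:` where the original intent was an OR.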

What's Changed

  • Refactored operator tests to use test cases by @AverageMarcus in https://github.com/kyverno/kyverno/pull/2620
  • Improving check during generated resource updation by @NoSkillGirl in https://github.com/kyverno/kyverno/pull/2616
  • Move generate process in validating webhook by @NoSkillGirl in https://github.com/kyverno/kyverno/pull/2615
  • Tidy up some of the apply command output code by @AverageMarcus in https://github.com/kyverno/kyverno/pull/2633
  • Cleanup imports by @AverageMarcus in https://github.com/kyverno/kyverno/pull/2635
  • Range Operators by @ljakimczuk in https://github.com/kyverno/kyverno/pull/2622
  • Fix go vet errors by @AverageMarcus in https://github.com/kyverno/kyverno/pull/2637
  • Improving readability by @ljakimczuk in https://github.com/kyverno/kyverno/pull/2638
  • Fix various go lint issues by @AverageMarcus in https://github.com/kyverno/kyverno/pull/2639
  • Restructure project to follow standards by @fiunchinho in https://github.com/kyverno/kyverno/pull/2632
  • handle Cosign payload variations by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2630
  • Improve consistency in jmesPath functions test file by @MarcelMue in https://github.com/kyverno/kyverno/pull/2640
  • Add OSC related adopters by @treydock in https://github.com/kyverno/kyverno/pull/2658
  • feat: support other key methods by @developer-guy in https://github.com/kyverno/kyverno/pull/2607
  • Fix bug in event creation for failed policies by @yulianedyalkova in https://github.com/kyverno/kyverno/pull/2652
  • add keyless verification by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2677
  • fix typo in code comments by @CIPHERTron in https://github.com/kyverno/kyverno/pull/2685
  • Contributors updates, Kyverno CLI acknowledgements by @chipzoller in https://github.com/kyverno/kyverno/pull/2644
  • Ignoring generate kinds from mutate webhook by @NoSkillGirl in https://github.com/kyverno/kyverno/pull/2656
  • obtain webhook config name dynamically by @Danny-Wei in https://github.com/kyverno/kyverno/pull/2698
  • Added Skip status for generate by @NoSkillGirl in https://github.com/kyverno/kyverno/pull/2657
  • Add CODEOWNERS file for maintainers by @MarcelMue in https://github.com/kyverno/kyverno/pull/2686
  • Remove redundant PDB by @ojhaarjun1 in https://github.com/kyverno/kyverno/pull/2598
  • feat: create new builder for buildx by @developer-guy in https://github.com/kyverno/kyverno/pull/2703
  • added check for misspelled fields in condition by @anushkamittal20 in https://github.com/kyverno/kyverno/pull/2707
  • Fixes in new operators by @anushkamittal20 in https://github.com/kyverno/kyverno/pull/2704
  • Wildcard values by @anushkamittal20 in https://github.com/kyverno/kyverno/pull/2692
  • Update CHANGELOG for PDB by @ojhaarjun1 in https://github.com/kyverno/kyverno/pull/2727
  • Fix: Hard-coded ClusterRoleName in OwnerRef breaks by @vyankyGH in https://github.com/kyverno/kyverno/pull/2718
  • Allow use of "pods/binding" subresource by @seh in https://github.com/kyverno/kyverno/pull/2721
  • Do not log error when resource is not namespaced by @fiunchinho in https://github.com/kyverno/kyverno/pull/2730
  • Added time_since() custom JMESPath function by @ojhaarjun1 in https://github.com/kyverno/kyverno/pull/2680
  • set default value of "request.operation" to "CREATE" by @viveksahu26 in https://github.com/kyverno/kyverno/pull/2688
  • fix dependabot issue and remove stale entries in go.mod by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2741
  • Trivy now scans local images by @ShubhamPalriwala in https://github.com/kyverno/kyverno/pull/2744
  • handle missing predicate type by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2743
  • Don't check for Prom Operator apiVersion by @z0rc in https://github.com/kyverno/kyverno/pull/2723
  • Add pattern_match custom JMESPath function analogous to regex_match by @bastjan in https://github.com/kyverno/kyverno/pull/2717
  • updated the contributing.md file by @Anita-ihuman in https://github.com/kyverno/kyverno/pull/2766
  • Add VSHN as adopter with APPUiO Cloud by @tobru in https://github.com/kyverno/kyverno/pull/2773
  • Only report on intended errors when checking JSONPatch path for variables by @MarcelMue in https://github.com/kyverno/kyverno/pull/2710
  • Add path_canonicalize custom JMESPath function by @Danny-Wei in https://github.com/kyverno/kyverno/pull/2787
  • JMESPath arithmetic function units by @ojhaarjun1 in https://github.com/kyverno/kyverno/pull/2753
  • Add command-line flags to allow setting client rate limits (QPS/Burst) by @bastjan in https://github.com/kyverno/kyverno/pull/2797
  • fix: add Windows testcases for path_canonicalize by @Danny-Wei in https://github.com/kyverno/kyverno/pull/2803
  • [docs]: sync api docs with latest api changes by @prateekpandey14 in https://github.com/kyverno/kyverno/pull/2808
  • tighten and clarify Kyverno roles and permissions by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2799
  • added issuer check by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2804
  • add permissions for Kyverno deployment update by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2830
  • adding support for Cosign key-value annotations by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2824
  • Update labels to fetch cluster role by @vyankyGH in https://github.com/kyverno/kyverno/pull/2842
  • Test publishing dev-test images by @realshuting in https://github.com/kyverno/kyverno/pull/2848
  • Add SelectorLabel to (Cluster)PolicyReporter resources by @fjogeleit in https://github.com/kyverno/kyverno/pull/2841
  • Kyverno CLI test default manifest should use a less generic name by @vyankyGH in https://github.com/kyverno/kyverno/pull/2715
  • truncate custom jmespath function by @dkulchinsky in https://github.com/kyverno/kyverno/pull/2836
  • Fix typos by @KushalBeniwal in https://github.com/kyverno/kyverno/pull/2860
  • added support for --git-branch flag and directory in git path for kyverno test cmd by @zeborg in https://github.com/kyverno/kyverno/pull/2763
  • jmespath truncate - handle negative input value by @dkulchinsky in https://github.com/kyverno/kyverno/pull/2856
  • added priorityClassName to helm values.yaml by @franznemeth in https://github.com/kyverno/kyverno/pull/2855
  • Increase Kyverno memory request and limit by @realshuting in https://github.com/kyverno/kyverno/pull/2862
  • remove app.kubernetes.io/managed-by label from crds by @franznemeth in https://github.com/kyverno/kyverno/pull/2852
  • Fix Foreach JMESPath issue by @vyankyGH in https://github.com/kyverno/kyverno/pull/2867
  • add semver_compare JMESPath function by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2846
  • Fix : Foreach Precondition issue by @vyankyGH in https://github.com/kyverno/kyverno/pull/2871
  • fix report permissions by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2874
  • Added validation for Condition Operators by @zeborg in https://github.com/kyverno/kyverno/pull/2864
  • Rules length check by @anushkamittal20 in https://github.com/kyverno/kyverno/pull/2884
  • Fix buildversion for local images by @realshuting in https://github.com/kyverno/kyverno/pull/2887
  • Updated the list of adopters by @Anita-ihuman in https://github.com/kyverno/kyverno/pull/2828
  • keyless signing kyverno images with digest by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2896
  • Extend new operators by @anushkamittal20 in https://github.com/kyverno/kyverno/pull/2788
  • updates for foreach and mutate by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2891
  • Added report generation for verifyImage rules by @ojhaarjun1 in https://github.com/kyverno/kyverno/pull/2782
  • fix: cosign command in github action workflows by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2915
  • Manage affinity with Helm values by @fjogeleit in https://github.com/kyverno/kyverno/pull/2900
  • Fixing the CI job to push images by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2921
  • fix: removing docker-buildx-builder to get digest by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2922
  • fix: removing spaces to make CI job work by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2923
  • adding proper permissions in github action jobs by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2924
  • adds ephemeralContainers to the image variable by @mritunjaysharma394 in https://github.com/kyverno/kyverno/pull/2662
  • Corrected the value of INIT_CONFIG env in deployment by @zeborg in https://github.com/kyverno/kyverno/pull/2927
  • Fix the PR template checkboxes to render empty instead of brackets by @samj1912 in https://github.com/kyverno/kyverno/pull/2942
  • Fix: CI job to release images by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2929
  • Add parse_json function to decode json strings by @samj1912 in https://github.com/kyverno/kyverno/pull/2941
  • Remove spurious prints and fix line endings by @samj1912 in https://github.com/kyverno/kyverno/pull/2963
  • kyverno/test: print test summary of kyverno test results by @sloorush in https://github.com/kyverno/kyverno/pull/2944
  • check for issuer and subject only when declared. fix log levels. by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2973
  • Pin dependencies in Github Actions by @ShubhamPalriwala in https://github.com/kyverno/kyverno/pull/2952
  • move guidelines up by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2976
  • chore: bump go version used to build images by @Boojapho in https://github.com/kyverno/kyverno/pull/2968
  • Converted test.yaml to kyverno-test.yaml by @4molybdenum2 in https://github.com/kyverno/kyverno/pull/2898
  • handle CRDs with no props by @JimBugwadia in https://github.com/kyverno/kyverno/pull/2975
  • Fix autogen issue with cronjob generator and foreach pod generator by @samj1912 in https://github.com/kyverno/kyverno/pull/2989
  • Add arm64 goarch to go releaser by @rlandesman in https://github.com/kyverno/kyverno/pull/2991
  • Add github token permissions to improve ossf scorecard by @rlandesman in https://github.com/kyverno/kyverno/pull/2992
  • Add top level permissions to remaining github workflows by @rlandesman in https://github.com/kyverno/kyverno/pull/2995
  • Fix variable substitution for foreach preconditions by @samj1912 in https://github.com/kyverno/kyverno/pull/2993
  • Add image data to validate image configs by @samj1912 in https://github.com/kyverno/kyverno/pull/2946
  • Add the new flag webhookRegistrationTimeout by @realshuting in https://github.com/kyverno/kyverno/pull/3001
  • Add a parse_yaml function by @samj1912 in https://github.com/kyverno/kyverno/pull/2999
  • Add CODEOWNER by @vyankyGH in https://github.com/kyverno/kyverno/pull/3011
  • Support mutation of variables in validate.deny by @vyankyGH in https://github.com/kyverno/kyverno/pull/2947
  • Added Mac ARM64 build to Krew config by @AverageMarcus in https://github.com/kyverno/kyverno/pull/3002
  • Add samj1912 to codeowners by @samj1912 in https://github.com/kyverno/kyverno/pull/3015
  • Remove resourceCache from engine by @realshuting in https://github.com/kyverno/kyverno/pull/3013
  • fix(generate): use JSON patch for GenerateRequests status updates by @prateekpandey14 in https://github.com/kyverno/kyverno/pull/3000
  • Added Kyverno specific SharedInformerFactory by @ojhaarjun1 in https://github.com/kyverno/kyverno/pull/2987
  • Clean up webhook configurations when cannot find kyverno deployment by @realshuting in https://github.com/kyverno/kyverno/pull/3018
  • refactoring github actions to remove duplication and enhancement for versioned sbom's by @Namanl2001 in https://github.com/kyverno/kyverno/pull/2979
  • CLI fix for foreach policies by @vyankyGH in https://github.com/kyverno/kyverno/pull/2997
  • Support namespaceSelector with dynamic webhook enabled by @zeborg in https://github.com/kyverno/kyverno/pull/2953
  • Fixed error handling for negation anchors by @zeborg in https://github.com/kyverno/kyverno/pull/2986
  • Fix permissions for image publish workflows by @samj1912 in https://github.com/kyverno/kyverno/pull/3021
  • fix: buildx-action version by @Namanl2001 in https://github.com/kyverno/kyverno/pull/3023
  • SharedInformers for WebhookConfigurations by @ojhaarjun1 in https://github.com/kyverno/kyverno/pull/3007
  • Background controller: list resources once per policy by @realshuting in https://github.com/kyverno/kyverno/pull/3026
  • fix deployment replica type conversion and refactor webhook logs by @prateekpandey14 in https://github.com/kyverno/kyverno/pull/3022
  • Disable autogen for policies without Pod by @ojhaarjun1 in https://github.com/kyverno/kyverno/pull/2737
  • Fix: namespace quota policy failed to be applied for two resources named ResourceQuota with different APIVersions by @lshmouse in https://github.com/kyverno/kyverno/pull/2612
  • Broken exclude any all by @anushkamittal20 in https://github.com/kyverno/kyverno/pull/2990
  • clarify naming patterns for Kyverno ClusterRoles/ClusterRoleBindings by @vyankyGH in https://github.com/kyverno/kyverno/pull/3029
  • clarify naming patterns for Kyverno ClusterRoles/ClusterRoleBindings by @vyankyGH in https://github.com/kyverno/kyverno/pull/3032
  • Reduce throttling requests for Kyverno managed resources by @realshuting in https://github.com/kyverno/kyverno/pull/3016
  • Update division for same units by @ojhaarjun1 in https://github.com/kyverno/kyverno/pull/3038
  • Namespace Specific ValidationFailureAction by @ojhaarjun1 in https://github.com/kyverno/kyverno/pull/2794
  • Reduce throttling requests for Kyverno resources by @realshuting in https://github.com/kyverno/kyverno/pull/3042
  • Fix dynamic webhook for namespace policies by @realshuting in https://github.com/kyverno/kyverno/pull/3044
  • bumps k8s libraries for k8s v1.23 upgrade for kyverno by @mritunjaysharma394 in https://github.com/kyverno/kyverno/pull/3043
  • Bump go version from 1.16 to 1.17 by @zeborg in https://github.com/kyverno/kyverno/pull/3048
  • fix mutate preprocessing for anchors by @JimBugwadia in https://github.com/kyverno/kyverno/pull/3052
  • Release v1.6.0-rc1 by @realshuting in https://github.com/kyverno/kyverno/pull/3057
  • Cherry-pick fixes to release v1.6.0-rc1 by @realshuting in https://github.com/kyverno/kyverno/pull/3062
  • Revert workflow configs to unblock v1.6.0-rc1 by @realshuting in https://github.com/kyverno/kyverno/pull/3080
  • Revert workflow configs for Helm release by @realshuting in https://github.com/kyverno/kyverno/pull/3081
  • Revert workflow configs - add sbom container for images signing by @realshuting in https://github.com/kyverno/kyverno/pull/3082
  • Cherry-pick fixes for 1.6.0. by @realshuting in https://github.com/kyverno/kyverno/pull/3085
  • Cherry-pick GGCR mem leak fixes for Kyverno 1.6 by @samj1912 in https://github.com/kyverno/kyverno/pull/3097
  • Add b/w compat support for K8s version 1.20 and below for Kyverno 1.6 (cherry-pick v1.6) by @samj1912 in https://github.com/kyverno/kyverno/pull/3098
  • Cherry-pick commits for 1.6.0-rc2 by @realshuting in https://github.com/kyverno/kyverno/pull/3123
  • Release 1.6.0-rc2 by @realshuting in https://github.com/kyverno/kyverno/pull/3124
  • Backport recent bug fixes to 1.6 by @samj1912 in https://github.com/kyverno/kyverno/pull/3140
  • Cherry pick #3143 by @zeborg in https://github.com/kyverno/kyverno/pull/3144
  • fix filtered and sort patches index (#3146) by @prateekpandey14 in https://github.com/kyverno/kyverno/pull/3149
  • add missing patch verbs in event clusterrole (#3151) by @prateekpandey14 in https://github.com/kyverno/kyverno/pull/3153
  • Add cloud provider keychains to DefaultKeychain (#3116) by @prateekpandey14 in https://github.com/kyverno/kyverno/pull/3166
  • Cherry-pick commits and release v1.6.0-rc3 by @realshuting in https://github.com/kyverno/kyverno/pull/3173
  • Cherry-pick commits and release v1.6.0-rc4 by @realshuting in https://github.com/kyverno/kyverno/pull/3182
  • Release v1.6.0 by @realshuting in https://github.com/kyverno/kyverno/pull/3194

New Contributors

  • @Issif made their first contribution in https://github.com/kyverno/kyverno/pull/2258
  • @freym made their first contribution in https://github.com/kyverno/kyverno/pull/2298
  • @james-callahan made their first contribution in https://github.com/kyverno/kyverno/pull/2274
  • @slayer321 made their first contribution in https://github.com/kyverno/kyverno/pull/2270
  • @Anita-ihuman made their first contribution in https://github.com/kyverno/kyverno/pull/2402
  • @anushkamittal20 made their first contribution in https://github.com/kyverno/kyverno/pull/2360
  • @hobaen made their first contribution in https://github.com/kyverno/kyverno/pull/2410
  • @AverageMarcus made their first contribution in https://github.com/kyverno/kyverno/pull/2526
  • @jamiecore made their first contribution in https://github.com/kyverno/kyverno/pull/2546
  • @siddharthlal25 made their first contribution in https://github.com/kyverno/kyverno/pull/2592
  • @devholic made their first contribution in https://github.com/kyverno/kyverno/pull/2562
  • @VinodAnandan made their first contribution in https://github.com/kyverno/kyverno/pull/2572
  • @lshmouse made their first contribution in https://github.com/kyverno/kyverno/pull/2614
  • @ljakimczuk made their first contribution in https://github.com/kyverno/kyverno/pull/2622
  • @fiunchinho made their first contribution in https://github.com/kyverno/kyverno/pull/2632
  • @yulianedyalkova made their first contribution in https://github.com/kyverno/kyverno/pull/2652
  • @CIPHERTron made their first contribution in https://github.com/kyverno/kyverno/pull/2685
  • @Danny-Wei made their first contribution in https://github.com/kyverno/kyverno/pull/2698
  • @seh made their first contribution in https://github.com/kyverno/kyverno/pull/2721
  • @z0rc made their first contribution in https://github.com/kyverno/kyverno/pull/2723
  • @bastjan made their first contribution in https://github.com/kyverno/kyverno/pull/2717
  • @tobru made their first contribution in https://github.com/kyverno/kyverno/pull/2773
  • @KushalBeniwal made their first contribution in https://github.com/kyverno/kyverno/pull/2860
  • @franznemeth made their first contribution in https://github.com/kyverno/kyverno/pull/2855
  • @sloorush made their first contribution in https://github.com/kyverno/kyverno/pull/2944
  • @Boojapho made their first contribution in https://github.com/kyverno/kyverno/pull/2968
  • @rlandesman made their first contribution in https://github.com/kyverno/kyverno/pull/2991

Full Changelog: https://github.com/kyverno/kyverno/compare/v1.5.8...v1.6.0


Details

date
Feb. 8, 2022, 8:38 a.m.
name
v1.6.0
type
Minor