Kyverno - v1.7.0
Note
- status.ready of the policy is deprecated in favor of policy.IsReady(). The implementation was changed to use status.conditions, which offer more flexibility. status.ready will be kept for a couple of releases until we remove it in the future.
- Deprecated flags have been removed.
- Flags that were overlapping with config map based configuration were removed (filterK8sResources, excludeGroupRole, excludeUsername). They can now be configured using the config map only.
Bug Fixes
3997 [Bug] Policy validation blocks variable @
3967 [Bug] Signatures are not set for attestations
3906 [Bug] Cleanup UR for mutate existing policies if the trigger is deleted
3875 [Bug] Validation error for variables in attestations
3818 [Bug] [CLI] scored annotation not supported
3798 [Bug] Kyverno drops OCI image config/manifest data when non compliant keys are used
3776 [Bug] Global image policies get applied on the Kyverno namespace
3745 [Bug] Kyverno is not receiving updates for changes to Service status
3742 [Bug] [CLI] Variables of type integer not supported
3722 [Bug] Autogen errors and missing cronjob rule
3720 [Bug] Fix policy status
3693 [Bug] [CLI] test command git support broken
3691 [Bug] [CLI] Subject not supported in test command
3685 [BUG] Wildcard anyin/in regression with wildcard keys
3670 [Bug] Bump Go versions across all kyverno packages to fix new CVEs in Golang 1.17.6
3732 [Bug] Missing rule names in successful events
3667 [Bug] Generate permissions are not checked
3653 [bug] Webhooks are not configured correctly
3651 [Bug] Revert PR 1597 (multi-line strings)
3639 [Bug] Some pre-defined variables not supported in preconditions, elsewhere
3626 [Bug] Investigate potential race condition for policy cache
3625 [Bug] New leader should not delete existing webhook configurations
3624 [Bug] Investigate policy status updates across pods
3620 [Bug] Logger header keeps piling up
3604 [Bug] [CLI] CI failures when cloning from main
3597 [Bug] Error: no kind "ClusterPolicy" is registered for version "kyverno.io/v1" in scheme "k8s.io/kubectl/pkg/scheme/scheme.go:28"
3594 [Bug] Add KMS libs for Cosign
3584 [Bug] Autogen logs errors
3570 [Bug] Remove references to kubeconfig as parameter
3568 [Bug] Helm chart version inconsistency
3535 [Bug] Support foreach list element to be array/string
3497 [Bug] Kyverno loops over generate and keeps tracking deleted namespaces
3440 [Bug] Policies stops working after a few hours
3416 [Bug] [CLI] Removing Validate CLI command
3401 [Bug] [CLI] kyverno test picks up backup files
3397 [Bug] Image Signature Verification Error is Misleading
3351 [Bug] Webhook update loop can retry exponentially
3339 [Bug] Helm chart default setting for config.resourceFilters uses static value for ignoring kyverno namespace
3279 [Bug] Kyverno tries to generate events on blocked resources
3270 [Bug] [CLI] Support different context variables when using foreach
3235 [Bug] GenerateRequests not covered in aggregated ClusterRoles
3231 [Bug] Cascading Mutate rules with conditional logic (via anchors) weirdness
3197 [BUG] Background scan throws warning event when preconditions not met
3191 [BUG] Rule excluding ClusterRole cluster-admin falsely excludes other ClusterRoles
3177 [BUG] request.clusterRoles variable not resolving when a RoleBinding references a ClusterRole
3101 [BUG] Generate clone/sync takes time to sync the updates
3077 [BUG] kyverno test indentation fix
2982 [BUG] Generating Resources only work with ClusterPolicies
2711 [BUG] Kyverno updates ClusterPolicy needlessly when auto-generation is enabled
2053 [BUG] HA kyverno 1.4.0
2001 [BUG] Unsupported AST kind *ast.InterfaceType for apiextensions.JSON references
3789 [Bug] Require etcd 3.4.0+
3754 [Bug] Handle duplicate image names in the image verification metadata
3858 [Bug] Raw value causes failure to sync policy in 1.7.0 dev
4009 Use background helper in ur generator
4008 Remove update ur status in generator
4007 Bypass policy mutation if autogen internals enabled
4004 Stop mutating policies when autogen internals is enabled
4003 Stop mutating cached resource in ur controller
3986 ur is nil in ur controller
3973 Release ur when handler pod is gone
3806 Cleanup old dependencies from go.sum and go.mod
3802 Remove kubeconfig
3784 Add missing tombstone calls
3772 Cert manager duplicate event handler
3759 Logger call depth
3748 Fix verify all images
3729 Missing image verification rules in autogen
3706 Remove unused type TargetMutation
3686 Fix regression in wildcard matches in In/AnyIn operators
3599 Fix missing policy.kyverno.io/policy-name label
3537 Disallow all in autogen annotation
3509 Reduce dependency to ns lister
3448 Use PodControllersAnnotation constant
3387 Metrics config defaults
3377 Generate api reference docs
3361 Filter resources names with helm custom release name
3358 Incorrect resource filters with helm and custom namespace
3329 Update codegen
3327 Naming typos
3313 Seccomp profile
3108 Fix parsing of resources in preconditions
3096 Fix the kyverno default keychain value to be the ggcr default keychain when uninitialized
3662 Logic of match service account is fixed for namespace
3713 Refactor: remove some api unnecessary pointers (4)
3712 Optimize UR listing on policy events
3710 Create events for ImageVerify rules
3100 Add b/w compat support for K8s version 1.20 and below for Kyverno 1.7
Features
3770 [Feature] Look up mutate.targets via dynamic client
3769 [Feature] Add handler to UR.status
3767 [Feature] Allow kyverno jp to work on yaml files
3758 [Feature] [CLI] support for testing image verification rules
3702 [Feature] JMESPath function to convert map to object
3615 [Feature] Support multiple static keys in a single entry
3608 [Feature] Allow users to define inline variables in context
3555 [Feature] Extend foreach to support any JMESPath at request.*
3502 [Feature] Support Certificate Chains during Image Signature Verification
3441 [Feature] Deprecate test.yaml
3433 [Feature] Verify that image digests are used instead of tags
3431 [Feature] Require all images are signed
3430 [Feature] Mutate image tags to digest
3395 [Feature] Allow accessing the registry from the CLI for mutate/validate calls if a registry flag is passed
3241 [Feature] Remove Cluster IP from self-generated cert SANs
3224 [Feature] Expose URLs for Fulcio and Rekor
3216 [Feature] Support more certificate-extensions from cosign
2861 [Feature][CLI] Support for Roles, ClusterRoles, and Subjects
3813 [Feature] Disable the leader election for update request controller
2583 [Feature] Supporting verification of container images via cosign with multiple public keys
2567 [Feature] Support for apiCall in tests
2194 [Feature] CLI "kyverno apply" support for imageVerify rule
2139 [Feature] Mutate target resource which is different from watched resource
1722 [Feature] Post mutation
1607 [Feature] Mutate existing resource on policy update
2283 [Feature] An automatic way to apply generation to all applicable resources
3821 CLI should respect scored annotation for warnings
3808 Parse all root CA certs
3680 Remove deprecated flags
3426 Use IsReady method
3420 Move GetRules() at the policy level
3419 Add toggle package for feature flags
3413 Add webhooks object selector support
3410 Stop mutating rules
3379 Stop adding autogen annotation
3378 Add conditions support
3376 Add rules to status
3332 Add autogen controllers to policy status
3309 Gen kyverno helm chart docs
3277 Add linux/s390x builds
3998 Support @ for mutate targets
3824 Add an object_from_lists function
3658 Allow definition of inline variables in context
3596 Add support for custom image extractors
3362 Support RSA, ECDSA and EDDSA public key verification
Enhancements
3576 Update to Cosign 1.7.x
3195 Add maxAge for attestation checks
3074 Update CRD in description field of foreach
3046 Use the typed client to update GenerateRequest
3019 Support using the 'kubernetes keychain' without -imagePullSecrets
3009 Replace ToUnstructured() inside convertToUnstructured()
3199 Add attestors declaration with AND / OR of keys and keyless signers
2938 Validate image fields for custom resources
2916 Remove resourceFilters in Kyverno ConfigMap
2894 Convert test.yaml -> kyverno-test.yaml
2576 Improve Kyverno CLI structure
2570 Make generate policy easier to apply on existing resources
2475 Drop v1alpha1 PolicyReport CRD
2447 Remove unused Run function from generate
2405 Add e2e test for JSON patch mutate policy
2391 Add e2e tests for a mutate policy using global anchor
1937 Please add JMSEPath support to Kyverno CLI
1610 CLI - Generate policy - print the generated resource
3757 Split certificates from keys for imageVerify rule
33811 Remove broken .ca from helm chart
33786 Remove config flags
33697 Remove unused custom expansions from client
33649 Add artifacthub operator and prerelease annotations
33375 Add helm crds to make codegen target
3493 Simplify validation with named return
3492 Add autogen internals e2e tests
3481 Run go vet in CI
3405 Add make help target
3394 Makefile should not makefile go.mod
3356 Gen helm crds from config crds
3311 Drop helm v2
3310 Check helm docs are up to date
3894 Request operation value by default to CREATE
3863 Handle errors properly for mutate and generate on existing resources
3828 Allow variables of any kind to be defined
3826 Relax JMESPath variable validation
3825 Improve logging and error handling in json context
3814 Policy Validation check for onPolicyUpdate flag
3771 Bump cosign and sigstore version
3755 Add tests for required checks for image verify
3749 Test Summary printing for failure test cases
3741 cleanup event messages and sources
3730 Convert GenerateRequest to UpdateRequest for backward compatibility
3724 Add error handling and log for image extractor errors
3717 Create UR for both mutate and generate policies
3703 Add e2e tests for mutate existing policies
3699 Enable tests in makefile
3684 Enable verifyImages and CLI registry tests
3587 Update to cosign 1.7.1
3272 Return warning on admission response when mutating pods
3263 Cleanup commented out lines of code
Others
4022 refactor: used typed admission request in ur
4012 refactor: add policy event listener in ur controller
3707 refactor: remove some api unnecessary pointers (3)
3705 refactor: remove some api unnecessary pointers (2)
3704 refactor: remove some api unnecessary pointers
3638 refactor: remove unused Run function from generate
3996 refactor: move label helper utils from policy package to background package
3877 refactor: bump KIND version to use v1.24.0 k8s release
3790 refactor: move config controller in controllers package
3783 refactor: policycache package logger
3782 refactor: create a package for controllers and move certmanager in it
3775 refactor: dclient package
3765 refactor: wait for cache sync
3737 refactor: remove unstructured usage from webhookconfig
3736 refactor: use typed informers and add tombstone support to webhookconfig
3734 refactor: metrics package logger
3696 refactor: auth package logger
3678 refactor: use typed k8s client in tls package
3591 refactor cli code from pkg to cmd
3563 refactor: engine context
3556 refactor: make response type (RuleType) typed
3554 refactor: use the typed namespace informer in GenerateRequest controller
3553 refactor: move common utils
3552 refactor: add engine utils sub package
3551 refactor: checkEngineResponse in webhooks
3550 refactor: reduce policy mutations
3549 refactor: metrics package
3548 refactor: webhooks metrics reporting
3546 refactor: use GetValidationFailureAction method
3545 refactor: use GetFailurePolicy method
3544 refactor: use BackgroundProcessingEnabled method
3543 refactor: use existing ContainsString util
3539 refactor: move some helpers in utils package
3532 refactor: simplify autogen package
3528 refactor: add os utils sub package
3527 refactor: separate kube utils package
3526 refactor: switch to admission v1
3524 refactor: add a json patch util
3523 refactor: separate json utils package
3520 refactor: separate yaml utils package
3516 refactor: webhooks package
3512 refactor: use policy interface and introduce admission utils package
3510 refactor: use more policy interface
3503 refactor: use policy interface in policycache package
3499 refactor: make use of policy interface
3496 refactor: factorize policy interface
3495 refactor: improve policycache package
3466 refactor: use abstract policy interface in webhookconfig
3454 refactor: match and exclude conflict validation
3452 refactor: remove ns lister from webhookconfig
3451 refactor: add ValidationFailureAction to the api
3450 refactor: add IsNamespaced() method to API policy types
3446 refactor: ResourceDescription validation
3445 refactor: ExcludeResources validation
3444 refactor: replace ExcludeResources by MatchResources
3422 refactor: MatchResources validation
3421 refactor: ValidationFailureActionOverrides validation
3409 refactor: Policy name validation
3406 refactor: Rule names validation
3400 refactor: Rule type validation
3399 refactor: UserInfo validation
3372 refactor: ImageVerification validation
3365 refactor: introduce api common types
3364 refactor: move controller autogen annotation in api package
3363 refactor: move api functions closer to the struct they belong to
3350 refactor: introduce rules getters and setters
3316 refactor: introduce autogen package
3315 refactor: pass only spec instead of whole policy when possible
Details
date: June 2, 2022, 1:20 p.m.
name: v1.7.0
type: Minor