Kyverno - v1.7.0


Note

  • status.ready of the policy is deprecated in favor of policy.IsReady(). The implementation now uses status.conditions, which offer more flexibility. status.ready will be kept for a couple of releases before it is removed.
  • Deprecated flags have been removed.
  • Flags that overlapped with the ConfigMap-based configuration (filterK8sResources, excludeGroupRole, excludeUsername) have been removed. These settings can now be configured only through the ConfigMap.

Bug Fixes

3997 [Bug] Policy validation blocks variable @

3967 [Bug] Signatures are not set for attestations

3906 [Bug] Cleanup UR for mutate existing policies if the trigger is deleted

3875 [Bug] Validation error for variables in attestations

3818 [Bug] [CLI] scored annotation not supported

3798 [Bug] Kyverno drops OCI image config/manifest data when non compliant keys are used

3776 [Bug] Global image policies get applied on the Kyverno namespace

3745 [Bug] Kyverno is not receiving updates for changes to Service status

3742 [Bug] [CLI] Variables of type integer not supported

3722 [Bug] Autogen errors and missing cronjob rule

3720 [Bug] Fix policy status

3693 [Bug] [CLI] test command git support broken

3691 [Bug] [CLI] Subject not supported in test command

3685 [BUG] Wildcard anyin/in regression with wildcard keys

3670 [Bug] Bump Go versions across all kyverno packages to fix new CVEs in Golang 1.17.6

3732 [Bug] Missing rule names in successful events

3667 [Bug] Generate permissions are not checked

3653 [bug] Webhooks are not configured correctly

3651 [Bug] Revert PR 1597 (multi-line strings)

3639 [Bug] Some pre-defined variables not supported in preconditions, elsewhere

3626 [Bug] Investigate potential race condition for policy cache

3625 [Bug] New leader should not delete existing webhook configurations

3624 [Bug] Investigate policy status updates across pods

3620 [Bug] Logger header keeps piling up

3604 [Bug] [CLI] CI failures when cloning from main

3597 [Bug] Error: no kind "ClusterPolicy" is registered for version "kyverno.io/v1" in scheme "k8s.io/kubectl/pkg/scheme/scheme.go:28"

3594 [Bug] Add KMS libs for Cosign

3584 [Bug] Autogen logs errors

3570 [Bug] Remove references to kubeconfig as parameter

3568 [Bug] Helm chart version inconsistency

3535 [Bug] Support foreach list element to be array/string

3497 [Bug] Kyverno loops over generate and keeps tracking deleted namespaces

3440 [Bug] Policies stops working after a few hours

3416 [Bug] [CLI] Removing Validate CLI command

3401 [Bug] [CLI] kyverno test picks up backup files

3397 [Bug] Image Signature Verification Error is Misleading

3351 [Bug] Webhook update loop can retry exponentially

3339 [Bug] Helm chart default setting for config.resourceFilters uses static value for ignoring kyverno namespace

3279 [Bug] Kyverno tries to generate events on blocked resources

3270 [Bug] [CLI] Support different context variables when using foreach

3235 [Bug] GenerateRequests not covered in aggregated ClusterRoles

3231 [Bug] Cascading Mutate rules with conditional logic (via anchors) weirdness

3197 [BUG] Background scan throws warning event when preconditions not met

3191 [BUG] Rule excluding ClusterRole cluster-admin falsely excludes other ClusterRoles

3177 [BUG] request.clusterRoles variable not resolving when a RoleBinding references a ClusterRole

3101 [BUG] Generate clone/sync takes time to sync the updates

3077 [BUG] kyverno test indentation fix

2982 [BUG] Generating Resources only work with ClusterPolicies

2711 [BUG] Kyverno updates ClusterPolicy needlessly when auto-generation is enabled

2053 [BUG] HA kyverno 1.4.0

2001 [BUG] Unsupported AST kind *ast.InterfaceType for apiextensions.JSON references

3789 [Bug] Require etcd 3.4.0+

3754 [Bug] Handle duplicate image names in the image verification metadata

3858 [Bug] Raw value causes failure to sync policy in 1.7.0 dev

4009 Use background helper in ur generator

4008 Remove update ur status in generator

4007 Bypass policy mutation if autogen internals enabled

4004 Stop mutating policies when autogen internals is enabled

4003 Stop mutating cached resource in ur controller

3986 ur is nil in ur controller

3973 Release ur when handler pod is gone

3806 Cleanup old dependencies from go.sum and go.mod

3802 Remove kubeconfig

3784 Add missing tombstone calls

3772 Cert manager duplicate event handler

3759 Logger call depth

3748 Fix verify all images

3729 Missing image verification rules in autogen

3706 Remove unused type TargetMutation

3686 Fix regression in wildcard matches in In/AnyIn operators

3599 Fix missing policy.kyverno.io/policy-name label

3537 Disallow all in autogen annotation

3509 Reduce dependency to ns lister

3448 Use PodControllersAnnotation constant

3387 Metrics config defaults

3377 Generate api reference docs

3361 Filter resources names with helm custom release name

3358 Incorrect resource filters with helm and custom namespace

3329 Update codegen

3327 Naming typos

3313 Seccomp profile

3108 Fix parsing of resources in preconditions

3096 Fix the kyverno default keychain value to be the ggcr default keychain when uninitialized

3662 Logic of match service account is fixed for namespace

3713 Refactor: remove some api unnecessary pointers (4)

3712 Optimize UR listing on policy events

3710 Create events for ImageVerify rules

3100 Add b/w compat support for K8s version 1.20 and below for Kyverno 1.7

Features

3770 [Feature] Look up mutate.targets via dynamic client

3769 [Feature] Add handler to UR.status

3767 [Feature] Allow kyverno jp to work on yaml files

3758 [Feature] [CLI] support for testing image verification rules

3702 [Feature] JMESPath function to convert map to object

3615 [Feature] Support multiple static keys in a single entry

3608 [Feature] Allow users to define inline variables in context

3555 [Feature] Extend foreach to support any JMESPath at request.*

3502 [Feature] Support Certificate Chains during Image Signature Verification

3441 [Feature] Deprecate test.yaml

3433 [Feature] Verify that image digests are used instead of tags

3431 [Feature] Require all images are signed

3430 [Feature] Mutate image tags to digest

3395 [Feature] Allow accessing the registry from the CLI for mutate/validate calls if a registry flag is passed

3241 [Feature] Remove Cluster IP from self-generated cert SANs

3224 [Feature] Expose URLs for Fulcio and Rekor

3216 [Feature] Support more certificate-extensions from cosign

2861 [Feature][CLI] Support for Roles, ClusterRoles, and Subjects

3813 [Feature] Disable the leader election for update request controller

2583 [Feature] Supporting verification of container images via cosign with multiple public keys

2567 [Feature] Support for apiCall in tests

2194 [Feature] CLI "kyverno apply" support for imageVerify rule

2139 [Feature] Mutate target resource which is different from watched resource

1722 [Feature] Post mutation

1607 [Feature] Mutate existing resource on policy update

2283 [Feature] An automatic way to apply generation to all applicable resources

3821 CLI should respect scored annotation for warnings

3808 Parse all root CA certs

3680 Remove deprecated flags

3426 Use IsReady method

3420 Move GetRules() at the policy level

3419 Add toggle package for feature flags

3413 Add webhooks object selector support

3410 Stop mutating rules

3379 Stop adding autogen annotation

3378 Add conditions support

3376 Add rules to status

3332 Add autogen controllers to policy status

3309 Gen kyverno helm chart docs

3277 Add linux/s390x builds

3998 Support @ for mutate targets

3824 Add an object_from_lists function

3658 Allow definition of inline variables in context

3596 Add support for custom image extractors

3362 Support RSA, ECDSA and EDDSA public key verification

Enhancements

3576 Update to Cosign 1.7.x

3195 Add maxAge for attestation checks

3074 Update CRD in description field of foreach

3046 Use the typed client to update GenerateRequest

3019 Support using the 'kubernetes keychain' without -imagePullSecrets

3009 Replace ToUnstructured() inside convertToUnstructured()

3199 Add attestors declaration with AND / OR of keys and keyless signers

2938 Validate image fields for custom resources

2916 Remove resourceFilters in Kyverno ConfigMap

2894 Convert test.yaml -> kyverno-test.yaml

2576 Improve Kyverno CLI structure

2570 Make generate policy easier to apply on existing resources

2475 Drop v1alpha1 PolicyReport CRD

2447 Remove unused Run function from generate

2405 Add e2e test for JSON patch mutate policy

2391 Add e2e tests for a mutate policy using global anchor

1937 Please add JMSEPath support to Kyverno CLI

1610 CLI - Generate policy - print the generated resource

3757 Split certificates from keys for imageVerify rule

33811 Remove broken .ca from helm chart

33786 Remove config flags

33697 Remove unused custom expansions from client

33649 Add artifacthub operator and prerelease annotations

33375 Add helm crds to make codegen target

3493 Simplify validation with named return

3492 Add autogen internals e2e tests

3481 Run go vet in CI

3405 Add make help target

3394 Makefile should not makefile go.mod

3356 Gen helm crds from config crds

3311 Drop helm v2

3310 Check helm docs are up to date

3894 Request operation value by default to CREATE

3863 Handle errors properly for mutate and generate on existing resources

3828 Allow variables of any kind to be defined

3826 Relax JMESPath variable validation

3825 Improve logging and error handling in json context

3814 Policy Validation check for onPolicyUpdate flag

3771 Bump cosign and sigstore versions

3755 Add tests for required checks for image verify

3749 Test Summary printing for failure test cases

3741 cleanup event messages and sources

3730 Convert GenerateRequest to UpdateRequest for backward compatibility

3724 Add error handling and log for image extractor errors

3717 Create UR for both mutate and generate policies

3703 Add e2e tests for mutate existing policies

3699 Enable tests in makefile

3684 Enable verifyImages and CLI registry tests

3587 Update to cosign 1.7.1

3272 Return warning on admission response when mutating pods

3263 Cleanup commented out lines of code

Others

4022 refactor: used typed admission request in ur

4012 refactor: add policy event listener in ur controller

3707 refactor: remove some api unnecessary pointers (3)

3705 refactor: remove some api unnecessary pointers (2)

3704 refactor: remove some api unnecessary pointers

3638 refactor: remove unused Run function from generate

3996 refactor: move label helper utils from policy package to background package

3877 refactor: bump KIND version to use v1.24.0 k8s release

3790 refactor: move config controller in controllers package

3783 refactor: policycache package logger

3782 refactor: create a package for controllers and move certmanager in it

3775 refactor: dclient package

3765 refactor: wait for cache sync

3737 refactor: remove unstructured usage from webhookconfig

3736 refactor: use typed informers and add tombstone support to webhookconfig

3734 refactor: metrics package logger

3696 refactor: auth package logger

3678 refactor: use typed k8s client in tls package

3591 refactor: cli code from pkg to cmd

3563 refactor: engine context

3556 refactor: make response type (RuleType) typed

3554 refactor: use the typed namespace informer in GenerateRequest controller

3553 refactor: move common utils

3552 refactor: add engine utils sub package

3551 refactor: checkEngineResponse in webhooks

3550 refactor: reduce policy mutations

3549 refactor: metrics package

3548 refactor: webhooks metrics reporting

3546 refactor: use GetValidationFailureAction method

3545 refactor: use GetFailurePolicy method

3544 refactor: use BackgroundProcessingEnabled method

3543 refactor: use existing ContainsString util

3539 refactor: move some helpers in utils package

3532 refactor: simplify autogen package

3528 refactor: add os utils sub package

3527 refactor: separate kube utils package

3526 refactor: switch to admission v1

3524 refactor: add a json patch util

3523 refactor: separate json utils package

3520 refactor: separate yaml utils package

3516 refactor: webhooks package

3512 refactor: use policy interface and introduce admission utils package

3510 refactor: use more policy interface

3503 refactor: use policy interface in policycache package

3499 refactor: make use of policy interface

3496 refactor: factorize policy interface

3495 refactor: improve policycache package

3466 refactor: use abstract policy interface in webhookconfig

3454 refactor: match and exclude conflict validation

3452 refactor: remove ns lister from webhookconfig

3451 refactor: add ValidationFailureAction to the api

3450 refactor: add IsNamespaced() method to API policy types

3446 refactor: ResourceDescription validation

3445 refactor: ExcludeResources validation

3444 refactor: replace ExcludeResources by MatchResources

3422 refactor: MatchResources validation

3421 refactor: ValidationFailureActionOverrides validation

3409 refactor: Policy name validation

3406 refactor: Rule names validation

3400 refactor: Rule type validation

3399 refactor: UserInfo validation

3372 refactor: ImageVerification validation

3365 refactor: introduce api common types

3364 refactor: move controller autogen annotation in api package

3363 refactor: move api functions closer to the struct they belong to

3350 refactor: introduce rules getters and setters

3316 refactor: introduce autogen package

3315 refactor: pass only spec instead of whole policy when possible


Details

date: June 2, 2022, 1:20 p.m.
name: v1.7.0
type: Minor