Note

• A new flag maxReportChangeRequests is added to the Kyverno main container, this flag sets the up-limit of reportchangerequests that a namespace can take, or clusterreportchangerequests if matching kinds are cluster-wide resources. The default limit is set to 1000, and it's recommended to configure it to a small threshold on large clusters. Here the large clusters are considered that a policy report has more than 1k results.

• A new flag splitPolicyReport is added to the Kyverno main container, to enable/disable the split-up policy reports feature. Disable by default, once enabled the PolicyReports will be split-up per policy per namespace bases, and ClusterPolicyReports will be split-up per policy bases.

• A new flag maxQueuedEvents is added to the Kyverno main container, this flag sets the up-limit of the events that are queued internally.

Enhancements

4233 Limit queued events

4147 Split policy report per policy bases

Bug Fixes

4243 Fix check depreciated api issue

4237 Fix split policyreport name with background scan

4231 Update cosign to v1.9.0

4224 Fix kyverno cli policy-report typo

4213 Only set up logging context if it will be used

4212 Fix UpdateRequest labeling (from pull #4199)

4210 Fix: use the unstructured list instead of interface type

4204 Use non-blocking channel send for UpdateWebhookChan

4200 Fix: merging patches across image verification and mutate policy rules

4199 Fix UpdateRequest labeling

4174 Delete policy reports on policy deletion

4159 Disable event generation for resources on DELETE requests

4156 Switch to use kyverno namespace pod informer to avoid memory growth

4155 Wait for informer caches to be synced before starting controllers

4148 Clean up RCRs if the count exceeds the threshold

4139 Fix external.metrics.k8s.io/v1beta1 issue

4138 Release event memory