Kyverno - v1.9.0


❗ Breaking ❗

✨ Added ✨

⚠️ Changed ⚠️

🐛 Fixed 🐛

  • #6122 fix: policy exception event source
  • #6112 fix: tracing attributes length and tracer name
  • #6103 fix: flag added to init container mistake
  • #6100 fix: cleanup-controller version
  • #6098 fix: allow deletion of namespace containing managed resources
  • #6051 fix: pin busybox image tag in helm tests
  • #6047 fix: replace + with _ in Chart.Version label field
  • #6046 validate polex activation and namespace
  • #6030 feat: add missing polex flags
  • #6020 fix: ns labels matching
  • #6008 fix: policy match Kind case-senstive
  • #5998 chore: log out cleanup policy events
  • #5988 feat: create warning events on errors for cleanup policies
  • #5987 fix: generate policy exception events
  • #5982 feat: create events for cleanup policies
  • #5980 fix: policy exceptions not working in background mode
  • #5977 chore: log out deleted resources at default level for cleanup policies
  • #5974 fix: invoke cleanup process during shutdown
  • #5967 chore: upload CRDs manifests to GH release
  • #5966 feat: add cluster role aggregation to cleanup controller
  • #5965 fix: helm selector
  • #5960 fix: chart kyverno-policies invalid annotations
  • #5956 fix: imageRef mismatch
  • #5950 feat: add more time jmespath filters
  • #5948 fix: update policy exception CRD description
  • #5943 fix: cleanup policies with user infos in match/exclude should be rejected
  • #5941 chore: policy report - improve logging
  • #5935 test: add kuttl test for policy exception
  • #5931 fix: missing user info matching
  • #5928 Fixes `time_now` failing
  • #5920 chore: simplify tests workflow
  • #5914 chore: add missing gh workflow
  • #5913 fix: golangci-lint workflow
  • #5910 chore: fix releaser badge
  • #5909 fix: configure gh workflow permission
  • #5908 feat: add violation details to report.results.properties for PSa policies
  • #5907 chore: make check actions pinned by hash a standalone ci job
  • #5906 fix: mutateExisting - set resourceVersion before update
  • #5904 fix: cleanup controller - restrict cronjobs by PSS restricted checks
  • #5897 chore: add setup test env gh action
  • #5892 chore: add setup-build-env gh action
  • #5888 fix: use var 'target.*' in cleanup policies
  • #5886 fix: Configure webhook to add `ephemeralcontainers` for policies matching on Pod
  • #5885 chore: use gh composite actions
  • #5883 chore: small gh workflows improvements
  • #5881 fix: Add group to subresources declaration in value.yaml file for CLI
  • #5875 fix validation checks for foreach and nested foreach
  • #5871 refactor: improve background scan reconciliation
  • #5870 fix: add missing kuttl assert file
  • #5865 fix: force background scan recomputation
  • #5862 fix: incorrect variable substitution`request.object.*` for mutateExisting policies
  • #5851 feat: cleanup new validatingwebhooks
  • #5847 chore: move ConvertToUnstructured from engine utils to kube utils
  • #5846 fix(chart/kyverno): handle multiple extraArgs in init container
  • #5844 chore: cleanup a couple workflows
  • #5843 fix: improve cli help message
  • #5840 chore: bump a couple of deps
  • #5839 fix: Add subresources support to policy exceptions
  • #5835 fix: enum values for ValidationFailureActionOverride
  • #5834 chore: add a couple unit tests
  • #5832 fix: default value for validationFailureAction
  • #5829 chore: cleanup codecov workflow
  • #5828 refactor: move utils into sub packages
  • #5824 Adds notes to functions
  • #5823 Walk back change in PSS policy to send to to_upper
  • #5819 add source archive checksum into the checksums.txt
  • #5817 Added a time_add() filter to add duration and absolute time
  • #5814 Adds JMESPath filter for returning cron expression for absolute time
  • #5813 Adds JMESPath filter for returning current time
  • #5810 feat: improve background scan reports enqueue logic
  • #5808 fix: error handling in last scan time parsing
  • #5807 fix: background scan events
  • #5801 fix arguments passed to DeepEqual
  • #5797 enhance logging, fix pull flag description
  • #5796 feat: cleanup enhancements-1
  • #5789 chore: update publicKey description
  • #5787 fix cli output adjustments
  • #5782 redirect stderr to get digest successfully
  • #5776 fix delete policy
  • #5765 Bump go-plugin
  • #5762 fix: image digest
  • #5756 refactor: cleanup controller validating webhook
  • #5754 refactor: move util funcs in sub packages
  • #5752 test: add unit test for GetResourceName util
  • #5751 chore: bump deps including k8s ones
  • #5750 refactor: remove common package
  • #5749 refactor: auth package and add full unit test coverage
  • #5747 refactor: policy controller package
  • #5746 refactor: remove a couple of old util funcs
  • #5743 refactor: use typed client in auth
  • #5742 chore: remove e2e tests
  • #5740 chore: remove autogen internals tests
  • #5739 fix: cleanup controller image build
  • #5737 chore: build cleanup controller image
  • #5735 feat: generate SLSA provenance on releases
  • #5733 feat: run conformance tests with different k8s versions
  • #5732 chore: update k8s versions test grid
  • #5731 fix: remove all category from all our CRDs
  • #5729 fix: add rule type "ImageVerify"
  • #5728 Bump Go 1.19.4
  • #5727 feat: force background scan regularly
  • #5721 fix: add back install.yaml manifest
  • #5719 feat: propagate psa checks results
  • #5712 feat: add exception logic
  • #5710 fix: missing assignment in configmap resolver
  • #5707 feat: add kuttl tests for #5704
  • #5705 fix: Initializes configmap resolver in background components
  • #5701 fix info kind error
  • #5697 fix: exception validation follow up
  • #5691 refactor: supress usage of kustomize in build
  • #5688 chore: bump a couple of deps
  • #5687 fix: bump log level for autogen debug logs
  • #5686 chore: remove deprecated flag splitPolicyReport
  • #5682 chore: remove secrets client from webhook controller
  • #5681 chore: rename exclude into match in policy exception
  • #5680 feat: Implement PolicyException
  • #5679 feat: add policy exception validation webhook
  • #5678 fix: case where deny message is not a string
  • #5677 fix: block policy admission if kyverno is down
  • #5671 feat: add certs controller to cleanup policies
  • #5668 fix: allow policies from stdin in apply again
  • #5662 feat: Introduce PolicyException CRD
  • #5660 use camel case for ForEach naming
  • #5653 feat: add metrics service and service monitor to cleanup controller
  • #5647 feat: add dev config with support for prom loki and tempo
  • #5646 fix: missing permission in cleanup controller role
  • #5645 fix: grafana dashboard
  • #5643 refactor: tracing package
  • #5640 fix: Improve helm-test workflow
  • #5639 feat: propagate context through engine
  • #5636 fix AllNotIn operator
  • #5630 feat: add http clients tracing
  • #5629 fix: setup tracing and minor cleanup in tracing and metrics code
  • #5628 feat: improve cleanup policies controller and chart
  • #5627 Support existing imagePullSecrets for image verify functionality
  • #5626 feat: add conditions matching to cleanup controller
  • #5625 feat: introduce v2alpha1
  • #5624 fix: don't create orphan spans in instrumented clients
  • #5622 fix: registry client not propagated correctly
  • #5620 feat: use lister in registry client
  • #5614 feat: implement cleanup policy matching
  • #5610 chore: bump a couple of deps
  • #5609 refactor: improve color and table printer management in cli test command
  • #5605 Add api docs
  • #5598 fix: use lister for CA secret
  • #5596 refactor: registry client
  • #5594 use helm values for CRD labels
  • #5593 chore: bump a couple of deps
  • #5591 fix: replace + symbol with _ symbol on the Chart.Version field
  • #5590 Fix: handling unexpected global-anchor-variable for the apply command
  • #5589 Nested foreach
  • #5580 feat: add cleanup controller BYOSA and RBAC extensions
  • #5578 chore: bump flux action
  • #5577 adding --warn-exit-code flag
  • #5576 feat: add cleanup handler
  • #5567 chore: disable dependabot auto rebase
  • #5566 refactor: split CLI jp command
  • #5552 refactor: cli jp command
  • #5550 refactor: cli test command
  • #5544 refactor: jmespath arithmetic operations
  • #5531 chore: enable dependabot
  • #5530 Bump SLSA GitHub generator to 1.4.0
  • #5523 refactor: make policy context immutable and fields private
  • #5516 fix: pod anti affinity
  • #5514 fix: cleanup policy validation
  • #5513 configure opentelemetry logger
  • #5512 chore: bump a few deps
  • #5510 chore: use builtin slices.Clone
  • #5509 chore: improve cleanup controller
  • #5507 refactor: use internal cmd package in kyverno
  • #5506 refactor: add controller helper to internal package
  • #5504 chore: switch to kyverno/kuttl
  • #5503 chore: bump a couple of deps
  • #5502 fix: panic when response is nil
  • #5500 chore: stop using set-output in gh actions
  • #5497 fix: add image extractor for ReplicationController
  • #5496 chore: replace utils.ContainsString with builtin slices.Contains
  • #5495 feat: propagate context in dynamic client
  • #5494 feat: add controller metrics
  • #5493 feat: add webhook type to admission metrics
  • #5492 refactor: move metrics closer to the code that use them
  • #5489 chore: refactor metrics namespace check
  • #5484 issue-4613: Add support for cache enhancements with informers
  • #5482 chore: bump kyverno version in argo lab
  • #5479 feat: propagate context to the metrics package
  • #5478 feat: add allowed label to admission metrics
  • #5477 feat: add dynamic client support to internal cmd package
  • #5475 refactor: metrics configuration code
  • #5474 chore: improve tracing instrumented clients
  • #5473 feat: create a policy utils package
  • #5472 feat: add new filtering handlers
  • #5464 feat: use admission review v1
  • #5463 feat: add engine traces
  • #5462 fix: remove filtering for policy admission handlers
  • #5461 feat: support flagsets in internal cmd package
  • #5460 chore: add instrumented clients codegen verification
  • #5448 docs: add reports troubleshooting tips
  • #5446 fix: argocd lab monitoring namespace
  • #5444 feat: add signal in internal cmd package
  • #5443 feat: use client funcs from internal cmd package
  • #5442 feat: improve handlers tracing code
  • #5440 chore: bump a bunch of deps
  • #5438 feat: add logging support to instrumented clients
  • #5437 feat: add discovery support in instrumented clients
  • #5436 refactor: dynamic client use instrumented clients
  • #5435 fix: reading policies for oci command and pushing image
  • #5434 docs: add controllers README
  • #5428 refactor: improve instrumented clients code and support dynamic/metadata client
  • #5427 ci: cancel redundant builds of workflow on push
  • #5423 fix request.operation in globalValues is always set to CREATE
  • #5419 Update SLSA to v1.3.0
  • #5417 refactor: improve instrumented clients creation
  • #5415 fix: typo
  • #5412 feat: make traces better
  • #5410 refactor: split argocd lab into multiple steps
  • #5404 refactor: introduce cmd internal package
  • #5401 chore: remove obsolete metrics client code
  • #5398 refactor: generated instrumented client code part 2
  • #5397 feat: add tracing middleware
  • #5392 refactor: propagate context through admission handlers
  • #5391 refactor: improve tracing package
  • #5385 Add reconciling logic for creating cronjobs whenever a new cleanup policy is created
  • #5384 fix: the entry length validation for the verify image rule
  • #5376 chore: bump sigstore deps
  • #5367 refactor: update otlp packages
  • #5362 refactor: generate instrumented client code
  • #5357 chore: add helm ci values with cleanup controller
  • #5356 fix digest variable
  • #5351 fix: add some missing options in cleanup helm chart
  • #5343 test: simplify autogen kuttl tests
  • #5338 feat: add CleanupPolicy validation code to CleanupPolicyHandler
  • #5336 fix: add replicaset and replicationController kinds in podsecurity validation
  • #5329 feat: add cleanup controller to helm chart
  • #5327 feat: add cleanup controller makefile targets
  • #5324 chore: remove docker support
  • #5323 Update SLSA generator workflow to v1.2.2
  • #5321 adding --audit-warn flag
  • #5279 feat: add cleanupPolicy validation code
  • #5248 fix: kyverno Dockerfile base image tag and sha256 hash
  • #5246 fix: resource schema validation in policies under any/all match
  • #5243 fix: remove /approve from prow actions
  • #5242 fix: remove unused code in config
  • #5233 feat: create cleanup new CRDs
  • #5228 Fixed description for secret name
  • #5227 feat: allow list with policies in apply
  • #5219 fix: add warning when using deprecated validation failure action
  • #5191 Fix: handled skip rule processing in anyPattern field
  • #5180 fix: do not cancel context when loosing the lead
  • #5174 refactor: remove policyreport package
  • #5173 feat: run leader election in loop
  • #5172 feat: add flag to control leader election frequency
  • #5170 [Cli Bug] fix cli issue for ownerReferences resources
  • #5168 [Feature] Pin Dependencies by Hash
  • #5154 Add ability to use commands in comments
  • #5152 refactor: support Audit and Enforce validation failure actions
  • #5146 fix metadata/generateName for mutation
  • #5134 Corrected Kubernetes spelling
  • #5123 feat: remove policy mutation for auto-gen rules
  • #5122 Allows {{image}} var to be used in policies
  • #5119 Add AGE in printer columns of CRDs
  • #5106 Fixed issue-5102: Show rule count and type in output
  • #5026 feat: oci pull/push support for policie(s)
  • #5024 feat: enable/disable Debug mode which shows entire AdmissionReview payload
  • #4991 [Feature] create command line option to set failurePolicy globally
  • #4986 feat: separate webhook rules per GVK
  • #4975 feat: add replicaset and replicationcontroller to autogen
  • #4938 added apiCalls support in kyverno-apply command
  • #4855 Added support to specify key signature algorithm in verifyImages
  • #4854 feature: use cert extension oid as key
  • #4733 Fixed issue-4530: Added separate attestor type for secrets and KMS
  • #4502 To support gitURLs for "apply" command
  • #4469 validate patchJSON6902
  • #4268 workflow file updated for slsa provenance generation
  • #3612 Kyverno CLI: added method to detect duplicate resource in kyverno test
  • #3491 Integrate Sonarcloud and Nancy github action

Details

date: Feb. 1, 2023, 10:02 a.m.
name: v1.9.0
type: Minor