Releases: kyverno/kyverno
v1.11.5
v1.12.1
Fixed
- Fixed return status when `celPreconditions.matchConditions` aren't met (#9940)
- Fixed the CLI to evaluate `namespaceObject` for Kyverno policies (#9977, #9978)
- Fixed concurrent policy applications (#10139)
- Fixed endless updates of policy status (#10140)
- Fixed empty operations in mutating webhook configuration for a policy with a mixed types of rules (#10146)
- Fixed endless policy reports reconciliation issue (#10148)
- Fixed type conversion in jmespath context variables (#10152)
Others
v1.12.1-rc.1
v1.12.0
1.12 Release Notes
Important Notice
Several critical issues have been found in 1.12.0 and are being closely monitored within the 1.12.1 milestone. Please hold your upgrade to this release until 1.12.1 comes out.
Breaking (Potentially)
- Policies using long-deprecated or invalid operators in conditions (e.g., `In` and `NotIn`) will be blocked. Please see the current list of available operators here (#8624)
Added
- Added a global cache via a new Custom Resource called GlobalContextEntry allowing caching of any resource (#9591, #9595, #9601, #9602, #9614, #9615, #9618, #9619, #9620, #9621, #9643, #9652, #9678, #9710, #9813)
- Added the ability to configure the listening ports of webhooks for admission and cleanup controllers (#7728)
- Several new and improved abilities to reduce the scope of webhooks based on policy configurations, including support for the CEL-based `matchConditions` available in Kubernetes 1.27+ (#8065, #8437, #9483, #9599)
- Added a new container flag `--protectManagedResources` to the cleanup controller (#8566)
- Added a new container flag `--renewBefore` to the admission and cleanup controllers to configure the cert renewal time (#8567)
- Added a new container flag `--loggingtsFormat` which can be used to change the time format of logs (#9276)
- Policy Exceptions now support conditions (#8577)
- Policy Exceptions now support excluding specific controls when using a Pod Security sub-rule `validate.podSecurity` (#9343, #9817)
- Pod Security sub-rule (`validate.podSecurity`) has a new ability to exclude based on restricted fields (`exclude.restrictedField`) and associated values (#8585, #9770, #9658)
- Added a new field to verifyImages rules called `skipImageReferences` allowing you to exclude certain images (#8633)
- Added a new field to generate rules (data-type) called `orphanDownstreamOnPolicyDelete` which will preserve downstream resources when the policy/rule is deleted (#9579)
- Added the ability to deploy specific controllers with CRDs following suit (#8849, #9608)
- Added the ability to apply custom labels to Kyverno's webhooks, helpful especially for Argo CD users (#9015)
- Added support for more types of JSON patch operations like "move", "copy", and "test" (#9476)
- Policy Reports can now be generated from ValidatingAdmissionPolicies and their bindings (#9506)
- Created a new API group `reports.kyverno.io` for storing new ephemeral report kinds `EphemeralReports` and `ClusterEphemeralReports` (#9521, #9537)
- New `is_external_url()` JMESPath function to determine whether a given URL is an external URL (#8614)
- New `sha256()` JMESPath function to convert a string of any length to a fixed hash value (#9144)
- Kyverno CLI: Added a new `migrate` command which is used to migrate Kyverno resources to the current API version (#9296)
- Kyverno CLI: Added a new (experimental) `json` command which incorporates the Kyverno JSON subproject into the main CLI allowing for testing of any JSON content (#9639, #9651)
- Kyverno CLI: The `test` command now supports the same assertion trees available in Chainsaw (#9380)
- Kyverno CLI: The `apply` command now supports ValidatingAdmissionPolicyBindings (#9468, #9751, #9759)
- Kyverno CLI: The `apply` and `test` commands now support Policy Exceptions (#9525, #9624, #9714, #9749)
- Kyverno CLI: Added a `--resources` flag as an alias for the existing `--resource` flag (#9749)
Helm
- Add chart parameters for setting `revisionHistoryLimit` (#8907)
- Allow excluding resources from config.resourceFilters (#8946)
- Allow defining ca-certificates bundle for Kyverno deployments (#8969)
- Clean up Helm change logs (#9057)
- Added ability to set extra environment variables globally (#9269)
- Added the ability to enable performance profiling to the chart (#9338)
- Added a global nodeSelector to the chart (#9339)
- Allow adding Pod labels to cleanup jobs in the chart (#9391)
- Added a CRD migration capability via hooks to the chart (#9481, #9657)
- Added the ability to define additional resources to be excluded via resourceFilters (#9530)
- Added a small note for AKS users when the chart is installed (#9552)
- Added the ability to configure backoff limits in jobs in the chart (#9569)
- Added default exclusions in webhooks (#9950)
Changed
- Allow setting admission controller replica count to 2 (#8932)
- The `spec.schemaValidation` field is formally deprecated. As of 1.11 it has no effect. (#9189)
- The `--reportsChunkSize` flag is deprecated and has no effect since aggregation has changed (#9697)
- The `--imageSignatureRepository` flag is deprecated and has no effect; use the `verifyImages.Repository` field instead (#9698)
- Policy Exceptions will now be evaluated against existing resources when the exception is created (#8659, #8713, #8544)
- Policy Exceptions API graduated to v2 (#9208, #9412)
- Cleanup Policies API graduated to v2 (#9261, #9420)
- Admission and Background reports APIs graduated to v2 (#9262)
- UpdateRequests API graduated to v2 (#9267)
- Reduced some logged messages (#9509, #9626)
- Default logging time format is changed to RFC3339 (#9775)
- Updated the internal Pod Security Standards up through 1.29 (#9783)
- The `time_parse()` JMESPath filter now supports epoch time (#9173)
- Kyverno will validate ValidatingAdmissionPolicies' CEL expressions and show a warning, or block, if invalid (#9566)
- Kyverno CLI: The CLI will now perform field defaulting in policies being tested, moving it out of experimental status (#9220)
Helm
- Chart will now omit policy applied and skipped events by default (#9493)
- Allow configuring the policy kind in kyverno-policies chart (#8827)
- Refined permissions by removing wildcards (#9507, #9516)
- Rename the Grafana dashboard file from `dashboard.json` to `kyverno-dashboard.json` (#9041)
Performance
- Initialize JMESPath interpreter once and reuse it across searches (#8299)
- Optimize JSON context processing using in-memory maps (#8322)
- Optimize how Events are created and processed (#9323, #9324)
- Optimize validate policy application by adding a worker pool (#10056)
Fixed
- Fixed handling of escaped variables in an expression with multiple escaped variables (#8311)
- Fixed an issue when verifying attestations using multiple keys (#8880)
- Fixed an issue causing application of mutation policies to fail even when `failurePolicy` was set to `Ignore` (#8952)
- Fixed an issue that allowed violating resources when a policy had validationFailureAction set to `Enforce` and `failurePolicy` of `Ignore` (#8953)
- Fixed an issue causing premature skipping of resources in validate policies with anchors defined (#9155)
- Fixed an issue where the `-v` container flag for logging was not honored (#9163)
- Switched a logged error to info when preconditions didn't pass in a mutate existing rule (#9232)
- Reports aggregation fixes and improvements (#9697)
- Fixed an issue preventing generation of a ValidatingAdmissionPolicy when `exclude` was used in the rule (#9331)
- Fixed an issue resulting in ValidatingAdmissionPolicies getting generated when there was a Policy Exception in place (#9386)
- Fixed an issue where a ValidatingAdmissionPolicy was applied to the wrong resource in background scans (#9468)
- Fixed an issue when generating Events associated with ValidatingAdmissionPolicies (#9392)
- Fixed an issue with UpdateRequests getting stuck in a perpetual Pending state when using variables from admission (#9355)
- Fixed an issue preventing validating image signatures on AWS with a FIPS endpoint from working (#9416)
- Fixed an issue preventing variables from being substituted in messages when using `anyPattern` validate rules (#9713)
- Fixed an issue where skipped policies due to preconditions were returned in denial response messages (#9719)
- Removed an unnecessary podSecurity check (#9790)
- Fixed an issue when verifying images from an insecure registry (#9838)
- Fixed an issue with some validate rules and the UPDATE operation (#9893)
- Kyverno CLI: Fixed an issue doing a test with an UPDATE operation (#9191)
- Kyverno CLI: Fixed applying `cloneList` generate policies with the `apply` command (#9036)
- Kyverno CLI: Fixed a logging error (#9238)
- Kyverno CLI: Testing of generate rules which use the `useServerSideApply` field now works properly (#9385)
- Kyverno CLI: Fixed an issue causing the `apply` command to panic when applying a mutate existing rule (#9492)
- Kyverno CLI: Fixed an issue with the `apply` command where some errors weren't shown (#9533)
- Kyverno CLI: Fixed an issue with the `apply` command where a `foreach` with zero elements was a `skip` (#9534, #9543)
- Kyverno CLI: Fixed a regression where the `--warn-exit-code` flag stopped working (#9828)
- Fixed cosign ctlog unit tests (#9971)
- Fixed deferred loader panic when mutate and generate policies are applied (#9968)
- Fixed an autogen issue so that Kyverno now only generates rules for the request kind (#9997)
- Fixed a missing mutex in the mock policy context builder (#10059)
- Fixed policy status reconciliation when it fails to set policy to ready (#10047)
- Fixed the container flag `maxQueuedEvents` (#10031)
- Fixed an issue where rekor opts were missing in cosign certificate verification, and made the rekor URL optional (#10025)
Helm
v1.12.0-rc.5
v1.12.0-rc.4
v1.12.0-rc.3
v1.12.0-rc.2
v1.12.0-rc.1
v1.12.0-alpha.5