
Releases: kyverno/kyverno

v1.11.5

09 May 11:09
c708a20

✨ Added ✨

  • Added awslabs keychain for AWS and gcr keychain for GCP (#9416)
  • Added ability to configure skipBackgroundRequests (#9532)

๐Ÿ› Fixed ๐Ÿ›

  • Fixed VAPs versions in the CLI (#9404)
  • Fixed cosign ctlog unit tests (#9970)

v1.12.1

03 May 07:06
84fba8e

๐Ÿ› Fixed ๐Ÿ›

  • Fixed return status when celPreconditions.matchConditions aren't met (#9940)
  • Fixed the CLI to evaluate namespaceObject for Kyverno policies (#9977, #9978)
  • Fixed concurrent policy applications (#10139)
  • Fixed endless updates of policy status (#10140)
  • Fixed empty operations in the mutating webhook configuration for a policy with mixed types of rules (#10146)
  • Fixed endless policy reports reconciliation issue (#10148)
  • Fixed type conversion in jmespath context variables (#10152)

🔧 Others 🔧

  • Fixed tests for codegen (#9942)
  • Removed unused parameters, packages (#10007, #10101)
  • Refactored VAPs registration in the API server (#10014)
  • Updated performance testing docs for 1.12 (#10116)

v1.12.1-rc.1

01 May 09:38
9ca2e4c
Pre-release

v1.12.0

26 Apr 08:47
111b052

1.12 Release Notes

โ— Importance Notice โ—

Several critical issues have been found in 1.12.0 and are being tracked closely within the 1.12.1 milestone. Please hold off upgrading to this release until 1.12.1 is out.

โ— Breaking (Potentially) โ—

  • Policies using long-deprecated or invalid operators in conditions (e.g., In and NotIn) will be blocked. Please see the documentation for the current list of supported operators (#8624)

✨ Added ✨

  • Added a global cache via a new Custom Resource called GlobalContextEntry allowing caching of any resource (#9591, #9595, #9601, #9602, #9614, #9615, #9618, #9619, #9620, #9621, #9643, #9652, #9678, #9710, #9813)
  • Added the ability to configure the listening ports of webhooks for admission and cleanup controllers (#7728)
  • Several new and improved abilities to reduce the scope of webhooks based on policy configurations, including support for the CEL-based matchConditions available in Kubernetes 1.27+ (#8065, #8437, #9483, #9599)
  • Added a new container flag --protectManagedResources to the cleanup controller (#8566)
  • Added a new container flag --renewBefore to the admission and cleanup controllers to configure the cert renewal time (#8567)
  • Added a new container flag --loggingtsFormat which can be used to change the time format of logs (#9276)
  • Policy Exceptions now support conditions (#8577)
  • Policy Exceptions now support excluding specific controls when using a Pod Security sub-rule validate.podSecurity (#9343, #9817)
  • Pod Security sub-rule (validate.podSecurity) has a new ability to exclude based on restricted fields (exclude.restrictedField and associated values) (#8585, #9770, #9658)
  • Added a new field to verifyImages rules called skipImageReferences allowing you to exclude certain images (#8633)
  • Added a new field to generate rules (data-type) called orphanDownstreamOnPolicyDelete which will preserve downstream resources when the policy/rule is deleted (#9579)
  • Added the ability to deploy specific controllers with CRDs following suit (#8849, #9608)
  • Added the ability to apply custom labels to Kyverno's webhooks, helpful especially for Argo CD users (#9015)
  • Added support for more types of JSON patch operations like "move", "copy", and "test" (#9476)
  • Policy Reports can now be generated from ValidatingAdmissionPolicies and their bindings (#9506)
  • Created a new API group reports.kyverno.io for storing new ephemeral report kinds EphemeralReports and ClusterEphemeralReports (#9521, #9537)
  • New is_external_url() JMESPath function to determine whether a given URL is an external URL (#8614)
  • New sha256() JMESPath function to convert a string of any length to a fixed hash value (#9144)
  • Kyverno CLI: Added a new migrate command which is used to migrate Kyverno resources to the current API version (#9296)
  • Kyverno CLI: Added a new (experimental) json command which incorporates the Kyverno JSON subproject into the main CLI allowing for testing of any JSON content (#9639, #9651)
  • Kyverno CLI: The test command now supports the same assertion trees available in Chainsaw (#9380)
  • Kyverno CLI: The apply command now supports ValidatingAdmissionPolicyBindings (#9468, #9751, #9759)
  • Kyverno CLI: apply and test commands now support Policy Exceptions (#9525, #9624, #9714, #9749)
  • Kyverno CLI: Added a --resources flag as an alias for the existing --resource flag (#9749)

Helm

  • Add chart parameters for setting revisionHistoryLimit (#8907)
  • Allow excluding resources from config.resourceFilters (#8946)
  • Allow defining ca-certificates bundle for Kyverno deployments (#8969)
  • Clean up Helm change logs (#9057)
  • Added ability to set extra environment variables globally (#9269)
  • Added the ability to enable performance profiling to the chart (#9338)
  • Added a global nodeSelector to the chart (#9339)
  • Allow adding Pod labels to cleanup jobs in the chart (#9391)
  • Added a CRD migration capability via hooks to the chart (#9481, #9657)
  • Added the ability to define additional resources to be excluded via resourceFilters (#9530)
  • Added a small note for AKS users when the chart is installed (#9552)
  • Added the ability to configure backoff limits in jobs in the chart (#9569)
  • Added default exclusions in webhooks (#9950)

โš ๏ธ Changed โš ๏ธ

  • Allow setting admission controller replica count to 2 (#8932)
  • The spec.schemaValidation field is formally deprecated. As of 1.11 it has no effect. (#9189)
  • The --reportsChunkSize flag is deprecated and has no effect since aggregation has changed (#9697)
  • The --imageSignatureRepository flag is deprecated and has no effect, use the verifyImages.Repository field instead (#9698)
  • Policy Exceptions will now be evaluated against existing resources when the exception is created (#8659, #8713, #8544)
  • Policy Exceptions API graduated to v2 (#9208, #9412)
  • Cleanup Policies API graduated to v2 (#9261, #9420)
  • Admission and Background reports APIs graduated to v2 (#9262)
  • UpdateRequests API graduated to v2 (#9267)
  • Reduced some logged messages (#9509, #9626)
  • Default logging time format is changed to RFC3339 (#9775)
  • Updated the internal Pod Security Standards up through 1.29 (#9783)
  • The time_parse() JMESPath filter now supports epoch time (#9173)
  • Kyverno will validate ValidatingAdmissionPolicies' CEL expressions and show a warning, or block, if invalid (#9566)
  • Kyverno CLI: The CLI will now perform field defaulting in policies being tested, moving it out of experimental status (#9220)

Helm

  • Chart will now omit policy applied and skipped events by default (#9493)
  • Allow configuring the policy kind in kyverno-policies chart (#8827)
  • Refined permissions by removing wildcards (#9507, #9516)
  • Rename the Grafana dashboard file from dashboard.json to kyverno-dashboard.json (#9041)

Performance

  • Initialize JMESPath interpreter once and reuse it across searches (#8299)
  • Optimize JSON context processing using in-memory maps (#8322)
  • Optimize how Events are created and processed (#9323, #9324)
  • Optimize validate policy application by adding a worker pool (#10056)

๐Ÿ› Fixed ๐Ÿ›

  • Fixed handling of escaped variables in an expression with multiple escaped variables (#8311)
  • Fixed an issue when verifying attestations using multiple keys (#8880)
  • Fixed an issue causing application of mutation policies to fail even when failurePolicy was set to Ignore (#8952)
  • Fixed an issue that allowed violating resources when a policy had validationFailureAction set to Enforce and failurePolicy of Ignore (#8953)
  • Fixed an issue causing premature skipping of resources in validate policies with anchors defined (#9155)
  • Fixed an issue where the -v container flag for logging was not honored (#9163)
  • Switched a logged error to info when preconditions didn't pass in a mutate existing rule (#9232)
  • Reports aggregation fixes and improvements (#9697)
  • Fixed an issue preventing generation of a ValidatingAdmissionPolicy when exclude was used in the rule (#9331)
  • Fixed an issue resulting in ValidatingAdmissionPolicies getting generated when there was a Policy Exception in place (#9386)
  • Fixed an issue where a ValidatingAdmissionPolicy was applied to the wrong resource in background scans (#9468)
  • Fixed an issue when generating Events associated with ValidatingAdmissionPolicies (#9392)
  • Fixed an issue with UpdateRequests getting stuck in a perpetual Pending state when using variables from admission (#9355)
  • Fixed an issue preventing validating image signatures on AWS with a FIPS endpoint from working (#9416)
  • Fixed an issue preventing variables from being substituted in messages when using anyPattern validate rules (#9713)
  • Fixed an issue where skipped policies due to preconditions were returned in denial response messages (#9719)
  • Removed an unnecessary podSecurity check (#9790)
  • Fixed an issue when verifying images from an insecure registry (#9838)
  • Fixed an issue with some validate rules and the UPDATE operation (#9893)
  • Kyverno CLI: Fixed an issue doing a test with an UPDATE operation (#9191)
  • Kyverno CLI: Fixed applying cloneList generate policies with apply command (#9036)
  • Kyverno CLI: Fixed a logging error (#9238)
  • Kyverno CLI: Testing of generate rules which use the useServerSideApply field now works properly (#9385)
  • Kyverno CLI: Fixed an issue causing the apply command to panic when applying a mutate existing rule (#9492)
  • Kyverno CLI: Fixed an issue with the apply command where some errors weren't shown (#9533)
  • Kyverno CLI: Fixed an issue with the apply command where a foreach with zero elements was a skip (#9534, #9543)
  • Kyverno CLI: Fixed a regression where the --warn-exit-code stopped working (#9828)
  • Fixed cosign ctlog unit tests (#9971)
  • Fixed deferred loader panic when mutate and generate policies are applied (#9968)
  • Fixed an autogen issue; Kyverno now only generates rules for the request kind (#9997)
  • Fixed an issue where the mutex was not added to the mock policy context builder (#10059)
  • Fixed policy status reconciliation when setting the policy to ready fails (#10047)
  • Fixed the container flag maxQueuedEvents (#10031)
  • Fixed an issue where Rekor options were missing in cosign certificate verification, and made the Rekor URL optional (#10025)

Helm

  • Fixed an issue deploying ServiceMonitor CR with ArgoCD via the chart (#8913)
  • Fixed an issue preventing multiple replicas from being defined in the chart (#9066)
  • Make role and binding names consistent (#9482)
  • Fixed some minor issues with the Helm report cleanup jobs (#9555)
  • Fixed a typo in t...

v1.12.0-rc.5

17 Apr 14:42
0f1d3c5
Pre-release

v1.12.0-rc.4

04 Apr 11:34
50f0829
Pre-release

v1.12.0-rc.3

30 Mar 18:49
265d57c
Pre-release

v1.12.0-rc.2

15 Mar 10:24
c8e930b
Pre-release

v1.12.0-rc.1

08 Mar 09:41
8c5aabd
Pre-release

v1.12.0-alpha.5

05 Mar 08:20
c41090a
Pre-release