Releases: kyverno/kyverno
Kyverno Release 1.1.3
This is a patch release for bug fixes and improvements.
BREAKING CHANGE
- Kyverno uses the custom ClusterRoles during initialization; the pre-installed generate policies may be impacted by this change. Please check configure-kyverno-role for details.
Enhancements
- Change "kinds" in match / exclude block to be optional, #670
- Improve the patch annotations generated by Kyverno, #640
- Kyverno CLI, #536
- Documentation updates, #647
Bug Fixes
- Auto-generated policies for pod controllers support policy UPDATE, #635
- 'kubectl scale' command fails due to validating webhook configuration, #253, #570
- Cannot match or exclude clusterroles, #634
- Filters in Match and Exclude are processed as a logical AND, #644
CRD Changes
- "kinds" is not a required field, commit
- Add "background" to openAPI schema, commit
- Add ClusterRoles "kyverno:*", commit
Best Practice Policies
Kyverno Release 1.1.3-rc1
This is a patch release for bug fixes and improvements.
BREAKING CHANGE
- Kyverno uses the custom ClusterRoles during initialization; the pre-installed generate policies may be impacted by this change. Please check configure-kyverno-role for details.
Enhancements
- Change "kinds" in match / exclude block to be optional, #670
- Improve the patch annotations generated by Kyverno, #640
- Kyverno CLI, #536
- Documentation updates, #647
Bug Fixes
- Auto-generated policies for pod controllers support policy UPDATE, #635
- 'kubectl scale' command fails due to validating webhook configuration, #253, #570
- Cannot match or exclude clusterroles, #634
- Filters in Match and Exclude are processed as a logical AND, #644
CRD Changes
- "kinds" is not a required field, commit
- Add "background" to openAPI schema, commit
- Add ClusterRoles "kyverno:*", commit
Best Practice Policies
Kyverno Release 1.1.2
Kyverno Release 1.1.1
This is a patch release for v1.1.0, which includes:
BUG FIXES
- Return error if policy uses userInfo and serviceAccount variables in the policy in background mode, bug
- Enforce Validation Policy does not work for Pods
POLICY UPDATES
- Add the annotation to ns-creator sample policy
Kyverno Release 1.1.0
NOTE: It is recommended to deploy the stable release v1.1.1.
Features
- (CRD changes) Change CRD namespacedpolicyviolation to policyviolation
- (CRD changes) Update abbreviations: clusterpolicy -> cpol; clusterpolicyviolation -> cpolv; policyviolation -> polv
- (CRD changes) Create role for the tenant admin to allow access to the namespace policy violations, instruction
- Support variable substitution #549
- Apply rules of Pod on podControllers automatically by default #518
- Handle memory/cpu or volumes comparison
- Support Amazon EKS cluster #542
Enhancement
- (CRD changes) Policy violations are displayed with detailed information: policyname, resource name, resource kind, age.
- Introduce "background" flag to disable running a policy in background mode #566
- Report violation if referenced context is not present when substituting variables #568
- Flip ownerReferences on violations to resource and handle policy explicitly #524
- Refactor cluster PV and namespaced PV generator
- Register webhooks for policy and resource after verifying webhook is active #421
- Add init container to clean up stale webhookconfigurations created by Kyverno
- Webhook configurations are gracefully cleaned up when Kyverno shuts down #424
- Best Practices: disallow_bind_mounts, disallow_helm_tiller, disallow_privileged, disallow_root_user, add_network_policy, add_ns_quota, add_safe_to_evict, restrict_usergroup_fsgroup_id
Bug fixes
Kyverno Release 1.0.0
This is the GA release of Kyverno.
In addition to Kyverno v1.0.0-rc1 release, this version contains:
- Bug fixes: #510, #516, #532
- Generate LimitRange along with ResourceQuota in best practice AddNamespaceQuota.
v1.0.0-rc1 Release Note
BREAKING CHANGE
- API version has changed to kyverno.io/v1; backward compatibility is NOT guaranteed. It is recommended to clean up policies and CRDs with the older version and re-deploy Kyverno.
Features
- Add namespaced policy violation, any violation on a namespaced resource will be reported within the namespace.
- Allow a policy to be applied on a certain type of users, add roles/clusterRoles/subjects fields in match and exclude block, detail.
- Report webhook status in Kyverno deployment annotation with tag kyverno.io/webhookActive, detail.
Enhancement
- Build policy store to retrieve policies faster.
- Decouple reporting components (violations and events) from webhook.
- Update Docs.
- Add more best practices.
- Improve logging messages.
Kyverno Release 1.0.0-rc1
This is the release candidate for Kyverno GA.
BREAKING CHANGE
- API version has changed to kyverno.io/v1; backward compatibility is NOT guaranteed. It is recommended to clean up policies and CRDs with the older version and re-deploy Kyverno.
Features
- Add namespaced policy violation, any violation on a namespaced resource will be reported within the namespace.
- Allow a policy to be applied on a certain type of users, add roles/clusterRoles/subjects fields in match and exclude block, detail.
- Report webhook status in Kyverno deployment annotation with tag kyverno.io/webhookActive, detail.
Enhancement
- Build policy store to retrieve policies faster.
- Decouple reporting components (violations and events) from webhook.
- Update Docs.
- Add more best practices.
- Improve logging messages.
Kyverno Release 0.11.0
Features:
- Use configmaps to dynamically configure filterkinds
Enhancement:
- Audit Command line argument format
- Improve documentation
Kyverno Release 0.10.0
Features:
- Provide best practices policy samples
- Refine anchors in the validation rule, add negation anchor to check existence, refer to this doc
- Perform validation checks when a policy is created
- Extend policyviolation to generate on the resource owner
- Apply generate rule immediately on existing namespaces when the policy is created
- Set default validation failure action to audit
- Display rule level message in the policy status
Enhancement:
- Make error messages more readable
- Refactor webhook configuration logic
Kyverno Release 0.9.1
Update the CRD name:
- Policy -> ClusterPolicy
- PolicyViolation -> ClusterPolicyViolation
** As the name changes result in new CRD resources, removal of the old CRDs (Policy, PolicyViolation) is required. **