Kyverno Release 1.1.3

This is a patch release for bug fixes and improvements.

BREAKING CHANGE

• Kyverno uses the custom ClusterRoles during initialization, the pre-installed generate policies may be impacted by this change. Please check configure-kyverno-role for details.

Enhancements

• Change "kinds" in match / exclude block to be optional, #670
• Improve the patch annotations generated by Kyverno, #640
• Kyverno CLI, #536
• Documentation updates, #647

Bug Fixes

• Auto-generated policies for pod controllers support policy UPDATE, #635
• 'kubectl scale' command fails due to validating webhook configuration, #253, #570
• Cannot match or exclude clusterroles, #634
• Filters in Match and Exclude are processed as a logical AND, #644

CRD Changes

• "kinds" is not a required field, commit
• Add "background" to openAPI schema, commit
• Add ClusterRoles "kyverno:*", commit

Best Practice Policies

• Remove auto-gen annotation

Kyverno Release 1.1.3-rc1

This is a patch release for bug fixes and improvements.

BREAKING CHANGE

• Kyverno uses the custom ClusterRoles during initialization, the pre-installed generate policies may be impacted by this change. Please check configure-kyverno-role for details.

Enhancements

• Change "kinds" in match / exclude block to be optional, #670
• Improve the patch annotations generated by Kyverno, #640
• Kyverno CLI, #536
• Documentation updates, #647

Bug Fixes

• Auto-generated policies for pod controllers support policy UPDATE, #635
• 'kubectl scale' command fails due to validating webhook configuration, #253, #570
• Cannot match or exclude clusterroles, #634
• Filters in Match and Exclude are processed as a logical AND, #644

CRD Changes

• "kinds" is not a required field, commit
• Add "background" to openAPI schema, commit
• Add ClusterRoles "kyverno:*", commit

Best Practice Policies

• Remove auto-gen annotation

Kyverno Release 1.1.2

This is a patch release:

BUG FIXES

• Mutation failure is reported as the violation, the resource creation is allowed, #627.
• Failure message only shows enforce-policy error message in the admission response, #636.
• Failure policy defaults to Ignore in k8s 1.16+.

Kyverno Release 1.1.1

This is a patch release for v1.1.0, which includes:

BUG FIXES

• Return error if policy uses userInfo and serviceAccount variables in the policy in background mode bug
• Enforce Validation Policy does not work for Pods

POLICY UPDATES

• Add the annotation to ns-creator sample policy

Kyverno Release 1.1.0

NOTE: It is recommended to deploy the stable release v1.1.1.

Features

• (CRD changes) Change CRD namespacedpolicyviolation to policyviolation
• (CRD changes) Update abbreviations: clusterpolicy -> cpol; clusterpolicyviolation -> cpolv; policyviolation -> polv
• (CRD changes) Create role for the tenant admin to allow access to the namespace policy violations, instruction
• Support variable substitution #549
• Apply rules of Pod on podControllers automatically by default #518
• Handle memory/cpu or volumes comparison
• Support Amazon EKS cluster #542

Enhancement

• (CRD changes) Policy violations are displayed with detailed information: policyname, resource name, resource kind, age.
• Introduce background flag to disable of policy running backgroung mode #566
• Report violation if referenced context is not present when substitute variables #568
• Flip ownerReferences on violations to resource and handle policy explicitly #524
• Refactor cluster PV and namespaced PV generator
• Register webhooks for policy and resource after verifying webhook is active #421
• Add init container to clean up stale webhookconfigurations created by Kyverno
• Webhook configurations are gracefully cleaned up when Kyverno shuts down #424
• Best Practices: disallow_bind_mounts, disallow_helm_tiller, disallow_privileged, disallow_root_user, add_network_policy, add_ns_quota, add_safe_to_evict, restrict_usergroup_fsgroup_id

Bug fixes

• Error while deploying kyverno on minikube #581
• Webhookconfiguration support since v1.16.2 #528
• (CRD changes) Remove reference to namespace in policy violation #504
• (CRD changes) fix each policy acts on its own validationFailureAction #567

Kyverno Release 1.0.0

This is the GA release of Kyverno.

In addition to Kyverno v1.0.0-rc1 release, this version contains:

• Bug fixes: #510, #516, #532
• Generate LimitRange along with ResourceQuota in best practice AddNamespaceQuota.

v1.0.0-rc1 Release Note

BREAKING CHANGE

• API version has changed to kyverno.io/v1, the backward compatibility is NOT guaranteed. It is recommended to cleanup policies and CRDs with the older version and re-deploy kyverno.

Features

• Add namespaced policy violation, any violation on a namespaced resource will be reported within the namespace.
• Allow a policy to be applied on a certain type of users, add roles/clusterRoles/subjects fileds in match and exclude block, detail.
• Report webhook status in Kyverno deployment annotation with tag kyverno.io/webhookActive, detail.

Enhancement

• Build policy store to retrieve policies faster.
• Decouple reporting components (violations and events) from webhook.
• Update Docs.
• Add more best practices.
• Improve logging messages.

Kyverno Release 1.0.0-rc1

This is the release candidate for Kyverno GA.

BREAKING CHANGE

• API version has changed to kyverno.io/v1, the backward compatibility is NOT guaranteed. It is recommended to cleanup policies and CRDs with the older version and re-deploy kyverno.

Features

• Add namespaced policy violation, any violation on a namespaced resource will be reported within the namespace.
• Allow a policy to be applied on a certain type of users, add roles/clusterRoles/subjects fileds in match and exclude block, detail.
• Report webhook status in Kyverno deployment annotation with tag kyverno.io/webhookActive, detail.

Enhancement

• Build policy store to retrieve policies faster.
• Decouple reporting components (violations and events) from webhook.
• Update Docs.
• Add more best practices.
• Improve logging messages.

Kyverno Release 0.11.0

Features:

• Use configmaps to dynamic configure filterkinds

Enhancement:

• Audit Command line argument format
• Improve document

Kyverno Release 0.10.0

Features:

• Provide best practices policy samples
• Refine anchors in the validation rule, add negation anchor to check existence, refer to this doc
• Perform validation checks when policy creates
• Extend policyviolation to generate on the resource owner
• Apply generate rule immediately on existing namespaces when the policy is created
• Set default validation failure action to audit
• Display rule level message in the policy status

Enhancement:

• Make error messages more readable
• Refactor webhook configuration logic

Kyverno Release 0.9.1

Update the CRD name:

• Policy -> ClusterPolicy
• PolicyViolation -> ClusterPolicyViolation

** as the name changes result in new CRD resources, it requires removal of old CRD's (Policy, PolicyViolation) **