
Releases: open-policy-agent/gatekeeper

v3.1.0-beta.5

30 Jan 01:35
f5727ee

DO NOT USE

This release has a race condition resulting in a crash. Fixed by #454


This beta release includes bug fixes and stable api versions.

Warning ⚠️

  • This release updates flags for auditInterval to audit-interval and constraintViolationsLimit to constraint-violations-limit. Deprecated flags will be removed at the next release. (#409)

  • By default, the audit will request each resource from the Kubernetes API during each cycle of the audit. To instead rely on the OPA cache, use the flag --audit-from-cache=true. (#407)

  • A new validating admission webhook was added to reject the admission.gatekeeper.sh/ignore label on non-GK namespaces unless added to the --exempt-namespace flag. (#350)

Features 🌈

  • Add semantic logging for audit (#434)
  • Upgrade constraint framework/OPA (#435) (#441)
  • Add a webhook to reject the gatekeeper-ignore label on non-GK namespaces (#350)
  • Add excludedNamespaces match type (#433)
  • Audit resources using discovery client (#407)
  • Add constraint template semantic logging (#420)
  • Use a designated ServiceAccount instead of the namespace default (#356)
  • Add last audit runtime metric and use common audit timestamps across all metrics and logs (#415)
  • Automatically shut off reconcilers when watch manager exits (#418)

Bug Fixes 🐞

  • Fix by-name namespace matching (#419)

v3.1.0-beta.4

17 Jan 19:00
aea5a6d

This beta release includes bug fixes.

Warning

This release updates flags for auditInterval to audit-interval and constraintViolationsLimit to constraint-violations-limit. Deprecated flags will be removed at a future release. (#409)

Bug Fixes 🐞

  • Fix dryrun denied admission (#426)

v3.1.0-beta.3

14 Jan 19:28
65baf83

This beta release includes bug fixes and stable api versions.

Upgrade Instructions

  • Remove your sync config before upgrading, so that finalizers on synced resources are cleaned up, otherwise they will need to be removed manually.

Features 🌈

  • Add metrics to watch manager (#366)
  • Add constraint template metrics (#377)
  • Allow optional logging when admission was denied (#386)
  • Health and ready checks (#396)

Bug Fixes 🐞

  • Remove the sync finalizer (#369)
  • Upgrade Constraint Framework (#384)
  • Make sure label selectors are checked against both old and new objects (#368)
  • OldObject defaults to null, assume null == missing (#406)
  • Disable default Kubebuilder metrics (#397)

v3.1.0-beta.2

19 Dec 18:51
9e7d5b1

Bug Fixes 🐞

  • Fix deadlock. (#361)

v3.1.0-beta.1

19 Dec 01:38
3b0b452

DO NOT USE

This release has a deadlock, fixed by: #361

Features 🌈

  • Initial metrics integration (#290)

Bug Fixes 🐞

  • Use patch to set finalizers (#317)
  • Add security context to Gatekeeper container (#273)
  • Clean up watch manager (#308)
  • Use namespace of Pod as namespace for cert secret (#347)
  • Inject namespace as part of the request. (#344)

v3.1.0-beta.0

06 Dec 03:48
495420d

Warning

This release is a migration to Kubebuilder V2, which changes the structure of the deployment. If upgrading, we recommend you uninstall the previous version of Gatekeeper before deploying the new version.

Features 🌈

  • ValidatingAdmissionWebhookConfiguration can be fully configured from the manifest -- no more clobbering
  • Certificate generation/rotation can be disabled by setting the flag: --disable-cert-rotation
  • Gatekeeper is managed via a Deployment resource instead of a StatefulSet
  • Migrate to Kubebuilder V2 (#292)
  • Upgrade constraint framework, enabling multi-source constraints (#270)

Bug Fixes 🐞

  • Stop caching constraint status to OPA (#313)
  • Increase CPU limits (#309)
  • Removed unnecessary layers/file copies from Docker images (#279)

v3.0.4-beta.2

19 Oct 01:04
790abd2

This beta release includes bug fixes and stable api versions.

Features 🌈

  • add psp library seccomp and apparmor annotations (#236)
  • Add Https Only to library (#260)
  • Add unique ingress host to library (#253)
  • add psp library forbidden sysctls (#233)
  • add psp library selinux (#234)

Bug Fixes 🐞

  • Do not assume the operation is CREATE on audit (#267)
  • Watch manager should ignore unrecognized groups (#263)
  • Add make target-template-source to build pkg/target/target_template_source.go (#257)
  • Image package update and run as a non-root user (#252)
  • Dependency Updates (#251)
  • Use struct literal instead of an interface for the client (#241)
  • Service selector needs to not be in a system namespace in order to be denied (#227)

v3.0.4-beta.1

10 Sep 16:10

This beta release includes bug fixes and stable api versions.

Features 🌈

  • Add dry run feature (#202)
  • Add PSP constraints and CTs to library (#203)
  • Add docs and update script for make release (#220)
  • Add e2e with kind and bats tests (#211)
  • Upgrade constraint framework (#218)
  • Make logging configurable (#212)
  • Add demo templates to the constraint template library (#205)

Bug Fixes 🐞

  • Update templates and constraints version (#221)
  • Fix handling of unrecognized constraints on deletion (#208)
  • Always check for a tag update before building container (#201)
  • Make gatekeeper namespace-agnostic (#200)

v3.0.4-beta.0

31 Jul 21:09
340c670

This beta release includes bug fixes and stable api versions.

Features 🌈

  • Convert to using beta resources. (#190)
  • Add enforcementAction to status (#180)

Bug Fixes 🐞

  • Conversion errors should be fatal (#197)
  • Update apiversion, input in yaml (#193)

v3.0.4-alpha.0

09 Jul 22:26
507834b
Pre-release

This alpha release includes breaking changes and bug fixes.