Update dependency kyverno/kyverno to v1.12.4 #267
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.10.7
->v1.12.4
Release Notes
kyverno/kyverno (kyverno/kyverno)
v1.12.4
Compare Source
❗Important Notice ❗
If you are running 1.12, please upgrade to this version to pick up the fix for the ephemeralreports piling-up issue. Check this post and
understand how to recover from an ETCD outage:
Amazon EKS- managing and fixing ETCD database size
[updated] If you are seeing consistent creation of ephemeralreports, you can:
--aggregationWorkers
to increase the capacity of consuming ephemeralreports, see this comment. It can be configured directly via the container flag, or through Helm extraArgs.🐛 Fixed 🐛
🔧 Others 🔧
v1.12.3
Compare Source
✨ Added ✨
🔧 Others 🔧
v1.12.2
Compare Source
✨ Added ✨
Helm
🐛 Fixed 🐛
pod/exec
subresource (#9855)policyexceptions
regardless of condition failures (#9994)pods/ephemeralcontainers
, resourceNames field (#10162, #10187, #10208)foreach
mutate policies withDescending
order defined causing unexpected patches (#10252)🔧 Others 🔧
prealloc
to enforce slice declarations best practice (#10250)v1.12.1
Compare Source
🐛 Fixed 🐛
celPreconditions.matchConditions
aren't met (#9940)namespaceObject
for Kyverno policies (#9977, #9978)🔧 Others 🔧
v1.12.0
Compare Source
1.12 Release Notes
❗ Importance Notice ❗
Several critical issues are found in 1.12.0 and are being closely monitored within the 1.12.1 milestone. Please hold your upgrade to this release until 1.12.1 comes out.
❗ Breaking (Potentially) ❗
In
andNotIn
) will be blocked. Please see the current list of available operators here (#8624)✨ Added ✨
matchConditions
available in Kubernetes 1.27+ (#8065, #8437, #9483, #9599)--protectManagedResources
to the cleanup controller (#8566)--renewBefore
to the admission cleanup controllers to configure the cert renewal time (#8567)--loggingtsFormat
which can be used to change the time format of logs (#9276)validate.podSecurity
(#9343, #9817)validate.podSecurity
) has a new ability to exclude based on restricted fields (exclude.restrictedField
and associated values (#8585, #9770, #9658)skipImageReferences
allowing you to exclude certain images (#8633)orphanDownstreamOnPolicyDelete
which will preserve downstream resources when the policy/rule is deleted (#9579)reports.kyverno.io
for storing new ephemeral report kindsEphemeralReports
andClusterEphemeralReports
(#9521, #9537)is_external_url()
JMESPath function to determine whether a given URL is an external URL (#8614)sha256()
JMESPath function to convert a string of any length to a fixed hash value (#9144)migrate
command which is used to migrate Kyverno resources to the current API version (#9296)json
command which incorporates the Kyverno JSON subproject into the main CLI allowing for testing of any JSON content (#9639, #9651)test
command now supports the same assertion trees available in Chainsaw (#9380)apply
command now supports ValidatingAdmissionPolicyBindings (#9468, #9751, #9759)apply
andtest
commands now support Policy Exceptions (#9525, #9624, #9714, #9749)--resources
flag as an alias for the existing--resource
flag (#9749)Helm
revisionHistoryLimit
(#8907)spec.schemaValidation
field is formally deprecated. As of 1.11 it has no effect. (#9189)--reportsChunkSize
flag is deprecated and has no effect since aggregation has changed (#9697)--imageSignatureRepository
flag is deprecated and has no effect, use theverifyImages.Repository
field instead (#9698)time_parse()
JMESPath filter now supports epoch time (#9173)Helm
dashboard.json
tokyverno-dashboard.json
(#9041)Performance
🐛 Fixed 🐛
failurePolicy
was set toIgnore
(#8952)Enforce
andfailurePolicy
of Ignore (#8953)-v
container flag for logging was not honored (#9163)exclude
was used in the rule (#9331)anyPattern
validate rules (#9713)cloneList
generate policies withapply
command (#9036)useServerSideApply
field now work properly (#9385)apply
command to panic when applying a mutate existing rule (#9492)apply
command where some errors weren't shown (#9533)apply
command where aforeach
with zero elements was askip
(#9534, #9543)--warn-exit-code
stopped working (#9828)maxQueuedEvents
(#10031)Helm
Click to expand all PRs
#10013 chore: bump chainsaw to v0.1.9
#10025 fix: add rekor opts to cosign certificate verification and make rekor url optional
#10039 chore: bump cosign to v2.2.4
#10031 fix: re-use the maxQueuedEvents
#10047 fix: policy status reconciliation
#10056 feat(audit): use a worker pool for Audit policies
#10059 fix: add mutex to mock policy context builder
#9989 chore: bump kyverno-json to latest
#9997 fix(autogen): only generate rule for request kind
#9950 feat: set default exclusions in webhooks
#9968 fix: deferred loader panic when mutate and generate policies are applied
#9971 fix: cosign ctlog unit tests
#9903 fix(globalcontext): panics and validation
#9893 fix: properly update policy context after preexisting resource in violation check
#9849 fix: release CRDs manifests
#9845 fix: add missing unit tests for podSecurity.hostpathVolume check
#9838 fix: use gcr crane opts while fetching image descriptors
#9835 fix: remove duplicate chainsaw tests for PSA
#9828 [Bug] [CLI] Restore warn-exit-code functionality for apply command
#9817 fix: add podSecurity validation checks for exceptions
#9813 fix(globalcontext): old WaitGroup not stopping
#9791 fix: remove unnecessary podSecurity chainsaw test
#9790 fix: remove unnecessary validation check for podSecurity rule
#9783 update versions
#9781 chore: add tests for exceptions in the CLI
#9775 chore: default logging format to rfc3339
#9770 fix: add validation check for podSecurity subrule
#9763 chore: bump chainsaw
#9759 feat: support bindings in Kyvenro CLI test command
#9751 feat: apply VAP bindings in CLI apply command in offline mode
#9749 add plural form aliases for resources and exceptions flags
#9719 fix: Policies skipped because of preconditions not met should not be included in admission requests denial responses
#9714 fix: add the support of v2alpha1 exceptions in the CLI
#9713 Fix :variables are not getting processed in validation message for "anyPattern"
#9710 feat: enhance global context
#9709 chore: bump otel deps
#9698 fix: remove deprecated imageSignatureRepository flag
#9697 fix: reports aggregation
#9691 fix: modify the conformance config name
#9690 chore: rename admission to ephemeral in reports aggregation controller
#9682 chore(deps): bump kyverno/action-install-chainsaw from 0.1.2 to 0.1.3
#9680 chore: bump kind and k8s images
#9679 fix: don't delete garbage collected policy reports
#9678 feat(validation-webhook): validate global context reference
#9677 feat: remove admission report controller
#9672 feat: add chainsaw tests for exceptions
#9667 feat: add chainsaw tests for pod security in exceptions
#9661 test(globalcontext): add e2e tests
#9658 [Bug] Fix message and formatting of podSecurity validation failure with restrictedField
#9657 fix: add missing migrations
#9652 chore(globalcontext): remove global context flag
#9651 feat: add scan command for generic resources
#9645 feat: add chainsaw test for policy webhook based configuration
#9643 fix: global context validation
#9639 feat: add root command to process generic json resources
#9630 chore: remove renovate config
#9628 feat: add chainsaw tests for global context crd validation
#9626 changed the log level in match policy context
#9624 support -e shorthand letter with --exception flag
#9621 fix: global context crd improvements
#9620 feat: consider maxAPICallResponseLength
#9619 feat: add global context entry validation webhook
#9618 chore: move global context package out of engine
#9616 feat: use the check block for checking CLI output in chainsaw tests
#9615 feat: update refreshInterval in globalcontext CRD to use a duration
#9614 feat: add global context support in helm chart
#9609 make exception in cli exportable
#9608 sanity check in parent chart for crd-controller mismatch
#9606 chore: enable chainsaw fail fast
#9602 feat: add globalcontext loader and interface
#9601 feat: add globalcontext controller
#9600 chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.2 to 2.2.3
#9599 feat: apply
.matchConditions
when generating reports#9598 fix: client codegen not deleting old files
#9597 fix: codecov missing token
#9596 fix: make ApplyCommandConfig public again
#9595 feat: add global context crd to codegen
#9592 fix: codecov args
#9591 feat: add global context crd
#9585 fix: update cli docs
#9583 test: added test for pkg/utils/policy/marshal.go
#9579 feat (generate): add
orphanDownstreamOnPolicyDelete
to preserve downstream on policy deletion#9574 fix: nancy ignore
#9573 chore: small nits in cli test command
#9572 fix: omit events flag
#9570 chore: remove reports aggregation per namespace
#9569 configured backoff limit in chart cronjobs
#9566 feat: Support CEL expression warnings
#9561 chore: add chainsaw tests for policy based webhook configuration
#9555 fix: helm chart jobs
#9554 fix: nancy ignore
#9553 fix: make alternate reports storage transparent
#9552 Add Helm note for AKS users
#9546 feat: add openapi-gen to policyreports
#9543 fix: follow up for #9534
#9542 fix: CRDs codegen
#9540 chore: bump a couple of deps
#9539 chore: remove reference to kuttl
#9538 test: added test for pkg/utils/admission/metadata.go
#9537 refactor: use single type for ephemeral reports
#9535 chore: configure gh workflows schemas
#9534 fix: show skip when foreach with zero elements
#9533 Fix: not showing error during policy validation error
#9531 fix: move new reports api to top level folder
#9530 #9529 Support adding extra elements to the default resourceFilters list
#9525 Support PolicyExceptions with CLI
#9521 feat: add a new API group
reports.kyverno.io
#9520 test: added test for pkg/utils/admission/policy.go
#9516 Move admission controller hardcoded wildcard permissions to new opt-out value
#9515 ci: add load testing workflow
#9509 fix: reduce logs in controllers when an item is not found
#9507 feat: add more granular rbac rules to remove wildcards
#9506 feat: support vap bindings in reports
#9495 test: added test for pkg/utils/admission/exception.go
#9493 chore(helm): omit normal events by default
#9492 fix: kyverno apply panic for mutate policies
#9487 chore: bump a couple of deps
#9486 test: added test for pkg/utils/admission/cleanup.go
#9483 feat: configure admission webhooks per policy
#9482 fix: align clusterroles and bindings names
#9481 feat: improve crd migration helm hooks
#9476 feat: support all valid jsonpatches in validation webhook
#9469 chore(contrib): add Khaled Emara as contributor
#9468 feat: support validatingadmissionpolicybindings in CLI apply command
#9467 update README for new features and OSS security index card
#9465 chore: load cli image when deploying locally
#9464 Update DEVELOPMENT.md
#9463 fix: change generic policy to not return any
#9461 Update CONTRIBUTORS.md
#9459 added tests for validate foreach with 0 elements
#9442 chore: bump otel deps
#9440 chore: bump a couple of deps
#9433 chore: use upstream cosign on main
#9428 fix: nancy ignore list
#9427 chore: bump json-patch
#9426 chore: bump a couple of deps
#9420 feat: migrate existing cleanup policies to the new storage version in helm hook
#9416 feat: use awslabs keychain for AWS and gcr keychain for GCP
#9412 feat: migrate existing policy exceptions to the new storage version in helm hook
#9408 chore: bump bitnami/kubectl
#9395 [Feature] Security Improvements based on CLOMonitor Checks
#9392 fix: use the correct API version for VAPs in the generated events
#9391 feat: add podLabels to the hook jobs pod template
#9389 fix PSA chainsaw tests
#9386 feat: skip generating VAP when an exception is defined
#9385 fix: Allow generate cli tests to work with server-side apply policies
#9380 feat: use assertion trees in cli test command
#9362 chore(deps): bump golang.org/x/crypto from 0.17.0 to 0.18.0
#9360 chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7
#9355 fix: clean up URs if the trigger doesn't exist
#9348 Fix report-on-vulnerabilities
#9343 feat: support podSecurity exclusion in exceptions
#9341 fix PSA chainsaw tests
#9339 Add global nodeSelector
#9338 feat: add profiling to the helm Chart
#9332 fix a chainsaw test
#9331 fix: remove the check of exclude in VAPs
#9326 chore(deps): bump kubectl-validate version
#9324 feat: use custom events watcher
#9323 feat: add new client for events
#9296 feat: add resource migration command
#9279 fix: remove policy informer from vap controller
#9276 Feat: Human readable timestamps in logs
#9270 feat: stop serving v2alpha1 cleanup policies
#9269 Support setting global extraEnvVars
#9267 chore: introduce v2 for updaterequests
#9262 chore: introduce v2 for internal reports resources
#9261 feat: add cleanup policies v2
#9260 chore: bump a couple of deps
#9255 refactor: mutate checks
#9254 fix: set v2beta1 of exceptions the storage version
#9240 fix: remove unused file in a test
#9238 move error message to log
#9236 refactor: events controller
#9232 Fixed error log
#9220 feat: enable kubectl-validate by default in cli
#9218 chore: add k8s 1.29 in custom-sigstore test
#9213 chore: add missing context unit test
#9212 (docs) changed docs tool to kubernetes-sigs/reference-docs
#9211 chore: remove v2alpha1 version of policy exceptions
#9208 feat: promote policy exceptions to v2
#9200 refactor: make CLI store non static
#9198 chore: bump a couple of deps
#9192 chore: add cli update test
#9191 fix: deep copy resource in cli when operation is update
#9189 fix: deprecate spec.schemaValidation
#9187 chore: fix conformance tests
#9180 Minor fix
#9179 chore: use sigstore/cosign 2.2.2 on main
#9175 fix: updates make codegen-deepcopy back to make codegen-deepcopy-all flag back to api deep copy function generatio...
#9173 feat(jmespath):time_parse() support epoch time
#9165 chore: move a mutateExisting chainsaw test under its directory
#9163 fix: set logger level
#9161 chore: add 1.29 to all test grids and remove 1.25
#9158 chore: add 1.29 to the test grid
#9155 fix: validate pattern premature skip
#9148 fix: chainsaw test
#9144 support for SHA256 jmespath function
#9143 chore: use new chainsaw github action
#9140 chore: bump chainsaw
#9130 chore: add myself to the maintainers list
#9125 feat: add myself (vishal-chdhry) to maintainers list
#9124 support for Add Variable unit test
#9120 chore: bump chainsaw
#9114 chore: bump chainsaw
#9113 chore: convert chainsaw tests to Test resource
#9109 chore: convert chainsaw tests to Test resource
#9108 chore: update PR template to require documentation PR
#9103 chore: improve cluster startup in conformance tests
#9100 chore: convert chainsaw tests to Test resource
#9099 chore: convert chainsaw tests to Test resource
#9098 chore: improve ci perf
#9094 chore: convert chainsaw tests to Test resource
#9093 chore: install kind from binaries
#9092 chore: remove kuttl from makefile
#9088 fix: nancy ignore
#9087 chore: convert chainsaw tests to Test resource
#9086 chore: improve conformance tests ci perf
#9085 fix: conformance tests
#9071 chore: bump chainsaw
#9066 Fix Helm chart to not error when replicas defined
#9064 chore: bump chainsaw
#9057 Update helm docs
#9052 chore: use Kubernetes 1.28 by default
#9046 Use nancy on actually included dependencies
#9045 chore: add 1.10.4-6 & 1.11.1 to github issue templates
#9041 fix(helm): Rename dashboard.json to kyverno-dashboard.json
#9038 chore: bump chainsaw
#9036 fix: Provide kind list hints to the fake dynamic client.
#9028 chore: fix chainsaw tests cleanup timeout
#9023 chore: remove kuttl tests folder
#9018 chore: replace more kuttl tests by chainsaw
#9017 chore: replace more kuttl tests by chainsaw
#9016 chore: replace standard kuttl tests by chainsaw ones
#9015 feat: webhook labels
#9013 chore: fix chainsaw exec timeout issue
#9012 chore: enable all chainsaw tests
#9011 chore: all chainsaw tests
#9008 fix: extend chainsaw cleanup timeout
#8999 chore: cleanup go.mod
#8998 chore: bump chainsaw
#8997 chore: migrate tests to chainsaw
#8987 chore: bump a couple of deps
#8985 chore: bump otel libs
#8969 Allow defining ca-certificates bundle for Kyverno deployments
#8967 chore: bump chainsaw
#8966 chore: run force-failure-policy-ignore test using chainsaw
#8965 chore: run vap reports test suite using chainsaw
#8958 chore: run generate VAP test suite using chainsaw
#8956 chore: run range operators tests with chainsaw
#8953 fix: update KeysAreMissing() to ignore negations in resource
#8952 fix: block mutation only when failurePolicy is set to fail
#8951 chore: run events test suite using chainsaw
#8950 chore: run rbac testsuite using chainsaw
#8947 fix: change names of fuzzing policies
#8946 Allow excluding resources from config.resourceFilters
#8937 chore: run autogen tests with chainsaw
#8932 feat: allow setting admission controller replica count to 2
#8929 chore: bump k8s package to 1.29
#8913 Revert "fix(chart): only create ServiceMonitor if cluster supports it (#7926)
#8911 [Helm] correct typo in README for Kyverno 1.10+
#8907 fix: Add chart parameters for setting revisionHistoryLimit
#8903 Extended the Trivy scan for N-2 Kyverno versions
#8894 Close reponse right after succesful request
#8893 chore(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.45.0 to 0.46.0
#8880 fix: allow multiple keys in verifyImages.attestations.attestors.entries
#8861 Adopters groww
#8857 feat: added ability to bump version using in-file editing
#8849 Deploy specific controllers
#8827 Add policyKind option to kyverno-policies chart
#8780 refactor: move resource loader package to ext
#8772 chore: move utils/wildcard in ext
#8769 refactor: move resource/convert in ext
#8767 feat: add force color in color ext pkg
#8766 feat: add utils packages in ext
#8762 chore: run tests with chainsaw
#8761 chore: fix nancy ignore
#8760 feat: add ext/yaml package
#8758 chore: init ext packages
#8713 feat: compute policy exceptions as a part of the rule execution
#8675 feat: add arm64 support in devcontainers
#8672 feat: adds ci test for building devcontainer image
#8659 feat: re-evaluate policy exceptions for existing resources and modify reports accordingly
#8654 Reduce deps
#8647 feat: use ubuntu:22.04 in devcontainer
#8633 feat: add skipImageReferences in verify images
#8624 feat: add fail/warn on deprecated/invalid operators
#8614 feat: Add external_url_check custom JMESPath function
#8585 [Feature] New
restrictedField
in podSecurity subrule#8577 feat: support conditions in PolicyException
#8567 chore: set cert renewal time to 15 days before expiration
#8566 feat: reuse --protectManagedResources flag in the cleanup controller
#8544 fix: apply exceptions after executing the policy itself
[#8518](https://togithub.co
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.