github kyverno/kyverno v1.12.0


1.12 Release Notes

❗ Breaking (Potentially) ❗

  • Policies using long-deprecated or invalid operators in conditions (e.g., In and NotIn) will be blocked. Please see the current list of available operators here (#8624)

✨ Added ✨

  • Added a global cache via a new Custom Resource called GlobalContextEntry allowing caching of any resource (#9591, #9595, #9601, #9602, #9614, #9615, #9618, #9619, #9620, #9621, #9643, #9652, #9678, #9710, #9813)
  • Added the ability to configure the listening ports of webhooks for admission and cleanup controllers (#7728)
  • Several new and improved abilities to reduce the scope of webhooks based on policy configurations, including support for the CEL-based matchConditions available in Kubernetes 1.27+ (#8065, #8437, #9483, #9599)
  • Added a new container flag --protectManagedResources to the cleanup controller (#8566)
  • Added a new container flag --renewBefore to the admission and cleanup controllers to configure the cert renewal time (#8567)
  • Added a new container flag --loggingtsFormat which can be used to change the time format of logs (#9276)
  • Policy Exceptions now support conditions (#8577)
  • Policy Exceptions now support excluding specific controls when using a Pod Security sub-rule validate.podSecurity (#9343, #9817)
  • Pod Security sub-rule (validate.podSecurity) has a new ability to exclude based on restricted fields (exclude.restrictedField and associated values) (#8585, #9770, #9658)
  • Added a new field to verifyImages rules called skipImageReferences allowing you to exclude certain images (#8633)
  • Added a new field to generate rules (data-type) called orphanDownstreamOnPolicyDelete which will preserve downstream resources when the policy/rule is deleted (#9579)
  • Added the ability to deploy specific controllers with CRDs following suit (#8849, #9608)
  • Added the ability to apply custom labels to Kyverno's webhooks, helpful especially for Argo CD users (#9015)
  • Added support for more types of JSON patch operations like "move", "copy", and "test" (#9476)
  • Policy Reports can now be generated from ValidatingAdmissionPolicies and their bindings (#9506)
  • Created a new API group reports.kyverno.io for storing new ephemeral report kinds EphemeralReports and ClusterEphemeralReports (#9521, #9537)
  • New is_external_url() JMESPath function to determine whether a given URL is an external URL (#8614)
  • New sha256() JMESPath function to convert a string of any length to a fixed hash value (#9144)
  • Kyverno CLI: Added a new migrate command which is used to migrate Kyverno resources to the current API version (#9296)
  • Kyverno CLI: Added a new (experimental) json command which incorporates the Kyverno JSON subproject into the main CLI allowing for testing of any JSON content (#9639, #9651)
  • Kyverno CLI: The test command now supports the same assertion trees available in Chainsaw (#9380)
  • Kyverno CLI: The apply command now supports ValidatingAdmissionPolicyBindings (#9468, #9751, #9759)
  • Kyverno CLI: apply and test commands now support Policy Exceptions (#9525, #9624, #9714, #9749)
  • Kyverno CLI: Added a --resources flag as an alias for the existing --resource flag (#9749)

Helm

  • Add chart parameters for setting revisionHistoryLimit (#8907)
  • Allow excluding resources from config.resourceFilters (#8946)
  • Allow defining ca-certificates bundle for Kyverno deployments (#8969)
  • Clean up Helm change logs (#9057)
  • Added ability to set extra environment variables globally (#9269)
  • Added the ability to enable performance profiling to the chart (#9338)
  • Added a global nodeSelector to the chart (#9339)
  • Allow adding Pod labels to cleanup jobs in the chart (#9391)
  • Added a CRD migration capability via hooks to the chart (#9481, #9657)
  • Added the ability to define additional resources to be excluded via resourceFilters (#9530)
  • Added a small note for AKS users when the chart is installed (#9552)
  • Added the ability to configure backoff limits in jobs in the chart (#9569)
  • Added default exclusions in webhooks (#9950)

⚠️ Changed ⚠️

  • Allow setting admission controller replica count to 2 (#8932)
  • The spec.schemaValidation field is formally deprecated. As of 1.11 it has no effect. (#9189)
  • The --reportsChunkSize flag is deprecated and has no effect since aggregation has changed (#9697)
  • The --imageSignatureRepository flag is deprecated and has no effect, use the verifyImages.Repository field instead (#9698)
  • Policy Exceptions will now be evaluated against existing resources when the exception is created (#8659, #8713, #8544)
  • Policy Exceptions API graduated to v2 (#9208, #9412)
  • Cleanup Policies API graduated to v2 (#9261, #9420)
  • Admission and Background reports APIs graduated to v2 (#9262)
  • UpdateRequests API graduated to v2 (#9267)
  • Reduced some logged messages (#9509, #9626)
  • Default logging time format is changed to RFC3339 (#9775)
  • Updated the internal Pod Security Standards up through 1.29 (#9783)
  • The time_parse() JMESPath filter now supports epoch time (#9173)
  • Kyverno will validate ValidatingAdmissionPolicies' CEL expressions and show a warning, or block, if invalid (#9566)
  • Kyverno CLI: The CLI will now perform field defaulting in policies being tested, moving it out of experimental status (#9220)

Helm

  • Chart will now omit policy applied and skipped events by default (#9493)
  • Allow configuring the policy kind in kyverno-policies chart (#8827)
  • Refined permissions by removing wildcards (#9507, #9516)
  • Rename the Grafana dashboard file from dashboard.json to kyverno-dashboard.json (#9041)

Performance

  • Initialize JMESPath interpreter once and reuse it across searches (#8299)
  • Optimize JSON context processing using in-memory maps (#8322)
  • Optimize how Events are created and processed (#9323, #9324)
  • Optimize validate policy application by adding a worker pool (#10056)

🐛 Fixed 🐛

  • Fixed handling of escaped variables in an expression with multiple escaped variables (#8311)
  • Fixed an issue when verifying attestations using multiple keys (#8880)
  • Fixed an issue causing application of mutation policies to fail even when failurePolicy was set to Ignore (#8952)
  • Fixed an issue that allowed violating resources when a policy had validationFailureAction set to Enforce and failurePolicy of Ignore (#8953)
  • Fixed an issue causing premature skipping of resources in validate policies with anchors defined (#9155)
  • Fixed an issue where the -v container flag for logging was not honored (#9163)
  • Switched a logged error to info when preconditions didn't pass in a mutate existing rule (#9232)
  • Reports aggregation fixes and improvements (#9697)
  • Fixed an issue preventing generation of a ValidatingAdmissionPolicy when exclude was used in the rule (#9331)
  • Fixed an issue resulting in ValidatingAdmissionPolicies getting generated when there was a Policy Exception in place (#9386)
  • Fixed an issue where a ValidatingAdmissionPolicy was applied to the wrong resource in background scans (#9468)
  • Fixed an issue when generating Events associated with ValidatingAdmissionPolicies (#9392)
  • Fixed an issue with UpdateRequests getting stuck in a perpetual Pending state when using variables from admission (#9355)
  • Fixed an issue preventing validating image signatures on AWS with a FIPS endpoint from working (#9416)
  • Fixed an issue preventing variables from being substituted in messages when using anyPattern validate rules (#9713)
  • Fixed an issue where skipped policies due to preconditions were returned in denial response messages (#9719)
  • Removed an unnecessary podSecurity check (#9790)
  • Fixed an issue when verifying images from an insecure registry (#9838)
  • Fixed an issue with some validate rules and the UPDATE operation (#9893)
  • Kyverno CLI: Fixed an issue doing a test with an UPDATE operation (#9191)
  • Kyverno CLI: Fixed applying cloneList generate policies with apply command (#9036)
  • Kyverno CLI: Fixed a logging error (#9238)
  • Kyverno CLI: Testing of generate rules which use the useServerSideApply field now works properly (#9385)
  • Kyverno CLI: Fixed an issue causing the apply command to panic when applying a mutate existing rule (#9492)
  • Kyverno CLI: Fixed an issue with the apply command where some errors weren't shown (#9533)
  • Kyverno CLI: Fixed an issue with the apply command where a foreach with zero elements was a skip (#9534, #9543)
  • Kyverno CLI: Fixed a regression where the --warn-exit-code stopped working (#9828)
  • Fixed cosign ctlog unit tests (#9971)
  • Fixed deferred loader panic when mutate and generate policies are applied (#9968)
  • Fixed an autogen issue; Kyverno now only generates rules for the request kind (#9997)
  • Fixed an issue where a mutex was not added to the mock policy context builder (#10059)
  • Fixed policy status reconciliation when it fails to set policy to ready (#10047)
  • Fixed the container flag maxQueuedEvents (#10031)
  • Fixed an issue where Rekor options were missing in cosign certificate verification, and made the Rekor URL optional (#10025)

Helm

  • Fixed an issue deploying ServiceMonitor CR with ArgoCD via the chart (#8913)
  • Fixed an issue preventing multiple replicas from being defined in the chart (#9066)
  • Make role and binding names consistent (#9482)
  • Fixed some minor issues with the Helm report cleanup jobs (#9555)
  • Fixed a typo in the Kyverno chart README (#8911)

All PRs

#10013 chore: bump chainsaw to v0.1.9
#10025 fix: add rekor opts to cosign certificate verification and make rekor url optional
#10039 chore: bump cosign to v2.2.4
#10031 fix: re-use the maxQueuedEvents
#10047 fix: policy status reconciliation
#10056 feat(audit): use a worker pool for Audit policies
#10059 fix: add mutex to mock policy context builder
#9989 chore: bump kyverno-json to latest
#9997 fix(autogen): only generate rule for request kind
#9950 feat: set default exclusions in webhooks
#9968 fix: deferred loader panic when mutate and generate policies are applied
#9971 fix: cosign ctlog unit tests
#9903 fix(globalcontext): panics and validation
#9893 fix: properly update policy context after preexisting resource in violation check
#9849 fix: release CRDs manifests
#9845 fix: add missing unit tests for podSecurity.hostpathVolume check
#9838 fix: use gcr crane opts while fetching image descriptors
#9835 fix: remove duplicate chainsaw tests for PSA
#9828 [Bug] [CLI] Restore warn-exit-code functionality for apply command
#9817 fix: add podSecurity validation checks for exceptions
#9813 fix(globalcontext): old WaitGroup not stopping
#9791 fix: remove unnecessary podSecurity chainsaw test
#9790 fix: remove unnecessary validation check for podSecurity rule
#9783 update versions
#9781 chore: add tests for exceptions in the CLI
#9775 chore: default logging format to rfc3339
#9770 fix: add validation check for podSecurity subrule
#9763 chore: bump chainsaw
#9759 feat: support bindings in Kyverno CLI test command
#9751 feat: apply VAP bindings in CLI apply command in offline mode
#9749 add plural form aliases for resources and exceptions flags
#9719 fix: Policies skipped because of preconditions not met should not be included in admission requests denial responses
#9714 fix: add the support of v2alpha1 exceptions in the CLI
#9713 Fix: variables are not getting processed in validation message for "anyPattern"
#9710 feat: enhance global context
#9709 chore: bump otel deps
#9698 fix: remove deprecated imageSignatureRepository flag
#9697 fix: reports aggregation
#9691 fix: modify the conformance config name
#9690 chore: rename admission to ephemeral in reports aggregation controller
#9682 chore(deps): bump kyverno/action-install-chainsaw from 0.1.2 to 0.1.3
#9680 chore: bump kind and k8s images
#9679 fix: don't delete garbage collected policy reports
#9678 feat(validation-webhook): validate global context reference
#9677 feat: remove admission report controller
#9672 feat: add chainsaw tests for exceptions
#9667 feat: add chainsaw tests for pod security in exceptions
#9661 test(globalcontext): add e2e tests
#9658 [Bug] Fix message and formatting of podSecurity validation failure with restrictedField
#9657 fix: add missing migrations
#9652 chore(globalcontext): remove global context flag
#9651 feat: add scan command for generic resources
#9645 feat: add chainsaw test for policy webhook based configuration
#9643 fix: global context validation
#9639 feat: add root command to process generic json resources
#9630 chore: remove renovate config
#9628 feat: add chainsaw tests for global context crd validation
#9626 changed the log level in match policy context
#9624 support -e shorthand letter with --exception flag
#9621 fix: global context crd improvements
#9620 feat: consider maxAPICallResponseLength
#9619 feat: add global context entry validation webhook
#9618 chore: move global context package out of engine
#9616 feat: use the check block for checking CLI output in chainsaw tests
#9615 feat: update refreshInterval in globalcontext CRD to use a duration
#9614 feat: add global context support in helm chart
#9609 make exception in cli exportable
#9608 sanity check in parent chart for crd-controller mismatch
#9606 chore: enable chainsaw fail fast
#9602 feat: add globalcontext loader and interface
#9601 feat: add globalcontext controller
#9600 chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.2 to 2.2.3
#9599 feat: apply .matchConditions when generating reports
#9598 fix: client codegen not deleting old files
#9597 fix: codecov missing token
#9596 fix: make ApplyCommandConfig public again
#9595 feat: add global context crd to codegen
#9592 fix: codecov args
#9591 feat: add global context crd
#9585 fix: update cli docs
#9583 test: added test for pkg/utils/policy/marshal.go
#9579 feat (generate): add orphanDownstreamOnPolicyDelete to preserve downstream on policy deletion
#9574 fix: nancy ignore
#9573 chore: small nits in cli test command
#9572 fix: omit events flag
#9570 chore: remove reports aggregation per namespace
#9569 configured backoff limit in chart cronjobs
#9566 feat: Support CEL expression warnings
#9561 chore: add chainsaw tests for policy based webhook configuration
#9555 fix: helm chart jobs
#9554 fix: nancy ignore
#9553 fix: make alternate reports storage transparent
#9552 Add Helm note for AKS users
#9546 feat: add openapi-gen to policyreports
#9543 fix: follow up for #9534
#9542 fix: CRDs codegen
#9540 chore: bump a couple of deps
#9539 chore: remove reference to kuttl
#9538 test: added test for pkg/utils/admission/metadata.go
#9537 refactor: use single type for ephemeral reports
#9535 chore: configure gh workflows schemas
#9534 fix: show skip when foreach with zero elements
#9533 Fix: not showing error during policy validation error
#9531 fix: move new reports api to top level folder
#9530 #9529 Support adding extra elements to the default resourceFilters list
#9525 Support PolicyExceptions with CLI
#9521 feat: add a new API group reports.kyverno.io
#9520 test: added test for pkg/utils/admission/policy.go
#9516 Move admission controller hardcoded wildcard permissions to new opt-out value
#9515 ci: add load testing workflow
#9509 fix: reduce logs in controllers when an item is not found
#9507 feat: add more granular rbac rules to remove wildcards
#9506 feat: support vap bindings in reports
#9495 test: added test for pkg/utils/admission/exception.go
#9493 chore(helm): omit normal events by default
#9492 fix: kyverno apply panic for mutate policies
#9487 chore: bump a couple of deps
#9486 test: added test for pkg/utils/admission/cleanup.go
#9483 feat: configure admission webhooks per policy
#9482 fix: align clusterroles and bindings names
#9481 feat: improve crd migration helm hooks
#9476 feat: support all valid jsonpatches in validation webhook
#9469 chore(contrib): add Khaled Emara as contributor
#9468 feat: support validatingadmissionpolicybindings in CLI apply command
#9467 update README for new features and OSS security index card
#9465 chore: load cli image when deploying locally
#9464 Update DEVELOPMENT.md
#9463 fix: change generic policy to not return any
#9461 Update CONTRIBUTORS.md
#9459 added tests for validate foreach with 0 elements
#9442 chore: bump otel deps
#9440 chore: bump a couple of deps
#9433 chore: use upstream cosign on main
#9428 fix: nancy ignore list
#9427 chore: bump json-patch
#9426 chore: bump a couple of deps
#9420 feat: migrate existing cleanup policies to the new storage version in helm hook
#9416 feat: use awslabs keychain for AWS and gcr keychain for GCP
#9412 feat: migrate existing policy exceptions to the new storage version in helm hook
#9408 chore: bump bitnami/kubectl
#9395 [Feature] Security Improvements based on CLOMonitor Checks
#9392 fix: use the correct API version for VAPs in the generated events
#9391 feat: add podLabels to the hook jobs pod template
#9389 fix PSA chainsaw tests
#9386 feat: skip generating VAP when an exception is defined
#9385 fix: Allow generate cli tests to work with server-side apply policies
#9380 feat: use assertion trees in cli test command
#9362 chore(deps): bump golang.org/x/crypto from 0.17.0 to 0.18.0
#9360 chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7
#9355 fix: clean up URs if the trigger doesn't exist
#9348 Fix report-on-vulnerabilities
#9343 feat: support podSecurity exclusion in exceptions
#9341 fix PSA chainsaw tests
#9339 Add global nodeSelector
#9338 feat: add profiling to the helm Chart
#9332 fix a chainsaw test
#9331 fix: remove the check of exclude in VAPs
#9326 chore(deps): bump kubectl-validate version
#9324 feat: use custom events watcher
#9323 feat: add new client for events
#9296 feat: add resource migration command
#9279 fix: remove policy informer from vap controller
#9276 Feat: Human readable timestamps in logs
#9270 feat: stop serving v2alpha1 cleanup policies
#9269 Support setting global extraEnvVars
#9267 chore: introduce v2 for updaterequests
#9262 chore: introduce v2 for internal reports resources
#9261 feat: add cleanup policies v2
#9260 chore: bump a couple of deps
#9255 refactor: mutate checks
#9254 fix: set v2beta1 of exceptions the storage version
#9240 fix: remove unused file in a test
#9238 move error message to log
#9236 refactor: events controller
#9232 Fixed error log
#9220 feat: enable kubectl-validate by default in cli
#9218 chore: add k8s 1.29 in custom-sigstore test
#9213 chore: add missing context unit test
#9212 (docs) changed docs tool to kubernetes-sigs/reference-docs
#9211 chore: remove v2alpha1 version of policy exceptions
#9208 feat: promote policy exceptions to v2
#9200 refactor: make CLI store non static
#9198 chore: bump a couple of deps
#9192 chore: add cli update test
#9191 fix: deep copy resource in cli when operation is update
#9189 fix: deprecate spec.schemaValidation
#9187 chore: fix conformance tests
#9180 Minor fix
#9179 chore: use sigstore/cosign 2.2.2 on main
#9175 fix: updates make codegen-deepcopy back to make codegen-deepcopy-all flag back to api deep copy function generatio...
#9173 feat(jmespath):time_parse() support epoch time
#9165 chore: move a mutateExisting chainsaw test under its directory
#9163 fix: set logger level
#9161 chore: add 1.29 to all test grids and remove 1.25
#9158 chore: add 1.29 to the test grid
#9155 fix: validate pattern premature skip
#9148 fix: chainsaw test
#9144 support for SHA256 jmespath function
#9143 chore: use new chainsaw github action
#9140 chore: bump chainsaw
#9130 chore: add myself to the maintainers list
#9125 feat: add myself (vishal-chdhry) to maintainers list
#9124 support for Add Variable unit test
#9120 chore: bump chainsaw
#9114 chore: bump chainsaw
#9113 chore: convert chainsaw tests to Test resource
#9109 chore: convert chainsaw tests to Test resource
#9108 chore: update PR template to require documentation PR
#9103 chore: improve cluster startup in conformance tests
#9100 chore: convert chainsaw tests to Test resource
#9099 chore: convert chainsaw tests to Test resource
#9098 chore: improve ci perf
#9094 chore: convert chainsaw tests to Test resource
#9093 chore: install kind from binaries
#9092 chore: remove kuttl from makefile
#9088 fix: nancy ignore
#9087 chore: convert chainsaw tests to Test resource
#9086 chore: improve conformance tests ci perf
#9085 fix: conformance tests
#9071 chore: bump chainsaw
#9066 Fix Helm chart to not error when replicas defined
#9064 chore: bump chainsaw
#9057 Update helm docs
#9052 chore: use Kubernetes 1.28 by default
#9046 Use nancy on actually included dependencies
#9045 chore: add 1.10.4-6 & 1.11.1 to github issue templates
#9041 fix(helm): Rename dashboard.json to kyverno-dashboard.json
#9038 chore: bump chainsaw
#9036 fix: Provide kind list hints to the fake dynamic client.
#9028 chore: fix chainsaw tests cleanup timeout
#9023 chore: remove kuttl tests folder
#9018 chore: replace more kuttl tests by chainsaw
#9017 chore: replace more kuttl tests by chainsaw
#9016 chore: replace standard kuttl tests by chainsaw ones
#9015 feat: webhook labels
#9013 chore: fix chainsaw exec timeout issue
#9012 chore: enable all chainsaw tests
#9011 chore: all chainsaw tests
#9008 fix: extend chainsaw cleanup timeout
#8999 chore: cleanup go.mod
#8998 chore: bump chainsaw
#8997 chore: migrate tests to chainsaw
#8987 chore: bump a couple of deps
#8985 chore: bump otel libs
#8969 Allow defining ca-certificates bundle for Kyverno deployments
#8967 chore: bump chainsaw
#8966 chore: run force-failure-policy-ignore test using chainsaw
#8965 chore: run vap reports test suite using chainsaw
#8958 chore: run generate VAP test suite using chainsaw
#8956 chore: run range operators tests with chainsaw
#8953 fix: update KeysAreMissing() to ignore negations in resource
#8952 fix: block mutation only when failurePolicy is set to fail
#8951 chore: run events test suite using chainsaw
#8950 chore: run rbac testsuite using chainsaw
#8947 fix: change names of fuzzing policies
#8946 Allow excluding resources from config.resourceFilters
#8937 chore: run autogen tests with chainsaw
#8932 feat: allow setting admission controller replica count to 2
#8929 chore: bump k8s package to 1.29
#8913 Revert "fix(chart): only create ServiceMonitor if cluster supports it (#7926)
#8911 [Helm] correct typo in README for Kyverno 1.10+
#8907 fix: Add chart parameters for setting revisionHistoryLimit
#8903 Extended the Trivy scan for N-2 Kyverno versions
#8894 Close response right after successful request
#8893 chore(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.45.0 to 0.46.0
#8880 fix: allow multiple keys in verifyImages.attestations.attestors.entries
#8861 Adopters groww
#8857 feat: added ability to bump version using in-file editing
#8849 Deploy specific controllers
#8827 Add policyKind option to kyverno-policies chart
#8780 refactor: move resource loader package to ext
#8772 chore: move utils/wildcard in ext
#8769 refactor: move resource/convert in ext
#8767 feat: add force color in color ext pkg
#8766 feat: add utils packages in ext
#8762 chore: run tests with chainsaw
#8761 chore: fix nancy ignore
#8760 feat: add ext/yaml package
#8758 chore: init ext packages
#8713 feat: compute policy exceptions as a part of the rule execution
#8675 feat: add arm64 support in devcontainers
#8672 feat: adds ci test for building devcontainer image
#8659 feat: re-evaluate policy exceptions for existing resources and modify reports accordingly
#8654 Reduce deps
#8647 feat: use ubuntu:22.04 in devcontainer
#8633 feat: add skipImageReferences in verify images
#8624 feat: add fail/warn on deprecated/invalid operators
#8614 feat: Add external_url_check custom JMESPath function
#8585 [Feature] New restrictedField in podSecurity subrule
#8577 feat: support conditions in PolicyException
#8567 chore: set cert renewal time to 15 days before expiration
#8566 feat: reuse --protectManagedResources flag in the cleanup controller
#8544 fix: apply exceptions after executing the policy itself
#8518 fix: cache error in gh workflows
#8437 Changes to dynamically configure webhooks
#8322 optimize JSON context processing using in-memory maps
#8311 fix: use ungreedy pattern to process all variables
#8299 create interpreter once and reuse across searches
#8065 feat: configure webhook scope based on resource and policy type
#7728 Make server ports configurable, resolves #7279
