github kyverno/kyverno v1.9.0


Check the release announcement blog here for an overview of this packed release!

✨ Added ✨

  • New PolicyException (alpha) resource introduced (#5662, #5680, #5712)
  • New CleanupPolicy (alpha) resource introduced (#5233, #5279)
  • Distributed Tracing (#5630, #5643, #5639, #5629, #5624, #5495, #5474, #5463, #5442, #5412, #5397, #5392, #5391)
  • Extended support for validating and mutating subresources in webhook and CLI (#4916)
  • ConfigMap caching (#5484)
  • Nested foreach loops (#5589)
  • Dump AdmissionReview payload using a new --dumpPayload flag (#5024)
  • New JMESPath filters for working with time (#5950, #5817, #5814, #5813)
  • Pod controller rule auto-generation for ReplicaSets and ReplicationControllers (#4975)
  • Kyverno CLI experimental support for pushing/pulling Kyverno policies as OCI artifacts (#5026)
  • Kyverno CLI now supports policy input from a git repo when used with the apply command (#4502)
  • New v2beta1 schema introduced which removes all deprecated fields (#5625)
  • Support for Kubernetes 1.26 (#5733, #5732)
  • SLSA provenance now generated, provisionally achieving SLSA Level 3, for all Kyverno container images (blog) (#4268, #5735)
  • Kyverno policy library up to over 260 policies
  • CRD manifests are now uploaded for each release (#5967)
  • Add --audit-warn and --warn-exit-code flags for use in the CLI (#5577, #5321)
  • A new --leaderElectionRetryPeriod flag is added to control leader election frequency (#5172)
  • A new --forceFailurePolicyIgnore flag is added to control the failure policy at a global level (#4991)
  • Some new controller metrics have been added (#5494)
  • Some new printer columns have been added when returning Kyverno policies including AGE and the count and type of rules (#5119, #5106)
  • Key signature algorithm can now be specified in verifyImages rules (#4855)
  • Attestors can now be specified sourced from a Kubernetes Secret in a verifyImages rule (#4733)
  • (Helm) Support for consuming existing imagePullSecrets for use in verifyImages rules (#5627)

⚠️ Changed ⚠️

  • A deprecation warning is now printed when setting enforce or audit (lower-case) in the validationFailureAction field (#5152, #5219)
  • A log message will now be printed when background scans occur (#5941)
  • Rules of type validate.podSecurity ("subrule") will show additional information in policy reports (#5908, #5719)
  • Background report scanning reconciliation improvements (#5871, #5865, #5810, #5808, #5807, #5727)
  • Cleaned up the CLI help messages a bit (#5843)
  • All CLI custom JMESPath functions now have notes (#5824)
  • The CLI's jp command has been split up into multiple subcommands (#5566, #5552)
  • The CLI can now accept a list of policies piped into it (#5227)
  • The CLI will now make API calls to the live cluster when using the apply command with the --cluster flag (#4938)
  • The CLI will now properly detect when duplicate test resources are provided (#3612)
  • Removed the all category from Kyverno CRDs; they are now listed properly with kubectl get kyverno (#5731)
  • Log enhancements (#5701, #5687)
  • Removed deprecated flag --splitPolicyReport since this is now done automatically (#5686)
  • If Kyverno is down, any new/changed policies will be blocked until it returns to service (#5677)
  • Improved some color and table things in the CLI's test command (#5609)
  • Several of the JMESPath arithmetic functions have been adjusted to provide better guardrails (#5544)
  • Admission metrics now have the webhook type and request_allowed added (#5493, #5478)
  • Start using AdmissionReview v1 instead of v1beta1 (#5464)
  • Webhooks now have separate rules per GVK (#4986)
  • The additionalExtensions field in a verifyImages rule can now use the cert extension as the key (#4854)
  • Some minor validation improvements when using mutate rules consisting of a JSON patch (#4469)

🐛 Fixed 🐛

  • Fixed an issue preventing deletion of a resource (such as a Namespace containing managed resources) when --protectManagedResources is in use (#6098)
  • Fixed Namespace selector matching in policies which used wildcards (kind: "*") (#6020)
  • Fixed an issue with matching resources with lower case letters (#6008)
  • Fixed an image mismatch issue when using a verifyImages rule with multiple attestors (#5956)
  • Fixed mutate existing rules to set resourceVersion prior to update (#5906)
  • Fixed incorrect variable substitution in mutate existing rules (#5862)
  • Fixed an issue whereby deletion of a Policy (namespaced) with generate rule didn't result in deletion of generated resources (#5776)
  • Fixed empty rule type in metrics when using verifyImages (#5729)
  • Fixed a panic in verifyImages rules when loading a ConfigMap (#5710, #5705)
  • Fixed an issue when the message field of a policy had a variable that didn't resolve to a string (#5678)
  • Fixed an issue in the CLI which prevented policies from stdin from being applied (#5668)
  • Fixed an issue in the CLI in how global anchors were handled in the apply command (#5590)
  • Fixed an issue in the CLI with how request.operation was defaulted (#5423)
  • Fixed an issue in the CLI when testing for Pods which define the ownerReferences object (#5170)
  • Fixed use of AllNotIn operator with wildcards (#5636)
  • Fixed and improved some registry client issues (#5622, #5620, #5596)
  • Fixed a metrics panic issue when a null response was received (#5502)
  • Fixed an issue preventing creation of a verifyImages rule with multiple attestors (#5384)
  • Fixed validating a resource's schema when any/all is used (#5246)
  • Fixed how the global anchor was handled when used in anyPattern validate rules (#5191)
  • Fixed an issue preventing the use of the generateName field in mutate rules (#5146)
  • Fixed an issue in verifyImages rules allowing proper use of the {{image}} variable (#5122)
  • Leader election now runs in a loop preventing Pod termination when the lead is lost (#5173)
  • (Helm) Fixed using the kyverno-test Pod to test connection by pinning the busybox image (#6051)
  • (Helm) Replaced + with _ in the Chart.Version field to prevent Flux reconciliation failures (#6056, #5591)
  • (Helm) Fixed the cleanup process with Kyverno managed resources upon uninstall (#5974)
  • (Helm) Fixed an issue with selectors when upgrading from 1.8 (#5965)
  • (Helm) Fixed using multiple args in the initContainer (#5846)
  • (Helm) Fixed the Grafana dashboard to use delta instead of increase (#5645)
  • (Helm) Fixed the labels that got assigned to CRDs so they're correct per the release name (#5594)
  • (Helm) Fixed an issue with Pod anti-affinity when deploying the chart with a custom name (#5516)

❗ Breaking ❗

  • The new field verifyImages.attestations.attestors is added for verifying attestations. Note that the existing verifyImages.attestors field is now only used to verify signatures (carry-over from release v1.8.3).
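The following ClusterPolicy illustrates how the two attestor lists differ after this change. It is an added example written for this page, not a policy shipped with the release or taken from the Kyverno policy library; the policy and rule names, the image pattern, the public keys and the builder id value are placeholders, and the SLSA predicate type and the conditions block are assumed from the v1.9-era verifyImages schema rather than from the notes above.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signature-and-provenance   # placeholder policy name
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: check-signature-and-slsa-provenance  # placeholder rule name
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/team/*"       # placeholder image pattern
          # verifyImages.attestors: signature check only. The image itself
          # must be signed by a key listed here; attestations are not consulted.
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <placeholder: image signing public key>
                      -----END PUBLIC KEY-----
          # verifyImages.attestations[].attestors: attestation check. A
          # provenance attestation with this predicate type must be present
          # and signed by a key listed here. Using a separate key from the
          # image signing key above keeps the two trust decisions independent.
          attestations:
            - predicateType: https://slsa.dev/provenance/v0.2
              attestors:
                - entries:
                    - keys:
                        publicKeys: |-
                          -----BEGIN PUBLIC KEY-----
                          <placeholder: attestation signing public key>
                          -----END PUBLIC KEY-----
              # Assumed syntax: conditions are evaluated against the
              # attestation predicate; the expected builder id is a placeholder.
              conditions:
                - all:
                    - key: "{{ builder.id }}"
                      operator: Equals
                      value: "<placeholder: expected SLSA builder id>"
```

When upgrading from a release before 1.8.3, a rule that relied on the top-level attestors list to also cover attestations needs the keys repeated (or different keys supplied) under each attestations entry; otherwise the attestation check has no attestor to verify against and the rule behaves differently than before.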

#6122 fix: policy exception event source
#6112 fix: tracing attributes length and tracer name
#6103 fix: flag added to init container mistake
#6100 fix: cleanup-controller version
#6098 fix: allow deletion of namespace containing managed resources
#6051 fix: pin busybox image tag in helm tests
#6047 fix: replace + with _ in Chart.Version label field
#6046 validate polex activation and namespace
#6030 feat: add missing polex flags
#6020 fix: ns labels matching
#6008 fix: policy match Kind case-sensitive
#5998 chore: log out cleanup policy events
#5988 feat: create warning events on errors for cleanup policies
#5987 fix: generate policy exception events
#5982 feat: create events for cleanup policies
#5980 fix: policy exceptions not working in background mode
#5977 chore: log out deleted resources at default level for cleanup policies
#5974 fix: invoke cleanup process during shutdown
#5967 chore: upload CRDs manifests to GH release
#5966 feat: add cluster role aggregation to cleanup controller
#5965 fix: helm selector
#5960 fix: chart kyverno-policies invalid annotations
#5956 fix: imageRef mismatch
#5950 feat: add more time jmespath filters
#5948 fix: update policy exception CRD description
#5943 fix: cleanup policies with user infos in match/exclude should be rejected
#5941 chore: policy report - improve logging
#5935 test: add kuttl test for policy exception
#5931 fix: missing user info matching
#5928 Fixes time_now failing
#5920 chore: simplify tests workflow
#5914 chore: add missing gh workflow
#5913 fix: golangci-lint workflow
#5910 chore: fix releaser badge
#5909 fix: configure gh workflow permission
#5908 feat: add violation details to report.results.properties for PSa policies
#5907 chore: make check actions pinned by hash a standalone ci job
#5906 fix: mutateExisting - set resourceVersion before update
#5904 fix: cleanup controller - restrict cronjobs by PSS restricted checks
#5897 chore: add setup test env gh action
#5892 chore: add setup-build-env gh action
#5888 fix: use var 'target.*' in cleanup policies
#5886 fix: Configure webhook to add ephemeralcontainers for policies matching on Pod
#5885 chore: use gh composite actions
#5883 chore: small gh workflows improvements
#5881 fix: Add group to subresources declaration in value.yaml file for CLI
#5875 fix validation checks for foreach and nested foreach
#5871 refactor: improve background scan reconciliation
#5870 fix: add missing kuttl assert file
#5865 fix: force background scan recomputation
#5862 fix: incorrect variable substitution request.object.* for mutateExisting policies
#5851 feat: cleanup new validatingwebhooks
#5847 chore: move ConvertToUnstructured from engine utils to kube utils
#5846 fix(chart/kyverno): handle multiple extraArgs in init container
#5844 chore: cleanup a couple workflows
#5843 fix: improve cli help message
#5840 chore: bump a couple of deps
#5839 fix: Add subresources support to policy exceptions
#5835 fix: enum values for ValidationFailureActionOverride
#5834 chore: add a couple unit tests
#5832 fix: default value for validationFailureAction
#5829 chore: cleanup codecov workflow
#5828 refactor: move utils into sub packages
#5824 Adds notes to functions
#5823 Walk back change in PSS policy to send to to_upper
#5819 add source archive checksum into the checksums.txt
#5817 Added a time_add() filter to add duration and absolute time
#5814 Adds JMESPath filter for returning cron expression for absolute time
#5813 Adds JMESPath filter for returning current time
#5810 feat: improve background scan reports enqueue logic
#5808 fix: error handling in last scan time parsing
#5807 fix: background scan events
#5801 fix arguments passed to DeepEqual
#5797 enhance logging, fix pull flag description
#5796 feat: cleanup enhancements-1
#5789 chore: update publicKey description
#5787 fix cli output adjustments
#5782 redirect stderr to get digest successfully
#5776 fix delete policy
#5765 Bump go-plugin
#5762 fix: image digest
#5756 refactor: cleanup controller validating webhook
#5754 refactor: move util funcs in sub packages
#5752 test: add unit test for GetResourceName util
#5751 chore: bump deps including k8s ones
#5750 refactor: remove common package
#5749 refactor: auth package and add full unit test coverage
#5747 refactor: policy controller package
#5746 refactor: remove a couple of old util funcs
#5743 refactor: use typed client in auth
#5742 chore: remove e2e tests
#5740 chore: remove autogen internals tests
#5739 fix: cleanup controller image build
#5737 chore: build cleanup controller image
#5735 feat: generate SLSA provenance on releases
#5733 feat: run conformance tests with different k8s versions
#5732 chore: update k8s versions test grid
#5731 fix: remove all category from all our CRDs
#5729 fix: add rule type "ImageVerify"
#5728 Bump Go 1.19.4
#5727 feat: force background scan regularly
#5721 fix: add back install.yaml manifest
#5719 feat: propagate psa checks results
#5712 feat: add exception logic
#5710 fix: missing assignment in configmap resolver
#5707 feat: add kuttl tests for #5704
#5705 fix: Initializes configmap resolver in background components
#5701 fix info kind error
#5697 fix: exception validation follow up
#5691 refactor: suppress usage of kustomize in build
#5688 chore: bump a couple of deps
#5687 fix: bump log level for autogen debug logs
#5686 chore: remove deprecated flag splitPolicyReport
#5682 chore: remove secrets client from webhook controller
#5681 chore: rename exclude into match in policy exception
#5680 feat: Implement PolicyException
#5679 feat: add policy exception validation webhook
#5678 fix: case where deny message is not a string
#5677 fix: block policy admission if kyverno is down
#5671 feat: add certs controller to cleanup policies
#5668 fix: allow policies from stdin in apply again
#5662 feat: Introduce PolicyException CRD
#5660 use camel case for ForEach naming
#5653 feat: add metrics service and service monitor to cleanup controller
#5647 feat: add dev config with support for prom loki and tempo
#5646 fix: missing permission in cleanup controller role
#5645 fix: grafana dashboard
#5643 refactor: tracing package
#5640 fix: Improve helm-test workflow
#5639 feat: propagate context through engine
#5636 fix AllNotIn operator
#5630 feat: add http clients tracing
#5629 fix: setup tracing and minor cleanup in tracing and metrics code
#5628 feat: improve cleanup policies controller and chart
#5627 Support existing imagePullSecrets for image verify functionality
#5626 feat: add conditions matching to cleanup controller
#5625 feat: introduce v2alpha1
#5624 fix: don't create orphan spans in instrumented clients
#5622 fix: registry client not propagated correctly
#5620 feat: use lister in registry client
#5614 feat: implement cleanup policy matching
#5610 chore: bump a couple of deps
#5609 refactor: improve color and table printer management in cli test command
#5605 Add api docs
#5598 fix: use lister for CA secret
#5596 refactor: registry client
#5594 use helm values for CRD labels
#5593 chore: bump a couple of deps
#5591 fix: replace + symbol with _ symbol on the Chart.Version field
#5590 Fix: handling unexpected global-anchor-variable for the apply command
#5589 Nested foreach
#5580 feat: add cleanup controller BYOSA and RBAC extensions
#5578 chore: bump flux action
#5577 adding --warn-exit-code flag
#5576 feat: add cleanup handler
#5567 chore: disable dependabot auto rebase
#5566 refactor: split CLI jp command
#5552 refactor: cli jp command
#5550 refactor: cli test command
#5544 refactor: jmespath arithmetic operations
#5531 chore: enable dependabot
#5530 Bump SLSA GitHub generator to 1.4.0
#5523 refactor: make policy context immutable and fields private
#5516 fix: pod anti affinity
#5514 fix: cleanup policy validation
#5513 configure opentelemetry logger
#5512 chore: bump a few deps
#5510 chore: use builtin slices.Clone
#5509 chore: improve cleanup controller
#5507 refactor: use internal cmd package in kyverno
#5506 refactor: add controller helper to internal package
#5504 chore: switch to kyverno/kuttl
#5503 chore: bump a couple of deps
#5502 fix: panic when response is nil
#5500 chore: stop using set-output in gh actions
#5497 fix: add image extractor for ReplicationController
#5496 chore: replace utils.ContainsString with builtin slices.Contains
#5495 feat: propagate context in dynamic client
#5494 feat: add controller metrics
#5493 feat: add webhook type to admission metrics
#5492 refactor: move metrics closer to the code that use them
#5489 chore: refactor metrics namespace check
#5484 issue-4613: Add support for cache enhancements with informers
#5482 chore: bump kyverno version in argo lab
#5479 feat: propagate context to the metrics package
#5478 feat: add allowed label to admission metrics
#5477 feat: add dynamic client support to internal cmd package
#5475 refactor: metrics configuration code
#5474 chore: improve tracing instrumented clients
#5473 feat: create a policy utils package
#5472 feat: add new filtering handlers
#5464 feat: use admission review v1
#5463 feat: add engine traces
#5462 fix: remove filtering for policy admission handlers
#5461 feat: support flagsets in internal cmd package
#5460 chore: add instrumented clients codegen verification
#5448 docs: add reports troubleshooting tips
#5446 fix: argocd lab monitoring namespace
#5444 feat: add signal in internal cmd package
#5443 feat: use client funcs from internal cmd package
#5442 feat: improve handlers tracing code
#5440 chore: bump a bunch of deps
#5438 feat: add logging support to instrumented clients
#5437 feat: add discovery support in instrumented clients
#5436 refactor: dynamic client use instrumented clients
#5435 fix: reading policies for oci command and pushing image
#5434 docs: add controllers README
#5428 refactor: improve instrumented clients code and support dynamic/metadata client
#5427 ci: cancel redundant builds of workflow on push
#5423 fix request.operation in globalValues is always set to CREATE
#5419 Update SLSA to v1.3.0
#5417 refactor: improve instrumented clients creation
#5415 fix: typo
#5412 feat: make traces better
#5410 refactor: split argocd lab into multiple steps
#5404 refactor: introduce cmd internal package
#5401 chore: remove obsolete metrics client code
#5398 refactor: generated instrumented client code part 2
#5397 feat: add tracing middleware
#5392 refactor: propagate context through admission handlers
#5391 refactor: improve tracing package
#5385 Add reconciling logic for creating cronjobs whenever a new cleanup policy is created
#5384 fix: the entry length validation for the verify image rule
#5376 chore: bump sigstore deps
#5367 refactor: update otlp packages
#5362 refactor: generate instrumented client code
#5357 chore: add helm ci values with cleanup controller
#5356 fix digest variable
#5351 fix: add some missing options in cleanup helm chart
#5343 test: simplify autogen kuttl tests
#5338 feat: add CleanupPolicy validation code to CleanupPolicyHandler
#5336 fix: add replicaset and replicationController kinds in podsecurity validation
#5329 feat: add cleanup controller to helm chart
#5327 feat: add cleanup controller makefile targets
#5324 chore: remove docker support
#5323 Update SLSA generator workflow to v1.2.2
#5321 adding --audit-warn flag
#5279 feat: add cleanupPolicy validation code
#5248 fix: kyverno Dockerfile base image tag and sha256 hash
#5246 fix: resource schema validation in policies under any/all match
#5243 fix: remove /approve from prow actions
#5242 fix: remove unused code in config
#5233 feat: create cleanup new CRDs
#5228 Fixed description for secret name
#5227 feat: allow list with policies in apply
#5219 fix: add warning when using deprecated validation failure action
#5191 Fix: handled skip rule processing in anyPattern field
#5180 fix: do not cancel context when losing the lead
#5174 refactor: remove policyreport package
#5173 feat: run leader election in loop
#5172 feat: add flag to control leader election frequency
#5170 [Cli Bug] fix cli issue for ownerReferences resources
#5168 [Feature] Pin Dependencies by Hash
#5154 Add ability to use commands in comments
#5152 refactor: support Audit and Enforce validation failure actions
#5146 fix metadata/generateName for mutation
#5134 Corrected Kubernetes spelling
#5123 feat: remove policy mutation for auto-gen rules
#5122 Allows {{image}} var to be used in policies
#5119 Add AGE in printer columns of CRDs
#5106 Fixed issue-5102: Show rule count and type in output
#5026 feat: oci pull/push support for policie(s)
#5024 feat: enable/disable Debug mode which shows entire AdmissionReview payload
#4991 [Feature] create command line option to set failurePolicy globally
#4986 feat: separate webhook rules per GVK
#4975 feat: add replicaset and replicationcontroller to autogen
#4938 added apiCalls support in kyverno-apply command
#4855 Added support to specify key signature algorithm in verifyImages
#4854 feature: use cert extension oid as key
#4733 Fixed issue-4530: Added separate attestor type for secrets and KMS
#4502 To support gitURLs for "apply" command
#4469 validate patchJSON6902
#4268 workflow file updated for slsa provenance generation
#3612 Kyverno CLI: added method to detect duplicate resource in kyverno test
#3491 Integrate Sonarcloud and Nancy github action
