Notable changes
- If you are using Kubernetes v1.25 or later, this release includes removal of Pod Security Policies and migration to Pod Security Admission 🔐
- Mutation is promoted to stable 🦠
- Introducing Validation of Workload Resources as alpha 🚀
- Performance improvements 🏃
Features
- Promote mutation to v1 (#2305) (Max Smythe)
- Expose options to allow injection of external certificates (#2249) (Ethan Range)
- Expanding generator resources (#2062) (davis-haba)
- Return violating resource in pkg/gator/test.Test (#2198) (Julian Katz)
- Add controllerManager tlsMinVersion option to values (#2289) (Grace Do)
- Add metric reporting to ExpansionTemplate controller (#2276) (davis-haba)
- enforcement action override for ExpansionTemplates (#2277) (davis-haba)
- helm: add topologySpread to controller (#2206) (Viktor Oreshkin)
- helm: unify and extend hook job pod labels (#2205) (Viktor Oreshkin)
- helm: add options for hook jobs (#2202) (Viktor Oreshkin)
- helm: Allow configuration of probe timeouts in Helm Chart (#2220) (Ethan Range)
- helm: Allow setting annotations for mutating and validating webhook configurations (#2231) (Ethan Range)
- add audit_last_run_end_time metric (#2235) (Viktor Oreshkin)
- Add --host as a command line flag (#2227) (Max Smythe)
- remove PSP and migrate to PSA (#2174) (Sertaç Özercan)
Bug Fixes
- Ignore all stackdriver errors if --stackdriver-only-when-available is set (#2304) (Max Smythe)
- fix CVE-2022-27664 (#2310) (Sertaç Özercan)
- Namespace should be nil for audited cluster-scoped resources (#2243) (Max Smythe)
- skip empty k8s resources (#2247) (qa-ship-it)
- helm: Fix "Label exempted namespaces" (#2246) (Mathieu Parent)
- helm upgrade test (#2263) (Sertaç Özercan)
- Change 'securityContext/capabilities/drop' from 'all' to 'ALL'. (#2273) (BoatMisser)
- helm: Fix "Label exempted namespaces" (#2290) (Zhimin Xiang)
- update website/versions.json (#2175) (Ernest Wong)
- chart always use v1beta1 as pdb api version (#2164) (Mingfei Huang)
- Set spec.hard.pod value to string (#1928) (Ahmed)
- document mutations name matcher (#2168) (Nicholas Blott)
- helm: helm chart updates for disabling psp and default api for poddisruptionbudget (#2187) (Boojapho)
- helm: explicitly specify curl in probeWebhook (#2207) (Viktor Oreshkin)
- Docker related Makefile improvements (#2209) (Viktor Oreshkin)
- Only set ConstraintTemplate's status.created on success (#2208) (Viktor Oreshkin)
- sed on specific tag in `make release-manifest` (#2153) (Ernest Wong)
- make audit more fault tolerant, log error instead of skipping update (#2162) (Rita Zhang)
Documentation
- Update default auditChunkSize in readme (#2303) (Simeon Bobylev)
- enforcement action override in ExpansionTemplate (#2300) (davis-haba)
- update feature state for alpha and beta things (#2260) (Rita Zhang)
- add brew install instructions to gator docs (#2255) (Xander Grzywinski)
- Update library links to point to website (#2264) (Max Smythe)
- Update contributing guide (#2275) (Rita Zhang)
- documentation for generator resource expansion feature (#2229) (davis-haba)
- link to template provider (#2190) (Sertaç Özercan)
- add fields that are not populated in audit (#2191) (Rita Zhang)
- add applyTo field for ModifySet in mutation docs (#2056) (davis-haba)
- add singleton for audit (#2155) (Rita Zhang)
Performance Improvements
- Upgrade constraint framework to v0.8.0 (#2319) (Max Smythe)
- Default --max-serving-threads to GOMAXPROCS (#2216) (Max Smythe)
Continuous Integration
- bump trivy to 0.32.1 (#2312) (Sertaç Özercan)
- bump e2e k8s version (#2258) (Sertaç Özercan)
- add stale bot config (#2183) (Sertaç Özercan)
Chores
- bump github/codeql-action from 2.1.25 to 2.1.26 (#2306) (dependabot[bot])
- bump github/codeql-action from 2.1.19 to 2.1.20 (#2244) (dependabot[bot])
- bump github/codeql-action from 2.1.20 to 2.1.22 (#2251) (dependabot[bot])
- bump contrib.go.opencensus.io/exporter/prometheus from 0.4.1 to 0.4.2 (#2250) (dependabot[bot])
- bump @docusaurus/core from 2.0.1 to 2.1.0 in /website (#2253) (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.1 to 2.1.0 in /website (#2254) (dependabot[bot])
- updates gatekeeper website reference (#2257) (Nilekh Chaudhari)
- bump github.com/google/go-cmp from 0.5.8 to 0.5.9 (#2259) (dependabot[bot])
- bump github/codeql-action from 2.1.22 to 2.1.23 (#2265) (dependabot[bot])
- bump k8s.io/client-go from 0.24.4 to 0.24.5 (#2267) (dependabot[bot])
- bump contrib.go.opencensus.io/exporter/stackdriver from 0.13.13 to 0.13.14 (#2269) (dependabot[bot])
- bump github/codeql-action from 2.1.23 to 2.1.24 (#2274) (dependabot[bot])
- bump k8s.io/client-go from 0.24.5 to 0.24.6 (#2284) (dependabot[bot])
- bump github/codeql-action from 2.1.24 to 2.1.25 (#2281) (dependabot[bot])
- bump k8s.io/client-go from 0.24.2 to 0.24.3 (#2178) (dependabot[bot])
- bump frameworks to b0dbc52 (#2179) (Sertaç Özercan)
- bump terser from 5.12.1 to 5.14.2 in /website (#2180) (dependabot[bot])
- Run trivy scan on git repository and update version (#2169) (Juan Antonio Osorio)
- update stale tag (#2189) (Sertaç Özercan)
- bump github/codeql-action from 2.1.16 to 2.1.17 (#2199) (dependabot[bot])
- bump @docusaurus/core from 2.0.0-rc.1 to 2.0.1 in /website (#2210) (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-rc.1 to 2.0.1 in /website (#2211) (dependabot[bot])
- use volume mounts for tests (#2213) (Viktor Oreshkin)
- bump github/codeql-action from 2.1.17 to 2.1.18 (#2217) (dependabot[bot])
- bump ci to Go 1.19 (#2222) (Sertaç Özercan)
- bump github/codeql-action from 2.1.18 to 2.1.19 (#2233) (dependabot[bot])
- update audit duration buckets (#2234) (Viktor Oreshkin)
- bump github.com/emicklei/go-restful from v2.15.0 to v2.16.0 (#2240) (MIchael Steputat)
- bump k8s.io/apimachinery from 0.24.3 to 0.24.4 (#2236) (dependabot[bot])
- bump k8s.io/client-go from 0.24.3 to 0.24.4 (#2237) (dependabot[bot])
- bump @docusaurus/core from 2.0.0-beta.21 to 2.0.0-beta.22 in /website (#2157) (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-beta.21 to 2.0.0-beta.22 in /website (#2156) (dependabot[bot])
- bump k8s.io/klog/v2 from 2.70.0 to 2.70.1 (#2159) (dependabot[bot])
- bump sigs.k8s.io/controller-runtime from 0.12.2 to 0.12.3 (#2158) (dependabot[bot])
- bump github/codeql-action from 2.1.15 to 2.1.16 (#2167) (dependabot[bot])
- bump @docusaurus/core from 2.0.0-beta.22 to 2.0.0-rc.1 in /website (#2170) (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-beta.22 to 2.0.0-rc.1 in /website (#2171) (dependabot[bot])
New Contributors
- @max0ne made their first contribution in #2164
- @OpenSourceZombie made their first contribution in #1928
- @JAORMX made their first contribution in #2169
- @Boojapho made their first contribution in #2187
- @ethanrange made their first contribution in #2220
- @stp-bsh made their first contribution in #2240
- @qa-ship-it made their first contribution in #2247
- @salaxander made their first contribution in #2255
- @boatmisser made their first contribution in #2273
- @gracedo made their first contribution in #2289
- @meons made their first contribution in #2303
Full Changelog: v3.9.0...v3.10.0