open-policy-agent/gatekeeper v3.10.0

on GitHub

Notable changes

• If you are using Kubernetes v1.25 or later, this release includes removal of Pod Security Policies and migration to Pod Security Admission 🔐
• Mutation is promoted to stable 🦠
• Introducing Validation of Workload Resources as alpha 🚀
• Performance improvements 🏃

Features

• Promote mutation to v1 (#2305) #2305 (Max Smythe)
• Expose options to allow injection of external certificates (#2249) #2249 (Ethan Range)
• Expanding generator resources (#2062) #2062 (davis-haba)
• Return violating resource in pkg/gator/test.Test (#2198) #2198 (Julian Katz)
• Add controllerManager tlsMinVersion option to values (#2289) #2289 (Grace Do)
• Add metric reporting to ExpansionTemplate controller (#2276) #2276 (davis-haba)
• enforcement action override for ExpansionTemplates (#2277) #2277 (davis-haba)
• helm: add topologySpread to controller (#2206) #2206 (Viktor Oreshkin)
• helm: unify and extend hook job pod labels (#2205) #2205 (Viktor Oreshkin)
• helm: add options for hook jobs (#2202) #2202 (Viktor Oreshkin)
• helm: Allow configuration of probe timeouts in Helm Chart (#2220) #2220 (Ethan Range)
• helm: Allow setting annotations for mutating and validating webhook configurations (#2231) #2231 (Ethan Range)
• add audit_last_run_end_time metric (#2235) #2235 (Viktor Oreshkin)
• Add --host as a command line flag (#2227) #2227 (Max Smythe)
• remove PSP and migrate to PSA (#2174) #2174 (Sertaç Özercan)

Bug Fixes

• Ignore all stackdriver errors if --stackdriver-only-when-available is set (#2304) #2304 (Max Smythe)
• fix CVE-2022-27664 (#2310) #2310 (Sertaç Özercan)
• Namespace should be nil for audited cluster-scoped resources (#2243) #2243 (Max Smythe)
• skip empty k8s resources (#2247) #2247 (qa-ship-it)
• helm: Fix "Label exempted namespaces" (#2246) #2246 (Mathieu Parent)
• helm upgrade test (#2263) #2263 (Sertaç Özercan)
• Change 'securityContext/capabilities/drop' from 'all' to 'ALL'. (#2273) #2273 (BoatMisser)
• helm: Fix "Label exempted namespaces" (#2290) #2290 (Zhimin Xiang)
• update website/versions.json (#2175) #2175 (Ernest Wong)
• chart always use v1beta1 as pdb api version (#2164) #2164 (Mingfei Huang)
• Set spec.hard.pod value to string (#1928) #1928 (Ahmed)
• document mutations name matcher (#2168) #2168 (Nicholas Blott)
• helm: helm chart updates for disabling psp and default api for poddisruptionbudget (#2187) #2187 (Boojapho)
• helm: explicitly specify curl in probeWebhook (#2207) #2207 (Viktor Oreshkin)
• Docker related Makefile improvements (#2209) #2209 (Viktor Oreshkin)
• Only set ConstraintTemplate's status.created on success (#2208) #2208 (Viktor Oreshkin)
• sed on specific tag in make release-manifest (#2153) #2153 (Ernest Wong)
• make audit more fault tolerant, log error instead of skipping update (#2162) #2162 (Rita Zhang)

Documentation

• Update default auditChunkSize in readme (#2303) #2303 (Simeon Bobylev)
• enforcement action override in ExpansionTemplate (#2300) #2300 (davis-haba)
• update feature state for alpha and beta things (#2260) #2260 (Rita Zhang)
• add brew install instructions to gator docs (#2255) #2255 (Xander Grzywinski)
• Update library links to point to website (#2264) #2264 (Max Smythe)
• Update contributing guide (#2275) #2275 (Rita Zhang)
• documentation for generator resource expansion feature (#2229) #2229 (davis-haba)
• link to template provider (#2190) #2190 (Sertaç Özercan)
• add fields that are not populated in audit (#2191) #2191 (Rita Zhang)
• add applyTo field for ModifySet in mutation docs (#2056) #2056 (davis-haba)
• add singleton for audit (#2155) #2155 (Rita Zhang)

Performance Improvements

• Upgrade constraint framework to v0.8.0 (#2319) #2319 (Max Smythe)
• Default --max-serving-threads to GOMAXPROCS (#2216) #2216 (Max Smythe)

Continuous Integration

• bump trivy to 0.32.1 (#2312) #2312 (Sertaç Özercan)
• bump e2e k8s version (#2258) #2258 (Sertaç Özercan)
• add stale bot config (#2183) #2183 (Sertaç Özercan)

Chores

• bump github/codeql-action from 2.1.25 to 2.1.26 (#2306) #2306 (dependabot[bot])
• bump github/codeql-action from 2.1.19 to 2.1.20 (#2244) #2244 (dependabot[bot])
• bump github/codeql-action from 2.1.20 to 2.1.22 (#2251) #2251 (dependabot[bot])
• bump contrib.go.opencensus.io/exporter/prometheus from 0.4.1 to 0.4.2 (#2250) #2250 (dependabot[bot])
• bump @docusaurus/core from 2.0.1 to 2.1.0 in /website (#2253) #2253 (dependabot[bot])
• bump @docusaurus/preset-classic from 2.0.1 to 2.1.0 in /website (#2254) #2254 (dependabot[bot])
• updates gatekeeper website reference (#2257) #2257 (Nilekh Chaudhari)
• bump github.com/google/go-cmp from 0.5.8 to 0.5.9 (#2259) #2259 (dependabot[bot])
• bump github/codeql-action from 2.1.22 to 2.1.23 (#2265) #2265 (dependabot[bot])
• bump k8s.io/client-go from 0.24.4 to 0.24.5 (#2267) #2267 (dependabot[bot])
• bump contrib.go.opencensus.io/exporter/stackdriver from 0.13.13 to 0.13.14 (#2269) #2269 (dependabot[bot])
• bump github/codeql-action from 2.1.23 to 2.1.24 (#2274) #2274 (dependabot[bot])
• bump k8s.io/client-go from 0.24.5 to 0.24.6 (#2284) #2284 (dependabot[bot])
• bump github/codeql-action from 2.1.24 to 2.1.25 (#2281) #2281 (dependabot[bot])
• bump k8s.io/client-go from 0.24.2 to 0.24.3 (#2178) #2178 (dependabot[bot])
• bump frameworks to b0dbc52 (#2179) #2179 (Sertaç Özercan)
• bump terser from 5.12.1 to 5.14.2 in /website (#2180) #2180 (dependabot[bot])
• Run trivy scan on git repository and update version (#2169) #2169 (Juan Antonio Osorio)
• update stale tag (#2189) #2189 (Sertaç Özercan)
• bump github/codeql-action from 2.1.16 to 2.1.17 (#2199) #2199 (dependabot[bot])
• bump @docusaurus/core from 2.0.0-rc.1 to 2.0.1 in /website (#2210) #2210 (dependabot[bot])
• bump @docusaurus/preset-classic from 2.0.0-rc.1 to 2.0.1 in /website (#2211) #2211 (dependabot[bot])
• use volume mounts for tests (#2213) #2213 (Viktor Oreshkin)
• bump github/codeql-action from 2.1.17 to 2.1.18 (#2217) #2217 (dependabot[bot])
• bump ci to Go 1.19 (#2222) #2222 (Sertaç Özercan)
• bump github/codeql-action from 2.1.18 to 2.1.19 (#2233) #2233 (dependabot[bot])
• update audit duration buckets (#2234) #2234 (Viktor Oreshkin)
• bump github.com/emicklei/go-restful from v2.15.0 to v2.16.0 (#2240) #2240 (MIchael Steputat)
• bump k8s.io/apimachinery from 0.24.3 to 0.24.4 (#2236) #2236 (dependabot[bot])
• bump k8s.io/client-go from 0.24.3 to 0.24.4 (#2237) #2237 (dependabot[bot])
• bump @docusaurus/core from 2.0.0-beta.21 to 2.0.0-beta.22 in /website (#2157) #2157 (dependabot[bot])
• bump @docusaurus/preset-classic from 2.0.0-beta.21 to 2.0.0-beta.22 in /website (#2156) #2156 (dependabot[bot])
• bump k8s.io/klog/v2 from 2.70.0 to 2.70.1 (#2159) #2159 (dependabot[bot])
• bump sigs.k8s.io/controller-runtime from 0.12.2 to 0.12.3 (#2158) #2158 (dependabot[bot])
• bump github/codeql-action from 2.1.15 to 2.1.16 (#2167) #2167 (dependabot[bot])
• bump @docusaurus/core from 2.0.0-beta.22 to 2.0.0-rc.1 in /website (#2170) #2170 (dependabot[bot])
• bump @docusaurus/preset-classic from 2.0.0-beta.22 to 2.0.0-rc.1 in /website (#2171) #2171 (dependabot[bot])

New Contributors

• @max0ne made their first contribution in #2164
• @OpenSourceZombie made their first contribution in #1928
• @JAORMX made their first contribution in #2169
• @Boojapho made their first contribution in #2187
• @ethanrange made their first contribution in #2220
• @stp-bsh made their first contribution in #2240
• @qa-ship-it made their first contribution in #2247
• @salaxander made their first contribution in #2255
• @boatmisser made their first contribution in #2273
• @gracedo made their first contribution in #2289
• @meons made their first contribution in #2303

Full Changelog: v3.9.0...v3.10.0