open-policy-agent/gatekeeper v3.21.0

on GitHub

🚀 Notable Changes

• 🛠️ New flag: sync-vap-enforcement has been introduced to unify the ValidatingAdmissionPolicy(VAP) enforcement surface with the ConstraintTemplate enforcement surface. This syncs VAP resource scope with Gatekeeper's ValidatingWebhookConfigurations, Config resource exclusions, and exempt-namespace–based exemptions. This improves enforcement consistency across all policy mechanisms.
• 🧩 Granular Operation-Level Controls for ConstraintTemplates: ConstraintTemplates now support defining operations on which a template should be enforced (e.g., CREATE, UPDATE, DELETE).
• 📈 Enhanced Metrics & Status for External Data (Provider API): Added new metrics and status reporting for the External Data / Provider API feature, improving observability and overall user experience when integrating external data sources into policy evaluation.

Features

• Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
• gator verify - support multiple expansions for per test case (#3981) #3981 (Halvdan Hoem Grelland)
• Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
• External data status metrics (#4115) #4115 (Jaydip Gabani)
• Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
• support DELETE operation type when generate VAP (#4030) #4030 (DahuK)

Bug Fixes

• spelling errors in deprecated documentation (#4138) #4138 (Copilot)
• updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
• Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
• Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
• load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)

Documentation

• update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
• add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
• adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)

Continuous Integration

• adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)

Chores

• Prepare v3.21.0 release (#4247) #4247 (github-actions[bot])
• bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
• bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
• updating k8s version and dep verions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
• bump golang from ef8c5c7 to 2679c15 in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
• bump frameworks (#4104) #4104 (Noah Reisch)
• updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
• bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
• bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])
• bump the all group across 1 directory with 8 updates (#4127) #4127 (dependabot[bot])
• bump github.com/onsi/gomega from 1.38.0 to 1.38.1 (#4126) #4126 (dependabot[bot])
• bump the k8s group with 5 updates (#4111) #4111 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-reader (#4091) #4091 (dependabot[bot])
• bump kubectl from v1.33.3 to v1.33.4 (#4107) #4107 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 (#4096) #4096 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm (#4108) #4108 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-reader (#4114) #4114 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-subscriber (#4093) #4093 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-subscriber (#4112) #4112 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/externaldata/dummy-provider (#4113) #4113 (dependabot[bot])
• Patch docs for 3.20.1 release (#4134) #4134 (github-actions[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/image (#4110) #4110 (dependabot[bot])
• bump golang from 81dc45d to 6ad9415 in /test/export/fake-subscriber (#4146) #4146 (dependabot[bot])
• bump golang from 81dc45d to 6ad9415 in /test/export/fake-reader (#4145) #4145 (dependabot[bot])
• bump golang from 81dc45d to 6ad9415 in /test/image (#4144) #4144 (dependabot[bot])
• bump golang from 81dc45d to 6ad9415 (#4143) #4143 (dependabot[bot])
• bump the all group with 5 updates (#4142) #4142 (dependabot[bot])
• bump golang from 81dc45d to 6ad9415 in /test/externaldata/dummy-provider (#4141) #4141 (dependabot[bot])
• bump distroless/static-debian12 from 2e114d2 to f2ff10a in /test/externaldata/dummy-provider (#4140) #4140 (dependabot[bot])
• remove deprecated PodSecurityPolicy from helm chart (#4131) #4131 (Tyler Owens)
• bump golang from 6ad9415 to c4bc074 in /test/image (#4163) #4163 (dependabot[bot])
• bump distroless/static-debian12 from f2ff10a to 87bce11 in /test/export/fake-reader (#4161) #4161 (dependabot[bot])
• bump golang from 6ad9415 to c4bc074 in /test/export/fake-reader (#4160) #4160 (dependabot[bot])
• bump distroless/static-debian12 from f2ff10a to 87bce11 in /test/export/fake-subscriber (#4159) #4159 (dependabot[bot])
• bump golang from 6ad9415 to c4bc074 in /test/export/fake-subscriber (#4158) #4158 (dependabot[bot])
• bump golang from 6ad9415 to c4bc074 (#4157) #4157 (dependabot[bot])
• bump distroless/static-debian12 from f2ff10a to 87bce11 (#4162) #4162 (dependabot[bot])
• bump golang from 08c8ac4 to c4bc074 in /test/externaldata/dummy-provider (#4154) #4154 (dependabot[bot])
• bump google.golang.org/protobuf from 1.36.8 to 1.36.9 (#4153) #4153 (dependabot[bot])
• bump kubectl from v1.34.0 to v1.34.1 (#4152) #4152 (dependabot[bot])
• bump google.golang.org/grpc from 1.74.2 to 1.74.3 (#4156) #4156 (dependabot[bot])
• bump the k8s group with 5 updates (#4151) #4151 (dependabot[bot])
• support cert rotation for multiple whcs (#4139) #4139 (Anlan Du)
• bump the all group with 6 updates (#4169) #4169 (dependabot[bot])
• bump algoliasearch-helper from 3.10.0 to 3.26.0 in /website (#4171) #4171 (dependabot[bot])
• bump the all group across 1 directory with 5 updates (#4186) #4186 (dependabot[bot])
• remove go.uber.org/automaxprocs (#4172) #4172 (Eng Zer Jun)
• bump golang from c8c8d55 to 61226c6 in /test/externaldata/dummy-provider (#4181) #4181 (dependabot[bot])
• bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2 (#4175) #4175 (dependabot[bot])
• bump the all group across 1 directory with 3 updates (#4196) #4196 (dependabot[bot])
• bump oras.land/oras-go from 1.2.5 to 1.2.7 (#4191) #4191 (dependabot[bot])
• bump golang from c8c8d55 to 61226c6 in /build/tooling (#4180) #4180 (dependabot[bot])
• bump golang from ec34da7 to 7534a62 in /test/externaldata/dummy-provider (#4195) #4195 (dependabot[bot])
• bump golang from c8c8d55 to 61226c6 in /test/image (#4178) #4178 (dependabot[bot])
• bumping frameworks and k8s to 0.34.1 (#4199) #4199 (Jaydip Gabani)
• bump golang from c8c8d55 to 61226c6 (#4179) #4179 (dependabot[bot])
• bump google.golang.org/protobuf from 1.36.9 to 1.36.10 (#4176) #4176 (dependabot[bot])
• bump golang from c8c8d55 to 61226c6 in /test/export/fake-subscriber (#4183) #4183 (dependabot[bot])
• bump golang from c8c8d55 to 61226c6 in /test/export/fake-reader (#4182) #4182 (dependabot[bot])
• bump golang from 61226c6 to 7534a62 in /build/tooling (#4210) #4210 (dependabot[bot])
• bump the all group with 2 updates (#4209) #4209 (dependabot[bot])
• bumping frameworks (#4208) #4208 (Jaydip Gabani)
• bumping cert-controller (#4213) #4213 (Jaydip Gabani)
• Prepare v3.21.0-rc.0 release (#4214) #4214 (github-actions[bot])