open-policy-agent/gatekeeper v3.22.0-rc.0

on GitHub

🚀 Notable Changes

• 🏷️ Namespace support for CEL and Rego engines: CEL expressions can now access namespaceObject and Rego policies can access input.namespace for namespace-scoped policy decisions during both admission and audit (#4285)
• ⚡ gator bench — policy performance benchmarking: New CLI command to benchmark Rego and CEL engines with latency percentiles, throughput metrics, memory profiling, concurrent load testing, and baseline comparison for CI/CD regression detection (#4287)
• 📋 gator policy — brew-inspired policy management: New CLI for discovering, installing, upgrading, and uninstalling policies from the gatekeeper-library with support for bundles (e.g., pod-security-baseline), enforcement overrides, and dry-run previews (#4331)
• ✅ sync-vap-enforcement-scope now enabled by default: The flag for syncing ValidatingAdmissionPolicy enforcement scope is now true by default, ensuring VAP resources reflect constraint enforcement actions out of the box (#4332)
• 🔇 Disable audit sidecar support: Users who have their own log monitoring (e.g., OTel collector) can now disable the forced fake-reader sidecar when audit file-based logging is enabled (#4280)
• 🌐 Out-of-cluster / remote cluster support: New --enable-remote-cluster flag allows Gatekeeper to run outside the target cluster (e.g., nested/hosted control planes), fixing a crash when the Gatekeeper pod doesn't exist in the managed cluster (#4368)
• ⏱️ External data provider timeout enforcement: Mutation-path requests to external data providers now enforce the provider's configured timeout (default 5s), preventing unbounded requests that could outlive the webhook timeout and cause resource exhaustion (#4351)

Features

• Support disabling audit sidecar (#4280) #4280 (Jorge Turrado Ferrero)
• add namespace support for CEL and Rego engines (#4285) #4285 (Jaydip Gabani)
• Support metrics backend configuration options to helm chart (#4282) #4282 (Jorge Turrado Ferrero)
• set sync-vap-enforcement-scope flag to true (#4332) #4332 (abhisheksheth28)
• support print statement in gator (#2949) (#3872) #3872 (Julian)
• add gator bench command for policy performance benchmarking (#4287) #4287 (Sertaç Özercan)
• gator policy (#4331) #4331 (Sertaç Özercan)

Bug Fixes

• Refactor retries for disk driver failed connection removal to be exponential. (#4257) #4257 (devivasudevan)
• remove deprecated spec.preserveUnknownFields (#4276) #4276 (Mohamed Meskine)
• updating expansion templates to add owner ref in expanded resources (#4262) #4262 (Jaydip Gabani)
• chart: Merge namespace exemption labels to fix GKE recommendation (#4348) #4348 (Oliver Karstoft)
• enforce timeout on external data provider requests (#4351) #4351 (Jaydip Gabani)
• run gatekeeper out of bounds (#4368) #4368 (abhisheksheth28)
• thread webhook context through external data mutation requests (#4378) #4378 (Edvin N)
• add missing flags as helm values (#4385) #4385 (abhisheksheth28)

Documentation

• add field precedence documentation for ConstraintTemplate (#4246) #4246 (Copilot)
• adding jfrog provide to external data (#4357) #4357 (carmit hershman)

Continuous Integration

• add Slack meeting reminder workflow for OPA Gatekeeper weekly meetings (#4277) #4277 (Copilot)

Chores

• bumping kubectl to resolve CVEs (#4248) #4248 (Jaydip Gabani)
• bump go.uber.org/zap from 1.27.0 to 1.27.1 (#4263) #4263 (dependabot[bot])
• bump golang from 728cbef to a02d35e in /test/export/fake-reader (#4264) #4264 (dependabot[bot])
• bump golang from 728cbef to a02d35e in /test/externaldata/dummy-provider (#4265) #4265 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e in /test/image (#4266) #4266 (dependabot[bot])
• bump the all group with 4 updates (#4269) #4269 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e (#4270) #4270 (dependabot[bot])
• bump node-forge from 1.3.1 to 1.3.2 in /website (#4274) #4274 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e in /test/export/fake-subscriber (#4267) #4267 (dependabot[bot])
• bump the all group with 2 updates (#4275) #4275 (dependabot[bot])
• migrate from deprecated stale bot app to GitHub Actions stale action (#4245) #4245 (Copilot)
• bump express from 4.21.0 to 4.22.1 in /website (#4278) #4278 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e in /build/tooling (#4268) #4268 (dependabot[bot])
• bump golang from a02d35e to 4f9d98e in /test/export/fake-reader (#4300) #4300 (dependabot[bot])
• bump distroless/static-debian12 from 87bce11 to 4b2a093 in /test/export/fake-reader (#4299) #4299 (dependabot[bot])
• bump distroless/static-debian12 from 87bce11 to 4b2a093 (#4291) #4291 (dependabot[bot])
• bump golang from a02d35e to 4f9d98e in /test/image (#4296) #4296 (dependabot[bot])
• remove vendor (#4201) #4201 (Sertaç Özercan)
• bump golang from a02d35e to 4f9d98e in /test/externaldata/dummy-provider (#4292) #4292 (dependabot[bot])
• bump distroless/static-debian12 from 87bce11 to 4b2a093 in /test/externaldata/dummy-provider (#4293) #4293 (dependabot[bot])
• bump golang from a02d35e to 4f9d98e (#4294) #4294 (dependabot[bot])
• bump golang from a02d35e to 4f9d98e in /test/export/fake-subscriber (#4298) #4298 (dependabot[bot])
• bump distroless/static-debian12 from 87bce11 to 4b2a093 in /test/export/fake-subscriber (#4297) #4297 (dependabot[bot])
• bump the all group across 1 directory with 8 updates (#4304) #4304 (dependabot[bot])
• bump github.com/spf13/cobra from 1.10.1 to 1.10.2 (#4290) #4290 (dependabot[bot])
• bump golang from 4f9d98e to 8e8f9c8 in /test/export/fake-reader (#4316) #4316 (dependabot[bot])
• bump golang from b669435 to 8e8f9c8 in /test/image (#4314) #4314 (dependabot[bot])
• bump golang from 5d35fb8 to 8e8f9c8 in /test/export/fake-subscriber (#4315) #4315 (dependabot[bot])
• bump the all group with 3 updates (#4313) #4313 (dependabot[bot])
• bump golang from 5d35fb8 to 8e8f9c8 (#4311) #4311 (dependabot[bot])
• bump golang from 5d35fb8 to 8e8f9c8 in /test/externaldata/dummy-provider (#4310) #4310 (dependabot[bot])
• bump kubectl from v1.34.2 to v1.34.3 (#4312) #4312 (dependabot[bot])
• bump golang from 4f9d98e to 8e8f9c8 in /build/tooling (#4309) #4309 (dependabot[bot])
• bump github.com/onsi/gomega from 1.38.2 to 1.38.3 (#4308) #4308 (dependabot[bot])
• Update metrics docs to clarify different metrics backends (#4281) #4281 (Jorge Turrado Ferrero)
• bump the k8s group with 5 updates (#4306) #4306 (dependabot[bot])
• bump google.golang.org/protobuf from 1.36.10 to 1.36.11 (#4307) #4307 (dependabot[bot])
• bump qs from 6.14.0 to 6.14.1 in /website (#4321) #4321 (dependabot[bot])
• bump golang from 8e8f9c8 to ef151f0 in /test/export/fake-subscriber (#4328) #4328 (dependabot[bot])
• bump golang from 8e8f9c8 to ef151f0 in /test/export/fake-reader (#4327) #4327 (dependabot[bot])
• bump crate-ci/typos from 1.40.0 to 1.41.0 in the all group (#4326) #4326 (dependabot[bot])
• bump golang from 8e8f9c8 to ef151f0 in /test/externaldata/dummy-provider (#4325) #4325 (dependabot[bot])
• bump golang from 8e8f9c8 to ef151f0 in /test/image (#4324) #4324 (dependabot[bot])
• bump golang from 8e8f9c8 to ef151f0 (#4323) #4323 (dependabot[bot])
• bump golang from 8e8f9c8 to ef151f0 in /build/tooling (#4322) #4322 (dependabot[bot])
• Move to maintained yaml library (#4227) #4227 (Manuel Rüger)
• bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#4254) #4254 (dependabot[bot])
• bump distroless/static-debian12 from 4b2a093 to cd64bec in /test/export/fake-subscriber (#4338) #4338 (dependabot[bot])
• bump distroless/static-debian12 from 4b2a093 to cd64bec in /test/export/fake-reader (#4337) #4337 (dependabot[bot])
• bump the all group across 1 directory with 3 updates (#4339) #4339 (dependabot[bot])
• bump distroless/static-debian12 from 4b2a093 to cd64bec in /test/externaldata/dummy-provider (#4334) #4334 (dependabot[bot])
• bump go.yaml.in/yaml/v2 from 2.4.2 to 2.4.3 (#4333) #4333 (dependabot[bot])
• bump distroless/static-debian12 from 4b2a093 to cd64bec (#4335) #4335 (dependabot[bot])
• bump golang from ef151f0 to 04741b0 in /test/export/fake-reader (#4345) #4345 (dependabot[bot])
• bump the all group across 1 directory with 3 updates (#4347) #4347 (dependabot[bot])
• bump golang from ef151f0 to 04741b0 in /build/tooling (#4342) #4342 (dependabot[bot])
• bump golang from ef151f0 to 04741b0 (#4341) #4341 (dependabot[bot])
• bump golang from ef151f0 to 04741b0 in /test/export/fake-subscriber (#4346) #4346 (dependabot[bot])
• bump golang from ef151f0 to 04741b0 in /test/externaldata/dummy-provider (#4343) #4343 (dependabot[bot])
• bump lodash from 4.17.21 to 4.17.23 in /website (#4349) #4349 (dependabot[bot])
• bump golang from ef151f0 to 04741b0 in /test/image (#4340) #4340 (dependabot[bot])
• bump sigs.k8s.io/controller-runtime from 0.22.4 to 0.22.5 in the k8s group (#4352) #4352 (dependabot[bot])
• bump golang from 04741b0 to fb4b74a in /test/export/fake-reader (#4353) #4353 (dependabot[bot])
• bump the all group across 1 directory with 5 updates (#4355) #4355 (dependabot[bot])
• bumping frameworks (#4356) #4356 (Jaydip Gabani)
• bump the all group with 3 updates (#4363) #4363 (dependabot[bot])
• bump github.com/onsi/gomega from 1.39.0 to 1.39.1 (#4362) #4362 (dependabot[bot])
• Patch docs for 3.21.1 release (#4369) #4369 (github-actions[bot])
• adding metrics for VAP integration (#4317) #4317 (Jaydip Gabani)
• bump golang from fb4b74a to dfdd969 in /test/export/fake-subscriber (#4377) #4377 (dependabot[bot])
• bump the all group with 4 updates (#4375) #4375 (dependabot[bot])
• bump golang from fb4b74a to dfdd969 in /test/export/fake-reader (#4376) #4376 (dependabot[bot])
• bump golang from fb4b74a to dfdd969 (#4374) #4374 (dependabot[bot])
• bump golang from fb4b74a to dfdd969 in /test/externaldata/dummy-provider (#4373) #4373 (dependabot[bot])
• bump webpack from 5.95.0 to 5.105.0 in /website (#4370) #4370 (dependabot[bot])
• bump golang from fb4b74a to dfdd969 in /test/image (#4372) #4372 (dependabot[bot])
• bump golang from fb4b74a to dfdd969 in /build/tooling (#4371) #4371 (dependabot[bot])
• bump qs from 6.14.1 to 6.14.2 in /website (#4384) #4384 (dependabot[bot])
• bump distroless/static-debian12 from cd64bec to 20bc6c0 (#4386) #4386 (dependabot[bot])
• bump kubectl from v1.35.0 to v1.35.1 (#4387) #4387 (dependabot[bot])
• bump golang from 1.25-trixie to 1.26-trixie in /test/externaldata/dummy-provider (#4388) #4388 (dependabot[bot])
• bump distroless/static-debian12 from cd64bec to 20bc6c0 in /test/externaldata/dummy-provider (#4389) #4389 (dependabot[bot])
• bump golang from 1.25-trixie to 1.26-trixie (#4390) #4390 (dependabot[bot])
• bump the k8s group with 5 updates (#4391) #4391 (dependabot[bot])
• bump distroless/static-debian12 from cd64bec to 20bc6c0 in /test/export/fake-subscriber (#4393) #4393 (dependabot[bot])
• bump golang from 1.25-trixie to 1.26-trixie in /test/export/fake-reader (#4394) #4394 (dependabot[bot])
• bump golang from 1.25-trixie to 1.26-trixie in /test/export/fake-subscriber (#4395) #4395 (dependabot[bot])
• bump distroless/static-debian12 from cd64bec to 20bc6c0 in /test/export/fake-reader (#4396) #4396 (dependabot[bot])
• bump the all group across 1 directory with 4 updates (#4398) #4398 (dependabot[bot])
• parallelize unit-test CI into coverage, race, and bench jobs, update GH runners (#4397) #4397 (Jaydip Gabani)
• bumping otel to 1.40 to fix GO-2026-4394 (#4404) #4404 (Jaydip Gabani)
• bump the all group with 6 updates (#4403) #4403 (dependabot[bot])
• bumping opa to 1.13.2 and frameworks to latest (#4406) #4406 (Jaydip Gabani)
• bumping-cert-controller to latest (#4405) #4405 (Jaydip Gabani)
• Prepare v3.22.0-rc.0 release (#4407) #4407 (github-actions[bot])