kyverno/kyverno
### [`v1.9.0`](https://togithub.com/kyverno/kyverno/blob/HEAD/CHANGELOG.md#v190-rc1)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.8.5...v1.9.0)
##### Note
- Flag `backgroundScanInterval` was added to force background scans at regular intervals (default value is `1h`).
- Flag `splitPolicyReport` was removed; it was unused and marked for removal in 1.9.
- Webhook is no longer updated to match `pods/ephemeralcontainers` when policy only specifies `pods`. If users want to match on `pods/ephemeralcontainers`, they must specify `pods/ephemeralcontainers` in the policy.
- Webhook is no longer updated to match `services/status` when policy only specifies `services`. If users want to match on `services/status`, they must specify `services/status` in the policy.
- Flag `autogenInternals` was removed; policy mutation has been removed.
- Flag `leaderElectionRetryPeriod` was added to control leader election renewal frequency (default value is `2s`).
- Upper-case `Audit` and `Enforce` are now supported in `.spec.validationFailureAction` of the Kyverno policy; the failure actions `audit` and `enforce` are deprecated and will be removed in `v1.11.0`.
- Flag `profileAddress` was added to configure address of profiling server (default value is `""`).
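
An upgrade check for the 1.9.0 notes above, as an added example that is not part of the Kyverno changelog or project code: it reads policies exported as JSON and flags the deprecated lowercase `validationFailureAction` values, plus rules that name pods or services without the subresource the webhook no longer matches implicitly. The `Pod/ephemeralcontainers` kind spelling, the sample policies and the finding codes are assumptions made for illustration.

```python
"""Pre-upgrade audit of Kyverno policies against the v1.9.0 release notes.

Input is the JSON form of the policies (for example the output of
`kubectl get clusterpolicy -o json`); the sample below is constructed.
"""
import json

# Lowercase values the 1.9.0 notes mark as deprecated, with their replacement.
DEPRECATED_ACTIONS = {"audit": "Audit", "enforce": "Enforce"}

# (accepted parent spellings, subresource, finding code).
# Assumption: kinds are compared case-insensitively so that both the
# changelog's `pods/ephemeralcontainers` and `Pod/ephemeralcontainers` count.
SUBRESOURCE_RULES = [
    ({"pod", "pods"}, "ephemeralcontainers", "pods-without-ephemeralcontainers"),
    ({"service", "services"}, "status", "services-without-status"),
]


def rule_kinds(rule):
    """Collect every kind named in a rule's match block, split on '/'."""
    match = rule.get("match") or {}
    blocks = [match] + (match.get("any") or []) + (match.get("all") or [])
    kinds = []
    for block in blocks:
        kinds.extend((block.get("resources") or {}).get("kinds") or [])
    return [k.lower().split("/") for k in kinds]


def audit_policy(policy):
    """Return (policy, rule, code) findings for one policy object."""
    name = (policy.get("metadata") or {}).get("name", "<unnamed>")
    spec = policy.get("spec") or {}
    findings = []

    if spec.get("validationFailureAction") in DEPRECATED_ACTIONS:
        findings.append((name, None, "deprecated-failure-action"))

    for rule in spec.get("rules") or []:
        kinds = rule_kinds(rule)
        for parents, sub, code in SUBRESOURCE_RULES:
            has_parent = any(k[-1] in parents for k in kinds)
            has_sub = any(
                len(k) >= 2 and k[-1] == sub and k[-2] in parents for k in kinds
            )
            # The parent alone no longer implies the subresource in 1.9.0,
            # so the rule stops seeing requests made to that subresource.
            if has_parent and not has_sub:
                findings.append((name, rule.get("name"), code))
    return findings


def audit_json(text):
    """Audit a JSON document holding one policy or a List of policies."""
    doc = json.loads(text)
    items = doc["items"] if "items" in doc else [doc]
    findings = []
    for policy in items:
        findings.extend(audit_policy(policy))
    return findings


# Constructed sample input, not taken from any real cluster.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "require-labels"},
     "spec": {"validationFailureAction": "enforce",
              "rules": [{"name": "check-pod",
                         "match": {"any": [{"resources": {"kinds": ["Pod"]}}]}}]}},
    {"metadata": {"name": "debug-aware"},
     "spec": {"validationFailureAction": "Enforce",
              "rules": [{"name": "check-pod",
                         "match": {"any": [{"resources": {"kinds": [
                             "Pod", "Pod/ephemeralcontainers"]}}]}}]}},
    {"metadata": {"name": "svc-policy"},
     "spec": {"validationFailureAction": "Audit",
              "rules": [{"name": "check-svc",
                         "match": {"resources": {"kinds": ["Service"]}}}]}},
]})

if __name__ == "__main__":
    for policy, rule, code in audit_json(SAMPLE):
        print(f"{policy}: {rule or '(spec)'}: {code}")
```

A finding means the policy should be reviewed before the upgrade, not that it is wrong: a rule may leave the subresource out on purpose.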
### [`v1.8.5`](https://togithub.com/kyverno/kyverno/releases/tag/v1.8.5)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.8.4...v1.8.5)
#### ⚠️ Changed ⚠️
- Remove Kyverno CRDs (minus `Policy`) from the category "all" ([#5557](https://togithub.com/kyverno/kyverno/issues/5557))
#### 🐛 Fixed 🐛
- Fixed verifyImage rule when replacing the image digest ([#5713](https://togithub.com/kyverno/kyverno/issues/5713))
- Fixed a panic issue on report deletion ([#5702](https://togithub.com/kyverno/kyverno/issues/5702))
### [`v1.8.4`](https://togithub.com/kyverno/kyverno/releases/tag/v1.8.4)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.8.3...v1.8.4)
#### 🐛 Fixed 🐛
- Fixed a panic in mutateExisting policies ([#5619](https://togithub.com/kyverno/kyverno/issues/5619))
- Fixed a panic when policy reports generated from the background controller don't have labels ([#5608](https://togithub.com/kyverno/kyverno/issues/5608))
### [`v1.8.3`](https://togithub.com/kyverno/kyverno/releases/tag/v1.8.3)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.8.2...v1.8.3)
#### Special Note
Two panics which may occur randomly have been identified in 1.8.3 which are being addressed in 1.8.4. We recommend waiting until 1.8.4 if possible.
#### ❗ Breaking ❗
- The new field `verifyImages.attestations.attestors` is added for verifying attestations. Note that the existing `verifyImages.attestors` field is only used to verify signatures ([#5409](https://togithub.com/kyverno/kyverno/issues/5409))
#### ✨ Added ✨
- Helm: Add default CI test values for helm charts ([#5518](https://togithub.com/kyverno/kyverno/issues/5518))
- Helm: Add ability to set autogen behavior into the kyverno-policies chart ([#5517](https://togithub.com/kyverno/kyverno/issues/5517))
#### ⚠️ Changed ⚠️
- Restore to the log the value of `validationFailureAction` ([#5416](https://togithub.com/kyverno/kyverno/issues/5416))
#### 🐛 Fixed 🐛
- Fixed multiple issues related to the new reporting system introduced in 1.8 ([#5525](https://togithub.com/kyverno/kyverno/issues/5525), [#5486](https://togithub.com/kyverno/kyverno/issues/5486), [#5457](https://togithub.com/kyverno/kyverno/issues/5457), [#5449](https://togithub.com/kyverno/kyverno/issues/5449))
- Fixed an issue when calling kustomize concurrently which resulted in variable errors especially with Kyverno running in HA mode ([#5465](https://togithub.com/kyverno/kyverno/issues/5465))
- Fixed an issue which prevented creation of a generate `Policy` (Namespaced) with a `data` object ([#5459](https://togithub.com/kyverno/kyverno/issues/5459))
- Fixed an issue with a mutate existing policy not being applied when background=false ([#5439](https://togithub.com/kyverno/kyverno/issues/5439))
- Fixed an issue which prevented multiple attestors from working in a keyless verifyImage policy ([#5432](https://togithub.com/kyverno/kyverno/issues/5432))
- Fixed an issue which prevented proper matching of CustomResources which had the same kind but in different groups ([#5421](https://togithub.com/kyverno/kyverno/issues/5421))
- Fixed an issue which prevented mutation of some CustomResources in their `metadata` path ([#5374](https://togithub.com/kyverno/kyverno/issues/5374))
#### Complete List of PRs
- [#5518](https://togithub.com/kyverno/kyverno/issues/5518) feat: Add default CI test values for helm charts
- [#5525](https://togithub.com/kyverno/kyverno/issues/5525) fix: bug in report resource watcher
- [#5517](https://togithub.com/kyverno/kyverno/issues/5517) feat(policies chart): Add ability to set autogen behavior
- [#5491](https://togithub.com/kyverno/kyverno/issues/5491) Migrate all mutate e2e tests to kuttl and expand
- [#5486](https://togithub.com/kyverno/kyverno/issues/5486) fix: report deletion fighting with garbage collection
- [#5483](https://togithub.com/kyverno/kyverno/issues/5483) Migrate validate e2e tests to kuttl tests
- [#5480](https://togithub.com/kyverno/kyverno/issues/5480) fix: typo in autogen package
- [#5465](https://togithub.com/kyverno/kyverno/issues/5465) fix: issue when calling kustomize concurrently
- [#5459](https://togithub.com/kyverno/kyverno/issues/5459) fix: add clone check before validating namespace policy
- [#5457](https://togithub.com/kyverno/kyverno/issues/5457) fix: admission reports stacking up
- [#5449](https://togithub.com/kyverno/kyverno/issues/5449) fix: log watcher error in reports controller
- [#5439](https://togithub.com/kyverno/kyverno/issues/5439) fix: mutate existing policy does not get applied when background=false
- [#5432](https://togithub.com/kyverno/kyverno/issues/5432) Fix multi attestor keyless
- [#5421](https://togithub.com/kyverno/kyverno/issues/5421) Handle GVK properly with the same kind but different apiVersion/group
- [#5416](https://togithub.com/kyverno/kyverno/issues/5416) cleanup: bring back action on `validation failed` logging
- [#5413](https://togithub.com/kyverno/kyverno/issues/5413) Add most basic kuttl tests for generate rules, clone and sync
- [#5409](https://togithub.com/kyverno/kyverno/issues/5409) feat: support attestations with multiple signatures
- [#5374](https://togithub.com/kyverno/kyverno/issues/5374) fix: fix mutating the "/metadata/serverAddress" section of a keda.s/v1alpha1/ScaledObject object
### [`v1.8.2`](https://togithub.com/kyverno/kyverno/releases/tag/v1.8.2)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.8.1...v1.8.2)
#### Notes
- Multiple `imagePullSecrets` are not supported; only the first secret will be used if multiple secrets are specified via the `--imagePullSecrets` container flag.
#### ✨ Added ✨
- kuttl tests ([#5400](https://togithub.com/kyverno/kyverno/issues/5400), [#5364](https://togithub.com/kyverno/kyverno/issues/5364), [#5339](https://togithub.com/kyverno/kyverno/issues/5339), [#5337](https://togithub.com/kyverno/kyverno/issues/5337), [#5330](https://togithub.com/kyverno/kyverno/issues/5330), [#5326](https://togithub.com/kyverno/kyverno/issues/5326), [#5310](https://togithub.com/kyverno/kyverno/issues/5310), [#5303](https://togithub.com/kyverno/kyverno/issues/5303), [#5293](https://togithub.com/kyverno/kyverno/issues/5293), [#5287](https://togithub.com/kyverno/kyverno/issues/5287), [#5286](https://togithub.com/kyverno/kyverno/issues/5286), [#5285](https://togithub.com/kyverno/kyverno/issues/5285), [#5280](https://togithub.com/kyverno/kyverno/issues/5280), [#5268](https://togithub.com/kyverno/kyverno/issues/5268), [#5260](https://togithub.com/kyverno/kyverno/issues/5260), [#5257](https://togithub.com/kyverno/kyverno/issues/5257), [#5254](https://togithub.com/kyverno/kyverno/issues/5254), [#5253](https://togithub.com/kyverno/kyverno/issues/5253), [#5252](https://togithub.com/kyverno/kyverno/issues/5252), [#5238](https://togithub.com/kyverno/kyverno/issues/5238), [#5229](https://togithub.com/kyverno/kyverno/issues/5229), [#5204](https://togithub.com/kyverno/kyverno/issues/5204))
- Add tempo to argocd lab ([#5365](https://togithub.com/kyverno/kyverno/issues/5365))
- Add performance tests tool ([#5241](https://togithub.com/kyverno/kyverno/issues/5241))
- Add loki to argocd lab ([#5231](https://togithub.com/kyverno/kyverno/issues/5231))
- Add grafana dashboard to helm chart ([#5230](https://togithub.com/kyverno/kyverno/issues/5230))
- Support disabling schema validation on the patched resource ([#5197](https://togithub.com/kyverno/kyverno/issues/5197))
- Add categories support to our CRDs ([#5112](https://togithub.com/kyverno/kyverno/issues/5112))
- Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default ([#4964](https://togithub.com/kyverno/kyverno/issues/4964))
- Add validation for generate namespace policy ([#5346](https://togithub.com/kyverno/kyverno/issues/5346))
#### ⚠️ Changed ⚠️
- Set rule response status as skip if precondition failed ([#5162](https://togithub.com/kyverno/kyverno/issues/5162))
- Reduce startup probe delay ([#5296](https://togithub.com/kyverno/kyverno/issues/5296))
#### 🐛 Fixed 🐛
- Fix wildcard any/all issue ([#5387](https://togithub.com/kyverno/kyverno/issues/5387))
- Enable policy validation for the verifyImage rule ([#5383](https://togithub.com/kyverno/kyverno/issues/5383))
- The panic when disable metrics is true ([#5366](https://togithub.com/kyverno/kyverno/issues/5366))
- Kyverno generates empty BackgroundScanReports ([#5350](https://togithub.com/kyverno/kyverno/issues/5350))
- Synchronize source resource's update to clone list resources ([#5317](https://togithub.com/kyverno/kyverno/issues/5317))
- Image verify rule gives error for non-existing configmap ([#5272](https://togithub.com/kyverno/kyverno/issues/5272))
- Fix the invalid kind issue for mutate policies ([#5264](https://togithub.com/kyverno/kyverno/issues/5264))
- Fix policy installation issue for Got empty response for: external.metrics.k8s.io/v1beta1 ([#5239](https://togithub.com/kyverno/kyverno/issues/5239))
- Make zapr compatible with klog's -v argument ([#5166](https://togithub.com/kyverno/kyverno/issues/5166))
- Allow delete of clone target resource with synchronize false ([#5161](https://togithub.com/kyverno/kyverno/issues/5161))
- Fix policy events created for non-applied resources ([#5158](https://togithub.com/kyverno/kyverno/issues/5158))
- Fix mutateExisting failure - reset resource version on update ([#5157](https://togithub.com/kyverno/kyverno/issues/5157))
- Fix mutation policy inconsistent patching for ephemeralContainers ([#5121](https://togithub.com/kyverno/kyverno/issues/5121))
- Fix adding parsing of json pointers to support special chars ([#4767](https://togithub.com/kyverno/kyverno/issues/4767))
- Fix adding policy label to policy reports ([#5198](https://togithub.com/kyverno/kyverno/issues/5198), [#5194](https://togithub.com/kyverno/kyverno/issues/5194))
#### Complete List of PRs
- [#5402](https://togithub.com/kyverno/kyverno/issues/5402) fix: add os.Exit
- [#5400](https://togithub.com/kyverno/kyverno/issues/5400) Complete all basic kuttl tests for generate rules, clone and no-sync
- [#5387](https://togithub.com/kyverno/kyverno/issues/5387) \[Bug]: Fix wildcard any/all issue
- [#5383](https://togithub.com/kyverno/kyverno/issues/5383) fix: enable policy validation for the verifyImage rule
- [#5366](https://togithub.com/kyverno/kyverno/issues/5366) fix: panic when disable metrics is true
- [#5365](https://togithub.com/kyverno/kyverno/issues/5365) chore: add tempo to argocd lab
- [#5364](https://togithub.com/kyverno/kyverno/issues/5364) Add more kuttl generate test cases
- [#5358](https://togithub.com/kyverno/kyverno/issues/5358) fix: set correct logger in profiling server
- [#5350](https://togithub.com/kyverno/kyverno/issues/5350) fix closed watchers in the resource-report-controller
- [#5349](https://togithub.com/kyverno/kyverno/issues/5349) chore: enable json logs in argocd lab
- [#5346](https://togithub.com/kyverno/kyverno/issues/5346) fix: add validation for generate namespace policy
- [#5339](https://togithub.com/kyverno/kyverno/issues/5339) test: add kuttl debug failure
- [#5337](https://togithub.com/kyverno/kyverno/issues/5337) test: add rbac kuttl test
- [#5331](https://togithub.com/kyverno/kyverno/issues/5331) chore: add cli binary to gitignore
- [#5330](https://togithub.com/kyverno/kyverno/issues/5330) test: add test to check expected webhooks are created
- [#5328](https://togithub.com/kyverno/kyverno/issues/5328) refactor: optimise and use kuttl TestStep with tests
- [#5326](https://togithub.com/kyverno/kyverno/issues/5326) add test cases for yaml verification feature
- [#5319](https://togithub.com/kyverno/kyverno/issues/5319) fix: set logger in metrics server
- [#5317](https://togithub.com/kyverno/kyverno/issues/5317) fix: synchronize source resource update to clone list resource
- [#5311](https://togithub.com/kyverno/kyverno/issues/5311) fix: wrong logger used
- [#5310](https://togithub.com/kyverno/kyverno/issues/5310) tests: add kuttl tests for jmespath special chars
- [#5303](https://togithub.com/kyverno/kyverno/issues/5303) Update kuttl test scaffolding
- [#5298](https://togithub.com/kyverno/kyverno/issues/5298) fix: send notification when stoping watching resource in reports system
- [#5296](https://togithub.com/kyverno/kyverno/issues/5296) fix: reduce startup probe delay
- [#5293](https://togithub.com/kyverno/kyverno/issues/5293) fix: image extractor kuttl tests
- [#5291](https://togithub.com/kyverno/kyverno/issues/5291) Add a note to 1.8.2-rc1 release for `ImagePullSecrets`
- [#5287](https://togithub.com/kyverno/kyverno/issues/5287) fix: kuttl test external-service
- [#5286](https://togithub.com/kyverno/kyverno/issues/5286) fix: check policy is ready in kuttl tests
- [#5285](https://togithub.com/kyverno/kyverno/issues/5285) chore: update kuttl
- [#5280](https://togithub.com/kyverno/kyverno/issues/5280) tests: add kuttl tests for multiple clone generate
- [#5272](https://togithub.com/kyverno/kyverno/issues/5272) Fixed issue-3709: Image verify rule gives error for non-existing configmap
- [#5269](https://togithub.com/kyverno/kyverno/issues/5269) fix: keep admission warnings
- [#5268](https://togithub.com/kyverno/kyverno/issues/5268) fix: add missing test suite to kuttl
- [#5264](https://togithub.com/kyverno/kyverno/issues/5264) fix: account for error rules in mutation webhook
- [#5260](https://togithub.com/kyverno/kyverno/issues/5260) chore: remove old conformance tests files
- [#5257](https://togithub.com/kyverno/kyverno/issues/5257) Kuttl updates
- [#5254](https://togithub.com/kyverno/kyverno/issues/5254) chore: add kuttl in makefile
- [#5253](https://togithub.com/kyverno/kyverno/issues/5253) chore: add kuttl autogen tests
- [#5252](https://togithub.com/kyverno/kyverno/issues/5252) chore: use conditions in kuttl tests to check ready policies
- [#5245](https://togithub.com/kyverno/kyverno/issues/5245) refactor: admission metrics (counter and latency)
- [#5244](https://togithub.com/kyverno/kyverno/issues/5244) refactor: move all middlewares in handlers sub package
- [#5241](https://togithub.com/kyverno/kyverno/issues/5241) chore: add performance tests tool
- [#5239](https://togithub.com/kyverno/kyverno/issues/5239) Fix policy installation issue for Got empty response for: external.metrics.k8s.io/v1beta1
- [#5238](https://togithub.com/kyverno/kyverno/issues/5238) More kuttl tests
- [#5234](https://togithub.com/kyverno/kyverno/issues/5234) refactor: admission response utils
- [#5231](https://togithub.com/kyverno/kyverno/issues/5231) chore: add loki to argocd lab
- [#5230](https://togithub.com/kyverno/kyverno/issues/5230) feat: add grafana dashboard to helm chart
- [#5229](https://togithub.com/kyverno/kyverno/issues/5229) add remainder of e2e verifyImages tests
- [#5209](https://togithub.com/kyverno/kyverno/issues/5209) chore: server side apply in argo lab
- [#5208](https://togithub.com/kyverno/kyverno/issues/5208) fix: too much information for the Policy Rule Execution Latency metric
- [#5204](https://togithub.com/kyverno/kyverno/issues/5204) add kuttl tests
- [#5200](https://togithub.com/kyverno/kyverno/issues/5200) fix: early return in policy validation
- [#5198](https://togithub.com/kyverno/kyverno/issues/5198) feat: add policy label to policy reports
- [#5197](https://togithub.com/kyverno/kyverno/issues/5197) feat: support disabling schema validation on the patched resource
- [#5194](https://togithub.com/kyverno/kyverno/issues/5194) fix: deletion of reports not belonging to kyverno
- [#5190](https://togithub.com/kyverno/kyverno/issues/5190) fix: use pagination to aggregate reports
- [#5189](https://togithub.com/kyverno/kyverno/issues/5189) Fix issue where CLI test command ignores failures
- [#5179](https://togithub.com/kyverno/kyverno/issues/5179) fix: check resource version on update notification
- [#5178](https://togithub.com/kyverno/kyverno/issues/5178) chore: add kind config file
- [#5177](https://togithub.com/kyverno/kyverno/issues/5177) fix: content type in log
- [#5176](https://togithub.com/kyverno/kyverno/issues/5176) refactor: health check system
- [#5166](https://togithub.com/kyverno/kyverno/issues/5166) fix: make zapr compatible with klog's -v argument
- [#5162](https://togithub.com/kyverno/kyverno/issues/5162) fix: set rule response status as skip if precondition failed
- [#5161](https://togithub.com/kyverno/kyverno/issues/5161) fix: allow delete of clone target resource with synchronize false
- [#5158](https://togithub.com/kyverno/kyverno/issues/5158) fix: policy events created for non-applied resources
- [#5157](https://togithub.com/kyverno/kyverno/issues/5157) fix: mutateExisting failure - reset resource version on update
- [#5144](https://togithub.com/kyverno/kyverno/issues/5144) fix: configure klog and global logger to use zapr in json mode
- [#5132](https://togithub.com/kyverno/kyverno/issues/5132) fix finalizers mutation with patchesJson6902
- [#5121](https://togithub.com/kyverno/kyverno/issues/5121) fix: mutation policy inconsistent patching for ephemeralContainers
- [#5112](https://togithub.com/kyverno/kyverno/issues/5112) feat: add categories support to our CRDs
- [#4996](https://togithub.com/kyverno/kyverno/issues/4996) Fixed issue-4655: verifyImages is executed before mutate
- [#4964](https://togithub.com/kyverno/kyverno/issues/4964) Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default
- [#4899](https://togithub.com/kyverno/kyverno/issues/4899) fixed dryrun option to handle changes caused by mutating policy
- [#4767](https://togithub.com/kyverno/kyverno/issues/4767) fix: add parsing of json pointers to support special chars ([#3578](https://togithub.com/kyverno/kyverno/issues/3578) [#3616](https://togithub.com/kyverno/kyverno/issues/3616))
### [`v1.8.1`](https://togithub.com/kyverno/kyverno/blob/HEAD/CHANGELOG.md#v181-rc3)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.8.0...v1.8.1)
##### Note
- A new flag `backgroundScanWorkers` to configure the number of background scan workers (default value is `2`).
### [`v1.8.0`](https://togithub.com/kyverno/kyverno/blob/HEAD/CHANGELOG.md#v180-rc3)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.7.5...v1.8.0)
##### Note
- A new flag `backgroundScan` to enable/disable kyverno background scans (default value is `true`). When this is set to `false`, kyverno will not perform background scans and won't trigger continuous evaluation of policies.
- A new flag `admissionReports` to enable/disable kyverno admission reports (default value is `true`). When this is set to `false`, kyverno will not create admission reports.
- If both `backgroundScan` and `admissionReports` are set to `false` the entire reports system will be disabled.
- A new flag `reportsChunkSize` to split reports according to the number of results contained in the report (default value is `1000`). This can be disabled by setting the flag value to `0`.
- The `splitPolicyReport` flag is deprecated: splitting reports per policy is always enabled. The flag is kept for backward compatibility and will be removed in a future version.
- `ReportChangeRequest` and `ClusterReportChangeRequest` CRDs have been removed and replaced by `AdmissionReport`, `ClusterAdmissionReport`, `BackgroundScanReport` and `ClusterBackgroundScanReport` CRDs.
### [`v1.7.5`](https://togithub.com/kyverno/kyverno/releases/tag/v1.7.5)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.7.4...v1.7.5)
Kyverno 1.7.5 is a patch release designed primarily to bump up Cosign to fix a soon-breaking change on their end as well as address vulnerabilities caused by other dependencies.
#### 🐛 Fixed 🐛
- Bumps Cosign 1.9.1 => 1.12.1
- Bumps Go 1.17 => 1.18
- Bumps KubeBuilder controller-gen 0.8.0 => 0.9.1
- A few other smaller bumps
#### Complete List of PRs
[#4873](https://togithub.com/kyverno/kyverno/issues/4873) Update cosign and k8s-manifest-sigstore
### [`v1.7.4`](https://togithub.com/kyverno/kyverno/releases/tag/v1.7.4)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.7.3...v1.7.4)
#### Bug Fixes
- Fix issue for wildcard versions, [https://github.com/kyverno/kyverno/pull/4674](https://togithub.com/kyverno/kyverno/pull/4674)
- Fix incorrect namespace in report controller, [https://github.com/kyverno/kyverno/pull/4688](https://togithub.com/kyverno/kyverno/pull/4688)
### [`v1.7.3`](https://togithub.com/kyverno/kyverno/releases/tag/v1.7.3)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.7.2...v1.7.3)
#### Changed
- Change `preconditions` failure behavior from `fail` to `skip`. ([#4158](https://togithub.com/kyverno/kyverno/issues/4158))
#### Fixed
- Fixed an issue preventing the Check Deprecated APIs sample policy from working properly. ([#3580](https://togithub.com/kyverno/kyverno/issues/3580))
- Clarify `namespaceSelector` behavior in `exclude` block. ([#2608](https://togithub.com/kyverno/kyverno/issues/2608))
#### Complete List of PRs
[#4350](https://togithub.com/kyverno/kyverno/issues/4350) Cherry-pick: fix kyverno cli policy-report typo([#4349](https://togithub.com/kyverno/kyverno/issues/4349))
[#4256](https://togithub.com/kyverno/kyverno/issues/4256) fix: use only 1 kubernetes client
[#4163](https://togithub.com/kyverno/kyverno/issues/4163) precondition failure will skip rule independent of audit or enforce mode
### [`v1.7.2`](https://togithub.com/kyverno/kyverno/blob/HEAD/CHANGELOG.md#v172-rc2)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.7.1...v1.7.2)
##### Note
- A new flag `maxQueuedEvents` is added to the Kyverno main container; this flag sets the upper limit on the number of events that are queued internally.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates: `v1.7.1` -> `v1.9.0`
Release Notes
kyverno/kyverno
### [`v1.9.0`](https://togithub.com/kyverno/kyverno/blob/HEAD/CHANGELOG.md#v190-rc1) [Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.8.5...v1.9.0) ##### Note - Flag `backgroundScanInterval` was added to force background scans at regular intervals (default value is `1h`). - Flag `splitPolicyReport` was removed, was unused and marked for removal in 1.9. - Webhook is no longer updated to match `pods/ephemeralcontainers` when policy only specifies `pods`. If users want to match on `pods/ephemeralcontainers`, they must specify `pods/ephemeralcontainers` in the policy. - Webhook is no longer updated to match `services/status` when policy only specifies `services`. If users want to match on `services/status`, they must specify `services/status` in the policy. - Flag `autogenInternals` was removed, policy mutation has been removed. - Flag `leaderElectionRetryPeriod` was added to control leader election renewal frequency (default value is `2s`). - Support upper case `Audit` and `Enforce` in `.spec.validationFailureAction` of the Kyverno policy, failure actions `audit` and `enforce` are deprecated and will be removed in `v1.11.0`. - Flag `profileAddress` was added to configure address of profiling server (default value is `""`). 
### [`v1.8.5`](https://togithub.com/kyverno/kyverno/releases/tag/v1.8.5) [Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.8.4...v1.8.5) #### ⚠️ Changed ⚠️ - Remove Kyverno CRDs (minus `Policy`) from the category "all" ([#5557](https://togithub.com/kyverno/kyverno/issues/5557)) #### 🐛 Fixed 🐛 - Fixed verifyImage rule when replacing the image digest ([#5713](https://togithub.com/kyverno/kyverno/issues/5713)) - Fixed a panic issue on report deletion ([#5702](https://togithub.com/kyverno/kyverno/issues/5702)) ### [`v1.8.4`](https://togithub.com/kyverno/kyverno/releases/tag/v1.8.4) [Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.8.3...v1.8.4) #### 🐛 Fixed 🐛 - Fixed a panic in mutateExisting policies ([#5619](https://togithub.com/kyverno/kyverno/issues/5619)) - Fixed a panic when policy reports generated from the background controller don't have labels ([#5608](https://togithub.com/kyverno/kyverno/issues/5608)) ### [`v1.8.3`](https://togithub.com/kyverno/kyverno/releases/tag/v1.8.3) [Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.8.2...v1.8.3) #### Special Note Two panics which may occur randomly have been identified in 1.8.3 which are being addressed in 1.8.4. We recommend waiting until 1.8.4 if possible. #### ❗ Breaking ❗ - The new field `verifyImages.attestations.attestors` is added for verifying attestations. 
Note that the existing `verifyImages.attestors` field is only used to verify signatures ([#5409](https://togithub.com/kyverno/kyverno/issues/5409)) #### ✨ Added ✨ - Helm: Add default CI test values for helm charts ([#5518](https://togithub.com/kyverno/kyverno/issues/5518)) - Helm: Add ability to set autogen behavior into the kyverno-policies chart ([#5517](https://togithub.com/kyverno/kyverno/issues/5517)) #### ⚠️ Changed ⚠️ - Restore to the log the value of `validationFailureAction` ([#5416](https://togithub.com/kyverno/kyverno/issues/5416)) #### 🐛 Fixed 🐛 - Fixed multiple issues related to the new reporting system introduced in 1.8 ([#5525](https://togithub.com/kyverno/kyverno/issues/5525), [#5486](https://togithub.com/kyverno/kyverno/issues/5486), [#5457](https://togithub.com/kyverno/kyverno/issues/5457), [#5449](https://togithub.com/kyverno/kyverno/issues/5449)) - Fixed an issue when calling kustomize concurrently which resulted in variable errors especially with Kyverno running in HA mode ([#5465](https://togithub.com/kyverno/kyverno/issues/5465)) - Fixed an issue which prevented creating of a generate `Policy` (Namespaced) with a `data` object ([#5459](https://togithub.com/kyverno/kyverno/issues/5459)) - Fixed an issue with a mutate existing policy not get applied when background=false ([#5439](https://togithub.com/kyverno/kyverno/issues/5439)) - Fixed an issue which prevented multiple attestors to work in a keyless verifyImage policy ([#5432](https://togithub.com/kyverno/kyverno/issues/5432)) - Fixed an issue which prevented proper matching of CustomResources which had the same kind but in different groups ([#5421](https://togithub.com/kyverno/kyverno/issues/5421)) - Fixed an issue which prevented mutation of some CustomResources in their `metadata` path ([#5374](https://togithub.com/kyverno/kyverno/issues/5374)) #### Complete List of PRsClick to expand
- [#5518](https://togithub.com/kyverno/kyverno/issues/5518) feat: Add default CI test values for helm charts - [#5525](https://togithub.com/kyverno/kyverno/issues/5525) fix: bug in report resource watcher - [#5517](https://togithub.com/kyverno/kyverno/issues/5517) feat(policies chart): Add ability to set autogen behavior - [#5491](https://togithub.com/kyverno/kyverno/issues/5491) Migrate all mutate e2e tests to kuttl and expand - [#5486](https://togithub.com/kyverno/kyverno/issues/5486) fix: report deletion fighting with garbage collection - [#5483](https://togithub.com/kyverno/kyverno/issues/5483) Migrate validate e2e tests to kuttl tests - [#5480](https://togithub.com/kyverno/kyverno/issues/5480) fix: typo in autogen package - [#5465](https://togithub.com/kyverno/kyverno/issues/5465) fix: issue when calling kustomize concurrently - [#5459](https://togithub.com/kyverno/kyverno/issues/5459) fix: add clone check before validating namespace policy - [#5457](https://togithub.com/kyverno/kyverno/issues/5457) fix: admission reports stacking up - [#5449](https://togithub.com/kyverno/kyverno/issues/5449) fix: log watcher error in reports controller - [#5439](https://togithub.com/kyverno/kyverno/issues/5439) fix: mutate existing policy does not get applied when background=false - [#5432](https://togithub.com/kyverno/kyverno/issues/5432) Fix multi attestor keyless - [#5421](https://togithub.com/kyverno/kyverno/issues/5421) Handle GVK properly with the same kind but different apiVersion/group - [#5416](https://togithub.com/kyverno/kyverno/issues/5416) cleanup: bring back action on `validation failed` logging - [#5413](https://togithub.com/kyverno/kyverno/issues/5413) Add most basic kuttl tests for generate rules, clone and sync - [#5409](https://togithub.com/kyverno/kyverno/issues/5409) feat: support attestations with multiple signatures - [#5374](https://togithub.com/kyverno/kyverno/issues/5374) fix: fix mutating the "/metadata/serverAddress" section of a 
keda.s/v1alpha1/ScaledObject objectClick to expand
- [#5402](https://togithub.com/kyverno/kyverno/issues/5402) fix: add os.Exit
- [#5400](https://togithub.com/kyverno/kyverno/issues/5400) Complete all basic kuttl tests for generate rules, clone and no-sync
- [#5387](https://togithub.com/kyverno/kyverno/issues/5387) \[Bug]: Fix wildcard any/all issue
- [#5383](https://togithub.com/kyverno/kyverno/issues/5383) fix: enable policy validation for the verifyImage rule
- [#5366](https://togithub.com/kyverno/kyverno/issues/5366) fix: panic when disable metrics is true
- [#5365](https://togithub.com/kyverno/kyverno/issues/5365) chore: add tempo to argocd lab
- [#5364](https://togithub.com/kyverno/kyverno/issues/5364) Add more kuttl generate test cases
- [#5358](https://togithub.com/kyverno/kyverno/issues/5358) fix: set correct logger in profiling server
- [#5350](https://togithub.com/kyverno/kyverno/issues/5350) fix closed watchers in the resource-report-controller
- [#5349](https://togithub.com/kyverno/kyverno/issues/5349) chore: enable json logs in argocd lab
- [#5346](https://togithub.com/kyverno/kyverno/issues/5346) fix: add validation for generate namespace policy
- [#5339](https://togithub.com/kyverno/kyverno/issues/5339) test: add kuttl debug failure
- [#5337](https://togithub.com/kyverno/kyverno/issues/5337) test: add rbac kuttl test
- [#5331](https://togithub.com/kyverno/kyverno/issues/5331) chore: add cli binary to gitignore
- [#5330](https://togithub.com/kyverno/kyverno/issues/5330) test: add test to check expected webhooks are created
- [#5328](https://togithub.com/kyverno/kyverno/issues/5328) refactor: optimise and use kuttl TestStep with tests
- [#5326](https://togithub.com/kyverno/kyverno/issues/5326) add test cases for yaml verification feature
- [#5319](https://togithub.com/kyverno/kyverno/issues/5319) fix: set logger in metrics server
- [#5317](https://togithub.com/kyverno/kyverno/issues/5317) fix: synchronize source resource update to clone list resource
- [#5311](https://togithub.com/kyverno/kyverno/issues/5311) fix: wrong logger used
- [#5310](https://togithub.com/kyverno/kyverno/issues/5310) tests: add kuttl tests for jmespath special chars
- [#5303](https://togithub.com/kyverno/kyverno/issues/5303) Update kuttl test scaffolding
- [#5298](https://togithub.com/kyverno/kyverno/issues/5298) fix: send notification when stopping watching resource in reports system
- [#5296](https://togithub.com/kyverno/kyverno/issues/5296) fix: reduce startup probe delay
- [#5293](https://togithub.com/kyverno/kyverno/issues/5293) fix: image extractor kuttl tests
- [#5291](https://togithub.com/kyverno/kyverno/issues/5291) Add a note to 1.8.2-rc1 release for `ImagePullSecrets`
- [#5287](https://togithub.com/kyverno/kyverno/issues/5287) fix: kuttl test external-service
- [#5286](https://togithub.com/kyverno/kyverno/issues/5286) fix: check policy is ready in kuttl tests
- [#5285](https://togithub.com/kyverno/kyverno/issues/5285) chore: update kuttl
- [#5280](https://togithub.com/kyverno/kyverno/issues/5280) tests: add kuttl tests for multiple clone generate
- [#5272](https://togithub.com/kyverno/kyverno/issues/5272) Fixed issue-3709: Image verify rule gives error for non-existing configmap
- [#5269](https://togithub.com/kyverno/kyverno/issues/5269) fix: keep admission warnings
- [#5268](https://togithub.com/kyverno/kyverno/issues/5268) fix: add missing test suite to kuttl
- [#5264](https://togithub.com/kyverno/kyverno/issues/5264) fix: account for error rules in mutation webhook
- [#5260](https://togithub.com/kyverno/kyverno/issues/5260) chore: remove old conformance tests files
- [#5257](https://togithub.com/kyverno/kyverno/issues/5257) Kuttl updates
- [#5254](https://togithub.com/kyverno/kyverno/issues/5254) chore: add kuttl in makefile
- [#5253](https://togithub.com/kyverno/kyverno/issues/5253) chore: add kuttl autogen tests
- [#5252](https://togithub.com/kyverno/kyverno/issues/5252) chore: use conditions in kuttl tests to check ready policies
- [#5245](https://togithub.com/kyverno/kyverno/issues/5245) refactor: admission metrics (counter and latency)
- [#5244](https://togithub.com/kyverno/kyverno/issues/5244) refactor: move all middlewares in handlers sub package
- [#5241](https://togithub.com/kyverno/kyverno/issues/5241) chore: add performance tests tool
- [#5239](https://togithub.com/kyverno/kyverno/issues/5239) Fix policy installation issue for Got empty response for: external.metrics.k8s.io/v1beta1
- [#5238](https://togithub.com/kyverno/kyverno/issues/5238) More kuttl tests
- [#5234](https://togithub.com/kyverno/kyverno/issues/5234) refactor: admission response utils
- [#5231](https://togithub.com/kyverno/kyverno/issues/5231) chore: add loki to argocd lab
- [#5230](https://togithub.com/kyverno/kyverno/issues/5230) feat: add grafana dashboard to helm chart
- [#5229](https://togithub.com/kyverno/kyverno/issues/5229) add remainder of e2e verifyImages tests
- [#5209](https://togithub.com/kyverno/kyverno/issues/5209) chore: server side apply in argo lab
- [#5208](https://togithub.com/kyverno/kyverno/issues/5208) fix: too much information for the Policy Rule Execution Latency metric
- [#5204](https://togithub.com/kyverno/kyverno/issues/5204) add kuttl tests
- [#5200](https://togithub.com/kyverno/kyverno/issues/5200) fix: early return in policy validation
- [#5198](https://togithub.com/kyverno/kyverno/issues/5198) feat: add policy label to policy reports
- [#5197](https://togithub.com/kyverno/kyverno/issues/5197) feat: support disabling schema validation on the patched resource
- [#5194](https://togithub.com/kyverno/kyverno/issues/5194) fix: deletion of reports not belonging to kyverno
- [#5190](https://togithub.com/kyverno/kyverno/issues/5190) fix: use pagination to aggregate reports
- [#5189](https://togithub.com/kyverno/kyverno/issues/5189) Fix issue where CLI test command ignores failures
- [#5179](https://togithub.com/kyverno/kyverno/issues/5179) fix: check resource version on update notification
- [#5178](https://togithub.com/kyverno/kyverno/issues/5178) chore: add kind config file
- [#5177](https://togithub.com/kyverno/kyverno/issues/5177) fix: content type in log
- [#5176](https://togithub.com/kyverno/kyverno/issues/5176) refactor: health check system
- [#5166](https://togithub.com/kyverno/kyverno/issues/5166) fix: make zapr compatible with klog's -v argument
- [#5162](https://togithub.com/kyverno/kyverno/issues/5162) fix: set rule response status as skip if precondition failed
- [#5161](https://togithub.com/kyverno/kyverno/issues/5161) fix: allow delete of clone target resource with synchronize false
- [#5158](https://togithub.com/kyverno/kyverno/issues/5158) fix: policy events created for non-applied resources
- [#5157](https://togithub.com/kyverno/kyverno/issues/5157) fix: mutateExisting failure - reset resource version on update
- [#5144](https://togithub.com/kyverno/kyverno/issues/5144) fix: configure klog and global logger to use zapr in json mode
- [#5132](https://togithub.com/kyverno/kyverno/issues/5132) fix finalizers mutation with patchesJson6902
- [#5121](https://togithub.com/kyverno/kyverno/issues/5121) fix: mutation policy inconsistent patching for ephemeralContainers
- [#5112](https://togithub.com/kyverno/kyverno/issues/5112) feat: add categories support to our CRDs
- [#4996](https://togithub.com/kyverno/kyverno/issues/4996) Fixed issue-4655: verifyImages is executed before mutate
- [#4964](https://togithub.com/kyverno/kyverno/issues/4964) Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default
- [#4899](https://togithub.com/kyverno/kyverno/issues/4899) fixed dryrun option to handle changes caused by mutating policy
- [#4767](https://togithub.com/kyverno/kyverno/issues/4767) fix: add parsing of json pointers to support special chars ([#3578](https://togithub.com/kyverno/kyverno/issues/3578) [#3616](https://togithub.com/kyverno/kyverno/issues/3616))

- [#4873](https://togithub.com/kyverno/kyverno/issues/4873) Update cosign and k8s-manifest-sigstore

- [#4350](https://togithub.com/kyverno/kyverno/issues/4350) Cherry-pick: fix kyverno cli policy-report typo([#4349](https://togithub.com/kyverno/kyverno/issues/4349))
- [#4256](https://togithub.com/kyverno/kyverno/issues/4256) fix: use only 1 kubernetes client
- [#4163](https://togithub.com/kyverno/kyverno/issues/4163) precondition failure will skip rule independent of audit or enforce mode

### Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.