kyverno/kyverno (github.com/kyverno/kyverno)
### [`v1.12.5`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.5)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.12.4...v1.12.5)
#### Added
- Added a circuit breaker for `ephemeralreports` generated from admission events, which are used to create policy reports ([#10499](https://togithub.com/kyverno/kyverno/issues/10499), [#10596](https://togithub.com/kyverno/kyverno/issues/10596), [#10610](https://togithub.com/kyverno/kyverno/issues/10610), [#10613](https://togithub.com/kyverno/kyverno/issues/10613))
- Added a circuit breaker for `updaterequests`, which are used to apply generate and mutate existing rules ([#10382](https://togithub.com/kyverno/kyverno/issues/10382))
#### Fixed
- Fixed an issue for generate policies to correctly validate patterns for old and new objects ([#10310](https://togithub.com/kyverno/kyverno/issues/10310))
- Fixed a CLI issue to get namespace's labels in the cluster mode ([#10348](https://togithub.com/kyverno/kyverno/issues/10348))
- Normalized Global Context event's reason to be in line with other policies ([#10395](https://togithub.com/kyverno/kyverno/issues/10395))
- Fixed the `ephemeralreports` to use generate name to avoid duplicate names ([#10491](https://togithub.com/kyverno/kyverno/issues/10491))
- Fixed notary tests ([#10579](https://togithub.com/kyverno/kyverno/issues/10579))
- Fixed deletion of resources for the cleanup policy ([#10582](https://togithub.com/kyverno/kyverno/issues/10582))
- Fixed a log issue to not append cleanup policy names ([#10583](https://togithub.com/kyverno/kyverno/issues/10583))
- Fixed CEL policies to be applied to deleted resources ([#10611](https://togithub.com/kyverno/kyverno/issues/10611))
- Fixed a JSON context issue to delete non-existent old values for `foreach` rules ([#10615](https://togithub.com/kyverno/kyverno/issues/10615))
- Renamed level 1 logs to INFO from DEBUG ([#10617](https://togithub.com/kyverno/kyverno/issues/10617))
- Truncated event messages to 1024 chars ([#10636](https://togithub.com/kyverno/kyverno/issues/10636))
- Fixed mutatingwebhookconfiguration configured rules ([#10639](https://togithub.com/kyverno/kyverno/issues/10639))
#### Others
- Refactored VAPs registrations ([#10014](https://togithub.com/kyverno/kyverno/issues/10014))
- Removed unused parameters ([#10330](https://togithub.com/kyverno/kyverno/issues/10330))
- Bumped Chainsaw ([#10345](https://togithub.com/kyverno/kyverno/issues/10345))
### [`v1.12.4`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.4)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.12.3...v1.12.4)
### Important Notice
If you are running 1.12, please upgrade to this version to pick up the [fix](https://togithub.com/kyverno/kyverno/pull/10415) for the ephemeralreports piling-up issue. See this post to understand how to recover from an etcd outage:
[Amazon EKS- managing and fixing ETCD database size](https://marcincuber.medium.com/amazon-eks-managing-and-fixing-etcd-database-size-b6fb875888cb)
\[updated] If you are seeing consistent creation of ephemeralreports, you can:
1. disable reporting for admission events, please see [this comment](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2167597580).
2. tune `--aggregationWorkers` to increase the capacity of consuming ephemeralreports, see [this comment](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2178088816). It can be configured directly via the [container flag](https://kyverno.io/docs/installation/customization/#container-flags), or through Helm [extraArgs](https://togithub.com/kyverno/kyverno/blob/e64df59df/charts/kyverno/values.yaml#L2237).
3. as a user of Argo CD, check whether something is causing [continuous reconcile operations](https://argo-cd.readthedocs.io/en/stable/operator-manual/reconcile/).
#### Fixed
- Added condition checking to notary attestation verify chainsaw test ([https://github.com/kyverno/kyverno/pull/10288](https://togithub.com/kyverno/kyverno/pull/10288))
- Fixed a CLI issue to apply namespace labels in the cluster mode ([https://github.com/kyverno/kyverno/pull/10348](https://togithub.com/kyverno/kyverno/pull/10348))
- Fixed a global context lookup issue to return the error properly ([https://github.com/kyverno/kyverno/pull/10398](https://togithub.com/kyverno/kyverno/pull/10398))
- Fixed logging verbosity for the background scanner ([https://github.com/kyverno/kyverno/pull/10404](https://togithub.com/kyverno/kyverno/pull/10404))
- Shutdown the controller properly when the context is canceled ([https://github.com/kyverno/kyverno/pull/10415](https://togithub.com/kyverno/kyverno/pull/10415))
- Fixed duplicate updaterequest creation for background policies ([https://github.com/kyverno/kyverno/pull/10431](https://togithub.com/kyverno/kyverno/pull/10431))
#### Others
- Bumped chainsaw ([https://github.com/kyverno/kyverno/pull/10345](https://togithub.com/kyverno/kyverno/pull/10345))
- Added chainsaw test for controllers leader election ([https://github.com/kyverno/kyverno/pull/10416](https://togithub.com/kyverno/kyverno/pull/10416))
### [`v1.12.3`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.3)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.12.2...v1.12.3)
### Important Notice
If you are running 1.12, please upgrade to [v1.12.4](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.4) to pick up the [fix](https://togithub.com/kyverno/kyverno/pull/10415) for the ephemeralreports piling-up issue. See this post to understand how to recover from an etcd outage:
[Amazon EKS- managing and fixing ETCD database size](https://marcincuber.medium.com/amazon-eks-managing-and-fixing-etcd-database-size-b6fb875888cb)
If you are seeing consistent creation of ephemeralreports, please track [this issue](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2167597580) to avoid creation of too many ephemeralreports.
#### Added
- Added support for background scanning of existing resource in image verification ([#10311](https://togithub.com/kyverno/kyverno/issues/10311))
- Added a cleanup cronjob to delete updaterequests ([#10326](https://togithub.com/kyverno/kyverno/issues/10326))
- Added cleanup cronjobs for (cluster)ephemeralreports ([#10334](https://togithub.com/kyverno/kyverno/issues/10334))
- Add aggregation workers flag to configure (cluster)ephemeralreports consumer ([#10343](https://togithub.com/kyverno/kyverno/issues/10343))
#### Others
- Removed unused parameters ([#10329](https://togithub.com/kyverno/kyverno/issues/10329))
### [`v1.12.2`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.2)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.12.1...v1.12.2)
### Important Notice
If you are running 1.12, please upgrade to [v1.12.4](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.4) to pick up the [fix](https://togithub.com/kyverno/kyverno/pull/10415) for the ephemeralreports piling-up issue. See this post to understand how to recover from an etcd outage:
[Amazon EKS- managing and fixing ETCD database size](https://marcincuber.medium.com/amazon-eks-managing-and-fixing-etcd-database-size-b6fb875888cb)
If you are seeing consistent creation of ephemeralreports, please track [this issue](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2167597580) to avoid creation of too many ephemeralreports.
#### Added
- Added an option to allow kyverno apply command to continue on failure ([#10036](https://togithub.com/kyverno/kyverno/issues/10036))
##### Helm
- Added an option to configure webhook pod annotations ([#9875](https://togithub.com/kyverno/kyverno/issues/9875))
#### Fixed
- Fixed missing CONNECT operation in the webhook config for `pod/exec` subresource ([#9855](https://togithub.com/kyverno/kyverno/issues/9855))
- Fixed an issue to evaluate multiple `policyexceptions` regardless of condition failures ([#9994](https://togithub.com/kyverno/kyverno/issues/9994))
- Fixed the VAPs generation issues for `pods/ephemeralcontainers`, resourceNames field ([#10162](https://togithub.com/kyverno/kyverno/issues/10162), [#10187](https://togithub.com/kyverno/kyverno/issues/10187), [#10208](https://togithub.com/kyverno/kyverno/issues/10208))
- Fixed the mutate existing policies to be applied on matched resources only ([#10164](https://togithub.com/kyverno/kyverno/issues/10164))
- Fixed an issue to skip generating VAPs for policies that match multiple resources with a namespace/object selector ([#10181](https://togithub.com/kyverno/kyverno/issues/10181))
- Fixed a CLI issue when the level parameter of the apply and test commands does not work ([#10216](https://togithub.com/kyverno/kyverno/issues/10216))
- Fixed CVEs ([#10225](https://togithub.com/kyverno/kyverno/issues/10225))
- Fixed an issue when applying multiple validate rules produces the wrong result ([#10236](https://togithub.com/kyverno/kyverno/issues/10236))
- Fixed context canceled issue when creating reports ([#10245](https://togithub.com/kyverno/kyverno/issues/10245))
- Fixed an issue in `foreach` mutate policies with `Descending` order defined causing unexpected patches ([#10252](https://togithub.com/kyverno/kyverno/issues/10252))
- Fixed an event generation issue when the size exceeds the limit ([#10255](https://togithub.com/kyverno/kyverno/issues/10255))
- Fixed operation-based webhook configuration issue when there are multiple policies matching the same kind ([#10262](https://togithub.com/kyverno/kyverno/issues/10262))
- Fixed flaky VAPs tests ([#10263](https://togithub.com/kyverno/kyverno/issues/10263))
- Fixed a CLI issue when loading policies from the filesystem ([#10270](https://togithub.com/kyverno/kyverno/issues/10270))
- Fixed webhook configuration update loop ([#10274](https://togithub.com/kyverno/kyverno/issues/10274))
- Fixed an issue when a rule has both conditional and equality anchors defined ([https://github.com/kyverno/kyverno/issues/10117](https://togithub.com/kyverno/kyverno/issues/10117))
#### Others
- Made CLI results count public ([#10177](https://togithub.com/kyverno/kyverno/issues/10177))
- Added a new linter `prealloc` to enforce slice declarations best practice ([#10250](https://togithub.com/kyverno/kyverno/issues/10250))
### [`v1.12.1`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.1)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.12.0...v1.12.1)
### Important Notice
If you are running 1.12, please upgrade to [v1.12.4](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.4) to pick up the [fix](https://togithub.com/kyverno/kyverno/pull/10415) for the ephemeralreports piling-up issue. See this post to understand how to recover from an etcd outage:
[Amazon EKS- managing and fixing ETCD database size](https://marcincuber.medium.com/amazon-eks-managing-and-fixing-etcd-database-size-b6fb875888cb)
If you are seeing consistent creation of ephemeralreports, please track [this issue](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2167597580) to avoid creation of too many ephemeralreports.
#### Fixed
- Fixed return status when `celPreconditions.matchConditions` aren't met ([#9940](https://togithub.com/kyverno/kyverno/issues/9940))
- Fixed the CLI to evaluate `namespaceObject` for Kyverno policies ([#9977](https://togithub.com/kyverno/kyverno/issues/9977), [#9978](https://togithub.com/kyverno/kyverno/issues/9978))
- Fixed concurrent policy applications ([#10139](https://togithub.com/kyverno/kyverno/issues/10139))
- Fixed endless updates of policy status ([#10140](https://togithub.com/kyverno/kyverno/issues/10140))
- Fixed empty operations in the mutating webhook configuration for a policy with mixed types of rules ([#10146](https://togithub.com/kyverno/kyverno/issues/10146))
- Fixed endless policy reports reconciliation issue ([#10148](https://togithub.com/kyverno/kyverno/issues/10148))
- Fixed type conversion in jmespath context variables ([#10152](https://togithub.com/kyverno/kyverno/issues/10152))
#### Others
- Fixed tests for codegen ([#9942](https://togithub.com/kyverno/kyverno/issues/9942))
- Removed unused parameters, packages ([#10007](https://togithub.com/kyverno/kyverno/issues/10007), [#10101](https://togithub.com/kyverno/kyverno/issues/10101))
- Refactored VAPs registration in the API server ([#10014](https://togithub.com/kyverno/kyverno/issues/10014))
- Updated performance testing docs for 1.12 ([#10116](https://togithub.com/kyverno/kyverno/issues/10116))
### [`v1.12.0`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.0)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.11.5...v1.12.0)
### 1.12 Release Notes
#### Important Notice
If you are running 1.12, please upgrade to [v1.12.4](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.4) to pick up the [fix](https://togithub.com/kyverno/kyverno/pull/10415) for the ephemeralreports piling-up issue. See this post to understand how to recover from an etcd outage:
[Amazon EKS- managing and fixing ETCD database size](https://marcincuber.medium.com/amazon-eks-managing-and-fixing-etcd-database-size-b6fb875888cb)
If you are seeing consistent creation of ephemeralreports, please track [this issue](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2167597580) to avoid creation of too many ephemeralreports.
Several critical issues were found in 1.12.0 and are being closely monitored within the [1.12.1 milestone](https://togithub.com/kyverno/kyverno/milestone/89). Please hold your upgrade to this release until 1.12.1 comes out.
#### Breaking (Potentially)
- Policies using long-deprecated or invalid operators in conditions (ex., `In` and `NotIn`) will be blocked. Please see the current list of available operators [here](https://kyverno.io/docs/writing-policies/preconditions/#operators) ([#8624](https://togithub.com/kyverno/kyverno/issues/8624))
#### Added
- Added a global cache via a new Custom Resource called GlobalContextEntry allowing caching of any resource ([#9591](https://togithub.com/kyverno/kyverno/issues/9591), [#9595](https://togithub.com/kyverno/kyverno/issues/9595), [#9601](https://togithub.com/kyverno/kyverno/issues/9601), [#9602](https://togithub.com/kyverno/kyverno/issues/9602), [#9614](https://togithub.com/kyverno/kyverno/issues/9614), [#9615](https://togithub.com/kyverno/kyverno/issues/9615), [#9618](https://togithub.com/kyverno/kyverno/issues/9618), [#9619](https://togithub.com/kyverno/kyverno/issues/9619), [#9620](https://togithub.com/kyverno/kyverno/issues/9620), [#9621](https://togithub.com/kyverno/kyverno/issues/9621), [#9643](https://togithub.com/kyverno/kyverno/issues/9643), [#9652](https://togithub.com/kyverno/kyverno/issues/9652), [#9678](https://togithub.com/kyverno/kyverno/issues/9678), [#9710](https://togithub.com/kyverno/kyverno/issues/9710), [#9813](https://togithub.com/kyverno/kyverno/issues/9813))
- Added the ability to configure the listening ports of webhooks for admission and cleanup controllers ([#7728](https://togithub.com/kyverno/kyverno/issues/7728))
- Several new and improved abilities to reduce the scope of webhooks based on policy configurations, including support for the CEL-based `matchConditions` available in Kubernetes 1.27+ ([#8065](https://togithub.com/kyverno/kyverno/issues/8065), [#8437](https://togithub.com/kyverno/kyverno/issues/8437), [#9483](https://togithub.com/kyverno/kyverno/issues/9483), [#9599](https://togithub.com/kyverno/kyverno/issues/9599))
- Added a new container flag `--protectManagedResources` to the cleanup controller ([#8566](https://togithub.com/kyverno/kyverno/issues/8566))
- Added a new container flag `--renewBefore` to the admission cleanup controllers to configure the cert renewal time ([#8567](https://togithub.com/kyverno/kyverno/issues/8567))
- Added a new container flag `--loggingtsFormat` which can be used to change the time format of logs ([#9276](https://togithub.com/kyverno/kyverno/issues/9276))
- Policy Exceptions now support conditions ([#8577](https://togithub.com/kyverno/kyverno/issues/8577))
- Policy Exceptions now support excluding specific controls when using a Pod Security sub-rule `validate.podSecurity` ([#9343](https://togithub.com/kyverno/kyverno/issues/9343), [#9817](https://togithub.com/kyverno/kyverno/issues/9817))
- Pod Security sub-rule (`validate.podSecurity`) has a new ability to exclude based on restricted fields (`exclude.restrictedField` and associated values) ([#8585](https://togithub.com/kyverno/kyverno/issues/8585), [#9770](https://togithub.com/kyverno/kyverno/issues/9770), [#9658](https://togithub.com/kyverno/kyverno/issues/9658))
- Added a new field to verifyImages rules called `skipImageReferences` allowing you to exclude certain images ([#8633](https://togithub.com/kyverno/kyverno/issues/8633))
- Added a new field to generate rules (data-type) called `orphanDownstreamOnPolicyDelete` which will preserve downstream resources when the policy/rule is deleted ([#9579](https://togithub.com/kyverno/kyverno/issues/9579))
- Added the ability to deploy specific controllers with CRDs following suit ([#8849](https://togithub.com/kyverno/kyverno/issues/8849), [#9608](https://togithub.com/kyverno/kyverno/issues/9608))
- Added the ability to apply custom labels to Kyverno's webhooks, helpful especially for Argo CD users ([#9015](https://togithub.com/kyverno/kyverno/issues/9015))
- Added support for more types of JSON patch operations like "move", "copy", and "test" ([#9476](https://togithub.com/kyverno/kyverno/issues/9476))
- Policy Reports can now be generated from ValidatingAdmissionPolicies and their bindings ([#9506](https://togithub.com/kyverno/kyverno/issues/9506))
- Created a new API group `reports.kyverno.io` for storing new ephemeral report kinds `EphemeralReports` and `ClusterEphemeralReports` ([#9521](https://togithub.com/kyverno/kyverno/issues/9521), [#9537](https://togithub.com/kyverno/kyverno/issues/9537))
- New `is_external_url()` JMESPath function to determine whether a given URL is an external URL ([#8614](https://togithub.com/kyverno/kyverno/issues/8614))
- New `sha256()` JMESPath function to convert a string of any length to a fixed hash value ([#9144](https://togithub.com/kyverno/kyverno/issues/9144))
- Kyverno CLI: Added a new `migrate` command which is used to migrate Kyverno resources to the current API version ([#9296](https://togithub.com/kyverno/kyverno/issues/9296))
- Kyverno CLI: Added a new (experimental) `json` command which incorporates the [Kyverno JSON subproject](https://togithub.com/kyverno/kyverno-json) into the main CLI allowing for testing of any JSON content ([#9639](https://togithub.com/kyverno/kyverno/issues/9639), [#9651](https://togithub.com/kyverno/kyverno/issues/9651))
- Kyverno CLI: The `test` command now supports the same [assertion trees](https://kyverno.io/blog/2023/12/13/kyverno-chainsaw-exploring-the-power-of-assertion-trees/) available in Chainsaw ([#9380](https://togithub.com/kyverno/kyverno/issues/9380))
- Kyverno CLI: The `apply` command now supports ValidatingAdmissionPolicyBindings ([#9468](https://togithub.com/kyverno/kyverno/issues/9468), [#9751](https://togithub.com/kyverno/kyverno/issues/9751), [#9759](https://togithub.com/kyverno/kyverno/issues/9759))
- Kyverno CLI: `apply` and `test` commands now support Policy Exceptions ([#9525](https://togithub.com/kyverno/kyverno/issues/9525), [#9624](https://togithub.com/kyverno/kyverno/issues/9624), [#9714](https://togithub.com/kyverno/kyverno/issues/9714), [#9749](https://togithub.com/kyverno/kyverno/issues/9749))
- Kyverno CLI: Added a `--resources` flag as an alias for the existing `--resource` flag ([#9749](https://togithub.com/kyverno/kyverno/issues/9749))
##### Helm
- Add chart parameters for setting `revisionHistoryLimit` ([#8907](https://togithub.com/kyverno/kyverno/issues/8907))
- Allow excluding resources from config.resourceFilters ([#8946](https://togithub.com/kyverno/kyverno/issues/8946))
- Allow defining ca-certificates bundle for Kyverno deployments ([#8969](https://togithub.com/kyverno/kyverno/issues/8969))
- Clean up Helm change logs ([#9057](https://togithub.com/kyverno/kyverno/issues/9057))
- Added ability to set extra environment variables globally ([#9269](https://togithub.com/kyverno/kyverno/issues/9269))
- Added the ability to enable performance profiling to the chart ([#9338](https://togithub.com/kyverno/kyverno/issues/9338))
- Added a global nodeSelector to the chart ([#9339](https://togithub.com/kyverno/kyverno/issues/9339))
- Allow adding Pod labels to cleanup jobs in the chart ([#9391](https://togithub.com/kyverno/kyverno/issues/9391))
- Added a CRD migration capability via hooks to the chart ([#9481](https://togithub.com/kyverno/kyverno/issues/9481), [#9657](https://togithub.com/kyverno/kyverno/issues/9657))
- Added the ability to define additional resources to be excluded via resourceFilters ([#9530](https://togithub.com/kyverno/kyverno/issues/9530))
- Added a small note for AKS users when the chart is installed ([#9552](https://togithub.com/kyverno/kyverno/issues/9552))
- Added the ability to configure backoff limits in jobs in the chart ([#9569](https://togithub.com/kyverno/kyverno/issues/9569))
- Added default exclusions in webhooks ([#9950](https://togithub.com/kyverno/kyverno/issues/9950))
#### Changed
- Allow setting admission controller replica count to 2 ([#8932](https://togithub.com/kyverno/kyverno/issues/8932))
- The `spec.schemaValidation` field is formally deprecated. As of 1.11 it has no effect. ([#9189](https://togithub.com/kyverno/kyverno/issues/9189))
- The `--reportsChunkSize` flag is deprecated and has no effect since aggregation has changed ([#9697](https://togithub.com/kyverno/kyverno/issues/9697))
- The `--imageSignatureRepository` flag is deprecated and has no effect, use the `verifyImages.Repository` field instead ([#9698](https://togithub.com/kyverno/kyverno/issues/9698))
- Policy Exceptions will now be evaluated against existing resources when the exception is created ([#8659](https://togithub.com/kyverno/kyverno/issues/8659), [#8713](https://togithub.com/kyverno/kyverno/issues/8713), [#8544](https://togithub.com/kyverno/kyverno/issues/8544))
- Policy Exceptions API graduated to v2 ([#9208](https://togithub.com/kyverno/kyverno/issues/9208), [#9412](https://togithub.com/kyverno/kyverno/issues/9412))
- Cleanup Policies API graduated to v2 ([#9261](https://togithub.com/kyverno/kyverno/issues/9261), [#9420](https://togithub.com/kyverno/kyverno/issues/9420))
- Admission and Background reports APIs graduated to v2 ([#9262](https://togithub.com/kyverno/kyverno/issues/9262))
- UpdateRequests API graduated to v2 ([#9267](https://togithub.com/kyverno/kyverno/issues/9267))
- Reduced some logged messages ([#9509](https://togithub.com/kyverno/kyverno/issues/9509), [#9626](https://togithub.com/kyverno/kyverno/issues/9626))
- Default logging time format is changed to RFC3339 ([#9775](https://togithub.com/kyverno/kyverno/issues/9775))
- Updated the internal Pod Security Standards up through 1.29 ([#9783](https://togithub.com/kyverno/kyverno/issues/9783))
- The `time_parse()` JMESPath filter now supports epoch time ([#9173](https://togithub.com/kyverno/kyverno/issues/9173))
- Kyverno will validate ValidatingAdmissionPolicies' CEL expressions and show a warning, or block, if invalid ([#9566](https://togithub.com/kyverno/kyverno/issues/9566))
- Kyverno CLI: The CLI will now perform field defaulting in policies being tested, moving it out of experimental status ([#9220](https://togithub.com/kyverno/kyverno/issues/9220))
##### Helm
- Chart will now omit policy applied and skipped events by default ([#9493](https://togithub.com/kyverno/kyverno/issues/9493))
- Allow configuring the policy kind in kyverno-policies chart ([#8827](https://togithub.com/kyverno/kyverno/issues/8827))
- Refined permissions by removing wildcards ([#9507](https://togithub.com/kyverno/kyverno/issues/9507), [#9516](https://togithub.com/kyverno/kyverno/issues/9516))
- Rename the Grafana dashboard file from `dashboard.json` to `kyverno-dashboard.json` ([#9041](https://togithub.com/kyverno/kyverno/issues/9041))
#### Performance
- Initialize JMESPath interpreter once and reuse it across searches ([#8299](https://togithub.com/kyverno/kyverno/issues/8299))
- Optimize JSON context processing using in-memory maps ([#8322](https://togithub.com/kyverno/kyverno/issues/8322))
- Optimize how Events are created and processed ([#9323](https://togithub.com/kyverno/kyverno/issues/9323), [#9324](https://togithub.com/kyverno/kyverno/issues/9324))
- Optimize validate policy application by adding a worker pool ([#10056](https://togithub.com/kyverno/kyverno/issues/10056))
#### Fixed
- Fixed handling of escaped variables in an expression with multiple escaped variables ([#8311](https://togithub.com/kyverno/kyverno/issues/8311))
- Fixed an issue when verifying attestations using multiple keys ([#8880](https://togithub.com/kyverno/kyverno/issues/8880))
- Fixed an issue causing application of mutation policies to fail even when `failurePolicy` was set to `Ignore` ([#8952](https://togithub.com/kyverno/kyverno/issues/8952))
- Fixed an issue that allowed violating resources when a policy had `validationFailureAction` set to `Enforce` and `failurePolicy` set to `Ignore` ([#8953](https://togithub.com/kyverno/kyverno/issues/8953))
- Fixed an issue causing premature skipping of resources in validate policies with anchors defined ([#9155](https://togithub.com/kyverno/kyverno/issues/9155))
- Fixed an issue where the `-v` container flag for logging was not honored ([#9163](https://togithub.com/kyverno/kyverno/issues/9163))
- Switched a logged error to info when preconditions didn't pass in a mutate existing rule ([#9232](https://togithub.com/kyverno/kyverno/issues/9232))
- Reports aggregation fixes and improvements ([#9697](https://togithub.com/kyverno/kyverno/issues/9697))
- Fixed an issue preventing generation of a ValidatingAdmissionPolicy when `exclude` was used in the rule ([#9331](https://togithub.com/kyverno/kyverno/issues/9331))
- Fixed an issue resulting in ValidatingAdmissionPolicies getting generated when there was a Policy Exception in place ([#9386](https://togithub.com/kyverno/kyverno/issues/9386))
- Fixed an issue where a ValidatingAdmissionPolicy was applied to the wrong resource in background scans ([#9468](https://togithub.com/kyverno/kyverno/issues/9468))
- Fixed an issue when generating Events associated with ValidatingAdmissionPolicies ([#9392](https://togithub.com/kyverno/kyverno/issues/9392))
- Fixed an issue with UpdateRequests getting stuck in a perpetual Pending state when using variables from admission ([#9355](https://togithub.com/kyverno/kyverno/issues/9355))
- Fixed an issue preventing validating image signatures on AWS with a FIPS endpoint from working ([#9416](https://togithub.com/kyverno/kyverno/issues/9416))
- Fixed an issue preventing variables from being substituted in messages when using `anyPattern` validate rules ([#9713](https://togithub.com/kyverno/kyverno/issues/9713))
- Fixed an issue where skipped policies due to preconditions were returned in denial response messages ([#9719](https://togithub.com/kyverno/kyverno/issues/9719))
- Removed an unnecessary podSecurity check ([#9790](https://togithub.com/kyverno/kyverno/issues/9790))
- Fixed an issue when verifying images from an insecure registry ([#9838](https://togithub.com/kyverno/kyverno/issues/9838))
- Fixed an issue with some validate rules and the UPDATE operation ([#9893](https://togithub.com/kyverno/kyverno/issues/9893))
- Kyverno CLI: Fixed an issue doing a test with an UPDATE operation ([#9191](https://togithub.com/kyverno/kyverno/issues/9191))
- Kyverno CLI: Fixed applying `cloneList` generate policies with `apply` command ([#9036](https://togithub.com/kyverno/kyverno/issues/9036))
- Kyverno CLI: Fixed a logging error ([#9238](https://togithub.com/kyverno/kyverno/issues/9238))
- Kyverno CLI: Testing of generate rules which use the `useServerSideApply` field now works properly ([#9385](https://togithub.com/kyverno/kyverno/issues/9385))
- Kyverno CLI: Fixed an issue causing the `apply` command to panic when applying a mutate existing rule ([#9492](https://togithub.com/kyverno/kyverno/issues/9492))
- Kyverno CLI: Fixed an issue with the `apply` command where some errors weren't shown ([#9533](https://togithub.com/kyverno/kyverno/issues/9533))
- Kyverno CLI: Fixed an issue with the `apply` command where a `foreach` with zero elements was a `skip` ([#9534](https://togithub.com/kyverno/kyverno/issues/9534), [#9543](https://togithub.com/kyverno/kyverno/issues/9543))
- Kyverno CLI: Fixed a regression where the `--warn-exit-code` stopped working ([#9828](https://togithub.com/kyverno/kyverno/issues/9828))
- Fixed cosign ctlog unit tests ([#9971](https://togithub.com/kyverno/kyverno/issues/9971))
- Fixed deferred loader panic when mutate and generate policies are applied ([#9968](https://togithub.com/kyverno/kyverno/issues/9968))
- Fixed an autogen issue so that Kyverno now only generates rules for the request kind ([#9997](https://togithub.com/kyverno/kyverno/issues/9997))
- Fixed an issue where the mutex was not added to the mock policy context builder ([#10059](https://togithub.com/kyverno/kyverno/issues/10059))
- Fixed policy status reconciliation when it fails to set policy to ready ([#10047](https://togithub.com/kyverno/kyverno/issues/10047))
- Fixed the container flag `maxQueuedEvents` ([#10031](https://togithub.com/kyverno/kyverno/issues/10031))
- Fixed an issue where rekor opts were missing in cosign certificate verification, and made the rekor URL optional ([#10025](https://togithub.com/kyverno/kyverno/issues/10025))
##### Helm
- Fixed an issue deploying ServiceMonitor CR with ArgoCD via the chart ([#8913](https://togithub.com/kyverno/kyverno/issues/8913))
- Fixed an issue preventing multiple replicas from being defined in the chart ([#9066](https://togithub.com/kyverno/kyverno/issues/9066))
- Make role and binding names consistent ([#9482](https://togithub.com/kyverno/kyverno/issues/9482))
- Fixed some minor issues with the Helm report cleanup jobs ([#9555](https://togithub.com/kyverno/kyverno/issues/9555))
- Fixed a typo in the Kyverno chart README ([#8911](https://togithub.com/kyverno/kyverno/issues/8911))
All PRs:
[#10013](https://togithub.com/kyverno/kyverno/issues/10013) chore: bump chainsaw to v0.1.9
[#10025](https://togithub.com/kyverno/kyverno/issues/10025) fix: add rekor opts to cosign certificate verification and make rekor url optional
[#10039](https://togithub.com/kyverno/kyverno/issues/10039) chore: bump cosign to v2.2.4
[#10031](https://togithub.com/kyverno/kyverno/issues/10031) fix: re-use the maxQueuedEvents
[#10047](https://togithub.com/kyverno/kyverno/issues/10047) fix: policy status reconciliation
[#10056](https://togithub.com/kyverno/kyverno/issues/10056) feat(audit): use a worker pool for Audit policies
[#10059](https://togithub.com/kyverno/kyverno/issues/10059) fix: add mutex to mock policy context builder
[#9989](https://togithub.com/kyverno/kyverno/issues/9989) chore: bump kyverno-json to latest
[#9997](https://togithub.com/kyverno/kyverno/issues/9997) fix(autogen): only generate rule for request kind
[#9950](https://togithub.com/kyverno/kyverno/issues/9950) feat: set default exclusions in webhooks
[#9968](https://togithub.com/kyverno/kyverno/issues/9968) fix: deferred loader panic when mutate and generate policies are applied
[#9971](https://togithub.com/kyverno/kyverno/issues/9971) fix: cosign ctlog unit tests
[#9903](https://togithub.com/kyverno/kyverno/issues/9903) fix(globalcontext): panics and validation
[#9893](https://togithub.com/kyverno/kyverno/issues/9893) fix: properly update policy context after preexisting resource in violation check
[#9849](https://togithub.com/kyverno/kyverno/issues/9849) fix: release CRDs manifests
[#9845](https://togithub.com/kyverno/kyverno/issues/9845) fix: add missing unit tests for podSecurity.hostpathVolume check
[#9838](https://togithub.com/kyverno/kyverno/issues/9838) fix: use gcr crane opts while fetching image descriptors
[#9835](https://togithub.com/kyverno/kyverno/issues/9835) fix: remove duplicate chainsaw tests for PSA
[#9828](https://togithub.com/kyverno/kyverno/issues/9828) \[Bug] \[CLI] Restore warn-exit-code functionality for apply command
[#9817](https://togithub.com/kyverno/kyverno/issues/9817) fix: add podSecurity validation checks for exceptions
[#9813](https://togithub.com/kyverno/kyverno/issues/9813) fix(globalcontext): old WaitGroup not stopping
[#9791](https://togithub.com/kyverno/kyverno/issues/9791) fix: remove unnecessary podSecurity chainsaw test
[#9790](https://togithub.com/kyverno/kyverno/issues/9790) fix: remove unnecessary validation check for podSecurity rule
[#9783](https://togithub.com/kyverno/kyverno/issues/9783) update versions
[#9781](https://togithub.com/kyverno/kyverno/issues/9781) chore: add tests for exceptions in the CLI
[#9775](https://togithub.com/kyverno/kyverno/issues/9775) chore: default logging format to rfc3339
[#9770](https://togithub.com/kyverno/kyverno/issues/9770) fix: add validation check for podSecurity subrule
[#9763](https://togithub.com/kyverno/kyverno/issues/9763) chore: bump chainsaw
[#9759](https://togithub.com/kyverno/kyverno/issues/9759) feat: support bindings in Kyverno CLI test command
[#9751](https://togithub.com/kyverno/kyverno/issues/9751) feat: apply VAP bindings in CLI apply command in offline mode
[#9749](https://togithub.com/kyverno/kyverno/issues/9749) add plural form aliases for resources and exceptions flags
[#9719](https://togithub.com/kyverno/kyverno/issues/9719) fix: Policies skipped because of preconditions not met should not be included in admission requests denial responses
[#9714](https://togithub.com/kyverno/kyverno/issues/9714) fix: add the support of v2alpha1 exceptions in the CLI
[#9713](https://togithub.com/kyverno/kyverno/issues/9713) Fix :variables are not getting processed in validation message for "anyPattern"
[#9710](https://togithub.com/kyverno/kyverno/issues/9710) feat: enhance global context
[#9709](https://togithub.com/kyverno/kyverno/issues/9709) chore: bump otel deps
[#9698](https://togithub.com/kyverno/kyverno/issues/9698) fix: remove deprecated imageSignatureRepository flag
[#9697](https://togithub.com/kyverno/kyverno/issues/9697) fix: reports aggregation
[#9691](https://togithub.com/kyverno/kyverno/issues/9691) fix: modify the conformance config name
[#9690](https://togithub.com/kyverno/kyverno/issues/9690) chore: rename admission to ephemeral in reports aggregation controller
[#9682](https://togithub.com/kyverno/kyverno/issues/9682) chore(deps): bump kyverno/action-install-chainsaw from 0.1.2 to 0.1.3
[#9680](https://togithub.com/kyverno/kyverno/issues/9680) chore: bump kind and k8s images
[#9679](https://togithub.com/kyverno/kyverno/issues/9679) fix: don't delete garbage collected policy reports
[#9678](https://togithub.com/kyverno/kyverno/issues/9678) feat(validation-webhook): validate global context reference
[#9677](https://togithub.com/kyverno/kyverno/issues/9677) feat: remove admission report controller
[#9672](https://togithub.com/kyverno/kyverno/issues/9672) feat: add chainsaw tests for exceptions
[#9667](https://togithub.com/kyverno/kyverno/issues/9667) feat: add chainsaw tests for pod security in exceptions
[#9661](https://togithub.com/kyverno/kyverno/issues/9661) test(globalcontext): add e2e tests
[#9658](https://togithub.com/kyverno/kyverno/issues/9658) \[Bug] Fix message and formatting of podSecurity validation failure with restrictedField
[#9657](https://togithub.com/kyverno/kyverno/issues/9657) fix: add missing migrations
[#9652](https://togithub.com/kyverno/kyverno/issues/9652) chore(globalcontext): remove global context flag
[#9651](https://togithub.com/kyverno/kyverno/issues/9651) feat: add scan command for generic resources
[#9645](https://togithub.com/kyverno/kyverno/issues/9645) feat: add chainsaw test for policy webhook based configuration
[#9643](https://togithub.com/kyverno/kyverno/issues/9643) fix: global context validation
[#9639](https://togithub.com/kyverno/kyverno/issues/9639) feat: add root command to process generic json resources
[#9630](https://togithub.com/kyverno/kyverno/issues/9630) chore: remove renovate config
[#9628](https://togithub.com/kyverno/kyverno/issues/9628) feat: add chainsaw tests for global context crd validation
[#9626](https://togithub.com/kyverno/kyverno/issues/9626) changed the log level in match policy context
[#9624](https://togithub.com/kyverno/kyverno/issues/9624) support -e shorthand letter with --exception flag
[#9621](https://togithub.com/kyverno/kyverno/issues/9621) fix: global context crd improvements
[#9620](https://togithub.com/kyverno/kyverno/issues/9620) feat: consider maxAPICallResponseLength
[#9619](https://togithub.com/kyverno/kyverno/issues/9619) feat: add global context entry validation webhook
[#9618](https://togithub.com/kyverno/kyverno/issues/9618) chore: move global context package out of engine
[#9616](https://togithub.com/kyverno/kyverno/issues/9616) feat: use the check block for checking CLI output in chainsaw tests
[#9615](https://togithub.com/kyverno/kyverno/issues/9615) feat: update refreshInterval in globalcontext CRD to use a duration
[#9614](https://togithub.com/kyverno/kyverno/issues/9614) feat: add global context support in helm chart
[#9609](https://togithub.com/kyverno/kyverno/issues/9609) make exception in cli exportable
[#9608](https://togithub.com/kyverno/kyverno/issues/9608) sanity check in parent chart for crd-controller mismatch
[#9606](https://togithub.com/kyverno/kyverno/issues/9606) chore: enable chainsaw fail fast
[#9602](https://togithub.com/kyverno/kyverno/issues/9602) feat: add globalcontext loader and interface
[#9601](https://togithub.com/kyverno/kyverno/issues/9601) feat: add globalcontext controller
[#9600](https://togithub.com/kyverno/kyverno/issues/9600) chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.2 to 2.2.3
[#9599](https://togithub.com/kyverno/kyverno/issues/9599) feat: apply `.matchConditions` when generating reports
[#9598](https://togithub.com/kyverno/kyverno/issues/9598) fix: client codegen not deleting old files
[#9597](https://togithub.com/kyverno/kyverno/issues/9597) fix: codecov missing token
[#9596](https://togithub.com/kyverno/kyverno/issues/9596) fix: make ApplyCommandConfig public again
[#9595](https://togithub.com/kyverno/kyverno/issues/9595) feat: add global context crd to codegen
[#9592](https://togithub.com/kyverno/kyverno/issues/9592) fix: codecov args
[#9591](https://togithub.com/kyverno/kyverno/issues/9591) feat: add global context crd
[#9585](https://togithub.com/kyverno/kyverno/issues/9585) fix: update cli docs
[#9583](https://togithub.com/kyverno/kyverno/issues/9583) test: added test for pkg/utils/policy/marshal.go
[#9579](https://togithub.com/kyverno/kyverno/issues/9579) feat (generate): add `orphanDownstreamOnPolicyDelete` to preserve downstream on policy deletion
[#9574](https://togithub.com/kyverno/kyverno/issues/9574) fix: nancy ignore
[#9573](https://togithub.com/kyverno/kyverno/issues/9573) chore: small nits in cli test command
[#9572](https://togithub.com/kyverno/kyverno/issues/9572) fix: omit events flag
[#9570](https://togithub.com/kyverno/kyverno/issues/9570) chore: remove reports aggregation per namespace
[#9569](https://togithub.com/kyverno/kyverno/issues/9569) configured backoff limit in chart cronjobs
[#9566](https://togithub.com/kyverno/kyverno/issues/9566) feat: Support CEL expression warnings
[#9561](https://togithub.com/kyverno/kyverno/issues/9561) chore: add chainsaw tests for policy based webhook configuration
[#9555](https://togithub.com/kyverno/kyverno/issues/9555) fix: helm chart jobs
[#9554](https://togithub.com/kyverno/kyverno/issues/9554) fix: nancy ignore
[#9553](https://togithub.com/kyverno/kyverno/issues/9553) fix: make alternate reports storage transparent
[#9552](https://togithub.com/kyverno/kyverno/issues/9552) Add Helm note for AKS users
[#9546](https://togithub.com/kyverno/kyverno/issues/9546) feat: add openapi-gen to policyreports
[#9543](https://togithub.com/kyverno/kyverno/issues/9543) fix: follow up for [#9534](https://togithub.com/kyverno/kyverno/issues/9534)
[#9542](https://togithub.com/kyverno/kyverno/issues/9542) fix: CRDs codegen
[#9540](https://togithub.com/kyverno/kyverno/issues/9540) chore: bump a couple of deps
[#9539](https://togithub.com/kyverno/kyverno/issues/9539) chore: remove reference to kuttl
[#9538](https://togithub.com/kyverno/kyverno/issues/9538) test: added test for pkg/utils/admission/metadata.go
[#9537](https://togithub.com/kyverno/kyverno/issues/9537) refactor: use single type for ephemeral reports
[#9535](https://togithub.com/kyverno/kyverno/issues/9535) chore: configure gh workflows schemas
[#9534](https://togithub.com/kyverno/kyverno/issues/9534) fix: show skip when foreach with zero elements
[#9533](https://togithub.com/kyverno/kyverno/issues/9533) Fix: not showing error during policy validation error
[#9531](https://togithub.com/kyverno/kyverno/issues/9531) fix: move new reports api to top level folder
[#9530](https://togithub.com/kyverno/kyverno/issues/9530) [#9529](https://togithub.com/kyverno/kyverno/issues/9529) Support adding extra elements to the default resourceFilters list
[#9525](https://togithub.com/kyverno/kyverno/issues/9525) Support PolicyExceptions with CLI
[#9521](https://togithub.com/kyverno/kyverno/issues/9521) feat: add a new API group `reports.kyverno.io`
[#9520](https://togithub.com/kyverno/kyverno/issues/9520) test: added test for pkg/utils/admission/policy.go
[#9516](https://togithub.com/kyverno/kyverno/issues/9516) Move admission controller hardcoded wildcard permissions to new opt-out value
[#9515](https://togithub.com/kyverno/kyverno/issues/9515) ci: add load testing workflow
[#9509](https://togithub.com/kyverno/kyverno/issues/9509) fix: reduce logs in controllers when an item is not found
[#9507](https://togithub.com/kyverno/kyverno/issues/9507) feat: add more granular rbac rules to remove wildcards
[#9506](https://togithub.com/kyverno/kyverno/issues/9506) feat: support vap bindings in reports
[#9495](https://togithub.com/kyverno/kyverno/issues/9495) test: added test for pkg/utils/admission/exception.go
[#9493](https://togithub.com/kyverno/kyverno/issues/9493) chore(helm): omit normal events by default
[#9492](https://togithub.com/kyverno/kyverno/issues/9492) fix: kyverno apply panic for mutate policies
[#9487](https://togithub.com/kyverno/kyverno/issues/9487) chore: bump a couple of deps
[#9486](https://togithub.com/kyverno/kyverno/issues/9486) test: added test for pkg/utils/admission/cleanup.go
[#9483](https://togithub.com/kyverno/kyverno/issues/9483) feat: configure admission webhooks per policy
[#9482](https://togithub.com/kyverno/kyverno/issues/9482) fix: align clusterroles and bindings names
[#9481](https://togithub.com/kyverno/kyverno/issues/9481) feat: improve crd migration helm hooks
[#9476](https://togithub.com/kyverno/kyverno/issues/9476) feat: support all valid jsonpatches in validation webhook
[#9469](https://togithub.com/kyverno/kyverno/issues/9469) chore(contrib): add Khaled Emara as contributor
[#9468](https://togithub.com/kyverno/kyverno/issues/9468) feat: support validatingadmissionpolicybindings in CLI apply command
[#9467](https://togithub.com/kyverno/kyverno/issues/9467) update README for new features and OSS security index card
[#9465](https://togithub.com/kyverno/kyverno/issues/9465) chore: load cli image when deploying locally
[#9464](https://togithub.com/kyverno/kyverno/issues/9464) Update DEVELOPMENT.md
[#9463](https://togithub.com/kyverno/kyverno/issues/9463) fix: change generic policy to not return any
[#9461](https://togithub.com/kyverno/kyverno/issues/9461) Update CONTRIBUTORS.md
[#9459](https://togithub.com/kyverno/kyverno/issues/9459) added tests for validate foreach with 0 elements
[#9442](https://togithub.com/kyverno/kyverno/issues/9442) chore: bump otel deps
[#9440](https://togithub.com/kyverno/kyverno/issues/9440) chore: bump a couple of deps
[#9433](https://togithub.com/kyverno/kyverno/issues/9433) chore: use upstream cosign on main
[#9428](https://togithub.com/kyverno/kyverno/issues/9428) fix: nancy ignore list
[#9427](https://togithub.com/kyverno/kyverno/issues/9427) chore: bump json-patch
[#9426](https://togithub.com/kyverno/kyverno/issues/9426) chore: bump a couple of deps
[#9420](https://togithub.com/kyverno/kyverno/issues/9420) feat: migrate existing cleanup policies to the new storage version in helm hook
[#9416](https://togithub.com/kyverno/kyverno/issues/9416) feat: use awslabs keychain for AWS and gcr keychain for GCP
[#9412](https://togithub.com/kyverno/kyverno/issues/9412) feat: migrate existing policy exceptions to the new storage version in helm hook
[#9408](https://togithub.com/kyverno/kyverno/issues/9408) chore: bump bitnami/kubectl
[#9395](https://togithub.com/kyverno/kyverno/issues/9395) \[Feature] Security Improvements based on CLOMonitor Checks
[#9392](https://togithub.com/kyverno/kyverno/issues/9392) fix: use the correct API version for VAPs in the generated events
[#9391](https://togithub.com/kyverno/kyverno/issues/9391) feat: add podLabels to the hook jobs pod template
[#9389](https://togithub.com/kyverno/kyverno/issues/9389) fix PSA chainsaw tests
[#9386](https://togithub.com/kyverno/kyverno/issues/9386) feat: skip generating VAP when an exception is defined
[#9385](https://togithub.com/kyverno/kyverno/issues/9385) fix: Allow generate cli tests to work with server-side apply policies
[#9380](https://togithub.com/kyverno/kyverno/issues/9380) feat: use assertion trees in cli test command
[#9362](https://togithub.com/kyverno/kyverno/issues/9362) chore(deps): bump golang.org/x/crypto from 0.17.0 to 0.18.0
[#9360](https://togithub.com/kyverno/kyverno/issues/9360) chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7
[#9355](https://togithub.com/kyverno/kyverno/issues/9355) fix: clean up URs if the trigger doesn't exist
[#9348](https://togithub.com/kyverno/kyverno/issues/9348) Fix report-on-vulnerabilities
[#9343](https://togithub.com/kyverno/kyverno/issues/9343) feat: support podSecurity exclusion in exceptions
[#9341](https://togithub.com/kyverno/kyverno/issues/9341) fix PSA chainsaw tests
[#9339](https://togithub.com/kyverno/kyverno/issues/9339) Add global nodeSelector
[#9338](https://togithub.com/kyverno/kyverno/issues/9338) feat: add profiling to the helm Chart
[#9332](https://togithub.com/kyverno/kyverno/issues/9332) fix a chainsaw test
[#9331](https://togithub.com/kyverno/kyverno/issues/9331) fix: remove the check of exclude in VAPs
[#9326](https://togithub.com/kyverno/kyverno/issues/9326) chore(deps): bump kubectl-validate version
[#9324](https://togithub.com/kyverno/kyverno/issues/9324) feat: use custom events watcher
[#9323](https://togithub.com/kyverno/kyverno/issues/9323) feat: add new client for events
[#9296](https://togithub.com/kyverno/kyverno/issues/9296) feat: add resource migration command
[#9279](https://togithub.com/kyverno/kyverno/issues/9279) fix: remove policy informer from vap controller
[#9276](https://togithub.com/kyverno/kyverno/issues/9276) Feat: Human readable timestamps in logs
[#9270](https://togithub.com/kyverno/kyverno/issues/9270) feat: stop serving v2alpha1 cleanup policies
[#9269](https://togithub.com/kyverno/kyverno/issues/9269) Support setting global extraEnvVars
[#9267](https://togithub.com/kyverno/kyverno/issues/9267) chore: introduce v2 for updaterequests
[#9262](https://togithub.com/kyverno/kyverno/issues/9262) chore: introduce v2 for internal reports resources
[#9261](https://togithub.com/kyverno/kyverno/issues/9261) feat: add cleanup policies v2
[#9260](https://togithub.com/kyverno/kyverno/issues/9260) chore: bump a couple of deps
[#9255](https://togithub.com/kyverno/kyverno/issues/9255) refactor: mutate checks
[#9254](https://togithub.com/kyverno/kyverno/issues/9254) fix: set v2beta1 of exceptions the storage version
[#9240](https://togithub.com/kyverno/kyverno/issues/9240) fix: remove unused file in a test
[#9238](https://togithub.com/kyverno/kyverno/issues/9238) move error message to log
[#9236](https://togithub.com/kyverno/kyverno/issues/9236) refactor: events controller
[#9232](https://togithub.com/kyverno/kyverno/issues/9232) Fixed error log
[#9220](https://togithub.com/kyverno/kyverno/issues/9220) feat: enable kubectl-validate by default in cli
[#9218](https://togithub.com/kyverno/kyverno/issues/9218) chore: add k8s 1.29 in custom-sigstore test
[#9213](https://togithub.com/kyverno/kyverno/issues/9213) chore: add missing context unit test
[#9212](https://togithub.com/kyverno/kyverno/issues/9212) (docs) changed docs tool to kubernetes-sigs/reference-docs
[#9211](https://togithub.com/kyverno/kyverno/issues/9211) chore: remove v2alpha1 version of policy exceptions
[#9208](https://togithub.com/kyverno/kyverno/issues/9208) feat: promote policy exceptions to v2
[#9200](https://togithub.com/kyverno/kyverno/issues/9200) refactor: make CLI store non static
[#9198](https://togithub.com/kyverno/kyverno/issues/9198) chore: bump a couple of deps
[#9192](https://togithub.com/kyverno/kyverno/issues/9192) chore: add cli update test
[#9191](https://togithub.com/kyverno/kyverno/issues/9191) fix: deep copy resource in cli when operation is update
[#9189](https://togithub.com/kyverno/kyverno/issues/9189) fix: deprecate spec.schemaValidation
[#9187](https://togithub.com/kyverno/kyverno/issues/9187) chore: fix conformance tests
[#9180](https://togithub.com/kyverno/kyverno/issues/9180) Minor fix
[#9179](https://togithub.com/kyverno/kyverno/issues/9179) chore: use sigstore/cosign 2.2.2 on main
[#9175](https://togithub.com/kyverno/kyverno/issues/9175) fix: updates make codegen-deepcopy back to make codegen-deepcopy-all flag back to api deep copy function generatio...
[#9173](https://togithub.com/kyverno/kyverno/issues/9173) feat(jmespath):time_parse() support epoch time
[#9165](https://togithub.com/kyverno/kyverno/issues/9165) chore: move a mutateExisting chainsaw test under its directory
[#9163](https://togithub.com/kyverno/kyverno/issues/9163) fix: set logger level
[#9161](https://togithub.com/kyverno/kyverno/issues/9161) chore: add 1.29 to all test grids and remove 1.25
[#9158](https://togithub.com/kyverno/kyverno/issues/9158) chore: add 1.29 to the test grid
[#9155](https://togithub.com/kyverno/kyverno/issues/9155) fix: validate pattern premature skip
[#9148](https://togithub.com/kyverno/kyverno/issues/9148) fix: chainsaw test
[#9144](https://togithub.com/kyverno/kyverno/issues/9144) support for SHA256 jmespath function
[#9143](https://togithub.com/kyverno/kyverno/issues/9143) chore: use new chainsaw github action
[#9140](https://togithub.com/kyverno/kyverno/issues/9140) chore: bump chainsaw
[#9130](https://togithub.com/kyverno/kyverno/issues/9130) chore: add myself to the maintainers list
[#9125](https://togithub.com/kyverno/kyverno/issues/9125) feat: add myself (vishal-chdhry) to maintainers list
[#9124](https://togithub.com/kyverno/kyverno/issues/9124) support for Add Variable unit test
[#9120](https://togithub.com/kyverno/kyverno/issues/9120) chore: bump chainsaw
[#9114](https://togithub.com/kyverno/kyverno/issues/9114) chore: bump chainsaw
[#9113](https://togithub.com/kyverno/kyverno/issues/9113) chore: convert chainsaw tests to Test resource
[#9109](https://togithub.com/kyverno/kyverno/issues/9109) chore: convert chainsaw tests to Test resource
[#9108](https://togithub.com/kyverno/kyverno/issues/9108) chore: update PR template to require documentation PR
[#9103](https://togithub.com/kyverno/kyverno/issues/9103) chore: improve cluster startup in conformance tests
[#9100](https://togithub.com/kyverno/kyverno/issues/9100) chore: convert chainsaw tests to Test resource
[#9099](https://togithub.com/kyverno/kyverno/issues/9099) chore: convert chainsaw tests to Test resource
[#9098](https://togithub.com/kyverno/kyverno/issues/9098) chore: improve ci perf
[#9094](https://togithub.com/kyverno/kyverno/issues/9094) chore: convert chainsaw tests to Test resource
[#9093](https://togithub.com/kyverno/kyverno/issues/9093) chore: install kind from binaries
[#9092](https://togithub.com/kyverno/kyverno/issues/9092) chore: remove kuttl from makefile
[#9088](https://togithub.com/kyverno/kyverno/issues/9088) fix: nancy ignore
[#9087](https://togithub.com/kyverno/kyverno/issues/9087) chore: convert chainsaw tests to Test resource
[#9086](https://togithub.com/kyverno/kyverno/issues/9086) chore: improve conformance tests ci perf
[#9085](https://togithub.com/kyverno/kyverno/issues/9085) fix: conformance tests
[#9071](https://togithub.com/kyverno/kyverno/issues/9071) chore: bump chainsaw
[#9066](https://togithub.com/kyverno/kyverno/issues/9066) Fix Helm chart to not error when replicas defined
[#9064](https://togithub.com/kyverno/kyverno/issues/9064) chore: bump chainsaw
[#9057](https://togithub.com/kyverno/kyverno/issues/9057) Update helm docs
[#9052](https://togithub.com/kyverno/kyverno/issues/9052) chore: use Kubernetes 1.28 by default
[#9046](https://togithub.com/kyverno/kyverno/issues/9046) Use nancy on actually included dependencies
[#9045](https://togithub.com/kyverno/kyverno/issues/9045) chore: add 1.10.4-6 & 1.11.1 to github issue templates
[#9041](https://togithub.com/kyverno/kyverno/issues/9041) fix(helm): Rename dashboard.json to kyverno-dashboard.json
[#9038](https://togithub.com/kyverno/kyverno/issues/9038) chore: bump chainsaw
[#9036](https://togithub.com/kyverno/kyverno/issues/9036) fix: Provide kind list hints to the fake dynamic client.
[#9028](https://togithub.com/kyverno/kyverno/issues/9028) chore: fix chainsaw tests cleanup timeout
[#9023](https://togithub.com/kyverno/kyverno/issues/9023) chore: remove kuttl tests folder
[#9018](https://togithub.com/kyverno/kyverno/issues/9018) chore: replace more kuttl tests by chainsaw
[#9017](https://togithub.com/kyverno/kyverno/issues/9017) chore: replace more kuttl tests by chainsaw
[#9016](https://togithub.com/kyverno/kyverno/issues/9016) chore: replace standard kuttl tests by chainsaw ones
[#9015](https://togithub.com/kyverno/kyverno/issues/9015) feat: webhook labels
[#9013](https://togithub.com/kyverno/kyverno/issues/9013) chore: fix chainsaw exec timeout issue
[#9012](https://togithub.com/kyverno/kyverno/issues/9012) chore: enable all chainsaw tests
[#9011](https://togithub.com/kyverno/kyverno/issues/9011) chore: all chainsaw tests
[#9008](https://togithub.com/kyverno/kyverno/issues/9008) fix: extend chains
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/appuio/component-appuio-cloud).
This PR contains the following updates: v1.9.0 -> v1.12.5
Release Notes
kyverno/kyverno (github.com/kyverno/kyverno)
### [`v1.12.5`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.5) [Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.12.4...v1.12.5) #### β¨ Added β¨ - Added the circuit breaker for `ephemeralreports` generated from the admission events which is used to create policy reports ([#10499](https://togithub.com/kyverno/kyverno/issues/10499), [#10596](https://togithub.com/kyverno/kyverno/issues/10596), [#10610](https://togithub.com/kyverno/kyverno/issues/10610), [#10613](https://togithub.com/kyverno/kyverno/issues/10613)) - Added the circuit breaker for `updaterequests` which is used to apply generate and mutate existing rules ([#10382](https://togithub.com/kyverno/kyverno/issues/10382)) #### π Fixed π - Fixed an issue for generate policies to correctly validate patterns for old and new objects ([#10310](https://togithub.com/kyverno/kyverno/issues/10310)) - Fixed a CLI issue to get namespace's labels in the cluster mode ([#10348](https://togithub.com/kyverno/kyverno/issues/10348)) - Normalized Global Context event's reason to be inline with other policies ([#10395](https://togithub.com/kyverno/kyverno/issues/10395)) - Fixed the `ephemeralreports` to use generate name to avoid duplicate names ([#10491](https://togithub.com/kyverno/kyverno/issues/10491)) - Fixed notary tests ([#10579](https://togithub.com/kyverno/kyverno/issues/10579)) - Fixed to delete resources for the cleanup policy ([#10582](https://togithub.com/kyverno/kyverno/issues/10582)) - Fixed a log issue to not append cleanup policy names ([#10583](https://togithub.com/kyverno/kyverno/issues/10583)) - Fixed CEL policies to be applied to deleted resources ([#10611](https://togithub.com/kyverno/kyverno/issues/10611)) - Fixed an Json context issue to delete non-exist old values for `foreach` rules ([#10615](https://togithub.com/kyverno/kyverno/issues/10615)) - Renamed level 1 logs to INFO from DEBUG ([#10617](https://togithub.com/kyverno/kyverno/issues/10617)) - Truncated event messages to 
1024 chars ([#10636](https://togithub.com/kyverno/kyverno/issues/10636)) - Fixed mutatingwebhookconfiguraition configured rules ([#10639](https://togithub.com/kyverno/kyverno/issues/10639)) #### π§ Others π§ - Refactored VAPs registrations ([#10014](https://togithub.com/kyverno/kyverno/issues/10014)) - Removed unused parameters ([#10330](https://togithub.com/kyverno/kyverno/issues/10330)) - Bumped Chainsaw ([#10345](https://togithub.com/kyverno/kyverno/issues/10345)) ### [`v1.12.4`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.4) [Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.12.3...v1.12.4) ### βImportant Notice β If you are running 1.12, please upgrade to this version to pick up the [fix](https://togithub.com/kyverno/kyverno/pull/10415) for the ephemeralreports piling-up issue. Check this post and understand how to recover from an ETCD outage: [Amazon EKS- managing and fixing ETCD database size](https://marcincuber.medium.com/amazon-eks-managing-and-fixing-etcd-database-size-b6fb875888cb) \[updated] If you are seeing consistent creation of ephemeralreports, you can: 1. disable reporting for admission events, please see [this comment](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2167597580). 2. tune `--aggregationWorkers` to increase the capacity of consuming ephemeralreports, see [this comment](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2178088816). It can be configured directly via the [container flag](https://kyverno.io/docs/installation/customization/#container-flags), or through Helm [extraArgs](https://togithub.com/kyverno/kyverno/blob/e64df59df/charts/kyverno/values.yaml#L2237). 3. as a user of Argo CD, check whether something is causing [continuous reconcile operations](https://argo-cd.readthedocs.io/en/stable/operator-manual/reconcile/). 
#### π Fixed π - Added condition checking to notary attestation verify chainsaw test ([https://github.com/kyverno/kyverno/pull/10288](https://togithub.com/kyverno/kyverno/pull/10288)) - Fixed a CLI issue to apply namespace labels in the cluster mode ([https://github.com/kyverno/kyverno/pull/10348](https://togithub.com/kyverno/kyverno/pull/10348)) - Fixed a gloabl context look up issue to return the error properly ([https://github.com/kyverno/kyverno/pull/10398](https://togithub.com/kyverno/kyverno/pull/10398)) - Fixed logging verbosity got the background scanner ([https://github.com/kyverno/kyverno/pull/10404](https://togithub.com/kyverno/kyverno/pull/10404)) - Shutdown the controller properly when the context is canceled ([https://github.com/kyverno/kyverno/pull/10415](https://togithub.com/kyverno/kyverno/pull/10415)) - Fixed duplicate updaterequest creation for background policies ([https://github.com/kyverno/kyverno/pull/10431](https://togithub.com/kyverno/kyverno/pull/10431)) #### π§ Others π§ - Bumped chainsaw ([https://github.com/kyverno/kyverno/pull/10345](https://togithub.com/kyverno/kyverno/pull/10345)) - Added chainsaw test for controllers leader election ([https://github.com/kyverno/kyverno/pull/10416](https://togithub.com/kyverno/kyverno/pull/10416)) ### [`v1.12.3`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.3) [Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.12.2...v1.12.3) ### βImportant Notice β If you are running 1.12, please upgrade to [v1.12.4](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.4) to pick up the [fix](https://togithub.com/kyverno/kyverno/pull/10415) for the ephemeralreports piling-up issue. 
Check this post and understand how to recover from an ETCD outage: [Amazon EKS- managing and fixing ETCD database size](https://marcincuber.medium.com/amazon-eks-managing-and-fixing-etcd-database-size-b6fb875888cb) If you are seeing consistent creation of ephemeralreports, please track [this issue](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2167597580) to avoid creation of too many ephemeralreports. #### β¨ Added β¨ - Added support for background scanning of existing resource in image verification ([#10311](https://togithub.com/kyverno/kyverno/issues/10311)) - Added a cleanup cronjob to delete updaterequests ([#10326](https://togithub.com/kyverno/kyverno/issues/10326)) - Added cleanup cronjobs for (cluster)ephemeralreports ([#10334](https://togithub.com/kyverno/kyverno/issues/10334)) - Add aggregation workers flag to configure (cluster)ephemeralreports consumer ([#10343](https://togithub.com/kyverno/kyverno/issues/10343)) #### π§ Others π§ - Removed unused parameters ([#10329](https://togithub.com/kyverno/kyverno/issues/10329)) ### [`v1.12.2`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.2) [Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.12.1...v1.12.2) ### βImportant Notice β If you are running 1.12, please upgrade to [v1.12.4](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.4) to pick up the [fix](https://togithub.com/kyverno/kyverno/pull/10415) for the ephemeralreports piling-up issue. Check this post and understand how to recover from an ETCD outage: [Amazon EKS- managing and fixing ETCD database size](https://marcincuber.medium.com/amazon-eks-managing-and-fixing-etcd-database-size-b6fb875888cb) If you are seeing consistent creation of ephemeralreports, please track [this issue](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2167597580) to avoid creation of too many ephemeralreports. 
#### Added
- Added an option to allow kyverno apply command to continue on failure ([#10036](https://togithub.com/kyverno/kyverno/issues/10036))
##### Helm
- Added an option to configure webhook pod annotations ([#9875](https://togithub.com/kyverno/kyverno/issues/9875))
#### Fixed
- Fixed missing CONNECT operation in the webhook config for `pod/exec` subresource ([#9855](https://togithub.com/kyverno/kyverno/issues/9855))
- Fixed an issue to evaluate multiple `policyexceptions` regardless of condition failures ([#9994](https://togithub.com/kyverno/kyverno/issues/9994))
- Fixed the VAPs generation issues for `pods/ephemeralcontainers`, resourceNames field ([#10162](https://togithub.com/kyverno/kyverno/issues/10162), [#10187](https://togithub.com/kyverno/kyverno/issues/10187), [#10208](https://togithub.com/kyverno/kyverno/issues/10208))
- Fixed the mutate existing policies to be applied on matched resources only ([#10164](https://togithub.com/kyverno/kyverno/issues/10164))
- Fixed an issue to skip generating VAPs for policies that match multiple resources with a namespace/object selector ([#10181](https://togithub.com/kyverno/kyverno/issues/10181))
- Fixed a CLI issue when the level parameter of the apply and test commands does not work ([#10216](https://togithub.com/kyverno/kyverno/issues/10216))
- Fixed CVEs ([#10225](https://togithub.com/kyverno/kyverno/issues/10225))
- Fixed an issue when applying multiple validate rules produces the wrong result ([#10236](https://togithub.com/kyverno/kyverno/issues/10236))
- Fixed context canceled issue when creating reports ([#10245](https://togithub.com/kyverno/kyverno/issues/10245))
- Fixed an issue in `foreach` mutate policies with `Descending` order defined causing unexpected patches ([#10252](https://togithub.com/kyverno/kyverno/issues/10252))
- Fixed an event generation issue when the size exceeds the limit ([#10255](https://togithub.com/kyverno/kyverno/issues/10255))
- Fixed operation-based webhook configuration issue when there are multiple policies matching the same kind ([#10262](https://togithub.com/kyverno/kyverno/issues/10262))
- Fixed flaky VAPs tests ([#10263](https://togithub.com/kyverno/kyverno/issues/10263))
- Fixed a CLI issue when loading policies from the filesystem ([#10270](https://togithub.com/kyverno/kyverno/issues/10270))
- Fixed webhook configuration update loop ([#10274](https://togithub.com/kyverno/kyverno/issues/10274))
- Fixed an issue when a rule has both conditional and equality anchors defined ([#10117](https://togithub.com/kyverno/kyverno/issues/10117))
#### Others
- Made CLI results count public ([#10177](https://togithub.com/kyverno/kyverno/issues/10177))
- Added a new linter `prealloc` to enforce slice declarations best practice ([#10250](https://togithub.com/kyverno/kyverno/issues/10250))
### [`v1.12.1`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.1)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.12.0...v1.12.1)
### Important Notice
If you are running 1.12, please upgrade to [v1.12.4](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.4) to pick up the [fix](https://togithub.com/kyverno/kyverno/pull/10415) for the ephemeralreports piling-up issue.
See this post to understand how to recover from an ETCD outage: [Amazon EKS- managing and fixing ETCD database size](https://marcincuber.medium.com/amazon-eks-managing-and-fixing-etcd-database-size-b6fb875888cb)
If you are seeing consistent creation of ephemeralreports, please track [this issue](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2167597580) to avoid creation of too many ephemeralreports.
#### Fixed
- Fixed return status when `celPreconditions.matchConditions` aren't met ([#9940](https://togithub.com/kyverno/kyverno/issues/9940))
- Fixed the CLI to evaluate `namespaceObject` for Kyverno policies ([#9977](https://togithub.com/kyverno/kyverno/issues/9977), [#9978](https://togithub.com/kyverno/kyverno/issues/9978))
- Fixed concurrent policy applications ([#10139](https://togithub.com/kyverno/kyverno/issues/10139))
- Fixed endless updates of policy status ([#10140](https://togithub.com/kyverno/kyverno/issues/10140))
- Fixed empty operations in mutating webhook configuration for a policy with mixed types of rules ([#10146](https://togithub.com/kyverno/kyverno/issues/10146))
- Fixed endless policy reports reconciliation issue ([#10148](https://togithub.com/kyverno/kyverno/issues/10148))
- Fixed type conversion in jmespath context variables ([#10152](https://togithub.com/kyverno/kyverno/issues/10152))
#### Others
- Fixed tests for codegen ([#9942](https://togithub.com/kyverno/kyverno/issues/9942))
- Removed unused parameters, packages ([#10007](https://togithub.com/kyverno/kyverno/issues/10007), [#10101](https://togithub.com/kyverno/kyverno/issues/10101))
- Refactored VAPs registration in the API server ([#10014](https://togithub.com/kyverno/kyverno/issues/10014))
- Updated performance testing docs for 1.12 ([#10116](https://togithub.com/kyverno/kyverno/issues/10116))
### [`v1.12.0`](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.0)
[Compare Source](https://togithub.com/kyverno/kyverno/compare/v1.11.5...v1.12.0)
### 1.12 Release Notes
#### Important Notice
If you are running 1.12, please upgrade to [v1.12.4](https://togithub.com/kyverno/kyverno/releases/tag/v1.12.4) to pick up the [fix](https://togithub.com/kyverno/kyverno/pull/10415) for the ephemeralreports piling-up issue.
See this post to understand how to recover from an ETCD outage: [Amazon EKS- managing and fixing ETCD database size](https://marcincuber.medium.com/amazon-eks-managing-and-fixing-etcd-database-size-b6fb875888cb)
If you are seeing consistent creation of ephemeralreports, please track [this issue](https://togithub.com/kyverno/kyverno/issues/10308#issuecomment-2167597580) to avoid creation of too many ephemeralreports.
Several critical issues have been found in 1.12.0 and are being closely monitored within the [1.12.1 milestone](https://togithub.com/kyverno/kyverno/milestone/89). Please hold your upgrade to this release until 1.12.1 comes out.
#### Breaking (Potentially)
- Policies using long-deprecated or invalid operators in conditions (ex., `In` and `NotIn`) will be blocked. Please see the current list of available operators [here](https://kyverno.io/docs/writing-policies/preconditions/#operators) ([#8624](https://togithub.com/kyverno/kyverno/issues/8624))
#### Added
- Added a global cache via a new Custom Resource called GlobalContextEntry allowing caching of any resource ([#9591](https://togithub.com/kyverno/kyverno/issues/9591), [#9595](https://togithub.com/kyverno/kyverno/issues/9595), [#9601](https://togithub.com/kyverno/kyverno/issues/9601), [#9602](https://togithub.com/kyverno/kyverno/issues/9602), [#9614](https://togithub.com/kyverno/kyverno/issues/9614), [#9615](https://togithub.com/kyverno/kyverno/issues/9615), [#9618](https://togithub.com/kyverno/kyverno/issues/9618), [#9619](https://togithub.com/kyverno/kyverno/issues/9619), [#9620](https://togithub.com/kyverno/kyverno/issues/9620), [#9621](https://togithub.com/kyverno/kyverno/issues/9621), [#9643](https://togithub.com/kyverno/kyverno/issues/9643), [#9652](https://togithub.com/kyverno/kyverno/issues/9652), [#9678](https://togithub.com/kyverno/kyverno/issues/9678), [#9710](https://togithub.com/kyverno/kyverno/issues/9710), [#9813](https://togithub.com/kyverno/kyverno/issues/9813))
- Added the ability to configure the listening ports of webhooks for admission and cleanup controllers ([#7728](https://togithub.com/kyverno/kyverno/issues/7728))
- Several new and improved abilities to reduce the scope of webhooks based on policy configurations, including support for the CEL-based `matchConditions` available in Kubernetes 1.27+ ([#8065](https://togithub.com/kyverno/kyverno/issues/8065), [#8437](https://togithub.com/kyverno/kyverno/issues/8437), [#9483](https://togithub.com/kyverno/kyverno/issues/9483), [#9599](https://togithub.com/kyverno/kyverno/issues/9599))
- Added a new container flag `--protectManagedResources` to the cleanup controller ([#8566](https://togithub.com/kyverno/kyverno/issues/8566))
- Added a new container flag `--renewBefore` to the admission cleanup controllers to configure the cert renewal time ([#8567](https://togithub.com/kyverno/kyverno/issues/8567))
- Added a new container flag `--loggingtsFormat` which can be used to change the time format of logs ([#9276](https://togithub.com/kyverno/kyverno/issues/9276))
- Policy Exceptions now support conditions ([#8577](https://togithub.com/kyverno/kyverno/issues/8577))
- Policy Exceptions now support excluding specific controls when using a Pod Security sub-rule `validate.podSecurity` ([#9343](https://togithub.com/kyverno/kyverno/issues/9343), [#9817](https://togithub.com/kyverno/kyverno/issues/9817))
- Pod Security sub-rule (`validate.podSecurity`) has a new ability to exclude based on restricted fields (`exclude.restrictedField` and associated values) ([#8585](https://togithub.com/kyverno/kyverno/issues/8585), [#9770](https://togithub.com/kyverno/kyverno/issues/9770), [#9658](https://togithub.com/kyverno/kyverno/issues/9658))
- Added a new field to verifyImages rules called `skipImageReferences` allowing you to exclude certain images ([#8633](https://togithub.com/kyverno/kyverno/issues/8633))
- Added a new field to generate rules (data-type) called `orphanDownstreamOnPolicyDelete` which will preserve downstream resources when the policy/rule is deleted ([#9579](https://togithub.com/kyverno/kyverno/issues/9579))
- Added the ability to deploy specific controllers with CRDs following suit ([#8849](https://togithub.com/kyverno/kyverno/issues/8849), [#9608](https://togithub.com/kyverno/kyverno/issues/9608))
- Added the ability to apply custom labels to Kyverno's webhooks, helpful especially for Argo CD users ([#9015](https://togithub.com/kyverno/kyverno/issues/9015))
- Added support for more types of JSON patch operations like "move", "copy", and "test" ([#9476](https://togithub.com/kyverno/kyverno/issues/9476))
- Policy Reports can now be generated from ValidatingAdmissionPolicies and their bindings ([#9506](https://togithub.com/kyverno/kyverno/issues/9506))
- Created a new API group `reports.kyverno.io` for storing new ephemeral report kinds `EphemeralReports` and `ClusterEphemeralReports` ([#9521](https://togithub.com/kyverno/kyverno/issues/9521), [#9537](https://togithub.com/kyverno/kyverno/issues/9537))
- New `is_external_url()` JMESPath function to determine whether a given URL is an external URL ([#8614](https://togithub.com/kyverno/kyverno/issues/8614))
- New `sha256()` JMESPath function to convert a string of any length to a fixed hash value ([#9144](https://togithub.com/kyverno/kyverno/issues/9144))
- Kyverno CLI: Added a new `migrate` command which is used to migrate Kyverno resources to the current API version ([#9296](https://togithub.com/kyverno/kyverno/issues/9296))
- Kyverno CLI: Added a new (experimental) `json` command which incorporates the [Kyverno JSON subproject](https://togithub.com/kyverno/kyverno-json) into the main CLI allowing for testing of any JSON content ([#9639](https://togithub.com/kyverno/kyverno/issues/9639), [#9651](https://togithub.com/kyverno/kyverno/issues/9651))
- Kyverno CLI: The `test` command now supports the same [assertion trees](https://kyverno.io/blog/2023/12/13/kyverno-chainsaw-exploring-the-power-of-assertion-trees/) available in Chainsaw ([#9380](https://togithub.com/kyverno/kyverno/issues/9380))
- Kyverno CLI: The `apply` command now supports ValidatingAdmissionPolicyBindings ([#9468](https://togithub.com/kyverno/kyverno/issues/9468), [#9751](https://togithub.com/kyverno/kyverno/issues/9751), [#9759](https://togithub.com/kyverno/kyverno/issues/9759))
- Kyverno CLI: `apply` and `test` commands now support Policy Exceptions ([#9525](https://togithub.com/kyverno/kyverno/issues/9525), [#9624](https://togithub.com/kyverno/kyverno/issues/9624), [#9714](https://togithub.com/kyverno/kyverno/issues/9714), [#9749](https://togithub.com/kyverno/kyverno/issues/9749))
- Kyverno CLI: Added a `--resources` flag as an alias for the existing `--resource` flag ([#9749](https://togithub.com/kyverno/kyverno/issues/9749))
##### Helm
- Add chart parameters for setting `revisionHistoryLimit` ([#8907](https://togithub.com/kyverno/kyverno/issues/8907))
- Allow excluding resources from config.resourceFilters ([#8946](https://togithub.com/kyverno/kyverno/issues/8946))
- Allow defining ca-certificates bundle for Kyverno deployments ([#8969](https://togithub.com/kyverno/kyverno/issues/8969))
- Clean up Helm change logs ([#9057](https://togithub.com/kyverno/kyverno/issues/9057))
- Added ability to set extra environment variables globally ([#9269](https://togithub.com/kyverno/kyverno/issues/9269))
- Added the ability to enable performance profiling to the chart ([#9338](https://togithub.com/kyverno/kyverno/issues/9338))
- Added a global nodeSelector to the chart ([#9339](https://togithub.com/kyverno/kyverno/issues/9339))
- Allow adding Pod labels to cleanup jobs in the chart ([#9391](https://togithub.com/kyverno/kyverno/issues/9391))
- Added a CRD migration capability via hooks to the chart ([#9481](https://togithub.com/kyverno/kyverno/issues/9481), [#9657](https://togithub.com/kyverno/kyverno/issues/9657))
- Added the ability to define additional resources to be excluded via resourceFilters ([#9530](https://togithub.com/kyverno/kyverno/issues/9530))
- Added a small note for AKS users when the chart is installed ([#9552](https://togithub.com/kyverno/kyverno/issues/9552))
- Added the ability to configure backoff limits in jobs in the chart ([#9569](https://togithub.com/kyverno/kyverno/issues/9569))
- Added default exclusions in webhooks ([#9950](https://togithub.com/kyverno/kyverno/issues/9950))
#### Changed
- Allow setting admission controller replica count to 2 ([#8932](https://togithub.com/kyverno/kyverno/issues/8932))
- The `spec.schemaValidation` field is formally deprecated. As of 1.11 it has no effect. ([#9189](https://togithub.com/kyverno/kyverno/issues/9189))
- The `--reportsChunkSize` flag is deprecated and has no effect since aggregation has changed ([#9697](https://togithub.com/kyverno/kyverno/issues/9697))
- The `--imageSignatureRepository` flag is deprecated and has no effect, use the `verifyImages.Repository` field instead ([#9698](https://togithub.com/kyverno/kyverno/issues/9698))
- Policy Exceptions will now be evaluated against existing resources when the exception is created ([#8659](https://togithub.com/kyverno/kyverno/issues/8659), [#8713](https://togithub.com/kyverno/kyverno/issues/8713), [#8544](https://togithub.com/kyverno/kyverno/issues/8544))
- Policy Exceptions API graduated to v2 ([#9208](https://togithub.com/kyverno/kyverno/issues/9208), [#9412](https://togithub.com/kyverno/kyverno/issues/9412))
- Cleanup Policies API graduated to v2 ([#9261](https://togithub.com/kyverno/kyverno/issues/9261), [#9420](https://togithub.com/kyverno/kyverno/issues/9420))
- Admission and Background reports APIs graduated to v2 ([#9262](https://togithub.com/kyverno/kyverno/issues/9262))
- UpdateRequests API graduated to v2 ([#9267](https://togithub.com/kyverno/kyverno/issues/9267))
- Reduced some logged messages ([#9509](https://togithub.com/kyverno/kyverno/issues/9509), [#9626](https://togithub.com/kyverno/kyverno/issues/9626))
- Default logging time format is changed to RFC3339 ([#9775](https://togithub.com/kyverno/kyverno/issues/9775))
- Updated the internal Pod Security Standards up through 1.29 ([#9783](https://togithub.com/kyverno/kyverno/issues/9783))
- The `time_parse()` JMESPath filter now supports epoch time ([#9173](https://togithub.com/kyverno/kyverno/issues/9173))
- Kyverno will validate ValidatingAdmissionPolicies' CEL expressions and show a warning, or block, if invalid ([#9566](https://togithub.com/kyverno/kyverno/issues/9566))
- Kyverno CLI: The CLI will now perform field defaulting in policies being tested, moving it out of experimental status ([#9220](https://togithub.com/kyverno/kyverno/issues/9220))
##### Helm
- Chart will now omit policy applied and skipped events by default ([#9493](https://togithub.com/kyverno/kyverno/issues/9493))
- Allow configuring the policy kind in kyverno-policies chart ([#8827](https://togithub.com/kyverno/kyverno/issues/8827))
- Refined permissions by removing wildcards ([#9507](https://togithub.com/kyverno/kyverno/issues/9507), [#9516](https://togithub.com/kyverno/kyverno/issues/9516))
- Rename the Grafana dashboard file from `dashboard.json` to `kyverno-dashboard.json` ([#9041](https://togithub.com/kyverno/kyverno/issues/9041))
#### Performance
- Initialize JMESPath interpreter once and reuse it across searches ([#8299](https://togithub.com/kyverno/kyverno/issues/8299))
- Optimize JSON context processing using in-memory maps ([#8322](https://togithub.com/kyverno/kyverno/issues/8322))
- Optimize how Events are created and processed ([#9323](https://togithub.com/kyverno/kyverno/issues/9323), [#9324](https://togithub.com/kyverno/kyverno/issues/9324))
- Optimize validate policy application by adding a worker pool ([#10056](https://togithub.com/kyverno/kyverno/issues/10056))
#### Fixed
- Fixed handling of escaped variables in an expression with multiple escaped variables ([#8311](https://togithub.com/kyverno/kyverno/issues/8311))
- Fixed an issue when verifying attestations using multiple keys ([#8880](https://togithub.com/kyverno/kyverno/issues/8880))
- Fixed an issue causing application of mutation policies to fail even when `failurePolicy` was set to `Ignore` ([#8952](https://togithub.com/kyverno/kyverno/issues/8952))
- Fixed an issue that allowed violating resources when a policy had validationFailureAction set to `Enforce` and `failurePolicy` of Ignore ([#8953](https://togithub.com/kyverno/kyverno/issues/8953))
- Fixed an issue causing premature skipping of resources in validate policies with anchors defined ([#9155](https://togithub.com/kyverno/kyverno/issues/9155))
- Fixed an issue where the `-v` container flag for logging was not honored ([#9163](https://togithub.com/kyverno/kyverno/issues/9163))
- Switched a logged error to info when preconditions didn't pass in a mutate existing rule ([#9232](https://togithub.com/kyverno/kyverno/issues/9232))
- Reports aggregation fixes and improvements ([#9697](https://togithub.com/kyverno/kyverno/issues/9697))
- Fixed an issue preventing generation of a ValidatingAdmissionPolicy when `exclude` was used in the rule ([#9331](https://togithub.com/kyverno/kyverno/issues/9331))
- Fixed an issue resulting in ValidatingAdmissionPolicies getting generated when there was a Policy Exception in place ([#9386](https://togithub.com/kyverno/kyverno/issues/9386))
- Fixed an issue where a ValidatingAdmissionPolicy was applied to the wrong resource in background scans ([#9468](https://togithub.com/kyverno/kyverno/issues/9468))
- Fixed an issue when generating Events associated with ValidatingAdmissionPolicies ([#9392](https://togithub.com/kyverno/kyverno/issues/9392))
- Fixed an issue with UpdateRequests getting stuck in a perpetual Pending state when using variables from admission ([#9355](https://togithub.com/kyverno/kyverno/issues/9355))
- Fixed an issue preventing validating image signatures on AWS with a FIPS endpoint from working ([#9416](https://togithub.com/kyverno/kyverno/issues/9416))
- Fixed an issue preventing variables from being substituted in messages when using `anyPattern` validate rules ([#9713](https://togithub.com/kyverno/kyverno/issues/9713))
- Fixed an issue where skipped policies due to preconditions were returned in denial response messages ([#9719](https://togithub.com/kyverno/kyverno/issues/9719))
- Removed an unnecessary podSecurity check ([#9790](https://togithub.com/kyverno/kyverno/issues/9790))
- Fixed an issue when verifying images from an insecure registry ([#9838](https://togithub.com/kyverno/kyverno/issues/9838))
- Fixed an issue with some validate rules and the UPDATE operation ([#9893](https://togithub.com/kyverno/kyverno/issues/9893))
- Kyverno CLI: Fixed an issue doing a test with an UPDATE operation ([#9191](https://togithub.com/kyverno/kyverno/issues/9191))
- Kyverno CLI: Fixed applying `cloneList` generate policies with `apply` command ([#9036](https://togithub.com/kyverno/kyverno/issues/9036))
- Kyverno CLI: Fixed a logging error ([#9238](https://togithub.com/kyverno/kyverno/issues/9238))
- Kyverno CLI: Testing of generate rules which use the `useServerSideApply` field now works properly ([#9385](https://togithub.com/kyverno/kyverno/issues/9385))
- Kyverno CLI: Fixed an issue causing the `apply` command to panic when applying a mutate existing rule ([#9492](https://togithub.com/kyverno/kyverno/issues/9492))
- Kyverno CLI: Fixed an issue with the `apply` command where some errors weren't shown ([#9533](https://togithub.com/kyverno/kyverno/issues/9533))
- Kyverno CLI: Fixed an issue with the `apply` command where a `foreach` with zero elements was a `skip` ([#9534](https://togithub.com/kyverno/kyverno/issues/9534), [#9543](https://togithub.com/kyverno/kyverno/issues/9543))
- Kyverno CLI: Fixed a regression where the `--warn-exit-code` stopped working ([#9828](https://togithub.com/kyverno/kyverno/issues/9828))
- Fixed cosign ctlog unit tests ([#9971](https://togithub.com/kyverno/kyverno/issues/9971))
- Fixed deferred loader panic when mutate and generate policies are applied ([#9968](https://togithub.com/kyverno/kyverno/issues/9968))
- Fixed an autogen issue where now Kyverno only generates rule for request kind ([#9997](https://togithub.com/kyverno/kyverno/issues/9997))
- Fixed the issue where the mutex is not added to mock policy context builder ([#10059](https://togithub.com/kyverno/kyverno/issues/10059))
- Fixed policy status reconciliation when it fails to set policy to ready ([#10047](https://togithub.com/kyverno/kyverno/issues/10047))
- Fixed the container flag `maxQueuedEvents` ([#10031](https://togithub.com/kyverno/kyverno/issues/10031))
- Fixed an issue where rekor opts are missing in cosign certificate verification and make rekor url optional ([#10025](https://togithub.com/kyverno/kyverno/issues/10025))
##### Helm
- Fixed an issue deploying ServiceMonitor CR with ArgoCD via the chart ([#8913](https://togithub.com/kyverno/kyverno/issues/8913))
- Fixed an issue preventing multiple replicas from being defined in the chart ([#9066](https://togithub.com/kyverno/kyverno/issues/9066))
- Make role and binding names consistent ([#9482](https://togithub.com/kyverno/kyverno/issues/9482))
- Fixed some minor issues with the Helm report cleanup jobs ([#9555](https://togithub.com/kyverno/kyverno/issues/9555))
- Fixed a typo in the Kyverno chart README ([#8911](https://togithub.com/kyverno/kyverno/issues/8911))

All PRs:
[#10013](https://togithub.com/kyverno/kyverno/issues/10013) chore: bump chainsaw to v0.1.9 [#10025](https://togithub.com/kyverno/kyverno/issues/10025) fix: add rekor opts to cosign certificate verification and make rekor url optional [#10039](https://togithub.com/kyverno/kyverno/issues/10039) chore: bump cosign to v2.2.4 [#10031](https://togithub.com/kyverno/kyverno/issues/10031) fix: re-use the maxQueuedEvents [#10047](https://togithub.com/kyverno/kyverno/issues/10047) fix: policy status reconciliation [#10056](https://togithub.com/kyverno/kyverno/issues/10056) feat(audit): use a worker pool for Audit policies [#10059](https://togithub.com/kyverno/kyverno/issues/10059) fix: add mutex to mock policy context builder [#9989](https://togithub.com/kyverno/kyverno/issues/9989) chore: bump kyverno-json to latest [#9997](https://togithub.com/kyverno/kyverno/issues/9997) fix(autogen): only generate rule for request kind [#9950](https://togithub.com/kyverno/kyverno/issues/9950) feat: set default exclusions in webhooks [#9968](https://togithub.com/kyverno/kyverno/issues/9968) fix: deferred loader panic when mutate and generate policies are applied [#9971](https://togithub.com/kyverno/kyverno/issues/9971) fix: cosign ctlog unit tests [#9903](https://togithub.com/kyverno/kyverno/issues/9903) fix(globalcontext): panics and validation [#9893](https://togithub.com/kyverno/kyverno/issues/9893) fix: properly update policy context after preexisting resource in violation check [#9849](https://togithub.com/kyverno/kyverno/issues/9849) fix: release CRDs manifests [#9845](https://togithub.com/kyverno/kyverno/issues/9845) fix: add missing unit tests for podSecurity.hostpathVolume check [#9838](https://togithub.com/kyverno/kyverno/issues/9838) fix: use gcr crane opts while fetching image descriptors [#9835](https://togithub.com/kyverno/kyverno/issues/9835) fix: remove duplicate chainsaw tests for PSA [#9828](https://togithub.com/kyverno/kyverno/issues/9828) \[Bug] \[CLI] Restore 
warn-exit-code functionality for apply command [#9817](https://togithub.com/kyverno/kyverno/issues/9817) fix: add podSecurity validation checks for exceptions [#9813](https://togithub.com/kyverno/kyverno/issues/9813) fix(globalcontext): old WaitGroup not stopping [#9791](https://togithub.com/kyverno/kyverno/issues/9791) fix: remove unnecessary podSecurity chainsaw test [#9790](https://togithub.com/kyverno/kyverno/issues/9790) fix: remove unnecessary validation check for podSecurity rule [#9783](https://togithub.com/kyverno/kyverno/issues/9783) update versions [#9781](https://togithub.com/kyverno/kyverno/issues/9781) chore: add tests for exceptions in the CLI [#9775](https://togithub.com/kyverno/kyverno/issues/9775) chore: default logging format to rfc3339 [#9770](https://togithub.com/kyverno/kyverno/issues/9770) fix: add validation check for podSecurity subrule [#9763](https://togithub.com/kyverno/kyverno/issues/9763) chore: bump chainsaw [#9759](https://togithub.com/kyverno/kyverno/issues/9759) feat: support bindings in Kyvenro CLI test command [#9751](https://togithub.com/kyverno/kyverno/issues/9751) feat: apply VAP bindings in CLI apply command in offline mode [#9749](https://togithub.com/kyverno/kyverno/issues/9749) add plural form aliases for resources and exceptions flags [#9719](https://togithub.com/kyverno/kyverno/issues/9719) fix: Policies skipped because of preconditions not met should not be included in admission requests denial responses [#9714](https://togithub.com/kyverno/kyverno/issues/9714) fix: add the support of v2alpha1 exceptions in the CLI [#9713](https://togithub.com/kyverno/kyverno/issues/9713) Fix :variables are not getting processed in validation message for "anyPattern" [#9710](https://togithub.com/kyverno/kyverno/issues/9710) feat: enhance global context [#9709](https://togithub.com/kyverno/kyverno/issues/9709) chore: bump otel deps [#9698](https://togithub.com/kyverno/kyverno/issues/9698) fix: remove deprecated imageSignatureRepository 
flag [#9697](https://togithub.com/kyverno/kyverno/issues/9697) fix: reports aggregation [#9691](https://togithub.com/kyverno/kyverno/issues/9691) fix: modify the conformance config name [#9690](https://togithub.com/kyverno/kyverno/issues/9690) chore: rename admission to ephemeral in reports aggregation controller [#9682](https://togithub.com/kyverno/kyverno/issues/9682) chore(deps): bump kyverno/action-install-chainsaw from 0.1.2 to 0.1.3 [#9680](https://togithub.com/kyverno/kyverno/issues/9680) chore: bump kind and k8s images [#9679](https://togithub.com/kyverno/kyverno/issues/9679) fix: don't delete garbage collected policy reports [#9678](https://togithub.com/kyverno/kyverno/issues/9678) feat(validation-webhook): validate global context reference [#9677](https://togithub.com/kyverno/kyverno/issues/9677) feat: remove admission report controller [#9672](https://togithub.com/kyverno/kyverno/issues/9672) feat: add chainsaw tests for exceptions [#9667](https://togithub.com/kyverno/kyverno/issues/9667) feat: add chainsaw tests for pod security in exceptions [#9661](https://togithub.com/kyverno/kyverno/issues/9661) test(globalcontext): add e2e tests [#9658](https://togithub.com/kyverno/kyverno/issues/9658) \[Bug] Fix message and formatting of podSecurity validation failure with restrictedField [#9657](https://togithub.com/kyverno/kyverno/issues/9657) fix: add missing migrations [#9652](https://togithub.com/kyverno/kyverno/issues/9652) chore(globalcontext): remove global context flag [#9651](https://togithub.com/kyverno/kyverno/issues/9651) feat: add scan command for generic resources [#9645](https://togithub.com/kyverno/kyverno/issues/9645) feat: add chainsaw test for policy webhook based configuration [#9643](https://togithub.com/kyverno/kyverno/issues/9643) fix: global context validation [#9639](https://togithub.com/kyverno/kyverno/issues/9639) feat: add root command to process generic json resources [#9630](https://togithub.com/kyverno/kyverno/issues/9630) chore: 
remove renovate config [#9628](https://togithub.com/kyverno/kyverno/issues/9628) feat: add chainsaw tests for global context crd validation [#9626](https://togithub.com/kyverno/kyverno/issues/9626) changed the log level in match policy context [#9624](https://togithub.com/kyverno/kyverno/issues/9624) support -e shorthand letter with --exception flag [#9621](https://togithub.com/kyverno/kyverno/issues/9621) fix: global context crd improvements [#9620](https://togithub.com/kyverno/kyverno/issues/9620) feat: consider maxAPICallResponseLength [#9619](https://togithub.com/kyverno/kyverno/issues/9619) feat: add global context entry validation webhook [#9618](https://togithub.com/kyverno/kyverno/issues/9618) chore: move global context package out of engine [#9616](https://togithub.com/kyverno/kyverno/issues/9616) feat: use the check block for checking CLI output in chainsaw tests [#9615](https://togithub.com/kyverno/kyverno/issues/9615) feat: update refreshInterval in globalcontext CRD to use a duration [#9614](https://togithub.com/kyverno/kyverno/issues/9614) feat: add global context support in helm chart [#9609](https://togithub.com/kyverno/kyverno/issues/9609) make exception in cli exportable [#9608](https://togithub.com/kyverno/kyverno/issues/9608) sanity check in parent chart for crd-controller mismatch [#9606](https://togithub.com/kyverno/kyverno/issues/9606) chore: enable chainsaw fail fast [#9602](https://togithub.com/kyverno/kyverno/issues/9602) feat: add globalcontext loader and interface [#9601](https://togithub.com/kyverno/kyverno/issues/9601) feat: add globalcontext controller [#9600](https://togithub.com/kyverno/kyverno/issues/9600) chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.2 to 2.2.3 [#9599](https://togithub.com/kyverno/kyverno/issues/9599) feat: apply `.matchConditions` when generating reports [#9598](https://togithub.com/kyverno/kyverno/issues/9598) fix: client codegen not deleting old files 
[#9597](https://togithub.com/kyverno/kyverno/issues/9597) fix: codecov missing token [#9596](https://togithub.com/kyverno/kyverno/issues/9596) fix: make ApplyCommandConfig public again [#9595](https://togithub.com/kyverno/kyverno/issues/9595) feat: add global context crd to codegen [#9592](https://togithub.com/kyverno/kyverno/issues/9592) fix: codecov args [#9591](https://togithub.com/kyverno/kyverno/issues/9591) feat: add global context crd [#9585](https://togithub.com/kyverno/kyverno/issues/9585) fix: update cli docs [#9583](https://togithub.com/kyverno/kyverno/issues/9583) test: added test for pkg/utils/policy/marshal.go [#9579](https://togithub.com/kyverno/kyverno/issues/9579) feat (generate): add `orphanDownstreamOnPolicyDelete` to preserve downstream on policy deletion [#9574](https://togithub.com/kyverno/kyverno/issues/9574) fix: nancy ignore [#9573](https://togithub.com/kyverno/kyverno/issues/9573) chore: small nits in cli test command [#9572](https://togithub.com/kyverno/kyverno/issues/9572) fix: omit events flag [#9570](https://togithub.com/kyverno/kyverno/issues/9570) chore: remove reports aggregation per namespace [#9569](https://togithub.com/kyverno/kyverno/issues/9569) configured backoff limit in chart cronjobs [#9566](https://togithub.com/kyverno/kyverno/issues/9566) feat: Support CEL expression warnings [#9561](https://togithub.com/kyverno/kyverno/issues/9561) chore: add chainsaw tests for policy based webhook configuration [#9555](https://togithub.com/kyverno/kyverno/issues/9555) fix: helm chart jobs [#9554](https://togithub.com/kyverno/kyverno/issues/9554) fix: nancy ignore [#9553](https://togithub.com/kyverno/kyverno/issues/9553) fix: make alternate reports storage transparent [#9552](https://togithub.com/kyverno/kyverno/issues/9552) Add Helm note for AKS users [#9546](https://togithub.com/kyverno/kyverno/issues/9546) feat: add openapi-gen to policyreports [#9543](https://togithub.com/kyverno/kyverno/issues/9543) fix: follow up for 
[#9534](https://togithub.com/kyverno/kyverno/issues/9534) [#9542](https://togithub.com/kyverno/kyverno/issues/9542) fix: CRDs codegen [#9540](https://togithub.com/kyverno/kyverno/issues/9540) chore: bump a couple of deps [#9539](https://togithub.com/kyverno/kyverno/issues/9539) chore: remove reference to kuttl [#9538](https://togithub.com/kyverno/kyverno/issues/9538) test: added test for pkg/utils/admission/metadata.go [#9537](https://togithub.com/kyverno/kyverno/issues/9537) refactor: use single type for ephemeral reports [#9535](https://togithub.com/kyverno/kyverno/issues/9535) chore: configure gh workflows schemas [#9534](https://togithub.com/kyverno/kyverno/issues/9534) fix: show skip when foreach with zero elements [#9533](https://togithub.com/kyverno/kyverno/issues/9533) Fix: not showing error during policy validation error [#9531](https://togithub.com/kyverno/kyverno/issues/9531) fix: move new reports api to top level folder [#9530](https://togithub.com/kyverno/kyverno/issues/9530) [#9529](https://togithub.com/kyverno/kyverno/issues/9529) Support adding extra elements to the default resourceFilters list [#9525](https://togithub.com/kyverno/kyverno/issues/9525) Support PolicyExceptions with CLI [#9521](https://togithub.com/kyverno/kyverno/issues/9521) feat: add a new API group `reports.kyverno.io` [#9520](https://togithub.com/kyverno/kyverno/issues/9520) test: added test for pkg/utils/admission/policy.go [#9516](https://togithub.com/kyverno/kyverno/issues/9516) Move admission controller hardcoded wildcard permissions to new opt-out value [#9515](https://togithub.com/kyverno/kyverno/issues/9515) ci: add load testing workflow [#9509](https://togithub.com/kyverno/kyverno/issues/9509) fix: reduce logs in controllers when an item is not found [#9507](https://togithub.com/kyverno/kyverno/issues/9507) feat: add more granular rbac rules to remove wildcards [#9506](https://togithub.com/kyverno/kyverno/issues/9506) feat: support vap bindings in reports 
- [#9495](https://togithub.com/kyverno/kyverno/issues/9495) test: added test for pkg/utils/admission/exception.go
- [#9493](https://togithub.com/kyverno/kyverno/issues/9493) chore(helm): omit normal events by default
- [#9492](https://togithub.com/kyverno/kyverno/issues/9492) fix: kyverno apply panic for mutate policies
- [#9487](https://togithub.com/kyverno/kyverno/issues/9487) chore: bump a couple of deps
- [#9486](https://togithub.com/kyverno/kyverno/issues/9486) test: added test for pkg/utils/admission/cleanup.go
- [#9483](https://togithub.com/kyverno/kyverno/issues/9483) feat: configure admission webhooks per policy
- [#9482](https://togithub.com/kyverno/kyverno/issues/9482) fix: align clusterroles and bindings names
- [#9481](https://togithub.com/kyverno/kyverno/issues/9481) feat: improve crd migration helm hooks
- [#9476](https://togithub.com/kyverno/kyverno/issues/9476) feat: support all valid jsonpatches in validation webhook
- [#9469](https://togithub.com/kyverno/kyverno/issues/9469) chore(contrib): add Khaled Emara as contributor
- [#9468](https://togithub.com/kyverno/kyverno/issues/9468) feat: support validatingadmissionpolicybindings in CLI apply command
- [#9467](https://togithub.com/kyverno/kyverno/issues/9467) update README for new features and OSS security index card
- [#9465](https://togithub.com/kyverno/kyverno/issues/9465) chore: load cli image when deploying locally
- [#9464](https://togithub.com/kyverno/kyverno/issues/9464) Update DEVELOPMENT.md
- [#9463](https://togithub.com/kyverno/kyverno/issues/9463) fix: change generic policy to not return any
- [#9461](https://togithub.com/kyverno/kyverno/issues/9461) Update CONTRIBUTORS.md
- [#9459](https://togithub.com/kyverno/kyverno/issues/9459) added tests for validate foreach with 0 elements
- [#9442](https://togithub.com/kyverno/kyverno/issues/9442) chore: bump otel deps
- [#9440](https://togithub.com/kyverno/kyverno/issues/9440) chore: bump a couple of deps
- [#9433](https://togithub.com/kyverno/kyverno/issues/9433) chore: use upstream cosign on main
- [#9428](https://togithub.com/kyverno/kyverno/issues/9428) fix: nancy ignore list
- [#9427](https://togithub.com/kyverno/kyverno/issues/9427) chore: bump json-patch
- [#9426](https://togithub.com/kyverno/kyverno/issues/9426) chore: bump a couple of deps
- [#9420](https://togithub.com/kyverno/kyverno/issues/9420) feat: migrate existing cleanup policies to the new storage version in helm hook
- [#9416](https://togithub.com/kyverno/kyverno/issues/9416) feat: use awslabs keychain for AWS and gcr keychain for GCP
- [#9412](https://togithub.com/kyverno/kyverno/issues/9412) feat: migrate existing policy exceptions to the new storage version in helm hook
- [#9408](https://togithub.com/kyverno/kyverno/issues/9408) chore: bump bitnami/kubectl
- [#9395](https://togithub.com/kyverno/kyverno/issues/9395) \[Feature] Security Improvements based on CLOMonitor Checks
- [#9392](https://togithub.com/kyverno/kyverno/issues/9392) fix: use the correct API version for VAPs in the generated events
- [#9391](https://togithub.com/kyverno/kyverno/issues/9391) feat: add podLabels to the hook jobs pod template
- [#9389](https://togithub.com/kyverno/kyverno/issues/9389) fix PSA chainsaw tests
- [#9386](https://togithub.com/kyverno/kyverno/issues/9386) feat: skip generating VAP when an exception is defined
- [#9385](https://togithub.com/kyverno/kyverno/issues/9385) fix: Allow generate cli tests to work with server-side apply policies
- [#9380](https://togithub.com/kyverno/kyverno/issues/9380) feat: use assertion trees in cli test command
- [#9362](https://togithub.com/kyverno/kyverno/issues/9362) chore(deps): bump golang.org/x/crypto from 0.17.0 to 0.18.0
- [#9360](https://togithub.com/kyverno/kyverno/issues/9360) chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7
- [#9355](https://togithub.com/kyverno/kyverno/issues/9355) fix: clean up URs if the trigger doesn't exist
- [#9348](https://togithub.com/kyverno/kyverno/issues/9348) Fix report-on-vulnerabilities
- [#9343](https://togithub.com/kyverno/kyverno/issues/9343) feat: support podSecurity exclusion in exceptions
- [#9341](https://togithub.com/kyverno/kyverno/issues/9341) fix PSA chainsaw tests
- [#9339](https://togithub.com/kyverno/kyverno/issues/9339) Add global nodeSelector
- [#9338](https://togithub.com/kyverno/kyverno/issues/9338) feat: add profiling to the helm Chart
- [#9332](https://togithub.com/kyverno/kyverno/issues/9332) fix a chainsaw test
- [#9331](https://togithub.com/kyverno/kyverno/issues/9331) fix: remove the check of exclude in VAPs
- [#9326](https://togithub.com/kyverno/kyverno/issues/9326) chore(deps): bump kubectl-validate version
- [#9324](https://togithub.com/kyverno/kyverno/issues/9324) feat: use custom events watcher
- [#9323](https://togithub.com/kyverno/kyverno/issues/9323) feat: add new client for events
- [#9296](https://togithub.com/kyverno/kyverno/issues/9296) feat: add resource migration command
- [#9279](https://togithub.com/kyverno/kyverno/issues/9279) fix: remove policy informer from vap controller
- [#9276](https://togithub.com/kyverno/kyverno/issues/9276) Feat: Human readable timestamps in logs
- [#9270](https://togithub.com/kyverno/kyverno/issues/9270) feat: stop serving v2alpha1 cleanup policies
- [#9269](https://togithub.com/kyverno/kyverno/issues/9269) Support setting global extraEnvVars
- [#9267](https://togithub.com/kyverno/kyverno/issues/9267) chore: introduce v2 for updaterequests
- [#9262](https://togithub.com/kyverno/kyverno/issues/9262) chore: introduce v2 for internal reports resources
- [#9261](https://togithub.com/kyverno/kyverno/issues/9261) feat: add cleanup policies v2
- [#9260](https://togithub.com/kyverno/kyverno/issues/9260) chore: bump a couple of deps
- [#9255](https://togithub.com/kyverno/kyverno/issues/9255) refactor: mutate checks
- [#9254](https://togithub.com/kyverno/kyverno/issues/9254) fix: set v2beta1 of exceptions the storage version
- [#9240](https://togithub.com/kyverno/kyverno/issues/9240) fix: remove unused file in a test
- [#9238](https://togithub.com/kyverno/kyverno/issues/9238) move error message to log
- [#9236](https://togithub.com/kyverno/kyverno/issues/9236) refactor: events controller
- [#9232](https://togithub.com/kyverno/kyverno/issues/9232) Fixed error log
- [#9220](https://togithub.com/kyverno/kyverno/issues/9220) feat: enable kubectl-validate by default in cli
- [#9218](https://togithub.com/kyverno/kyverno/issues/9218) chore: add k8s 1.29 in custom-sigstore test
- [#9213](https://togithub.com/kyverno/kyverno/issues/9213) chore: add missing context unit test
- [#9212](https://togithub.com/kyverno/kyverno/issues/9212) (docs) changed docs tool to kubernetes-sigs/reference-docs
- [#9211](https://togithub.com/kyverno/kyverno/issues/9211) chore: remove v2alpha1 version of policy exceptions
- [#9208](https://togithub.com/kyverno/kyverno/issues/9208) feat: promote policy exceptions to v2
- [#9200](https://togithub.com/kyverno/kyverno/issues/9200) refactor: make CLI store non static
- [#9198](https://togithub.com/kyverno/kyverno/issues/9198) chore: bump a couple of deps
- [#9192](https://togithub.com/kyverno/kyverno/issues/9192) chore: add cli update test
- [#9191](https://togithub.com/kyverno/kyverno/issues/9191) fix: deep copy resource in cli when operation is update
- [#9189](https://togithub.com/kyverno/kyverno/issues/9189) fix: deprecate spec.schemaValidation
- [#9187](https://togithub.com/kyverno/kyverno/issues/9187) chore: fix conformance tests
- [#9180](https://togithub.com/kyverno/kyverno/issues/9180) Minor fix
- [#9179](https://togithub.com/kyverno/kyverno/issues/9179) chore: use sigstore/cosign 2.2.2 on main
- [#9175](https://togithub.com/kyverno/kyverno/issues/9175) fix: updates make codegen-deepcopy back to make codegen-deepcopy-all flag back to api deep copy function generatio...
- [#9173](https://togithub.com/kyverno/kyverno/issues/9173) feat(jmespath):time_parse() support epoch time
- [#9165](https://togithub.com/kyverno/kyverno/issues/9165) chore: move a mutateExisting chainsaw test under its directory
- [#9163](https://togithub.com/kyverno/kyverno/issues/9163) fix: set logger level
- [#9161](https://togithub.com/kyverno/kyverno/issues/9161) chore: add 1.29 to all test grids and remove 1.25
- [#9158](https://togithub.com/kyverno/kyverno/issues/9158) chore: add 1.29 to the test grid
- [#9155](https://togithub.com/kyverno/kyverno/issues/9155) fix: validate pattern premature skip
- [#9148](https://togithub.com/kyverno/kyverno/issues/9148) fix: chainsaw test
- [#9144](https://togithub.com/kyverno/kyverno/issues/9144) support for SHA256 jmespath function
- [#9143](https://togithub.com/kyverno/kyverno/issues/9143) chore: use new chainsaw github action
- [#9140](https://togithub.com/kyverno/kyverno/issues/9140) chore: bump chainsaw
- [#9130](https://togithub.com/kyverno/kyverno/issues/9130) chore: add myself to the maintainers list
- [#9125](https://togithub.com/kyverno/kyverno/issues/9125) feat: add myself (vishal-chdhry) to maintainers list
- [#9124](https://togithub.com/kyverno/kyverno/issues/9124) support for Add Variable unit test
- [#9120](https://togithub.com/kyverno/kyverno/issues/9120) chore: bump chainsaw
- [#9114](https://togithub.com/kyverno/kyverno/issues/9114) chore: bump chainsaw
- [#9113](https://togithub.com/kyverno/kyverno/issues/9113) chore: convert chainsaw tests to Test resource
- [#9109](https://togithub.com/kyverno/kyverno/issues/9109) chore: convert chainsaw tests to Test resource
- [#9108](https://togithub.com/kyverno/kyverno/issues/9108) chore: update PR template to require documentation PR
- [#9103](https://togithub.com/kyverno/kyverno/issues/9103) chore: improve cluster startup in conformance tests
- [#9100](https://togithub.com/kyverno/kyverno/issues/9100) chore: convert chainsaw tests to Test resource
- [#9099](https://togithub.com/kyverno/kyverno/issues/9099) chore: convert chainsaw tests to Test resource
- [#9098](https://togithub.com/kyverno/kyverno/issues/9098) chore: improve ci perf
- [#9094](https://togithub.com/kyverno/kyverno/issues/9094) chore: convert chainsaw tests to Test resource
- [#9093](https://togithub.com/kyverno/kyverno/issues/9093) chore: install kind from binaries
- [#9092](https://togithub.com/kyverno/kyverno/issues/9092) chore: remove kuttl from makefile
- [#9088](https://togithub.com/kyverno/kyverno/issues/9088) fix: nancy ignore
- [#9087](https://togithub.com/kyverno/kyverno/issues/9087) chore: convert chainsaw tests to Test resource
- [#9086](https://togithub.com/kyverno/kyverno/issues/9086) chore: improve conformance tests ci perf
- [#9085](https://togithub.com/kyverno/kyverno/issues/9085) fix: conformance tests
- [#9071](https://togithub.com/kyverno/kyverno/issues/9071) chore: bump chainsaw
- [#9066](https://togithub.com/kyverno/kyverno/issues/9066) Fix Helm chart to not error when replicas defined
- [#9064](https://togithub.com/kyverno/kyverno/issues/9064) chore: bump chainsaw
- [#9057](https://togithub.com/kyverno/kyverno/issues/9057) Update helm docs
- [#9052](https://togithub.com/kyverno/kyverno/issues/9052) chore: use Kubernetes 1.28 by default
- [#9046](https://togithub.com/kyverno/kyverno/issues/9046) Use nancy on actually included dependencies
- [#9045](https://togithub.com/kyverno/kyverno/issues/9045) chore: add 1.10.4-6 & 1.11.1 to github issue templates
- [#9041](https://togithub.com/kyverno/kyverno/issues/9041) fix(helm): Rename dashboard.json to kyverno-dashboard.json
- [#9038](https://togithub.com/kyverno/kyverno/issues/9038) chore: bump chainsaw
- [#9036](https://togithub.com/kyverno/kyverno/issues/9036) fix: Provide kind list hints to the fake dynamic client.
- [#9028](https://togithub.com/kyverno/kyverno/issues/9028) chore: fix chainsaw tests cleanup timeout
- [#9023](https://togithub.com/kyverno/kyverno/issues/9023) chore: remove kuttl tests folder
- [#9018](https://togithub.com/kyverno/kyverno/issues/9018) chore: replace more kuttl tests by chainsaw
- [#9017](https://togithub.com/kyverno/kyverno/issues/9017) chore: replace more kuttl tests by chainsaw
- [#9016](https://togithub.com/kyverno/kyverno/issues/9016) chore: replace standard kuttl tests by chainsaw ones
- [#9015](https://togithub.com/kyverno/kyverno/issues/9015) feat: webhook labels
- [#9013](https://togithub.com/kyverno/kyverno/issues/9013) chore: fix chainsaw exec timeout issue
- [#9012](https://togithub.com/kyverno/kyverno/issues/9012) chore: enable all chainsaw tests
- [#9011](https://togithub.com/kyverno/kyverno/issues/9011) chore: all chainsaw tests
- [#9008](https://togithub.com/kyverno/kyverno/issues/9008) fix: extend chains