Policies using long-deprecated or invalid operators in conditions (e.g., In and NotIn) will be blocked. Please see the current list of available operators here (#8624)
Added the ability to configure the listening ports of webhooks for admission and cleanup controllers (#7728)
Several new and improved abilities to reduce the scope of webhooks based on policy configurations, including support for the CEL-based matchConditions available in Kubernetes 1.27+ (#8065, #8437, #9483, #9599)
Added a new container flag --protectManagedResources to the cleanup controller (#8566)
Added a new container flag --renewBefore to the admission cleanup controllers to configure the cert renewal time (#8567)
Added a new container flag --loggingtsFormat which can be used to change the time format of logs (#9276)
Policy Exceptions now support excluding specific controls when using a Pod Security sub-rule validate.podSecurity (#9343, #9817)
Pod Security sub-rule (validate.podSecurity) has a new ability to exclude based on restricted fields (exclude.restrictedField and associated values) (#8585, #9770, #9658)
Added a new field to verifyImages rules called skipImageReferences allowing you to exclude certain images (#8633)
Added a new field to generate rules (data-type) called orphanDownstreamOnPolicyDelete which will preserve downstream resources when the policy/rule is deleted (#9579)
Added the ability to deploy specific controllers with CRDs following suit (#8849, #9608)
Added the ability to apply custom labels to Kyverno's webhooks, helpful especially for Argo CD users (#9015)
Added support for more types of JSON patch operations like "move", "copy", and "test" (#9476)
Policy Reports can now be generated from ValidatingAdmissionPolicies and their bindings (#9506)
Created a new API group reports.kyverno.io for storing new ephemeral report kinds EphemeralReports and ClusterEphemeralReports (#9521, #9537)
New is_external_url() JMESPath function to determine whether a given URL is an external URL (#8614)
New sha256() JMESPath function to convert a string of any length to a fixed hash value (#9144)
Kyverno CLI: Added a new migrate command which is used to migrate Kyverno resources to the current API version (#9296)
Kyverno CLI: Added a new (experimental) json command which incorporates the Kyverno JSON subproject into the main CLI allowing for testing of any JSON content (#9639, #9651)
Kyverno CLI: The test command now supports the same assertion trees available in Chainsaw (#9380)
Kyverno CLI: The apply command now supports ValidatingAdmissionPolicyBindings (#9468, #9751, #9759)
Kyverno CLI: apply and test commands now support Policy Exceptions (#9525, #9624, #9714, #9749)
Kyverno CLI: Added a --resources flag as an alias for the existing --resource flag (#9749)
Helm
Add chart parameters for setting revisionHistoryLimit (#8907)
Allow excluding resources from config.resourceFilters (#8946)
Allow defining ca-certificates bundle for Kyverno deployments (#8969)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/kyverno/kyverno from 1.12.0-alpha.1 to 1.12.0.
Release notes
Sourced from github.com/kyverno/kyverno's releases.
... (truncated)
Commits
- `111b052` release v1.12.0 (#10082)
- `0f1d3c5` release v1.12.0-rc.5 (#10060)
- `5915865` fix(cherry-pick #10057): add mutex to mock policy context builder (#10059)
- `0c0753b` feat(audit): use a worker pool for Audit policies (#10048) (#10056)
- `f00dcef` fix: policy status reconciliation (#10032) (#10047)
- `6c71685` fix: re-use the maxQueuedEvents (#10024) (#10031)
- `f8c058c` chore: bump cosign to v2.2.4 (#10039)
- `1f5245e` fix: add rekor opts to cosign certificate verification and make rekor url opt...
- `4d20c91` chore: bump chainsaw to 0.1.9 (#10013)
- `50f0829` release v1.12.0-rc.4 (#9999)