v1.11.0
Kyverno 1.11.0 is another huge release which brings many new capabilities and significant enhancements to existing ones. The main features of Kyverno 1.11.0 include:
- ValidatingAdmissionPolicy support (alpha)
- Write validate rules using CEL
- Generate VAPs from compatible Kyverno validate rules when authored in CEL
- Generate Policy Reports from VAPs
- Test VAPs using the Kyverno CLI
- Policy Reports now per-resource rather than per policy
- Updates to Cosign and Notary including OCI 1.1 support and Cosign 2.0 support
- Cleanup resources using a special Kyverno label
- Major CLI refactoring and new test schema
Other new releases in the Kyverno organization:
- A GitHub Action to ease the installation of the Kyverno CLI
- Chainsaw, a new end-to-end declarative testing tool for any Kubernetes software
- Kyverno for JSON, a tool for using Kyverno policies against any type of JSON
As with all significant releases, PLEASE READ THESE RELEASE NOTES CAREFULLY!
Breaking (Potentially)
- Policy Reports are now created on a per-resource basis and using a UID as the name rather than the previous behavior of per-policy. This may be a breaking change if you relied upon either of these attributes in previous versions. This change has the benefit of putting less pressure on the Kubernetes API server and less storage cost on etcd.
- In accordance with Cosign 2.0 updates, the Rekor URL is now required in a policy. The `url` field may be empty (`""`) but must be specified even if you've opted not to store signatures in a Rekor instance. Users upgrading from Kyverno v1.10 to v1.11 who have image verification policies using Cosign will have to explicitly disable Tlog and SCT verification in their policy using the `rekor.ignoreTlogs` and `ctlog.ignoreSCT` fields if they did not use Rekor while signing the image.
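As an added illustration (it is not taken from the release notes or from the Kyverno project's own examples), the following ClusterPolicy shows the shape a key-based Cosign policy takes after the upgrade when the image was signed without uploading to Rekor: `rekor` is present with an empty `url`, transparency-log verification is disabled with `rekor.ignoreTlogs`, and SCT verification with `ctlog.ignoreSCT`. The policy name, image reference and public key are placeholders.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signature   # placeholder name
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"   # placeholder image reference
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder: replace with the PEM-encoded Cosign public key
                    # that pairs with the private key used at signing time.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <cosign public key>
                      -----END PUBLIC KEY-----
                    # Cosign 2.0: the rekor block must be present. The url may be
                    # empty when no Rekor instance was used, but then tlog lookups
                    # must be skipped explicitly or verification fails.
                    rekor:
                      url: ""
                      ignoreTlogs: true
                    # Signing without Rekor also yields no SCT, so skip SCT checks.
                    ctlog:
                      ignoreSCT: true
```

If the signatures were uploaded to the public Sigstore instance instead, set `url: https://rekor.sigstore.dev` and leave both ignore flags unset so that the inclusion proof and SCT are verified; disabling them is only appropriate when you accept that the signature cannot be checked against a transparency log.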
Added
- Context variables are now supported in cleanup policies (#6084)
- Introduced ability to cleanup resources based upon assignment of a new reserved label `cleanup.kyverno.io/ttl` (#7821, #8096, #8128, #8660)
- ValidatingAdmissionPolicies (VAP) can now be tested in the Kyverno CLI in both `test` and `apply` commands (#6656)
- ValidatingAdmissionPolicies can be generated/managed by Kyverno when a compatible `validate.cel` rule is created (#7840, #8219)
- Generate Policy Reports for VAPs (#8135)
- Kyverno validate rules can now be written using CEL expressions, including auto-gen support (#7859, #8024, #8071, #8084, #8098, #8099, #8196)
- Added a new field in a policy at `spec.admission` which, when set to `false`, allows policies to work in background-only mode (#6666)
- Added a new field under verifyImages rules called `imageRegistryCredentials` which allows flexible, easier configuration of credentials for image registries, including defining the required credential helpers (#7114)
- Added new caching of image signature verifications (#7890, #7969)
- New `lookup()` JMESPath filter (#7136)
- New `round()` JMESPath filter (#7489)
- Support for Cosign 2.0 (#7248, #8521)
- Added an auth checker interface from Kyverno Playground (#7323)
- Added a check for digest mismatch in verifyImages rules (#8443)
- Added new ability to more finely control configuration of metrics (#8569)
- Added an `--aggregateReports` flag to the reports controller to enable/disable aggregated reports (#7475)
- Events are now created in the `events.k8s.io/v1` API group and version (#7673)
- Generate rules now support using server-side apply via the field `spec.useServerSideApply` (#7705)
- Added CLI API schema for the `test` command (#8422, #8438, #8439, see also Changed below)
- Added new `create` commands to the Kyverno CLI used to easily create the various resources needed for testing (#7778, #7779, #7780, #7781, #7782, #8160)
- Added new Kyverno CLI `docs` command to generate CLI documentation (#8179, #8180, #8181, #8191, #8193, #8200, #8259)
- Added Kyverno CLI experimental `fix` command (#8213, #8404)
- Added support for wildcards in the CLI `test` command (#8216)
- Kyverno CLI now has experimental validation of policies being tested (#8384, #8406, #8410)
- Added ability to test supported ValidatingAdmissionPolicies (VAP) variables in both Kyverno CLI `test` and `apply` commands (#8182)
- Kyverno is now tested against and uses libraries from Kubernetes version 1.28 (#8036, #8037)
- Kyverno now supports configuring `matchConditions` in webhooks (Kubernetes 1.27+) (#8042)
- Wildcards now work in subject statements in `match`/`exclude` (#8068)
- Added variables support for Kyverno `validate.cel` policies (#8103, #8113)
- Added CTLog verification to Cosign (#8130, #8166)
- New metric of type Meter is added for the TTL cleanup manager with attributes `resource_group`, `resource_version`, and `resource_resource` (#8134)
- Added ability to configure TUF when using a custom Sigstore implementation (#8385)
- Added ability to disable TUF when used in air-gapped environments (#8509)
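To make the CEL-related items above concrete, here is an added example of a `validate.cel` rule (it is not from the release notes or the Kyverno project's own samples) that uses a CEL variable, also new in this release, and rejects Pods mounting `hostPath` volumes. The policy and rule names are placeholders. A rule of this form is the kind of rule the notes describe as compatible with ValidatingAdmissionPolicy generation when the VAP API is registered in the cluster.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-path   # placeholder name
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: host-path        # placeholder rule name
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        cel:
          variables:
            # A CEL variable is evaluated once per request and referenced as
            # variables.<name>. Guarding with has() avoids a runtime error when
            # spec.volumes is absent, which would otherwise fail the request.
            - name: volumes
              expression: "has(object.spec.volumes) ? object.spec.volumes : []"
          expressions:
            # all() over the guarded list is true for Pods with no volumes and
            # false as soon as any volume declares a hostPath.
            - expression: "variables.volumes.all(v, !has(v.hostPath))"
              message: "hostPath volumes are not allowed."
```

Because `object` is the admission object, the same expression serves both admission and the CLI `apply`/`test` commands described elsewhere in these notes; nothing in the rule depends on a live cluster.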
Helm
- Added API priority and fairness resources to the Kyverno chart (`FlowSchema` and `PriorityLevelConfiguration`) (#7468)
- Added ability to set security contexts for the webhook cleanup Pod (#7970)
- Added a Helm secret size check to CI to detect if the current chart size exceeds the Helm secret size limit (#8195)
- Allow resourceNames on extraResources for the cleanup controller (#8307)
- Added a global image registry value (#8625)
Changed
- Policy Exceptions and Cleanup Policies graduated from alpha API to beta (#8594, #8609, #8621, #8378, #8587)
- Policy Exceptions are now enabled by default (#8545)
- Policy Reports are changed to be generated per-resource rather than per-policy, and intermediary aggregated reports are expunged immediately (#8426)
- Schema validation will no longer be done on patterns (including internal validation for mutate rules), obviating the need for `spec.schemaValidation`. We will deprecate and remove this field in a future version (#8538)
- Cleanup policies no longer use CronJobs to invoke the cleanup action. This is all handled internally now (#8526, #8529, #8531)
- Kyverno CLI `test` command has been refactored and includes a formal test manifest schema (#8422, #6871, #6942, #7995, #8145, #8163, #8168, #8177, #8189, #8212, #8387, and more)
- Kyverno CLI `apply` command now has a nice tabular output format (#7757)
- Kyverno CLI `apply` now shows failure messages when a result fails (#7758)
- Kyverno CLI `--compact` flag has been renamed to `--detailed-results` (#7937)
- Kyverno CLI: the `--set` flag can be used to set a variable for multiple input resources rather than just one (#7984)
- Kyverno CLI: certain more "internal" flags will no longer be hidden (#8077)
- Refactored JSON patches to use structure instead of byte arrays (#7186)
- Deprecated the `--imageSignatureRepository` container flag. Use `verifyImages.repository` in a policy definition instead (#7391)
- Replaced the internal package used to apply JSON patches. This resulted in some fixes and slight behavioral changes (#7401, #7452)
- The `policies.kyverno.io/last-applied-patches` annotation upon successful mutation has been removed (#7438)
- RBAC has been hardened for a couple of controllers to better follow least privilege (#7626, #7634, #7638, #8083)
- The `images` variable (`{{ images }}`) can be used correctly in a policy (#7787)
- Use new custom keychains from the Flux package, preventing some timeouts (#7908)
- Allow overriding CA and TLS secret names which store the Kyverno certificates (#8137)
- Replaced CLI `manifest` commands by the `create` command (#8165)
- Kyverno CLI `test` command has been extended to support multiple paths (#8247)
- The remainder of `match`/`exclude` will be skipped if the `operations[]` do not match (#8324)
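The refactored `test` command reads a manifest in the new CLI API schema. The following is an added example of such a manifest (not taken from the release notes or the Kyverno repository); it assumes a `policy.yaml` in the same directory defining a ClusterPolicy named `disallow-host-path` with a rule `host-path`, and a `resources.yaml` containing two Pods, `good-pod` without volumes and `bad-pod` mounting a `hostPath` volume. All of those names are assumptions for the example.

```yaml
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: disallow-host-path-tests   # placeholder name
# Assumed input files, relative to this manifest.
policies:
  - policy.yaml        # assumed: ClusterPolicy disallow-host-path, rule host-path
resources:
  - resources.yaml     # assumed: Pods good-pod (no volumes) and bad-pod (hostPath volume)
# Each result pins one policy/rule to specific resources and the expected outcome,
# so a rule that silently stops matching shows up as a failed test rather than a pass.
results:
  - policy: disallow-host-path
    rule: host-path
    kind: Pod
    resources:
      - good-pod
    result: pass
  - policy: disallow-host-path
    rule: host-path
    kind: Pod
    resources:
      - bad-pod
    result: fail
```

Run it from the directory holding the three files with `kyverno test .`; with the new `--detailed-results` flag mentioned above, the command also prints the per-resource messages behind each pass or fail.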
Helm
- The Grafana dashboard has been moved to its own subchart in an effort to reduce the size of the main Kyverno chart (#8619)
- Kyverno CRDs have been moved to a subchart for the same reason (#8623)
- Updated the Chart metadata so the minimum version is correctly aligned with that of Kyverno itself (#8708)
Fixed
- Abort pattern validation earlier when processing can occur (#7307)
- Fixed an issue when testing for mutations using `foreach` (#7396)
- Fixed not validating that subject kinds were on the allowed list (#7582)
- Fixed a panic when certain environment variables weren't passed to the controllers (#7613)
- Fixed the missing severity type when generating a policy report (#7974)
- Fixed adding server name into TLS certs when running Kyverno with the `--serverIP` flag (#8053)
- Fixed an issue which prevented mutation of policy report resources (#8080)
- Fixed a crash when using an unquoted `null` (#8081)
- Fixed indefinite retries for the mutateExisting rule by applying the retry limit (#8100)
- Fixed nil-dereferences by adding mocks to unit tests (#8102)
- Fixed TLS cert renewal when the CA cert is deleted (#8114)
- Fixed a nil dereference in validate.podSecurity subrules (#8271)
- Fixed an issue where generating an empty kind would be allowed (#8332)
- Fixed/improved some logs (#8442, #8673)
- Fixed a couple of issues impacting generate rules when a trigger or clone source resource name exceeded 63 characters (#8466)
- Fixed an issue where Kyverno would modify reports it didn't own (#8502)
- Fixed an image cache panic issue (#8512)
- Fixed an issue preventing creation of ClusterAdmissionReports if the resource had a colon in the name (#8530)
- Kyverno CLI: fixed the `--fail-only` flag in the `test` command so it now exits properly upon failed tests (#7717)
- Kyverno CLI: fixed logging failure (#8110)
- Kyverno CLI: fixed `test` command to behave correctly when the mutated resource differs from the expected patched resource (#8183)
- Kyverno CLI: fixed `test` command behavior when there are multiple tests written for a generate policy (#8197)
- Kyverno CLI: fixed `apply` command so it now correctly parses both git and non-git paths when used together (#7885)
- Kyverno CLI: fixed issue with container ordering causing incorrect results (#7943)
- Kyverno CLI: fixed issue with duplicate result count (#7945)
- Kyverno CLI: fixed an issue with splitting of variables when names included a dot (#7981, #8377)
- Kyverno CLI: fixed an issue so setting CLI log level to `0` properly disables all logs (#8335)
- Kyverno CLI: fixed an issue preventing auto-gen rules from getting variables (#8337)
- Kyverno CLI: fixed an issue which prevented parsing of variables unless a context was present (#8339)
- Kyverno CLI: fixed an issue which resulted in all tests failing with multiple generate rules, clone type (#8341)
- Kyverno CLI: fixed an issue which resulted in ignoring of namespace in the resources file (#8348)
- Kyverno CLI: fixed an issue where tests would fail to load resources depending on the order (#8349)
- Kyverno CLI: fixed an issue where the namespace in the test manifest would have no effect in an exclude (#8354)
- Kyverno CLI: fixed an issue where testing a verifyImages rule with two or more imageReferences produced inconsistent results (#8357)
- Kyverno CLI: fixed an issue where the `apply` command produced false positives if the resource had a field like `annotations:` with no map (#8358)
- Kyverno CLI: fixed an issue where `request.operation` is not considered by `match`/`exclude` with `operations[]` (#8361)
- Kyverno CLI: fixed an issue where the `test` command used the wrong patchedResource due to ordering (#8362)
- Kyverno CLI: fixed an issue where the `test` command was applying previous mutations to subsequent cases (#8363)
- Kyverno CLI: fixed an issue where the `test` command was not able to test for generation of a custom resource (#8373)
- Kyverno CLI: fixed an issue where the `test` command had an incorrect result when testing a mutate rule using a strategic merge patch under a `foreach` declaration (#8375)
- Kyverno CLI: fixed the ability to provide user info in test cases (#8429)
- Fixed some queries in the Grafana dashboard (#8751)
Helm
- Fixed the Helm pre-delete hook so now it only scales Kyverno's deployments specifically (#8381)
- Fixed an issue preventing non-integer values in a replicas field (#8539)
- Fixed the missing policyexceptions resource in RBAC for background controller (#8648)
- Fixed missing imagePullPolicy in controllers (#8067)
- Added values for declaratively enabling PDBs (#8652)
- Fixed the permissions to secrets in the background controller RBAC (#8690, #8721)
All PRs
#8855 chore: bump cosign version to v2.2.1
#8819 Revert "fix: add VAP and VAPB to reports controller ClusterRole"
#8809 chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.0
#8793 chore: upgrade docker/docker to v24.0.7
#8786 Changes to correctly run delete operation in kyverno11beta4
#8785 fix: rename vap logging name to ValidatingAdmissionPolicy
#8784 fix: display helm warnings together
#8783 fix: generate events for scanning VAPs in reports controller
#8779 feat: update verify images types with better descriptions
#8778 fix: print the number of VAPs being applied to the resources in test command
#8777 fix: add VAP and VAPB to reports controller ClusterRole
#8776 fix: display a message when the controller has no permissions for VAPs
#8770 feat: update descriptions of image verify cache flags
#8768 add VAP and VAPB to admission controller ClusterRole
#8752 Revert "feat: add secrets name in background-controller's role"
#8751 fix: grafana dashboard to support replicas
#8748 feat: disable validate maintainer for helm gha (cherry pick: #8747)
#8747 feat: disable validate maintainer for helm gha
#8744 fix: fetch correct branch name in helm-release workflow
#8737 fix: revert maintainers in helm charts
#8736 fix: replace base_ref with ref_name in helm test GHA (Cherry Pick #8735)
#8735 fix: replace base_ref with ref_name in helm test GHA
#8732 fix: dynamically get branch name in helm test
#8721 feat: add secrets name in background-controller's role
#8708 [Helm] AdmissionReport cleanup job tag bump
#8707 fix: use correct k8s version in custom sigstore tuf kuttl test
#8692 fix: add codegen-cli-crds target to codegen-crds-all
#8690 fix: add permissions to secrets for background controller role
#8688 feat: fix outdated description of imageregistrycredentials
#8681 fix: allow cleanup controller to update the policy status
#8679 chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.59.0
#8673 remove duplicated log messages
#8666 fix typo
#8660 feat: add support for days in ttl labels
#8652 fix(helm): add values for declaratively enabling PDBs
#8648 fix(helm): add missing policyexceptions RBAC to background-controller
#8637 deps: bump to Go 1.21.3
#8626 chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0
#8625 feat: Implement global values for image registry in Kyverno Helm chart
#8623 feat: move crds to a subchart
#8621 chore: bump cleanup policies to v2beta1
#8619 feat: move grafana dashboard to a subchart
#8609 Revert "chore: bump cleanup policies to v2beta1"
#8594 chore: bump cleanup policies to v2beta1
#8587 fix: use v2beta1 of policy exceptions
#8569 fix: allow dropping metrics, labels and configuring histogram bucket boundaries to avoid high cardinality
#8565 refactor: use GetKind() from the cleanup policy interface
#8564 feat: generate events for CEL policies that generate VAPs
#8555 Refactor fuzzing utils and add 3 fuzzers
#8549 release: v1.11.0-beta.4
#8548 chore: bump kubectl-validate
#8545 chore: enable policy exceptions by default
#8542 fix: make tuf feature in chart consistent with others
#8539 fix(helm): skip deployment replicas validation in non-int value
#8538 refactor: remove openapi package
#8531 refactor: get the last execution time from the cleanup policy interface
#8530 fix: creating ClusterAdmissionReports fails for resources with colon in name
#8529 fix: remove cronjobs from cleanup controller rbac
#8527 release: v1.11.0-beta.3
#8526 feat: remove the creation of cronjobs in cleanup controller
#8521 fix: only fetch pub keys when tlogs and scts are not ignored
#8517 release: 1.11.0-beta.2
#8512 fix: image cache panic and cleanup
#8509 fix: disables TUF by default
#8508 feat: add cli package to load policy exceptions
#8502 fix: make sure we don't modify reports not owned by kyverno
#8501 fix: return gvk when loading resource
#8499 feat: add resource load funcs in cli
#8494 refactor: common remote authenticator for notary and cosign
#8493 fix: webhookTimeout flag not clear
#8489 feat: improve assertion and error messages in ivcache tests
#8488 feat: add cli resource loader package
#8484 feat: add a package to convert unstructured into typed
#8483 fix: deep copy before validating
#8482 chore: fix release
#8478 fix: make free disk space action configurable
#8476 release: fix chart versions for 1.11.0-beta.1
#8475 fix: release archive name template
#8473 fix: publish images workflow
#8471 fix: release workflow
#8470 refactor: check subjects func
#8468 chore: free disk space before running jobs
#8466 fix: generate policy fails if triggered resource name exceeds 63 characters limit
#8464 chore: add a required job to simplify branch protection
#8462 fix: image verify cache test
#8459 fix: custom-sigstore conformance job
#8458 fix: use vap map in report aggregation
#8454 fix: linter
#8453 chore: bump a couple of deps
#8452 fix: use go 1.21 new packages
#8450 chore: bump golang to 1.21
#8449 chore: fix policies
#8444 style: improve descriptions in notary verifier
#8443 feat: add check for digest mismatch
#8442 chore: improve log messages
#8439 chore: embed cli schemas in cli
#8438 feat: fix variables used in tests
#8436 feat: add a new wrapper logger for debugging
#8430 fix: add missing omitempty tag
#8429 feat: fix user infos used in tests
#8428 Check payload counts and limits for image verification data returned from registries
#8427 chore: apply policy fixes
#8426 refactor: add per resource reports aggregation
#8425 chore: apply policy fixes
#8423 chore: apply policy fixes
#8422 feat: add cli api schemas
#8420 feat: detect duplicate resources in cli fix test
#8419 refactor: move per namespace reports aggregator in a sub package
#8418 chore: fix cli test files
#8411 fix: names not formatted correctly in cli output
#8410 chore: bump kubectl-validate
#8408 fix: bump golang exp lib
#8407 chore: add workflow to test cli with kubectl-validate enabled
#8406 chore: use upstream kubectl-validate
#8404 feat: fix policy command
#8403 fix: load policies
#8400 refactor: add cli fix package
#8399 fix typo
#8398 fix: cli output improvements
#8397 fix: cli test manifests
#8396 chore: bump kuttl version
#8389 fix: replace fmt.Print calls by fmt.Fprint ones
#8388 chore: lint test files
#8387 feat: CLI test command should validate the policy under test
#8386 fix: cli test policy
#8385 feat: add support for custom sigstore using TUF
#8384 feat: use kubectl-validate to load policies
#8381 fix: helm pre-delete-hook
#8379 refactor: move cli path utils package
#8378 chore: move policy exceptions to beta
#8377 fix: Kyverno variable substitution might not work correctly if the top level variable key contains dots
#8376 fix generate VAPs kuttl tests
#8375 fix: Result not correct when testing a mutate rule and foreach with add anchor
#8374 chore: kuttl tests enhancement
#8373 fix: Testing a generate rule for a custom resource fails
#8367 refactor: cli commands tests and error handling
#8366 chore: add cli commands unit tests
#8365 chore: add cli unit tests
#8364 [Fix]: Wrong Field in the test
#8363 fix: kyverno test are applying previous mutation rules to subsequent test cases causing failures
#8362 fix: kyverno test wrongly finds 'patchedResource mismatch' due to wrong order in array
#8361 fix: Overridden request.operation is not considered by match/exclude with operations
#8360 refactor: cli proper error handling
#8358 fix: Kyverno apply produces false positives when validating 'empty dangling" tags
#8357 fix: verifyImages w/ multiple entries is not consistent
#8356 fix: ignore generating backgroundscan reports for Kyverno policies in case VAPs are generated
#8354 fix: namespace in kyverno-test.yaml seems to have no effect in case of exclude
#8352 refactor: simplify cli processor
#8350 chore: add gofiber/fiber/v2@v2.43.0 to nancy ignore
#8349 fix: Kyverno test fails to load resources
#8348 fix: kyverno test ignores namespace of resources in resource.yaml
#8345 chore: add --compress to cli test files verification
#8343 feat: compress test results in cli fix test command
#8342 chore: validate test files are up to date
#8341 fix: all tests fail when using multiple results with generate-clone
#8339 fix: Kyverno test ignores variables.yaml file unless context is present
#8338 chore: switch back to official policies repo
#8337 fix: Auto-gen rules can not get variables from test input values
#8336 chore: improve cli version command and add tests
#8335 fix: disable cli logs when level is 0
#8333 fix: TODOs in cli
#8332 fix: generate empty kind
#8329 chore: bump kuttl version
#8327 fix: cli engine invocation order
#8326 chore: add cli unit tests
#8325 fix: simplify cli autogen and labels selector check
#8324 skip other checks if operations do not match
#8319 fix: vap processor in cli
#8318 feat: update condition in image verify cache tests
#8316 fix: cache invalidation in FindResources
#8310 chore: add validationAction in kuttl tests
#8308 fix: add matchConditions and variables when generating VAPs
#8307 feature(charts): resourceNames on extraResources for cleanup-controller
#8305 fix: allow any type in cli test global values
#8304 chore: improve unit tests in cli
#8301 chore: improve unit tests in cli
#8300 chore: improve unit tests in cli
#8296 chore: improve unit tests in cli
#8295 refactor: move utils report cli package
#8294 chore: remove validating admission policy support from v1.26
#8293 refactor: move utils store package
#8292 feat: add kuttl tests for validating admission policy reports
#8291 refactor: move utils cobra to command package
#8287 fix: add generate VAPs test suite to v1.28
#8286 feat: update ivcache Set() to use Wait()
#8285 refactor: introduce cli variables package
#8281 refactor: introduce cli processor package
#8280 fix: cli dependency to controller-runtime logger
#8279 refactor: cli policy package
#8276 refactor: combine unstructured and resource packages
#8275 refactor: introduce api package in cli
#8274 refactor: remove dependency from validation to cli
#8272 refactor: introduce userinfo package in the cli
#8271 [Bug] Fix nil-dereference in pss validation
#8269 fix: Remove os.exit calls in apply command
#8267 fix: cli exit cleanly
#8266 refactor: cli test command test execution
#8259 docs: improve cli commands docs
#8258 fix: bad test file causes all tests to pass with success
#8257 refactor: cli packages structure
#8256 refactor: introduce resource package in cli
#8255 refactor: add a cobra utils package to build commands doc
#8254 refactor: cli packages structure
#8253 [Fix] flakes in e2e tests
#8251 fix: return engine responses without checking TestResult.rule since it is empty in case of VAPs
#8250 fix: add cli test from #6463
#8249 chore: add cli test utils unit tests
#8248 fix test flake: update assertion in image verify cache test
#8247 feat: add multiple paths support to cli test command
#8244 refactor: cli test loading
#8243 chore: add more cli utils unit tests
#8234 fix: return error in LoadMatching
#8233 chore: add gh action to the cli readme
#8232 chore: improve test coverage of cli utils package
#8231 refactor: move all cli commands in a commands package
#8227 chore: name all cli command files the same
#8226 refactor: introduce source package in cli
#8224 refactor: CLI oci commands
#8223 chore: add cli readme
#8222 refactor: introduce experimental cli package
#8219 fix: check if VAPs are registered in the API server or not
#8218 fix: remove unused struct in cli
#8216 feat: add support for wildcard in CLI filters
#8215 fix: revert rekor upgrade
#8213 feat: add fix test cli command
#8212 refactor: cli test command
#8211 fix: logger calls
#8210 chore: build cli only once for conformance tests
#8209 chore: fix vscode launch.json for cli
#8203 refactor: introduce report utils package and use it in cli apply
#8201 refactor: introduce cli annotations utils package
#8200 feat: add experimental commands docs
#8199 chore: add a couple unit tests
#8197 fix: multiple test cases for generate policy lead to wrong test results
#8196 fix flakes found in CEL kuttl tests
#8195 chore: monitor helm secret size
#8193 fix: verification of cli docs breaks CI (for real)
#8192 fix: propagate registration and error in controllerutils pkg
#8191 fix: verification of cli docs breaks CI
#8189 fix: kyverno test generated resource inconsistency
#8188 fix: mutation unit test not working as expected
#8187 chore: increase setup-build-env timeout
#8186 feat: remove description from deprecated fields
#8183 fix: kyverno test doesn't fail when mutated YAML != patchedResource YAML
#8182 feat: support validating admission policy variables in the CLI
#8181 fix: website docs generation
#8180 chore: improve verification of generated docs
#8179 feat: add cli docs command
#8177 refactor: refactor cli filters and add unit tests
#8175 chore: merge go.mod indirect deps
#8169 fix: use controller utils package in ttl controller
#8168 feat: allow kyverno test variables directly in test
#8167 chore: add cli path utils unit tests
#8166 feat: migrate ignoreSCT from rekor to ctlog
#8165 fix: remove cli manifest commands
#8164 chore: create cli pathutils package
#8163 fix: support fully-qualified file paths in cli test command
#8161 chore: bump kuttl to use stopOnFirstFailure feature
#8160 fix: add description to CLI create command
#8159 feat: bump otel libs
#8157 refactor: remove logger from tls package
#8156 fix cel/parameter-resources/clusterscoped kuttl test
#8155 fix: check caSecretName and tlsSecretName flags
#8154 chore: enable admissionregistration v1alpha1 in kind config
#8153 chore: add a timeout to setup-build-env action
#8145 fix: validate the YAML test file syntactically and schematically
#8143 fix: build cli in conformance tests
#8142 chore: remove old comment from helm chart
#8139 chore: add kind config file for v1beta1 of validating admission policies
#8138 fix: vscode debug config
#8137 feat: allow overriding ca and tls secret names
#8136 chore: add .helmignore to .helmignore
#8135 feat: generate backgroundscan reports for validating admission policies
#8134 feat: add ttl manager metric for tracked resources
#8132 fix: nancy ignore file
#8131 [update] The nancy-ignore file is not updated
#8130 feat: add CTLogs verification to cosign
#8129 fix: update certmanager and config to take common name and namespace as arguments
#8128 [Feat]: Perform permissions check when TTL label is observed
#8127 fix: misleading warning about matching on status
#8126 chore: bump kustomize
#8125 chore: bump a couple of deps
#8116 fix: cli tests scenarios_to_cli/other
#8115 fix: conditions v2beta1 help
#8114 fix: renew tls cert when ca cert is deleted
#8113 fix: cel-variables kuttl test
#8110 fix: cli logs not working
#8109 fix: reduce tls package dependencies (part 2)
#8108 refactor: create cel package for compiling expressions
#8107 fix: reduce tls package dependencies
#8106 chore: add otel collector to dev lab
#8105 chore: add kind config with kubelet and apiserver tracing
#8104 fix: context propagation in tracing
#8103 feat: support variables for CEL in Kyverno policies
#8102 chore: add mocks to mutate fuzzer
#8100 fix: extend retry function to mutate rules
#8099 fix: check if client is set in CEL validations
#8098 refactor CEL validation in Kyverno policies
#8096 [Feat]: added ttl-metrics
#8090 chore: improve performance of engine fuzzers
#8088 fix: mutate existing kuttl tests
#8087 fix: generate/clusterpolicy kuttl tests
#8085 fix: generate/validation kuttl tests
#8084 feat: support namespaced parameter resources for CEL expressions in Kyverno policies
#8083 refactor: background controller permissions
#8082 chore: replace usage of v1beta1 with v1alpha1 for cel subrule
#8081 fix: crash when applying unquoted null
#8080 fix: allow mutation of policy reports
#8079 chore: add support for different kind config
#8077 fix: stop hiding flags in the cli
#8075 chore: replace usage of v1alpha1 with v1beta1 for cel subrule
#8072 feat: use kyverno/action-install-cli action for conformance workflow
#8071 feat: support namespaceObject variable in CEL expressions
#8068 feat: support wildcard in subjects statements
#8067 fix: image pull policy missing
#8066 chore: bump a couple of deps
#8064 chore: bump a couple of deps
#8057 test: move OSS-Fuzz build script from cncf-fuzzing
#8056 chore: use fuzzers own cfg variable
#8055 Migrated scenario based tests to CLI
#8054 chore: bump a couple of deps
#8053 fix: server name without port to generated certificate
#8052 chore: use k8s 1.27 by default
#8043 chore: remove tests for k8s v1.24
#8042 feat: add match conditions support in webhooks
#8040 fix: image logger
#8039 chore: add 1.28 to issue template
#8038 chore: bump codegen tools
#8037 feat: use k8s 1.28 libs
#8036 chore: add k8s 1.28 testing
#8027 feat: add fuzzers from cncf-fuzzing
#8024 feat: support authorizer variable in CEL expressions
#8016 Add an abstraction interface for Kyverno policies and validating admission policies
#7995 Refactor Kyverno CLI
#7988 fix, enhancement
#7984 Remove length restriction in --set
#7981 fix: Fixed issue with AddVariable that prevented certain variables
#7974 fix: Add Missing Severity Cases in SeverityFromString Function
#7972 test: add tests for isAnyNotIn function and lazy evaluate it
#7970 feat(chart) Allow podSecurityContext and securityContext for webhooksCleanup
#7969 added verify image ristretto cache implementation
#7966 fix: ttl manager stop informer on error
#7965 test: add test to cleanup the same resource twice
#7964 fix: ttl cleanup controller events processing
#7963 chore: fix cleanup controller debug in vscode
#7960 refactor: ttl label validation
#7958 chore: move ttl formats to constants
#7957 chore: rename ttl controller package
#7955 chore: move kyverno.io/verify-images constant
#7949 chore: move cache enabled label
#7945 fix: Kyverno cli apply duplicate result counts
#7944 chore: move more constants
#7943 Fixes kyverno cli container reorder
#7942 chore: move cert.kyverno.io/managed-by label in constants
#7941 chore: organize constants better
#7937 fix: rename --compact to --detailed-results in CLI
#7929 fix: rename vap to its full name
#7927 Adding other folder's subfolders to workflows/conformance.yaml's tests array.
#7908 feat: add custom keychains using fluxcd/oci/auth package
#7906 feat: update default keychain in registry to be empty
#7902 Updated registryClient comments
#7890 feat: add basic structure for image verify cache
#7885 fix: apply command doesn't consider git and non-git paths together (#7832)
#7872 Added missing info about adding remote upstream in CONTRIBUTING.md
#7859 feat: add auto-gen rules for CEL
#7840 feat: generate validating admission policies and their bindings from Kyverno policies
#7835 refactor validating admission policies
#7833 Removed usage of replacements from goreleaser.yml file
#7827 move events for cleanup policies to the events controller
#7821 feat: add ttl controller
#7813 adding env to doc
#7802 fix: remove obsolete method in discovery
#7791 test: add tests for ghcr private repository
#7787 feat: add images to allowed variables in substitution
#7782 feat: add create metrics-config cli command
#7781 feat: add create exception cli command
#7780 feat: add create user-info cli command
#7779 feat: add create values cli command
#7778 feat: add create test cli command
#7773 Move fetchClusterPolicies() and fetchPolicies() to utils
#7768 feat: add applyconfiguration-gen support
#7767 chore: increase linter timeout
#7766 chore: switch to deepcopy-gen
#7765 chore: introduce defaulters-gen
#7761 chore: use register-gen to register k8s types
#7760 refactor: move kyverno constants out of v1 package
#7758 fix(kubectl-kyverno): dump error validation response message
#7757 feat: add table output to cli apply command
#7748 fix: remove cli dead code
#7747 Replaced gcr crane with gcr remote
#7746 fix: improve cli apply args check
#7744 chore(deps): bump ubuntu from 6120be6 to 0bced47 in /.devcontainer
#7739 fix: refactor cli values loading and remove dead code
#7738 chore: bump ko version
#7737 chore: bump kind node versions
#7736 fix: nits in cli flags
#7733 fix: typo in check cmd
#7729 fix: reduce token permissions
#7727 fix: use github token instead of pat
#7726 fix: remove jmespath replace directive
#7723 fix: use gh token instead of pat
#7721 fix: reduce token permissions
#7720 fix: remove obsolete scripts
#7719 fix: reduce token permissions
#7717 fix: make test --fail-only return 1 if there are failed tests
#7716 chore: use github token instead of pat
#7715 chore: bump cosign in gh workflows
#7713 fix: release signing (cherry-pick #7711)
#7709 test: add kuttl tests for background only policies
#7705 feat: Add support for server-side-apply in generate rules
#7702 chore: remove redundant tests
#7697 fix: pr updater workflow
#7683 Feat: Upgrade controller-gen to v0.12.0 and fix tooling
#7673 feat: migrate to events.k8s.io/v1
#7672 fix: cleanup controller context from #7597
#7667 fix: factorise configmap informer code
#7665 fix: pr updater workflow
#7654 fix: use golang builtin version management
#7653 fix: vscode debug config
#7650 [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6
#7640 add missing VULN_TEMPLATE.md
#7638 fix: harden rbac permissions
#7634 fix: harden certs secrets management
#7630 fix: cleanup controllerutils client interfaces
#7629 fix: stop using lister in tls renewer
#7626 fix: harden cleanup controller rbac
#7624 fix: token permissions
#7623 fix: service account name env var defined twice
#7620 fix: reduce number of queries to detect delete operations
#7619 fix: token permissions
#7615 fix workflow
#7613 fix: panic if env var not defined
#7611 fix: token permissions on report vulns workflow
#7610 chore: improve dependabot config
#7605 fix: scorecard workflow
#7592 chore: improve pr updater job
#7587 fix: scorecard workflow
#7585 chore: fix token permissions
#7582 fix: validate subject kind
#7580 chore: bump otel deps
#7575 fix: update typos in docs/dev/reports/README.md
#7573 Update version drop-downs
#7572 Helpers to providers
#7568 Test policy library
#7546 feat: cache regex
#7536 refactor: cut dependency between image verifier and registry client
#7529 refactor: introduce engine image data client interface
#7528 Updated the message to the level4log and removed err that originated from ApplyBackgroundChecks.
#7501 feat: use context for toggles management
#7499 fix: use RawClient in context loader
#7489 [Feature] round() JMESPath function
#7487 fix: propagate context when listing resources
#7475 feat: make aggregated reports optional
#7468 feat: add API server priority and fairness configuration for kyverno
#7453 chore: add buffer unit tests
#7452 feat: switch json patch lib for real
#7451 chore: add engine api stats unit tests
#7450 Remove response patches
#7449 refactor: remove json patches from engine response
#7447 refactor: remove json patches from mutation tests
#7443 refactor: remove json patches from rule response in tests
#7438 chore: remove last-applied-patches annotation
#7422 fix: stop recording json patches in rule responses (part 2)
#7420 feat: add config exclusions in the engine
#7415 fix: json patch unit tests
#7413 expose JSON Pointer in Images variable for extension services
#7411 charts: changes validationFailureAction default value
#7401 fix: replace mattbaird/jsonpatch with appscode/jsonpatch
#7397 fix: cosign global var
#7396 fix: Result not correct when testing a mutate rule and foreach.
#7394 refactor: stop recording json patches but generate them on demand (part 1)
#7391 chore: deprecate imageSignatureRepository flag
#7377 refactor: introduce abstract client interface in engine
#7339 fix: mutate resource in image verification handler
#7323 feat: add auth checker interface
#7307 fix: abort validation if value could be processed
#7248 Support for Cosign 2.0
#7196 fix: remove policy-reporter from dev lab
#7186 refactor: use structured jsonpatch instead of byte arrays
#7175 [Feature] Enhance devcontainer
#7166 chore: update dev doc for controllers
#7152 chore: bump otel deps
#7139 refactor: hide json context from caller
#7136 Add JMESPath function for dynamic object/array lookup
#7114 Enable flexible registry credential configurations
#7097 chore: add makefile target for kwok
#6942 refactor: restructure cli test command
#6871 refactor: cli test filter
#6800 Added fetchAttestations method to notaryV2 implementation
#6772 fix: couple of issues in policy interface
#6666 feat: add background only policy support
#6656 Supporting ValidatingAdmissionPolicy in kyverno cli (apply and test command)
#6084 Support for Context vars in cleanup