Releases: open-policy-agent/gatekeeper
v3.8.0
❗DO NOT USE
This release has an issue that can cause unenforced violations when using the config resource without sync. Fixed in v3.8.1 with #2038.
This stable release includes bug fixes and new features.
Notable changes
- 16% speedup in constraint template compilation 🏃
- 1.5x-4x decrease in webhook CPU/memory usage 🎉
- 2x decrease in audit memory usage 🎊
- External Data now supports mutation 🥳
Features
- Prometheus metric for conflicting mutators (#1714) #1714 (Julian Katz)
- Implement tls checker for webhook (#1696) #1696 (Ethern Su)
- enable exempting additional labels in the webhooks (#1778) #1778 (Robin Opletal)
- helm: allow configuring the webhooks to be removed before gatekeeper itself is uninstalled (#1770) #1770 (Mitch Hulscher)
- Support suffix-based matching for resources (#1796) #1796 (Sunghoon Kang)
- Support setting custom rules in validating/mutatingwebhookconfigurations (#1806) #1806 (Mac Chaffee)
- Add gator test (formerly gator validate) (#1786) #1786 (Julian Katz)
- Reference gator verify in gator test --help (#1836) #1836 (Julian Katz)
- add health port to webhook service (#1839) #1839 (Max V)
- Add additional context to gator test --help (#1850) #1850 (Julian Katz)
- add reinvocationPolicy config to the MutatingWebhookConfiguration Chart Config (#1844) #1844 (Mitchell Maler)
- cache namespaces in targethandler (#1908) #1908 (davis-haba)
- external data mutation (#1891) #1891 (Ernest Wong)
Bug Fixes
- Set namespace field in request (#1757) #1757 (Will Beason (he/him))
- helm upgrade test (#1766) #1766 (Sertaç Özercan)
- Check resp before call resp.TraceDump to avoid panic (#1754) #1754 (Huang Huang)
- Update frameworks and fix test (#1802) #1802 (Will Beason)
- match helm mwh timeout default value (#1913) #1913 (Sertaç Özercan)
- fix race condition in mutator controller reconcile (#1942) #1942 (Huang Huang)
- chart: allow override securityContexts (#1938) #1938 (Loïc Stevens)
- define items.type for k8srequiredlabels (#1955) #1955 (Ernest Wong)
- re-add missing constraint race condition fix (#1951) #1951 (Max Smythe)
- update gatekeeper_mutators metrics when a mutator is deleted (#1950) #1950 (Ernest Wong)
- Update deployment to include mutation-status operation (#1966) #1966 (Rita Zhang)
Documentation
- Add workload resource documentation (#1749) #1749 (Jackson Reid)
- add wildcard matching for ns exclusion (#1771) #1771 (Sertaç Özercan)
- namespace exclusion differences (#1782) #1782 (Sertaç Özercan)
- gator test --> gator verify (#1800) #1800 (Julian Katz)
- Update link to point to new default branch (#1808) #1808 (Tim McFadden)
- Add additional Constraint fields to howto (#1805) #1805 (Rita Zhang)
- add documentations for various flags (#1824) #1824 (Ernest Wong)
- add instructions on how to use tilt for development (#1895) #1895 (Ernest Wong)
- add descriptions of the various Gatekeeper operations (#1937) #1937 (Max Smythe)
- add contributing guide (#1945) #1945 (Rita Zhang)
- remove developer doc from 3.6 (#1964) #1964 (Rita Zhang)
Code Refactoring
- Rename 'gktest' to 'gator' (#1751) #1751 (Will Beason (he/him))
- Remove client.Reset usage (#1762) #1762 (Will Beason (he/him))
- Change gator test to gator verify (#1799) #1799 (Julian Katz)
Performance Improvements
- improve --constraint-violations-limit scaling (#1971) (#1974) #1974 (Max Smythe)
- Add ToMatcher() to K8sValidationTarget (#1789) #1789 ([Will Beason (he/him)](https://github.com/open-policy-agent/gatekeeper/co...
v3.7.2
Bug Fixes
- Update deployment to include mutation-status operation (#1981) #1981 (Ernest Wong)
Chores
- Prepare v3.7.2 release (#2001) #2001 (github-actions[bot])
v3.8.0-rc.2
Performance Improvements
- improve --constraint-violations-limit scaling (#1971) (#1974) #1974 (Max Smythe)
Chores
- Prepare v3.8.0-rc.2 release (#1990) #1990 (Ernest Wong)
v3.8.0-rc.1
Features
- Prometheus metric for conflicting mutators (#1714) #1714 (Julian Katz)
- Implement tls checker for webhook (#1696) #1696 (Ethern Su)
- enable exempting additional labels in the webhooks (#1778) #1778 (Robin Opletal)
- helm: allow configuring the webhooks to be removed before gatekeeper itself is uninstalled (#1770) #1770 (Mitch Hulscher)
- Support suffix-based matching for resources (#1796) #1796 (Sunghoon Kang)
- Support setting custom rules in validating/mutatingwebhookconfigurations (#1806) #1806 (Mac Chaffee)
- Add gator test (formerly gator validate) (#1786) #1786 (Julian Katz)
- Reference gator verify in gator test --help (#1836) #1836 (Julian Katz)
- add health port to webhook service (#1839) #1839 (Max V)
- Add additional context to gator test --help (#1850) #1850 (Julian Katz)
- add reinvocationPolicy config to the MutatingWebhookConfiguration Chart Config (#1844) #1844 (Mitchell Maler)
- cache namespaces in targethandler (#1908) #1908 (davis-haba)
- external data mutation (#1891) #1891 (Ernest Wong)
Bug Fixes
- Set namespace field in request (#1757) #1757 (Will Beason (he/him))
- helm upgrade test (#1766) #1766 (Sertaç Özercan)
- Check resp before call resp.TraceDump to avoid panic (#1754) #1754 (Huang Huang)
- Update frameworks and fix test (#1802) #1802 (Will Beason)
- match helm mwh timeout default value (#1913) #1913 (Sertaç Özercan)
- fix race condition in mutator controller reconcile (#1942) #1942 (Huang Huang)
- chart: allow override securityContexts (#1938) #1938 (Loïc Stevens)
- define items.type for k8srequiredlabels (#1955) #1955 (Ernest Wong)
- re-add missing constraint race condition fix (#1951) #1951 (Max Smythe)
- update gatekeeper_mutators metrics when a mutator is deleted (#1950) #1950 (Ernest Wong)
- Update deployment to include mutation-status operation (#1966) #1966 (Rita Zhang)
Documentation
- Add workload resource documentation (#1749) #1749 (Jackson Reid)
- add wildcard matching for ns exclusion (#1771) #1771 (Sertaç Özercan)
- namespace exclusion differences (#1782) #1782 (Sertaç Özercan)
- gator test --> gator verify (#1800) #1800 (Julian Katz)
- Update link to point to new default branch (#1808) #1808 (Tim McFadden)
- Add additional Constraint fields to howto (#1805) #1805 (Rita Zhang)
- add documentations for various flags (#1824) #1824 (Ernest Wong)
- add instructions on how to use tilt for development (#1895) #1895 (Ernest Wong)
- add descriptions of the various Gatekeeper operations (#1937) #1937 (Max Smythe)
- add contributing guide (#1945) #1945 (Rita Zhang)
- remove developer doc from 3.6 (#1964) #1964 (Rita Zhang)
Code Refactoring
- Rename 'gktest' to 'gator' (#1751) #1751 (Will Beason (he/him))
- Remove client.Reset usage (#1762) #1762 (Will Beason (he/him))
- Change gator test to gator verify (#1799) #1799 (Julian Katz)
Performance Improvements
- Add ToMatcher() to K8sValidationTarget (#1789) #1789 (Will Beason (he/him))
- Implement ToMatcher and Matcher.Match (#1791) (#1807) #1807 (Becky HD)
- Update frameworks to use compiler sharding (#1900) #1900 (Will Beason)
- Upgrade frameworks to speed up compilation (#1960) #1960 (Will Beason)
Tests
- Add test for gator test to...
v3.7.1
Bug Fixes
v3.7.0
This stable release includes bug fixes and new features.
Notable updates since v3.6.0
- Mutation has graduated to Beta! 🎉
- Added ModifySet mutator 📐
- Introducing External Data for validation as an alpha feature! 🎊
- Introducing Gator CLI as alpha for testing constraint templates and constraints without Kubernetes. Linux and macOS binaries are available in release assets. 🐊
- Minimum TLS version for webhooks has been updated to be v1.2 and can be configured using --tls-min-version. In v3.8.0, TLS v1.3 will be set as the default. 🔐
- Audit memory improvement! 🔋
Commits since v3.7.0-beta.2
- 68416df: Bump @docusaurus/core from 2.0.0-beta.6 to 2.0.0-beta.7 in /website (#1617) (dependabot[bot]) #1617
- 4cbf404: Bump @docusaurus/preset-classic from 2.0.0-beta.6 to 2.0.0-beta.7 in /website (#1618) (dependabot[bot]) #1618
- e7b5041: add list constraint doc (#1613) (Sertaç Özercan) #1613
- f50fcce: use manifestlist (#1611) (Sertaç Özercan) #1611
- 6d6d266: Fix typo (#1623) (Prachi Pendse) #1623
- 7526893: add crds resources pool to the crds container (#1621) (Stanislav Chesnovskii) #1621
- c7e391f: Bump @docusaurus/core from 2.0.0-beta.7 to 2.0.0-beta.8 in /website (#1628) (dependabot[bot]) #1628
- 5554c6e: Bump @docusaurus/preset-classic from 2.0.0-beta.7 to 2.0.0-beta.8 in /website (#1627) (dependabot[bot]) #1627
- e55aa36: Feat/add dns policy (#1624) (Jim Conner) #1624
- 9fd8514: Fix defers and goroutines in tests (#1595) (Will Beason) #1595
- b1a6812: add dummy provider and e2e for external data validation (#1606) (Sertaç Özercan) #1606
- 167fa05: add token permissions for actions (#1632) (Sertaç Özercan) #1632
- 5cf1965: Add the ability to source values from resource metadata. (#1575) (Max Smythe) #1575
- c2844a6: Wrap all RBAC resources in a conditional based on values.rbac.create (#1625) (Rob Mason) #1625
- 4031f43: enable external data flag for helm (#1633) (Sertaç Özercan) #1633
- e9822b1: Bump @docusaurus/core from 2.0.0-beta.8 to 2.0.0-beta.9 in /website (#1637) (dependabot[bot]) #1637
- 778d0a4: Bump @docusaurus/preset-classic in /website (#1638) (dependabot[bot]) #1638
- 23b4165: bump node version to 16 (#1642) (Sertaç Özercan) #1642
- c36e3d8: Move mutation to beta (#1626) (Max Smythe) #1626
- 87cb662: Publish Gator CLI binaries in release (#1636) (Sertaç Özercan) #1636
- 2047863: add versioned docs (#1645) (Sertaç Özercan) #1645
- 3442bc9: Enable audit to write cache to disk to reduce memory (#1634) (Rita Zhang) #1634
- b3ed944: Make gator compatible with Windows (#1653) (Will Beason) #1653
- 8f7a74e: add v3.6.x docs (#1656) (Sertaç Özercan) #1656
- 35b2113: add clarification for versioned docs (#1657) (Sertaç Özercan) #1657
- c2119e8: remove gator windows (#1658) (Sertaç Özercan) #1658
- f43223e: Add option for audit to writeToRAMDisk to chart (#1660) (Rita Zhang) #1660
- 3ba8e93: Prepare for v3.7.0 release (#1661) (Sertaç Özercan) #1661
v3.7.0-beta.2
Commits
- Add gatekeeper-crds image pull secrets to Helm Chart (#1555) #1555 (Julian Dolce)
- 63b51d3: Run gator test 2 (#1519) (Will Beason) #1519
- 9918cbe: Add ModifySet mutator (#1508) (Max Smythe) #1508
- 45fd0c4: Add details to audit log output (#1528) (Max Smythe) #1528
- c91112c: Workaround helm template bug when testing for APIVersions (#1533) (Mathieu Parent) #1533
- 426b4f4: add exempt-namespace-prefix args to helm chart (#1523) (David Wolffberg) #1523
- 0d62cc4: Add psp for upgrade hook (#1539) (Rita Zhang) #1539
- f9db4e8: changes in the base url to fix the broken link (#1503) (Kanchana Wickremasinghe) #1503
- b94a5f5: Revert "changes in the base url to fix the broken link (#1503)" (#1543) (Rita Zhang) #1543
- d903037: Upgrade dependencies to the most recent compatible (#1541) (Will Beason) #1541
- 0f910c1: Pass constraints through JSON to avoid opaclient panic (#1538) (Will Beason) #1538
- d32be19: Bump @docusaurus/core from 2.0.0-beta.5 to 2.0.0-beta.6 in /website (#1529) (dependabot[bot]) #1529
- ad6e9bb: Bump @docusaurus/preset-classic from 2.0.0-beta.5 to 2.0.0-beta.6 in /website (#1530) (dependabot[bot]) #1530
- 7f0bbfa: fixing the base url for the gatekeeper icon (#1553) (Kanchana Wickremasinghe) #1553
- 419f68e: [gator-test] add --run flag to gator test (#1536) (Will Beason) #1536
- 3824c6d: Bump codecov/codecov-action from 2.0.3 to 2.1.0 (#1557) (dependabot[bot]) #1557
- 6cbd519: update to go 1.17 (#1558) (Sertaç Özercan) #1558
- 97e3ae5: Remove assignIf from Assign mutator (#1548) (Max Smythe) #1548
- a7373bb: Add name to match criteria (#1542) (Julian Katz) #1542
- eeb7bff: Refactor mutation.System (#1545) (Will Beason) #1545
- 14de7cf: Scope pkg/readiness/Test_CollectDeleted to a controlled namespace (#1567) (Oren Shomron) #1567
- a968ce3: Allow to override the failurePolicy and timeout for the mutating webhook (#1540) (Mathieu Parent) #1540
- 9f4ad4f: Ensure helm hooks run as non-root and make PSP optional (#1568) (Alexander Berger) #1568
- 921869d: Set minimum TLS version in webhooks (#1426) (Sertaç Özercan) #1426
- b447eb1: add mutation exclusion to doc (#1577) (Sertaç Özercan) #1577
- cea6629: update testdata crds to v1 (#1578) (Sertaç Özercan) #1578
- b04fa2b: Bump actions/setup-node from 2.4.0 to 2.4.1 (#1584) (dependabot[bot]) #1584
- 7ea3783: Preserve conflicting mutators (#1569) (Will Beason) #1569
- 0b663ca: Upgrade to golangci-lint v1.42.1 (#1579) (Will Beason) #1579
- abe681b: Update cloud-specific.md, fix invalid nouid (#1580) (Andy Librian) #1580
- 8175c0a: Update customize-admission docs (#1565) (Max Smythe) #1565
- 623a1be: [gator test] Support referential constraints (#1574) (Will Beason) #1574
- 86da9a8: Fix bugs in ModifySet mutator (#1587) (Max Smythe) #1587
- 867b811: Add descriptions to CT match (#1546) (Julian Katz) #1546
- fb5601b: Forbid empty assertions (#1591) (Will Beason) #1591
- 655278a: Remove PodOwnership option (#1585) (Will Beason) #1585
- 25baefa: replace labelNamespace hook image (#1593) (Rita Zhang) #1593
- a51926a: add gatekeeper_ prefix to metrics (#1598) (Sertaç Özercan) #1598
- e500b26: Generate mutation resources for manifests and release (#1597) (Rita Zhang) #1597
- 1c3e376: Extend audit docs (#1586) (Max Smythe) #1586
- ad701ac: Use Istio port name naming convention (#1599) (Mathieu Parent) #1599
- eeb34b0: Use pre-baked response functions for validating webhook (#1581) (Max Smythe) #1581
- 40e1775: initial external data integration for validation (#1573) (Sertaç Özercan) #1573
- e853d0b: Prepare v3.7.0-beta.2 release (#1608) (Sertaç Özercan) #1608
v3.7.0-beta.1
v3.6.0
This stable release includes bug fixes and new features.
Notable updates since last stable version
- ConstraintTemplate CRD moves to v1 🎉
- Reduce System.Mutate runtime by 87% 🔨
- Fix race conditions in watch manager and constraint controllers 🐎
- Remove non-specific webhook request metrics 📊
- Add prefix-based matching for namespaces and excludedNamespaces 🔡
- Add integer keyValue support to mutation path parser / mutators 🔢
- Helm enable to config controller manager & audit port 🎊
- Add helm hooks to upgrade CRDs 🆙
- Add metrics reporting for mutation 📈
Commits
- aad6c27: fix whitespace error in the debugging docs (#1465) (rob salmond) #1465
- 07e2fd0: Add metrics reporting for mutation (#1435) (Julian Katz) #1435
- f695654: Add frameworks apis to scheme (#1470) (Julian Katz) #1470
- 821db67: update with k8s v1.22.0 (#1477) (Sertaç Özercan) #1477
- 5975122: Add label to bats http.send test for idempotence (#1473) (Ivan Font) #1473
- 407611a: Deduplicate mutator controller logic (#1474) (Max Smythe) #1474
- 6a8ff89: Make Context usage consistent (#1457) (Will Beason) #1457
- aa8ad45: Add helm hooks to upgrade CRDs (#1485) (Rita Zhang) #1485
- c70dfd0: Unify Gatekeeper and controller-runtime metrics into a single endpoint (#1482) (Oren Shomron) #1482
- e00262b: Refactor core.Reconciler (#1489) (Will Beason) #1489
- a1b50a0: Update the upper limit of request duration metrics to 3 seconds (#1504) (Tsubasa Umeuchi) #1504
- 0238780: Dynamically change the API version of the PDB in Helm Chart (#1502) (Yuki Iwai) #1502
- 1901725: Helm enable to config controller manager & audit port (#1438) (Edvin N) #1438
- c3e9cd4: V1 constrainttemplate docs (#1492) (Julian Katz) #1492
- dd97b8a: run gator test (#1463) (Will Beason) #1463
- 93ad7e4: Refactor mutator Matches() to make extension easy (#1494) (Julian Katz) #1494
- mutation process to allProcesses list (#1516) #1516 (Spencer McCreary)
- 94ced7f: Update supported k8s versions (#1517) (Rita Zhang) #1517
- 9503ef2: Prepare v3.6.0 release (#1518) (Sertaç Özercan) #1518