approver-policy provides a policy engine for certificates issued by cert-manager!
This release strengthens the CEL validation pipeline, makes the validating webhook configuration more precise, hardens the policy registry, and pulls in security-relevant Go module updates alongside refreshed controller-runtime, cel-go, and Kubernetes client-go.
Highlights
- Hardening of CEL evaluation to prevent denial-of-service from expensive policies: per-call cost limit (#923), bounded LRU cache for compiled programs (#926), and an iterative wildcard matcher that removes recursion-based DoS risk (#925).
ValidatingWebhookConfigurationis now precise about whichCertificateRequestevents trigger admission, reducing unnecessary webhook traffic (#908, fixes #907).Registry.Store()now detects duplicate approver names within a single call as well as across calls (#875).- Security-relevant
golang.org/xupdates:x/sysv0.44.0,x/netv0.55.0,x/cryptov0.52.0.
What's Changed
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #895
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #896
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #897
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #898
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #899
- fix(deps): update module sigs.k8s.io/controller-runtime to v0.24.1 by @renovate[bot] in #900
- fix(deps): update kubernetes go patches to v0.36.1 by @renovate[bot] in #902
- fix(deps): update module github.com/google/cel-go to v0.28.1 by @renovate[bot] in #901
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #903
- fix(deps): update github.com/onsi deps by @renovate[bot] in #905
- BUGFIX: Make ValidatingWebhookConfiguration precise by @erikgb in #908
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #906
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #909
- chore(deps): update module golang.org/x/sys to v0.44.0 [security] by @renovate[bot] in #913
- chore(deps): update module golang.org/x/crypto to v0.52.0 [security] by @renovate[bot] in #911
- chore(deps): update module golang.org/x/net to v0.55.0 [security] by @renovate[bot] in #912
- chore(deps): update docker/login-action action to v4.2.0 by @renovate[bot] in #910
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #914
- chore(deps): update misc github actions to v6.0.3 by @renovate[bot] in #916
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #917
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #918
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #919
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #920
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #921
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #922
- VC-53793: Add CEL cost limit by @wallrj-cyberark in #923
- VC-53793: Bound the CEL validator cache with an LRU (alternative to #924) by @wallrj-cyberark in #926
- fix(deps): update github.com/onsi deps to v2.30.0 by @renovate[bot] in #927
- VC-53793: Replace recursive wildcard matching with iterative algorithm by @wallrj-cyberark in #925
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #929
- fix(deps): update kubernetes go patches to v0.36.2 by @renovate[bot] in #928
- fix(deps): update github.com/onsi deps by @renovate[bot] in #930
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #932
- chore(deps): update makefile modules to 7835ffe by @renovate[bot] in #933
- chore(deps): update makefile modules to 92aeb18 by @renovate[bot] in #934
- Fix Store() to detect duplicate approver names within a single call by @archy-rock3t-cloud in #875
- chore(deps): update makefile modules to 5d90d75 by @renovate[bot] in #935
- test: assert registry is unmodified when Store() panics by @wallrj-cyberark in #936
New Contributors
- @wallrj-cyberark made their first contribution in #923
Full Changelog: v0.25.1...v0.26.0