v1.10.0-beta.1

@github-actions github-actions released this 11 May 09:46
8a350ab

Changes since alpha.2

Kyverno 1.10 is a huge release which brings breaking changes in both the application and Helm chart. This is a pre-release.

Major features:

  • Split the main Kyverno Deployment into 3 separate controllers/Deployments
  • Intra-cluster Service calls
  • Notary v2 support
  • Major reworking of generate and "mutate existing" policies

NOTE: There is a limited upgrade path available when using the Helm chart, which requires manual intervention, and NO upgrade path when using raw YAML manifests. Please see the Helm v2 to v3 migration guide for full details.

❗ Breaking ❗

  • The generate.apiVersion field is now required in a generate rule. Policies/rules without this defined will need to set it. (#7080)

✨ Added ✨

  • The apiCall context variable, used exclusively for Kubernetes API communication, can now perform POST operations similar to the new apiCall.service (external) call. When using this new method, it is not necessary to specify a CA certificate for trust. (#6948)
  • New Policy Report cleanup jobs are added as a safeguard to remove excessive intermediate reports (not final Policy Reports) in case reconciliation doesn't happen fast enough. In almost all cases, these jobs are expected to do nothing. (#6960)
  • Added a new flag --registryCredentialHelpers for enabling image-registry-specific credential helpers. This flag is passed by default. (#6974, #7002)
  • Added a new --omit-events flag which allows defining which type of Kyverno events should not be emitted. (#7010)
  • Context variables are now lazy loaded (just in time) which prevents failures of some policies. Context variables will now only be evaluated when they are needed in a policy and not all at once in the very beginning. (#7071)
  • Added a new ConfigMap key called excludeUsernames which is used to exclude certain requests with these usernames from processing. The value also supports a negation operator (!) which allows inclusion of a username in cases where it might have been excluded in a different setting elsewhere. (#7082)
  • Significant changes with how mutations work (#7095):
    • Added a new foreach.order field to control how patches are applied internally, either Ascending or Descending.
    • Instead of Kyverno patching the "final" version of the resource after every patch, it will only do so internally. All patches will be summarized and combined at the end.
    • When using multiple foreach loops, they will be evaluated from top down so the result of one loop will only be available to the next after the first loop completes. They will no longer iterate independently over the same input.
    • Rules which need to mutate the result of prior mutations should be split into separate rules.
  • Kyverno will now ensure that generate rules are written appropriately for namespaced and cluster-scoped resources to prevent bad policies from being accepted. (#7098)
  • Condition expressions now have an optional new field, message, which will be shown if that particular expression fails. This field is available anywhere conditions are used (e.g., verifyImages or validate). (#7113, #7126)
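To illustrate the mutation and conditions changes above, here is an added, constructed ClusterPolicy (not taken from the release notes or the Kyverno project) showing a foreach loop with the new order field and a deny condition carrying the new message field; the policy and rule names, the annotation and the Pod fields patched are assumptions for the example.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: foreach-order-and-condition-message   # constructed example name
spec:
  rules:
  # Rule 1: iterate over the containers list top-down (order: Ascending),
  # adding runAsNonRoot where it is unset. The per-element patches are
  # combined and applied once at the end of the rule; a mutation that must
  # see this rule's result belongs in a separate rule, not a second loop.
  - name: default-run-as-non-root
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      foreach:
      - list: "request.object.spec.containers"
        order: Ascending
        patchStrategicMerge:
          spec:
            containers:
            - (name): "{{ element.name }}"
              securityContext:
                +(runAsNonRoot): true
  # Rule 2: a deny condition with the new per-condition message field; the
  # message is reported when this expression is the reason for the result.
  - name: block-host-network
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Pods may not use the host network."
      deny:
        conditions:
          any:
          - key: "{{ request.object.spec.hostNetwork || `false` }}"
            operator: Equals
            value: true
            message: "spec.hostNetwork is set to true"
```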

Helm

  • Added a new features section in the v3 Helm chart as an easier abstraction for feature enablement. It does not require knowing which controllers need which flags. (#6935)
  • Split out chart values per component. (#6936)
  • Added a logging.verbosity flag in the chart to control logging verbosity without the need for an extraArg. (#6940)
  • Added a new upgrade.fromV2 flag in the Helm chart which is REQUIRED when upgrading from v2 of the chart. Please read the Helm migration guide for very important details on migrating from v2 to v3. (#7066, #7144)

⚠️ Changed ⚠️

  • Bumped Kubernetes dependencies to 1.27. (#6868)
  • Tightened the permissions needed by Kyverno. (#6957, #6970, #6972)
  • Improved instrumented clients by adding an UpstreamInterface that is an alias to the bare upstream interface. (#7006)
  • Updated the internal Kubernetes resource schemas which will prevent some calls to deprecated/removed APIs. (#7014)
  • Standardize on use of github.com/evanphx/json-patch/v5 for JSON patches. (#7015)
  • Refactor of engine patchers. (#7030)
  • Refactor of the engine response policy. (#7063)
  • Remove the deletionTimestamp check in rules handled by the background controller. (#7039)
  • All controllers' containers will print their container flags and values at the default log level upon startup. (#7127)
  • Removed the --genWorker flag from the admission controller as this is only applicable to the background controller. (#7132)
  • Changed the wording of the log message in the background controller when periodic reconciliation fires so it's not confused with the reporting controller's background scan ability. (#7142)

🐛 Fixed 🐛

  • Remove /status subresource from policy webhooks as this wasn't needed. (#6939)
  • Fixed/reverted a previous check that was preventing JSON patches (mutate) with single quotes from being accepted. JSON patches can be written more simply as YAML rather than in-line JSON. (#6941)
  • Fixed an issue matching on ephemeralContainers. (#6963)
  • Fixed an issue validating variables in policies which disabled background scanning. (#6978)
  • Fixed an issue where autogen would fire in a foreach mutation rule causing an invalid schema policy. (#6996)
  • Fixed a missing serverIP parameter in the cert renewer for the cleanup controller. (#6999)
  • Fixed when Kyverno reloads its ConfigMap to reduce log noise. (#7007)
  • Fixed a loop prevention check in generate rules. (#7026)
  • Fixed not showing the background scan interval in the report controller logs. (#7065)
  • Fixed removing entries in excludeGroups from matching. (#7083)
  • Removed a duplicate entry in the admission controller's ClusterRole for Leases. (#7125)
  • Fixed report controller quitting when losing the lead. (#7153)

Helm

  • Fixed an issue in templating of metricsRefreshInterval. (#7019)

All PRs

#7153 fix: let reports controller quit when losing the lead
#7144 Update chart with v2 to v3 migration guidance.
#7142 chore: update background scan logging messages
#7132 fix: remove the container flag genWorker from the admission controller
#7127 feat: print container flags and their values
#7126 add condition msg to v2beta1
#7125 fix: remove the duplicate entry from the admission clusterrole
#7113 Conditions message
#7098 feat: generate policy validation - target resource scope & namespace settings
#7095 fix: mutation code
#7083 fix: remove excluded groups from matching
#7082 feat: add config inclusions support
#7080 feat: require generate.apiVersion
#7071 lazy loading of context vars
#7068 fix: flaky github action
#7066 feat: add opt-in setting to deploy v3 chart
#7065 fix: add background scan interval log
#7063 refactor: engine response policy
#7039 fix: remove deletionTimestamp checks
#7037 update development doc
#7030 refactor: engine patchers
#7026 fix: generate policy validation to prevent endless loop
#7019 fix: helm template with metricsRefreshInterval
#7015 chore: use github.com/evanphx/json-patch/v5
#7014 feat: update built-in resource schemas
#7010 Added omit-events flag to allow disabling of event emission
#7007 fix: record configmap resource version to not reload when version didn't change
#7006 feat: improve instrumented clients
#7002 feat: add registry credential helpers feature
#6999 fix: add server ip config to cleanup controller
#6996 fix: disable autogen in foreach mutation with json patches
#6993 chore: bump kind image to 1.27.1
#6978 fix: variables validation for background enabled policies
#6974 feat: add credential helpers flags
#6972 chore: restrict default permissions
#6970 feat: new access checks for background policies
#6966 Add kuttl test for ephemeral containers
#6963 fix: match on ephemeral containers
#6960 feat: add reports cleanup jobs to prevent outage
#6957 fix: refine event permissions in default roles
#6948 add support for Kubernetes API server POST
#6941 fix: incorrect json patch validation
#6940 feat: add verbosity level in helm chart values
#6939 fix: remove status from policy webhooks
#6936 feat: split chart values in readme per component
#6935 feat: add features section in helm values
#6868 feat: bump k8s deps to 1.27
#6822 chore: implement expected tagging strategy (cherry-pick #6820)
#6820 chore: implement expected tagging strategy