v1.8.0

@github-actions github-actions released this 10 Oct 09:06
957a6bc

The 1.8.0 release is a HUGE one with the following new user-facing features, changes, and fixes. A ton of work went into internal processes, clean-ups, refactorings, optimizations, and other under-the-covers or housekeeping changes that will make Kyverno cleaner, more stable, and easier to maintain. For a complete list of all PRs, including internal-facing additions, fixes, optimizations, etc., see the Complete List of PRs below.

✨ Added ✨

  • ⭐ New validate subrule called podSecurity which integrates the Pod Security Admission libraries (#4840, #4814, #4735, #4710, #4558, #4475, #4364, #4804).
  • ⭐ New validate subrule called manifests which enables YAML manifest signature validation (#4235).
  • ⭐ Allow generate rules to generate multiple resources in a single rule, also specifiable via labels (#4713, #4384, #4684).
  • ⭐ OpenTelemetry support (#3910).
  • ⭐ [CLI] Support for testing generate policies (#3456).
  • Support for Kubernetes 1.25 (#4503).
  • New JMESPath filter x509_decode to support decoding of X.509 certificates (#4664).
  • New JMESPath filter random allowing random, yet composable, generation of random strings (#4527, #4591, #4697).
  • New feature flag backgroundScan to enable/disable background scans (default true) (#4638). This replaces the previous flag of the same name; rather than controlling the background scan interval, it now merely enables/disables scanning.
  • New feature flag protectManagedResources (default false) to enable Kyverno managed resources protection (#4522, #4414).
  • New feature flag admissionReports to enable/disable kyverno admission reports (default value is true). When this is set to false, kyverno will not create admission reports. If both backgroundScan and admissionReports are set to false the entire reports system will be disabled.
  • New feature flag maxQueuedEvents to limit internally queued events (#4233, #4236).
  • New feature flag reportsChunkSize to split reports according to the number of results contained in the report (default value is 1000). This can be disabled by setting the flag value to 0.
  • Deprecated the splitPolicyReport flag: splitting reports per policy is now always enabled. The flag is kept for backward compatibility and will be removed in a future version.
  • ReportChangeRequest and ClusterReportChangeRequest CRDs have been removed and replaced by AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport CRDs.
  • Introduces a new v2beta1 version of Kyverno resources which removes deprecated CRD types and fields from v1. v1 will be deprecated and eventually removed in a future version (#4514, #4654).
  • New metric kyverno_client_queries_total (#4359).
  • Kyverno officially supports running outside of the Kubernetes cluster it services, via a kubeconfig flag and a serverIP flag. This was technically possible earlier, was removed, and has now been restored (#4308).
  • A new PolicySkipped event is added (#4251).
  • [CLI] Adds a --fail-only flag (default false) to the test command to show only failing tests (#4227).
  • Adds a new field applyRules which controls how rules in a policy are applied (#4196).
  • Certificate rotation is now handled with a much more graceful process (#3890).
  • Certificates are fetched dynamically rather than statically (#3851).

⚠️ Changed ⚠️

  • ⭐ Autogeneration of Pod controller rules now goes into status and not spec and is enabled by default (#4381, #4370).
  • Helm chart registry URL has changed from ghcr.io/kyverno/kyverno/kyverno to ghcr.io/kyverno/charts/kyverno (#4768).
  • Helm chart now follows semver (omits the 'v' before version).
  • All new reporting system refactored from the ground up (#4608, #4737)!
  • Kyverno now builds with ko by default instead of docker and uses distroless as its base (#4492, #4366, #4219).
  • Removed the maxReportChangeRequests container flag since the reporting system has been revamped.
  • Context API call constraints have been lifted allowing for raw API support (#4389, #3820).
  • Several Helm chart changes with both kyverno and kyverno-policies. See individual change logs for those changes.
  • Tightened up permissions on events (#4292).
  • The Action column has been renamed to Validate Action (#4488).
  • (Cluster)PolicyReport CRDs have been updated (#4355).
  • [CLI] Help message in the apply command has been updated (#4344).
  • Bumps in Go, Cosign, go-wildcard and net (#4685, #4677, #4631, #4413, #4408, #4328, #4444).
  • Kyverno now uses aggregated cluster roles making adding custom permissions easier (#3845, #4378).
  • The Kyverno CA key is now included in its Secret (#3804).
  • Self-signed certificates no longer need to be annotated (#3850).
  • ⚠️BREAKING: Unresolved JMESPath expressions are fixed to properly evaluate as null instead of an empty string (''). Some policy updates to use existence checks may be necessary or otherwise may now deny validating or mutating requests.

πŸ›Fixed πŸ›

  • [CLI] Chained context variables are now processed correctly (#4290).
  • [CLI] Better message is returned upon invalid patched resources (#4129).
  • Policy readiness status is reset upon Pod termination (#4269).
  • Shutdown methods are added to prevent dropping of metrics and traces (#4214).
  • Validate rules are skipped if the conditional anchor doesn't match (#4451).
  • Fixed Cosign extension checks including some field transposition in messages (#4836).
  • Fixed subject and issuer validation for attestations (#4786).
  • Policies (namespaced) apply properly to their own Namespaces in mutate rules (#4671, #4653).
  • Fixed issue with using wildcards in GVK in match/exclude blocks and others impacting the check-deprecated-apis policy (#4670, #4349).
  • Fixed issues when clusters with many CRDs could slow down Kyverno (#4600, #4275).
  • Fixed a rounding issue causing some metrics' duration to not be precise (#4393).
  • Fixed issues with PEM key parsing in verifyImages rules (#4331).
  • Fixed an issue where a policy report entry was added for a blocked image in a verifyImages rule (#4297).
  • Fixed the merging of patches across verifyImages and mutate rules (#4202).
  • Fixed metric kyverno_policy_results_total with validationMode (#4198).

Complete List of PRs


#4840 Update PSa images description
#4814 Fix psa validation
#4768 chore: change charts registry url
#4735 Add PSa policy validations
#4713 feat: add match label selector support with multiple clone
#4710 Support PSa integration by controlName only
#4664 Added x509_decode JMESPath function
#4642 feat: introduce RCR interface
#4639 feat: add controller utils tools
#4638 feat: add feature flag to disable background scan
#4628 feat: add explicit key support to controller utils
#4608 feat: reports v2 implementation
#4588 chore: add messages in makefile kind targets
#4583 chore: add a codegen-quick makefile target
#4577 chore: add toggle package unit tests
#4573 chore: preserve pr title in cherry picks
#4563 chore: switch to github.com/IGLOU-EU/go-wildcard
#4558 allow PSa validation with no exceptions
#4527 add random filter
#4522 chore: add protectManagedResources flag to changelog
#4516 chore: add unit tests for pkg/utils/json
#4514 Support V2beta1 Version
#4511 chore: update my affiliation in maintainers
#4507 docs: add section for generating helm docs and crds
#4503 chore: test for k8s 1.25
#4501 docs: add section about switching between docker and ko
#4492 feat: support switching build with docker or ko
#4482 chore: add kocache
#4476 docs: add api docs generation
#4475 Add PodSecurity descriptions
#4470 chore: enable cherry-pick bot
#4467 feat: enable autogen client from makefile
#4416 [Feature] Add ability to get additional policies from restricted
#4414 feat: add kyverno managed resources protection
#4400 [Feature] Add possibility to set validationFailureAction by Policy
#4389 feat: remove context api call constraints
#4384 feat: allow cloning multiple resource from a namespace
#4381 feat: enable autogen internals by default
#4366 feat: use ko to build images
#4364 Extend Pod Security Admission
#4359 Add the metric "kyverno_client_queries_total"
#4323 support failurePolicy in kyverno-policies helm chart
#4312 Change resource names to plurals
#4308 Added kubeconfig flag support
#4299 [Helm] Added ability to remove namespaces from default resourceFilters list
#4292 Tightened scope on apiGroups for kyverno:events Clusterrole
#4290 Context vars substitution in CLI
#4283 [Helm Chart] additional init and sidecar container
#4277 feat: auto optimize GOMAXPROCS
#4269 Reset policy status on termination
#4260 Add Techcombank to adopters
#4251 feature: added new type of event, PolicySkipped
#4236 Limit queued events
#4235 Yaml signing and verification
#4227 Implementing flag to show all failing tests only through the test command
#4219 chore: use new distroless base image provided by distroless org
#4214 Add shutdown methods for exporters and controllers
#4207 Make method public
#4196 add applyRules to control whether one or all rules are applied
#3890 feat: graceful certificates rotation support
#3859 chore: remove ca-certificates from our repository
#3851 feat: fetch tls certificate dynamically
#3820 feat: add raw api call support
#4591 enhance jmespath random-filter
#4541 chore: add unit test for updating ur status
#4512 chore: add unit tests for pkg/utils/yaml
#4510 chore: add unit tests for pkg/utils/wildcard
#4509 chore: add unit tests for pkg/utils/os
#4508 chore: add unit tests for pkg/utils/image
#4506 chore: add wildcard unit test
#4488 Improve printer column name for validationFailureAction
#4486 chore: relax auto update PRs conditions
#4477 chore: add makefile help comments
#4468 chore: speed up local image builds
#4451 Skip validate rules if the conditional anchor does not match
#4458 docs: add section for deploying a local build
#4452 docs: add pushing images section
#4449 docs: add local image build section
#4445 docs: add section for local builds
#4443 docs: add section for dev tools
#4361 Update pr_documentation.md
#4355 Update wgpolicyk8s.io CRDs
#4344 update apply help message
#4341 Added appropriate logging levels to log.Info() calls wherever necessary
#4215 Corrected description for UpdateRequest struct
#4194 feat: improve flag message for disableMetricsExport
#4129 return helpful error message on invalid patched resources.
#4011 chore: remove unused ur errors
#3989 chore: enable nosprintfhostport linter
#3959 chore: enable goimports linter
#3958 chore: make kyverno informers and listers import aliases consistent
#3957 chore: make kube informers and listers import aliases consistent
#3956 chore: make clients import aliases consistent
#3952 feat: add controller utils package
#3951 chore: make dclient import aliases consistent
#3950 chore: make k8s api import aliases consistent
#3946 chore: enable paralleltest linter
#3945 chore: enable ifshort linter
#3941 chore: enable nolintlint linter
#3940 chore: enable grouper linter
#3939 chore: make kyverno api import aliases consistent
#3937 chore: enable makezero linter
#3932 chore: enable misspell linter
#3931 chore: enable gofmt and gofumpt linters
#3930 chore: enable gci linter
#3926 chore: enable errname linter
#3921 chore: enable dogsled linter
#3920 chore: enable decorder linter
#3902 chore: remove unused function
#3899 chore: enable goprintffuncname linter
#3898 chore: enable wastedassign linter
#3888 chore: enable noctx linter
#3882 chore: enable importas linter
#3874 chore: enable gochecknoinits linter
#3873 chore: enable containedctx linter
#3871 chore: enable asciicheck and bidichk linters
#3870 chore: enable durationcheck linter
#3869 chore: enable exportloopref linter
#3868 chore: enable tenv thelper and tparallel linters
#3867 chore: add unconvert linter
#3862 chore: enable more linters
#3855 chore: increase golangci-lint timeout
#4836 fix extension checks
#4822 fix: validationFailureAction default value
#4815 fix: controllers start in loop
#4804 Skip succeed rules when building the blocked return message
#4793 fix: logger panic
#4786 fix: subject and issuer validation when attestations are present
#4751 fix: watch error in resource controller
#4743 fix: reports not generated
#4738 fix: publish yaml manifests in release instead of repo
#4727 fix: output make messages to stderr
#4718 fix: change key used in test
#4703 fix: missing client wrapper
#4697 fix: jmespath random error handling
#4685 fix: bump net standard lib
#4684 fix: handle auth permission for cloneList validation
#4681 fix: shutdown controllers workers gracefully
#4671 fix: namespaced policy targets validation and scoping them to the policy namespace
#4670 Fix issue for wildcard versions
#4654 fix: missing elements in v2beta1 api
#4653 fix: namespaced policy not validated in engine
#4650 fix: split webhook handlers per failure policy
#4637 fix: incorrect namespace in report controller
#4636 fix: remove RCR from mutation webhook
#4629 fix: containerd dependency vulnerability
#4617 fix: background printer column
#4601 fix: lock in policy report mapper
#4600 Fix multiple crd slowness issue
#4582 fix: typo
#4576 fix: split policy report flag
#4540 fix: defer ur update until validation passes
#4515 fix: load policy and add tests
#4493 fix: incorrect kustomize call in makefile
#4491 fix: fetch history in pre-checks job
#4490 fix: api reference docs
#4483 fix: release workflow
#4478 fix: auto update pr workflow
#4474 Fix logger format
#4464 fix: warning in all makefile targets
#4462 fix: local image build with docker
#4444 fix: update go-wildcard to v1.0.5
#4438 chore: fix workflows related to ko recent changes
#4419 fix: make ldflags optional in .ko.yaml
#4417 fix: Add --bare for ko-build-dev targets
#4405 fix: chart docs for generatecontrollerExtraResources
#4393 fix: duration metrics precision
#4388 chore: fix golangcilint timeout
#4387 chore: fix goimports check not working in ci job
#4378 fix: missing aggregated role for UR
#4370 fix: exclude autogen rules when autogen internals is enabled
#4368 fix: prevent installing helm chart in namespace kube-system
#4362 fix: fix the verbosity of reconciling logs in the config controller
#4349 Fix deprecated api policy issue
#4348 fix: image verify logs
#4331 Fix PEM delimiter parse
#4315 Fix Kyverno Events Missing Error Message
#4297 Fix pr image verify blocked
#4275 Fix multiple crd slowness issue
#4263 fix: use an absolute path in docker entrypoint
#4202 Fix merging JSON patches
#4198 Fix metrics with invalid validationMode
#4171 fix: use official controller-gen
#4057 fix: add missing release notes in helm chart
#3995 fix: init container gr copy
#3948 fix: add helmignore
#3944 fix: use admissionrequest subresource to filter webhooks
#3943 fix: cache warmup log message
#3924 fix: return type changed to bool in jpfCompare fn
#3891 fix: write secret
#3860 fix: remove code to load CA from kubeconfig
#3846 fix: golangci-lint warnings in pkg
#3843 fix: golangci-lint warnings in cmd
#3804 fix: include ca key in secret
#4706 chore: refactor manifests related makefile targets
#4691 refactor: replace signal package by signal.NotifyContext
#4680 refactor: use pod name as leader id
#4646 refactor: update log based on the policy types
#4641 refactor: split policyreport api files
#4640 refactor: add a couple of constants in api
#4598 refactor: info in policyreport package
#4578 refactor: simplify RCR creator queue
#4570 refactor: move generation handler out of webhooks package
#4569 refactor: move image verification handler out of webhooks package
#4567 refactor: move mutation handler out of webhooks package
#4562 refactor: move validation audit out of webhooks package
#4556 refactor: move validation handler out of webhooks package
#4554 refactor: make webhook metrics helpers static
#4545 refactor: move webhook events utils in utils package
#4535 refactor: introduce ur updater
#4531 refactor: webhook block and unit tests
#4529 refactor: webhook propagate start time along handlers
#4528 refactor: webhook exclusion and unit tests
#4525 refactor: use generics in client wrappers
#4523 refactor: utils for warnings and unit tests
#4519 refactor: client wrappers
#4518 refactor: add auth interface and unit tests
#4498 chore: refactor helm targets in makefile
#4494 refactor: verify codegen targets in makefile
#4484 refactor: clean webhooks logs
#4480 refactor: webhook policy context creation
#4456 refactor: make toggles easier to define and use
#4454 refactor: clearly separate makefile docker targets for build and publish
#4450 refactor: clearly separate makefile ko targets for build and publish
#4441 refactor: docker related makefile targets
#4418 refactor: makefile build targets
#4403 refactor: tools install in makefile
#4090 refactor: finish refactoring generate e2e tests
#4041 refactor: to remove generate cleanup controller
#3975 refactor: make registry client variables private
#3974 refactor: ur cleaner controller
#3949 refactor: clean updaterequest generator
#3925 refactor: separate policy cache and controller
#3919 refactor: policy cache
#3908 refactor: separate resource mutation/validation handlers from server
#3905 refactor: separate policy mutation/validation handlers from server
#3904 refactor: webhooks server logger
#3886 refactor: remove deployment hash on certs secrets
#3854 refactor: cleanup tls package
#3853 refactor: init certs with certs renewer directly
#3850 refactor: remove the need for self-signed annotation on cert secret
#3823 refactor: make config vars private
#4692 chore: cleanup go.mod
#4677 chore: bump minimum go version
#4631 chore: bump cosign 1.12.0 to fix vulnerabilities
#4485 chore: bump cache action and improve paths
#4413 bump golang 1.18.5 version digest in Dockerfile
#4408 bump cosign deps version to 1.11.1
#4328 chore(deps): bump github.com/sigstore/cosign from 1.10.0 to 1.10.1
#4596 Update helm releases path
#4551 Update helm release config
#4479 chore: publish helm charts to ghcr.io