v3.8.0
❗DO NOT USE
This release has an issue that can cause unenforced violations when using config
resource without sync. Fixed in v3.8.1 with #2038.
This stable release includes bug fixes and new features.
Notable changes
- 16% speedup in constraint template compilation 🏃
- 1.5x-4x decrease in webhook CPU/memory usage 🎉
- 2x decrease in audit memory usage 🎊
- External Data now supports mutation 🥳
Features
- Prometheus metric for conflicting mutators (#1714) #1714 (Julian Katz)
- Implement tls checker for webhook (#1696) #1696 (Ethern Su)
- enable exempting additional labels in the webhooks (#1778) #1778 (Robin Opletal)
- helm: allow configuring the webhooks to be removed before gatekeeper itself is uninstalled (#1770) #1770 (Mitch Hulscher)
- Support suffix-based matching for resources (#1796) #1796 (Sunghoon Kang)
- Support setting custom rules in validating/mutatingwebhookconfigurations (#1806) #1806 (Mac Chaffee)
- Add gator test (formerly gator validate) (#1786) #1786 (Julian Katz)
- Reference gator verify in gator test --help (#1836) #1836 (Julian Katz)
- add health port to webhook service (#1839) #1839 (Max V)
- Add additional context to gator test --help (#1850) #1850 (Julian Katz)
- add reinvocationPolicy config to the MutatingWebhookConfiguration Chart Config (#1844) #1844 (Mitchell Maler)
- cache namespaces in targethandler (#1908) #1908 (davis-haba)
- external data mutation (#1891) #1891 (Ernest Wong)
Bug Fixes
- Set namespace field in request (#1757) #1757 (Will Beason (he/him))
- helm upgrade test (#1766) #1766 (Sertaç Özercan)
- Check resp before call resp.TraceDump to avoid panic (#1754) #1754 (Huang Huang)
- Update frameworks and fix test (#1802) #1802 (Will Beason)
- match helm mwh timeout default value (#1913) #1913 (Sertaç Özercan)
- fix race condition in mutator controller reconcile (#1942) #1942 (Huang Huang)
- chart: allow override securityContexts (#1938) #1938 (Loïc Stevens)
- define items.type for k8srequiredlabels (#1955) #1955 (Ernest Wong)
- re-add missing constraint race condition fix (#1951) #1951 (Max Smythe)
- update gatekeeper_mutators metrics when a mutator is deleted (#1950) #1950 (Ernest Wong)
- Update deployment to include mutation-status operation (#1966) #1966 (Rita Zhang)
Documentation
- Add workload resource documentation (#1749) #1749 (Jackson Reid)
- add wildcard matching for ns exclusion (#1771) #1771 (Sertaç Özercan)
- namespace exclusion differences (#1782) #1782 (Sertaç Özercan)
- gator test --> gator verify (#1800) #1800 (Julian Katz)
- Update link to point to new default branch (#1808) #1808 (Tim McFadden)
- Add additional Constraint fields to howto (#1805) #1805 (Rita Zhang)
- add documentations for various flags (#1824) #1824 (Ernest Wong)
- add instructions on how to use tilt for development (#1895) #1895 (Ernest Wong)
- add descriptions of the various Gatekeeper operations (#1937) #1937 (Max Smythe)
- add contributing guide (#1945) #1945 (Rita Zhang)
- remove developer doc from 3.6 (#1964) #1964 (Rita Zhang)
Code Refactoring
- Rename 'gktest' to 'gator' (#1751) #1751 (Will Beason (he/him))
- Remove client.Reset usage (#1762) #1762 (Will Beason (he/him))
- Change gator test to gator verify (#1799) #1799 (Julian Katz)
Performance Improvements
- improve --constraint-violations-limit scaling (#1971) (#1974) #1974 (Max Smythe)
- Add ToMatcher() to K8sValidationTarget (#1789) #1789 (Will Beason (he/him))
- Implement ToMatcher and Matcher.Match (#1791) (#1807) #1807 (Becky HD)
- Update frameworks to use compiler sharding (#1900) #1900 (Will Beason)
- Upgrade frameworks to speed up compilation (#1960) #1960 (Will Beason)
Tests
- Add test for gator test to CI (#1728) #1728 (Will Beason (he/him))
- Reduce gomega usage, fix test threading, and make GetGVK deterministic (#1790) #1790 (Will Beason (he/him))
- add tests for mutation annotations (#1846) #1846 (Ernest Wong)
- Fix BenchmarkValidationHandler was broken (#1896) #1896 (Huang Huang)
- Fix BenchmarkModifySetMutator_Mutate was broken (#1897) #1897 (Huang Huang)
Builds
- Upgrade frameworks to context change (#1743) #1743 (Will Beason (he/him))
- Update Gatekeeper with frameworks interface changes (#1845) #1845 (Will Beason)
- Update frameworks (#1857) #1857 (Will Beason)
- Upgrade golangci-lint (#1969) #1969 (Will Beason)
- Upgrade OPA to v0.39.0 (#1968) #1968 (Will Beason)
Continuous Integration
- update k8s and helm versions (#1739) #1739 (Sertaç Özercan)
- add vulnerability scan as part of GitHub Actions (#1817) #1817 (Ernest Wong)
- run benchmarks when running tests (#1898) #1898 (Huang Huang)
Chores
- remove package-lock.json (#1662) #1662 (Sertaç Özercan)
- semantic pr config (#1746) #1746 (Sertaç Özercan)
- Bump @docusaurus/core from 2.0.0-beta.9 to 2.0.0-beta.13 in /website (#1745) #1745 (dependabot[bot])
- Bump @docusaurus/preset-classic from 2.0.0-beta.9 to 2.0.0-beta.13 in /website (#1744) #1744 (dependabot[bot])
- update dependabot prefix with semantic commits (#1750) #1750 (Sertaç Özercan)
- bump @docusaurus/core in /website (#1777) #1777 (dependabot[bot])
- bump @docusaurus/preset-classic in /website (#1776) #1776 (dependabot[bot])
- bump actions/setup-node from 2.5.0 to 2.5.1 (#1780) #1780 (dependabot[bot])
- bump shelljs from 0.8.4 to 0.8.5 in /website (#1792) #1792 (dependabot[bot])
- bump follow-redirects from 1.14.5 to 1.14.7 in /website (#1793) #1793 (dependabot[bot])
- bump nanoid from 3.1.30 to 3.2.0 in /website (#1804) #1804 (dependabot[bot])
- bump @docusaurus/core from 2.0.0-beta.14 to 2.0.0-beta.15 in /website (#1821) #1821 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-beta.14 to 2.0.0-beta.15 in /website (#1820) #1820 (dependabot[bot])
- add gomod to dependabot.yml (#1816) #1816 (Ernest Wong)
- bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (#1831) #1831 (dependabot[bot])
- bump k8s.io/apiextensions-apiserver from 0.21.4 to 0.21.9 (#1829) #1829 (dependabot[bot])
- bump k8s.io/client-go from 0.21.4 to 0.21.9 (#1833) #1833 (dependabot[bot])
- bump stefanprodan/helm-gh-pages from 1.4.1 to 1.5.0 (#1847) #1847 (dependabot[bot])
- bump follow-redirects from 1.14.7 to 1.14.8 in /website (#1848) #1848 (dependabot[bot])
- bump github.com/prometheus/client_golang from 1.11.0 to 1.11.1 (#1861) #1861 (dependabot[bot])
- disable http.send by default (#1867) #1867 (Sertaç Özercan)
- bump actions/setup-node from 2.5.1 to 3 (#1872) #1872 (dependabot[bot])
- bump prismjs from 1.25.0 to 1.27.0 in /website (#1874) #1874 (dependabot[bot])
- bump k8s.io/apiextensions-apiserver from 0.23.3 to 0.23.4 (#1881) #1881 (dependabot[bot])
- bump github.com/go-logr/zapr from 1.2.0 to 1.2.3 (#1880) #1880 (dependabot[bot])
- bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 (#1879) #1879 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-beta.15 to 2.0.0-beta.16 in /website (#1876) #1876 (dependabot[bot])
- bump actions/checkout from 2 to 3 (#1888) #1888 (dependabot[bot])
- Remove unneeded spaces in helm chart (#1885) #1885 (Manuel Rüger)
- bump @docusaurus/core from 2.0.0-beta.16 to 2.0.0-beta.17 in /website (#1892) #1892 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-beta.16 to 2.0.0-beta.17 in /website (#1893) #1893 (dependabot[bot])
- update golang.org/x/crypto to resolve CVE-2021-43565 (#1911) #1911 (thomasmckay)
- bump @mdx-js/react from 1.6.22 to 2.1.0 in /website (#1914) #1914 (dependabot[bot])
- bump k8s.io/client-go from 0.23.4 to 0.23.5 (#1920) #1920 (dependabot[bot])
- bump contrib.go.opencensus.io/exporter/prometheus from 0.4.0 to 0.4.1 (#1919) #1919 (dependabot[bot])
- bump github.com/go-logr/logr from 1.2.2 to 1.2.3 (#1921) #1921 (dependabot[bot])
- bump node-forge from 1.2.1 to 1.3.0 in /website (#1930) #1930 (dependabot[bot])
- bump actions/cache from 2.1.7 to 3 (#1924) #1924 (dependabot[bot])
- bump minimist from 1.2.5 to 1.2.6 in /website (#1934) #1934 (dependabot[bot])
- bump @docusaurus/core from 2.0.0-beta.17 to 2.0.0-beta.18 in /website (#1946) #1946 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-beta.17 to 2.0.0-beta.18 in /website (#1947) #1947 (dependabot[bot])
- bump k8s.io/apiextensions-apiserver from 0.23.4 to 0.23.5 (#1948) #1948 (dependabot[bot])
- Prepare v3.8.0-rc.1 release (#1962) #1962 (Ernest Wong)
- Prepare v3.8.0-rc.2 release (#1990) #1990 (Ernest Wong)
- Prepare v3.8.0 release (#2014) #2014 (github-actions[bot])
Reverts
- Revert "chore: bump @mdx-js/react from 1.6.22 to 2.1.0 in /website" (#1915) #1915 (Sertaç Özercan)
Commits
- 5a2b027: Expose two Read methods in gktest (#1651) (Julian Katz) #1651
- 34c72e0: Improve labelSelector description in MatchSchema() (#1667) (Julian Katz) #1667
- de664c9: fix default dnsPolicy (#1676) (Sertaç Özercan) #1676
- 1540d5b: Start decoupling error handling from frameworks (#1673) (Will Beason) #1673
- 4c560af: update helm install doc (#1675) (Sertaç Özercan) #1675
- 70a7c57: Allow mutation to run as a standalone pod (#1669) (Max Smythe) #1669
- 37b66df: Bump actions/cache from 2.1.6 to 2.1.7 (#1679) (dependabot[bot]) #1679
- 9b6f013: Use IsUnrecognizedConstraintError (#1680) (Will Beason) #1680
- f93a538: docs for external data (#1677) (Sertaç Özercan) #1677
- f1ccb55: update docs for mutation (#1685) (Sertaç Özercan) #1685
- ad30ce0: update gatekeeper.yaml branch in install doc (#1689) (Sertaç Özercan) #1689
- c459043: website/externaldata: fix rego snippet (#1687) (Stephan Renatus) #1687
- 022607c: Remove duplicate import (#1694) (Filipe Regadas) #1694
- 967c8ac: Bump actions/setup-node from 2.4.1 to 2.5.0 (#1704) (dependabot[bot]) #1704
- 7ce2c88: Remove internal error handling coupling (#1682) (Will Beason) #1682
- f2d2e0d: go mod tidy & go mod vendor (#1707) (Will Beason) #1707
- 09bdc07: fail CI if go.mod changes are detected (#1708) (Sertaç Özercan) #1708
- b3d029f: Gator docs (#1681) (Will Beason) #1681
- d7de2a0: Set Forbidden as the response status reason (#1692) (Filipe Regadas) #1692
- 7322273: Fix broken sidebar (#1709) (Will Beason) #1709
- d07a8ea: Add copy of gator.md file to version-v3.7.x/ (#1710) (Will Beason) #1710
- a52757f: Update golangci-lint to v1.43.0 (#1683) (Will Beason) #1683
- 999c9bc: Update audit doc to add new flags and defaults (#1690) (Rita Zhang) #1690
- ae9e7dd: Update psp to allow emptyDir (#1711) (Rita Zhang) #1711
- 4e1a0f5: update apiKey for website search (#1721) (Sertaç Özercan) #1721
- 9ee0f00: Document ModifySet and assign.fromMetadata (#1718) (Max Smythe) #1718
- 18aed9e: Upgrade dependencies (#1719) (Will Beason (he/him)) #1719
- 2362f7a: Improve error messages for Assertions (#1726) (Will Beason (he/him)) #1726
- bdbbdfb: Make file traversal deterministic (#1723) (Will Beason (he/him)) #1723
- 737c8ae: Print skipped tests in verbose mode (#1724) (Will Beason (he/him)) #1724
- 840d56a: Add gator validate doc to docs/design (#1738) (Julian Katz) #1738
- f1f914c: Fix ModifySet documentation (#1731) (Bastian Hofmann) #1731
- 5903196: Flexibility to use Image SHA for gatekeeper and gatekeeper-crd images… #1674 (#1759) (priyamshet) #1759
- f102758: update cncf to graduated (#1772) (thomasmckay) #1772
- 60736af: Make sure namespace is defined on object when mutation (#1760) (Max Smythe) #1760
- 56aadff: Make gator test error when arguments are passed (#1840) (Julian Katz) #1840
- 7740642: update default min TLS to v1.3 (#1866) (Sertaç Özercan) #1866
- c189dca: fix uninstall version typo (#1890) (Avinash Desireddy) #1890
- 4b9432d: Integration test for referential data in gator test (#1899) (Julian Katz) #1899
- 67efa4a: Replace deprecated Ingress with new Ingress (#1906) (Zhimin Xiang) #1906
- a3d8a0d: do a audit run when we deploy (#1901) (Michael Grosser) #1901
- bf91d90: Make cmd/gator/test ReadFiles() a public function (#1912) (Julian Katz) #1912
- c21d114: Move examples and docs to apiVersion: templates.gatekeeper.sh/v1 (#1926) (Ajay Kemparaj) #1926
- 6c58cad: Revert "do a audit run when we deploy (#1901)" (#1932) (Max Smythe) #1932
- e5acd56: Fix race condition in start controllers (#1941) (Huang Huang) #1941
- 8404d5e: removed unused website deps (#1963) (Sertaç Özercan) #1963