| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: kyverno-bash-completion | Distribution: openSUSE Tumbleweed |
| Version: 1.17.1 | Vendor: openSUSE |
| Release: 1.2 | Build date: Thu Feb 19 13:05:04 2026 |
| Group: System/Shells | Build host: reproducible |
| Size: 52451 | Source RPM: kyverno-1.17.1-1.2.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://github.com/kyverno/kyverno | |
| Summary: Bash Completion for kyverno | |
Bash command line completion support for kyverno.
Apache-2.0
* Thu Feb 19 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.17.1:
* fix: eliminate memcache error spam and expose isFake in CLI
helper functions (#15187) (#15193)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to
5.16.5 (#15164) (#15278)
* chore(deps): bump the kubernetes group across 3 directories
with 7 updates (#15183) (#15284)
* fix: CVE-2025-68121 (#15203) (#15212)
* Mon Feb 02 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.17.0:
CLI-related changes
* fix(cli): color issue for --remove-color flag (#14270)
* extend CLI policy and exception load, adding test for v1
application (#14541)
* fix: implement the fake image metadata for the CLI (#14415)
* fix: cli test with context file from git (#14414)
* fix: use context in deletingpolicies in the CLI (#14382)
* feat: generate and copy crd to cli for namespaced validating
policy and namespaced deleting policy (#14316)
Dependencies
* chore(deps): bump github.com/aptible/supercronic from 0.2.41 to
0.2.42 (#15087) (#15088)
* chore(deps): bump actions/cache from 5.0.2 to 5.0.3 (#15030)
(#15036)
* chore(deps): bump github.com/onsi/gomega from 1.39.0 to 1.39.1
(#15031) (#15034)
* chore(deps): bump docker/login-action from 3.6.0 to 3.7.0
(#14990) (#14994)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2
(#14868) (#14885)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.23.0 to
0.23.1 (#14876) (#14879)
* chore(deps): bump github/codeql-action from 4.31.11 to 4.32.0
(#14875) (#14878)
* chore(deps): bump github/codeql-action from 4.31.10 to 4.31.11
(#14848) (#14851)
* chore(deps): bump the sigstore group across 1 directory with 4
updates (#14780) (#14783)
* chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#14779)
(#14782)
* chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to
1.10.4 (#14771) (#14773)
* chore(deps): bump github.com/in-toto/in-toto-golang (#14750)
(#14754)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2
(#14741) (#14759)
* chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0
(#14749) (#14753)
* chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0
(#14748) (#14751)
* chore(deps): bump github.com/kyverno/api (#14732)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.22.4 to
0.23.0 (#14722)
* chore(deps): bump sigs.k8s.io/release-utils from 0.12.2 to
0.12.3 (#14714)
* chore(deps): bump actions/cache from 5.0.1 to 5.0.2 (#14713)
* chore(deps): bump github.com/sirupsen/logrus (#14699)
* chore(deps): bump mikefarah/yq in /.github/actions/run-tests
(#14686)
* chore(deps): bump github/codeql-action from 4.31.9 to 4.31.10
(#14654)
* chore(deps): bump golang.org/x/crypto from 0.46.0 to 0.47.0
(#14656)
* chore(deps): bump actions/setup-go in
/.github/actions/setup-build-env (#14655)
* chore(deps): bump github.com/sigstore/cosign/v3 from 3.0.3 to
3.0.4 (#14639)
* chore(deps): bump github.com/onsi/gomega from 1.38.3 to 1.39.0
(#14626)
* feat: bump kube to 1.35 (#14608)
* chore(deps): bump cbrgm/cleanup-stale-branches-action (#14591)
* chore(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0
(#14562)
* chore(deps): bump github.com/sigstore/sigstore from 1.9.5 to
1.10.3 (#14516)
* chore(deps): bump actions/download-artifact from 6.0.0 to 7.0.0
(#14553)
* chore(deps): bump sigs.k8s.io/controller-tools in
/hack/controller-gen (#14546)
* chore(deps): bump github/codeql-action from 4.31.8 to 4.31.9
(#14532)
* chore(deps): bump the sigstore group across 1 directory with 4
updates (#14513)
* chore(deps): bump google.golang.org/protobuf from 1.36.10 to
1.36.11 (#14514)
* chore(deps): bump
zgosalvez/github-actions-ensure-sha-pinned-actions (#14507)
* chore(deps): bump github/codeql-action from 4.31.7 to 4.31.8
(#14508)
* chore(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0
(#14509)
* chore(deps): bump actions/download-artifact from 6.0.0 to 7.0.0
(#14510)
* chore(deps): bump actions/download-artifact (#14512)
* chore(deps): bump actions/upload-artifact (#14511)
* chore(deps): bump github.com/aptible/supercronic from 0.2.40 to
0.2.41 (#14515)
* chore(deps): bump the sigstore group across 1 directory with 4
updates (#14475)
* chore(deps): bump the kubernetes group across 3 directories
with 7 updates (#14474)
* chore(deps): bump codecov/codecov-action from 5.5.1 to 5.5.2
(#14473)
* chore(deps): bump the otel group across 1 directory with 10
updates (#14463)
* chore(deps): bump github.com/aptible/supercronic from 0.2.39 to
0.2.40 (#14467)
* chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0
(#14465)
* chore(deps): bump golang.org/x/sync from 0.18.0 to 0.19.0
(#14464)
* chore(deps): bump github.com/onsi/gomega from 1.38.2 to 1.38.3
(#14466)
* chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.2 to
5.7.0 (#14458)
* chore(deps): bump github/codeql-action from 4.31.6 to 4.31.7
(#14457)
* chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
(#14443)
* chore(deps): bump github.com/spf13/cobra in
/hack/controller-gen (#14444)
* chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#14432)
* chore(deps): bump golangci/golangci-lint-action from 9.1.0 to
9.2.0 (#14433)
* chore(deps): bump actions/checkout in
/.github/actions/run-tests (#14434)
* chore(deps): bump the sigstore group across 1 directory with 4
updates (#14376)
* chore(deps): bump fluxcd/flux2 from 2.7.4 to 2.7.5 (#14425)
* chore(deps): bump github/codeql-action from 4.31.5 to 4.31.6
(#14426)
* chore(deps): bump cbrgm/cleanup-stale-branches-action (#14427)
* chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0
(#14374)
* chore(deps): bump github.com/google/gnostic-models from 0.7.0
to 0.7.1 (#14406)
* chore(deps): bump actions/setup-go in
/.github/actions/setup-build-env (#14375)
* chore(deps): bump actions/setup-python from 6.0.0 to 6.1.0
(#14403)
* chore(deps): bump fluxcd/flux2 from 2.7.3 to 2.7.4 (#14404)
* chore(deps): bump github.com/google/go-containerregistry
(#14421)
* chore(deps): bump golangci/golangci-lint-action from 9.0.0 to
9.1.0 (#14420)
* chore(deps): bump actions/checkout from 5.0.1 to 6.0.0 (#14419)
* chore(deps): bump github/codeql-action from 4.31.3 to 4.31.5
(#14405)
* chore(deps): bump github.com/cyphar/filepath-securejoin
(#14407)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.16.3 to
5.16.4 (#14408)
* chore(deps): bump svenstaro/upload-release-action from 2.11.2
to 2.11.3 (#14379)
* chore(deps): bump github.com/sigstore/rekor from 1.3.10 to
1.4.3 (#14364)
* chore(deps): bump actions/checkout in
/.github/actions/run-tests (#14363)
* chore(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0
(#14365)
* chore(deps): bump actions/checkout from 4.2.2 to 5.0.1 (#14362)
* chore(deps): bump helm/chart-testing-action from 2.7.0 to 2.8.0
(#14309)
* chore(deps): bump golangci/golangci-lint-action from 8.0.0 to
9.0.0 (#14318)
* chore(deps): bump the kubernetes group across 3 directories
with 7 updates (#14343)
* chore(deps): bump the otel group across 1 directory with 10
updates (#14298)
* chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0
(#14344)
* chore(deps): bump github/codeql-action from 4.31.2 to 4.31.3
(#14342)
* chore(deps): bump golang.org/x/sync from 0.17.0 to 0.18.0
(#14322)
* chore(deps): bump
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
(#14324)
* chore(deps): bump sigs.k8s.io/kustomize/api from 0.20.1 to
0.21.0 (#14321)
* chore(deps): bump helm/kind-action from 1.12.0 to 1.13.0
(#14284)
* chore(deps): bump helm/kind-action in
/.github/actions/run-tests (#14285)
* chore(deps): bump github.com/aptible/supercronic from 0.2.36 to
0.2.39 (#14288)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.22.0 to
0.22.4 (#14287)
* chore(deps): bump github/codeql-action from 4.31.0 to 4.31.2
(#14266)
* chore(deps): bump cbrgm/cleanup-stale-branches-action (#14274)
* chore(deps): bump github.com/cyphar/filepath-securejoin
(#14275)
* chore(deps): bump github/codeql-action from 4.30.9 to 4.31.0
(#14228)
* chore(deps): bump actions/download-artifact (#14226)
* chore(deps): bump fluxcd/flux2 from 2.7.2 to 2.7.3 (#14240)
* chore(deps): bump actions/download-artifact from 4.3.0 to 6.0.0
(#14227)
* chore(deps): bump actions/upload-artifact (#14230)
* chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0
(#14229)
* Tue Jan 27 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.16.3:
No CLI-related changes
Full changelog:
https://github.com/kyverno/kyverno/compare/v1.16.2...v1.16.3
* Sun Jan 11 2026 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.16.2:
No CLI-related changes
Full changelog:
https://github.com/kyverno/kyverno/compare/v1.16.1...v1.16.2
* Thu Dec 04 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.16.1:
No CLI-related changes
Full changelog:
https://github.com/kyverno/kyverno/compare/v1.16.0...v1.16.1
* Mon Nov 10 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.16.0:
CLI-related changes
* Feature/add cli completion command (#13905)
* Fix/cli docs website urls (#13841)
* VAP/MAP params in the CLI (second attempt) (#13734)
Depencencies
* chore(deps): bump actions/checkout in
/.github/actions/run-tests (#13828)
* chore(deps): bump actions/github-script from 7.0.1 to 8.0.0
(#13957)
* chore(deps): bump actions/setup-go in
/.github/actions/setup-build-env (#13950)
* chore(deps): bump actions/setup-python from 5.6.0 to 6.0.0
(#13948)
* chore(deps): bump adRise/update-pr-branch from 0.10.1 to 0.10.2
(#14156)
* chore(deps): bump aquasecurity/trivy-action from 0.31.0 to
0.32.0 (#13527)
* chore(deps): bump aquasecurity/trivy-action from 0.32.0 to
0.33.0 (#13911)
* chore(deps): bump aquasecurity/trivy-action from 0.33.0 to
0.33.1 (#13951)
* chore(deps): bump azure/setup-helm from 4.3.0 to 4.3.1 (#13870)
* chore(deps): bump azure/setup-helm in
/.github/actions/run-tests (#13869)
* chore(deps): bump cbrgm/cleanup-stale-branches-action (#13742)
* chore(deps): bump cbrgm/cleanup-stale-branches-action (#13863)
* chore(deps): bump codecov/codecov-action from 5.4.3 to 5.5.0
(#13881)
* chore(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1
(#13956)
* chore(deps): bump docker/login-action from 3.4.0 to 3.5.0
(#13753)
* chore(deps): bump docker/login-action from 3.5.0 to 3.6.0
(#14091)
* chore(deps): bump fluxcd/flux2 from 2.6.3 to 2.6.4 (#13540)
* chore(deps): bump fluxcd/flux2 from 2.6.4 to 2.7.0 (#14100)
* chore(deps): bump fluxcd/flux2 from 2.7.0 to 2.7.1 (#14123)
* chore(deps): bump fluxcd/flux2 from 2.7.1 to 2.7.2 (#14137)
* chore(deps): bump github.com/aptible/supercronic from 0.2.34 to
0.2.36 (#14064)
* chore(deps): bump
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
(#13706)
* chore(deps): bump github.com/cyphar/filepath-securejoin
(#14077)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.16.2 to
5.16.3 (#14125)
* chore(deps): bump github.com/go-viper/mapstructure/v2 (#13882)
* chore(deps): bump github.com/google/cel-go from 0.23.2 to
0.26.0 (#13579)
* chore(deps): bump github.com/google/cel-go from 0.26.0 to
0.26.1 (#13914)
* chore(deps): bump github.com/onsi/gomega from 1.37.0 to 1.38.0
(#13659)
* chore(deps): bump github.com/onsi/gomega from 1.38.0 to 1.38.2
(#13900)
* chore(deps): bump github.com/prometheus/client_golang (#13727)
* chore(deps): bump github.com/prometheus/client_golang (#14021)
* chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1
(#13942)
* chore(deps): bump github.com/spf13/cobra in
/hack/controller-gen (#13944)
* chore(deps): bump github.com/stretchr/testify from 1.10.0 to
1.11.0 (#13892)
* chore(deps): bump github/codeql-action from 3.29.11 to 3.30.0
(#13938)
* chore(deps): bump github/codeql-action from 3.29.2 to 3.29.3
(#13648)
* chore(deps): bump github/codeql-action from 3.29.3 to 3.29.4
(#13667)
* chore(deps): bump github/codeql-action from 3.29.4 to 3.29.5
(#13713)
* chore(deps): bump github/codeql-action from 3.29.7 to 3.29.8
(#13814)
* chore(deps): bump github/codeql-action from 3.29.8 to 3.29.9
(#13832)
* chore(deps): bump github/codeql-action from 3.29.9 to 3.29.11
(#13884)
* chore(deps): bump github/codeql-action from 3.30.0 to 3.30.2
(#13979)
* chore(deps): bump github/codeql-action from 3.30.2 to 3.30.3
(#13984)
* chore(deps): bump github/codeql-action from 3.30.3 to 3.30.4
(#14074)
* chore(deps): bump github/codeql-action from 3.30.4 to 3.30.5
(#14083)
* chore(deps): bump github/codeql-action from 3.30.5 to 3.30.6
(#14118)
* chore(deps): bump github/codeql-action from 3.30.6 to 4.30.7
(#14133)
* chore(deps): bump github/codeql-action from 4.30.7 to 4.30.8
(#14157)
* chore(deps): bump github/codeql-action from 4.30.8 to 4.30.9
(#14196)
* chore(deps): bump go.opentelemetry.io/otel/exporters/prometheus
(#13649)
* chore(deps): bump golang.org/x/crypto from 0.39.0 to 0.40.0
(#13551)
* chore(deps): bump golang.org/x/crypto from 0.40.0 to 0.41.0
(#13787)
* chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0
(#14014)
* chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0
(#14141)
* chore(deps): bump golang.org/x/sync from 0.15.0 to 0.16.0
(#13542)
* chore(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.0
(#13597)
* chore(deps): bump google.golang.org/grpc from 1.74.0 to 1.74.2
(#13658)
* chore(deps): bump google.golang.org/grpc from 1.74.2 to 1.75.1
(#13986)
* chore(deps): bump google.golang.org/grpc from 1.75.1 to 1.76.0
(#14126)
* chore(deps): bump google.golang.org/protobuf from 1.36.6 to
1.36.7 (#13786)
* chore(deps): bump google.golang.org/protobuf from 1.36.7 to
1.36.8 (#13880)
* chore(deps): bump google.golang.org/protobuf from 1.36.8 to
1.36.9 (#14013)
* chore(deps): bump google.golang.org/protobuf from 1.36.9 to
1.36.10 (#14120)
* chore(deps): bump goreleaser/goreleaser-action from 6.3.0 to
6.4.0 (#13844)
* chore(deps): bump kyverno/action-install-chainsaw (#13917)
* chore(deps): bump kyverno/action-install-chainsaw from 0.2.12
to 0.2.13 (#13906)
* chore(deps): bump oras-project/setup-oras from 1.2.3 to 1.2.4
(#13970)
* chore(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3
(#14101)
* chore(deps): bump sigs.k8s.io/kustomize/api from 0.20.0 to
0.20.1 (#13669)
* chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.20.0 to
0.20.1 (#13668)
* chore(deps): bump sigs.k8s.io/release-utils from 0.11.1 to
0.12.0 (#13613)
* chore(deps): bump sigs.k8s.io/release-utils from 0.12.0 to
0.12.1 (#13815)
* chore(deps): bump sigs.k8s.io/release-utils from 0.12.1 to
0.12.2 (#14059)
* chore(deps): bump sigs.k8s.io/yaml from 1.5.0 to 1.6.0 (#13686)
* chore(deps): bump sigstore/cosign-installer (#13616)
* chore(deps): bump sigstore/cosign-installer (#14011)
* chore(deps): bump sigstore/cosign-installer (#14188)
* chore(deps): bump svenstaro/upload-release-action from 2.11.1
to 2.11.2 (#13532)
* chore(deps): bump the kubernetes group across 2 directories
with 2 updates (#14210)
* chore(deps): bump the kubernetes group across 3 directories
with 7 updates (#13596)
* chore(deps): bump the kubernetes group across 3 directories
with 7 updates (#13839)
* chore(deps): bump ubuntu from `353675e` to `fdb6c9c` in
/.devcontainer (#14110)
* chore(deps): bump ubuntu from `440dcf6` to `e356c06` in
/.devcontainer (#13590)
* chore(deps): bump ubuntu from `590e57a` to `353675e` in
/.devcontainer (#14026)
* chore(deps): bump ubuntu from `59a458b` to `66460d5` in
/.devcontainer (#14172)
* chore(deps): bump ubuntu from `728785b` to `59a458b` in
/.devcontainer (#14147)
* chore(deps): bump ubuntu from `7c06e91` to `9cbed75` in
/.devcontainer (#13955)
* chore(deps): bump ubuntu from `89ef6e4` to `440dcf6` in
/.devcontainer (#13516)
* chore(deps): bump ubuntu from `9cbed75` to `590e57a` in
/.devcontainer (#14019)
* chore(deps): bump ubuntu from `a08e551` to `7c06e91` in
/.devcontainer (#13833)
* chore(deps): bump ubuntu from `c4570d2` to `a08e551` in
/.devcontainer (#13638)
* chore(deps): bump ubuntu from `e356c06` to `c4570d2` in
/.devcontainer (#13595)
* fix(gpols): fetch sources from the cluster in case of
in-cluster mode in the CLI (#13603)
* fix: evaluate MAPs correctly in the CLI (#13557)
* fix: handle nil namespace pointer in CLI mode for
ValidatingPolicies with namespaceSelector (#13636)
* fix: pass userInfo to VAPs and MAPs in the CLI (#13920)
* fix: support beta version in CLI (#14205)
* Fri Sep 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.15.2:
* fix: pass userInfo to VAPs and MAPs in the CLI (#13920)
(#14024)
* Tue Aug 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.15.1:
No CLI-related changes
* Dependencies
- chore: update go.mod to 1.24.6 (latest) (#13822) (#13823)
* Fri Aug 01 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.15.0:
* CLI-related changes
- fix(gpols): fetch sources from the cluster in case of
in-cluster mode in the CLI (#13603) (#13604)
- fix: evaluate MAPs correctly in the CLI (#13557) (#13578)
- Complete CLI fix command documentation with website URLs
(#13300)
- feat: apply GPOLs in cluster mode in CLI (#13414)
- feat: remove CLI deprecated APIs (#13481)
- Support MutatingPolicy in Kyverno CLI apply command (#13425)
- Init MutatingPolicy support in the CLI test command (#13420)
- feat: support gpols in CLI test (#13412)
- feat: support gpols in CLI apply (#13365)
- Support dpol in kyverno apply CLI command (#13301)
- Support JSON Payload for dpols in kyverno cli test command
(#13286)
- feat: test deleting policy with the CLI test command
(#13284)
- feat: support Cli for map (#12667)
- fix(cli): ensure JMESPath expressions handle number types
correctly (#12037)
- chore: add mpol and gpol crds in the CLI (#13181)
- fix: apply IVPs in cluster mode in the CLI (#13101)
- test: add cli test with namespaceObject (#13083)
- fix: apply VPs in cluster mode in the CLI (#13084)
- chore: update CLI warning messages (#13060)
- refactor: use resource fetcher in the CLI (#13054)
- chore: remove unused function in CLI (#13053)
- fix: use the generic policy in the CLI (#13035)
- feature: support multiple output formats (json, yaml,
markdown, junit) for CLI test command (#12799)
- fix: convert gvk to gvr for VAPs in the CLI (#12937)
- feat: remove CLI legacy loader (#12919)
- fix: compute vpols autogen in CLI provider (#12871)
- chore: add local CLI tests for the new policy types in the
workflow (… (#12758)
- chore: add local CLI tests for the new policy types in the
workflow (#12755)
- feat: add --markdownLinks to cli docs command (#12734)
- fix: evaluate celexceptions with ivpol in CLI (#12728)
- chore: add --noDate to cli docs command (#12712)
- feat(cli): return an error if tests are required (#12395)
- fix: add result count for VPs in the CLI (#12711)
- feat: add cli test command support for ivpols (#12660)
- fix: use correct resource in cli processor (#12575)
- fix: CLI policies processing order (VPOL) (#12567)
- fix: CLI policies processing order (#12561)
- feat: support json for ivpol via CLI apply (#12511)
- fix: handle nil namespace pointer in CLI mode for
ValidatingPolicies with namespaceSelector (#13636) (#13646)
- fix(gpols): fetch sources from the cluster in case of
in-cluster mode in the CLI (#13603) (#13604)
- fix: evaluate MAPs correctly in the CLI (#13557) (#13578)
* Dependencies
- fix: Update Go version to fix CVE-2025-22871 vulnerability by
@samsonkolge in #12714
- chore(deps): bump actions/download-artifact (#12881)
- chore(deps): bump actions/download-artifact from 4.2.1 to
4.3.0 (#12879)
- chore(deps): bump actions/setup-go in
/.github/actions/setup-build-env (#12743)
- chore(deps): bump actions/setup-go in
/.github/actions/setup-build-env (#13077)
- chore(deps): bump actions/setup-python from 5.4.0 to 5.5.0
(#12529)
- chore(deps): bump actions/setup-python from 5.5.0 to 5.6.0
(#12869)
- chore(deps): bump adRise/update-pr-branch from 0.9.1 to
0.10.1 (#13294)
- chore(deps): bump aquasecurity/trivy-action from 0.30.0 to
0.31.0 (#13316)
- chore(deps): bump cbrgm/cleanup-stale-branches-action
(#12617)
- chore(deps): bump cbrgm/cleanup-stale-branches-action
(#12993)
- chore(deps): bump cbrgm/cleanup-stale-branches-action
(#13297)
- chore(deps): bump cbrgm/cleanup-stale-branches-action
(#13511)
- chore(deps): bump codecov/codecov-action from 5.4.0 to 5.4.2
(#12761)
- chore(deps): bump codecov/codecov-action from 5.4.2 to 5.4.3
(#13160)
- chore(deps): bump fluxcd/flux2 from 2.5.1 to 2.6.0 (#13282)
- chore(deps): bump fluxcd/flux2 from 2.6.0 to 2.6.1 (#13295)
- chore(deps): bump fluxcd/flux2 from 2.6.1 to 2.6.2 (#13388)
- chore(deps): bump fluxcd/flux2 from 2.6.2 to 2.6.3 (#13490)
- chore(deps): bump fossas/fossa-action from 1.6.0 to 1.7.0
(#13147)
- chore(deps): bump github.com/aptible/supercronic from 0.2.33
to 0.2.34 (#13438)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.14.0 to
5.15.0 (#12747)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.15.0 to
5.16.0 (#12788)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.16.0 to
5.16.1 (#13318)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.16.1 to
5.16.2 (#13342)
- chore(deps): bump github.com/go-logr/logr from 1.4.2 to 1.4.3
(#13271)
- chore(deps): bump github.com/go-viper/mapstructure/v2
(#13486)
- chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to
4.5.2 (#12496)
- chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to
5.2.2 (#12495)
- chore(deps): bump github.com/onsi/gomega from 1.36.2 to
1.36.3 (#12506)
- chore(deps): bump github.com/onsi/gomega from 1.36.3 to
1.37.0 (#12628)
- chore(deps): bump github.com/open-policy-agent/opa from 1.1.0
to 1.4.0 (#13019)
- chore(deps): bump github.com/prometheus/client_golang
(#12675)
- chore(deps): bump github.com/rs/zerolog from 1.33.0 to 1.34.0
(#12507)
- chore(deps): bump github.com/sergi/go-diff (#13328)
- chore(deps): bump github.com/sigstore/rekor from 1.3.9 to
1.3.10 (#12746)
- chore(deps): bump github.com/sigstore/sigstore from 1.9.1 to
1.9.3 (#12696)
- chore(deps): bump github.com/sigstore/sigstore from 1.9.3 to
1.9.4 (#12902)
- chore(deps): bump github.com/sigstore/sigstore from 1.9.4 to
1.9.5 (#13356)
- chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/aws (#12695)
- chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/aws (#12884)
- chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/azure (#12677)
- chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/azure (#12883)
- chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12698)
- chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12885)
- chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/hashivault
(#12676)
- chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/hashivault
(#12882)
- chore(deps): bump github/codeql-action from 3.28.12 to
3.28.13 (#12528)
- chore(deps): bump github/codeql-action from 3.28.13 to
3.28.15 (#12656)
- chore(deps): bump github/codeql-action from 3.28.15 to
3.28.16 (#12868)
- chore(deps): bump github/codeql-action from 3.28.16 to
3.28.17 (#13004)
- chore(deps): bump github/codeql-action from 3.28.17 to
3.28.18 (#13173)
- chore(deps): bump github/codeql-action from 3.28.18 to
3.28.19 (#13315)
- chore(deps): bump github/codeql-action from 3.28.19 to 3.29.0
(#13358)
- chore(deps): bump github/codeql-action from 3.29.0 to 3.29.1
(#13489)
- chore(deps): bump github/codeql-action from 3.29.1 to 3.29.2
(#13503)
- chore(deps): bump
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
(#13469)
- chore(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0
(#12659)
- chore(deps): bump golang.org/x/crypto from 0.37.0 to 0.38.0
(#13024)
- chore(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0
(#13331)
- chore(deps): bump golang.org/x/net in
/hack/api-group-resources (#12805)
- chore(deps): bump golang.org/x/net in /hack/controller-gen
(#12846)
- chore(deps): bump golang.org/x/text from 0.23.0 to 0.24.0
(#12645)
- chore(deps): bump google.golang.org/grpc from 1.71.0 to
1.72.0 (#12843)
- chore(deps): bump google.golang.org/grpc from 1.72.0 to
1.72.1 (#13146)
- chore(deps): bump google.golang.org/grpc from 1.72.1 to
1.72.2 (#13242)
- chore(deps): bump google.golang.org/grpc from 1.72.2 to
1.73.0 (#13330)
- chore(deps): bump goreleaser/goreleaser-action from 6.2.1 to
6.3.0 (#12597)
- chore(deps): bump jpmcb/prow-github-actions from 1.1.3 to
2.0.0 (#12674)
- chore(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2
(#13296)
- chore(deps): bump sigs.k8s.io/controller-runtime from 0.20.3
to 0.20.4 (#12526)
- chore(deps): bump sigs.k8s.io/controller-tools in
/hack/controller-gen (#13092)
- chore(deps): bump sigs.k8s.io/kustomize/api from 0.19.0 to
0.20.0 (#13493)
- chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.19.0 to
0.20.0 (#13491)
- chore(deps): bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0
(#13470)
- chore(deps): bump sigstore/cosign-installer (#12860)
- chore(deps): bump sigstore/cosign-installer (#13406)
- chore(deps): bump sigstore/cosign-installer (#13445)
- chore(deps): bump sigstore/cosign-installer from 3.8.1 to
3.8.2 (#12859)
- chore(deps): bump sigstore/cosign-installer from 3.8.2 to
3.9.0 (#13405)
- chore(deps): bump sigstore/scaffolding (#13404)
- chore(deps): bump sigstore/scaffolding (#13437)
- chore(deps): bump svenstaro/upload-release-action from 2.10.0
to 2.11.1 (#13501)
- chore(deps): bump svenstaro/upload-release-action from 2.9.0
to 2.10.0 (#13436)
- chore(deps): bump the kubernetes group across 3 directories
with 7 updates (#13426)
- chore(deps): bump the otel group across 1 directory with 10
updates (#13206)
- chore(deps): bump the otel group across 1 directory with 9
updates (#13454)
- chore(deps): bump the sigstore group across 1 directory with
4 updates (#13355)
- chore(deps): bump ubuntu from `1e622c5` to `6015f66` in
/.devcontainer (#13021)
- chore(deps): bump ubuntu from `4524361` to `1e622c5` in
/.devcontainer (#12694)
- chore(deps): bump ubuntu from `6015f66` to `b59d215` in
/.devcontainer (#13307)
- chore(deps): bump ubuntu from `7229784` to `4524361` in
/.devcontainer (#12673)
- chore(deps): bump ubuntu from `b59d215` to `89ef6e4` in
/.devcontainer (#13510)
- chore(deps): bump
zgosalvez/github-actions-ensure-sha-pinned-actions (#12598)
- chore(deps): bump
zgosalvez/github-actions-ensure-sha-pinned-actions (#13003)
- chore(deps): bump
zgosalvez/github-actions-ensure-sha-pinned-actions (#13172)
* Mon Jun 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.14.4:
no CLI-related changes or dependency updates
* Thu Jun 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.14.3:
no CLI-related changes or dependency updates
* Tue Jun 03 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.14.2:
CLI-related changes and dependency updates
* fix(cli): ensure JMESPath expressions handle number types
correctly (#12037) (#13214)
* fix: apply IVPs in cluster mode in the CLI (#13101) (#13116)
* fix: apply VPs in cluster mode in the CLI (#13084) (#13098)
* test: add cli test with namespaceObject (#13083) (#13096)
* refactor: use resource fetcher in the CLI (#13080)
* chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to
5.2.2 (#12495) (#13071)
* chore: remove unused function in CLI (cherry-pick #13053)
(#13078)
* chore: update CLI warning messages (#13060) (#13066)
* fix: use the generic policy in the CLI (#13059)
* Wed Apr 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.14.1:
* Added
- Added a new adopter ONZACK AG (#12983)
- Added support for auditAnnotations in ImageValidatingPolicy
(#12946)
* Fixed
- Fixed object matching in cel/matching package (#12899,
[#12920], #12929)
- Fixed a panic issue for the reports controller to check if
apiGroup and apiVersion are defined (#12924)
- Fixed to avoid applying CEL PolicyException when the flag is
disabled (#12931)
- Fixed a panic issue when ValidatingPolicy does not have
matchConstraints defined (#12957, #12968)
- [CLI]Fixed the issue which maps gvk to gvr for custom
resources (#12979)
- [CLI]Fixed gvk/gvr conversion for ValidatingAdmissionPolicy
(#12937)
* Others
- Tests enhancements (#12873, #12875, #12877, #12886, #12904,
[#12942], #12964)
- Code refactoring (#12950, #12951, #12952, #12955, #12975,
[#12934], #12961, #12971)
* Fri Apr 25 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.14.0:
* release-1.14.0 (#12867)
* fix: compute vpols autogen in CLI provider (#12871) (#12874)
* refactor: improve new policy types api and test coverage
(#12864) (#12872)
* fix: remove cached autogen pols (#12852) (#12865)
* fix: regex to parse kinds correctly (#11763) (#12863)
* refactor: ivpols engine (#12855) (#12862)
* fix: missing docs for new policy types (#12856) (#12858)
* refactor: cel policies autogen (#12832) (#12854)
* feat: add cel expression support to attestors (#12835) (#12853)
* chore(deps): bump golang.org/x/net in /hack/controller-gen
(#12846) (#12851)
* chore: rename cel helper payload() to extractPayload() (#12844)
(#12848)
* rename fields (#12817) (#12845)
* refactor: converge vpol and ivpol status structs (#12823)
(#12831)
* chore: rename imagedata.Get to image.GetMetadata (#12826)
(#12830)
* feat: relax variable validation checks for generate clone type
(#12792) (#12829)
* rename globalcontext.Get to globalContext.Get (#12825) (#12828)
* refactor: autogen cel package (#12811) (#12827)
* Fix global context chainsaw test (#12801) (#12824)
* add and use template for imageverification policies (#12803)
(#12821)
* chore: rename image verify to image validating (#12812)
(#12822)
* fix(cleanup): respect resourceFilters from kyverno config
(#12808) (#12814)
* fix: restrict validationActions in IVPOLs (#12810) (#12813)
* use template instead of random sleep intervals (#12804)
(#12809)
* chore: add local CLI tests for the new policy types in the
workflow (… (#12758) (#12807)
* fix: skip VAP generation in case autogen is enabled (#12770)
(#12802)
* feat: Relax immutability requirements on match statements for
generate rules (#12784) (#12800)
* refactor: cel autogen package (#12789) (#12798)
* fix: restrict failurePolicy to either Fail or Ignore (#12793)
(#12796)
* fix: add default value for actions in VPOLs (#12686) (#12794)
* resource.Post API (#12732) (#12791)
* version update kubectl (#12607) (#12790)
* feat: improve ivpol autogen API (#12781) (#12783)
* chore: add chainsaw tests for exceptions in the reports
(#12751) (#12769)
* fix: CanAutoGen logic (#12779) (#12780)
* chore: add local CLI tests for the new policy types in the
workflow (#12755) (#12773)
* chore: bump controller gen (#12765) (#12778)
* chore: fix ivpol chainsaw tests for reports (#12653) (#12777)
* Apply PolicyException on Background Scanning for ivpol and vpol
(#12750) (#12772)
* fix: skip webhook registration if vap is generated from
validate.cel subrule (#12767) (#12771)
* refactor: cel libs names, return types and cleanup TODOs
(#12757) (#12774)
* Add HorizontalPodAutoscaler to admission-controller (#10586)
(#12768)
* feat(helm): Add `dnsconfig` value to deployments (#12608)
(#12737)
* fix: allow policy creation if GVK is not found (#12722)
(#12763)
* chore(deps): bump actions/setup-go in
/.github/actions/setup-build-env (#12743) (#12760)
* Fix Namespace Selector Error Propagation and Scope Policy for
Accurate Rule Evaluation (#12744) (#12756)
* feat: add --markdownLinks to cli docs command (#12734) (#12754)
* [fix] The source property is populated for VP, VAP and
ImageValidatingPolicy (#12727) (#12753)
* fix: job returns success if configmap is not found (#12621)
(#12736)
* fix: evaluate celexceptions with ivpol in CLI (#12728) (#12735)
* fix VPOL and IVPOL for Kyverno test command (#12730) (#12733)
* chainsaw test for http (#12721) (#12731)
* fix-fail-only-flag (#12600) (#12725)
* chore: add --noDate to cli docs command (#12712) (#12724)
* feat(cli): return an error if tests are required (#12395)
(#12723)
* fix: add result count for VPs in the CLI (#12711) (#12718)
* fix: Update Go version to fix CVE-2025-22871 vulnerability
(#12714) (#12719)
* align naming of ImageValidatingPolicy related code (#12703)
(#12716)
* fix: forbid json and k8s resources at the same time in the CLI
(#12699) (#12700)
* chore: add chainsaw test for policies with the same name
(#12652) (#12682)
* feat: add cli test command support for ivpols (#12660) (#12679)
* fix: add missing nil check in pss validation (#12636) (#12671)
* chore: add policy-ready step template for validating-policies
(#12546) (#12669)
* chore: add ivpol report labels (#12650) (#12654)
* chore: disable global context test (#12648) (#12649)
* fix: enable imagedata for ivpol (#12568) (#12613)
* fix: rename autogen configuration (#12605) (#12612)
* release 1.14.0-rc.1 (#12610)
* fix: pod controllers autogen api (#12603) (#12604)
* Add Webhook validation for IVPOL (#12577) (#12588)
* feat: improve vpol api for autogen (#12582) (#12585)
* chore: add tests for background reporting (#12579) (#12581)
* fix: use correct resource in cli processor (#12575) (#12578)
* chore: add Chainsaw test for ivpol admission reporting (#12576)
(#12580)
* fix: CLI policies processing order (VPOL) (#12567) (#12571)
* fix: enable k8s resource lookup for ivpol (#12569) (#12570)
* fix: CLI policies processing order (#12561) (#12565)
* Chainsaw tests: globalcontextentry (#12533) (#12564)
* feat: bump kube libs to 1.32 (cherry-pick #12555) (#12559)
* chore: chainsaw tests for ivpol autogen (#12548) (#12560)
* chore: update tooling deps (#12553) (#12554)
* chore: update supported k8s versions (#12310) (#12551)
* chore: cherry-pick #12515 (#12550)
* chore: remove unused field in vap processor (#12545) (#12547)
* Minor fixes in feature flags reademe file (#12503) (#12541)
* chore: use kube 1.32 by default in makefile (#12334) (#12540)
* chore: vpol block ephemeral containers (#12536) (#12537)
* chainsaw-test imagedata arch (#12500) (#12535)
* feat: support json for ivpol via CLI apply (#12511) (#12534)
* add chainsaw test for parse-sa (#12502) (#12532)
* handle runtime error (#12487) (#12531)
* refactor: vpol generation api (#12482) (#12519)
* fix: image verify exception flake (#12516) (#12518)
* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to
4.5.2 (#12496) (#12509)
* feat: release 1.14.0-alpha.1 (#12498)
* feat: rename image verification policy to image validating
policy (#12439)
* feat: support ivpol via CLI apply (#12492)
* feat: basic exception support in ivpols (#12478)
* chore(deps): bump the otel group across 1 directory with 10
updates (#12490)
* chore(deps): bump fossas/fossa-action from 1.5.0 to 1.6.0
(#12489)
* chore(deps): bump actions/download-artifact (#12464)
* fix: vpol validating webhook configuration (#12481)
* chore(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2
(#12460)
* chore(deps): bump actions/download-artifact from 4.2.0 to 4.2.1
(#12459)
* chore(deps): bump actions/cache in
/.github/actions/setup-caches (#12470)
* feat: support json in CLI test (#12454)
* Add ValidatingPolicy Validation Webhook (#12479)
* chore: skip webhook registration if vap is generated (#12474)
* feat: adopt psa to v1.32.3 (#12457)
* chore: add some cel lib unit tests (#12458)
* chore(deps): bump actions/upload-artifact (#12463)
* chore(deps): bump github/codeql-action from 3.28.11 to 3.28.12
(#12462)
* chore: add api-group-resources to dependabot config (#12451)
* chore: enable ivpol chainsaw tests in CI (#12452)
* chore: add some cel unit tests (#12453)
* chore: bump a couple of deps (#12450)
* chore(deps): bump actions/setup-go in
/.github/actions/setup-build-env (#12445)
* feat: add imagedata cel lib (#12442)
* chore: move imageverify cel lib (#12449)
* chore(deps): bump actions/download-artifact (#12444)
* chore(deps): bump actions/download-artifact from 4.1.9 to 4.2.0
(#12443)
* chore: bump kube deps to 1.32.3 (#12437)
* fix: engine response for ivpol background scanning (#12436)
* chore(deps): bump golangci/golangci-lint-action from 6.5.1 to
6.5.2 (#12430)
* fix: set correct policy for ivpols (#12434)
* fix: check if response includes a policy for ivpol (#12433)
* Implement Reporting and Background scan for
ImageVerificationPolicy (#12432)
* fix: autogen status for ivpol (#12431)
* feat: simplify resource cel lib (#12427)
* feat: simplify resource cel lib (#12426)
* feat: add globalcontext CEL lib (#12425)
* chainsaw test to check messageExpression interpolation (#12415)
* feat: enable mutating webhook for ivpol (#12423)
* chore: make function comment match function name (#12417)
* chore(deps): bump docker/login-action from 3.3.0 to 3.4.0
(#12422)
* feat: reconcile `ivpol.status` (#12392)
* feat: add cel user lib (#12414)
* Update ADOPTERS.md (#12411)
* feat: add user info in cel engine (#12410)
* feat: webhook integration image verification policies (#12403)
* feat: support vps in cli test command (#12384)
* chore(deps): bump aquasecurity/trivy-action from 0.29.0 to
0.30.0 (#12406)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/azure (#12401)
* solves the cronjob autogen nested path issue (#12383)
* chore(deps): bump golangci/golangci-lint-action from 6.5.0 to
6.5.1 (#12402)
* fix: image parse func and add chainsaw tests (#12396)
* Fix: data access in audit annotations (#12394)
* fix: add missing context type and http type in ivpols (#12393)
* feat: register webhook for ivpol (#12391)
* Fix: data access in message expressions (#12390)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/hashivault
(#12388)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/aws (#12389)
* feat: mock list resources in context (#12380)
* Minor fixes in Contributing and Development docs (#12377)
* fix: providing the http provider in the compiler (#12379)
* feat: make image ref parsing a static function (#12374)
* chore: improve error handling (#12376)
* chore(deps): bump fluxcd/flux2 from 2.4.0 to 2.5.1 (#12359)
* chore(deps): bump github.com/sigstore/sigstore from 1.9.0 to
1.9.1 (#12370)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12371)
* feat: webhook handlers for image verification (#12318)
* chore(deps): bump goreleaser/goreleaser-action from 6.1.0 to
6.2.1 (#12347)
* chore(deps): bump actions/setup-python from 5.3.0 to 5.4.0
(#12362)
* chore(deps): bump actions/cache in
/.github/actions/setup-caches (#12364)
* fix: use pointer in context config map getter (#12365)
* chore(deps): bump actions/setup-go in
/.github/actions/setup-build-env (#12363)
* feat: support mock in CLI for VPs (#12344)
* chore(deps): bump sonarsource/sonarcloud-github-action (#12358)
* chore(deps): bump actions/download-artifact from 4.1.8 to 4.1.9
(#12360)
* chore(deps): bump actions/download-artifact (#12361)
* chore(deps): bump gomodules.xyz/jsonpatch/v2 from 2.4.0 to
2.5.0 (#12354)
* fix: Update copyrights to 2025 (#12356)
* chore(deps): bump slsa-framework/slsa-github-generator (#12349)
* chore(deps): bump azure/setup-helm in
/.github/actions/run-tests (#12351)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.20.2 to
0.20.3 (#12355)
* chore(deps): bump actions/upload-artifact from 4.5.0 to 4.6.1
(#12348)
* chore(deps): bump actions/upload-artifact (#12350)
* chore(deps): bump azure/setup-helm from 4.2.0 to 4.3.0 (#12346)
* chore(deps): bump github.com/sigstore/sigstore from 1.8.15 to
1.9.0 (#12331)
* fix: nits in cel context lib (#12333)
* Add CEL context.Lib to the imageverification compiler (#12337)
* chore(deps): bump sigstore/cosign-installer (#12343)
* chore(deps): bump cbrgm/cleanup-stale-branches-action (#12342)
* chore(deps): bump github/codeql-action from 3.27.9 to 3.28.11
(#12341)
* chore(deps): bump sigstore/cosign-installer from 3.7.0 to 3.8.1
(#12340)
* chore(deps): bump
zgosalvez/github-actions-ensure-sha-pinned-actions (#12339)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/hashivault
(#12332)
* chore(deps): bump golangci/golangci-lint-action from 6.1.1 to
6.5.0 (#12322)
* chore: add dryrun as label (#11962)
* Add CEL HTTP Lib to the imageverification compiler (#12335)
* chore(deps): bump codecov/codecov-action from 5.1.1 to 5.4.0
(#12321)
* chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1
(#12327)
* chore: remove unused code (#12325)
* chore(deps): bump fossas/fossa-action from 1.4.0 to 1.5.0
(#12328)
* chore(deps): bump golang.org/x/crypto from 0.35.0 to 0.36.0
(#12330)
* feat: skip applying a VP which is converted to VAP (#12312)
* feat: add parse image reference function (#12317)
* feat: support rest mapper in cli with cluster enabled (#12319)
* chore(deps): bump helm/kind-action in
/.github/actions/run-tests (#12324)
* chore(deps): bump helm/chart-testing-action from 2.6.1 to 2.7.0
(#12323)
* chore(deps): bump helm/kind-action from 1.11.0 to 1.12.0
(#12320)
* chore: ignore kyverno.tar file (#12314)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12307)
* chore: add policy api unit tests (#12315)
* Cel HTTP Lib (#12241)
* Skip reporting for vpol when vap generation is enabled (#12311)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/azure (#12306)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/aws (#12305)
* feat(vp): implement gctx in context library (#12055)
* feat: support json payload via CLI apply command (#12296)
* feat: support GVK to GVR mapping in the CLI (#12301)
* feat: add api-group-resources codegen (#12303)
* fix: use object key in json image verification (#12298)
* docs: add popular use cases section to README (#12297)
* chore: remove dead code (#12302)
* feat: support CELPolicyException in the report-controller
(#12287)
* chore(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0
(#12295)
* chore(deps): bump github.com/prometheus/client_golang (#12294)
* feat: autogenerate image verification policies for pod
controllers (#12290)
* feat: add cel evaluator for json payload (#12288)
* chore: add policy API unit tests (#12289)
* chore(deps): bump github.com/opencontainers/image-spec (#12285)
* fix: autogen refactor (#12286)
* chore: add unit tests (#12281)
* feat: image verify performance fix and tests (#12282)
* feat: add evaluation config to image verification policies
(#12279)
* Update post-delete-configmap.yaml (#12240)
* fix(gctx): add event handler before informer start (#12263)
* chore: add VP/CEL unit tests (#12271)
* Indicate in report result the origin, admission, or background
(#12056)
* chore: remove mutatingpolicies (#12261)
* feat: add new field to control VAP generation per policy
(#12242)
* fix chainsaw test (#12272)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.13.2 to
5.14.0 (#12269)
* feat(test): image verification on any payload (#12266)
* changes if condition to check for RegExp field (#12237)
* feat: context function to request resources from api server
(#12181)
* feat: generate VAPs given celexceptions (#12255)
* chore: add VP/CEL unit tests (#12264)
* feat: add evaluation mode to api (#12262)
* chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to
3.0.4 (#12257)
* fix(gctx): remove unnecessary json Marshal/Unmarshal operations
to reduce memory usage (#12201)
* fix(gctx): fix gctx projection cache (#12226)
* feat: add evaluator for image verification policies (#12251)
* feat: improve validating policy api (#12243)
* feat: create patchers and apply mutations (#12253)
* chore: bump kube deps to 1.32.2 (#12252)
* feat: add cel library for image verification (#12233)
* chore: add VP api unit tests (#12248)
* Add aggegration toggle for clusterRoles (#12234)
* feat: introduce generic exception interface (#12244)
* feat: stop reusing
admissionregistrationv1.ValidatingAdmissionPolicySpec (#12246)
* chore: add codecov config and exclude api generated files
(#12245)
* feat: generate VAPs from VPs (#12222)
* chore(deps): bump golang.org/x/crypto from 0.34.0 to 0.35.0
(#12239)
* Adds kyverno_info metric (#12128)
* chore: add cel unit tests (#12232)
* chore: add CEL unit tests (#12230)
* chore(deps): bump golang.org/x/crypto from 0.33.0 to 0.34.0
(#12228)
* chore(refactor): refactor image verification packages (#12220)
* feat: add mpol.spec.admission and mpol.spec.background (#12218)
* chore(deps): bump github.com/notaryproject/notation-go (#12214)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12210)
* fix: add unit tests for cosign keyed image verification
(#12217)
* chore(deps): bump github.com/prometheus/client_golang (#12215)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/hashivault
(#12216)
* feat: cosign verifier for new image verifier crd (#12196)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/aws (#12209)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/azure (#12208)
* chore(deps): bump github.com/sigstore/sigstore from 1.8.14 to
1.8.15 (#12211)
* Update _pdb.tpl (#11970)
* chore: add resource manifests in autogen tests (#12205)
* Validating policy audit annotations (#12115)
* fix: modify celexception flake test (#12192)
* feat: support celexceptions in the CLI `apply` command (#12182)
* chore: bump cobra dependency (#12199)
* fix: add result count for VPs in the CLI (#12193)
* chore: format conformance.yaml workflow file (#12194)
* fix: publish codecov reports (#12197)
* feat(gctx): add jmespath caching through projections (#11833)
* fix: codegen (#12195)
* feat: add notary verifier with tsa support (#12160)
* chore(deps): bump
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
(#12178)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/azure (#12179)
* use serviceAccountName instead of deprecated serviceAccount
(#12158)
* chore: cel policies nits (#12184)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.20.1 to
0.20.2 (#12180)
* README: fix markdown syntax (#12176)
* feat: add MutatingPolicies CRD (#12150)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12170)
* chore: remove applyconfiguration (#12174)
* feat: add image data context (#12175)
* feat: compile and evaluate autogen rules (#12163)
* refactor: status manager (#12173)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/aws (#12167)
* add get to rbac.authorization.k8s.io (#12043)
* fix: modify the client URL for finegrained validatingpolicies
(#12171)
* fix CEL autogen (#12165)
* chore(deps): bump github.com/sigstore/sigstore from 1.8.12 to
1.8.14 (#12168)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/hashivault
(#12169)
* update the docs for logging (#12140)
* feat: configure admission and background flag for
ValidatingPolicies (#12153)
* structuring log (#12111)
* fix: Certificate Renewer Does Not Remove Old CA Certificate
From Secret (#12073)
* feat: add types for image verification attestors (#12080)
* fix: sort autogen resources list (#12162)
* chore: remove vp and celpolex from the kyverno group (#12156)
* feat: aggregate vpol.status.conditions (#12133)
* Add helm changelog for reports-server related fix (#12144)
* fix: update match conditions for autogen rules (#12146)
* chore: move celexceptions to the new group (#12143)
* update issue templates (#12145)
* Don't fail disabling reports CRDs when sanitychecks is disabled
(for use with reports-server) (#12129)
* feat: add cel-autogen chainsaw tests (#12135)
* feat: add image data fetching support (#12134)
* chore(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0
(#12131)
* feat: add status.autogen (#12109)
* feat: use dedicated group for new policies (#12123)
* feat: compile and evaluate polex's match conditions (#12113)
* log action and message when creating event (#12092)
* feat: add autogen pod controllers to webhooks (#12112)
* feat: implement background scan (#12101)
* feat: use namespace in bg scan instead of just labels (#12102)
* chore: remove polex match constraints (#12103)
* feat: validate CELPolicyExceptions (#12083)
* feat: add vpol status (#11956)
* chore: make validating policies e2e tests required (#12100)
* feat: add validating policies to reports aggregation (#12096)
* chore(deps): bump golang.org/x/text from 0.21.0 to 0.22.0
(#12094)
* feat: add reporting to validating admission handler (#12090)
* chore: add celpolicyexceptions in helm chart (#12084)
* feat: consider Warn validation action (#12081)
* fix(flag): lookup kubeconfig only after parsing (#12082)
* refactor: webhook server/handlers (#12079)
* chore: remove polex compiler (#12078)
* tests: add chainsaw test for image data loading (#12077)
* chore(deps): bump ubuntu from `80dd3c3` to `7229784` in
/.devcontainer (#12074)
* chore(deps): bump sigs.k8s.io/release-utils from 0.10.0 to
0.11.0 (#12076)
* chore(deps): bump github.com/fluxcd/pkg/oci from 0.43.1 to
0.45.0 (#12059)
* feat: consider validation actions (#12072)
* feat: implement match conditions failure policy (#12071)
* chore(deps): bump sigs.k8s.io/release-utils from 0.9.0 to
0.10.0 (#12060)
* feat: add context provider in admission handling (#12070)
* feat: compile CEL exceptions (#12066)
* feat: add message expression support to validating policies
(#12063)
* feat: create image data loader (#12036)
* chore: add validating policies chainsaw tests (#12062)
* feat: add admission request cel variable (#12054)
* feat: add validation message in cel engine response (#12052)
* fix: remove 1.27 and 1.28 from tests (#12061)
* feat: use v1 of ValidatingAdmissionPolicies (#12050)
* fix: match the old object against the object selector for VAPs
in the CLI (#12051)
* feat: add CEL PolicyException CRD (#12038)
* feat: process cel engine response in webhook handler (#12047)
* feat: support adminssion review in cel engine (#12046)
* feat: use more admission attributes (#12044)
* fix: cel lib get config map return type (#12042)
* feat: use admission attributes (#12041)
* fix: error handling and reduce log clutter (#11979)
* replace ghcr.io to reg.kyverno.io (#12031)
* feat(validating policies): add support for ns and object
selectors (#12034)
* chore(deps): bump github.com/cyphar/filepath-securejoin
(#12027)
* feat: execute handler (#12033)
* fix: don't sort cel policies (#12028)
* fix: bad usage of wait group (#12029)
* chore(deps): bump github.com/evanphx/json-patch/v5 from 5.9.10
to 5.9.11 (#12025)
* feat: watch validating policies (#12008)
* feat: add rest config support in setup code (#12019)
* feat: add validation action to VPs (#12017)
* fix: test typo (#12016)
* feat: add validating policy webhook handler (#12015)
* chore(deps): bump github.com/evanphx/json-patch/v5 from 5.9.0
to 5.9.10 (#12014)
* chore(deps): bump github.com/sigstore/rekor from 1.3.7 to 1.3.9
(#12013)
* refactor: use k8s wait group (#12010)
* fix: make flags compatible with controller-runtime (#12009)
* chore(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0
(#11991)
* feat: register cel context lib (#12007)
* feat: add autogen package for ValidatingPolicies (#11996)
* test: add more cli vp tests (#12006)
* feat: implement cel engine context provider (#11995)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.20.0 to
0.20.1 (#11992)
* chore: remove unused functions in autogen (#11993)
* feat: add support for more context elements (#11986)
* Fix default value for apiCall context (#11733)
* fix: implement cel context lib correctly (#11983)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.13.1 to
5.13.2 (#11981)
* refactor: reduce generic policy interface (#11977)
* refactor: reduce generic policy interface (#11974)
* feat: introduce evaluation results in cel engine (#11971)
* Add OVHcloud in ADOPTERS.md (#11966)
* feat: add validating policy engine api wrapper (#11963)
* fix: cli schema generation (#11959)
* feat: add namespace support in CLI values (#11958)
* chore: bump k8s 0.32.1 (#11954)
* feat: use policy provider (#11947)
* feat: add generic policy interface (#11922)
* chore(deps): bump the otel group across 1 directory with 10
updates (#11952)
* log non fatal parsing errors (#11932)
* feat: add MAP's mutation logic for the CLI (#11946)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.19.4 to
0.20.0 (#11944)
* chore(deps): bump github.com/google/go-containerregistry
(#11941)
* chore(deps): bump github.com/notaryproject/notation-go (#11940)
* feat(cli,apply): load validating policies (#11933)
* feat: register webhook configurations for validatingpolicies
(#11892)
* fix the result column for Kyverno test (#11842)
* fix:[Bug] [CLI] CEL scanning a namespace yaml object makes
Kyverno crash (#11834)
* Update ADOPTERS.md (#11936)
* feat: update annotations of kyverno images (#11935)
* chore(deps): bump github.com/notaryproject/notation-core-go
from 1.1.0 to 1.2.0 (#11926)
* chore: add 1.13.1 and 1.13.2 to issue templates (#11930)
* chore: use v1 of VAPs in the tests (#11929)
* chore: move CEL package to admissionpolicy package (#11931)
* refactor: cleanup cli apply functions (#11928)
* chore(deps): bump sigs.k8s.io/kustomize/api from 0.18.0 to
0.19.0 (#11925)
* Implement Object type checking based on OpenAPI v3 schema
(#11919)
* feat: add CEL variables type checking (#11920)
* feat: add auditAnnotation in CEL Compiler (#11918)
* feat: add CEL variables support (#11913)
* chore(deps): bump google.golang.org/grpc from 1.69.2 to 1.69.4
(#11911)
* feat: add validating policy compiler (#11906)
* chore(deps): bump github.com/fluxcd/pkg/oci from 0.43.0 to
0.43.1 (#11903)
* chore(deps): bump github.com/cyphar/filepath-securejoin
(#11901)
* chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.1 to
5.6.2 (#11902)
* feat: add context cel lib to get config map (#11898)
* feat: setup validating policy cel environment (#11897)
* feat: add support for loading validating policies in the cli
(#11883)
* chore: bump a couple of deps (#11890)
* refactor: get policy helper (#11891)
* chore: bump a couple of deps (#11879)
* chore(deps): bump github.com/google/cel-go from 0.22.0 to
0.22.1 (#11880)
* chore: bump a couple of deps (#11878)
* feat: bump kube deps to 1.32 (#11877)
* chore: bump a couple of deps (#11876)
* chore: bump go-git to 5.13.0 (#11860)
* fix(reports-controller): add a flag to disable reports sanity
checks (#11867)
* Add Tigera to Kyverno ADOPTERS.md (#11874)
* chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.0 to
5.6.1 (#11837)
* feat: add validating policy crd in helm chart (#11870)
* feat: add kyverno vap API (#11790)
* fix: sorting in fix test command (#11869)
* Add flag for JSON output in policy reports (#11840)
* remove policy exception dependancy from globalcontext and add
some tests (#11788)
* fix global context error message logic error (#11815)
* Fix: Policy with failureActionOverrides not applying desired
failure actions in desired namespaces (#11811)
* fix panic when rules are empty (#11821)
* Fix panic in background controller when updating Generate rule
(#11835)
* chore(deps): bump
github.com/sigstore/sigstore/pkg/signature/kms/azure (#11791)
* chore: bump x/net 0/33/0 (#11825)
* chore: bump python to 3.13.1 (#11800)
* fix: cleanup unwanted files (#11803)
* chore(deps): bump helm/kind-action from 1.10.0 to 1.11.0
(#11774)
* fix: update chainsaw test apply timeout to 30s (#11794)
* chore(deps): bump helm/kind-action in
/.github/actions/run-tests (#11775)
* fix: copy all the fields of public keys when splitting (#11770)
* fix: [Helm] mergeOverwrite overwrites nested objects #11536
(#11584)
* Mutate existing CLI support (#11453)
* fix: exemption error caused by convertChecks function (#11780)
* chore(deps): bump actions/upload-artifact from 4.4.3 to 4.5.0
(#11783)
* chore(deps): bump actions/upload-artifact (#11784)
* fix: remove extra line in configmsp (#11762)
* fix: pin ubuntu version to 22.04 in custom sigstore conformance
tests (#11772)
* distributed labels in group, version, and resource so it
doesn't exceed (#11620)
* chore(deps): bump github/codeql-action from 3.27.7 to 3.27.9
(#11757)
* chore(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0
(#11761)
* chore(deps): bump the otel group across 1 directory with 10
updates (#11759)
* fix: revert default background scan interval to 1h (#11754)
* chore(deps): bump github/codeql-action from 3.27.6 to 3.27.7
(#11741)
* fix/duplicate-test-entries-deduplication (#11709)
* chore(deps): bump sigs.k8s.io/structured-merge-diff/v4 (#11751)
* chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0
(#11749)
* chore(deps): bump the kubernetes group across 2 directories
with 7 updates (#11743)
* chore(deps): bump actions/setup-go in
/.github/actions/setup-build-env (#11742)
* chore(deps): bump github.com/aquilax/truncate from 1.0.0 to
1.0.1 (#11744)
* chore(deps): bump sonarsource/sonarcloud-github-action (#11725)
* chore(deps): bump github.com/cyphar/filepath-securejoin
(#11731)
* chore(deps): bump github.com/onsi/gomega from 1.36.0 to 1.36.1
(#11735)
* chore(deps): bump github.com/fluxcd/pkg/oci from 0.41.1 to
0.42.0 (#11732)
* chore(deps): bump golang.org/x/crypto from 0.29.0 to 0.30.0
(#11712)
* chore(deps): bump actions/cache in
/.github/actions/setup-caches (#11727)
* chore(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1
(#11711)
* chore(deps): bump codecov/codecov-action from 5.0.7 to 5.1.1
(#11726)
* chore(deps): bump kyverno/action-install-chainsaw (#11716)
* chore(deps): bump github/codeql-action from 3.27.5 to 3.27.6
(#11706)
* chore(deps): bump kyverno/action-install-chainsaw from 0.2.11
to 0.2.12 (#11715)
* fix(readme): add changelog for
spec.validate[*].allowExistingViolations field in kyverno chart
(#11714)
* fix: add metrics-server Helm repo (#11717)
* fix: properly verify precondition in old object validation
(#11644)
* feat: Show textual diff when generate test fails (#11674)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.19.2 to
0.19.3 (#11698)
* chore(deps): bump ubuntu from `278628f` to `80dd3c3` in
/.devcontainer (#11697)
* fix: api call chainsaw tests (#11682)
* Fix(doc): correct invalid links in documentation (#11681)
* fix: check the patchedResources in kyverno-test (#11686)
* chore(deps): bump cbrgm/cleanup-stale-branches-action (#11691)
* add allowExistingViolations option in policy chart (#11656)
* Print generate output cli (#11634)
* chore(deps): bump github.com/google/gnostic-models (#11676)
* fix(chart): global image registry bug in 3.3.3 (#11604)
* chore(deps): bump github.com/onsi/gomega from 1.35.1 to 1.36.0
(#11669)
* fix: add conversion function in Helm template (#11651)
* feat: add/improve error logs (#11657)
* fix(policy chart): fix the merging of policyExclude
customizations to avoid wrong overrides (#11653)
* fix: use deleteOptions in cleanup controller (#11662)
* chore(deps): bump github.com/stretchr/testify from 1.9.0 to
1.10.0 (#11660)
* chore(deps): bump
zgosalvez/github-actions-ensure-sha-pinned-actions (#11659)
* chore(deps): bump the kubernetes group across 2 directories
with 7 updates (#11640)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.19.1 to
0.19.2 (#11647)
* chore(deps): bump codecov/codecov-action from 5.0.4 to 5.0.7
(#11650)
* chore(deps): bump sigstore/scaffolding from 0.7.16 to 0.7.17
(#11641)
* chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5
(#11642)
* chore(deps): bump codecov/codecov-action from 5.0.2 to 5.0.4
(#11625)
* fix: Open the mutated resources file in append mode to allow
additions to it (#11619)
* Context vars with labelselector (#11608)
* fix: kubernetes and kyverno version annotations in
kyverno-policies helm chart to match installed kyverno release
and supported versions from Chart.yaml with override option
(kyverno#1165) (#11258)
* chore(deps): bump aquasecurity/trivy-action from 0.28.0 to
0.29.0 (#11624)
* fix: return nil error when trigger resource not found for a
subresouces (#11594)
* Passed the deleteOptions to the DeleteResource client (#11484)
* chore(deps): bump actions/checkout in
/.github/actions/run-tests (#11612)
* chore(deps): bump ubuntu from `99c3519` to `278628f` in
/.devcontainer (#11610)
* chore(deps): bump codecov/codecov-action from 5.0.0 to 5.0.2
(#11611)
* fix(background-controller): reduce logging for URs (#11616)
* fix(ci): run conformance upgrade on schedule (#11602)
* fix: use ephemeralreportsfor reports controller in helm
(#11600)
* feat(ci): test upgrade conformance (#11498)
* chore(deps): bump github/codeql-action from 3.27.3 to 3.27.4
(#11598)
* fix: use generate name for background scan reports (#11586)
* chore(deps): bump sigs.k8s.io/structured-merge-diff/v4 (#11596)
* chore(deps): bump codecov/codecov-action from 4.6.0 to 5.0.0
(#11597)
* fix: add a check for nil rule response (#11591)
* Add missing error check (#11587)
* feat: Add Manifest Index to ImageRegistry context (#9883)
* fix: update explicit webhook based on the policy type (#11580)
* chore(deps): bump github/codeql-action from 3.27.1 to 3.27.3
(#11575)
* chore(deps): bump the otel group across 1 directory with 10
updates (#11566)
* chore(deps): bump github/codeql-action from 3.27.0 to 3.27.1
(#11568)
* Set the UserAgent in client-go based calls to kube-apiserver
(#11569)
* Add SHA1 and MD5 hash functions to JMESPath (#11564)
* chore(deps): bump rajatjindal/krew-release-bot from 0.0.46 to
0.0.47 (#11567)
* toggle for autogen version (#11535)
* chore(deps): bump goreleaser/goreleaser-action from 6.0.0 to
6.1.0 (#11556)
* chore(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0
(#11557)
* chore(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.0
(#11559)
* fix: panic for nil rule response when processing old object
(#11550)
* fix: add 'immutable fields in the policy validation msg for
FluxCD' (#11549)
* chore(deps): bump sigstore/scaffolding from 0.7.15 to 0.7.16
(#11548)
* fix: match failure action case insensitively for validating old
object (#11486)
* fix: remove logic that uses annotation to skip image
verification (#11529)
* fix(validate): custom match conditions errors (#11461)
* set the defautl namespace for policy (#11505)
* Autogenv2 rule evaluation logic (#11434)
* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to
4.5.1 (#11526)
* chore: change controller rated limiting queue (#11509)
* fix: use webhook object instead of a list (#11516)
* chore(deps): bump cbrgm/cleanup-stale-branches-action (#11521)
* chore(deps): bump
zgosalvez/github-actions-ensure-sha-pinned-actions (#11520)
* fix(chart): correct behavior for global image registry (#11482)
* chore(deps): bump github.com/onsi/gomega from 1.35.0 to 1.35.1
(#11510)
* fix: switch configmap removal to use post-delete helm hook
(#11504)
* fix: add celPreconditions in autogen rules (#11503)
* fix: support VAP stable version v1 in the CLI (#11501)
* chore(deps): bump github.com/onsi/gomega from 1.34.2 to 1.35.0
(#11487)
* chore(deps): bump sigstore/scaffolding from 0.7.13 to 0.7.15
(#11499)
* fix: add emitWarning field in v2beta1 (#11489)
* fix: use digest instead of tag for custom-sigstore-tuf
conformance test (#11492)
* feat: skip azure keychain based login for mcr registry (#11480)
* chore(deps): bump sigs.k8s.io/controller-tools in
/hack/controller-gen (#11478)
* chore(deps): bump github.com/dgraph-io/ristretto from 0.1.1 to
0.2.0 (#11456)
* chore(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to
5.6.0 (#11455)
* chore(deps): bump the kubernetes group across 2 directories
with 7 updates (#11465)
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to
0.19.1 (#11471)
* chore(deps): bump actions/setup-go in
/.github/actions/setup-build-env (#11473)
* chore(deps): bump actions/setup-python from 5.2.0 to 5.3.0
(#11472)
* chore(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#11464)
* chore(deps): bump github.com/fatih/color from 1.17.0 to 1.18.0
(#11457)
* chore(deps): bump github/codeql-action from 3.26.13 to 3.27.0
(#11458)
* chore(deps): bump actions/cache in
/.github/actions/setup-caches (#11459)
* Introduced the DeletionPropagationPolicy field in CleanupPolicy
and C… (#11368)
* chore: bump sigstore/sigstore to 1.8.10 (#11448)
* fix[breaking]: disable exceptions by default (#11426)
* fix: update match logic for old object validation (#11427)
* chore(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#11437)
* chore(deps): bump ubuntu from `d4f6f70` to `99c3519` in
/.devcontainer (#11440)
* feat: improve webhooks rules generation (#11419)
* chore(deps): bump
zgosalvez/github-actions-ensure-sha-pinned-actions (#11439)
* chore(deps): bump actions/upload-artifact from 4.4.0 to 4.4.3
(#11438)
* feat(ci): enhance load testing (#11429)
* chore(deps): bump github.com/prometheus/client_golang (#11413)
* chore(deps): bump sigstore/scaffolding from 0.7.12 to 0.7.13
(#11423)
* feat: add options to configure resync period for informers in
helm chart (#11420)
* refactor: introduce autogen interface (#11418)
* Selector with mutate target (#11208)
* chore(deps): bump ubuntu from `ab64a83` to `d4f6f70` in
/.devcontainer (#11415)
* refactor: move autogen v1 and v2 packages (#11416)
* fix: use autogen v2 in exceptions controller (#11397)
* chore(deps): bump
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
(#11402)
* chore(deps): bump aquasecurity/trivy-action from 0.27.0 to
0.28.0 (#11410)
* chore: Bump python installation in helm test to 3.8.13 as the
installation action doesnt support ubuntu 24 (#11409)
* chore(deps): bump github/codeql-action from 3.26.12 to 3.26.13
(#11403)
* feat: update engine response.generatedResources to support
multiple resource (#11398)
* Added GetNames and GetKinds function (#11327)
* chore: add delay after policy gets ready (#11344)
* chore(deps): bump ubuntu from `b359f10` to `ab64a83` in
/.devcontainer (#11393)
* chore(deps): bump the otel group across 1 directory with 9
updates (#11392)
* chore(deps): bump sigstore/scaffolding from 0.7.11 to 0.7.12
(#11391)
* chore(deps): bump sigs.k8s.io/controller-tools in
/hack/controller-gen (#11385)
* feat: add helm configuration for reporting in different rules
(#11376)
* chore(deps): bump aquasecurity/trivy-action from 0.26.0 to
0.27.0 (#11383)
* Reports controller circuit breaker (#11329)
* Add permission command to generate ClusterRole and
ClusterRoleBinding (#11211)
* feat(cache): use shallow copy instead of deep copy (#11378)
* chore(deps): bump actions/upload-artifact (#11375)
* chore(deps): bump actions/upload-artifact from 4.4.2 to 4.4.3
(#11374)
* chore(deps): bump sigs.k8s.io/kustomize/api from 0.17.3 to
0.18.0 (#11373)
* chore(deps): bump aquasecurity/trivy-action from 0.25.0 to
0.26.0 (#11363)
* chore(deps): bump github.com/cyphar/filepath-securejoin
(#11366)
* feat: add --backgroundReports flag to disable mutateexisting
and generate reporting (#11361)
* chore(deps): bump actions/upload-artifact (#11364)
* chore(deps): bump actions/cache in
/.github/actions/setup-caches (#11365)
* chore(deps): bump actions/upload-artifact from 4.4.1 to 4.4.2
(#11362)
* add support for shallow substitution (#11058)
* chore: Add a new field in the test results CRD to specify
patched resources (#11297)
* chore(deps): bump aquasecurity/trivy-action from 0.24.0 to
0.25.0 (#11352)
* chore(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#11351)
* chore(deps): bump github/codeql-action from 3.26.11 to 3.26.12
(#11350)
* chore(deps): bump actions/upload-artifact from 4.4.0 to 4.4.1
(#11353)
* chore(deps): bump actions/upload-artifact (#11354)
* Added chainsaw test for the ttl based cleanup poliy (#11328)
* fix: transfer image verify iamges to kyverno (#11340)
* fix: Allow images to be pulled from insecure registry when
allowInsecureRegistry flag is set to true (#10934) (#11243)
* chore: use ptr package (#11346)
* Test/ttl cleanup deletion policy (#11277)
* fix: isolate report creation context for mutate in admission
(#11304)
* fix: use aws mirror of trivy db to fix rate limiter issue
(#11342)
* chore: use more chainsaw step templates (#11324)
* fix: add permission for mutate existing report test (#11339)
* chore(deps): bump sonarsource/sonarcloud-github-action (#11332)
* chore(deps): bump sigstore/cosign-installer (#11335)
* chore(deps): bump sigstore/cosign-installer from 3.6.0 to 3.7.0
(#11334)
* chore(deps): bump golang.org/x/crypto from 0.27.0 to 0.28.0
(#11337)
* chore(deps): bump actions/cache in
/.github/actions/setup-caches (#11336)
* chore(deps): bump
zgosalvez/github-actions-ensure-sha-pinned-actions (#11333)
* chore: use more chainsaw step templates (#11317)
* Updated autogenv2 package (#11212)
* chore(deps): bump github.com/sigstore/cosign/v2 from 2.4.0 to
2.4.1 (#11321)
* chore(deps): bump github/codeql-action from 3.26.10 to 3.26.11
(#11320)
* chore: use more chainsaw step templates (#11313)
* chore: bump chainsaw (#11280)
* chore: use more chainsaw step templates (#11311)
* chore: use more chainsaw step templates (#11308)
* chore: use more chainsaw step templates (#11303)
* chore: use more chainsaw step templates (#11300)
* chore(deps): bump golangci/golangci-lint-action from 6.1.0 to
6.1.1 (#11298)
* chore: use more chainsaw step templates (#11296)
* chore: use more chainsaw step templates (#11293)
* feat: use more chainsaw test templates (#11285)
* feat: add reporting to mutate and generate rules (#11265)
* chore(deps): bump kyverno/action-install-chainsaw (#11290)
* chore(deps): bump kyverno/action-install-chainsaw from 0.2.10
to 0.2.11 (#11289)
* chore(deps): bump cbrgm/cleanup-stale-branches-action (#11288)
* chore(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
(#11287)
* chore(deps): bump ubuntu from `dfc1087` to `b359f10` in
/.devcontainer (#11286)
* chore(deps): bump github.com/cyphar/filepath-securejoin
(#11275)
* chore(deps): bump github.com/theupdateframework/go-tuf/v2
(#11282)
* feat: use more chainsaw test templates (#11281)
* chore(deps): bump fluxcd/flux2 from 2.3.0 to 2.4.0 (#11274)
* chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1
(#11276)
* chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10
(#11273)
* fix(refactor): move breaker resource counter to pkg (#11271)
* Minor changes in dev docs (#11266)
* fix: overwrite the managed-by label for target resources
(#11267)
* update PR templates for supported versions (#11262)
* chore(deps): bump
zgosalvez/github-actions-ensure-sha-pinned-actions (#11264)
* add Corestream as an adopter (#11263)
* Added propagationPolicy to TTL controller for resource deletion
(#11207)
* chore: pin go.opentelemetry.io/otel/semconv/v1.24.0 (#11256)
* fix: foreach list validation (#11222)
* chore: remove uneeded cleanupJobs keys from values.yaml and
README (#11242)
* chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#11244)
* chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9
(#11221)
* fix: policy status updates not stabilising (#11236)
* feat: add dumpPatch flag (#11237)
* fix: webhooks reconciliation with policies (#11233)
* fix: webhooks reconciliation when no policies (#11230)
* fix(webhook): error variable (#11225)
* chore(deps): bump sigstore/scaffolding from 0.7.9 to 0.7.11
(#11220)
* fix: print out errors (#11218)
* fix(status): status comparison is wrong (#11203)
* feat: allow generate pattern changes (#11202)
* chore(deps): bump go.uber.org/automaxprocs from 1.5.3 to 1.6.0
(#11213)
* chore(deps): bump google.golang.org/grpc from 1.66.2 to 1.67.0
(#11201)
* fix: skip processing the oldObject for audit policies (#10233)
* chore(deps): bump github/codeql-action from 3.26.7 to 3.26.8
(#11200)
* chore(deps): bump github.com/open-policy-agent/opa from 0.67.1
to 0.68.0 (#11199)
* feature: Added test.imagePullSecrets config in values.yaml
(#11180) (#11195)
* chore: add more chainsaw tests for `generate.foreach` (#11140)
* fix: remove unused functions (#11190)
* chore(deps): bump sigs.k8s.io/controller-tools in
/hack/controller-gen (#11187)
* chore(deps): bump github.com/prometheus/client_golang (#11186)
* fix(chart,kyverno): update dashboard to support Grafana 11
(#11070)
* chore(deps): bump the kubernetes group across 2 directories
with 1 update (#11179)
* chore(deps): bump ubuntu from `8a37d68` to `dfc1087` in
/.devcontainer (#11166)
* chore: bump chainsaw (#11161)
* feat: add helm upgrade tests (#11163)
* chore(deps): bump the otel group across 1 directory with 7
updates (#11170)
* chore: update dependabot gomod config (#11164)
* fix: Added missing label info in the cleanup metrics (#10321)
(#11147)
* chore(deps): bump github.com/fluxcd/pkg/oci from 0.41.0 to
0.41.1 (#11153)
* chore(deps): bump github.com/cyphar/filepath-securejoin
(#11152)
* chore(deps): bump github/codeql-action from 3.26.6 to 3.26.7
(#11150)
* fix: Updated Go version to v1.23.1 to address CVE-2024-34156
(#11112)
* move governance (#11138)
* fix: go releaser config (#11135)
* chore(deps): bump k8s.io/apiextensions-apiserver in the
kubernetes group (#11130)
* chore: add dependabot groups for k8s and otel (#11116)
* fix: expect base64 string in raw tuf root (#11117)
* chore(deps): bump k8s.io/kube-aggregator from 0.31.0 to 0.31.1
(#11111)
* chore(deps): bump k8s.io/cli-runtime from 0.31.0 to 0.31.1
(#11107)
* chore(deps): bump google.golang.org/grpc from 1.66.1 to 1.66.2
(#11109)
* chore: fix sonar exclusions (#11119)
* chore(deps): bump k8s.io/api from 0.31.0 to 0.31.1 (#11108)
* chore(deps): bump
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
(#11110)
* feat: add flag to pass tuf root directly (#11103)
* fix broken oss-fuzz build (#11101)
* feat: use pointer in rule (validate field) (#11095)
* chore: bump otel libs (#11096)
* chore(deps): bump github.com/sigstore/sigstore-go from 0.6.1 to
0.6.2 (#11093)
* fix: make webhook cleanup setup optional and add cleanup ci
test (#11077)
* feat: use pointer in rule (mutation field) (#11078)
* chore: fix sonar exclusions (take 2) (#11074)
* chore: reduce jobs run on push (#11080)
* feat: use pointer in rule (generate field) (#11076)
* fix: policy report generation for namespaced policies in CLI
(#10923)
* chore: fix sonar exclusions (#11072)
* feat: use pointer in rule (exclude field) (#11050)
* chore: remove MarcelMue (#11066)
* fix: avoid generating empty urs (#11065)
* chore(deps): bump google.golang.org/grpc from 1.66.0 to 1.66.1
(#11062)
* chore(deps): bump sigstore/scaffolding from 0.7.8 to 0.7.9
(#11061)
* support HTTP headers in service API calls (#11041)
* Generate Policy Exceptions (#9987)
* Update CONTRIBUTORS.md (#11053)
* added Anudeep to CONTRIBUTORS.md (#11054)
* fix: make match field required in rule API (#11048)
* bug: print failure message when rule fails in kyverno apply
(#9166)
* feat: use pointer in rule (#11037)
* Sat Feb 08 2025 opensuse_buildservice@ojkastl.de
- Update to version 1.13.4:
* release v1.13.4 (#12126)
* Revert "replace ghcr.io to reg.kyverno.io (#12031) (#12106)"
(#12125)
* chore(deps): bump go dependencies to fix CVEs (#12119)
* Fri Feb 07 2025 opensuse_buildservice@ojkastl.de
- Update to version 1.13.3:
* feat: release v1.13.3 (#12105)
* replace ghcr.io to reg.kyverno.io (#12031) (#12106)
* chore: bump golang.org/x/net to 0.33.0 for release-1.13
(#12040)
* Fix default value for apiCall context (#11733) (#11988)
* log non fatal parsing errors (#11932) (#11949)
* feat: update annotations of kyverno images (#11935) (#11938)
* chore: bump opa 0.68.0 (#11786)
* fix(reports-controller): add a flag to disable reports sanity
checks (#11867) (#11875)
* remove policy exception dependancy from globalcontext and add
some tests (#11788) (#11854)
* fix global context error message logic error (#11815) (#11853)
* Fix: Policy with failureActionOverrides not applying desired
failure actions in desired namespaces (#11811) (#11850)
* fix panic when rules are empty (#11821) (#11848)
* Fix panic in background controller when updating Generate rule
(#11835) (#11846)
* fix: [Helm] mergeOverwrite overwrites nested objects #11536
(#11584) (#11797)
* fix: remove extra line in configmsp (#11762) (#11776)
* chore: bump python to 3.13.1 (#11801)
* fix: update chainsaw test apply timeout to 30s (cherry-pick
[#11794]) (#11802)
* fix: copy all the fields of public keys when splitting (#11770)
(#11798)
* fix: exemption error caused by convertChecks function (#11780)
(#11787)
* fix: pin sigstore (#11777)
* fix: revert default background scan interval to 1h (#11754)
(#11756)
* chore: bump golang.org/x/crypto 0.31.0 (#11753)
* Tue Dec 10 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.13.2:
* release 1.13.2 (#11736)
* release 1.13.2-rc.1 (#11713)
* fix: properly verify precondition in old object validation
(#11644) (#11705)
* fix: add metrics-server Helm repo (#11717) (#11718)
* add allowExistingViolations option in policy chart (#11656)
(#11720)
* fix(readme): add changelog for
spec.validate[*].allowExistingViolations field in kyverno chart
(#11714) (#11719)
* feat: Show textual diff when generate test fails (#11674)
(#11704)
* fix: api call chainsaw tests (#11682) (#11696)
* fix: check the patchedResources in kyverno-test (#11686)
(#11695)
* Print generate output cli (#11634) (#11678)
* fix(chart): global image registry bug in 3.3.3 (#11604)
(#11672)
* chore: Add a new field in the test results CRD to specify
patched resources (#11297) (#11673)
* fix: add conversion function in Helm template (#11651) (#11666)
* fix(policy chart): fix the merging of policyExclude
customizations to avoid wrong overrides (#11653) (#11663)
* fix: Open the mutated resources file in append mode to allow
additions to it (#11619) (#11633)
* Context vars with labelselector (#11608) (#11631)
* fix: return nil error when trigger resource not found for a
subresouces (#11594) (#11627)
* fix(background-controller): reduce logging for URs (#11616)
(#11617)
* fix: use ephemeralreportsfor reports controller in helm
(#11600) (#11614)
* fix: use generate name for background scan reports (#11586)
(#11599)
* Add missing error check (#11587) (#11590)
* fix: update explicit webhook based on the policy type (#11580)
(#11581)
* fix: add a check for nil rule response (cherry-pick #11591)
(#11593)
* feat: Add Manifest Index to ImageRegistry context (#9883)
(#11585)
* Set the UserAgent in client-go based calls to kube-apiserver
(#11569) (#11571)
* Tue Nov 12 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.13.1:
* release 1.13.1 (#11570)
* release 1.13.1-rc.1 (#11554)
* fix: panic for nil rule response when processing old object
(#11550) (#11553)
* fix: add 'immutable fields in the policy validation msg for
FluxCD' (#11549) (#11552)
* fix: match failure action case insensitively for validating old
object (#11486) (#11546)
* fix: add celPreconditions in autogen rules (#11542)
* fix: remove logic that uses annotation to skip image
verification (#11529) (#11537)
* fix(validate): custom match conditions errors (#11461) (#11543)
* set the defautl namespace for policy (#11505) (#11532)
* fix(chart): correct behavior for global image registry (#11482)
(#11517)
* fix: use webhook object instead of a list (#11516) (#11522)
* release chart 3.3.2 (#11512)
* feat: skip azure keychain based login for mcr registry (#11480)
(#11481)
* fix: switch configmap removal to use post-delete helm hook
(#11504) (#11508)
* fix: support VAP stable version v1 in the CLI (#11501) (#11502)
* release chart 3.3.1 (#11500)
* fix: use digest instead of tag for custom-sigstore-tuf
conformance test (#11492) (#11493)
* fix: add emitWarning field in v2beta1 (#11489) (#11494)
* Tue Oct 29 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.13.0 (boo#1232559):
Large update, please see the changelog and the release blog post
for new features
https://github.com/kyverno/kyverno/releases/tag/v1.13.0
https://nirmata.com/2024/10/30/announcing-kyverno-release-1-13/
Please check the upgrade documentation here:
https://main.kyverno.io/docs/installation/upgrading/#upgrading-to-kyverno-v113
* Fri Sep 27 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.12.6:
* release 1.12.6 (#11255)
* release-1.12.6-rc.3 (#11246)
* fix: webhooks reconciliation with policies (#11233) (#11235)
* fix: webhooks reconciliation when no policies (#11230) (#11232)
* fix(webhook): error variable (#11225) (#11228)
* fix(status): status comparison is wrong ( cherry-pick #11203)
(#11217)
* fix(helm): remove namespace from RoleBinding/roleRef field
(cherry-pick #10685) (#11194)
* release v1.12.6-rc.2 (#11165)
* fix: get ns labels before creating a policy context (#11176)
* fix: range through all resources to build webhook (#11162)
* Release v1.12.6-rc.1 (#11151)
* fix: Updated Go version to v1.23.1 to address CVE-2024-34156
(#11112) (#11142)
* fix: bump docker in release 1.12 (#11088)
* fix: Check for the client being nil before applying a mutation
(#10726) (#10737)
* Evaluate one version of each pod security standard (#10924)
(#10996)
* fix: properly use useCache field in image verification policies
(#10709) (#10889)
* fix: check the resource namespace (#10738) (#10740)
* chore(deps): bump github.com/docker/docker (#10750) (#10764)
* chore: bump chainsaw (cherry-pick #10687) (#10765)
* chore: retrayable/http version bump (#10719)
* cherry-pick #10678 (#10681)
* Fri Jul 12 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.12.5:
* release v1.12.5 (#10653)
* release v1.12.5-rc.2 (#10651)
* fix: truncate event messages to 1024 chars (#10636) (#10643)
* fix: rename level 1 logs to INFO from DEBUG (#10617) (#10642)
* fix: compute operations for mutatingwebhookconf (#10639)
(#10641)
* fix: CEL policies aren't applied to deleted resources (#10624)
* release v1.12.5-rc.1 (#10632)
* refactor: add a function to check if VAPs are registered in the
API server (#10625)
* fix: remove unused parameters (#10626)
* feat: add reports circuit breaker (cherry-pick #10499 #10596
[#10610] #10613) (#10628)
* fix(json-ctx): overwrite element each iteration (#10615)
(#10616)
* cherry-pick #10382 (#10593)
* feat(events): normalize gctx events reason to be inline with
other po… (#10395) (#10612)
* fix: get ns labels in the cluster mode when using the CLI
(cherry-pick #10348) (#10549)
* fix: cleanup policy name is appended to logs (#10583) (#10599)
* fix: failed to delete resource (#10582) (#10598)
* feat: fix notary tests (#10579) (#10584)
* fix: correctly validate patterns for old and new objects
(#10310) (#10537)
* fix: use generate name for admission reports (#10491) (#10522)
* Mon Jun 17 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.12.4:
* release v1.12.4 (#10479)
* feat: fix custom sigstore conformance tests (#10473) (#10480)
* release v1.12.4-rc.2 (#10466)
* fix: avoid creating duplicate urs for background policies
(#10431) (#10444)
* fix: remove dropped flag (#10433)
* Release v1.12.4-rc.1 (#10429)
* chore: add chainsaw test for controllers leader election
(#10416) (#10427)
* fix: cancel context for proper shutdown in reports-controller
(#10415) (#10426)
* fix: add verbosity to background scanner log (#10404) (#10405)
* fix(gctx): returning old error (#10398) (#10400)
* chore: add condition checking to notary attestation verify
chainsaw tests (#10288) (#10349)
* Fri May 31 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.12.3:
* feat: add aggregation workers flag (#10331) (#10343)
* fix: remove unused parameters (#10327) (#10329)
* feat: add cleanup cronjobs for (cluster)ephemeralreports
(#10325) (#10334)
* feat: add a cleanup cronjob to delete urs (#10249) (#10326)
* feat: add support for background scanning of existing resource
in image verification (#10287) (#10311)
* Thu May 23 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.12.2:
* Release v1.12.2 (#10298)
* chore: make contrinue-on-fail flag available outside package
(#10293) (#10297)
* release v1.12.2-rc.3 (#10294)
* release v1.12.2-rc.2 (#10286)
* fix(anchor): skip anchors don't have priority (#10206) (#10284)
* release v1.12.2-rc.1 (#10282)
* fix: add a copy method to the policy context (#10236) (#10280)
* fix: sort webhookconfig.operations (#10274) (#10275)
* fix: webhook config set (#10262) (#10273)
* chore: cherry-pick #10270 (#10272)
* fix: generate VAPs that match all resources when kinds is set
to * (#10266)
* fix flake test in VAPs (#10269)
* fix: process the matched resources only for mutate existing
policies (#10164) (#10267)
* fix: add resourceNames field in the generated VAPs (#10187)
(#10265)
* chore: cherry-pick #10250 (#10264)
* truncate event messages to 1024 chars (#10255) (#10261)
* fix: deepcopy patched resource in foreach mutate (#10252)
(#10258)
* fix: isolate reports creation context (#10245) (#10246)
* [Bug] [CLI] Level parameter of the apply and test commands does
not work (#10216) (#10240)
* kyverno-1.12 CVE fix (#10225)
* allow kyverno apply command to continue on failure (#10036)
(#10178)
* feat: make cli results count public (#10177) (#10194)
* feat: release chart 3.2.2 (#10193)
* [kyverno helm chart] make webhook pod annotations configurable
(#9875) (#10185)
* fix(polex): multiple polexes with conditions (#9994) (#10183)
* fix: skip generating VAPs for policies that match multiple
resources with a namespace/object selector (#10181) (#10184)
* fix: add CONNECT operation in the webhook config for pod/exec
subresource (#9855) (#10179)
* fix: add pods/ephemeralcontainers to the generated VAPs
(#10162) (#10176)
* Fri May 03 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.12.1:
* feat: release-1.12.1 (#10166)
* Ensure CA certificate ConfigMaps get defined (#10156) (#10161)
* Release v1.12.1-rc.1 (#10154)
* fix: add error check in jmespath type conversion in context
variables (#10152) (#10153)
* fix: skip rules without operation in resource webhook creation
(#10146) (#10151)
* fix: shared policy context needs to be copied (#10139) (#10147)
* fix: fetch only adopted ephemeral report (#10148) (#10150)
* fix: sort pod controllers for autogen rule (#10140) (#10142)
* chore: remove a package that is imported twice (#10101)
(#10130)
* chore: update perf docs for 1.12 (#10116) (#10129)
* fix: evaluate namespaceObject for Kyverno policies in the CLI
(#9977) (#10077)
* fix: evaluate namespaceObject for VAPs in the CLI (#9978)
(#10076)
* fix: remove unused parameters (#10007) (#10069)
* fix: return skip when celPreconditions/matchConditions aren't
met (#9940) (#10085)
* Sat Apr 27 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- fix missing version output
* Fri Apr 26 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.12.0:
large update, please see the full changelog at
https://github.com/kyverno/kyverno/releases/tag/v1.12.0
Breaking (Potentially)
* Policies using long-deprecated or invalid operators in
conditions (ex., In and NotIn) will be blocked. Please see
the current list of available operators
[here](https://kyverno.io/docs/writing-policies/preconditions/#operators)
* Thu Apr 18 2024 opensuse_buildservice@ojkastl.de
- do not strip aka remove -s -w ldflags
* Sat Jan 20 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.11.4:
* release 1.11.4 (#9453)
* update bitnami/kubectl (#9408) (#9452)
* bump libs (#9411)
* Fri Jan 05 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.11.3:
* release 1.11.3 (#9346)
* fix: update CLI to use store for fetching regclient (#9345)
* fix: non-trigger resources should be skipped for background
policies regardless of `skipBackgroundRequests` settings
(#9333) (#9337)
* Thu Jan 04 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.11.2:
* Add Chainsaw Test for Conditional Anchor (#9295) (#9304)
* release 1.11.2 (#9302)
* fix(cli): handle excluded resources as pass (cherry-pick #9274)
(#9300)
* feat: add deprecation warnings in the CLI (#9222) (#9294)
* fix: updaterequests stuck in pending/fail infinite loop
(cherry-pick #9119) (#9293)
* chore: update chart.yaml with the changes (#9292)
* cherry-picj #9151 (#9291)
* Support more signature algorithms (#9102) (#9289)
* fix: large table row ID number format in CLI (#9281) (#9287)
* fix: remove skip increment when resource not found in cli apply
(#9282) (#9284)
* chore: disable policy library kuttl tests in 1.11 (#9259)
* fix: use http.MaxBytesReader instead of content length for API
Calls (#9265) (#9268)
* Add imagePullSecrets to post-upgrade job (#9264) (#9273)
* release v1.11.2-rc.1 (#9252)
* chore: bump k8s to 1.29 stable (release 1.11) (#9257)
* fix: convert chainsaw tests to kuttl (#9242)
* fix: bump k8s to 0.29-alpha.3 and add support for fips
endpoints in AWS authentication (cherry-pick: #9233) (#9244)
* fix launch.json (#9239) (#9245)
* cherry-pick #9230 (#9234)
* fix: add chainsaw test for mutate existing (#9210) (#9221)
* fix: add `skipBackgoundRequests` to configure loop protection
option (#9157) (#9207)
* fix: limit the trigger name to a maximum of 63 characters for
mutate existing rules (#9162) (#9195)
* fix: enable additional report printers by default (#9194)
(#9196)
* improve messages (#9168) (#9169)
* fix: add tolerations and affinity to the post-upgrate hook
(#9156) (#9164)
* fix: allow changes to preexisting resource in violation of a
policy in Enforce (#9027) (#9139)
* (cherry-pick) Fix Helm chart to not error when replicas defined
(#9066) (#9073)
* fix: add nodeSelector to the reports cleanup helm hook (#9065)
(#9069)
* fix: ttl cleanup not working with cluster wide resources
(#9060) (#9063)
* Wed Nov 29 2023 kastl@b1-systems.de
- Update to version 1.11.1:
* release 1.11.1 (#9039)
* fix: cleanup older policy reports (#9026) (#9035)
* fix: use validate.message in case there is no message
associated with the CEL expression (#9025)
* Remove var check (#8990) (#9024)
* fix: use the default namespace in case --namespace isn't set in
kyverno create exception (#9022)
* fix: remove the additional dash in kyverno create exception
(#9021)
* fix: use v2beta1 version of exceptions in kyverno create CLI
(#9020)
* fix: delete VAPs in case Kyverno policies can't be translated
(#8887) (#9019)
* fix: block mutation only when failurePolicy is set to fail
(#8952) (#8986)
* fix: update KeysAreMissing() to ignore negations in resource
(#8953) (#8982)
* feat: add checks for max response size in API Call (#8957)
(#8971)
* Revert "fix(chart): only create ServiceMonitor if cluster
supports it (#7926)" (#8913) (#8931)
* correct typo in README for Kyverno 1.10+ (#8911) (#8927)
* Add policyKind option to kyverno-policies chart (#8827) (#8923)
* chore(deps): bump
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
from 0.45.0 to 0.46.0 (#8893) (#8897)
* Close reponse right after succesful request (#8894) (#8896)
* Reduced verbosity of admission request filter INFO log message
(#8712) (#8882)
* Thu Nov 16 2023 kastl@b1-systems.de
- Update to version 1.11.0:
* Breaking (Potentially) ❗
- Policy Reports are now created on a per-resource basis and
using a UID as the name rather than the previous behavior of
per-policy. This may be a breaking change if you relied upon
either of these attributes in previous versions. This change
has the benefit of putting less pressure on the Kubernetes
API server and less storage cost on etcd.
- In accordance with Cosign 2.0 updates, the Rekor URL is now
required in a policy. The url field may be empty ("") but
must be specified even if you've opted not to store
signatures in a Rekor instance. Users upgrading from Kyverno
v1.10 to v1.11 who have image verification policies using
cosign will have to explicitly disable Tlogs and SCT
verification in their policy using the rekor.ignoreTlogs and
ctlog.IgnoreSCT fields if they did not use Rekor while
signing the image.
* Added
- Context variables are now supported in cleanup policies
(#6084)
- Introduced ability to cleanup resources based upon assignment
of a new reserved label cleanup.kyverno.io/ttl (#7821, #8096,
[#8128], #8660)
- ValidatingAdmissionPolicies (VAP) can now be tested in the
Kyverno CLI in both test and apply commands (#6656)
- ValidatingAdmissionPolicies can be generated/managed by
Kyverno when a compatible validate.cel rule is created
(#7840, #8219)
- Generate Policy Reports for VAPs (#8135)
- Kyverno validate rules can now be written using CEL
expressions, including auto-gen support (#7859, #8024, #8071,
[#8084], #8098, #8099, #8196)
- Added a new field in a policy at spec.admission which, when
set to false, allows policies to work in background-only mode
(#6666)
- Added a new field under verifyImages rules called
imageRegistryCredentials which allows flexible, easier
configuration of credentials for image registries including
defining the required credential helpers (#7114)
- Added new caching of image signature verifications (#7890,
[#7969])
- New lookup() JMESPath filter (#7136)
- New round() JMESPath filter (#7489)
- Support for Cosign 2.0 (#7248, #8521)
- Added an auth checker interface from Kyverno Playground
(#7323)
- Added a check for digest mismatch in verifyImages rules
(#8443)
- Added new ability to more finely control configuration of
metrics (#8569)
- Added an --aggregateReports flag to the reports controller to
enable/disable aggregated reports (#7475)
- Events are now created in the events.k8s.io/v1 API group and
version (#7673)
- Generate rules now support using server-side apply via the
field spec.useServerSideApply (#7705)
- Added CLI API schema for test command (#8422, #8438, #8439,
see also Changed below)
- Added new create commands to the Kyverno CLI used to easily
create the various resources needed for testing (#7778,
[#7779], #7780, #7781, #7782, #8160)
- Added new Kyverno CLI docs command to generate CLI
documentation (#8179, #8180, #8181, #8191, #8193, #8200,
[#8259])
- Added Kyverno CLI experimental fix command (#8213, #8404)
- Added support for wildcards in CLI test command (#8216)
- Kyverno CLI now has experimental validation of policies being
tested (#8384, #8406, #8410)
- Added ability to test supported ValidatingAdmissionPolicies
(VAP) variables in both Kyverno CLI test and apply commands
(#8182)
- Kyverno is now tested against and uses libraries from
Kubernetes version 1.28 (#8036, #8037)
- Kyverno now supports configuring matchConditions in webhooks
(Kubernetes 1.27+) (#8042)
- Wildcards now work in subject statements in match/exclude
(#8068)
- Added variables support for Kyverno validate.cel policies
(#8103, #8113)
- Added CTLogs verification to Cosign (#8130, #8166)
- New metric of type Meter is added for the TTL cleanup manager
with attributes resource_group, resource_version, and
resource_resource (#8134)
- Added ability to configure TUF when using a custom Sigstore
implementation (#8385)
- Added ability to disable TUF when used in air-gapped
environments (#8509)
- Helm
- Added API priority and fairness resources to the Kyverno
chart (FlowSchema and PriorityLevelConfiguration) (#7468)
- Added ability to set security contexts for the webhook
cleanup Pod (#7970)
- Added Helm secret size check to CI to detect of the current
chart size exceeds the Helm secret size limit (#8195)
- Allow resourceNames on extraResources for the cleanup
controller (#8307)
- Added a global image registry value (#8625)
* Changed
- Policy Exceptions and Cleanup Policies graduated from alpha
API to beta (#8594, #8609, #8621, #8378, #8587)
- Policy Exceptions are now enabled by default (#8545)
- Policy Reports are changed to be generated per-resource
rather than per-policy, and intermediary aggregated reports
are expunged immediately (#8426)
- Schema validation will no longer be done on patterns
(including internal validation for mutate rules) obviating
the need for spec.schemaValidation. We will deprecate and
remove this field in a future version (#8538)
- Cleanup policies no longer use CronJobs to invoke the cleanup
action. This is all handled internally now (#8526, #8529,
[#8531])
- Kyverno CLI test command has been refactored and includes a
formal test manifest schema (#8422, #6871, #6942, #7995,
[#8145], #8163, #8168, #8177, #8189, #8212, #8387, and more)
- Kyverno CLI apply command now has a nice tabular output
format (#7757)
- Kyverno CLI apply now shows failure messages when a result
fails (#7758)
- Kyverno CLI --compact flag has been renamed to
- -detailed-results (#7937)
- Kyverno CLI the --set flag can be used to set a variable for
multiple input resources rather than just one (#7984)
- Kyverno CLI certain more "internal" flags will no longer be
hidden (#8077)
- Refactored JSON patches to use structure instead of byte
arrays (#7186)
- Deprecated the --imageSignatureRepository container flag. Use
verifyImages.Repository in a policy definition instead
(#7391)
- Replaced the internal package used to apply JSON patches.
This resulted in some fixes and slight behavioral changes
(#7401, #7452)
- The policies.kyverno.io/last-applied-patches annotation upon
successful mutation has been removed (#7438)
- RBAC has been hardened for a couple controllers to better
follow least privileges (#7626, #7634, #7638, #8083)
- The images variable ({{ images }}) can be used correctly in a
policy (#7787)
- Use a new custom keychains from Flux package preventing some
timeouts (#7908)
- Allow overriding CA and TLS secret names which store the
Kyverno certificates (#8137)
- Replaced CLI manifest commands by create command (#8165)
- Kyverno CLI test command has been extended to support
multiple paths (#8247)
- The remainder of match/excludewill be skipped if
theoperations[]` do not match (#8324)
- Helm
- The Grafana dashboard has been moved to its own subchart in
an effort to reduce the size of the main Kyverno chart
(#8619)
- Kyverno CRDs have been moved to a subchart for the same
reason (#8623)
- Updated the Chart metadata so the minimum version is
correctly aligned with that of Kyverno itself (#8708)
* Fixed
- Abort pattern validation earlier when processing can occur
(#7307)
- Fixed an issue when testing for mutations using foreach
(#7396)
- Fixed not validating that subject kinds were on the allowed
list (#7582)
- Fixed a panic when certain environment variables weren't
passed to the controllers (#7613)
- Fixed the missing severity type when generating a policy
report (#7974)
- Fixed adding server name into TLS certs when running Kyverno
with --serverIP flag (#8053)
- Fixed an issue which prevented mutation of policy report
resources (#8080)
- Fixed a crash when using an unquoted null (#8081)
- Fixed indefinitely retry for the mutateExisting rule by
applying the retry limit (#8100)
- Fixed nil-dereferences by adding mocks to unit tests (#8102)
- Fixed TLS cert renewal when the CA cert is deleted (#8114)
- Fixed a nil dereference in validate.podSecurity subrules
(#8271)
- Fixed an issue where generating an empty kind would be
allowed (#8332)
- Fixed/improved some logs (#8442, #8673)
- Fixed a couple issues impacting generate rules when a trigger
or clone source resource name exceeded 63 characeters (#8466)
- Fixed an issue where Kyverno would modify reports it didn't
own (#8502)
- Fixed an image cache panic issue (#8512)
- Fixed an issue preventing creation of ClusterAdmissionReports
if the resource had a colon in the name (#8530)
- Kyverno CLI: fixed using the --fail-only flag in the test
command now exits properly upon failed tests (#7717)
- Kyverno CLI: fixed logging failure (#8110)
* Mon Nov 13 2023 kastl@b1-systems.de
- Update to version 1.10.5:
* Release 1.10.5 (#8881)
* feat: add GHSA-vfp6-jrw2-99g9 fixes in cosign v1.13.1 (#8870)
* fixL upgrade cosign installer version in release 1.10 and use
cosign 1.13.1 (#8813)
* chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.0
(#8809) (#8811)
* Wed Nov 01 2023 kastl@b1-systems.de
- Update to version 1.10.4:
* release-1.10.4 (#8799)
* fix: backport CVE fixes (#8798)
* Tue Sep 05 2023 kastl@b1-systems.de
- Update to version 1.10.3:
* release 1.10.3 (#8006)
* fix: return err in load data (#7982) (#7983)
* release: bump chart versions (#7933)
* fix(chart): only create ServiceMonitor if cluster supports it
(#7926) (#7931)
* Tue Aug 01 2023 kastl@b1-systems.de
- Update to version 1.10.2:
* release 1.10.2 (#7928)
* bug: add severity and category in cluster policy report (#7828)
(#7922)
* refactor: remove obsolete structs from CLI (#6802)
(cherry-pick) (#7921)
* feat: add events for successful generation (#7550) (#7804)
* cherry-pick #7888 (#7920)
* Feat: cloneList rule validation (#7823) (#7914)
* refactor: remove manual keychain refresh from client (#7806)
(#7917)
* cherry-pick #7774 (#7915)
* fix(policy chart): Skip DELETE requests on policies using deny
statements (#7883) (#7900)
* Modified annotation matching during rollback (#7752) (#7894)
* fix log level (#7877) (#7881)
* Added log message for API call failures (#7834), cherry picked
(#7880)
* feat(chart) Add configurations for cleanup jobs and webhooks
(#7871) (#7875)
* policy validation: fix assignment to entry in nil map (#7874)
(#7876)
* feat: skip schema validation for CRD (#7869) (#7873)
* fix: namespace label matching for Namespace (#7837) (#7870)
* fix: ignore tekton/pipeline (#7858) (#7863)
* fix type confusion in policy validation (#7857) (#7862)
* feat: enable operator boolean comparison (#7847) (#7860)
* Add nodeSelector for cleanupJob CronJob resources (#7851)
(#7855)
* cherry-pick kyverno#7810 (#7822)
* cherry-pick #7800 (#7819)
* feat: allow pod labels for cleanup jobs (#7808) (#7809)
* fix: aggregated admission report not updated correctly (#7798)
(#7799)
* Update Chart README migration guide with 1.10.1 updates (#7770)
* Thu Jul 06 2023 kastl@b1-systems.de
- Update to version 1.10.1:
* release 1.10.1 (#7762)
* feat: Add option to add imagePullSecrets to cleanup CronJobs
(#7730) (#7732)
* fix: remove show goreleaser version step (#7712)
* fix: release signing (#7711)
* fix goreleaser version (#7707)
* fix: lock schema manager when updating it (#7704) (#7706)
* release v1.10.1-rc.1 (#7701)
* fix: customizable tracer configuration (#7644) (#7700)
* fix: Swap any/all in the error message. (#7688) (#7696)
* Fix deferred loading (#7597) (#7694)
* fix: image verification (#7652) (#7692)
* feat: add lazy loading feature flag (#7680) (#7691)
* refactor: migrate context loaders (part 2) from #7597 (#7677)
(#7690)
* fix: cleanup controller rbac (#7669) (#7679)
* refactor: migrate context loaders (part 1) from #7597 (#7676)
(#7678)
* refactor: add specific loaders from #7597 (#7671) (#7675)
* feat: add cluster select and relabling config for
ServiceMonitors (#7659) (#7674)
* chore bump (#7666)
* fix: auth checks with the APIVersion and the subresource
(#7628) (#7641)
* enable webhook clean up (#7633) (#7637)
* fix: update the flag descriptions of the reports-controller
(#7617) (#7621)
* Add nancy-ignore to make it pass with current dependencies
(#7590) (#7602)
* fix: make configuring max procs not exit in case of error
(#7588) (#7591)
* fix: deletion mismatch for the generate policy (#7579) (#7606)
* fix: autogen not working correctly with cronjob conditions
(#7571) (#7604)
* reduce sleep duration for generate kuttl tests (#7589) (#7603)
* fix: CLI tests (#7596) (#7601)
* fix: background image verification not working (#7564) (#7570)
* feat: sign released artifacts (#7478) (#7560)
* feat: cleanup jobs resources (#7337) (#7559)
* Fix: Error cause is missing (#7563) (#7565)
* fix: recursive lazy loading (#7552) (#7562)
* fix: autogen not generating the correct kind (#7455) (#7561)
* feat: obey the order field in patchStrategicMerge method
(#7336) (#7558)
* fix: Delete downstream objects on precondition fail (#7496)
(#7549)
* fix: update kyverno admission-controller role to have delete
verb for… (#7527) (#7544)
* fix: add type conversion error judgment to avoid program panic
(#6526) (#7534)
* refactor: generate reconciliation on policy updates (#7531)
(#7533)
* fix: Remove ownerReferences when cloning across Namespaces
(#7517) (#7523)
* fix: misleading error message in deny conditions (#7503)
(#7520)
* fix: log level initialisation (#7515) (#7522)
* add debug env BACKGROUND_SCAN_INTERVAL (#7504) (#7519)
* fix: target scope validation for the generate rule (#7479)
(#7518)
* fix: cloneList sync behavior (#7466) (#7514)
* fix: log kind/namespace/name in scan errors (#7498) (#7500)
* fix (#7473) (#7477)
* fix: image pull secrets in admission controller (#7474) (#7476)
* fix: rule name not required in the crd schema (#7464) (#7465)
* fix: add missing webhook timeouts (#7435) (#7467)
* fix: the same source cannot be used for multiple targets with a
generate clone rule (#7436) (#7454)
* fix flaky tests (#7460) (#7461)
* fixed typo in admission controller chart template (#7440)
(#7442)
* fix: error reported when sanity check fails (#7439) (#7441)
* fix: exceptions not considered on delete (#7433) (#7437)
* fix: helm template for cleanup jobs image (#7430) (#7434)
* fix: array element removal should be synced to the downstream
resource with a generate data sync rule (#7417) (#7432)
* fix: reports discovery error (#7428) (#7431)
* feat: hold custom labels (#7416) (#7419)
* update migration guide with generate guidance (#7409) (#7410)
* fix: missing extraEnvVars in helm chart (#7403) (#7407)
* Fix: [Bug] The default field in a context variable does not
replace nil results (#7251) (#7400)
* fix mutate targets validation (#7387) (#7399)
* Remove policy validation prevent loop for generate (#7388)
(#7398)
* Allow setting verbs for clusterrole extraresources on
backgroundController (#7380) (#7392)
* fix: missing/incorrect env variables (#7383) (#7389)
* Add missing delete verb to admission cleanup clusterrole
(#7375) (#7384)
* fix: permission validation message (#7362) (#7371)
* feat(cronjobs): Enable podAnnotations on CronJobs (#7366)
(#7370)
* fix: protect managed resource not considering other components
(#7363) (#7367)
* fix: helm migration guide (#7360) (#7364)
* feat: cleanup job tolerations (#7331) (#7351)
* fix: flaky kuttl test add-external-secret-prefix (#7338)
(#7343)
* Add scaling testing instructions (#7295) (#7348)
* chore: new helm chart version (#7349)
* fix: config map name in helm chart (#7341) (#7342)
* fix: panic in background reports (#7332) (#7334)
* Tue May 30 2023 Johannes Kastl <kastl@b1-systems.de>
- BuildRequire go1.20
- add completion subpackages for bash, zsh and fish shells
* Tue May 30 2023 kastl@b1-systems.de
- Update to version 1.10.0:
Kyverno 1.10 is a huge release which brings breaking changes in
both the application and Helm chart. Please read these release
notes carefully!
* Major features:
- Split the main Kyverno Deployment into 3 separate
controllers/Deployments
- Intra-cluster Service calls
- Notary v2 support
- Major reworking of generate and "mutate existing" policies
* Breaking changes
- This release separates Kyverno into its 3 main components:
admission controller, reporting controller, and background
controller. As a result, there is no direct upgrade path from
previous versions. When deploying with Helm, we recommend
either backing up and restoring Kyverno policies (kubectl get
pol,cpol,cleanpol,ccleanpol,polex -A > backup.yaml) or
scaling the Kyverno deployment(s) to zero first. Policy
reports will be regenerated from existing resources when
policies are reinstalled. Regardless of the option, this
upgrade should be performed in a maintenance window as there
will be downtime involved.
- As a result of this decomposition, aggregated ClusterRoles
may need to be updated to use the new label values depending
on the controller which requires those permissions.
- Policies which matched on some types of subresources (such as
PodExecOptions) will need to be updated to use the
standardized form of <parent>/<subresource> (Pod/exec).
- The following fields in a generate rule are now immutable
once created: spec.rules.name, spec.rules.match,
spec.rules.exclude, spec.rules.preconditions,
spec.generate.apiVersion, spec.generate.kind,
spec.generate.namespace, spec.generate.name,
spec.generate.clone, and spec.generate.cloneList (#6328,
[#6451])
- Variables in these portions of a generate rule will now be
disallowed: clone, cloneList, generate.kind, and
generate.apiVersion (#6438)
- Generate and "mutate existing" policies, once installed, will
check to see if Kyverno has the necessary permissions to
successfully execute them. If not, Kyverno will block their
creation until the permissions are available. This is added
to bring behavior in alignment with how cleanup policies work
and provide a better UX (#6610)
- Properly enforcing that "mutate existing" rules, when
mutateExistingOnPolicyUpdate is set to true, also has
mutate.targets[] defined or else the policy creation will be
blocked (#6693)
- When a verifyImages policy is created in Audit mode, its
creation will be rejected unless mutateDigest is set to false
(#6757)
- Mutation rules which change the image field in a Pod spec and
which relied on docker.io being silently added by Kyverno
(when it was not explicitly defined in the image) will need
to be adjusted to either use the images.*.registry predefined
variable or the new normalize_image() JMESPath filter. To
address other discovered issues with mutation, Kyverno can no
longer add the default registry to the context. It will only
be accessible to internal variables and JMESPath.
- The generate.apiVersion field is now required in a generate
rule. Policies/rules without this defined will need to set
it. (#7080)
* Mon May 29 2023 kastl@b1-systems.de
- Update to version 1.9.5:
* release 1.9.5 (#7314)
* fix: tls cipher suites (#7308) (#7310)
* Thu May 25 2023 kastl@b1-systems.de
- Update to version 1.9.4:
* release 1.9.4 (#7284)
* fix latest version check (#7263) (#7266)
* Wed May 10 2023 kastl@b1-systems.de
- Update to version 1.9.3:
* feat: release 1.9.3 (#7137)
* fix conflicts (#7109)
* fix: do not pass dynamicConfig to
matchesResourceDescriptionMatchHelper (#6231) (#6242) (#6331)
* cherry-pick #6787 (#7108)
* chore: update argocd lab (#6698) (#6702)
* Wed Mar 22 2023 kastl@b1-systems.de
- Update to version 1.9.2:
* fix: skip duplicate PSa checks for the latest version (#6634)
(#6636)
* tag v1.9.2 (#6637)
* fix: add message to bypass schema validation when it fails
(#6604) (#6606)
* fix: controller duration computation (#6569) (#6574)
* release v1.9.2-rc.1 (#6536)
* fix: process audit policies when admission reports are disabled
(#6531) (#6545)
* More kuttl standard generate tests (#6332) (#6533)
* fix: increase burst (#6540)
* fix: improve reports controller default values and workers
(cherry-pick #6522) (#6532)
* Thu Mar 09 2023 kastl@b1-systems.de
- Update to version 1.9.1:
* release v1.9.1 (#6520)
* fix: missing metrics for policies in audit mode (#6509)
* fix: release (#6502)
* fix: release (#6498)
* release v1.9.1-rc.1 (#6485)
* cherry-pick #6459 (#6468)
* fix: error log (#6429) (#6437)
* check errors (#6424) (#6426)
* fix: autoUpdateWebhooks=false causes ClusterPolicy to never be
ready (#6374) (#6382)
* fix: delete certificate secret if type is not TLS
(#6368) (#6373)
* oldObject translation solved in autogen (#6305) (#6372)
* chore(deps): bump github.com/sigstore/k8s-manifest-sigstore
(cherry-pick #6320) (#6359)
* fix: dump admission response (#6349) (#6352)
* chore(deps): bump golang.org/x/net (#6344)
* fix: add roles and clusterroles when dumping admission requests
(#6319) (#6323)
* fix: use client instead of discovery for sanity checks
(cherry-pick #6296) (#6299)
* cherry-pick #6237 (#6273)
* chore: add error logs in wait for cache sync helper (#6275)
* fix: jp divide quantities (#6229) (#6232)
* Cherry-pick #6126 (#6228)
* fix: admission review variables for DELETE operations
(#6197) (#6214)
* cherry-pick #6188 (#6209)
* fix: image tagging strategy (#6200)
* Thu Feb 02 2023 kastl@b1-systems.de
- Update to version 1.9.0:
* tag v1.9.0 (#6186)
* fix: policy exception event source (#6122)
* Release v1.9.0-rc.4 (#6108)
* fix: tracing attributes length and tracer name (#6112)
* fix: cleanup-controller version (#6100) (#6105)
* fix: flag added to init container mistake (#6103)
* fix: allow deletion of namespace containing managed resources (#6098) (#6102)
* fix: flag added to init container mistake (#6103)
* Release v1.9.0-rc.3 (#6095)
* validate polex activation and namespace (#6046) (#6080)
* fix: pin busybox image tag in helm tests (#6051) (#6063)
* fix: replace + with _ in Chart.Version label field (#6047) (#6056)
* cherry-pick #6030 (#6034)
* tag v1.9.0-rc.2 (#6023)
* fix ns labels matching (#6022)
* tag v1.9.0-rc.1 (#6012)
* fix: policy match Kind case-senstive (#6010)
* fix: policy exceptions not working in background mode (#5980) (#6003)
* chore: log out cleanup policy events (#5998) (#6000)
* create failure events on errors (#5988) (#5997)
* fix: generate policy exception events (#5987) (#5996)
* cherry-pick #5920 (#5990)
* Fixes time_now failing (cherry-pick 5928) (#5991)
* create events for cleanup policies (#5982) (#5983)
* fix: invoke cleanup process during shutdown (#5974) (#5981)
* cherry-pick #5967 (#5970)
* log out deleted resources at default level (#5977) (#5978)
* fix: helm selector (#5965) (#5969)
* feat: add cluster role aggregation to cleanup controller (#5966) (#5968)
* fix chart invalid annotations (#5960) (#5963)
* tag v1.9.0-beta.2 (#5959)
* fix imageRef matching (#5956) (#5957)
* cherry-pick #5950 (#5955)
* Cherry-pick #5941 (#5952)
* fix: update policy exception CRD description (#5948) (#5951)
* chore: fix releaser badge (#5910) (#5947)
* Added a time_add() filter to add duration and absolute time (#5817) (#5946)
* fix: cleanup policies with user infos in match/exclude should be rejected (#5943) (#5944)
* test: add kuttl test for policy exception (#5935) (#5936)
* fix: missing user info matching (#5931) (#5934)
* chore: add missing gh workflow concurrency statements (#5914) (#5924)
* restrict cjs by PSS restricted checks (#5904) (#5922)
* fix: Configure webhook to add ephemeralcontainers for policies matching on Pod (#5886) (#5919)
* fix: golangci-lint workflow (#5913) (#5917)
* set resourceVersion before update (#5906) (#5916)
* fix: configure gh workflow permission (#5909) (#5915)
* chore: make check actions pinned by hash a standalone ci job (#5907) (#5911)
* feat: add violation details to report.results.properties for PSa policies (#5908) (#5912)
* Adds JMESPath filter for returning cron expression for absolute time (#5814) (#5905)
* chore: add setup test env gh action (#5897) (#5899)
* chore: add setup-build-env gh action (#5892) (#5896)
* fix cleanup var 'target.*' (#5888) (#5895)
* add kuttl assert file (#5870) (#5894)
* chore: small gh workflows improvements (#5883) (#5887)
* chore: use gh composite actions (#5885) (#5893)
* fix: Add group to subresources declaration in value.yaml file for CLI (#5881) (#5884)
* refactor: improve background scan reconciliation (#5871) (#5882)
* fix: Add subresources support to policy exceptions (#5839) (#5880)
* fix validation checks for foreach and nested foreach (#5875) (#5877)
* fix: force background scan recomputation (#5865) (#5868)
* fix: background scan events (#5807) (#5874)
* feat: cleanup enhancements-1 (cherry-pick #5796) (#5867)
* fix mutate targets variable (#5862) (#5866)
* chore: move ConvertToUnstructured from engine utils to kube utils (#5847) (#5863)
* cleanup new validate webhooks (#5851) (#5857)
* Walk back change in PSS policy to send to to_upper (#5823) (#5856)
* cherry-pick #5846 (#5855)
* feat: improve background scan reports enqueue logic (#5810) (#5853)
* chore: cleanup a couple workflows (#5844) (#5854)
* fix: improve cli help message (#5843) (#5849)
* chore: bump a couple of deps (#5840) (#5850)
* refactor: move utils into sub packages (#5828) (#5845)
* chore: add a couple unit tests (#5834) (#5842)
* chore: cleanup codecov workflow (#5829) (#5838)
* fix: enum values for ValidationFailureActionOverride (#5835) (#5836)
* fix: default value for validationFailureAction (#5832) (#5833)
* Adds JMESPath filter for returning current time (#5813) (#5831)
* add source archive checksum into the checksums.txt (#5819) (#5827)
* Adds notes to functions (#5824) (#5826)
* fix: error handling in last scan time parsing (#5808) (#5809)
* fix arguments passed to DeepEqual (#5801) (#5806)
* refactor: policy controller package (#5747) (#5803)
* enhance logging, fix pull flag description (#5797) (#5798)
* chore: switch to kyverno/kuttl (#5504) (#5794)
* fix cli output adjustments (#5787) (#5793)
* redirect stderr to get digest successfully (#5782) (#5791)
* chore: update publicKey description (#5789) (#5792)
* fix delete policy (#5776) (#5790)
* fix helm chart version (#5775)
* bump dep (#5765)
* fix image digest (#5762)
* tag v1.9.0-beta.1 (#5761)
* chore(deps): bump JasonEtco/create-an-issue from 2.8.2 to 2.9.0 (#5760)
* chore(deps): bump fluxcd/flux2 from 0.37.0 to 0.38.1 (#5759)
* chore(deps): bump actions/cache from 3.0.11 to 3.2.0 (#5758)
* refactor: move util funcs in sub packages (#5754)
* refactor: cleanup controller validating webhook (#5756)
* test: add unit test for GetResourceName util (#5752)
* refactor: auth package and add full unit test coverage (#5749)
* chore: bump deps including k8s ones (#5751)
* refactor: remove common package (#5750)
* refactor: use typed client in auth (#5743)
* refactor: remove a couple of old util funcs (#5746)
* chore: remove e2e tests (#5742)
* Issue_templates (#5741)
* chore: remove autogen internals tests (#5740)
* fix: cleanup controller image build (#5739)
* chore: build cleanup controller image (#5737)
* generate SLSA provenance on releases (#5735)
* run conformance tests on different k8s versions (#5733)
* Allows {{image}} var to be used in policies (#5122)
* refactor: split CLI jp command (#5566)
* chore: update k8s versions test grid (#5732)
* feat: add exception logic (#5712)
* fix: remove all category from all our CRDs (#5731)
* feat: force background scan regularly (#5727)
* add rule type pkg/metrics/parsers.go (#5729)
* bump Go 1.19.4 (#5728)
* Revert "chore(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.1 (#5724)" (#5725)
* chore(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.1 (#5724)
* feat: propagate psa checks results (#5719)
* fix: add back install.yaml manifest (#5721)
* refactor: supress usage of kustomize in build (#5691)
* Require predicate type (#5713)
* fix logger panic (#5715)
* fix: interface conversion panic (#5708)
* fix missing assignment (#5710)
* feat: add kuttl tests for #5704 (#5707)
* fix: allow policies from stdin in apply again (#5668)
* initialize configmap resolver in background components (#5705)
* feat: Implement PolicyException (#5680)
* fix digest and verify logic (#5703)
* fix: block policy admission if kyverno is down (#5677)
* fix info kind error (#5701)
* fix: exception validation follow up (#5697)
* chore(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#5696)
* feat: add policy exception validation webhook (#5679)
* chore(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#5695)
* chore: bump a couple of deps (#5688)
* chore(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2 (#5694)
* chore(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#5683)
* fix: bump log level for autogen debug logs (#5687)
* chore: remove deprecated flag splitPolicyReport (#5686)
* chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#5684)
* chore(deps): bump JasonEtco/create-an-issue from 2.8.1 to 2.8.2 (#5685)
* chore: remove secrets client from webhook controller (#5682)
* chore: rename exclude into match in policy exception (#5681)
* fix: case where deny message is not a string (#5678)
* feat: Introduce PolicyException CRD (#5662)
* feat: add certs controller to cleanup policies (#5671)
* chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 (#5666)
* Update version drop-downs in issue templates (#5674)
* fix AllNotIn operator (#5636)
* chore(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 (#5663)
* chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#5667)
* feat: add engine traces (#5463)
* use camel case for ForEach naming (#5660)
* feat: add metrics service and service monitor to cleanup controller (#5653)
* Support existing imagePullSecrets for image verify functionality (#5627)
* Nested foreach (#5589)
* chore(deps): bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#5652)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.1 (#5650)
* feat: add dev config with support for prom loki and tempo (#5647)
* fix: grafana dashboard (#5645)
* fix: missing permission in cleanup controller role (#5646)
* refactor: tracing package (#5643)
* added Arrikto and Trendyol as adopters (via Google Form) (#5644)
* feat: improve cleanup policies controller and chart (#5628)
* feat: add support for subresources to validating and mutating policies (#4916)
* fix: Improve helm-test workflow (#5640)
* feat: propagate context through engine (#5639)
* chore(deps): bump github/codeql-action from 2.1.35 to 2.1.36 (#5631)
* feat: add conditions matching to cleanup controller (#5626)
* fix: setup tracing and minor cleanup in tracing and metrics code (#5629)
* feat: add http clients tracing (#5630)
* chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 (#5632)
* chore(deps): bump k8s.io/cli-runtime from 0.25.4 to 0.25.5 (#5635)
* Add api docs (#5605)
* feat: use lister in registry client (#5620)
* fix: registry client not propagated correctly (#5622)
* fix: don't create orphan spans in instrumented clients (#5624)
* feat: introduce v2alpha1 (#5625)
* feat: implement cleanup policy matching (#5614)
* fix nil error panic (#5619)
* chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#5618)
* add 1.8.3 to version drop-downs (#5616)
* fix: mutation of cached object in bg scan controller (#5608)
* refactor: registry client (#5596)
* use helm values for crd labels (#5594)
* chore: bump a couple of deps (#5611)
* chore(deps): bump reviewdog/action-golangci-lint from 1.25.0 to 2.2.2 (#5603)
* chore(deps): bump azure/setup-helm from 1.1 to 3.4 (#5604)
* refactor: improve color management in cli test (#5609)
* chore: bump a couple of deps (#5610)
* chore(deps): bump CycloneDX/gh-gomod-generate-sbom from 1.0.0 to 1.1.0 (#5601)
* feat: add cleanup handler (#5576)
* chore(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 (#5602)
* Fix: handling unexpected global-anchor-variable for the apply command (#5590)
* chore: bump a couple of deps (#5593)
* fix: use lister for CA secret (#5598)
* add logging guideline (#5406)
* Delete category all from CRDs (#5557)
* refactor: update otlp packages (#5367)
* chore: bump flux action (#5578)
* chore(deps): bump aquasecurity/trivy-action from 0.2.3 to 0.8.0 (#5584)
* fix: replace + symbol with _ symbol on the Chart.Version field (#5591)
* chore(deps): bump helm/chart-testing-action from 2.0.1 to 2.3.1 (#5586)
* chore(deps): bump rajatjindal/krew-release-bot from 0.0.38 to 0.0.43 (#5588)
* chore(deps): bump ossf/scorecard-action from 2.0.4 to 2.0.6 (#5587)
* chore(deps): bump actions/setup-go from 2.1.5 to 3.4.0 (#5585)
* chore(deps): bump actions/setup-python from 2.3.1 to 4.3.0 (#5562)
* chore(deps): bump sonarsource/sonarcloud-github-action from 1.7 to 1.8 (#5563)
* chore(deps): bump codecov/codecov-action from 2.1.0 to 3.1.1 (#5573)
* chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#5559)
* adding --warn-exit-code flag (#5577)
* feat: add cleanup controller BYOSA and RBAC extensions (#5580)
* chore(deps): bump goreleaser/goreleaser-action from 2.8.0 to 3.2.0 (#5572)
* chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#5574)
* chore(deps): bump JasonEtco/create-an-issue from 2.8.0 to 2.8.1 (#5571)
* chore: disable dependabot auto rebase (#5567)
* chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 (#5560)
* refactor: jmespath arithmetic operations (#5544)
* chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.1 (#5561)
* chore(deps): bump actions/checkout from 2.4.0 to 3.1.0 (#5564)
* chore(deps): bump actions/cache from 3.0.8 to 3.0.11 (#5565)
* refactor: cli test command (#5550)
* refactor: cli jp command (#5552)
* add Wayfair to adopters (#5547)
* Kyverno CLI: added method to detect duplicate resource in kyverno test (#3612)
* To support gitURLs for "apply" command (#4502)
* issue-4613: Add support for cache enhancements with informers (#5484)
* chore(deps): bump stefanprodan/helm-gh-pages from 1.5.0 to 1.7.0 (#5534)
* chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#5532)
* chore(deps): bump github/codeql-action from 1.0.26 to 2.1.35 (#5536)
* bump slsa GH generator to 1.4.0 (#5530)
* chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 (#5535)
* chore(deps): bump sigstore/cosign-installer from 2.8.0 to 2.8.1 (#5533)
* chore: enable dependabot (#5531)
* refactor: make policy context immutable and fields private (#5523)
* configure opentelemetry logger (#5513)
* feat: support attestations with multiple signatures (#5409)
* fix: bug in report resource watcher (#5525)
* Adding Rafay Systems to Kyverno Adopters list. (#5524)
* feat: Add default CI test values for helm charts (#5518)
* feat(policies chart): Add ability to set autogen behavior (#5517)
* fix: cleanup policy validation (#5514)
* fix: pod anti affinity (#5516)
* chore: improve cleanup controller (#5509)
* feat: use admission review v1 (#5464)
* refactor: use internal cmd package in kyverno (#5507)
* chore: bump a few deps (#5512)
* chore: stop using set-output in gh actions (#5500)
* refactor: add controller helper to internal package (#5506)
* chore: use builtin slices.Clone (#5510)
* feat: add webhook type to admission metrics (#5493)
* feat: propagate context to dynamic client (#5495)
* chore: bump a couple of deps (#5503)
* feat: add controller metrics (#5494)
* fix: panic when response is nil (#5502)
* fix: report deletion fighting with garbage collection (#5486)
* feat: add dynamic client support to internal cmd package (#5477)
* Migrate all mutate e2e tests to kuttl and expand (#5491)
* chore: replace utils.ContainsString with builtin slices.Contains (#5496)
* fix: add image extractor for ReplicationController (#5497)
* refactor: move metrics closer to the code that use them (#5492)
* chore: refactor metrics namespace check (#5489)
* Migrate validate e2e tests to kuttl tests (#5483)
* Fix: handled skip rule processing in anyPattern field (#5191)
* feat: propagate context to the metrics package (#5479)
* fix: fix mutating the "/metadata/serverAddress" section of a keda.s/v1alpha1/ScaledObject object (#5374)
* feat: add allowed label to admission metrics (#5478)
* chore: bump kyverno version in argo lab (#5482)
* fix: typo in autogen package (#5480)
* chore: improve tracing instrumented clients (#5474)
* refactor: metrics configuration code (#5475)
* feat: create a policy utils package (#5473)
* Add reconciling logic for creating cronjobs whenever a new cleanup policy is created (#5385)
* feat: add new filtering handlers (#5472)
* fix: remove filtering for policy admission handlers (#5462)
* fix: add clone check before validating namespace policy (#5459)
* fix: issue when calling kustomize concurrently (#5465)
* feat: support flagsets in internal cmd package (#5461)
* chore: add instrumented clients codegen verification (#5460)
* fix: reading policies for oci command and pushing image (#5435)
* fix: admission reports stacking up (#5457)
* docs: add controllers README (#5434)
* fix: log watcher error in reports controller (#5449)
* ci: cancel redundant builds of workflow on push (#5427)
* feat: use client funcs from internal cmd package (#5443)
* docs: add reports troubleshooting tips (#5448)
* fix: argocd lab monitoring namespace (#5446)
* fix: mutate existing policy does not get applied when background=false (#5439)
* feat: add signal in internal cmd package (#5444)
* feat: improve handlers tracing code (#5442)
* chore: bump a bunch of deps (#5440)
* feat: add logging support to instrumented clients (#5438)
* feat: add discovery support in instrumented clients (#5437)
* refactor: dynamic client use instrumented clients (#5436)
* fix request.operation in globalValues is always set to CREATE (#5423)
* chore: remove obsolete metrics client code (#5401)
* refactor: improve instrumented clients code and support dynamic/metadata client (#5428)
* refactor: split argocd lab into multiple steps (#5410)
* Fix multi attestor keyless (#5432)
* Handle Match resources kind (#5421)
* udpate slsa to v1.3.0 (#5419)
* chore: bump sigstore deps (#5376)
* fix blank lines in crds (#5422)
* refactor: improve instrumented clients creation (#5417)
* logging action (#5416)
* adding --audit-warn flag (#5321)
* Update version drop-downs; bump Trivy (#5425)
* Add most basic kuttl tests for generate rules, clone and sync (#5413)
* fix: typo (#5415)
* feat: make traces better (#5412)
* refactor: introduce cmd internal package (#5404)
* refactor: generated instrumented client code part 2 (#5398)
* feat: add tracing middleware (#5397)
* Fixed issue-3709: Image verify rule gives error for non-existing configmap (#5272)
* add os.Exit (#5402)
* Complete all basic kuttl tests for generate rules, clone and no-sync (#5400)
* refactor: generate instrumented client code (#5362)
* refactor: propagate context through admission handlers (#5392)
* refactor: improve tracing package (#5391)
* [Bug]: Fix wildcard any/all issue (#5387)
* Fix incorrect step ID reference (#5388)
* fix the entry length validation for the verify image rule (#5384)
* Add more kuttl generate test cases (#5364)
* fix: set correct logger in profiling server (#5358)
* fix closed watchers in the resource-report-controller (#5350)
* fix: set logger in metrics server (#5319)
* fixed dryrun option to handle changes caused by mutating policy (#4899)
* fix: add validation for generate namespace policy (#5346)
* chore: add tempo to argocd lab (#5365)
* chore: add performance tests tool (#5241)
* fix: panic when disable metrics is true (#5366)
* feat: add CleanupPolicy validation code to CleanupPolicyHandler (#5338)
* test: simplify autogen kuttl tests (#5343)
* chore: enable json logs in argocd lab (#5349)
* fix digest variable (#5356)
* chore: add helm ci values with cleanup controller (#5357)
* fix: add some missing options in cleanup helm chart (#5351)
* add test cases for yaml verification feature (#5326)
* refactor: optimise and use kuttl TestStep with tests (#5328)
* test: add rbac kuttl test (#5337)
* Update SLSA generator workflow to v1.2.2 (#5323)
* test: add kuttl debug failure (#5339)
* fix: add replicaset and replicationController kinds in podsecurity validation (#5336)
* feat: add cleanup controller to helm chart (#5329)
* chore: remove docker support (#5324)
* chore: add cli binary to gitignore (#5331)
* test: add test to check expected webhooks are created (#5330)
* feat: add cleanup controller makefile targets (#5327)
* feat: add replicaset and replicationcontroller to autogen (#4975)
* feat: add cleanupPolicy validation code (#5279)
* fix: synchronize source resource update to clone list resource (#5317)
* allow list with policies in test (#5227)
* test: add kuttl tests for jmespath special chars (#5310)
* Fix issue where CLI test command ignores failures (#5189)
* fix: wrong logger used (#5311)
* fix: send notification when stoping watching resource in reports system (#5298)
* fix: add parsing of json pointers to support special chars (#3578 #3616) (#4767)
* fix: set rule response status as skip if precondition failed (#5162)
* Update kuttl test scaffolding (#5303)
* fix: reduce startup probe delay (#5296)
* tests: add kuttl tests for multiple clone generate (#5280)
* fix: allow delete of clone target resource with synchronize false (#5161)
* fix: image extractor kuttl tests (#5293)
* fix: check policy is ready in kuttl tests (#5286)
* fix: kuttl test external-service (#5287)
* chore: update kuttl (#5285)
* fix: make zapr compatible with klog's -v argument (#5166)
* feat: add flag to control leader election frequency (#5172)
* refactor: admission metrics (counter and latency) (#5245)
* fix: resource schema validation in policies under any/all match (#5246)
* fix: keep admission warnings (#5269)
* add test instructions (#5271)
* chore: add kuttl autogen tests (#5253)
* fix: add missing test suite to kuttl (#5268)
* fix: account for error rules in mutation webhook (#5264)
* refactor: admission response utils (#5234)
* feat: create cleanup new CRDs (#5233)
* chore: remove old conformance tests files (#5260)
* fix: add warning when using deprecated validation failure action (#5219)
* Kuttl updates (#5257)
* chore: use conditions in kuttl tests to check ready policies (#5252)
* chore: add kuttl in makefile (#5254)
* More kuttl tests (#5238)
* fix: remove unused code in config (#5242)
* feat: separate webhook rules per GVK/rule (#4986)
* fix: kyverno Dockerfile base image tag and sha256 hash (#5248)
* refactor: move all middlewares in handlers sub package (#5244)
* fix generateName mutation (#5146)
* Fix Keda policy installation issue (#5239)
* fix: remove /approve from prow actions (#5243)
* [Feature] Pin Dependencies by Hash (#5168)
* chore: add loki to argocd lab (#5231)
* Fixed description for secret name (#5228)
* feat: add grafana dashboard to helm chart (#5230)
* add remainder of e2e verifyImages tests (#5229)
* add kuttl tests (#5204)
* [BUG] Fix foreach deletion issue (#5224)
* feat: add policy label to policy reports (#5198)
* fix: too much information for the Policy Rule Execution Latency metric (#5208)
* chore: server side apply in argo lab (#5209)
* refactor: health check system (#5176)
* fix: early return in policy validation (#5200)
* feat: support disabling schema validation on the patched resource (#5197)
* fix: deletion of reports not belonging to kyverno (#5194)
* Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964)
* refactor: remove policyreport package (#5174)
* fix: use pagination to aggregate reports (#5190)
* fix: check resource version on update notification (#5179)
* fix: do not cancel context when loosing the lead (#5180)
* chore: add kind config file (#5178)
* fix: content type in log (#5177)
* feat: run leader election in loop (#5173)
* refactor: support Audit and Enforce validation failure actions (#5152)
* Corrected Kubernetes spelling (#5134)
* fix 5151 issue (#5170)
* Add ability to use commands in comments (#5154)
* fix: configure klog and global logger to use zapr in json mode (#5144)
* feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268)
* Fixed issue-5102: Show rule count and type in output (#5106)
* skip generating events on empty rule response (#5158)
* reset resource version on update (#5157)
* fix: mutation policy inconsistent patching for ephemeralContainers (#5121)
* feat: remove policy mutation for auto-gen rules (#5123)
* chore: remove old docs (#5130)
* fix finalizers mutation with patchesJson6902 (#5132)
* Add AGE in printer columns of CRDs (#5119)
* feat: oci pull/push support for policie(s) (#5026)
* feat: add categories support to our CRDs (#5112)
* Remove old version of golang.org/x/sys (#5125)
* fix: conformance tests (#5118)
* [Feature] create command line option to set failurePolicy globally (#4991)
* clean conformance (#5089)
* feat: enable/disable Debug mode which shows entire AdmissionReview payload (#5024)
* docs: separate dev and user docs (#5114)
* ci: Fix install manifests publishing with Flux (#5110)
* fix: use correct side effects in validating webhooks (#5080)
* refactor: simplify variables regex (#5075)
* feat: add flag to configure the number of background scan workers (#5088)
* fix: allow delete of target resource with synchronize false (#5081)
* ci: Use the Docker login action for GHCR auth (#5091)
* fix: handle resource cleanup when policy is deleted (#5021)
* test: add best practices policies in conformance tests (#5082)
* fix: use correct logger in webhook controller (#5083)
* feat: add simple conformance tests (#5073)
* fix: make reponse order predictable (#5079)
* added apiCalls support in kyverno-apply command (#4938)
* feat: add webhook server logger (#5063)
* fix: configure idle timeout in server (#5062)
* fix: image verification reports missing in admission mode (#5037)
* fix: setup max procs with correct logger (#5059)
* fix: detection of kyverno going down (#5055)
* fix: do not update reports when they are identical (#5056)
* fix: go routines not gracefully shut down in controllers (#5022)
* fix: account for policy/rule deletion in aggregated reports (#5048)
* Created configuration file for Openssf scorecard (#4778)
* feat: add image verification support to background scan (#5047)
* feat: add controller logger helper (#5029)
* fix env (#5046)
* fix: lease log message (#5030)
* feat: make shutdown more graceful (#5031)
* fix: lower default qps/burst (#5034)
* fix: Attempt to fix the CI failure, extract CI job push-sign-install-manifest (#5035)
* Fixed issue-4655: verifyImages is executed before mutate (#4996)
* fix: add more infos in reports printers (#5027)
* Enable adding annotations to configmaps in the helm chart (#4984)
* validate patchJSON6902 (#4469)
* remove RBACInfo check (#5015)
* fix: policy not denied when kinds set is empty (#5016)
* fix: global anchor warning (#4962)
* fix: don't process non background policies in background scan (#5008)
* fix: update policy status (#5006)
* fix: use default retry with retryfunc for a conflict (#4973)
* updates with case insensitivity guarantee (#4954)
* refactor: add update status helper (#4985)
* fix principal and role variables are not substituted (#5000)
* fix: skip admission in dry run requests (#4994)
* fix: webhooks not registering when using name override (#4992)
* feat: add metrics server and kube-prometheus-stack to argocd lab (#4995)
* feat: add startup probes support (#4896)
* feat: add policy-reporter to argocd lab (#4988)
* docs: add resource exclusions note in helm docs (#4989)
* chore: add myself in approvers (#4990)
* feat: Add container registry setting on Helm Chart (#4281)
* fix: config reloading not working correctly (#4951)
* fix: missing autogen rules in status (#4971)
* fix: add user info in admission request logs (#4969)
* fix: don't produce empty admission reports (#4966)
* fix: improve banned types management in reports (#4953)
* fix: missing watchers in resource report controller (#4967)
* chore: Push and sign install manifests to GHCR (#4895)
* Fixed issue-4530: Added separate attestor type for secrets and KMS (#4733)
* fix: admission reports printer (#4950)
* chore: bump a few deps (#4943)
* Added support to specify key signature algorithm in verifyImages (#4855)
* fix: don't report ready until certs are valid (#4934)
* Update issue templates and scan for vulns action (#4952)
* Fix background scan with request.operation (#4947)
* fix: consider generateName when matching resources (#4945)
* fix: probes should work in debug mode (#4926)
* fix: set operation in context when necessary (#4940)
* chore: add COSIGN_REPOSITORY env to ko-publish-dev step (#4922)
* fix: panic when bad variable substitution (#4928)
* feat: make cert renewer private and add server name support (#4904)
* chore: bump a couple of deps (#4925)
* [Cleanup] Disable PolicySkipped events (#4913)
* add filter for validation policies when ValidationFailureActionOverrides is used (#4809)
* chore: update controller-tools to v0.10.0 (#4918)
* fix: use constants defined in openapi controller (#4919)
* chore: signing helm releases (#4801)
* fix: openapi controller discovery (#4912)
* refactor: openapi controller part 2 (#4910)
* fix: clean background scan reports (#4908)
* fix: don't specify rules when aggregationRule is set (#4867)
* refactor: openapi controller part 1 (#4901)
* fix: remove unnecessary dependencies from tls package (#4903)
* fix: reduce webhook controller logs (#4897)
* chore: add argocd lab (#4884)
* refactor: manage webhooks with webhook controller (#4846)
* fix: auto gen enabled when using names (#4863)
* fix: non watchable resources in report controller (#4888)
* Fix result colour (#4885)
* fix: background scan labels (#4865)
* fix: hardening policy validation for generate cloneList (#4881)
* docs: add section in helm docs to install with argocd (#4878)
* fix test output numbering (#4853)
* feature: use cert extension oid as key (#4854)
* chore: add launch.json for vscode debugging (#4856)
* Add workflow to detect and report on image vulns (#4850)
* docs: add debug instructions (#4843)
* e2e test for mutate policy (#3383)
* fix: replace AbsPath with RequestURI to support query params (#4849)
* refactor: make cert manager a real controller (#4792)
* refactor: add config support to webhook controller (#4838)
* feat: use a dedicated policy metrics controller (#4818)
* chore: bump a couple of deps (#4842)
* Update PSa images dsecription (#4840)
* refactor: leader controllers management (#4832)
* fix extension checks (#4836)
* fix: call depth in logging package and global logger support for call depth (#4834)
* upgrade controller-runtime dependency (#4829)
* refactor: non leader controllers management (#4831)
* refactor: make tls cert func not depending on cert controller (#4820)
* fix: use new client in tls package (#4746)
* fix: debug mode (#4785)
* fix: add policy validation for ValidationFailureActionOverride field (#4784)
* update helm doc
* Fix CRD format issue
* Bump k8s libraries to v0.25.2
* Fix PSa the control name validation
* fix: validationFailureAction default value (#4822)
* refactor: split main into sub funcs (#4821)
* chore: use concurrent map v2 (generics) (#4803)
* fix: controllers start in loop (#4815)
* refactor: split main into sub func (#4810)
* feat: add context support to leader election (#4811)
* feat: add context funcs to logging package (#4812)
* skip succeed rules when building the blocked return message (#4804)
* fix: subject and issuer validation when attestations are present (#4786)
* refactor: split main func for metrics (#4796)
* fix: remove error prone debug field (#4794)
* chore: bump a couple of deps (#4802)
* refactor: split main into funcs (#4795)
* fix: logger panic (#4793)
* fix: publish yaml manifests in release instead of repo (#4738)
* fix: remove explicit wait for cache sync (#4791)
* Add security context and resource block to test (#4712)
* fix: new cert manager controller never returns error (#4789)
* chore: bump a few deps (#4790)
* refact:update script of generate-self-signed-cert-and-k8secrets.sh to supports custom namespace (#4758)
* refactor: introduce webhook controller (#4749)
* fix: remove reference to controller runtime log (#4779)
* refactor: more context less chans (#4764)
* Fix: Typo in x509_decode JMESPath function's note (#4773)
* fix: add workers to the controller interface (#4776)
* update cosign and k8s-manifest-sigstore (#4781)
* chore: change charts registry url (#4768)
* add package logger in files (#4766)
* fix: parse flags error handling (#4775)
* refactor: make server owner of the cleanup chan (#4765)
* refactor: use context in openapi controller (#4760)
* refactor: use context in controllers instead of chan (#4761)
* refactor: use context in dynamic client instead of chan (#4756)
* refactor: move from io/ioutil to io and os packages (#4752)
* refactor: split main in a couple of funcs and use local loggers (#4754)
* fix: helm self signed cert (#4745)
* add and use package level logger (#4750)
* fix: watch error in resource controller (#4751)
* chore: use constant in cert manager controller (#4747)
* feat: add typed client support and metrics wrapper (#4724)
* chore: speed up helm docs gen on mac (#4742)
* fix: reports not generated (#4743)
* feat: allow users enable JSON logging with a --loggingFormat=json flag (#4661)
* fix: use a single leader election (#4722)
* fix: containerd dependency vulnerability (#4629)
* Add PSa policy validations (#4735)
* Added `x509_decode` JMESPath function (#4664)
* feat: add matchlabel selector support with multiple clone (#4713)
* docs: add policy cache controller docs (#4714)
* fix: output make messages to stderr (#4727)
* feat: reports v2 implementation (#4608)
* Support PSa integration by `controlName` only (#4710)
* chore: update client code generator (#4711)
* chore: group unit and cli tests targets and separate sections (#4693)
* fix: remove deprecation notice (#4635)
* chore: enable overriding images repo (#4694)
* fix: change key used in test (#4718)
* chore: refactor manifests related makefile targets (#4706)
* fix: missing client wrapper (#4703)
* refactor: use pod name as leader id (#4680)
* fix: split webhook handlers per failure policy (#4650)
* fix: shutdown controllers workers gracefully (#4681)
* fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671)
* refactor: replace signal package by signal.NotifyContext (#4691)
* fix: jmespath random error handling (#4697)
* chore: simplify go mod (#4692)
* fix: bump net standard lib (#4685)
* fix: handle auth permission for cloneList validation (#4684)
* fix: namespaced policy not validated in engine (#4653)
* chore: bump minimum go version (#4677)
* Fix issue for wildcard versions (#4670)
* chore: publish sbom result to a different repositry from an image (#4665)
* added kubeconfig and context flag to kyverno apply (#4524)
* feat: add feature flag to disable background scan (#4638)
* feat: add explicit key support to controller utils (#4628)
* refactor: update log based on the policy types (#4646)
* refactor: split policyreport api files (#4641)
* fix: missing elements in v2beta1 api (#4654)
* refactor: add a couple of constants in api (#4640)
* feat: introduce RCR interface (#4642)
* fix: incorrect namespace in report controller (#4637)
* fix: remove RCR from mutation webhook (#4636)
* feat: add controller utils tools (#4639)
* chore: bump cosign 1.12.0 to fix vulnerabilities (#4631)
* chore: add makefile target to deploy metrics server (#4627)
* chore: add target to deploy policy reporter (#4621)
* Integrate Sonarcloud and Nancy github action (#3491)
* fix: background printer column (#4617)
* enhance jmespath random-filter (#4591)
* fix: lock in policy report mapper (#4601)
* refactor: simplify RCR creator queue (#4578)
* chore: add messages in makefile kind targets (#4588)
* refactor: info in policyreport package (#4598)
* Fix multiple crd slowness issue (#4275)
* update helm releases path (#4596)
* enable autogen for validate.podsecurity with no exclude (#4594)
* chore: add a codegen-quick makefile target (#4583)
* chore: switch to github.com/IGLOU-EU/go-wildcard (#4563)
* allow PSa validation with no exceptions (#4558)
* fix: typo (#4582)
* fix: split policy report flag (#4576)
* update version drop-down (#4579)
* chore: add toggle package unit tests (#4577)
* chore: preserve pr title in cherry picks (#4573)
* refactor: move generation handler out of webhooks package (#4570)
* refactor: move image verification handler out of webhooks package (#4569)
* refactor: move mutation handler out of webhooks package (#4567)
* refactor: move validation audit out of webhooks package (#4562)
* chore: add kocache (#4482)
* docs: add help on fetching tags (#4560)
* refactor: move validation handler out of webhooks package (#4556)
* refactor: make webhook metrics helpers static (#4554)
* add new patterns for releases (#4552)
* refactor: move webhook events utils in utils package (#4545)
* chore: add unit test for updating ur status (#4541)
* fix: defer ur update until validation passes (#4540)
* refactor: introduce ur updater (#4535)
/usr/share/bash-completion/completions/kyverno
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Apr 21 22:23:10 2026