| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: kyverno | Distribution: openSUSE:Factory:zSystems |
| Version: 1.11.3 | Vendor: openSUSE |
| Release: 1.1 | Build date: Fri Jan 5 22:03:41 2024 |
| Group: Unspecified | Build host: s390zl29 |
| Size: 197819902 | Source RPM: kyverno-1.11.3-1.1.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://github.com/kyverno/kyverno | |
| Summary: CLI and kubectl plugin for Kyverno | |
Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.
Apache-2.0
* Fri Jan 05 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.11.3:
* release 1.11.3 (#9346)
* fix: update CLI to use store for fetching regclient (#9345)
* fix: non-trigger resources should be skipped for background
policies regardless of `skipBackgroundRequests` settings
(#9333) (#9337)
* Thu Jan 04 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.11.2:
* Add Chainsaw Test for Conditional Anchor (#9295) (#9304)
* release 1.11.2 (#9302)
* fix(cli): handle excluded resources as pass (cherry-pick #9274)
(#9300)
* feat: add deprecation warnings in the CLI (#9222) (#9294)
* fix: updaterequests stuck in pending/fail infinite loop
(cherry-pick #9119) (#9293)
* chore: update chart.yaml with the changes (#9292)
* cherry-picj #9151 (#9291)
* Support more signature algorithms (#9102) (#9289)
* fix: large table row ID number format in CLI (#9281) (#9287)
* fix: remove skip increment when resource not found in cli apply
(#9282) (#9284)
* chore: disable policy library kuttl tests in 1.11 (#9259)
* fix: use http.MaxBytesReader instead of content length for API
Calls (#9265) (#9268)
* Add imagePullSecrets to post-upgrade job (#9264) (#9273)
* release v1.11.2-rc.1 (#9252)
* chore: bump k8s to 1.29 stable (release 1.11) (#9257)
* fix: convert chainsaw tests to kuttl (#9242)
* fix: bump k8s to 0.29-alpha.3 and add support for fips
endpoints in AWS authentication (cherry-pick: #9233) (#9244)
* fix launch.json (#9239) (#9245)
* cherry-pick #9230 (#9234)
* fix: add chainsaw test for mutate existing (#9210) (#9221)
* fix: add `skipBackgoundRequests` to configure loop protection
option (#9157) (#9207)
* fix: limit the trigger name to a maximum of 63 characters for
mutate existing rules (#9162) (#9195)
* fix: enable additional report printers by default (#9194)
(#9196)
* improve messages (#9168) (#9169)
* fix: add tolerations and affinity to the post-upgrate hook
(#9156) (#9164)
* fix: allow changes to preexisting resource in violation of a
policy in Enforce (#9027) (#9139)
* (cherry-pick) Fix Helm chart to not error when replicas defined
(#9066) (#9073)
* fix: add nodeSelector to the reports cleanup helm hook (#9065)
(#9069)
* fix: ttl cleanup not working with cluster wide resources
(#9060) (#9063)
* Wed Nov 29 2023 kastl@b1-systems.de
- Update to version 1.11.1:
* release 1.11.1 (#9039)
* fix: cleanup older policy reports (#9026) (#9035)
* fix: use validate.message in case there is no message
associated with the CEL expression (#9025)
* Remove var check (#8990) (#9024)
* fix: use the default namespace in case --namespace isn't set in
kyverno create exception (#9022)
* fix: remove the additional dash in kyverno create exception
(#9021)
* fix: use v2beta1 version of exceptions in kyverno create CLI
(#9020)
* fix: delete VAPs in case Kyverno policies can't be translated
(#8887) (#9019)
* fix: block mutation only when failurePolicy is set to fail
(#8952) (#8986)
* fix: update KeysAreMissing() to ignore negations in resource
(#8953) (#8982)
* feat: add checks for max response size in API Call (#8957)
(#8971)
* Revert "fix(chart): only create ServiceMonitor if cluster
supports it (#7926)" (#8913) (#8931)
* correct typo in README for Kyverno 1.10+ (#8911) (#8927)
* Add policyKind option to kyverno-policies chart (#8827) (#8923)
* chore(deps): bump
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
from 0.45.0 to 0.46.0 (#8893) (#8897)
* Close reponse right after succesful request (#8894) (#8896)
* Reduced verbosity of admission request filter INFO log message
(#8712) (#8882)
* Thu Nov 16 2023 kastl@b1-systems.de
- Update to version 1.11.0:
* Breaking (Potentially) ❗
- Policy Reports are now created on a per-resource basis and
using a UID as the name rather than the previous behavior of
per-policy. This may be a breaking change if you relied upon
either of these attributes in previous versions. This change
has the benefit of putting less pressure on the Kubernetes
API server and less storage cost on etcd.
- In accordance with Cosign 2.0 updates, the Rekor URL is now
required in a policy. The url field may be empty ("") but
must be specified even if you've opted not to store
signatures in a Rekor instance. Users upgrading from Kyverno
v1.10 to v1.11 who have image verification policies using
cosign will have to explicitly disable Tlogs and SCT
verification in their policy using the rekor.ignoreTlogs and
ctlog.IgnoreSCT fields if they did not use Rekor while
signing the image.
* Added
- Context variables are now supported in cleanup policies
(#6084)
- Introduced ability to cleanup resources based upon assignment
of a new reserved label cleanup.kyverno.io/ttl (#7821, #8096,
[#8128], #8660)
- ValidatingAdmissionPolicies (VAP) can now be tested in the
Kyverno CLI in both test and apply commands (#6656)
- ValidatingAdmissionPolicies can be generated/managed by
Kyverno when a compatible validate.cel rule is created
(#7840, #8219)
- Generate Policy Reports for VAPs (#8135)
- Kyverno validate rules can now be written using CEL
expressions, including auto-gen support (#7859, #8024, #8071,
[#8084], #8098, #8099, #8196)
- Added a new field in a policy at spec.admission which, when
set to false, allows policies to work in background-only mode
(#6666)
- Added a new field under verifyImages rules called
imageRegistryCredentials which allows flexible, easier
configuration of credentials for image registries including
defining the required credential helpers (#7114)
- Added new caching of image signature verifications (#7890,
[#7969])
- New lookup() JMESPath filter (#7136)
- New round() JMESPath filter (#7489)
- Support for Cosign 2.0 (#7248, #8521)
- Added an auth checker interface from Kyverno Playground
(#7323)
- Added a check for digest mismatch in verifyImages rules
(#8443)
- Added new ability to more finely control configuration of
metrics (#8569)
- Added an --aggregateReports flag to the reports controller to
enable/disable aggregated reports (#7475)
- Events are now created in the events.k8s.io/v1 API group and
version (#7673)
- Generate rules now support using server-side apply via the
field spec.useServerSideApply (#7705)
- Added CLI API schema for test command (#8422, #8438, #8439,
see also Changed below)
- Added new create commands to the Kyverno CLI used to easily
create the various resources needed for testing (#7778,
[#7779], #7780, #7781, #7782, #8160)
- Added new Kyverno CLI docs command to generate CLI
documentation (#8179, #8180, #8181, #8191, #8193, #8200,
[#8259])
- Added Kyverno CLI experimental fix command (#8213, #8404)
- Added support for wildcards in CLI test command (#8216)
- Kyverno CLI now has experimental validation of policies being
tested (#8384, #8406, #8410)
- Added ability to test supported ValidatingAdmissionPolicies
(VAP) variables in both Kyverno CLI test and apply commands
(#8182)
- Kyverno is now tested against and uses libraries from
Kubernetes version 1.28 (#8036, #8037)
- Kyverno now supports configuring matchConditions in webhooks
(Kubernetes 1.27+) (#8042)
- Wildcards now work in subject statements in match/exclude
(#8068)
- Added variables support for Kyverno validate.cel policies
(#8103, #8113)
- Added CTLogs verification to Cosign (#8130, #8166)
- New metric of type Meter is added for the TTL cleanup manager
with attributes resource_group, resource_version, and
resource_resource (#8134)
- Added ability to configure TUF when using a custom Sigstore
implementation (#8385)
- Added ability to disable TUF when used in air-gapped
environments (#8509)
- Helm
- Added API priority and fairness resources to the Kyverno
chart (FlowSchema and PriorityLevelConfiguration) (#7468)
- Added ability to set security contexts for the webhook
cleanup Pod (#7970)
- Added Helm secret size check to CI to detect of the current
chart size exceeds the Helm secret size limit (#8195)
- Allow resourceNames on extraResources for the cleanup
controller (#8307)
- Added a global image registry value (#8625)
* Changed
- Policy Exceptions and Cleanup Policies graduated from alpha
API to beta (#8594, #8609, #8621, #8378, #8587)
- Policy Exceptions are now enabled by default (#8545)
- Policy Reports are changed to be generated per-resource
rather than per-policy, and intermediary aggregated reports
are expunged immediately (#8426)
- Schema validation will no longer be done on patterns
(including internal validation for mutate rules) obviating
the need for spec.schemaValidation. We will deprecate and
remove this field in a future version (#8538)
- Cleanup policies no longer use CronJobs to invoke the cleanup
action. This is all handled internally now (#8526, #8529,
[#8531])
- Kyverno CLI test command has been refactored and includes a
formal test manifest schema (#8422, #6871, #6942, #7995,
[#8145], #8163, #8168, #8177, #8189, #8212, #8387, and more)
- Kyverno CLI apply command now has a nice tabular output
format (#7757)
- Kyverno CLI apply now shows failure messages when a result
fails (#7758)
- Kyverno CLI --compact flag has been renamed to
- -detailed-results (#7937)
- Kyverno CLI the --set flag can be used to set a variable for
multiple input resources rather than just one (#7984)
- Kyverno CLI certain more "internal" flags will no longer be
hidden (#8077)
- Refactored JSON patches to use structure instead of byte
arrays (#7186)
- Deprecated the --imageSignatureRepository container flag. Use
verifyImages.Repository in a policy definition instead
(#7391)
- Replaced the internal package used to apply JSON patches.
This resulted in some fixes and slight behavioral changes
(#7401, #7452)
- The policies.kyverno.io/last-applied-patches annotation upon
successful mutation has been removed (#7438)
- RBAC has been hardened for a couple controllers to better
follow least privileges (#7626, #7634, #7638, #8083)
- The images variable ({{ images }}) can be used correctly in a
policy (#7787)
- Use a new custom keychains from Flux package preventing some
timeouts (#7908)
- Allow overriding CA and TLS secret names which store the
Kyverno certificates (#8137)
- Replaced CLI manifest commands by create command (#8165)
- Kyverno CLI test command has been extended to support
multiple paths (#8247)
- The remainder of match/excludewill be skipped if
theoperations[]` do not match (#8324)
- Helm
- The Grafana dashboard has been moved to its own subchart in
an effort to reduce the size of the main Kyverno chart
(#8619)
- Kyverno CRDs have been moved to a subchart for the same
reason (#8623)
- Updated the Chart metadata so the minimum version is
correctly aligned with that of Kyverno itself (#8708)
* Fixed
- Abort pattern validation earlier when processing can occur
(#7307)
- Fixed an issue when testing for mutations using foreach
(#7396)
- Fixed not validating that subject kinds were on the allowed
list (#7582)
- Fixed a panic when certain environment variables weren't
passed to the controllers (#7613)
- Fixed the missing severity type when generating a policy
report (#7974)
- Fixed adding server name into TLS certs when running Kyverno
with --serverIP flag (#8053)
- Fixed an issue which prevented mutation of policy report
resources (#8080)
- Fixed a crash when using an unquoted null (#8081)
- Fixed indefinitely retry for the mutateExisting rule by
applying the retry limit (#8100)
- Fixed nil-dereferences by adding mocks to unit tests (#8102)
- Fixed TLS cert renewal when the CA cert is deleted (#8114)
- Fixed a nil dereference in validate.podSecurity subrules
(#8271)
- Fixed an issue where generating an empty kind would be
allowed (#8332)
- Fixed/improved some logs (#8442, #8673)
- Fixed a couple issues impacting generate rules when a trigger
or clone source resource name exceeded 63 characeters (#8466)
- Fixed an issue where Kyverno would modify reports it didn't
own (#8502)
- Fixed an image cache panic issue (#8512)
- Fixed an issue preventing creation of ClusterAdmissionReports
if the resource had a colon in the name (#8530)
- Kyverno CLI: fixed using the --fail-only flag in the test
command now exits properly upon failed tests (#7717)
- Kyverno CLI: fixed logging failure (#8110)
* Mon Nov 13 2023 kastl@b1-systems.de
- Update to version 1.10.5:
* Release 1.10.5 (#8881)
* feat: add GHSA-vfp6-jrw2-99g9 fixes in cosign v1.13.1 (#8870)
* fixL upgrade cosign installer version in release 1.10 and use
cosign 1.13.1 (#8813)
* chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.0
(#8809) (#8811)
* Wed Nov 01 2023 kastl@b1-systems.de
- Update to version 1.10.4:
* release-1.10.4 (#8799)
* fix: backport CVE fixes (#8798)
* Tue Sep 05 2023 kastl@b1-systems.de
- Update to version 1.10.3:
* release 1.10.3 (#8006)
* fix: return err in load data (#7982) (#7983)
* release: bump chart versions (#7933)
* fix(chart): only create ServiceMonitor if cluster supports it
(#7926) (#7931)
* Tue Aug 01 2023 kastl@b1-systems.de
- Update to version 1.10.2:
* release 1.10.2 (#7928)
* bug: add severity and category in cluster policy report (#7828)
(#7922)
* refactor: remove obsolete structs from CLI (#6802)
(cherry-pick) (#7921)
* feat: add events for successful generation (#7550) (#7804)
* cherry-pick #7888 (#7920)
* Feat: cloneList rule validation (#7823) (#7914)
* refactor: remove manual keychain refresh from client (#7806)
(#7917)
* cherry-pick #7774 (#7915)
* fix(policy chart): Skip DELETE requests on policies using deny
statements (#7883) (#7900)
* Modified annotation matching during rollback (#7752) (#7894)
* fix log level (#7877) (#7881)
* Added log message for API call failures (#7834), cherry picked
(#7880)
* feat(chart) Add configurations for cleanup jobs and webhooks
(#7871) (#7875)
* policy validation: fix assignment to entry in nil map (#7874)
(#7876)
* feat: skip schema validation for CRD (#7869) (#7873)
* fix: namespace label matching for Namespace (#7837) (#7870)
* fix: ignore tekton/pipeline (#7858) (#7863)
* fix type confusion in policy validation (#7857) (#7862)
* feat: enable operator boolean comparison (#7847) (#7860)
* Add nodeSelector for cleanupJob CronJob resources (#7851)
(#7855)
* cherry-pick kyverno#7810 (#7822)
* cherry-pick #7800 (#7819)
* feat: allow pod labels for cleanup jobs (#7808) (#7809)
* fix: aggregated admission report not updated correctly (#7798)
(#7799)
* Update Chart README migration guide with 1.10.1 updates (#7770)
* Thu Jul 06 2023 kastl@b1-systems.de
- Update to version 1.10.1:
* release 1.10.1 (#7762)
* feat: Add option to add imagePullSecrets to cleanup CronJobs
(#7730) (#7732)
* fix: remove show goreleaser version step (#7712)
* fix: release signing (#7711)
* fix goreleaser version (#7707)
* fix: lock schema manager when updating it (#7704) (#7706)
* release v1.10.1-rc.1 (#7701)
* fix: customizable tracer configuration (#7644) (#7700)
* fix: Swap any/all in the error message. (#7688) (#7696)
* Fix deferred loading (#7597) (#7694)
* fix: image verification (#7652) (#7692)
* feat: add lazy loading feature flag (#7680) (#7691)
* refactor: migrate context loaders (part 2) from #7597 (#7677)
(#7690)
* fix: cleanup controller rbac (#7669) (#7679)
* refactor: migrate context loaders (part 1) from #7597 (#7676)
(#7678)
* refactor: add specific loaders from #7597 (#7671) (#7675)
* feat: add cluster select and relabling config for
ServiceMonitors (#7659) (#7674)
* chore bump (#7666)
* fix: auth checks with the APIVersion and the subresource
(#7628) (#7641)
* enable webhook clean up (#7633) (#7637)
* fix: update the flag descriptions of the reports-controller
(#7617) (#7621)
* Add nancy-ignore to make it pass with current dependencies
(#7590) (#7602)
* fix: make configuring max procs not exit in case of error
(#7588) (#7591)
* fix: deletion mismatch for the generate policy (#7579) (#7606)
* fix: autogen not working correctly with cronjob conditions
(#7571) (#7604)
* reduce sleep duration for generate kuttl tests (#7589) (#7603)
* fix: CLI tests (#7596) (#7601)
* fix: background image verification not working (#7564) (#7570)
* feat: sign released artifacts (#7478) (#7560)
* feat: cleanup jobs resources (#7337) (#7559)
* Fix: Error cause is missing (#7563) (#7565)
* fix: recursive lazy loading (#7552) (#7562)
* fix: autogen not generating the correct kind (#7455) (#7561)
* feat: obey the order field in patchStrategicMerge method
(#7336) (#7558)
* fix: Delete downstream objects on precondition fail (#7496)
(#7549)
* fix: update kyverno admission-controller role to have delete
verb for… (#7527) (#7544)
* fix: add type conversion error judgment to avoid program panic
(#6526) (#7534)
* refactor: generate reconciliation on policy updates (#7531)
(#7533)
* fix: Remove ownerReferences when cloning across Namespaces
(#7517) (#7523)
* fix: misleading error message in deny conditions (#7503)
(#7520)
* fix: log level initialisation (#7515) (#7522)
* add debug env BACKGROUND_SCAN_INTERVAL (#7504) (#7519)
* fix: target scope validation for the generate rule (#7479)
(#7518)
* fix: cloneList sync behavior (#7466) (#7514)
* fix: log kind/namespace/name in scan errors (#7498) (#7500)
* fix (#7473) (#7477)
* fix: image pull secrets in admission controller (#7474) (#7476)
* fix: rule name not required in the crd schema (#7464) (#7465)
* fix: add missing webhook timeouts (#7435) (#7467)
* fix: the same source cannot be used for multiple targets with a
generate clone rule (#7436) (#7454)
* fix flaky tests (#7460) (#7461)
* fixed typo in admission controller chart template (#7440)
(#7442)
* fix: error reported when sanity check fails (#7439) (#7441)
* fix: exceptions not considered on delete (#7433) (#7437)
* fix: helm template for cleanup jobs image (#7430) (#7434)
* fix: array element removal should be synced to the downstream
resource with a generate data sync rule (#7417) (#7432)
* fix: reports discovery error (#7428) (#7431)
* feat: hold custom labels (#7416) (#7419)
* update migration guide with generate guidance (#7409) (#7410)
* fix: missing extraEnvVars in helm chart (#7403) (#7407)
* Fix: [Bug] The default field in a context variable does not
replace nil results (#7251) (#7400)
* fix mutate targets validation (#7387) (#7399)
* Remove policy validation prevent loop for generate (#7388)
(#7398)
* Allow setting verbs for clusterrole extraresources on
backgroundController (#7380) (#7392)
* fix: missing/incorrect env variables (#7383) (#7389)
* Add missing delete verb to admission cleanup clusterrole
(#7375) (#7384)
* fix: permission validation message (#7362) (#7371)
* feat(cronjobs): Enable podAnnotations on CronJobs (#7366)
(#7370)
* fix: protect managed resource not considering other components
(#7363) (#7367)
* fix: helm migration guide (#7360) (#7364)
* feat: cleanup job tolerations (#7331) (#7351)
* fix: flaky kuttl test add-external-secret-prefix (#7338)
(#7343)
* Add scaling testing instructions (#7295) (#7348)
* chore: new helm chart version (#7349)
* fix: config map name in helm chart (#7341) (#7342)
* fix: panic in background reports (#7332) (#7334)
* Tue May 30 2023 Johannes Kastl <kastl@b1-systems.de>
- BuildRequire go1.20
- add completion subpackages for bash, zsh and fish shells
* Tue May 30 2023 kastl@b1-systems.de
- Update to version 1.10.0:
Kyverno 1.10 is a huge release which brings breaking changes in
both the application and Helm chart. Please read these release
notes carefully!
* Major features:
- Split the main Kyverno Deployment into 3 separate
controllers/Deployments
- Intra-cluster Service calls
- Notary v2 support
- Major reworking of generate and "mutate existing" policies
* Breaking changes
- This release separates Kyverno into its 3 main components:
admission controller, reporting controller, and background
controller. As a result, there is no direct upgrade path from
previous versions. When deploying with Helm, we recommend
either backing up and restoring Kyverno policies (kubectl get
pol,cpol,cleanpol,ccleanpol,polex -A > backup.yaml) or
scaling the Kyverno deployment(s) to zero first. Policy
reports will be regenerated from existing resources when
policies are reinstalled. Regardless of the option, this
upgrade should be performed in a maintenance window as there
will be downtime involved.
- As a result of this decomposition, aggregated ClusterRoles
may need to be updated to use the new label values depending
on the controller which requires those permissions.
- Policies which matched on some types of subresources (such as
PodExecOptions) will need to be updated to use the
standardized form of <parent>/<subresource> (Pod/exec).
- The following fields in a generate rule are now immutable
once created: spec.rules.name, spec.rules.match,
spec.rules.exclude, spec.rules.preconditions,
spec.generate.apiVersion, spec.generate.kind,
spec.generate.namespace, spec.generate.name,
spec.generate.clone, and spec.generate.cloneList (#6328,
[#6451])
- Variables in these portions of a generate rule will now be
disallowed: clone, cloneList, generate.kind, and
generate.apiVersion (#6438)
- Generate and "mutate existing" policies, once installed, will
check to see if Kyverno has the necessary permissions to
successfully execute them. If not, Kyverno will block their
creation until the permissions are available. This is added
to bring behavior in alignment with how cleanup policies work
and provide a better UX (#6610)
- Properly enforcing that "mutate existing" rules, when
mutateExistingOnPolicyUpdate is set to true, also has
mutate.targets[] defined or else the policy creation will be
blocked (#6693)
- When a verifyImages policy is created in Audit mode, its
creation will be rejected unless mutateDigest is set to false
(#6757)
- Mutation rules which change the image field in a Pod spec and
which relied on docker.io being silently added by Kyverno
(when it was not explicitly defined in the image) will need
to be adjusted to either use the images.*.registry predefined
variable or the new normalize_image() JMESPath filter. To
address other discovered issues with mutation, Kyverno can no
longer add the default registry to the context. It will only
be accessible to internal variables and JMESPath.
- The generate.apiVersion field is now required in a generate
rule. Policies/rules without this defined will need to set
it. (#7080)
* Mon May 29 2023 kastl@b1-systems.de
- Update to version 1.9.5:
* release 1.9.5 (#7314)
* fix: tls cipher suites (#7308) (#7310)
* Thu May 25 2023 kastl@b1-systems.de
- Update to version 1.9.4:
* release 1.9.4 (#7284)
* fix latest version check (#7263) (#7266)
* Wed May 10 2023 kastl@b1-systems.de
- Update to version 1.9.3:
* feat: release 1.9.3 (#7137)
* fix conflicts (#7109)
* fix: do not pass dynamicConfig to
matchesResourceDescriptionMatchHelper (#6231) (#6242) (#6331)
* cherry-pick #6787 (#7108)
* chore: update argocd lab (#6698) (#6702)
* Wed Mar 22 2023 kastl@b1-systems.de
- Update to version 1.9.2:
* fix: skip duplicate PSa checks for the latest version (#6634)
(#6636)
* tag v1.9.2 (#6637)
* fix: add message to bypass schema validation when it fails
(#6604) (#6606)
* fix: controller duration computation (#6569) (#6574)
* release v1.9.2-rc.1 (#6536)
* fix: process audit policies when admission reports are disabled
(#6531) (#6545)
* More kuttl standard generate tests (#6332) (#6533)
* fix: increase burst (#6540)
* fix: improve reports controller default values and workers
(cherry-pick #6522) (#6532)
* Thu Mar 09 2023 kastl@b1-systems.de
- Update to version 1.9.1:
* release v1.9.1 (#6520)
* fix: missing metrics for policies in audit mode (#6509)
* fix: release (#6502)
* fix: release (#6498)
* release v1.9.1-rc.1 (#6485)
* cherry-pick #6459 (#6468)
* fix: error log (#6429) (#6437)
* check errors (#6424) (#6426)
* fix: autoUpdateWebhooks=false causes ClusterPolicy to never be
ready (#6374) (#6382)
* fix: delete certificate secret if type is not TLS
(#6368) (#6373)
* oldObject translation solved in autogen (#6305) (#6372)
* chore(deps): bump github.com/sigstore/k8s-manifest-sigstore
(cherry-pick #6320) (#6359)
* fix: dump admission response (#6349) (#6352)
* chore(deps): bump golang.org/x/net (#6344)
* fix: add roles and clusterroles when dumping admission requests
(#6319) (#6323)
* fix: use client instead of discovery for sanity checks
(cherry-pick #6296) (#6299)
* cherry-pick #6237 (#6273)
* chore: add error logs in wait for cache sync helper (#6275)
* fix: jp divide quantities (#6229) (#6232)
* Cherry-pick #6126 (#6228)
* fix: admission review variables for DELETE operations
(#6197) (#6214)
* cherry-pick #6188 (#6209)
* fix: image tagging strategy (#6200)
* Thu Feb 02 2023 kastl@b1-systems.de
- Update to version 1.9.0:
* tag v1.9.0 (#6186)
* fix: policy exception event source (#6122)
* Release v1.9.0-rc.4 (#6108)
* fix: tracing attributes length and tracer name (#6112)
* fix: cleanup-controller version (#6100) (#6105)
* fix: flag added to init container mistake (#6103)
* fix: allow deletion of namespace containing managed resources (#6098) (#6102)
* fix: flag added to init container mistake (#6103)
* Release v1.9.0-rc.3 (#6095)
* validate polex activation and namespace (#6046) (#6080)
* fix: pin busybox image tag in helm tests (#6051) (#6063)
* fix: replace + with _ in Chart.Version label field (#6047) (#6056)
* cherry-pick #6030 (#6034)
* tag v1.9.0-rc.2 (#6023)
* fix ns labels matching (#6022)
* tag v1.9.0-rc.1 (#6012)
* fix: policy match Kind case-senstive (#6010)
* fix: policy exceptions not working in background mode (#5980) (#6003)
* chore: log out cleanup policy events (#5998) (#6000)
* create failure events on errors (#5988) (#5997)
* fix: generate policy exception events (#5987) (#5996)
* cherry-pick #5920 (#5990)
* Fixes time_now failing (cherry-pick 5928) (#5991)
* create events for cleanup policies (#5982) (#5983)
* fix: invoke cleanup process during shutdown (#5974) (#5981)
* cherry-pick #5967 (#5970)
* log out deleted resources at default level (#5977) (#5978)
* fix: helm selector (#5965) (#5969)
* feat: add cluster role aggregation to cleanup controller (#5966) (#5968)
* fix chart invalid annotations (#5960) (#5963)
* tag v1.9.0-beta.2 (#5959)
* fix imageRef matching (#5956) (#5957)
* cherry-pick #5950 (#5955)
* Cherry-pick #5941 (#5952)
* fix: update policy exception CRD description (#5948) (#5951)
* chore: fix releaser badge (#5910) (#5947)
* Added a time_add() filter to add duration and absolute time (#5817) (#5946)
* fix: cleanup policies with user infos in match/exclude should be rejected (#5943) (#5944)
* test: add kuttl test for policy exception (#5935) (#5936)
* fix: missing user info matching (#5931) (#5934)
* chore: add missing gh workflow concurrency statements (#5914) (#5924)
* restrict cjs by PSS restricted checks (#5904) (#5922)
* fix: Configure webhook to add ephemeralcontainers for policies matching on Pod (#5886) (#5919)
* fix: golangci-lint workflow (#5913) (#5917)
* set resourceVersion before update (#5906) (#5916)
* fix: configure gh workflow permission (#5909) (#5915)
* chore: make check actions pinned by hash a standalone ci job (#5907) (#5911)
* feat: add violation details to report.results.properties for PSa policies (#5908) (#5912)
* Adds JMESPath filter for returning cron expression for absolute time (#5814) (#5905)
* chore: add setup test env gh action (#5897) (#5899)
* chore: add setup-build-env gh action (#5892) (#5896)
* fix cleanup var 'target.*' (#5888) (#5895)
* add kuttl assert file (#5870) (#5894)
* chore: small gh workflows improvements (#5883) (#5887)
* chore: use gh composite actions (#5885) (#5893)
* fix: Add group to subresources declaration in value.yaml file for CLI (#5881) (#5884)
* refactor: improve background scan reconciliation (#5871) (#5882)
* fix: Add subresources support to policy exceptions (#5839) (#5880)
* fix validation checks for foreach and nested foreach (#5875) (#5877)
* fix: force background scan recomputation (#5865) (#5868)
* fix: background scan events (#5807) (#5874)
* feat: cleanup enhancements-1 (cherry-pick #5796) (#5867)
* fix mutate targets variable (#5862) (#5866)
* chore: move ConvertToUnstructured from engine utils to kube utils (#5847) (#5863)
* cleanup new validate webhooks (#5851) (#5857)
* Walk back change in PSS policy to send to to_upper (#5823) (#5856)
* cherry-pick #5846 (#5855)
* feat: improve background scan reports enqueue logic (#5810) (#5853)
* chore: cleanup a couple workflows (#5844) (#5854)
* fix: improve cli help message (#5843) (#5849)
* chore: bump a couple of deps (#5840) (#5850)
* refactor: move utils into sub packages (#5828) (#5845)
* chore: add a couple unit tests (#5834) (#5842)
* chore: cleanup codecov workflow (#5829) (#5838)
* fix: enum values for ValidationFailureActionOverride (#5835) (#5836)
* fix: default value for validationFailureAction (#5832) (#5833)
* Adds JMESPath filter for returning current time (#5813) (#5831)
* add source archive checksum into the checksums.txt (#5819) (#5827)
* Adds notes to functions (#5824) (#5826)
* fix: error handling in last scan time parsing (#5808) (#5809)
* fix arguments passed to DeepEqual (#5801) (#5806)
* refactor: policy controller package (#5747) (#5803)
* enhance logging, fix pull flag description (#5797) (#5798)
* chore: switch to kyverno/kuttl (#5504) (#5794)
* fix cli output adjustments (#5787) (#5793)
* redirect stderr to get digest successfully (#5782) (#5791)
* chore: update publicKey description (#5789) (#5792)
* fix delete policy (#5776) (#5790)
* fix helm chart version (#5775)
* bump dep (#5765)
* fix image digest (#5762)
* tag v1.9.0-beta.1 (#5761)
* chore(deps): bump JasonEtco/create-an-issue from 2.8.2 to 2.9.0 (#5760)
* chore(deps): bump fluxcd/flux2 from 0.37.0 to 0.38.1 (#5759)
* chore(deps): bump actions/cache from 3.0.11 to 3.2.0 (#5758)
* refactor: move util funcs in sub packages (#5754)
* refactor: cleanup controller validating webhook (#5756)
* test: add unit test for GetResourceName util (#5752)
* refactor: auth package and add full unit test coverage (#5749)
* chore: bump deps including k8s ones (#5751)
* refactor: remove common package (#5750)
* refactor: use typed client in auth (#5743)
* refactor: remove a couple of old util funcs (#5746)
* chore: remove e2e tests (#5742)
* Issue_templates (#5741)
* chore: remove autogen internals tests (#5740)
* fix: cleanup controller image build (#5739)
* chore: build cleanup controller image (#5737)
* generate SLSA provenance on releases (#5735)
* run conformance tests on different k8s versions (#5733)
* Allows {{image}} var to be used in policies (#5122)
* refactor: split CLI jp command (#5566)
* chore: update k8s versions test grid (#5732)
* feat: add exception logic (#5712)
* fix: remove all category from all our CRDs (#5731)
* feat: force background scan regularly (#5727)
* add rule type pkg/metrics/parsers.go (#5729)
* bump Go 1.19.4 (#5728)
* Revert "chore(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.1 (#5724)" (#5725)
* chore(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.1 (#5724)
* feat: propagate psa checks results (#5719)
* fix: add back install.yaml manifest (#5721)
* refactor: supress usage of kustomize in build (#5691)
* Require predicate type (#5713)
* fix logger panic (#5715)
* fix: interface conversion panic (#5708)
* fix missing assignment (#5710)
* feat: add kuttl tests for #5704 (#5707)
* fix: allow policies from stdin in apply again (#5668)
* initialize configmap resolver in background components (#5705)
* feat: Implement PolicyException (#5680)
* fix digest and verify logic (#5703)
* fix: block policy admission if kyverno is down (#5677)
* fix info kind error (#5701)
* fix: exception validation follow up (#5697)
* chore(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#5696)
* feat: add policy exception validation webhook (#5679)
* chore(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#5695)
* chore: bump a couple of deps (#5688)
* chore(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2 (#5694)
* chore(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#5683)
* fix: bump log level for autogen debug logs (#5687)
* chore: remove deprecated flag splitPolicyReport (#5686)
* chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#5684)
* chore(deps): bump JasonEtco/create-an-issue from 2.8.1 to 2.8.2 (#5685)
* chore: remove secrets client from webhook controller (#5682)
* chore: rename exclude into match in policy exception (#5681)
* fix: case where deny message is not a string (#5678)
* feat: Introduce PolicyException CRD (#5662)
* feat: add certs controller to cleanup policies (#5671)
* chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 (#5666)
* Update version drop-downs in issue templates (#5674)
* fix AllNotIn operator (#5636)
* chore(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 (#5663)
* chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#5667)
* feat: add engine traces (#5463)
* use camel case for ForEach naming (#5660)
* feat: add metrics service and service monitor to cleanup controller (#5653)
* Support existing imagePullSecrets for image verify functionality (#5627)
* Nested foreach (#5589)
* chore(deps): bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#5652)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.1 (#5650)
* feat: add dev config with support for prom loki and tempo (#5647)
* fix: grafana dashboard (#5645)
* fix: missing permission in cleanup controller role (#5646)
* refactor: tracing package (#5643)
* added Arrikto and Trendyol as adopters (via Google Form) (#5644)
* feat: improve cleanup policies controller and chart (#5628)
* feat: add support for subresources to validating and mutating policies (#4916)
* fix: Improve helm-test workflow (#5640)
* feat: propagate context through engine (#5639)
* chore(deps): bump github/codeql-action from 2.1.35 to 2.1.36 (#5631)
* feat: add conditions matching to cleanup controller (#5626)
* fix: setup tracing and minor cleanup in tracing and metrics code (#5629)
* feat: add http clients tracing (#5630)
* chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 (#5632)
* chore(deps): bump k8s.io/cli-runtime from 0.25.4 to 0.25.5 (#5635)
* Add api docs (#5605)
* feat: use lister in registry client (#5620)
* fix: registry client not propagated correctly (#5622)
* fix: don't create orphan spans in instrumented clients (#5624)
* feat: introduce v2alpha1 (#5625)
* feat: implement cleanup policy matching (#5614)
* fix nil error panic (#5619)
* chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#5618)
* add 1.8.3 to version drop-downs (#5616)
* fix: mutation of cached object in bg scan controller (#5608)
* refactor: registry client (#5596)
* use helm values for crd labels (#5594)
* chore: bump a couple of deps (#5611)
* chore(deps): bump reviewdog/action-golangci-lint from 1.25.0 to 2.2.2 (#5603)
* chore(deps): bump azure/setup-helm from 1.1 to 3.4 (#5604)
* refactor: improve color management in cli test (#5609)
* chore: bump a couple of deps (#5610)
* chore(deps): bump CycloneDX/gh-gomod-generate-sbom from 1.0.0 to 1.1.0 (#5601)
* feat: add cleanup handler (#5576)
* chore(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 (#5602)
* Fix: handling unexpected global-anchor-variable for the apply command (#5590)
* chore: bump a couple of deps (#5593)
* fix: use lister for CA secret (#5598)
* add logging guideline (#5406)
* Delete category all from CRDs (#5557)
* refactor: update otlp packages (#5367)
* chore: bump flux action (#5578)
* chore(deps): bump aquasecurity/trivy-action from 0.2.3 to 0.8.0 (#5584)
* fix: replace + symbol with _ symbol on the Chart.Version field (#5591)
* chore(deps): bump helm/chart-testing-action from 2.0.1 to 2.3.1 (#5586)
* chore(deps): bump rajatjindal/krew-release-bot from 0.0.38 to 0.0.43 (#5588)
* chore(deps): bump ossf/scorecard-action from 2.0.4 to 2.0.6 (#5587)
* chore(deps): bump actions/setup-go from 2.1.5 to 3.4.0 (#5585)
* chore(deps): bump actions/setup-python from 2.3.1 to 4.3.0 (#5562)
* chore(deps): bump sonarsource/sonarcloud-github-action from 1.7 to 1.8 (#5563)
* chore(deps): bump codecov/codecov-action from 2.1.0 to 3.1.1 (#5573)
* chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#5559)
* adding --warn-exit-code flag (#5577)
* feat: add cleanup controller BYOSA and RBAC extensions (#5580)
* chore(deps): bump goreleaser/goreleaser-action from 2.8.0 to 3.2.0 (#5572)
* chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#5574)
* chore(deps): bump JasonEtco/create-an-issue from 2.8.0 to 2.8.1 (#5571)
* chore: disable dependabot auto rebase (#5567)
* chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 (#5560)
* refactor: jmespath arithmetic operations (#5544)
* chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.1 (#5561)
* chore(deps): bump actions/checkout from 2.4.0 to 3.1.0 (#5564)
* chore(deps): bump actions/cache from 3.0.8 to 3.0.11 (#5565)
* refactor: cli test command (#5550)
* refactor: cli jp command (#5552)
* add Wayfair to adopters (#5547)
* Kyverno CLI: added method to detect duplicate resource in kyverno test (#3612)
* To support gitURLs for "apply" command (#4502)
* issue-4613: Add support for cache enhancements with informers (#5484)
* chore(deps): bump stefanprodan/helm-gh-pages from 1.5.0 to 1.7.0 (#5534)
* chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#5532)
* chore(deps): bump github/codeql-action from 1.0.26 to 2.1.35 (#5536)
* bump slsa GH generator to 1.4.0 (#5530)
* chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 (#5535)
* chore(deps): bump sigstore/cosign-installer from 2.8.0 to 2.8.1 (#5533)
* chore: enable dependabot (#5531)
* refactor: make policy context immutable and fields private (#5523)
* configure opentelemetry logger (#5513)
* feat: support attestations with multiple signatures (#5409)
* fix: bug in report resource watcher (#5525)
* Adding Rafay Systems to Kyverno Adopters list. (#5524)
* feat: Add default CI test values for helm charts (#5518)
* feat(policies chart): Add ability to set autogen behavior (#5517)
* fix: cleanup policy validation (#5514)
* fix: pod anti affinity (#5516)
* chore: improve cleanup controller (#5509)
* feat: use admission review v1 (#5464)
* refactor: use internal cmd package in kyverno (#5507)
* chore: bump a few deps (#5512)
* chore: stop using set-output in gh actions (#5500)
* refactor: add controller helper to internal package (#5506)
* chore: use builtin slices.Clone (#5510)
* feat: add webhook type to admission metrics (#5493)
* feat: propagate context to dynamic client (#5495)
* chore: bump a couple of deps (#5503)
* feat: add controller metrics (#5494)
* fix: panic when response is nil (#5502)
* fix: report deletion fighting with garbage collection (#5486)
* feat: add dynamic client support to internal cmd package (#5477)
* Migrate all mutate e2e tests to kuttl and expand (#5491)
* chore: replace utils.ContainsString with builtin slices.Contains (#5496)
* fix: add image extractor for ReplicationController (#5497)
* refactor: move metrics closer to the code that use them (#5492)
* chore: refactor metrics namespace check (#5489)
* Migrate validate e2e tests to kuttl tests (#5483)
* Fix: handled skip rule processing in anyPattern field (#5191)
* feat: propagate context to the metrics package (#5479)
* fix: fix mutating the "/metadata/serverAddress" section of a keda.s/v1alpha1/ScaledObject object (#5374)
* feat: add allowed label to admission metrics (#5478)
* chore: bump kyverno version in argo lab (#5482)
* fix: typo in autogen package (#5480)
* chore: improve tracing instrumented clients (#5474)
* refactor: metrics configuration code (#5475)
* feat: create a policy utils package (#5473)
* Add reconciling logic for creating cronjobs whenever a new cleanup policy is created (#5385)
* feat: add new filtering handlers (#5472)
* fix: remove filtering for policy admission handlers (#5462)
* fix: add clone check before validating namespace policy (#5459)
* fix: issue when calling kustomize concurrently (#5465)
* feat: support flagsets in internal cmd package (#5461)
* chore: add instrumented clients codegen verification (#5460)
* fix: reading policies for oci command and pushing image (#5435)
* fix: admission reports stacking up (#5457)
* docs: add controllers README (#5434)
* fix: log watcher error in reports controller (#5449)
* ci: cancel redundant builds of workflow on push (#5427)
* feat: use client funcs from internal cmd package (#5443)
* docs: add reports troubleshooting tips (#5448)
* fix: argocd lab monitoring namespace (#5446)
* fix: mutate existing policy does not get applied when background=false (#5439)
* feat: add signal in internal cmd package (#5444)
* feat: improve handlers tracing code (#5442)
* chore: bump a bunch of deps (#5440)
* feat: add logging support to instrumented clients (#5438)
* feat: add discovery support in instrumented clients (#5437)
* refactor: dynamic client use instrumented clients (#5436)
* fix request.operation in globalValues is always set to CREATE (#5423)
* chore: remove obsolete metrics client code (#5401)
* refactor: improve instrumented clients code and support dynamic/metadata client (#5428)
* refactor: split argocd lab into multiple steps (#5410)
* Fix multi attestor keyless (#5432)
* Handle Match resources kind (#5421)
* udpate slsa to v1.3.0 (#5419)
* chore: bump sigstore deps (#5376)
* fix blank lines in crds (#5422)
* refactor: improve instrumented clients creation (#5417)
* logging action (#5416)
* adding --audit-warn flag (#5321)
* Update version drop-downs; bump Trivy (#5425)
* Add most basic kuttl tests for generate rules, clone and sync (#5413)
* fix: typo (#5415)
* feat: make traces better (#5412)
* refactor: introduce cmd internal package (#5404)
* refactor: generated instrumented client code part 2 (#5398)
* feat: add tracing middleware (#5397)
* Fixed issue-3709: Image verify rule gives error for non-existing configmap (#5272)
* add os.Exit (#5402)
* Complete all basic kuttl tests for generate rules, clone and no-sync (#5400)
* refactor: generate instrumented client code (#5362)
* refactor: propagate context through admission handlers (#5392)
* refactor: improve tracing package (#5391)
* [Bug]: Fix wildcard any/all issue (#5387)
* Fix incorrect step ID reference (#5388)
* fix the entry length validation for the verify image rule (#5384)
* Add more kuttl generate test cases (#5364)
* fix: set correct logger in profiling server (#5358)
* fix closed watchers in the resource-report-controller (#5350)
* fix: set logger in metrics server (#5319)
* fixed dryrun option to handle changes caused by mutating policy (#4899)
* fix: add validation for generate namespace policy (#5346)
* chore: add tempo to argocd lab (#5365)
* chore: add performance tests tool (#5241)
* fix: panic when disable metrics is true (#5366)
* feat: add CleanupPolicy validation code to CleanupPolicyHandler (#5338)
* test: simplify autogen kuttl tests (#5343)
* chore: enable json logs in argocd lab (#5349)
* fix digest variable (#5356)
* chore: add helm ci values with cleanup controller (#5357)
* fix: add some missing options in cleanup helm chart (#5351)
* add test cases for yaml verification feature (#5326)
* refactor: optimise and use kuttl TestStep with tests (#5328)
* test: add rbac kuttl test (#5337)
* Update SLSA generator workflow to v1.2.2 (#5323)
* test: add kuttl debug failure (#5339)
* fix: add replicaset and replicationController kinds in podsecurity validation (#5336)
* feat: add cleanup controller to helm chart (#5329)
* chore: remove docker support (#5324)
* chore: add cli binary to gitignore (#5331)
* test: add test to check expected webhooks are created (#5330)
* feat: add cleanup controller makefile targets (#5327)
* feat: add replicaset and replicationcontroller to autogen (#4975)
* feat: add cleanupPolicy validation code (#5279)
* fix: synchronize source resource update to clone list resource (#5317)
* allow list with policies in test (#5227)
* test: add kuttl tests for jmespath special chars (#5310)
* Fix issue where CLI test command ignores failures (#5189)
* fix: wrong logger used (#5311)
* fix: send notification when stoping watching resource in reports system (#5298)
* fix: add parsing of json pointers to support special chars (#3578 #3616) (#4767)
* fix: set rule response status as skip if precondition failed (#5162)
* Update kuttl test scaffolding (#5303)
* fix: reduce startup probe delay (#5296)
* tests: add kuttl tests for multiple clone generate (#5280)
* fix: allow delete of clone target resource with synchronize false (#5161)
* fix: image extractor kuttl tests (#5293)
* fix: check policy is ready in kuttl tests (#5286)
* fix: kuttl test external-service (#5287)
* chore: update kuttl (#5285)
* fix: make zapr compatible with klog's -v argument (#5166)
* feat: add flag to control leader election frequency (#5172)
* refactor: admission metrics (counter and latency) (#5245)
* fix: resource schema validation in policies under any/all match (#5246)
* fix: keep admission warnings (#5269)
* add test instructions (#5271)
* chore: add kuttl autogen tests (#5253)
* fix: add missing test suite to kuttl (#5268)
* fix: account for error rules in mutation webhook (#5264)
* refactor: admission response utils (#5234)
* feat: create cleanup new CRDs (#5233)
* chore: remove old conformance tests files (#5260)
* fix: add warning when using deprecated validation failure action (#5219)
* Kuttl updates (#5257)
* chore: use conditions in kuttl tests to check ready policies (#5252)
* chore: add kuttl in makefile (#5254)
* More kuttl tests (#5238)
* fix: remove unused code in config (#5242)
* feat: separate webhook rules per GVK/rule (#4986)
* fix: kyverno Dockerfile base image tag and sha256 hash (#5248)
* refactor: move all middlewares in handlers sub package (#5244)
* fix generateName mutation (#5146)
* Fix Keda policy installation issue (#5239)
* fix: remove /approve from prow actions (#5243)
* [Feature] Pin Dependencies by Hash (#5168)
* chore: add loki to argocd lab (#5231)
* Fixed description for secret name (#5228)
* feat: add grafana dashboard to helm chart (#5230)
* add remainder of e2e verifyImages tests (#5229)
* add kuttl tests (#5204)
* [BUG] Fix foreach deletion issue (#5224)
* feat: add policy label to policy reports (#5198)
* fix: too much information for the Policy Rule Execution Latency metric (#5208)
* chore: server side apply in argo lab (#5209)
* refactor: health check system (#5176)
* fix: early return in policy validation (#5200)
* feat: support disabling schema validation on the patched resource (#5197)
* fix: deletion of reports not belonging to kyverno (#5194)
* Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964)
* refactor: remove policyreport package (#5174)
* fix: use pagination to aggregate reports (#5190)
* fix: check resource version on update notification (#5179)
* fix: do not cancel context when loosing the lead (#5180)
* chore: add kind config file (#5178)
* fix: content type in log (#5177)
* feat: run leader election in loop (#5173)
* refactor: support Audit and Enforce validation failure actions (#5152)
* Corrected Kubernetes spelling (#5134)
* fix 5151 issue (#5170)
* Add ability to use commands in comments (#5154)
* fix: configure klog and global logger to use zapr in json mode (#5144)
* feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268)
* Fixed issue-5102: Show rule count and type in output (#5106)
* skip generating events on empty rule response (#5158)
* reset resource version on update (#5157)
* fix: mutation policy inconsistent patching for ephemeralContainers (#5121)
* feat: remove policy mutation for auto-gen rules (#5123)
* chore: remove old docs (#5130)
* fix finalizers mutation with patchesJson6902 (#5132)
* Add AGE in printer columns of CRDs (#5119)
* feat: oci pull/push support for policie(s) (#5026)
* feat: add categories support to our CRDs (#5112)
* Remove old version of golang.org/x/sys (#5125)
* fix: conformance tests (#5118)
* [Feature] create command line option to set failurePolicy globally (#4991)
* clean conformance (#5089)
* feat: enable/disable Debug mode which shows entire AdmissionReview payload (#5024)
* docs: separate dev and user docs (#5114)
* ci: Fix install manifests publishing with Flux (#5110)
* fix: use correct side effects in validating webhooks (#5080)
* refactor: simplify variables regex (#5075)
* feat: add flag to configure the number of background scan workers (#5088)
* fix: allow delete of target resource with synchronize false (#5081)
* ci: Use the Docker login action for GHCR auth (#5091)
* fix: handle resource cleanup when policy is deleted (#5021)
* test: add best practices policies in conformance tests (#5082)
* fix: use correct logger in webhook controller (#5083)
* feat: add simple conformance tests (#5073)
* fix: make reponse order predictable (#5079)
* added apiCalls support in kyverno-apply command (#4938)
* feat: add webhook server logger (#5063)
* fix: configure idle timeout in server (#5062)
* fix: image verification reports missing in admission mode (#5037)
* fix: setup max procs with correct logger (#5059)
* fix: detection of kyverno going down (#5055)
* fix: do not update reports when they are identical (#5056)
* fix: go routines not gracefully shut down in controllers (#5022)
* fix: account for policy/rule deletion in aggregated reports (#5048)
* Created configuration file for Openssf scorecard (#4778)
* feat: add image verification support to background scan (#5047)
* feat: add controller logger helper (#5029)
* fix env (#5046)
* fix: lease log message (#5030)
* feat: make shutdown more graceful (#5031)
* fix: lower default qps/burst (#5034)
* fix: Attempt to fix the CI failure, extract CI job push-sign-install-manifest (#5035)
* Fixed issue-4655: verifyImages is executed before mutate (#4996)
* fix: add more infos in reports printers (#5027)
* Enable adding annotations to configmaps in the helm chart (#4984)
* validate patchJSON6902 (#4469)
* remove RBACInfo check (#5015)
* fix: policy not denied when kinds set is empty (#5016)
* fix: global anchor warning (#4962)
* fix: don't process non background policies in background scan (#5008)
* fix: update policy status (#5006)
* fix: use default retry with retryfunc for a conflict (#4973)
* updates with case insensitivity guarantee (#4954)
* refactor: add update status helper (#4985)
* fix principal and role variables are not substituted (#5000)
* fix: skip admission in dry run requests (#4994)
* fix: webhooks not registering when using name override (#4992)
* feat: add metrics server and kube-prometheus-stack to argocd lab (#4995)
* feat: add startup probes support (#4896)
* feat: add policy-reporter to argocd lab (#4988)
* docs: add resource exclusions note in helm docs (#4989)
* chore: add myself in approvers (#4990)
* feat: Add container registry setting on Helm Chart (#4281)
* fix: config reloading not working correctly (#4951)
* fix: missing autogen rules in status (#4971)
* fix: add user info in admission request logs (#4969)
* fix: don't produce empty admission reports (#4966)
* fix: improve banned types management in reports (#4953)
* fix: missing watchers in resource report controller (#4967)
* chore: Push and sign install manifests to GHCR (#4895)
* Fixed issue-4530: Added separate attestor type for secrets and KMS (#4733)
* fix: admission reports printer (#4950)
* chore: bump a few deps (#4943)
* Added support to specify key signature algorithm in verifyImages (#4855)
* fix: don't report ready until certs are valid (#4934)
* Update issue templates and scan for vulns action (#4952)
* Fix background scan with request.operation (#4947)
* fix: consider generateName when matching resources (#4945)
* fix: probes should work in debug mode (#4926)
* fix: set operation in context when necessary (#4940)
* chore: add COSIGN_REPOSITORY env to ko-publish-dev step (#4922)
* fix: panic when bad variable substitution (#4928)
* feat: make cert renewer private and add server name support (#4904)
* chore: bump a couple of deps (#4925)
* [Cleanup] Disable PolicySkipped events (#4913)
* add filter for validation policies when ValidationFailureActionOverrides is used (#4809)
* chore: update controller-tools to v0.10.0 (#4918)
* fix: use constants defined in openapi controller (#4919)
* chore: signing helm releases (#4801)
* fix: openapi controller discovery (#4912)
* refactor: openapi controller part 2 (#4910)
* fix: clean background scan reports (#4908)
* fix: don't specify rules when aggregationRule is set (#4867)
* refactor: openapi controller part 1 (#4901)
* fix: remove unnecessary dependencies from tls package (#4903)
* fix: reduce webhook controller logs (#4897)
* chore: add argocd lab (#4884)
* refactor: manage webhooks with webhook controller (#4846)
* fix: auto gen enabled when using names (#4863)
* fix: non watchable resources in report controller (#4888)
* Fix result colour (#4885)
* fix: background scan labels (#4865)
* fix: hardening policy validation for generate cloneList (#4881)
* docs: add section in helm docs to install with argocd (#4878)
* fix test output numbering (#4853)
* feature: use cert extension oid as key (#4854)
* chore: add launch.json for vscode debugging (#4856)
* Add workflow to detect and report on image vulns (#4850)
* docs: add debug instructions (#4843)
* e2e test for mutate policy (#3383)
* fix: replace AbsPath with RequestURI to support query params (#4849)
* refactor: make cert manager a real controller (#4792)
* refactor: add config support to webhook controller (#4838)
* feat: use a dedicated policy metrics controller (#4818)
* chore: bump a couple of deps (#4842)
* Update PSa images dsecription (#4840)
* refactor: leader controllers management (#4832)
* fix extension checks (#4836)
* fix: call depth in logging package and global logger support for call depth (#4834)
* upgrade controller-runtime dependency (#4829)
* refactor: non leader controllers management (#4831)
* refactor: make tls cert func not depending on cert controller (#4820)
* fix: use new client in tls package (#4746)
* fix: debug mode (#4785)
* fix: add policy validation for ValidationFailureActionOverride field (#4784)
* update helm doc
* Fix CRD format issue
* Bump k8s libraries to v0.25.2
* Fix PSa the control name validation
* fix: validationFailureAction default value (#4822)
* refactor: split main into sub funcs (#4821)
* chore: use concurrent map v2 (generics) (#4803)
* fix: controllers start in loop (#4815)
* refactor: split main into sub func (#4810)
* feat: add context support to leader election (#4811)
* feat: add context funcs to logging package (#4812)
* skip succeed rules when building the blocked return message (#4804)
* fix: subject and issuer validation when attestations are present (#4786)
* refactor: split main func for metrics (#4796)
* fix: remove error prone debug field (#4794)
* chore: bump a couple of deps (#4802)
* refactor: split main into funcs (#4795)
* fix: logger panic (#4793)
* fix: publish yaml manifests in release instead of repo (#4738)
* fix: remove explicit wait for cache sync (#4791)
* Add security context and resource block to test (#4712)
* fix: new cert manager controller never returns error (#4789)
* chore: bump a few deps (#4790)
* refact:update script of generate-self-signed-cert-and-k8secrets.sh to supports custom namespace (#4758)
* refactor: introduce webhook controller (#4749)
* fix: remove reference to controller runtime log (#4779)
* refactor: more context less chans (#4764)
* Fix: Typo in x509_decode JMESPath function's note (#4773)
* fix: add workers to the controller interface (#4776)
* update cosign and k8s-manifest-sigstore (#4781)
* chore: change charts registry url (#4768)
* add package logger in files (#4766)
* fix: parse flags error handling (#4775)
* refactor: make server owner of the cleanup chan (#4765)
* refactor: use context in openapi controller (#4760)
* refactor: use context in controllers instead of chan (#4761)
* refactor: use context in dynamic client instead of chan (#4756)
* refactor: move from io/ioutil to io and os packages (#4752)
* refactor: split main in a couple of funcs and use local loggers (#4754)
* fix: helm self signed cert (#4745)
* add and use package level logger (#4750)
* fix: watch error in resource controller (#4751)
* chore: use constant in cert manager controller (#4747)
* feat: add typed client support and metrics wrapper (#4724)
* chore: speed up helm docs gen on mac (#4742)
* fix: reports not generated (#4743)
* feat: allow users enable JSON logging with a --loggingFormat=json flag (#4661)
* fix: use a single leader election (#4722)
* fix: containerd dependency vulnerability (#4629)
* Add PSa policy validations (#4735)
* Added `x509_decode` JMESPath function (#4664)
* feat: add matchlabel selector support with multiple clone (#4713)
* docs: add policy cache controller docs (#4714)
* fix: output make messages to stderr (#4727)
* feat: reports v2 implementation (#4608)
* Support PSa integration by `controlName` only (#4710)
* chore: update client code generator (#4711)
* chore: group unit and cli tests targets and separate sections (#4693)
* fix: remove deprecation notice (#4635)
* chore: enable overriding images repo (#4694)
* fix: change key used in test (#4718)
* chore: refactor manifests related makefile targets (#4706)
* fix: missing client wrapper (#4703)
* refactor: use pod name as leader id (#4680)
* fix: split webhook handlers per failure policy (#4650)
* fix: shutdown controllers workers gracefully (#4681)
* fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671)
* refactor: replace signal package by signal.NotifyContext (#4691)
* fix: jmespath random error handling (#4697)
* chore: simplify go mod (#4692)
* fix: bump net standard lib (#4685)
* fix: handle auth permission for cloneList validation (#4684)
* fix: namespaced policy not validated in engine (#4653)
* chore: bump minimum go version (#4677)
* Fix issue for wildcard versions (#4670)
* chore: publish sbom result to a different repositry from an image (#4665)
* added kubeconfig and context flag to kyverno apply (#4524)
* feat: add feature flag to disable background scan (#4638)
* feat: add explicit key support to controller utils (#4628)
* refactor: update log based on the policy types (#4646)
* refactor: split policyreport api files (#4641)
* fix: missing elements in v2beta1 api (#4654)
* refactor: add a couple of constants in api (#4640)
* feat: introduce RCR interface (#4642)
* fix: incorrect namespace in report controller (#4637)
* fix: remove RCR from mutation webhook (#4636)
* feat: add controller utils tools (#4639)
* chore: bump cosign 1.12.0 to fix vulnerabilities (#4631)
* chore: add makefile target to deploy metrics server (#4627)
* chore: add target to deploy policy reporter (#4621)
* Integrate Sonarcloud and Nancy github action (#3491)
* fix: background printer column (#4617)
* enhance jmespath random-filter (#4591)
* fix: lock in policy report mapper (#4601)
* refactor: simplify RCR creator queue (#4578)
* chore: add messages in makefile kind targets (#4588)
* refactor: info in policyreport package (#4598)
* Fix multiple crd slowness issue (#4275)
* update helm releases path (#4596)
* enable autogen for validate.podsecurity with no exclude (#4594)
* chore: add a codegen-quick makefile target (#4583)
* chore: switch to github.com/IGLOU-EU/go-wildcard (#4563)
* allow PSa validation with no exceptions (#4558)
* fix: typo (#4582)
* fix: split policy report flag (#4576)
* update version drop-down (#4579)
* chore: add toggle package unit tests (#4577)
* chore: preserve pr title in cherry picks (#4573)
* refactor: move generation handler out of webhooks package (#4570)
* refactor: move image verification handler out of webhooks package (#4569)
* refactor: move mutation handler out of webhooks package (#4567)
* refactor: move validation audit out of webhooks package (#4562)
* chore: add kocache (#4482)
* docs: add help on fetching tags (#4560)
* refactor: move validation handler out of webhooks package (#4556)
* refactor: make webhook metrics helpers static (#4554)
* add new patterns for releases (#4552)
* refactor: move webhook events utils in utils package (#4545)
* chore: add unit test for updating ur status (#4541)
* fix: defer ur update until validation passes (#4540)
* refactor: introduce ur updater (#4535)
* Tue Dec 20 2022 kastl@b1-systems.de
- Update to version 1.8.5:
* release v1.8.5 (#5726)
* tag v1.8.5-rc.1 (#5718)
* Cherry-pick Require predicate type (#5717)
* cherry-pick: fix digest and verify logic (#5706)
* fix: interface conversion panic (#5708) (#5711)
* Delete category all from CRDs (cherry-pick #5557) (#5709)
* Fri Dec 09 2022 kastl@b1-systems.de
- Update to version 1.8.4:
* release v1.8.4 (#5638)
* tag v1.8.4-rc.1 (#5623)
* fix nil error panic (#5619) (#5621)
* fix: mutation of cached object in bg scan controller (#5608) (#5613)
* Tue Dec 06 2022 kastl@b1-systems.de
- Update to version 1.8.3:
* tag v1.8.3 (#5579)
* tag v1.8.3-rc.2 (#5529)
* feat: support attestations with multiple signatures (cherry-pick #5409) (#5528)
* logging action (#5416) (#5527)
* fix: bug in report resource watcher (#5525) (#5526)
* feat: Add default CI test values for helm charts (#5518) (#5521)
* feat(policies chart): Add ability to set autogen behavior (#5517) (#5520)
* tag 1.8.3-rc.1 (#5508)
* fix: report deletion fighting with garbage collection (#5486) (#5501)
* Migrate all mutate e2e tests to kuttl and expand (#5491) (#5499)
* Cherry-pick ff9328809b62097895b99d866d0d3c6d6a801ae9 (#5488)
* fix: fix mutating the "/metadata/serverAddress" section of a keda.s/v1alpha1/ScaledObject object (#5374) (#5487)
* fix: typo in autogen package (#5480) (#5481)
* fix: add clone check before validating namespace policy (#5459) (#5471)
* fix: issue when calling kustomize concurrently (cherry-pick #5465) (#5470)
* fix: admission reports stacking up (#5457) (#5467)
* fix: log watcher error in reports controller (#5449) (#5455)
* Handle Match resources kind (#5421) (#5450)
* fix: mutate existing policy does not get applied when background=false (#5439) (#5447)
* Fix multi attestor keyless (#5432) (#5433)
* fix validationFailureAction case in kuttl tests (#5426)
* Add most basic kuttl tests for generate rules, clone and sync (#5413) (#5424)
* Mon Nov 21 2022 kastl@b1-systems.de
- Update to version 1.8.2:
* Tag v1.8.2 (#5418)
* tag v1.8.2-rc.2 (#5408)
* Fixed issue-3709: Image verify rule gives error for non-existing configmap (#5272) (#5407)
* add os.Exit (#5402) (#5405)
* Complete all basic kuttl tests for generate rules, clone and no-sync (#5400) (#5403)
* tag v1.8.2-rc.1 (#5393)
* [Bug]: Fix wildcard any/all issue (#5387) (#5390)
* fix: enable policy validation for the verifyImage rule (#5383)
* fix: set logger in metrics server (#5319) (#5377)
* Add more kuttl generate test cases (#5364) (#5382)
* test: add rbac kuttl test (#5337) (#5380)
* fix: set correct logger in profiling server (#5358) (#5381)
* fix closed watchers in the resource-report-controller (#5350) (#5378)
* fix: add validation for generate namespace policy (#5346) (#5373)
* fixed dryrun option to handle changes caused by mutating policy (#4899) (#5375)
* add test cases for yaml verification feature (#5326) (#5372)
* chore: add tempo to argocd lab (#5365) (#5370)
* chore: add performance tests tool (#5241) (#5369)
* fix: panic when disable metrics is true (#5366) (#5368)
* chore: enable json logs in argocd lab (#5349) (#5359)
* refactor: optimise and use kuttl TestStep with tests (#5328) (#5353)
* test: add kuttl debug failure (#5339) (#5341)
* chore: add cli binary to gitignore (#5331) (#5333)
* test: add test to check expected webhooks are created (#5330) (#5332)
* fix: synchronize source resource update to clone list resource (#5317) (#5320)
* Fix issue where CLI test command ignores failures (#5189) (#5313)
* fix: add parsing of json pointers to support special chars (#3578 #3616) (#4767) (#5315)
* test: add kuttl tests for jmespath special chars (#5310) (#5316)
* fix: wrong logger used (#5311) (#5314)
* chore: Fix policy installation issue (cherry-pick #5239) (#5308)
* fix: reduce startup probe delay (#5296) (#5302)
* fix: send notification when stoping watching resource in reports system (#5298) (#5309)
* fix: set rule response status as skip if precondition failed (#5162) (#5306)
* Update kuttl test scaffolding (#5303) (#5304)
* tests: add kuttl tests for multiple clone generate (#5280) (#5299)
* add a note to 1.8.2-rc1 release (#5291)
* fix: allow delete of clone target resource with synchronize false (#5161) (#5297)
* fix: check policy is ready in kuttl tests (#5286) (#5292)
* fix: image extractor kuttl tests (#5293) (#5295)
* fix: kuttl test external-service (#5287) (#5290)
* chore: update kuttl (#5285) (#5288)
* refactor: admission metrics (counter and latency) (#5245) (#5282)
* chore: use conditions in kuttl tests to check ready policies (#5252) (#5281)
* fix: make zapr compatible with klog's -v argument (#5166) (#5283)
* fix: keep admission warnings (#5269) (#5275)
* chore: add kuttl autogen tests (#5253) (#5274)
* fix: add missing test suite to kuttl (#5268) (#5273)
* fix: early return in policy validation (cherry-pick #5200) (#5213)
* chore: remove old conformance tests files (#5260) (#5263)
* fix: account for error rules in mutation webhook (#5264) (#5267)
* refactor: admission response utils (#5234) (#5265)
* chore: add kuttl in makefile (#5254) (#5258)
* Kuttl updates (#5257) (#5261)
* More kuttl tests (#5238) (#5259)
* add remainder of e2e verifyImages tests (#5229) (#5256)
* add kuttl tests (cherry-pick #5204) (#5255)
* refactor: move all middlewares in handlers sub package (cherry-pick #5244) (#5250)
* chore: add loki to argocd lab (#5231) (#5240)
* feat: add grafana dashboard to helm chart (#5230) (#5232)
* feat: add policy label to policy reports (#5198) (#5225)
* Merge 396593d8997f218270a398e18e956d892f004bc3 into b3c5a9c74165d573aab9928dd8ac1187e8d8fc3a (#5216)
* chore: server side apply in argo lab (#5209) (#5210)
* refactor: health check system (#5176) (#5207)
* feat: support disabling schema validation on the patched resource (#5197) (#5206)
* Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964) (#5195)
* fix: deletion of reports not belonging to kyverno (#5194) (#5196)
* fix: use pagination to aggregate reports (#5190) (#5192)
* fix: check resource version on update notification (#5179) (#5186)
* chore: add kind config file (#5178) (#5183)
* fix: content type in log (#5177) (#5182)
* fix: configure klog and global logger to use zapr in json mode (#5144) (#5181)
* skip generating events on empty rule response (#5158) (#5160)
* reset resource version on update (#5157) (#5159)
* feat: add categories support to our CRDs (#5112) (#5137)
* fix: mutation policy inconsistent patching for ephemeralContainers (#5121) (#5145)
* Fixed issue-4655: verifyImages is executed before mutate (#4996) (#5143)
* fix finalizers mutation with patchesJson6902 (#5132) (#5135)
* Tue Oct 25 2022 kastl@b1-systems.de
- Update to version 1.8.1:
* Tag v1.8.1 (#5133)
* Tag v1.8.1-rc.4 (#5128)
* remove the empty add entry in Hehlm chart manifest (#5127)
* Remove old version of golang.org/x/sys (#5125) (#5126)
* docs: separate dev and user docs (cherry-pick #5114) (#5117)
* ci: Fix install manifests publishing with Flux (#5110) (#5111)
* Tag v1.8.1-rc.3 (#5108)
* fix: use correct side effects in validating webhooks (#5080) (#5105)
* refactor: simplify variables regex (#5075) (#5104)
* fix: allow delete of target resource with synchronize false (#5081) (#5095)
* test: add best practices policies in conformance tests (#5082) (#5097)
* fix: use correct logger in webhook controller (#5083) (#5098)
* feat: add flag to configure the number of background scan workers (#5088) (#5096)
* ci: Use the Docker login action for GHCR auth (#5091) (#5094)
* fix: handle resource cleanup when policy is deleted (#5021) (#5093)
* Cherry pick 5035, 5046 (#5090)
* fix: make reponse order predictable (#5079) (#5087)
* feat: add simple conformance tests (#5073) (#5086)
* feat: add webhook server logger (#5063) (#5085)
* release 1.8.1-rc.2 (#5072)
* fix: image verification reports missing in admission mode (cherry-pick #5037) (#5066)
* fix: configure idle timeout in server (#5062) (#5067)
* fix: setup max procs with correct logger (#5059) (#5065)
* fix: do not update reports when they are identical (#5056) (#5061)
* fix: detection of kyverno going down (#5055) (#5064)
* fix: go routines not gracefully shut down in controllers (#5022) (#5060)
* fix: account for policy/rule deletion in aggregated reports (#5048) (#5058)
* feat: add metrics server and kube-prometheus-stack to argocd lab (#4995) (#5052)
* feat: add image verification support to background scan (#5047) (#5049)
* feat: add controller logger helper (#5029) (#5050)
* feat: add policy-reporter to argocd lab (#4988) (#5051)
* feat: make shutdown more graceful (#5031) (#5040)
* Enable adding annotations to configmaps in the helm chart (#4984) (#5039)
* fix: wrong controller logger names (#5043)
* chore: add argocd lab (#4884) (#5041)
* fix: lease log message (#5030) (#5045)
* fix: lower default qps/burst (#5034) (#5038)
* fix: add more infos in reports printers (#5027) (#5033)
* Tag v1.8.1-rc1 (#5020)
* remove RBACInfo check (#5015) (#5019)
* fix: policy not denied when kinds set is empty (#5016) (#5017)
* fix: global anchor warning (#4962) (#5013)
* feat: add startup probes support (#4896) (#5012)
* fix: webhooks not registering when using name override (#4992) (#5010)
* fix: don't process non background policies in background scan (#5008) (#5009)
* fix principal and role variables are not substituted (#5000) (#5001)
* fix: update policy status (#5006) (#5007)
* fix: use default retry with retryfunc for a conflict (#4973) (#5005)
* updates with case insensitivity guarantee (#4954) (#5003)
* refactor: add update status helper (#4985) (#5002)
* fix: skip admission in dry run requests (#4994) (#4999)
* fix: improve banned types management in reports (#4953) (#4997)
* docs: add resource exclusions note in helm docs (#4989) (#4993)
* feat: Add container registry setting on Helm Chart (cherry-pick #4281) (#4987)
* fix: config reloading not working correctly (#4951) (#4982)
* fix: missing autogen rules in status (#4971) (#4978)
* fix: missing watchers in resource report controller (#4967) (#4974)
* fix: add user info in admission request logs (#4969) (#4976)
* fix: don't produce empty admission reports (#4966) (#4972)
* chore: Push and sign install manifests to GHCR (#4895) (#4970)
* fix: admission reports printer (#4950) (#4961)
* fix: consider generateName when matching resources (#4945) (#4960)
* chore: bump a few deps (#4943) (#4958)
* fix: don't report ready until certs are valid (#4934) (#4957)
* Fix background scan with request.operation (#4947) (#4949)
* fix: probes should work in debug mode (#4926) (#4944)
* fix: set operation in context when necessary (#4940) (#4942)
* chore: add COSIGN_REPOSITORY env to ko-publish-dev step (#4922) (#4936)
* add filter for validation policies when ValidationFailureActionOverrides is used (#4809) (#4932)
* fix: panic when bad variable substitution (#4928) (#4935)
* feat: make cert renewer private and add server name support (#4904) (#4933)
* [Cleanup] Disable PolicySkipped events (#4913) (#4931)
* chore: bump a couple of deps (#4925) (#4929)
* chore: update controller-tools to v0.10.0 (#4918) (#4923)
* fix: use constants defined in openapi controller (#4919) (#4921)
* chore: signing helm releases (#4801) (#4920)
* fix: openapi controller discovery (#4912) (#4917)
* fix: don't specify rules when aggregationRule is set (#4867) (#4915)
* refactor: openapi controller part 2 (#4910) (#4914)
* refactor: openapi controller part 1 (#4901) (#4906)
* fix: clean background scan reports (#4908) (#4911)
* fix: remove unnecessary dependencies from tls package (#4903) (#4905)
* fix: reduce webhook controller logs (#4897) (#4900)
* refactor: manage webhooks with webhook controller (#4846) (#4893)
* fix: auto gen enabled when using names (#4863) (#4892)
* fix: non watchable resources in report controller (#4888) (#4890)
* Fix result colour (#4885) (#4887)
* fix: background scan labels (#4865) (#4886)
* cherry-pick (#4794 #4812 #4815 #4821 #4784 #4820 #4831 #4834 #4818 #4838 #4792 #4843 #4878) (#4882)
* fix: hardening policy validation for generate cloneList (#4881) (#4883)
* cherry-pick (#4811 #4849 #4842 #4829) (#4877)
* fix test output numbering (#4853) (#4875)
* cherry-pick (#4790 #4791 #4795 #4796 #4802 #4803) (#4861)
* cherry-pick (#4749 #4766 #4773 #4775 #4779 #4785 #4789) (#4860)
* cherry-pick (#4754 #4756 #4760 #4761 #4764 #4765 #4776) (#4859)
* cherry-pick (#4745 #4746 #4747 #4750 #4752) (#4858)
* cherry-pick (#4661 #4712 #4722 #4724 #4742) (#4857)
* Mon Oct 10 2022 kastl@b1-systems.de
- Update to version 1.8.0:
* release: 1.8 (#4851)
* Update PSa images dsecription (#4840) (#4841)
* tag v1.8.0-rc6 (#4839)
* fix extension checks (#4836) (#4837)
* Cherry pick #4814 (#4826)
* update helm doc (#4824)
* fix: validationFailureAction default value (#4822) (#4823)
* Cherry-pick #4815 (#4817)
* tag v1.8.0-rc5 (#4807)
* fix: subject and issuer validation when attestations are present (#4786) (#4805)
* skip succeed rules when building the blocked return message (#4804) (#4806)
* cherry-pick #4738 (#4799)
* cherry-pick #4793 (#4800)
* update cosign (#4797)
* chore: change charts registry url (#4768) (#4780)
* tag v1.8.0-rc4 (#4759)
* fix: watch error in resource controller (#4751) (#4753)
* fix: reports not generated (#4743) (#4744)
* tag v1.8.0-rc3 (#4741)
* fix: containerd dependency vulnerability (#4629) (#4740)
* Add PSa policy validations (#4735) (#4739)
* Added `x509_decode` JMESPath function (#4664) (#4737)
* feat: add matchlabel selector support with multiple clone (#4713) (#4734)
* fix: output make messages to stderr (#4727)
* fix crds yaml conflicts
* feat: reports v2 implementation (#4608)
* docs: add policy cache controller docs (#4714) (#4730)
* chore: update client code generator (#4711) (#4728)
* Support PSa integration by `controlName` only (#4710) (#4725)
* chore: group unit and cli tests targets and separate sections (#4693) (#4723)
* chore: enable overriding images repo (#4694) (#4721)
* chore: refactor manifests related makefile targets (#4706) (#4720)
* fix: change key used in test (#4718) (#4719)
* fix: missing client wrapper (#4703) (#4709)
* refactor: use pod name as leader id (#4680) (#4708)
* fix: split webhook handlers per failure policy (#4650) (#4707)
* fix: shutdown controllers workers gracefully (#4681) (#4704)
* fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671) (#4702)
* refactor: replace signal package by signal.NotifyContext (#4691) (#4701)
* fix: jmespath random error handling (#4697) (#4699)
* chore: simplify go mod (#4692) (#4696)
* fix: bump net standard lib (#4685) (#4690)
* fix: handle auth permission for cloneList validation (#4684) (#4687)
* fix: namespaced policy not validated in engine (#4653) (#4682)
* chore: bump minimum go version (#4677) (#4678)
* Fix issue for wildcard versions (#4670) (#4673)
* chore: publish sbom result to a different repositry from an image (#4665) (#4667)
* refactor: update log based on the policy types (#4646) (#4658)
* feat: add explicit key support to controller utils (#4628) (#4659)
* feat: add feature flag to disable background scan (#4638) (#4660)
* refactor: split policyreport api files (#4641) (#4657)
* fix: missing elements in v2beta1 api (#4654) (#4656)
* refactor: add a couple of constants in api (#4640) (#4652)
* feat: introduce RCR interface (#4642) (#4651)
* fix: incorrect namespace in report controller (#4637) (#4649)
* fix: remove RCR from mutation webhook (#4636) (#4647)
* chore: bump cosign 1.12.0 to fix vulnerabilities (#4631) (#4633)
* feat: add controller utils tools (#4639) (#4645)
* fix: background printer column (#4617) (#4620)
* enhance jmespath random-filter (#4591) (#4619)
* fix: lock in policy report mapper (#4601) (#4611)
* release v1.8.0-rc2 (#4607)
* refactor: simplify RCR creator queue (#4578) (#4606)
* chore: add messages in makefile kind targets (#4588) (#4604)
* refactor: info in policyreport package (#4598) (#4603)
* Fix multiple crd slowness issue (#4275) (#4600)
* update helm releases path (#4596) (#4599)
* enable autogen for validate.podsecurity with no exclude (#4594) (#4595)
* chore: add a codegen-quick makefile target (#4583) (#4587)
* chore: switch to github.com/IGLOU-EU/go-wildcard (#4563) (#4586)
* allow PSa validation with no exceptions (#4558) (#4585)
* fix: typo (#4582) (#4584)
* fix: split policy report flag (#4576) (#4581)
* chore: add toggle package unit tests (#4577) (#4580)
* chore: preserve pr title in cherry picks (#4573) (#4574)
* refactor: move generation handler out of webhooks package (#4570) (#4572)
* refactor: move image verification handler out of webhooks package (#4569) (#4571)
* refactor: move mutation handler out of webhooks package (#4567) (#4568)
* refactor: move validation audit out of webhooks package (#4562) (#4566)
* chore: add kocache (#4482) (#4564)
* refactor: move validation handler out of webhooks package (#4556) (#4561)
* refactor: make webhook metrics helpers static (#4554) (#4555)
* refactor: move webhook events utils in utils package (#4545) (#4548)
* add new patterns for releases (#4551)
* chore: add unit test for updating ur status (#4541) (#4544)
* - tag v1.8.0-rc1; - remove "v" from Helm charts versions (#4538)
* fix: defer ur update until validation passes (#4540) (#4543)
* refactor: introduce ur updater (#4535) (#4539)
* Support V2beta1 Version (#4514)
* refactor: webhook block and unit tests (#4531)
* refactor: webhook propagate start time along handlers (#4529)
* refactor: webhook exclusion and unit tests (#4528)
* feat: allow cloning multiple resource from a namespace (#4384)
* add random filter (#4527)
* chore: add protectManagedResources flag to changelog (#4522)
* refactor: utils for warnings and unit tests (#4523)
* refactor: use generics in client wrappers (#4525)
* refactor: add auth interface and unit tests (#4518)
* fix: api reference docs (#4490)
* refactor: client wrappers (#4519)
* feat: add kyverno managed resources protection (#4414)
* fix: load policy and add tests (#4515)
* chore: test for k8s 1.25 (#4503)
* chore: add unit tests for pkg/utils/json (#4516)
* chore: add unit tests for pkg/utils/yaml (#4512)
* chore: add unit tests for pkg/utils/wildcard (#4510)
* chore: add unit tests for pkg/utils/os (#4509)
* chore: add unit tests for pkg/utils/image (#4508)
* chore: update maintainers (#4511)
* docs: add section for generating helm docs and crds (#4507)
* chore: add wildcard unit test (#4506)
* chore: upgrade golang to 1.18 (#4505)
* docs: add section about switching between docker and ko (#4501)
* Auto-detect Kyverno version in policies chart (#4460)
* chore: refactor helm targets in makefile (#4498)
* feat: support switchin build with docker or ko (#4492)
* fix: incorrect kustomize call in makefile (#4493)
* refactor: verify codegen targets in makefile (#4494)
* fix: fetch history in pre-checks job (#4491)
* Improve printer column name for validationFailureAction (#4488)
* chore: Bump helm-docs version to v1.11.0 (#4489)
* chore: publish helm charts to ghcr.io (#4479)
* chore: bump cache action and improve paths (#4485)
* chore: relax auto update PRs conditions (#4486)
* fix: release workflow (#4483)
* refactor: clean webhooks logs (#4484)
* refactor: webhook policy context creation (#4480)
* docs: add api docs generation (#4476)
* fix: auto update pr workflow (#4478)
* chore: add makefile help comments (#4477)
* refactor: to remove generate cleanup controller (#4041)
* Add PodSecurity description (#4475)
* feat: remove context api call constraints (#4389)
* fix logger format (#4474)
* feat: enable autogen from makefile (#4467)
* chore: speed up local image builds (#4468)
* chore: enable cherry-pick bot (#4470)
* docs: add section for generated code (#4465)
* fix: local image build with docker (#4462)
* fix: warning in all makefile targets (#4464)
* Extend Pod Security Admission (#4364)
* docs: add section for deploying a local build (#4458)
* refactor: make toggles easier to define and use (#4456)
* Add the metric "kyverno_client_queries_total" (#4359)
* skip validate rules if conditional anchor key doesn't exist in the resource (#4451)
* refactor: clearly separate makefile docker targets for build and publish (#4454)
* Yaml signing and verification (#4235)
* docs: add pushing images section (#4452)
* refactor: clearly separate makefile ko targets for build and publish (#4450)
* chore: fix workflows related to ko recent changes (#4441)
* docs: add local image build section (#4449)
* chore: fix workflows related to ko recent changes (#4438)
* Update issue template drop-down version numbers (#4446)
* docs: add section for local builds (#4445)
* [Feature] Add ability to get additional policies from restricted (#4416)
* fix: update go-wildcard to v1.5.0 (#4444)
* docs: add section for dev tools (#4443)
* chore: remove godownloader and install-cli script (#4442)
* Added kubeconfig flag support (#4308)
* fix: ko login (#4427)
* fix: ko login (#4425)
* fix: ko login (#4424)
* fix: ko login (#4423)
* fix: ko login (#4422)
* fix: make ldflags optional in .ko.yaml (#4419)
* refactor: makefile build targets (#4418)
* fix: Add --bare for ko-build-dev targets (#4417)
* Use ko to build images (#4366)
* refactor: makefile (#4403)
* [Feature] Add posibility to set validationFailureAction by Policy (#4400)
* feat: enable autogen internals by default (#4381)
* bump golang 1.18.5 version digest in Dockerfile (#4413)
* bump cosign deps version to 1.11.1 (#4408)
* chore: improve docker image tagging (#4409)
* refactor: introduce wildcard utils package (#4406)
* fix: chart docs for generatecontrollerExtraResources (#4405)
* chore: enable asasalint linter (#4396)
* bump cosign version to 1.11.0 (#4398)
* Sync 1.7.3 Helm versions (#4395)
* fix: goimports check not working in ci job (#4387)
* chore: fix golangcilint timeout (#4388)
* fix: duration metrics precision (#4393)
* chore: add workflow to ensure github actions are pinned to a commit SHA (#4390)
* feat: add raw api call support (#3820)
* chore: update maintainers md (#4380)
* chore: fix fossa ci job (#4382)
* fix: missing aggregated role for UR (#4378)
* fix: exclude autogen rules when autogen internals is enabled (#4370)
* fix: prevent installing helm chart in namespace kube-system (#4368)
* fix: fix the verbosity of reconciling logs in the config controller (#4362)
* Update wgpolicyk8s.io CRDs (#4355)
* Update pr_documentation.md (#4361)
* Added remove-color flag for CLI-test (#4345)
* Added appropriate logging levels to log.Info() calls wherever necessary (#4341)
* update apply help message (#4344)
* Fix deprecated api policy issue (#4349)
* Treat normal and precondition variable equally (#4217)
* fix: image verify logs (#4348)
* Remove myself as codeowner (#4333)
* Fix PEM delimiter parse (#4331)
* [Helm] Added ability to remove namespaces from default resourceFilters list (#4299)
* chore(deps): bump github.com/sigstore/cosign from 1.10.0 to 1.10.1 (#4328)
* support failurePolicy in kyverno-policies helm chart (#4323)
* Context vars substitution in CLI (#4290)
* Replaced status with message (#4315)
* Changed resource names to plurals (#4312)
* Fix pr image verify blocked (#4297)
* feat: use tombstone helper (#4273)
* Tightened scope on apiGroups for Kyverno:events Clusterrole (#4292)
* trivial typo update (#4291)
* use failurePolicy to block or allow requests, on policy errors (#4183)
* update log levels (#4286)
* added additional init and sidecar container config (#4283)
* feat: auto optimize GOMAXPROCS (#4277)
* add applyRules to control whether one or all rules are applied (#4196)
* feature: added new type of event, PolicySkipped (#4251)
* Reset policy status on termination (#4269)
* fix: use an absolute path in docker entrypoint (#4263)
* Add shutdown methods for exporters and controllers (#4214)
* sync Helm versions (#4262)
* fix: use only 1 kubernetes client (#4256)
* Add Techcombank to adopters (#4260)
* Implementing flag to show all failing tests only through the test command (#4227)
* fix split policyreport name with background scan (#4237)
* chore: use new distroless base image provided by distroless org (#4219)
* fix check depreciated api issue (#4243)
* Cherry-pick #4233 (#4236)
* Revert "fix: metrics with invalid validationMode (#4198)" (#4241)
* fix: metrics with invalid validationMode (#4198)
* Corrected description for UpdateRequest struct (#4215)
* Removed confusing output message for the apply and replaced no of policies by no of policy rules count in the output message (#4229)
* fix kyverno cli policy-report typo (#4224)
* feat: improve flag message for disableMetricsExport (#4194)
* precondition failure will skip rule independent of audit or enforce mode (#4163)
* Make method public (#4207)
* Fix UpdateRequest labeling (from pull #4199) (#4212)
* use the unstructured list instead of interface type (#4210)
* feat: Opentelemetry support for metrics and traces (#3910)
* Use non-blocking channel send for UpdateWebhookChan (#4204)
* Fix merging JSON patches (#4202)
* Resolve conflict introduced to contributing page (#4192)
* return helpful error message on invalid patched resources. (#4129)
* docs(contributing): add how to cherry-pick section (#4127)
* refactor: finish refactoring generate e2e tests (#4090)
* feat: policy status for autogen rules (#4173)
* fix: use official controller-gen (#4171)
* fix external.metrics.k8s.io/v1beta1 issue (#4139)
* fix: add seccompProfile (#4178)
* fix: add more verify images e2e test for bool fields (#4172)
* delete policy reports on policy deletion (#4174)
* chore: add myself into owners (#4170)
* feat: split policy report per policy bases (#4147)
* Clean up RCRs if the count exceeds the threshold (#4148)
* Wait for informers' cache to be synced before starting controllers (#4155)
* - Disable events generation on DELETE; - Reduce event generation retry from 10 to 3 (#4159)
* Use kyverno namespace informer to list pods while processing URs (#4156)
* Template updates (#4150)
* release event memory (#4138)
* fix: use dev tag for init container local build target (#4142)
* added resource lists for test cli (#4082)
* update contributing guide (#4119)
* sync release versions (#4133)
* bump cosign to 1.9.1 to fix fulcio panic (#4117)
* fix: use policyName key to get the policy name (#4114)
* fix imageVerify validation checks and conversion logic (#4038)
* fix: Stop incorrect any block condition logging (#4107)
* set test.namespace value implict as resource namespace until and unless explict value is added (#4100)
* remove TUF initialization from main (#4098)
* Update CODEOWNERS to include treydock (#4097)
* feat: add e2e framework and verify image new test (#4094)
* add chipzoller to CODEOWNERS (#4096)
* refactor: generate e2e GeneratePolicyDeletionforCloneTests (#4071)
* Exclude Kyverno namespace by default (#4079)
* docs(chart): fix deadlink in NOTES.txt (#4085)
* Updated jp command flags and also added URL for help. (#4084)
* update drop-downs (#4081)
* refactor: generate e2e tests (#4068)
* refactor: use t.Cleanup in e2e tests (#4067)
* Remove s390X (#4063)
* fix: add missing release notes in helm chart (#4057)
* fix: bool fields in image verification types (#4053)
* Print for failed test cases (#4048)
* Sync v1.7.0 release manifests (#4051)
* refactor: bump KIND version to use v1.24.0 k8s release (#3877)
* feat: add aggregated cluster role support (#3845)
* chore(dockerfile): use buildx features for cross-compilation (#4023)
* Ensure preconditions are present with default values (#4046)
* Fix handling of kyverno-policies version check when port in image tag (#4042)
* fix policy typo (#4039)
* Fix labels with invalid charrs (#4034)
* refactor: used typed admission request in ur (#4022)
* fix vulnerable (#4027)
* feat: Extend CLI to cover generate policies (#3456)
* Request operation value by default to CREATE (#3894)
* Feature: Add support for allowing insecure registries. (#3983)
* refactor: move policy deletion code from policy controller to ur controller (#4013)
* fix: bypass policy mutation if autogen internals enabled (#4007)
* fix: use background helper in ur generator (#4009)
* fix: remove update ur status in generator (#4008)
* refactor: add policy event listener in ur controller (#4012)
* chore: remove unused ur errors (#4011)
* refactor: ur cleaner controller (#3974)
* add validation check to ensure the annotations quoted (#3976)
* Support `@` for mutate targets (#3998)
* fix: stop mutation policies when autogen internals is enabled (#4004)
* refactor: background controllers cleanup (#4001)
* fix: stop mutating cached resource in ur controller (#4003)
* refactor: move label helper utils from policy package to background package (#3996)
* fix attestation checks (#3999)
* fix: init container gr copy (#3995)
* refactor: clean updaterequest generator (#3949)
* chore: enable nosprintfhostport linter (#3989)
* feat: add controller utils package (#3952)
* refactor: make registry client variables private (#3975)
* fix: ur is nil in ur controller (#3986)
* chore: add previous pod logs in case of job failure (#3978)
* fix: remove unused field (#3971)
* fix: release ur when handler pod is gone (#3973)
* fix: move ur controller filtering in reconciler (#3964)
* fix: mark ur retry on conflict (#3961)
* chore: enable paralleltest linter (#3946)
* chore: enable goimports linter (#3959)
* chore: make kyverno informers and listers import aliases consistent (#3958)
* chore: enable ifshort linter (#3945)
* fix: add helmignore (#3948)
* fix: replica count in helm chart (#3954)
* fix panic issue for ur (#3953)
* Cleanup URs on trigger deletion (#3955)
* chore: make kube informers and listers import aliases consistent (#3957)
* chore: make clients import aliases consistent (#3956)
* chore: make dclient import aliases consistent (#3951)
* chore: make k8s api import aliases consistent (#3950)
* fix: use admissionrequest subresource to filter webhooks (#3944)
* chore: make kyverno api import aliases consistent (#3939)
* chore: enable nolintlint linter (#3941)
* chore: enable grouper linter (#3940)
* fix: cache warmup log message (#3943)
* fix: use patch to update handler status in UR (#3928)
* chore: enable makezero linter (#3937)
* fix: handle UR delete once trigger namespace deleted (#3934)
* chore: enable gofmt and gofumpt linters (#3931)
* chore: enble gci linter (#3930)
* fix: return type changed to bool in jpfCompare fn (#3924)
* refactor: separate policy cache and controller (#3925)
* refactor: separate resource mutation/validation handlers from server (#3908)
* chore: enable misspell linter (#3932)
* chore: enable errname linter (#3926)
* chore: enable decorder linter (#3920)
* refactor: policy cache (#3919)
* chore: enable dogsled linter (#3921)
* Cleanup the UR for mutate policies once it's completed (#3912)
* [Bugbash] Kceu22 bugbash/fix staticcheck warnings (#3917)
* fix: gosec G304 file inclusion error (#3916)
* refactor: separate policy mutation/validation handlers from server (#3905)
* fix: docker build (#3907)
* refactor: webhooks server logger (#3904)
* feat: gracefull certificates rotation support (#3890)
* chore: remove ca-certificates from our repository (#3859)
* chore: enable wastedassign linter (#3898)
* chore: enable goprintffuncname linter (#3899)
* chore: remove unused function (#3902)
* Remove permissions in helm-release workflow (#3901)
* Timeout and init (#3893)
* fix: write secret (#3891)
* Fix subject match selector issue in cli (#3887)
* refactor: remove deployment hash on certs secrets (#3886)
* chore: enable noctx linter (#3888)
* chore: enable importas linter (#3882)
* skip var checks in attestations (#3876)
* chore: enable gochecknoinits linter (#3874)
* refactor: cleanup tls package (#3854)
* chore: enable containedctx linter (#3873)
* fix: include ca key in secret (#3804)
* refactor: make config vars private (#3823)
* fix: undo length validation check for generate rule resource name (#3865)
* fix subjects in test cli (#3743)
* chore: enable exportloopref linter (#3869)
* chore: enable tenv thelper and tparallel linters (#3868)
* chore: enable durationcheck linter (#3870)
* chore: enable asciicheck and bidichk linters (#3871)
* chore: add unconvert linter (#3867)
* chore: enable whitespace linter (#3864)
* Handle errors properly for mutate and generate on existing resources (#3863)
* fix: remove code to load CA from kubeconfig (#3860)
* chore: enable more linters (#3862)
* chore: enable deadcode and unused linters (#3861)
* chore: increase golangci-lint timeout (#3855)
* refactor: init certs with certs renewer directly (#3853)
* tests: add unit tests for utils functions (#3857)
* chore: enable golangci-lint in ci (#3852)
* feat: fetch tls certificate dynamically (#3851)
* fix: golangci-lint warnings in pkg (#3846)
* refactor: remove the need for self-signed annotation on cert secret (#3850)
* handle subresources (#3841)
* fix: golangci-lint warnings in cmd (#3843)
* refactor: webhookconfig package (part 4) (#3835)
* refactor: webhookconfig package (part 3) (#3834)
* refactor: remove unused functions (#3840)
* Tue Sep 27 2022 kastl@b1-systems.de
- Update to version 1.7.4:
* fix: update github action to use current workflow path (#4705)
* tag v1.7.4 (#4698)
* fix: incorrect namespace in report controller (#4637) (#4688)
* Fix issue for wildcard versions (#4670) (#4674)
* Wed Sep 07 2022 kastl@b1-systems.de
- Update to version 1.7.3:
* Cherry-pick #4398 - bump cosign to 1.11.0 (#4399)
* Release v1.7.3 (#4394)
* Fix deprecated api policy issue (#4349) (#4350)
* precondition failure will skip rule independent of audit or enforce mode (#4163) (#4296)
* Mon Jul 25 2022 kastl@b1-systems.de
- Update to version 1.7.2:
* tag v1.7.2 (#4261)
* Use non-blocking channel send for UpdateWebhookChan (#4204) (#4247)
* Release v1.7.2-rc2 (#4246)
* fix split policyreport name with background scan (#4237) (#4245)
* fix check depreciated api issue (#4243) (#4244)
* fix kyverno cli policy-report typo (#4224) (#4232)
* Limit queued events (#4233)
* update cosign to v1.9.0 (#4231)
* Only set up logging context if it will be used (#4213)
* use the unstructured list instead of interface type (#4211)
* Fix UpdateRequest labeling (#4199)
* Release 1.7 (#4200)
* external.metrics.k8s.io/v1beta1 issue (#4182)
* delete policy reports on policy deletion (#4174) (#4175)
* tag v1.7.2-rc1 (#4167)
* feat: split policy report per policy bases (#4147) (#4166)
* Re-implement #4159 (#4165)
* Cherry pick #4155 (#4164)
* Cherry-pick #4148
* Use kyverno namespace informer to list pods while processing URs (#4156)
* Cherry-pick #4138 to 1.7 (#4160)
* fix: use dev tag for init container local build target (#4141)
* Wed Jun 22 2022 kastl@b1-systems.de
- Update to version 1.7.1:
* tag v1.7.1 (#4132)
* fix build failures
* fix: bool fields in image verification types (#4053)
* cherry-pick #4013
* Release 1.7 (#4130)
* fix: use policyName key to get the policy name (#4113)
* chore(dockerfile): use buildx features for cross-compilation (#4023) (#4123)
* Updated jp command flags and also added URL for help. (#4122)
* fix: handle nil ur while retry (#4109)
* Release 1.7 (#4099)
* Bump Charts version to 2.5.0 (#4092)
* bump chart versions to v2.4.2 (#4089)
* cherry-pick #4079 (#4088)
* Remove s390X (#4063) (#4064)
* Bump charts version to 2.4.1 (#4061)
* Ensure preconditions are present with default values (#4046)
* Fix handling of kyverno-policies version check when port in image tag (#4042)
* Sat Jun 04 2022 kastl@b1-systems.de
- Update to version 1.7.0:
* Tag v1.7.0 (#4050)
* refactor: bump KIND version to use v1.24.0 k8s release (#4049)
* fix policy typo (#4039) (#4045)
* Tag 1.7.0-rc3 (#4036)
* Fix labels with invalid charrs (#4034) (#4035)
* Cherry-pick #4022 (#4033)
* fix vulnerable (#4027) (#4028)
* Request operation value by default to CREATE (#3894) (#4026)
* Release v1.7.0-rc2 (#4021)
* Cherry pick #4007 #4008 (#4020)
* fix: stop mutation policies when autogen internals is enabled (#4004,#4009,#3996) (#4016)
* cherry-pick fix attestation checks https://github.com/kyverno/kyverno/pull/3999 (#4015)
* refactor: add policy event listener in ur controller (#4012) (#4014)
* Support `@` for mutate targets (#3998) (#4010)
* fix: stop mutating cached resource in ur controller (#4003) (#4006)
* fix: move ur controller filtering in reconciler (#3964) (#3994)
* fix: release ur when handler pod is gone (#3993)
* fix: mark ur retry on conflict (#3961) (#3963)
* fix: replica count in helm chart (#3954) (#3962)
* Cherry pick #3953 #3955 (#3960)
* fix: handle UR delete once trigger namespace deleted (#3934) (#3938)
* fix: use patch to update handler status in UR (#3927)
* Cleanup the UR for mutate policies once it's completed (#3923)
* Remove permissions in helm-release workflow (#3901) (#3903)
* Release v1.7.0-rc1 (#3896)
* cherry-pick #3893 (#3895)
* Fix subject match selector issue in cli (#3887) (#3892)
* skip var checks in attestations (#3876) (#3885)
* fix: undo length validation check for generate rule resource name (#3865) (#3872)
* Handle errors properly for mutate and generate on existing resources (#3863) (#3866)
* refactor: remove unused functions (#3844)
* handle subresources (#3841) (#3848)
* feat: trigger generate on existing matched resource (#3819)
* refactor: webhook config package (part 2) (#3833)
* refactor: webhookconfig package (part 1) (#3831)
* fix check and add logs (#3838)
* Allow variables of any kind to be defined (#3828)
* fix: policy deletion in webhookconfig (#3832)
* refactor: imported pkg redeclared and a few other unused func (#3827)
* refactor: shell to prevent globbing and word splitting (#3829)
* CLI should respect scored annotation for warnings (#3821)
* Add an object_from_lists function (#3824)
* Improve logging and error handling in json context (#3825)
* Relax JMESPath variable validation (#3826)
* Load `mutate.targets` via dclient (#3797)
* Cert attestor (#3809)
* handle duplicate images; use container name as key (#3779)
* fix: autogen rules in status (#3728)
* refact: disable leader for update request controller (#3807)
* chore: remove broken .ca from helm chart (#3811)
* fix: remove k8s apiserver from self-generated cert (#3803)
* Policy Validation check for onPolicyUpdate flag (#3814)
* Add `handler` to `UR.status` (#3791)
* fix: remove kubeconfig (#3802)
* fix: cleanup old dependencies from go.sum and go.mod (#3806)
* feat: parse all root CA certs (#3808)
* removed kubeconfig flags (#3744)
* Fix issue with image registry when decoding OCI descriptors with out of spec keys (#3799)
* refactor: move config controller in controllers package (#3790)
* chore: add informer util (#3796)
* chore: remove useless util NewKubeClient (#3795)
* fix: pod stay in terminating when scaling to 0 (#3793)
* Add JMESPath Function `items` (#3777)
* Fix Cli test for image verification (#3760)
* Add rule to PolicyViolation event messages (#3787)
* chore: remove config flags (#3786)
* fix: add missing tombstone calls (#3784)
* refactor: create a package for controllers and move certmanager in it (#3782)
* refactor: policycache package logger (#3783)
* refactor: move ImageExtractorConfigs in api package (#3781)
* refactor: dclient package logger (#3778)
* Fix PR update flow and allow updates from release branches (#3780)
* fix: cert manager duplicate event handler (#3772)
* webhookconfig: if services resource, add services/status as well (#3740)
* refactor: dclient package (#3775)
* refactor: replace clientset by inteface (#3774)
* refactor: cosign package logger (#3773)
* Bump cosign and sigstore version (#3771)
* Auto-update PRs which are enabled for auto-merging (#3766)
* refactor: wait for cache sync (#3765)
* Allow kyverno jp to take yaml files as inputs (#3768)
* Allow non-object type elements for foreach rules (#3763)
* fix: logger call depth (#3759)
* Reduce log verbosity for image extractors (#3764)
* chore: remove unused resourcecache package (#3762)
* refactor: remove unstructured usage from webhookconfig (#3737)
* refactor: use typed informers and add tombstone support to webhookconfig (#3736)
* Remove YAML multiline support in CM values (#3721)
* cleanup event messages and sources (#3741)
* Add tests for required checks for image verify (#3755)
* Add error handling and log for image extractor errors (#3724)
* Fix verify all images (#3748)
* Retry policy creation to avoid flaky CRD readiness (#3752)
* Fix test Summary printing for failure test cases (#3749)
* Enable tests in makefile (#3699)
* refactor: metrics package logger (#3734)
* Use inclusive language (#3738)
* fix: block policy for missing matched kind (#3733)
* fix: missing image verification rules in autogen (#3729)
* Convert GenerateRequest to UpdateRequest for backward compatibility (#3730)
* refactor: autogen package logger (#3727)
* fix: correct tombstone usage (#3718)
* refactor: remove some api unnecessary pointers (4) (#3713)
* Set policy kind to generate events in the webhook (#3726)
* Create UR for both mutate and generate policies (#3717)
* fix: remove supported from autogen status (#3714)
* fix: generated api reference docs (#3711)
* refactor: remove some api unnecessary pointers (3) (#3707)
* Optimize UR listing on policy events (#3712)
* - Create events for imageVerify rules (#3710)
* refactor: remove some api unnecessary pointers (2) (#3705)
* fix: remove unused type TargetMutation (#3706)
* refactor: remove some api unnecessary pointers (#3704)
* add e2e tests for mutate existing policies (#3703)
* Verify digest (#3679)
* fix: kind wash in mutate policy helper (#3698)
* refactor: auth package logger (#3696)
* chore: remove unused custom expansions from client (#3697)
* refactor: client gen code (#3695)
* Fix test command git issue (#3692)
* Enable verifyImages and CLI registry tests (#3684)
* Cherry-pick release-1.6 Helm changes (#3689)
* Show warnings in Helm chart installation; update issue templates (#3673)
* refactor: use typed k8s client in tls package (#3678)
* refactor: config package logger (#3683)
* Fix flaky e2e tests for generate policies (#3681)
* Fix regression in wildcard matches in In/AnyIn operators (#3686)
* feat: remove deprecated flags (#3680)
* Logic of match service account is fixed for namespace (#3662)
* fix test cli CI failures from main (#3682)
* Fix issue pod should not be ready until the policy cache loaded (#3646)
* bug: fix nil pointer when generating events (#3677)
* remove Validate Cmd (#3674)
* Support context variables when using foreach CLI (#3637)
* fix: webhooks are not configured correctly (#3660)
* bump to Go 1.17.9 (#3671)
* fix: api reference docs link (#3664)
* feat: mutate existing resources (#3669)
* fix: pass logger by value (#3666)
* Allow definition of inline variables in context (#3658)
* fix: add char length validation for generate rule resource name (#3640)
* chore: remove e2e tests for kube 1.20 (#3665)
* chore: add support for artifacthub.io/changes in helm charts (#3652)
* fix: policy controller missing GVK (#3659)
* [imageVerify]: adding `digestMutate` to simplify tag-to-digest mutation (#3531)
* Multiple keys (#3636)
* fix: do not remove webhooks during initialization (#3641)
* fix: prevent installing chart with 2 replicas (#3647)
* fix: print helm install warnings (#3648)
* chore: warn if kube version is too old in helm notes (#3650)
* chore: add artifacthub operator and prerelease annotations (#3649)
* refactor: use the typed ns informer in GR controller (#3554)
* refactor: image utils (#3630)
* Remove helm mode setting (#3628)
* refact: remove unused Run function from generate (#3638)
* Fix race condition in pCache (#3632)
* Allow defining imagePullSecrets (#3633)
* Image verify attestors (#3614)
* Allow kyverno-policies to have preconditions defined (#3606)
* updating version in Chart.yaml (#3618)
* Update vulnerable dependencies (#3577)
* Add support for custom image extractors (#3596)
* add-kms-libraries for cosign (#3603)
* refactor cli code from pkg to cmd (#3591)
* fix missing policy.kyverno.io/policy-name label (#3599)
* refactor generate controller (#3589)
* change/suppress warning messages (#3593)
* Feat - add the new CR UpdateRequest for post mutation (#3592)
* Update to cosign 1.7.1 (#3587)
* Update GH workflow config (#3588)
* Update CODEOWNER folders for @samj1912 (#3586)
* Update hash of dependencies instead of mutable version (#3582)
* add support for roles, cluster roles and subjects (#3188)
* fix imageVerify rule conversion (#3583)
* update imageVerify schema (#3574)
* Refactor image extraction to allow extracting custom resources (#3572)
* chore: remove dead code (#3561)
* Add returnType for regexMatch in kyverno jp output (#3575)
* refactor: engine context (#3563)
* Fixes #3555 (#3558)
* update image pull policy for YAML install which uses :latest (#3565)
* add @eddycharly as a maintainer! (#3566)
* chore: add some make help comments (#3560)
* refactor: switch to admission v1 (#3526)
* refactor: make response type (RuleType) typed (#3556)
* refactor: metrics package (#3549)
* refactor: webhooks metrics reporting (#3548)
* test: pass lock by value (#3481)
* refactor: simplify autogen package (#3532)
* refactor: move common utils (#3553)
* refactor: add engine utils sub package (#3552)
* fix: checkEngineResponse in webhooks (#3551)
* Do not generate preconditions not met warning for audit policies (#3487)
* refactor: reduce policy mutations (#3550)
* fix: annotation path (#3547)
* refactor: use GetFailurePolicy method (#3545)
* refactor: use BackgroundProcessingEnabled method (#3544)
* refactor: move some helpers in utils package (#3539)
* refactor: use GetValidationFailureAction method (#3546)
* fix: disallow all in autogen annotation (#3537)
* refactor: use existing ContainsString util (#3543)
* Create `poddisruptionbudget.yaml` when `mode=ha` (#3536)
* fix wildcards in value arrays (#3486)
* refactor: separate yaml utils package (#3520)
* refactor: separate kube utils package (#3527)
* refactor: add os utils sub package (#3528)
* refactor: add a json patch util and use it in autogen package (#3524)
* fix: tls min version (#3521)
* refactor: separate json utils package (#3523)
* refactor: webhooks package (#3516)
* refactor: use policy interface and introduce admission utils package (#3512)
* fix: use github repo env instead of hardcoded repo name (#3513)
* fix: reduce dependency to ns lister (#3509)
* refactor: use more policy interface (#3510)
* refactor: use policy interface in policycache package (#3503)
* refactor: make use of policy interface (#3499)
* refactor: improve policycache package (#3495)
* chore: add autogen internals e2e tests (#3492)
* refactor: factorize policy interface (#3496)
* feat: add webhooks object selector support (#3413)
* feat: generate support for namespace policy (#3472)
* chore: simplify validation with named return (#3493)
* add missing namespace to role and rolebinding (#3389) (#3429) (#3485)
* chore(deps): add renovate.json (#3471)
* feat: stop mutating rules (#3410)
* use mutex as field instead of embedded (#3480)
* refactor: create e2e infra using make to speed up e2e tests (#3470)
* fix ordering of mutate element (#3468)
* refactor: use abstract policy interface in webhookconfig (#3466)
* adds lease objects for storing last-request-time and set-status annotations in deployment (#3447)
* clean up dependencies (#3469)
* fix: use RWMutex lock while concurrent read/write (#3462)
* refactor: match and exclude conflict validation (#3454)
* refactor: add ValidationFailureAction to the api (#3451)
* refactor: remove ns lister from webhookconfig (#3452)
* refactor: add IsNamespaced() method to API policy types (#3450)
* fix: use PodControllersAnnotation constant (#3448)
* Update MAINTAINERS.md (#3449)
* support for deprecated API's (#3439)
* Drop v1alpha1 PolicyReport CRD (#3437)
* refactor: ExcludeResources validation (#3445)
* refactor: replace ExcludeResources by MatchResources (#3444)
* refactor: ResourceDescription validation (#3446)
* Fix incorrectly renamed file (#3443)
* Remove support for test.yaml (#3442)
* fix cli panic for --cluster flag (#3436)
* Fix check for generated webhook rules being equal to what the API server has (#3407)
* refactor: MatchResources validation (#3422)
* feat: use IsReady method (#3426)
* refactor: ValidationFailureActionOverrides validation (#3421)
* PR and issue template updates per contributors' meetings (#3428)
* [imageVerify]: correcting error msg (#3398)
* feat: add toggle package for feature flags (#3419)
* feat: move GetRules() at the policy level (#3420)
* feat: add conditions support (#3378)
* feat: stop adding autogen annotation (#3379)
* fix webhook configuration issue when auto update is disabled (#3417)
* Ignore test files that do not end in test.yaml (#3402)
* refactor: Policy name validation (#3409)
* Replace `ToUnstructured()` with Marshal/Unmarshal (#3150)
* [ImageVerify] Verify additional certificate-extensions (#3404)
* fix: filter resources names with helm custom release name (#3361)
* refactor: Rule names validation (#3406)
* refactor: Rule type validation (#3400)
* chore: remove check-helm-docs workflow (#3408)
* refactor: UserInfo validation (#3399)
* Fix webhook re-creation error (#3403)
* chore: add make help target (#3405)
* Only queue one retry if webhook update fails (#3353)
* chore: add more codegen target and verifications (#3393)
* Return warning on admission response when mutating pods (#3272)
* Add a registry flag to allow direct access to container registries in the CLI (#3396)
* feat: add rules to status (#3376)
* chore: makefile should not makefile go.mod (#3394)
* refactor: ImageVerification validation (#3372)
* Cli Apply command support Dir as resources (#3391)
* chore: add helm crds to make codegen target (#3375)
* fix: metrics config defaults (#3387)
* fix for gvk not working for existing resources policy (#3384)
* e2e test for mutate global anchor Policy (#2574)
* Add `codecov` to CI (#3382)
* Update cosign to v1.6.0 (#3341)
* fix: generate api reference docs (#3377)
* fix PodExecOptions issue (#3373)
* Update OWNERS.md (#3371)
* feat: add autogen controllers to policy status (#3332)
* chore: gen helm crds from config crds (#3356)
* refactor: introduce api common types (#3365)
* adding emptyDir vol for keyless signing (#3366)
* refactor: move api functions closer to the struct they belong to (#3363)
* refactor: introduce rules getters and setters (#3350)
* refactor: move controller autogen annotation in api package (#3364)
* Add new test-case-selector flag to test command (#3183)
* support RSA, ECDSA and EDDSA public key verification (#3362)
* fix: configmap resource filters generated by helm does not account for namespace (#3358)
* chore: check helm docs are up to date (#3310)
* Fix any_all wildcard issue (#3352)
* fix: invalid path in helm-test workflow (#3344)
* Add Bloomberg to adopters (#3348)
* updated description field of foreach (#3157)
* chore: verify codegen in CI (#3343)
* Update generate clusterrole (#3336)
* fix: CRD generation (#3334)
* refactor: reduce usage of reflect.DeepEqual (#3328)
* fix: update codegen (#3329)
* fix: naming typos (#3327)
* refactor: introduce autogen package (#3316)
* refactor: pass only spec instead of whole policy when possible (#3315)
* fetch tag across all branches instead of current branch (#3324)
* add separate step for digest (#3321)
* adding check for digest and update git command
* correcting makefile latest tag (#3314)
* fix: helm install docs (#3312)
* fix: seccomp profile (#3313)
* chore: drop helm v2 (#3311)
* feat: gen kyverno helm chart docs (#3309)
* feat: gen kyverno-policies helm chart docs (#3301)
* Fix workflow using regex in `main` (#3306)
* arranging permissions (#3293)
* fix: helm chart broken when use generatecontrollerExtraResources (#3302)
* feat: support background mode configuration in kyverno-policies chart (#3299)
* Improve CLI test times by instantiating openapi controller once (#3297)
* Fix namespace typo (#3298)
* fix: add support for other platforms before executing docker buildx (#3296)
* validate and block policy based on the matched kind cache (#3283)
* fix: comma separated lists in config (#3290)
* Run E2E tests on all supported k8s versions (#3256)
* latest will point to main (#3285)
* Shallow clone git repositories for kyverno test command
* update trivy scanning (#3284)
* feat: add linux/s390x builds (#3277)
* Fix label mutation while updating the secret (#3273)
* Modify capabilities for compatibility with Pod Security (#3274)
* Fix Helm releasing to preserve creation timestamps (#3268)
* Added `kyverno test` subcommand for test manifest file (#3264)
* Clean up commented out lines of code (#3263)
* Add .DS_store to gitignore (#3255)
* fix mutate wildcard issue (#3193)
* Fix foreach validations precondition issue (#3228)
* Fix policy report OwnerReference (#3249)
* Improve E2E test CI timings (#3250)
* Add openssf badge (#3246)
* Fix old object validation check (#3248)
* Bug fix: negation of string kernel version caused Cluster Policy to fail (#3229)
* add helm pre-delete hook which deletes all the webhooks (#3148)
* Skip updating webhook configs if namespaceSelector is nil (#3237)
* Sync latest changes to release/install.yaml (#3239)
* add aggregated role for generaterequest (#3240)
* Remove abstraction that doesn't work anyway (#3209)
* Fix image parsing for image referenced as digests (#3196)
* feat: ha mode support in helm chart (#3207)
* Fix keyless attest (#3219)
* update dependencies (#3221)
* Issue forms and PR template adjustment (#3213)
* add prateekpandey14 to codeowners (#3205)
* Added e2e test for JSON patch mutate policy (#2966)
* fixing bug to handle two different types of rules (#2954)
* Allow setting validationFailureActionOverrides for policies (#3201)
* feat: fix app version in NOTES.txt (#3189)
* Indentation fix (#3179)
* Fix unused tagTest in helm chart tests (#3174)
* Update kyverno-policies chart with latest pod-security policies (#3126)
* Add a kyverno jp command to test jmespath expressions (#3169)
* test-cases for wildcard match label selector (#3165)
* Filter kyverno resources instead of entire kyverno namespace (#3170)
* Fix panic for provides a set to the key of a precondition and deny condition (#3162)
* Bump up verbosity for `patched resource mismatch` (#3127)
* bump chart versions (#3160)
* Update dev image tag in Make targets (#3159)
* Add sam (#3155)
* add missing patch verbs in event clusterrole (#3151)
* fix filtered and sort patches index (#3146)
* Fix kyverno panic with `PodSpec.containers` JSON merge patch w/o image (#3143)
* Relax rule context validation to follow JMESPath grammar (#3129)
* Fixed kyverno panic at JMESPath zero division (#3137)
* Fix variable substitution when curly braces are used in jmespath (#3133)
* Fix parsing of resources in preconditions (#3108)
* Add cloud provider keychains to DefaultKeychain (#3116)
* improve antiAffinity and add podAffinity and nodeAffinity for kyverno helm chart (#3067)
* fixing and adding tests (#3112)
* update cosign to 1.5.0 and fix issuer and subject for keyless (#3089)
* Add b/w compat support for K8s version 1.20 and below for Kyverno 1.6 (#3100)
* Fix the kyverno default keychain value to be the ggcr default keychain (#3096)
* fix: typo Cluter to Cluster (#3092)
* Fix memory leak when updating ggcr keychain (#3088)
* Support registry keychain from cloud providers (#3036)
* Updates Changelog to add note for anyPattern issue due to k8s v1.23 (#3045)
* Add KYVERNO_DEPLOYMENT to initContainer (#3086)
* apply patches cumulatively (#3083)
* Fix CLI test/apply when any/all use namespaceSelector (#3050)
* fix mutating ownerReferenecs (#3061)
* update workflow configurations to fix CI failure (#3060)
* Fix documentation for helm charts (#3056)
* Fri Apr 01 2022 kastl@b1-systems.de
- Update to version 1.6.2:
* tag v1.6.2 (#3511)
* Cherry-pick #3111 and release v1.6.2-rc3 (#3506)
* tag v1.6.2-rc2 (#3500)
* feat: generate support for namespace policy (#3498)
* use mutex as field instead of embedded (#3480) (#3489)
* release v1.6.2-rc1 (#3482)
* Cherry-pick #3477 (#3479)
* adds lease objects for storing last-request-time and set-status annotations in deployment (#3447) (#3478)
* fix: use RWMutex lock while concurrent read/write (#3462) (#3467)
* support for deprecated API's (#3439) (#3453)
* fix cli panic for --cluster flag (#3436) (#3438)
* add missing namespace to role and rolebinding (#3389) (#3429)
* fix webhook configuration issue when auto update is disabled (#3417) (#3418)
* Cli Apply command support Dir as resources (#3391) (#3392)
* fix for gvk not working for existing resources policy (#3384) (#3386)
* Cherry pick/3366 (#3367)
* Update generate clusterrole (#3336) (#3359)
* fixing bug to handle two different types of rules (#2954) (#3357)
* Fix any_all wildcard issue (#3352)
* Wed Mar 02 2022 kastl@b1-systems.de
- Update to version 1.6.1:
* fix release tag command (#3323)
* fetching proper digest for release images (#3319)
* update release v1.6.1 manifest (#3318)
* changing git command to fetch the tag (#3317)
* release v1.6.1-rc2
* cherry-pick c4075af3d17c59fe73b50083bb206d85a1cb38ba
* Run E2E tests on all supported k8s versions (#3256)
* Fix namespace typo (#3298)
* feat: support background mode configuration in kyverno-policies chart (#3299)
* fix: helm chart broken when use generatecontrollerExtraResources (#3302)
* Shallow clone git repositories for kyverno test command
* fix: add support for other platforms before executing docker buildx (#3296)
* latest pointing to main
* added condition
* using regex
* updated workflows
* validate and block policy based on the matched kind cache (#3283) (#3291)
* Filter kyverno resources instead of entire kyverno namespace (#3170) (#3171)
* update trivy scanning (#3284)
* tag v1.6.1-rc1
* Fix label mutation while updating the secret (#3273) (#3278)
* Modify capabilities for compatibility with Pod Security (#3274) (#3275)
* Fix Helm releasing to preserve creation timestamps (#3268)
* fix mutate wildcard issue (#3193)
* Fix foreach validations precondition issue (#3228)
* Fix policy report OwnerReference (#3249) (#3257)
* Fix old object validation check (#3248)
* Skip updating webhook configs if namespaceSelector is nil (#3237) (#3243)
* bump chart versions to v2.3.0
* cherry-pick #3209
* Fix image parsing for image referenced as digests (#3196) (#3233)
* Fix keyless attest (#3219)
* update dependencies (#3221)
* release Helm chart v2.2.1
* Allow setting validationFailureActionOverrides for policies (#3201)
* Fri Feb 18 2022 Johannes Kastl <kastl@b1-systems.de>
- link /usr/bin/kyverno to /usr/bin/kubectl-kyverno to make this usable as a kubectl plugin
* Fri Feb 18 2022 Johannes Kastl <kastl@b1-systems.de>
- new package kyverno: CLI and kubectl plugin for the Kyverno Policy engine
/usr/bin/kubectl-kyverno /usr/bin/kyverno /usr/share/doc/packages/kyverno /usr/share/doc/packages/kyverno/README.md /usr/share/licenses/kyverno /usr/share/licenses/kyverno/LICENSE
Generated by rpm2html 1.8.1
Fabrice Bellet, Sat Mar 9 12:50:11 2024