Release 1.6.3 (#4134)

* fix: do not remove webhooks during initialization (#3641)

* Do not remove webhooks during initialization

During initialization the Kyverno leader Pod deletes all the
existing webhooks and recreates them. There is a small time window were
the cluster is not protected by the webhooks, allowing a user to apply
resources without any verfication.
This commit updates the leader registration logic to not remove and
recreate the webhooks but, in the case that the webhooks already exist,
update them.

Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com>

* Fix linter errors

Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com>

* Use the Lister to get webhook configurations

Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Tag v1.6.3

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Co-authored-by: Ioannis Bouloumpasis <buluba89@gmail.com>

charts/kyverno-policies/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: kyverno-policies
-version: v2.3.4
+version: v2.3.5
-appVersion: v1.6.2
+appVersion: v1.6.3
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Pod Security Standards implemented as Kyverno policies
 keywords:

charts/kyverno/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: kyverno
-version: v2.3.3
+version: v2.3.4
-appVersion: v1.6.2
+appVersion: v1.6.3
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Native Policy Management
 keywords:

charts/kyverno/templates/crds.yaml

@@ -11,7 +11,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: clusterpolicies.kyverno.io
 spec:
   group: kyverno.io
@@ -1388,7 +1388,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: clusterpolicyreports.wgpolicyk8s.io
 spec:
   group: wgpolicyk8s.io
@@ -1880,7 +1880,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: clusterreportchangerequests.kyverno.io
 spec:
   group: kyverno.io
@@ -2372,7 +2372,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: generaterequests.kyverno.io
 spec:
   group: kyverno.io
@@ -2553,7 +2553,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: policies.kyverno.io
 spec:
   group: kyverno.io
@@ -3930,7 +3930,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: policyreports.wgpolicyk8s.io
 spec:
   group: wgpolicyk8s.io
@@ -4422,7 +4422,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: reportchangerequests.kyverno.io
 spec:
   group: kyverno.io

config/install.yaml

@@ -7,7 +7,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno
 ---
 apiVersion: apiextensions.k8s.io/v1
@@ -21,7 +21,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: clusterpolicies.kyverno.io
 spec:
   group: kyverno.io
@@ -2202,7 +2202,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: clusterpolicyreports.wgpolicyk8s.io
 spec:
   group: wgpolicyk8s.io
@@ -2882,7 +2882,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: clusterreportchangerequests.kyverno.io
 spec:
   group: kyverno.io
@@ -3562,7 +3562,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: generaterequests.kyverno.io
 spec:
   group: kyverno.io
@@ -3759,7 +3759,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: policies.kyverno.io
 spec:
   group: kyverno.io
@@ -5942,7 +5942,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: policyreports.wgpolicyk8s.io
 spec:
   group: wgpolicyk8s.io
@@ -6620,7 +6620,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: reportchangerequests.kyverno.io
 spec:
   group: kyverno.io
@@ -7298,7 +7298,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno-service-account
   namespace: kyverno
 ---
@@ -7311,7 +7311,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:leaderelection
   namespace: kyverno
 rules:
@@ -7345,7 +7345,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
   name: kyverno:admin-policies
 rules:
@@ -7372,7 +7372,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
   name: kyverno:admin-policyreport
 rules:
@@ -7399,7 +7399,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
   name: kyverno:admin-reportchangerequest
 rules:
@@ -7426,7 +7426,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:events
 rules:
 - apiGroups:
@@ -7448,7 +7448,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:generate
 rules:
 - apiGroups:
@@ -7495,7 +7495,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:policies
 rules:
 - apiGroups:
@@ -7546,7 +7546,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:userinfo
 rules:
 - apiGroups:
@@ -7569,7 +7569,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:view
 rules:
 - apiGroups:
@@ -7590,7 +7590,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:webhook
 rules:
 - apiGroups:
@@ -7616,7 +7616,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:leaderelection
   namespace: kyverno
 roleRef:
@@ -7637,7 +7637,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:events
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7657,7 +7657,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:generate
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7677,7 +7677,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:policies
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7697,7 +7697,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:userinfo
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7717,7 +7717,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:view
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7737,7 +7737,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:webhook
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7761,7 +7761,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno
   namespace: kyverno
 ---
@@ -7777,7 +7777,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno-metrics
   namespace: kyverno
 ---
@@ -7790,7 +7790,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno-svc
   namespace: kyverno
 spec:
@@ -7811,7 +7811,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno-svc-metrics
   namespace: kyverno
 spec:
@@ -7832,7 +7832,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno
   namespace: kyverno
 spec:
@@ -7854,7 +7854,7 @@ spec:
         app.kubernetes.io/instance: kyverno
         app.kubernetes.io/name: kyverno
         app.kubernetes.io/part-of: kyverno
-        app.kubernetes.io/version: v1.6.2
+        app.kubernetes.io/version: v1.6.3
     spec:
       affinity:
         podAntiAffinity:
@@ -7885,7 +7885,7 @@ spec:
           value: kyverno-svc
         - name: TUF_ROOT
           value: /.sigstore
-        image: ghcr.io/kyverno/kyverno:v1.6.2
+        image: ghcr.io/kyverno/kyverno:v1.6.3
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 2
@@ -7940,7 +7940,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: ghcr.io/kyverno/kyvernopre:v1.6.2
+        image: ghcr.io/kyverno/kyvernopre:v1.6.3
         imagePullPolicy: IfNotPresent
         name: kyverno-pre
         resources:

config/release/install.yaml

@@ -7,7 +7,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno
 ---
 apiVersion: apiextensions.k8s.io/v1
@@ -21,7 +21,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: clusterpolicies.kyverno.io
 spec:
   group: kyverno.io
@@ -2202,7 +2202,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: clusterpolicyreports.wgpolicyk8s.io
 spec:
   group: wgpolicyk8s.io
@@ -2882,7 +2882,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: clusterreportchangerequests.kyverno.io
 spec:
   group: kyverno.io
@@ -3562,7 +3562,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: generaterequests.kyverno.io
 spec:
   group: kyverno.io
@@ -3759,7 +3759,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: policies.kyverno.io
 spec:
   group: kyverno.io
@@ -5942,7 +5942,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: policyreports.wgpolicyk8s.io
 spec:
   group: wgpolicyk8s.io
@@ -6620,7 +6620,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: reportchangerequests.kyverno.io
 spec:
   group: kyverno.io
@@ -7298,7 +7298,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno-service-account
   namespace: kyverno
 ---
@@ -7311,7 +7311,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:leaderelection
   namespace: kyverno
 rules:
@@ -7345,7 +7345,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
   name: kyverno:admin-policies
 rules:
@@ -7372,7 +7372,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
   name: kyverno:admin-policyreport
 rules:
@@ -7399,7 +7399,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
   name: kyverno:admin-reportchangerequest
 rules:
@@ -7426,7 +7426,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:events
 rules:
 - apiGroups:
@@ -7448,7 +7448,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:generate
 rules:
 - apiGroups:
@@ -7495,7 +7495,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:policies
 rules:
 - apiGroups:
@@ -7546,7 +7546,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:userinfo
 rules:
 - apiGroups:
@@ -7569,7 +7569,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:view
 rules:
 - apiGroups:
@@ -7590,7 +7590,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:webhook
 rules:
 - apiGroups:
@@ -7616,7 +7616,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:leaderelection
   namespace: kyverno
 roleRef:
@@ -7637,7 +7637,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:events
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7657,7 +7657,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:generate
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7677,7 +7677,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:policies
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7697,7 +7697,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:userinfo
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7717,7 +7717,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:view
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7737,7 +7737,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno:webhook
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -7761,7 +7761,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno
   namespace: kyverno
 ---
@@ -7777,7 +7777,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno-metrics
   namespace: kyverno
 ---
@@ -7790,7 +7790,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno-svc
   namespace: kyverno
 spec:
@@ -7811,7 +7811,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno-svc-metrics
   namespace: kyverno
 spec:
@@ -7832,7 +7832,7 @@ metadata:
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: v1.6.2
+    app.kubernetes.io/version: v1.6.3
   name: kyverno
   namespace: kyverno
 spec:
@@ -7854,7 +7854,7 @@ spec:
         app.kubernetes.io/instance: kyverno
         app.kubernetes.io/name: kyverno
         app.kubernetes.io/part-of: kyverno
-        app.kubernetes.io/version: v1.6.2
+        app.kubernetes.io/version: v1.6.3
     spec:
       affinity:
         podAntiAffinity:
@@ -7885,7 +7885,7 @@ spec:
           value: kyverno-svc
         - name: TUF_ROOT
           value: /.sigstore
-        image: ghcr.io/kyverno/kyverno:v1.6.2
+        image: ghcr.io/kyverno/kyverno:v1.6.3
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 2
@@ -7940,7 +7940,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: ghcr.io/kyverno/kyvernopre:v1.6.2
+        image: ghcr.io/kyverno/kyvernopre:v1.6.3
         imagePullPolicy: IfNotPresent
         name: kyverno-pre
         resources:

config/release/kustomization.yaml

@@ -9,6 +9,6 @@ transformers:
 
 images:
 - name: ghcr.io/kyverno/kyverno
-  newTag: v1.6.2
+  newTag: v1.6.3
 - name: ghcr.io/kyverno/kyvernopre
-  newTag: v1.6.2
+  newTag: v1.6.3

config/release/labels.yaml

@@ -4,7 +4,7 @@ kind: LabelTransformer
 metadata:
   name: labelTransformer
 labels:
-  app.kubernetes.io/version: v1.6.2
+  app.kubernetes.io/version: v1.6.3
 fieldSpecs:
 - path: metadata/labels
   create: true

pkg/webhookconfig/registration.go

@@ -126,7 +126,6 @@ func (wrc *Register) Register() error {
 			return err
 		}
 	}
-	wrc.removeWebhookConfigurations()
 
 	caData := wrc.readCaData()
 	if caData == nil {
@@ -318,9 +317,12 @@ func (wrc *Register) createResourceMutatingWebhookConfiguration(caData []byte) e
 	_, err := wrc.client.CreateResource("", kindMutating, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
 		logger.V(6).Info("resource mutating webhook configuration already exists", "name", config.Name)
+		err = wrc.updateMutatingWebhookConfiguration(config)
+		if err != nil {
+			return err
+		}
 		return nil
 	}
-
 	if err != nil {
 		logger.Error(err, "failed to create resource mutating webhook configuration", "name", config.Name)
 		return err
@@ -344,6 +346,10 @@ func (wrc *Register) createResourceValidatingWebhookConfiguration(caData []byte)
 	_, err := wrc.client.CreateResource("", kindValidating, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
 		logger.V(6).Info("resource validating webhook configuration already exists", "name", config.Name)
+		err = wrc.updateValidatingWebhookConfiguration(config)
+		if err != nil {
+			return err
+		}
 		return nil
 	}
 
@@ -369,6 +375,10 @@ func (wrc *Register) createPolicyValidatingWebhookConfiguration(caData []byte) e
 	if _, err := wrc.client.CreateResource("", kindValidating, "", *config, false); err != nil {
 		if errorsapi.IsAlreadyExists(err) {
 			wrc.log.V(6).Info("webhook already exists", "kind", kindValidating, "name", config.Name)
+			err = wrc.updateValidatingWebhookConfiguration(config)
+			if err != nil {
+				return err
+			}
 			return nil
 		}
 
@@ -392,6 +402,10 @@ func (wrc *Register) createPolicyMutatingWebhookConfiguration(caData []byte) err
 	if _, err := wrc.client.CreateResource("", kindMutating, "", *config, false); err != nil {
 		if errorsapi.IsAlreadyExists(err) {
 			wrc.log.V(6).Info("webhook already exists", "kind", kindMutating, "name", config.Name)
+			err = wrc.updateMutatingWebhookConfiguration(config)
+			if err != nil {
+				return err
+			}
 			return nil
 		}
 
@@ -414,6 +428,10 @@ func (wrc *Register) createVerifyMutatingWebhookConfiguration(caData []byte) err
 	if _, err := wrc.client.CreateResource("", kindMutating, "", *config, false); err != nil {
 		if errorsapi.IsAlreadyExists(err) {
 			wrc.log.V(6).Info("webhook already exists", "kind", kindMutating, "name", config.Name)
+			err = wrc.updateMutatingWebhookConfiguration(config)
+			if err != nil {
+				return err
+			}
 			return nil
 		}
 
@@ -684,9 +702,6 @@ func (wrc *Register) checkEndpoint() error {
 		}
 	}
 
-	// clean up old webhook configurations, if any
-	wrc.removeWebhookConfigurations()
-
 	err = fmt.Errorf("endpoint not ready")
 	wrc.log.V(3).Info(err.Error(), "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName)
 	return err
@@ -851,3 +866,93 @@ func (wrc *Register) updateResourceMutatingWebhookConfiguration(nsSelector map[s
 
 	return nil
 }
+
+// updateMutatingWebhookConfiguration updates an existing MutatingWebhookConfiguration with the rules provided by
+// the targetConfig. If the targetConfig doesn't provide any rules, the existing rules will be preserved.
+func (wrc *Register) updateMutatingWebhookConfiguration(targetConfig *admregapi.MutatingWebhookConfiguration) error {
+	// Fetch the existing webhook.
+	currentConfiguration, err := wrc.mwcLister.Get(targetConfig.Name)
+	if err != nil {
+		return fmt.Errorf("failed to get %s %s: %v", kindMutating, targetConfig.Name, err)
+	}
+	// Create a map of the target webhooks.
+	targetWebhooksMap := make(map[string]admregapi.MutatingWebhook)
+	for _, w := range targetConfig.Webhooks {
+		targetWebhooksMap[w.Name] = w
+	}
+	// Update the webhooks.
+	newWebhooks := make([]admregapi.MutatingWebhook, 0)
+	for _, w := range currentConfiguration.Webhooks {
+		target, exist := targetWebhooksMap[w.Name]
+		if !exist {
+			continue
+		}
+		delete(targetWebhooksMap, w.Name)
+		// Update the webhook configuration
+		w.ClientConfig.URL = target.ClientConfig.URL
+		w.ClientConfig.Service = target.ClientConfig.Service
+		w.ClientConfig.CABundle = target.ClientConfig.CABundle
+		if target.Rules != nil {
+			// If the target webhook has rule definitions override the current.
+			w.Rules = target.Rules
+		}
+		newWebhooks = append(newWebhooks, w)
+	}
+	// Check if there are additional webhooks defined and add them.
+	for _, w := range targetWebhooksMap {
+		newWebhooks = append(newWebhooks, w)
+	}
+	// Update the current configuration.
+	currentConfiguration.Webhooks = newWebhooks
+	_, err = wrc.client.UpdateResource("", kindMutating, "", currentConfiguration, false)
+	if err != nil {
+		return err
+	}
+	wrc.log.V(3).Info("successfully updated mutatingWebhookConfigurations", "name", targetConfig.Name)
+	return nil
+}
+
+// updateValidatingWebhookConfiguration updates an existing ValidatingWebhookConfiguration with the rules provided by
+// the targetConfig. If the targetConfig doesn't provide any rules, the existing rules will be preserved.
+func (wrc *Register) updateValidatingWebhookConfiguration(targetConfig *admregapi.ValidatingWebhookConfiguration) error {
+	// Fetch the existing webhook.
+	currentConfiguration, err := wrc.vwcLister.Get(targetConfig.Name)
+	if err != nil {
+		return fmt.Errorf("failed to get %s %s: %v", kindValidating, targetConfig.Name, err)
+	}
+	// Create a map of the target webhooks.
+	targetWebhooksMap := make(map[string]admregapi.ValidatingWebhook)
+	for _, w := range targetConfig.Webhooks {
+		targetWebhooksMap[w.Name] = w
+	}
+	// Update the webhooks.
+	newWebhooks := make([]admregapi.ValidatingWebhook, 0)
+	for _, w := range currentConfiguration.Webhooks {
+		target, exist := targetWebhooksMap[w.Name]
+		if !exist {
+			continue
+		}
+		delete(targetWebhooksMap, w.Name)
+		// Update the webhook configuration
+		w.ClientConfig.URL = target.ClientConfig.URL
+		w.ClientConfig.Service = target.ClientConfig.Service
+		w.ClientConfig.CABundle = target.ClientConfig.CABundle
+		if target.Rules != nil {
+			// If the target webhook has rule definitions override the current.
+			w.Rules = target.Rules
+		}
+		newWebhooks = append(newWebhooks, w)
+	}
+	// Check if there are additional webhooks defined and add them.
+	for _, w := range targetWebhooksMap {
+		newWebhooks = append(newWebhooks, w)
+	}
+	// Update the current configuration.
+	currentConfiguration.Webhooks = newWebhooks
+	_, err = wrc.client.UpdateResource("", kindValidating, "", currentConfiguration, false)
+	if err != nil {
+		return err
+	}
+	wrc.log.V(3).Info("successfully updated validatingWebhookConfigurations", "name", targetConfig.Name)
+	return nil
+}