mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
d2658a1bc8
* feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
10 KiB
10 KiB
v1.9.0-rc.1
Note
- Flag
autogenInternals
was removed, policy mutation has been removed. - Support upper case
Audit
andEnforce
in.spec.validationFailureAction
of the Kyverno policy, failure actionsaudit
andenforce
are deprecated and will be removed inv1.11.0
.
v1.8.1-rc3
Note
- A new flag
backgroundScanWorkers
to configure the number of background scan workers (default value is2
).
v1.8.0-rc3
Note
- A new flag
backgroundScan
to enable/disable kyverno background scans (default value istrue
). When this is set tofalse
, kyverno will not perform background scans and won't trigger continuous evaluation of policies. - A new flag
admissionReports
to enable/disable kyverno admission reports (default value istrue
). When this is set tofalse
, kyverno will not create admission reports. - If both
backgroundScan
andadmissionReports
are set tofalse
the entire reports system will be disabled. - A new flag
reportsChunkSize
to split reports according to the number of results contained in the report (default value is1000
). This can be disabled by setting the flag value to0
. - Deprecated
splitPolicyReport
flag, splitting reports per policy is always enabled, keeping it for backward compatibility, will be removed in future version. ReportChangeRequest
andClusterReportChangeRequest
CRDs have been removed and replaced byAdmissionReport
,ClusterAdmissionReport
,BackgroundScanReport
andClusterBackgroundScanReport
CRDs.
v1.8.0-rc1
Note
- A new flag
protectManagedResources
to enable kyverno managed resources protection (default value isfalse
). When this is enabled, kyverno managed resources can only be modified or deleted by the controller.
v1.7.2-rc2
Note
- A new flag
maxQueuedEvents
is added to the Kyverno main container, this flag sets the up-limit of the events that are queued internally.
v1.7.2-rc1
Note
- A new flag
maxReportChangeRequests
is added to the Kyverno main container, this flag sets the up-limit of reportchangerequests that a namespace can take, or clusterreportchangerequests if matching kinds are cluster-wide resources. The default limit is set to 1000, and it's recommended to configure it to a small threshold on large clusters. Here the large clusters are considered that a policy report has more than 1k results.
v1.7.0-rc1
Note
status.ready
of the policy is deprecated in favor ofpolicy.IsReady()
. The implementation was changed to usestatus.conditions
that offer more flexibility. Thestatus.ready
will be kept for a couple of releases until we remove it in the future.- Deprecated flags have been removed.
- Flags that were overlapping with config map based configuration were removed (
filterK8sResources
,excludeGroupRole
,excludeUsername
). They can now be configured using the config map only.
v1.6.0-rc1
Note
- Helm charts are changed to enforce PodDisruptionBudget for multi-replica clusters and PDB is removed from install manifests.
anyPattern
for Kyverno validate policies breaks in Kubernetesv1.23.0
-v1.23.2
, and the fix is being tracked by this PR and will be available inv1.23.3
.- To use
any/all
conditions for policies that usepreconditons
anddeny.conditions
, the user can go to this resource as a good starting point.
v1.5.0-rc1
Note
- The Helm CRDs was switched back to kyverno chart. To upgrade using Helm, please refer to https://github.com/kyverno/website/pull/304.
- With the change of dynamic webhooks, the readiness of the policy is reflected by
.status.ready
, When ready, it means the policy is ready to serve the admission requests.
Deprecation
- To add a consistent style in flag names the following flags have been deprecated
webhooktimeout
,gen-workers
,disable-metrics
,background-scan
,auto-update-webhooks
,profile-port
,metrics-port
these will be removed in 1.6.0. The new flags arewebhookTimeout
,genWorkers
,disableMetrics
,backgroundScan
,autoUpdateWebhooks
,profilePort
,metricsPort
(#1991).
Features
- Feature/foreach validate #2443
- Feature/foreach mutate #2493
- Feature/cosign attest #2487
- Make webhooks configurable #1981
- FailurePolicy
Ignore
vsenforcing
policies #893 - Make failurePolicy configurable per Kyverno policy #1995
- Add feature gate flag "auto-update-webhooks" #2321
- Extend the "kyverno test" command to handle mutate policies #1821
Enhancements
- Integrate Github Action #2349
- Use a custom repository with verifyImages #2294
- Add pod anti-affinity to Kyverno #1966
- Rename 'policies.kyverno.io/patches' to reflect actual functionality #1528
- Add global variables to CLI #1472
- Allow configuration of test image through chart values #2410
- Switch Helm CRDs back to kyverno chart and moving Policies to dedicated chart #2355
- Updating Contribution Markdown #2450
- Validate GVK in
match
/exclude
block #2389 - Add
PodDisruptionBudget
in Kustomize & Helm #1979 - Upgrade Kyverno managed webhook configurations to v1 #2424
- Allow background scanning if only request.operation is used in preconditions #1883
- Add security vulnerability scan for the kyverno images #1557
- Run vulnerability scan during Kyverno builds #2432
- Sign Kyverno images and generate SBOM #2175
- Make flag name styles consistent #1991
- Improve init container to use DeleteCollection to remove policy reports #2477
- Leader election for initContianer #1965
- Sample policies should have related CLI apply/test #1994
Bug Fixes
- Autogen-controllers does not work with "any" rules #2337
- Use
patchesJson6902
where path contains a non-zero index number causes validation failure #2100 - CLI apply command - not filtering the resources from cluster #2417
- Kyverno ConfigMap name not consistent in Helm/Docs and install.yaml #2347
- Fixing helm chart documentation inconsistency #2419
- Create/Update policy failing with custom JMESPath #2409
- GenerateRequests are not cleaned up #2332
- NetworkPolicy: from should be an array of objects #2423
- Kyverno misinterprets pod spec environment variable placeholders as references #2413
- CLI | skipped policy message is displayed even if variable is passed #2445
- Update minio to address vulnerabilities #1953
- No warning about background mode when using
any
/all
inmatch
orexclude
blocks #2300 - Flaky unit test #2406
- Generating a Kyverno Policy throws error "Policy is unstructured" #2155
- Network policy is not getting generated on creation of a pod #2095
- Namespace generate policy fails with
request.operation
precondition #2226 - Fix
any
/all
matching logic in the background controller #2386 - Run code-generator for 1.5 schema changes #2465
- Generate policies with no Namespace field #2333
- Excluding clusterRoles does not work if nested under any or all #2301
- Fix auto-gen for
validate.foreach
#2464 - "Auto-gen rules for pod controllers" fails when matching kind is "v1/Pod" #2415
- Set Namespace environment variable for initContainer #2499
Others
- Cannot add label to nodes #2397
- Purge grafana dashboard json from this project #2399
Thanks to all our contributors! 😊
v1.4.3
v1.4.3-rc2
Bug Fixes
- Fix any/all conversion during policy mutation (#2392)
- Fix upgrade issue from 1.4.2 to latest (#2384)
v1.4.3-rc1
Enhancements
- CLI variables should be coming from the resources itself (#1996)
- Adding
ownerRef
with namespace for Kyverno managed webhook configurations (#2263) - Support new policy report CRD #1753, (#2376)
- Clean up formatting in mutate test file (#2338)
- Add test case for non zero index patches with patchesJson6902 (#2339)
- Cleanup Kustomization configurations (#2274)
- Kyverno CLI
apply
command improvements (#2342, #2331, #2318, #2310, #2296, #2290, #2122, #2120, #2367) - Validate
path
element begins with a forward slash inpatchesJson6902
(#2117) - Support gvk in CLI for policies applied on cluster (#2363)
- Update cosign (#2266)
- Allow users to skip policy validation when mutating resources (#2185)
- Allow NetworkPolicy customization (#2287)
- Patch labels to Helm templates (#2262)
- Support for configurable automatic refresh of metrics and selective exposure of metrics at namespace-level (#2268)
- Support global anchor behavior in validation and mutation rules (#2201)
Bug Fixes
- Unable to use
GreaterThan
operator withprecondition
(#2211) - Fix
precondition
logic for mutating policies (#2271, #2228, #2352) - Fix Kyverno Deployment updateStrategy (#1982)
- Helm chart releases are not gated behind something like a tag (#2264)
- Add validation for generate loops (#1941)
- Policy doesn't work when
match.resources.kinds
is set toPolicy/ClusterPolicy
(#2149) - Kyverno CLI panics when context is added to rule, but not actually used (#2289)
- Generate policies with
background:false
andsynchronize:false
are still re-evaluated every 15mins (#2181) - Tests applied on excluded resources should succeed (#2295)
- Kyverno CLI with context variables needs documentation (#2291)
- Kyverno CLI test requires var resolution for non-applicable resources (#2331)
- Test command result showing
Notfound
in result (#2296) any/all
in match block fails in the CLI (#2350)- JMESPath
contains
function behavior not consistent in Kyverno vs upstream (#2345) patchStrategicMerge
fails to mutate if policy written with initContainers object (#1916)- Check Any and All ResourceFilters during policy mutation (#2373)
- Support variable replacement in the key of annotations (#2316)
- Background scan doesn't work with any/all (#2299)
Others
- Kyverno gives error when installed with KEDA (#2267)
- Using Argo to deploy, baseline policies are constantly out-of-sync (#2234)
- Policy update, flux2-multi-tenancy fails to update kyverno to v1.4.2-rc3 (#2241)
- Throws a variable substitution error in spite of no variable present in the policy (#2374)
v1.4.2
Enhancements
- Remove unused variable from Kyverno CLI (#2252)
v1.4.2-rc4
Enhancements
- Update cosign to v1.0.0 (#2221)
- Helm Chart - Add Network Policy Support (#2210)
- Add platform to bug template (#2246)
- Update Grafana dashboard json with respect to new set of metrics (#2244)
- Automate CLI binaries releases (#2236)
- Removing OwnerReference for webhook configurations (#2251)
Bug Fixes
- Resolve variables from the resource passed in CLI (#2222)
- Fix CLI panics when variables are passed using set flag (#2224)