mirror of https://github.com/kyverno/policy-reporter.git synced 2024-12-15 17:50:58 +00:00
policy-reporter/CHANGELOG.md
Frank Jogeleit c164cff966 release Helm Chart v2.19.1
Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
2023-05-29 15:06:21 +02:00


Changelog

2.19.0

  • Policy Reporter
    • AWS IRSA Authentication Support
    • Add source attribute to JSON output [#311 by nikolay-o]

2.19.0

  • Policy Reporter
    • New AWS SecurityHub push target - See values.yaml for available configurations
    • External DB support (PostgreSQL, MySQL, MariaDB) - See values.yaml for available configurations
      • HA Mode support - only the leader writes into the DB
      • Versioned Schema, autoupdated when another version is detected
      • Configurable over values and secrets
    • Cache improvements to reduce duplicated pushes
    • Split Category API into namespaced scoped and cluster scoped API
    • Support search for contained words in the results API
  • Policy Reporter UI
    • Update API requests

2.18.3

  • Policy Reporter
    • new value to add priorityClassName to pods [#283 by boniek83]
    • fixed syntax error for policy reporter config.yaml [#295 by nikolay-o]
    • fixed customFields for kinesis targets [#295 by nikolay-o]
    • image signing and sbom generation for new Policy Reporter images

2.18.2

  • Policy Reporter UI
    • Container signing and SBOM generation
    • New config api.overwriteHost to control the proxy host behavior

2.18.1

  • Signed Helm Chart

  • Policy Reporter

    • New channel property for Slack targets to define the Slack channel to send the results to
    • New mountedSecret property to read target configs from a mounted secret [#282 by rromic]
    • AWS KMS support for S3 target with new properties bucketKeyEnabled, kmsKeyId and serverSideEncryption [#281 by rromic]
      • Mounted secret needs to be in JSON format with keys defined in kubernetes/secrets Values struct.
  • Monitoring

    • Add namespaceSelector to serviceMonitor values

2.18.0

  • Policy Reporter
    • Improved logging configuration
      • Support JSON logging
      • Support log level
    • optional API access logging with api.logging set to true
    • New aggregation table for API performance improvements
    • Helm Ingress template
    • New Google Cloud Storage Target
      • Requires credentials as JSON String and the bucket name
      • Added in the Helm values under target.gcs
  • Policy Reporter KyvernoPlugin
    • Helm Ingress template
    • Improved logging configuration
      • Support JSON logging
      • Support log level
  • Policy Reporter UI
    • Improved logging configuration
      • Support JSON logging
      • Support log level
      • Proxy Logging

2.17.0

  • Policy Reporter
    • Use metaclient to reduce informer memory usage
    • Use workerqueue to control concurrent processing of PolicyReports
    • Remove internal PolicyReport structures
    • Make sqlite volume configurable [#255 by monotek]
    • use defer to unlock when possible [#259 by eddycharly]
  • Policy Reporter UI
    • New SSL configs for external clusters
      • skipTLS to disable SSL verification
      • certificate to configure a path to a custom CA for self signed URLs
    • New Helm values ui.volumes and ui.volumeMounts to add your custom CAs as mounts to the UI deployment.

2.16.0

2.15.0

  • Add values to configure topologySpreadConstraints for all components [#241 by Kostavro]
  • Fixing comment formats and deprecations [#250 by fengshunli]
  • Add new APIs for PolicyReport and ClusterPolicyReport metadata (/v1/policy-reports, /v1/cluster-policy-reports) [#251
  • search filter also checks the resource kind
  • Use correct probes in core deployment [#236 by rgarcia89]
  • Add source to PolicyReport Table and improve report-label API [#252

2.14.1

  • Policy Reporter
    • Fix generate multiple custom metrics

2.14.0

  • Policy Reporter
    • Persist also PolicyReport labels
    • API
      • New API to get available labels for PolicyReports: /v1/namespaced-resources/report-labels
      • New API to get available labels for ClusterPolicyReports: /v1/cluster-resources/report-labels
    • Metrics
      • special syntax to add report labels to metric labels: label:report-label-name, special characters like -, /, ., : will be transformed to _ in metrics
    • New Target Filter reportLabel to filter results based on labels of the related (Cluster)PolicyReport
  • Monitoring
    • New values to disable dedicated Grafana Dashboards:
      • grafana.dashboards.enable.overview, default true
      • grafana.dashboards.enable.policyReportDetails, default true
      • grafana.dashboards.enable.clusterPolicyReportDetails, default true
    • New values to configure the Grafana Dashboard datasource label, pluginName, pluginId
      • grafana.datasource.label, default Prometheus
      • grafana.datasource.pluginName, default Prometheus
      • grafana.datasource.pluginId, default prometheus
    • New value grafana.dashboards.labelFilter to add custom report labels as dashboard filter, default []. Label has to be a valid prometheus label, e.g. created-by => created_by.
    • New values grafana.dashboards.multicluster.enabled and grafana.dashboards.multicluster.label to add an optional cluster label.
  • Kyverno Plugin
    • New HTML Compliance Reports
      • Grouped by Policy with Details per Namespace and Resource
      • Grouped by Namespace with Details per Policy and Resource
    • Go update to 1.19
  • UI
    • Integrate new Compliance Reports
    • New PolicyReport label based filter, use ui.labelFilter to define a list of labels to add
    • Go update to 1.19

2.13.5

  • Add configuration target.s3.pathStyle for the S3 output

2.13.4

  • Fix customFields mapping in TargetFactory

2.13.3

  • Fix customFields property in values.yaml
  • Fix PolicyReporter image.tag version

2.13.2

  • Policy Reporter
    • Add customFields property to missing targets: Elasticsearch, S3, Webhook, Kinesis
  • Policy Reporter UI
    • Create Links out of URL property values
  • Monitoring
    • New monitoring.serviceMonitor.honorLabels and monitoring.kyverno.serviceMonitor.honorLabels value: chooses the metrics labels on collisions with target labels [#216 by monotek]

2.13.1

  • Policy Reporter
    • Fix persist error for duplicated IDs
    • Disable UI SA automount

2.13.0

  • Policy Reporter
    • New certificate config for loki, elasticsearch, teams, webhook and ui, to set the path to your custom certificate for the related client.
    • New skipTLS config for loki, elasticsearch, teams, webhook and ui, to skip tls if needed for the given target.
    • New secretRef for targets to reference a secret with the related username, password, webhook, host, accessKeyID, secretAccessKey information of the given target, instead of configuring your credentials directly.
  • Policy Reporter UI
    • New value refreshInterval to configure the default refresh interval for API polling. Set 0 to disable polling.
  • Policy Reporter Kyverno Plugin
    • Fix the creation of duplicated results for PolicyReportResults.

2.12.0

  • Policy Reporter
    • New Helm Chart value to add extra volumes to PolicyReporter deployment [#186 by preved911]
    • HTTP Basic authentication for Elasticsearch targets with username and password configuration fields
    • target.slack.customFields map property for Slack pushes to add additional metadata to notifications like clustername
    • Add timestamp to Result REST APIs
    • Overwrite the installation target namespace via the new global.namespace value.

2.11.3

  • Policy Reporter
    • New emailReports.smtp.secret configuration to use an existing external secret to configure your SMTP connection
      • You can set all or a subset of the available keys in your secret: host, port, username, password, from, encryption
      • Keys available in your secret have a higher priority than your Helm release values.

2.11.2

  • Policy Reporter
    • Add new Severity values info and critical
    • Update PolicyReport ID generation
  • Policy Reporter UI
    • Fix Grouping by Policy and Categories
    • Fix ReverseProxy RequestHost
    • New configuration ui.clusterName which is used in the ClusterSelect, if you configure additional Clusters
  • Policy Reporter Kyverno Plugin
    • Add time property to PolicyReportResults

2.11.1

  • Policy Reporter
  • Policy Reporter UI
    • Fix API Proxy for APIs behind ReverseProxy (like NGINX Ingress)

2.11.0

  • Policy Reporter

    • High Availability support with leaderelection for necessary features like target pushes, to avoid duplicated pushes by multiple instances
      • Add new role and rolebinding to manage lease objects if leaderelection is enabled
    • Add redis configuration to the Helm Chart for external cache storage
    • Add PodDisruptionBudget for HA Deployments (replicaCount > 1)
    • Add skipTLS configuration for MS Teams Webhook
  • Policy Reporter KyvernoPlugin

    • High Availability support with leaderelection for necessary features like PolicyReport management for blocked resources
      • Add new role and rolebinding to manage lease objects if leaderelection is enabled
    • Add PodDisruptionBudget for HA Deployments (replicaCount > 1)
    • Internal refactoring for better CRD management
  • Policy Reporter UI

    • Add redis as possible log storage to support high availability deployments
    • Add PodDisruptionBudget for HA Deployments (replicaCount > 1)

2.10.3

  • Policy Reporter
    • Add new config target.loki.path to overwrite the deprecated prom push API

2.10.2

  • Policy Reporter UI
    • New option ui.clusters makes it possible to configure additional external Policy Reporter APIs (details)
    • General UI improvements for loading state and error handling

2.10.1

  • Monitoring
    • Fix Datasource for Metrics and Filters in the preconfigured Dashboards
    • Add Datasource as additional Select to the preconfigured Dashboards

2.10.0

  • Policy Reporter
    • Email Reports
      • Send Summary Reports over SMTP to different E-Mails
      • Supports channels and filters to send different subsets of Namespaces or Sources to dedicated E-Mails
      • Reports are generated and sent over dedicated CronJobs, this makes it easy to send the reports as often as needed
      • Currently a basic summary and a more detailed violation report are available and can be separately enabled and configured
    • Metrics
      • Add metrics.mode for less or custom metric values, to reduce cardinality
    • Monitoring
      • Fix Source Column for result tables
      • Fix Warn counter for ClusterPolicyReport Details

2.9.5

  • Fix Policy Reporter Version in the Helm Chart values.yaml

2.9.4

  • Policy Reporter
    • Add AWS Kinesis compatible target
    • Add new Helm value profiling.enabled to enable pprof profiling, disabled by default
    • Improved Informer handling

2.9.3

  • Policy Reporter
    • Fix grafana.dashboards.value type conversion [fix #158]

2.9.2

  • Policy Reporter
    • Add grafana.dashboards.value value to configure the ConfigMap label value for the Prometheus Operator [#157 by stone-z]

2.9.1

  • Policy Reporter
    • Name Configuration for Target (Channels) to customize UI Labels
  • Policy Reporter UI
    • Fix table on chip selection
    • Order labels
    • Return 404 Status Code for non existing URL paths

2.9.0

  • Policy Reporter
    • New configuration to use Redis as external result caching store
    • SQLite Improvement: Use batch insertion for PolicyReportResults
    • PolicyReport Informer Update: Use typed informer to improve performance and memory usage
    • Drop support for v1alpha1 of the PolicyReport CRD
    • Serverside Pagination for better Dashboard performance
    • Concurrent PolicyReport processing
  • Policy Reporter UI
    • Serverside Pagination support
    • Dynamic Chart sizes
  • Policy Reporter Kyverno Plugin
    • Generate Policy Reports for enforcement violations

2.8.0

  • Policy Reporter
    • New target filter and channels to define multiple configurations of the same target
      • Filter target results by exclude and include rules for namespaces, priorities and policies
      • Support wildcards for policies and namespaces
    • New webhook target
      • this target is a simple way to send notifications to custom tools and APIs
      • results are sent as POST requests with a JSON representation of the result
      • the headers property allows you to send custom headers with the request, for example for authentication

2.7.1

  • Policy Reporter
    • Add Resource APIVersion to the Results REST APIs

2.7.0

  • Policy Reporter
    • PolicyReport Filter:
      • PolicyReporter CRD Filter by Namespaces
      • Disable ClusterPolicyReport CRD processing

2.6.3

  • Policy Reporter
    • Fix Debouncer has wrong reference to OldPolicyReport when a result was cached.

2.6.2

  • Policy Reporter

    • Update Go to 1.17.8
    • Add serviceMonitor.relabelings and serviceMonitor.metricRelabelings for ServiceMonitor configuration in the monitoring Subchart.
    • Add kyverno.serviceMonitor.relabelings and kyverno.serviceMonitor.metricRelabelings for the KyvernoPlugin ServiceMonitor configuration in the monitoring Subchart.
  • Policy Reporter UI

    • Update Go to 1.17.8
  • Policy Reporter KyvernoPlugin

    • Update Go to 1.17.8

2.6.1

  • Update Policy Reporter UI to v1.3.2
    • Support access over Subpaths, e.g. Rancher Reverse Proxy
  • Update Policy Reporter Monitoring to v2.1.0
    • Fix Failing ClusterPolicyRules Columns of the PolicyReports Dashboard
    • Add Filter to the PolicyReports Dashboard

2.6.0

2.5.0

  • New Policy Reporter API to get a list of available resources
  • New Filter for Policies, Kinds, Categories and Results APIs

2.4.0

  • Policy Reporter
    • Add Support for custom Loki labels

2.3.0

  • Policy Reporter

  • Policy Reporter UI

  • Policy Reporter KyvernoPlugin

2.2.6

  • Use upper case on drop capabilities [#113 by skuethe]

2.2.5

  • Policy Reporter

    • Update Go to 1.17.6 [#110 by realshuting]
    • Update Helm Chart with new component versions
    • Update dependencies
  • Policy Reporter UI

  • Policy Reporter KyvernoPlugin

2.2.4

  • Fix PolicyReport Mapper - string casting

2.2.3

  • Fix Helm Chart uihost template function.

2.2.2

2.2.1

2.2.0

  • Policy Reporter UI v1.2.0
    • New configurations to customize the dashboard by disabling PolicyReport or ClusterPolicyReport information

2.1.1

  • Fix KyvernoPlugin Metrics ServiceMonitor Port [#96 by z0rc]
  • Remove unused Port from KyvernoPlugin Deployment and Service

2.1.0

  • KyvernoPlugin v1.1.0
    • New KyvernoPlugin API - VerifyImages Rules (details)
  • Policy Reporter UI v1.1.0
    • New Kyverno VerifyImages view in Policy Reporter UI
    • New configurations to disable views (details)

2.0.1

  • Remove NetworkPolicy ingress rule for UI if not enabled
  • Update Policy Reporter UI
    • Fix: Show PolicyReportResult Properties in Tables

2.0.0

Chart

  • Removed deprecated values crdVersion, cleanupDebounceTime
  • Simplify policyPriorities, policyPriorities.enabled was removed along with the watch feature
    • Priority determined mainly over severity
  • Add sources filter to target configurations
  • Improved NetworkPolicy configuration for all components
  • Metrics now an optional feature
  • Each component exposes a single Port 8080

See Migration Docs for details

Policy Reporter

  • modular functions for separate activation/deactivation
    • REST API
    • Metrics API
    • Target pushes
  • PolicyReports are now stored in an internal SQLite
  • extended REST API based on the new SQLite DB for filters and grouping of data
  • metrics API is now optional
  • metrics and REST API using the same HTTP Server (were separated before)
  • improved CRD watch logic with Kubernetes client informer
  • Yandex changed to a general S3 target.

Policy Reporter UI

  • Rewrite with NuxtJS
  • Simplified Proxy
  • Improved SPA file handling

Policy Reporter Kyverno Plugin

  • modular functions for separate activation/deactivation
    • REST API
    • Metrics API
  • metrics and REST API using the same HTTP Server (were separated before)
  • improved CRD watch logic with Kubernetes client informer

1.12.6

1.12.5

  • Dependency Update

1.12.4

  • Fix policy-reporter-ui ServiceName function [#87 by m-yosefpor]

1.12.3

1.12.2

  • Fix CRD registration for PolicyReport and ClusterPolicyReport

1.12.0

  • Add Yandex as new Target for Policy Reporter

1.11.0

  • Add Yandex as new Target for Policy Reporter

1.10.0

  • Update Policy Reporter UI to v0.15.0
    • Add Filters as Query Parameters, make them shareable over links
  • Hosting all new Images on the GitHub Container Registry instead of DockerHub
  • Go Version updates to Go 1.17 of all components

1.9.4

  • Make the Image Registry configurable with image.registry [#74 by stone-z]

1.9.3

  • Fix loki target messages for labels with dots

1.9.2

  • Add additional egress rules to kyvernoPlugin and UI subchart with networkPolicy.egress

1.9.1

  • Configure the Kubernetes API Port for NetworkPolicy with networkPolicy.kubernetesApiPort

1.9.0

  • Implement NetworkPolicy for Policy Reporter and related Components [#68 by windowsrefund]
  • Customize liveness- and readinessProbe for Policy Reporter [#67 by windowsrefund]

1.8.10

  • Fix ServiceMonitor Namespace overwrite with monitoring.serviceMonitor.namespace instead of monitoring.namespace

1.8.9

  • Ensure Backward Compatibility for monitoring.namespace configuration

1.8.8

  • Optional Namespace Configuration for Monitoring ServiceMonitor
  • Separate Namespace Configuration for Monitoring ConfigMaps with monitoring.grafana.namespace

1.8.7

  • Update Policy Reporter UI to 0.14.0
    • Colored Diagrams
    • Support SubPath Configuration
  • Restart CRD Watches when no CRDs are found
  • Fix Ingress Resource in the UI Subchart
  • Allow to override namespace for serviceMonitor [#57 by Issif]

1.8.6

  • Update Policy Reporter UI to 0.13.1
    • Hide Rule Chips if rule name is empty
  • Update Policy Reporter Kyverno Plugin to 0.3.2
    • Improved LivenessProbe, checks now if Kyverno CRDs are available
  • Update Policy Reporter to 1.8.4
    • Improved LivenessProbe, checks now if any PolicyReport CRD is available

1.8.5

1.8.4

  • Changed Organization

1.8.3

  • Update Policy Reporter UI to 0.13.0
    • Change Result Grouping between by Status and by Category
    • Add source filter to ClusterPolicyReports

1.8.2

  • Fix scored mapping for v1alpha2/policyreports
  • Disable KyvernoPlugin by default as expected
  • Support source and properties for policyreports/v1alpha2 in Policy Reporter UI
    • Update Policy Reporter UI to 0.12.0

1.8.1

  • Customize label and annotation for Grafana dashboards [#43 by nlamirault]
  • ARM64 Support for all Components

1.7.3

  • Update Policy Reporter - Kyverno Plugin to 0.2.0
    • New APIs for Liveness and Readiness Probes

1.7.2

  • Update Policy Reporter - Kyverno Plugin to 0.1.2
    • Fix Handling of Validations with empty messages

1.7.1

  • Fix HelmChart - Deployment Probes for Policy Reporter

1.7.0

  • Enable REST API by default
    • Add /healthz and /ready APIs as new endpoints for readinessProbe and livenessProbe
  • Helm Chart Updates
    • Add global.labels to add labels on every resource created
    • Add default labels on every resource

1.6.2

  • Increase Result Caching Time to handle Kyverno issues with Policy reconciliation Issue
  • Fix golint errors

1.6.1

  • Add .global.fullnameOverride as new configuration for Policy Reporter Helm Chart
  • Add static manifests to install Policy Reporter without Helm or Kustomize

1.6.0

  • Internal refactoring
    • Unification of PolicyReports and ClusterPolicyReports processing, APIs still stable
    • DEPRECATED crdVersion, Policy Reporter now handles both versions by default
    • DEPRECATED cleanupDebounceTime, new internal caching replaced the debounce mechanism, debounce still exists with a fixed period to improve stable metric values.

1.5.0

  • Support multiple Resources for a single Result
    • Mapping Result with multiple Resources in multiple Results with a single Resource
    • Update UI handling with Results without Resources

1.4.1

  • Update Kyverno Plugin
    • Fix Rule Type mapping
  • Update Policy Reporter UI
    • Fix Chart rerender when values are the same

1.4.0

  • Add Kyverno Plugins to the Helm Chart

1.3.4

  • Configure Debounce Time in seconds for Cleanup Events over Helm Chart
    • Helm Value cleanupDebounceTime - default: 20
  • Improved securityContext defaults

1.3.3

  • Update Policy Reporter UI to v0.9.0
    • expand Tables with Validation Message
  • Reduce log messages

1.3.2

  • Compress REST API with GZIP
  • Update Policy Reporter UI to 0.8.0
    • Support for GZIP Responses

1.3.1

  • Debounce reconcile modification events for 10s to prevent resending violations

1.3.0

  • New Helm Configuration
    • crdVersion changes the version of the PolicyReporter CRD - v1alpha1 is the current default

1.2.3

  • Fix resend violations after KubeAPI reconnect

1.2.2

  • Fix PolicyReportResult.timestamp parsing

1.2.1

  • Support PolicyReportResult.status as well as PolicyReportResult.result for newer CRD versions

1.2.0

  • Support for (Cluster)PolicyReport CRD Properties in Target Output
  • Support for (Cluster)PolicyReport CRD Timestamp in Target Output
  • Fix resend violations after Kyverno Cleanup with ResultHashes

1.1.0

  • Added PolicyReport Category to Metrics
  • New (Cluster)PolicyReport filter for Grafana Dashboards
    • Add All Selection for Policy Filter
    • Category Filter
    • Severity Filter
    • Kind Filter
    • Namespace Filter (PolicyReports only)
  • New (Cluster)PolicyReport filter for Policy Reporter UI
    • Category Filter
    • Severity Filter
    • Kind Filter

1.0.0

  • Support Priority by Severity
    • high -> critical
    • medium -> warning
    • low -> information
  • Severity is added as label to result metrics
  • Severity is added in Policy Reporter UI tables
  • Add "Critical" as new Priority to differentiate between Errored Policies and Failed priorities with High Severity
  • Use "Warning" as new default Priority instead of Error, which should now be used for Policies in Error Status

0.22.0

  • New Target Policy Reporter UI
    • New Log View in the Policy Reporter UI to see the latest log entries
    • Default: latest 200 logs with priority >= warning

0.21.0

  • New Target MS Teams

0.20.2

  • Policy Reporter UI update
    • Select All option for Policy Filter
    • New Namespace Filter for PolicyReport View

0.20.0

  • [Breaking Change] rename policy-reporter-ui Subchart to ui
    • Simplify the customization by configuring all PolicyReporter UI values under ui

0.19.0

  • PolicyResult Priority mapping is now configurable over the Helm Chart

0.18.0

  • Helm Chart updates #16 fixes #14
    • Target configurations are now configured under target in the HelmChart values.yaml
    • config.yaml is now deployed as Secret with encoded data body (plain stringData before)

0.17.0

  • New Helm Linting Workflow by kolikons #15
  • Improved Helm Chart by kolikons #13
    • More configuration possibilities like UI Ingress, ReplicaCount
    • Role and RoleBindings for ConfigMaps are now optional (required for Priority configuration)

0.16.0

  • New Optional REST API
  • New Optional Policy Reporter UI Helm SubChart

0.15.1

  • Add a checksum for the target configuration secret to the deployment. This enforces a pod recreation when the configuration changed by a Helm upgrade.

0.15.0

  • Customizable Dashboards via new Helm values for the Monitoring Subchart.

0.14.0

  • Internal refactoring
    • Improved test coverage
    • Removed duplicated caching
  • Updated Dashboard
    • Filter zero values from Policy Report Detail after Policies / Resources are deleted

0.13.0

  • Split the Monitoring out in a Sub Helm chart
    • Changed naming from metrics to monitoring
  • Make Annotations for the Deployment configurable
  • Add two new Grafana Dashboards (PolicyReport Details, ClusterPolicyReport Details)

0.12.0

  • Add support for a special default key in the Policy Priority. The default key can be used to configure a global default priority instead of error

0.11.1

  • Use a Secret instead of ConfigMap to persist target configurations

0.11.0

  • Helm Chart Value metrics.serviceMonitor changed to metrics.serviceMonitor.enabled
  • New Helm Chart Value metrics.serviceMonitor.labels can be used to add additional labels to the ServiceMonitor. This helps to fulfill the serviceMonitorSelector of the Prometheus Resource in the MonitoringStack.

0.10.0

  • Implement Discord as Target for PolicyReportResults

0.9.0

  • Implement Slack as Target for PolicyReportResults

0.8.0

  • Implement Elasticsearch as Target for PolicyReportResults
  • Replace CLI flags with a single config.yaml to manage target-configurations as separate ConfigMap
  • Set loki.skipExistingOnStartup default value to true