Name: kyverno
Distribution: openSUSE Tumbleweed
Version: 1.15.2
Vendor: openSUSE
Release: 1.1
Build date: Fri Sep 19 07:20:35 2025
Group: Unspecified
Build host: reproducible
Size: 255323758
Source RPM: kyverno-1.15.2-1.1.src.rpm
Packager: http://bugs.opensuse.org
Url: https://github.com/kyverno/kyverno
Summary: CLI and kubectl plugin for Kyverno
Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.
License: Apache-2.0
* Fri Sep 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.15.2:
  * fix: pass userInfo to VAPs and MAPs in the CLI (#13920) (#14024)
* Tue Aug 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.15.1: No CLI-related changes
  * Dependencies
    - chore: update go.mod to 1.24.6 (latest) (#13822) (#13823)
* Fri Aug 01 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.15.0:
  * CLI-related changes
    - fix(gpols): fetch sources from the cluster in case of in-cluster mode in the CLI (#13603) (#13604)
    - fix: evaluate MAPs correctly in the CLI (#13557) (#13578)
    - Complete CLI fix command documentation with website URLs (#13300)
    - feat: apply GPOLs in cluster mode in CLI (#13414)
    - feat: remove CLI deprecated APIs (#13481)
    - Support MutatingPolicy in Kyverno CLI apply command (#13425)
    - Init MutatingPolicy support in the CLI test command (#13420)
    - feat: support gpols in CLI test (#13412)
    - feat: support gpols in CLI apply (#13365)
    - Support dpol in kyverno apply CLI command (#13301)
    - Support JSON Payload for dpols in kyverno cli test command (#13286)
    - feat: test deleting policy with the CLI test command (#13284)
    - feat: support Cli for map (#12667)
    - fix(cli): ensure JMESPath expressions handle number types correctly (#12037)
    - chore: add mpol and gpol crds in the CLI (#13181)
    - fix: apply IVPs in cluster mode in the CLI (#13101)
    - test: add cli test with namespaceObject (#13083)
    - fix: apply VPs in cluster mode in the CLI (#13084)
    - chore: update CLI warning messages (#13060)
    - refactor: use resource fetcher in the CLI (#13054)
    - chore: remove unused function in CLI (#13053)
    - fix: use the generic policy in the CLI (#13035)
    - feature: support multiple output formats (json, yaml, markdown, junit) for CLI test command (#12799)
    - fix: convert gvk to gvr for VAPs in the CLI (#12937)
    - feat: remove CLI legacy loader (#12919)
    - fix: compute vpols autogen in CLI provider (#12871)
    - chore: add local CLI tests for the new policy types in the workflow (… (#12758)
    - chore: add local CLI tests for the new policy types in the workflow (#12755)
    - feat: add --markdownLinks to cli docs command (#12734)
    - fix: evaluate celexceptions with ivpol in CLI (#12728)
    - chore: add --noDate to cli docs command (#12712)
    - feat(cli): return an error if tests are required (#12395)
    - fix: add result count for VPs in the CLI (#12711)
    - feat: add cli test command support for ivpols (#12660)
    - fix: use correct resource in cli processor (#12575)
    - fix: CLI policies processing order (VPOL) (#12567)
    - fix: CLI policies processing order (#12561)
    - feat: support json for ivpol via CLI apply (#12511)
    - fix: handle nil namespace pointer in CLI mode for ValidatingPolicies with namespaceSelector (#13636) (#13646)
    - fix(gpols): fetch sources from the cluster in case of in-cluster mode in the CLI (#13603) (#13604)
    - fix: evaluate MAPs correctly in the CLI (#13557) (#13578)
  * Dependencies
    - fix: Update Go version to fix CVE-2025-22871 vulnerability by @samsonkolge in #12714
    - chore(deps): bump actions/download-artifact (#12881)
    - chore(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 (#12879)
    - chore(deps): bump actions/setup-go in /.github/actions/setup-build-env (#12743)
    - chore(deps): bump actions/setup-go in /.github/actions/setup-build-env (#13077)
    - chore(deps): bump actions/setup-python from 5.4.0 to 5.5.0 (#12529)
    - chore(deps): bump actions/setup-python from 5.5.0 to 5.6.0 (#12869)
    - chore(deps): bump adRise/update-pr-branch from 0.9.1 to 0.10.1 (#13294)
    - chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.31.0 (#13316)
    - chore(deps): bump cbrgm/cleanup-stale-branches-action (#12617)
    - chore(deps): bump cbrgm/cleanup-stale-branches-action (#12993)
    - chore(deps): bump cbrgm/cleanup-stale-branches-action (#13297)
    - chore(deps): bump cbrgm/cleanup-stale-branches-action (#13511)
    - chore(deps): bump codecov/codecov-action from 5.4.0 to 5.4.2 (#12761)
    - chore(deps): bump codecov/codecov-action from 5.4.2 to 5.4.3 (#13160)
    - chore(deps): bump fluxcd/flux2 from 2.5.1 to 2.6.0 (#13282)
    - chore(deps): bump fluxcd/flux2 from 2.6.0 to 2.6.1 (#13295)
    - chore(deps): bump fluxcd/flux2 from 2.6.1 to 2.6.2 (#13388)
    - chore(deps): bump fluxcd/flux2 from 2.6.2 to 2.6.3 (#13490)
    - chore(deps): bump fossas/fossa-action from 1.6.0 to 1.7.0 (#13147)
    - chore(deps): bump github.com/aptible/supercronic from 0.2.33 to 0.2.34 (#13438)
    - chore(deps): bump github.com/go-git/go-git/v5 from 5.14.0 to 5.15.0 (#12747)
    - chore(deps): bump github.com/go-git/go-git/v5 from 5.15.0 to 5.16.0 (#12788)
    - chore(deps): bump github.com/go-git/go-git/v5 from 5.16.0 to 5.16.1 (#13318)
    - chore(deps): bump github.com/go-git/go-git/v5 from 5.16.1 to 5.16.2 (#13342)
    - chore(deps): bump github.com/go-logr/logr from 1.4.2 to 1.4.3 (#13271)
    - chore(deps): bump github.com/go-viper/mapstructure/v2 (#13486)
    - chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#12496)
    - chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#12495)
    - chore(deps): bump github.com/onsi/gomega from 1.36.2 to 1.36.3 (#12506)
    - chore(deps): bump github.com/onsi/gomega from 1.36.3 to 1.37.0 (#12628)
    - chore(deps): bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 (#13019)
    - chore(deps): bump github.com/prometheus/client_golang (#12675)
    - chore(deps): bump github.com/rs/zerolog from 1.33.0 to 1.34.0 (#12507)
    - chore(deps): bump github.com/sergi/go-diff (#13328)
    - chore(deps): bump github.com/sigstore/rekor from 1.3.9 to 1.3.10 (#12746)
    - chore(deps): bump github.com/sigstore/sigstore from 1.9.1 to 1.9.3 (#12696)
    - chore(deps): bump github.com/sigstore/sigstore from 1.9.3 to 1.9.4 (#12902)
    - chore(deps): bump github.com/sigstore/sigstore from 1.9.4 to 1.9.5 (#13356)
    - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#12695)
    - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#12884)
    - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#12677)
    - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#12883)
    - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12698)
    - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12885)
    - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#12676)
    - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#12882)
    - chore(deps): bump github/codeql-action from 3.28.12 to 3.28.13 (#12528)
    - chore(deps): bump github/codeql-action from 3.28.13 to 3.28.15 (#12656)
    - chore(deps): bump github/codeql-action from 3.28.15 to 3.28.16 (#12868)
    - chore(deps): bump github/codeql-action from 3.28.16 to 3.28.17 (#13004)
    - chore(deps): bump github/codeql-action from 3.28.17 to 3.28.18 (#13173)
    - chore(deps): bump github/codeql-action from 3.28.18 to 3.28.19 (#13315)
    - chore(deps): bump github/codeql-action from 3.28.19 to 3.29.0 (#13358)
    - chore(deps): bump github/codeql-action from 3.29.0 to 3.29.1 (#13489)
    - chore(deps): bump github/codeql-action from 3.29.1 to 3.29.2 (#13503)
    - chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#13469)
    - chore(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0 (#12659)
    - chore(deps): bump golang.org/x/crypto from 0.37.0 to 0.38.0 (#13024)
    - chore(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0 (#13331)
    - chore(deps): bump golang.org/x/net in /hack/api-group-resources (#12805)
    - chore(deps): bump golang.org/x/net in /hack/controller-gen (#12846)
    - chore(deps): bump golang.org/x/text from 0.23.0 to 0.24.0 (#12645)
    - chore(deps): bump google.golang.org/grpc from 1.71.0 to 1.72.0 (#12843)
    - chore(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.1 (#13146)
    - chore(deps): bump google.golang.org/grpc from 1.72.1 to 1.72.2 (#13242)
    - chore(deps): bump google.golang.org/grpc from 1.72.2 to 1.73.0 (#13330)
    - chore(deps): bump goreleaser/goreleaser-action from 6.2.1 to 6.3.0 (#12597)
    - chore(deps): bump jpmcb/prow-github-actions from 1.1.3 to 2.0.0 (#12674)
    - chore(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#13296)
    - chore(deps): bump sigs.k8s.io/controller-runtime from 0.20.3 to 0.20.4 (#12526)
    - chore(deps): bump sigs.k8s.io/controller-tools in /hack/controller-gen (#13092)
    - chore(deps): bump sigs.k8s.io/kustomize/api from 0.19.0 to 0.20.0 (#13493)
    - chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.19.0 to 0.20.0 (#13491)
    - chore(deps): bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0 (#13470)
    - chore(deps): bump sigstore/cosign-installer (#12860)
    - chore(deps): bump sigstore/cosign-installer (#13406)
    - chore(deps): bump sigstore/cosign-installer (#13445)
    - chore(deps): bump sigstore/cosign-installer from 3.8.1 to 3.8.2 (#12859)
    - chore(deps): bump sigstore/cosign-installer from 3.8.2 to 3.9.0 (#13405)
    - chore(deps): bump sigstore/scaffolding (#13404)
    - chore(deps): bump sigstore/scaffolding (#13437)
    - chore(deps): bump svenstaro/upload-release-action from 2.10.0 to 2.11.1 (#13501)
    - chore(deps): bump svenstaro/upload-release-action from 2.9.0 to 2.10.0 (#13436)
    - chore(deps): bump the kubernetes group across 3 directories with 7 updates (#13426)
    - chore(deps): bump the otel group across 1 directory with 10 updates (#13206)
    - chore(deps): bump the otel group across 1 directory with 9 updates (#13454)
    - chore(deps): bump the sigstore group across 1 directory with 4 updates (#13355)
    - chore(deps): bump ubuntu from `1e622c5` to `6015f66` in /.devcontainer (#13021)
    - chore(deps): bump ubuntu from `4524361` to `1e622c5` in /.devcontainer (#12694)
    - chore(deps): bump ubuntu from `6015f66` to `b59d215` in /.devcontainer (#13307)
    - chore(deps): bump ubuntu from `7229784` to `4524361` in /.devcontainer (#12673)
    - chore(deps): bump ubuntu from `b59d215` to `89ef6e4` in /.devcontainer (#13510)
    - chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#12598)
    - chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#13003)
    - chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#13172)
* Mon Jun 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.14.4: no CLI-related changes or dependency updates
* Thu Jun 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.14.3: no CLI-related changes or dependency updates
* Tue Jun 03 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.14.2: CLI-related changes and dependency updates
  * fix(cli): ensure JMESPath expressions handle number types correctly (#12037) (#13214)
  * fix: apply IVPs in cluster mode in the CLI (#13101) (#13116)
  * fix: apply VPs in cluster mode in the CLI (#13084) (#13098)
  * test: add cli test with namespaceObject (#13083) (#13096)
  * refactor: use resource fetcher in the CLI (#13080)
  * chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#12495) (#13071)
  * chore: remove unused function in CLI (cherry-pick #13053) (#13078)
  * chore: update CLI warning messages (#13060) (#13066)
  * fix: use the generic policy in the CLI (#13059)
* Wed Apr 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.14.1:
  * Added
    - Added a new adopter ONZACK AG (#12983)
    - Added support for auditAnnotations in ImageValidatingPolicy (#12946)
  * Fixed
    - Fixed object matching in cel/matching package (#12899, [#12920], #12929)
    - Fixed a panic issue for the reports controller to check if apiGroup and apiVersion are defined (#12924)
    - Fixed to avoid applying CEL PolicyException when the flag is disabled (#12931)
    - Fixed a panic issue when ValidatingPolicy does not have matchConstraints defined (#12957, #12968)
    - [CLI]Fixed the issue which maps gvk to gvr for custom resources (#12979)
    - [CLI]Fixed gvk/gvr conversion for ValidatingAdmissionPolicy (#12937)
  * Others
    - Tests enhancements (#12873, #12875, #12877, #12886, #12904, [#12942], #12964)
    - Code refactoring (#12950, #12951, #12952, #12955, #12975, [#12934], #12961, #12971)
* Fri Apr 25 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.14.0:
  * release-1.14.0 (#12867)
  * fix: compute vpols autogen in CLI provider (#12871) (#12874)
  * refactor: improve new policy types api and test coverage (#12864) (#12872)
  * fix: remove cached autogen pols (#12852) (#12865)
  * fix: regex to parse kinds correctly (#11763) (#12863)
  * refactor: ivpols engine (#12855) (#12862)
  * fix: missing docs for new policy types (#12856) (#12858)
  * refactor: cel policies autogen (#12832) (#12854)
  * feat: add cel expression support to attestors (#12835) (#12853)
  * chore(deps): bump golang.org/x/net in /hack/controller-gen (#12846) (#12851)
  * chore: rename cel helper payload() to extractPayload() (#12844) (#12848)
  * rename fields (#12817) (#12845)
  * refactor: converge vpol and ivpol status structs (#12823) (#12831)
  * chore: rename imagedata.Get to image.GetMetadata (#12826) (#12830)
  * feat: relax variable validation checks for generate clone type (#12792) (#12829)
  * rename globalcontext.Get to globalContext.Get (#12825) (#12828)
  * refactor: autogen cel package (#12811) (#12827)
  * Fix global context chainsaw test (#12801) (#12824)
  * add and use template for imageverification policies (#12803) (#12821)
  * chore: rename image verify to image validating (#12812) (#12822)
  * fix(cleanup): respect resourceFilters from kyverno config (#12808) (#12814)
  * fix: restrict validationActions in IVPOLs (#12810) (#12813)
  * use template instead of random sleep intervals (#12804) (#12809)
  * chore: add local CLI tests for the new policy types in the workflow (… (#12758) (#12807)
  * fix: skip VAP generation in case autogen is enabled (#12770) (#12802)
  * feat: Relax immutability requirements on match statements for generate rules (#12784) (#12800)
  * refactor: cel autogen package (#12789) (#12798)
  * fix: restrict failurePolicy to either Fail or Ignore (#12793) (#12796)
  * fix: add default value for actions in VPOLs (#12686) (#12794)
  * resource.Post API (#12732) (#12791)
  * version update kubectl (#12607) (#12790)
  * feat: improve ivpol autogen API (#12781) (#12783)
  * chore: add chainsaw tests for exceptions in the reports (#12751) (#12769)
  * fix: CanAutoGen logic (#12779) (#12780)
  * chore: add local CLI tests for the new policy types in the workflow (#12755) (#12773)
  * chore: bump controller gen (#12765) (#12778)
  * chore: fix ivpol chainsaw tests for reports (#12653) (#12777)
  * Apply PolicyException on Background Scanning for ivpol and vpol (#12750) (#12772)
  * fix: skip webhook registration if vap is generated from validate.cel subrule (#12767) (#12771)
  * refactor: cel libs names, return types and cleanup TODOs (#12757) (#12774)
  * Add HorizontalPodAutoscaler to admission-controller (#10586) (#12768)
  * feat(helm): Add `dnsconfig` value to deployments (#12608) (#12737)
  * fix: allow policy creation if GVK is not found (#12722) (#12763)
  * chore(deps): bump actions/setup-go in /.github/actions/setup-build-env (#12743) (#12760)
  * Fix Namespace Selector Error Propagation and Scope Policy for Accurate Rule Evaluation (#12744) (#12756)
  * feat: add --markdownLinks to cli docs command (#12734) (#12754)
  * [fix] The source property is populated for VP, VAP and ImageValidatingPolicy (#12727) (#12753)
  * fix: job returns success if configmap is not found (#12621) (#12736)
  * fix: evaluate celexceptions with ivpol in CLI (#12728) (#12735)
  * fix VPOL and IVPOL for Kyverno test command (#12730) (#12733)
  * chainsaw test for http (#12721) (#12731)
  * fix-fail-only-flag (#12600) (#12725)
  * chore: add --noDate to cli docs command (#12712) (#12724)
  * feat(cli): return an error if tests are required (#12395) (#12723)
  * fix: add result count for VPs in the CLI (#12711) (#12718)
  * fix: Update Go version to fix CVE-2025-22871 vulnerability (#12714) (#12719)
  * align naming of ImageValidatingPolicy related code (#12703) (#12716)
  * fix: forbid json and k8s resources at the same time in the CLI (#12699) (#12700)
  * chore: add chainsaw test for policies with the same name (#12652) (#12682)
  * feat: add cli test command support for ivpols (#12660) (#12679)
  * fix: add missing nil check in pss validation (#12636) (#12671)
  * chore: add policy-ready step template for validating-policies (#12546) (#12669)
  * chore: add ivpol report labels (#12650) (#12654)
  * chore: disable global context test (#12648) (#12649)
  * fix: enable imagedata for ivpol (#12568) (#12613)
  * fix: rename autogen configuration (#12605) (#12612)
  * release 1.14.0-rc.1 (#12610)
  * fix: pod controllers autogen api (#12603) (#12604)
  * Add Webhook validation for IVPOL (#12577) (#12588)
  * feat: improve vpol api for autogen (#12582) (#12585)
  * chore: add tests for background reporting (#12579) (#12581)
  * fix: use correct resource in cli processor (#12575) (#12578)
  * chore: add Chainsaw test for ivpol admission reporting (#12576) (#12580)
  * fix: CLI policies processing order (VPOL) (#12567) (#12571)
  * fix: enable k8s resource lookup for ivpol (#12569) (#12570)
  * fix: CLI policies processing order (#12561) (#12565)
  * Chainsaw tests: globalcontextentry (#12533) (#12564)
  * feat: bump kube libs to 1.32 (cherry-pick #12555) (#12559)
  * chore: chainsaw tests for ivpol autogen (#12548) (#12560)
  * chore: update tooling deps (#12553) (#12554)
  * chore: update supported k8s versions (#12310) (#12551)
  * chore: cherry-pick #12515 (#12550)
  * chore: remove unused field in vap processor (#12545) (#12547)
  * Minor fixes in feature flags reademe file (#12503) (#12541)
  * chore: use kube 1.32 by default in makefile (#12334) (#12540)
  * chore: vpol block ephemeral containers (#12536) (#12537)
  * chainsaw-test imagedata arch (#12500) (#12535)
  * feat: support json for ivpol via CLI apply (#12511) (#12534)
  * add chainsaw test for parse-sa (#12502) (#12532)
  * handle runtime error (#12487) (#12531)
  * refactor: vpol generation api (#12482) (#12519)
  * fix: image verify exception flake (#12516) (#12518)
  * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#12496) (#12509)
  * feat: release 1.14.0-alpha.1 (#12498)
  * feat: rename image verification policy to image validating policy (#12439)
  * feat: support ivpol via CLI apply (#12492)
  * feat: basic exception support in ivpols (#12478)
  * chore(deps): bump the otel group across 1 directory with 10 updates (#12490)
  * chore(deps): bump fossas/fossa-action from 1.5.0 to 1.6.0 (#12489)
  * chore(deps): bump actions/download-artifact (#12464)
  * fix: vpol validating webhook configuration (#12481)
  * chore(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 (#12460)
  * chore(deps): bump actions/download-artifact from 4.2.0 to 4.2.1 (#12459)
  * chore(deps): bump actions/cache in /.github/actions/setup-caches (#12470)
  * feat: support json in CLI test (#12454)
  * Add ValidatingPolicy Validation Webhook (#12479)
  * chore: skip webhook registration if vap is generated (#12474)
  * feat: adopt psa to v1.32.3 (#12457)
  * chore: add some cel lib unit tests (#12458)
  * chore(deps): bump actions/upload-artifact (#12463)
  * chore(deps): bump github/codeql-action from 3.28.11 to 3.28.12 (#12462)
  * chore: add api-group-resources to dependabot config (#12451)
  * chore: enable ivpol chainsaw tests in CI (#12452)
  * chore: add some cel unit tests (#12453)
  * chore: bump a couple of deps (#12450)
  * chore(deps): bump actions/setup-go in /.github/actions/setup-build-env (#12445)
  * feat: add imagedata cel lib (#12442)
  * chore: move imageverify cel lib (#12449)
  * chore(deps): bump actions/download-artifact (#12444)
  * chore(deps): bump actions/download-artifact from 4.1.9 to 4.2.0 (#12443)
  * chore: bump kube deps to 1.32.3 (#12437)
  * fix: engine response for ivpol background scanning (#12436)
  * chore(deps): bump golangci/golangci-lint-action from 6.5.1 to 6.5.2 (#12430)
  * fix: set correct policy for ivpols (#12434)
  * fix: check if response includes a policy for ivpol (#12433)
  * Implement Reporting and Background scan for ImageVerificationPolicy (#12432)
  * fix: autogen status for ivpol (#12431)
  * feat: simplify resource cel lib (#12427)
  * feat: simplify resource cel lib (#12426)
  * feat: add globalcontext CEL lib (#12425)
  * chainsaw test to check messageExpression interpolation (#12415)
  * feat: enable mutating webhook for ivpol (#12423)
  * chore: make function comment match function name (#12417)
  * chore(deps): bump docker/login-action from 3.3.0 to 3.4.0 (#12422)
  * feat: reconcile `ivpol.status` (#12392)
  * feat: add cel user lib (#12414)
  * Update ADOPTERS.md (#12411)
  * feat: add user info in cel engine (#12410)
  * feat: webhook integration image verification policies (#12403)
  * feat: support vps in cli test command (#12384)
  * chore(deps): bump aquasecurity/trivy-action from 0.29.0 to 0.30.0 (#12406)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#12401)
  * solves the cronjob autogen nested path issue (#12383)
  * chore(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 (#12402)
  * fix: image parse func and add chainsaw tests (#12396)
  * Fix: data access in audit annotations (#12394)
  * fix: add missing context type and http type in ivpols (#12393)
  * feat: register webhook for ivpol (#12391)
  * Fix: data access in message expressions (#12390)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#12388)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#12389)
  * feat: mock list resources in context (#12380)
  * Minor fixes in Contributing and Development docs (#12377)
  * fix: providing the http provider in the compiler (#12379)
  * feat: make image ref parsing a static function (#12374)
  * chore: improve error handling (#12376)
  * chore(deps): bump fluxcd/flux2 from 2.4.0 to 2.5.1 (#12359)
  * chore(deps): bump github.com/sigstore/sigstore from 1.9.0 to 1.9.1 (#12370)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12371)
  * feat: webhook handlers for image verification (#12318)
  * chore(deps): bump goreleaser/goreleaser-action from 6.1.0 to 6.2.1 (#12347)
  * chore(deps): bump actions/setup-python from 5.3.0 to 5.4.0 (#12362)
  * chore(deps): bump actions/cache in /.github/actions/setup-caches (#12364)
  * fix: use pointer in context config map getter (#12365)
  * chore(deps): bump actions/setup-go in /.github/actions/setup-build-env (#12363)
  * feat: support mock in CLI for VPs (#12344)
  * chore(deps): bump sonarsource/sonarcloud-github-action (#12358)
  * chore(deps): bump actions/download-artifact from 4.1.8 to 4.1.9 (#12360)
  * chore(deps): bump actions/download-artifact (#12361)
  * chore(deps): bump gomodules.xyz/jsonpatch/v2 from 2.4.0 to 2.5.0 (#12354)
  * fix: Update copyrights to 2025 (#12356)
  * chore(deps): bump slsa-framework/slsa-github-generator (#12349)
  * chore(deps): bump azure/setup-helm in /.github/actions/run-tests (#12351)
  * chore(deps): bump sigs.k8s.io/controller-runtime from 0.20.2 to 0.20.3 (#12355)
  * chore(deps): bump actions/upload-artifact from 4.5.0 to 4.6.1 (#12348)
  * chore(deps): bump actions/upload-artifact (#12350)
  * chore(deps): bump azure/setup-helm from 4.2.0 to 4.3.0 (#12346)
  * chore(deps): bump github.com/sigstore/sigstore from 1.8.15 to 1.9.0 (#12331)
  * fix: nits in cel context lib (#12333)
  * Add CEL context.Lib to the imageverification compiler (#12337)
  * chore(deps): bump sigstore/cosign-installer (#12343)
  * chore(deps): bump cbrgm/cleanup-stale-branches-action (#12342)
  * chore(deps): bump github/codeql-action from 3.27.9 to 3.28.11 (#12341)
  * chore(deps): bump sigstore/cosign-installer from 3.7.0 to 3.8.1 (#12340)
  * chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#12339)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#12332)
  * chore(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.5.0 (#12322)
  * chore: add dryrun as label (#11962)
  * Add CEL HTTP Lib to the imageverification compiler (#12335)
  * chore(deps): bump codecov/codecov-action from 5.1.1 to 5.4.0 (#12321)
  * chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#12327)
  * chore: remove unused code (#12325)
  * chore(deps): bump fossas/fossa-action from 1.4.0 to 1.5.0 (#12328)
  * chore(deps): bump golang.org/x/crypto from 0.35.0 to 0.36.0 (#12330)
  * feat: skip applying a VP which is converted to VAP (#12312)
  * feat: add parse image reference function (#12317)
  * feat: support rest mapper in cli with cluster enabled (#12319)
  * chore(deps): bump helm/kind-action in /.github/actions/run-tests (#12324)
  * chore(deps): bump helm/chart-testing-action from 2.6.1 to 2.7.0 (#12323)
  * chore(deps): bump helm/kind-action from 1.11.0 to 1.12.0 (#12320)
  * chore: ignore kyverno.tar file (#12314)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12307)
  * chore: add policy api unit tests (#12315)
  * Cel HTTP Lib (#12241)
  * Skip reporting for vpol when vap generation is enabled (#12311)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#12306)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#12305)
  * feat(vp): implement gctx in context library (#12055)
  * feat: support json payload via CLI apply command (#12296)
  * feat: support GVK to GVR mapping in the CLI (#12301)
  * feat: add api-group-resources codegen (#12303)
  * fix: use object key in json image verification (#12298)
  * docs: add popular use cases section to README (#12297)
  * chore: remove dead code (#12302)
  * feat: support CELPolicyException in the report-controller (#12287)
  * chore(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0 (#12295)
  * chore(deps): bump github.com/prometheus/client_golang (#12294)
  * feat: autogenerate image verification policies for pod controllers (#12290)
  * feat: add cel evaluator for json payload (#12288)
  * chore: add policy API unit tests (#12289)
  * chore(deps): bump github.com/opencontainers/image-spec (#12285)
  * fix: autogen refactor (#12286)
  * chore: add unit tests (#12281)
  * feat: image verify performance fix and tests (#12282)
  * feat: add evaluation config to image verification policies (#12279)
  * Update post-delete-configmap.yaml (#12240)
  * fix(gctx): add event handler before informer start (#12263)
  * chore: add VP/CEL unit tests (#12271)
  * Indicate in report result the origin, admission, or background (#12056)
  * chore: remove mutatingpolicies (#12261)
  * feat: add new field to control VAP generation per policy (#12242)
  * fix chainsaw test (#12272)
  * chore(deps): bump github.com/go-git/go-git/v5 from 5.13.2 to 5.14.0 (#12269)
  * feat(test): image verification on any payload (#12266)
  * changes if condition to check for RegExp field (#12237)
  * feat: context function to request resources from api server (#12181)
  * feat: generate VAPs given celexceptions (#12255)
  * chore: add VP/CEL unit tests (#12264)
  * feat: add evaluation mode to api (#12262)
  * chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 (#12257)
  * fix(gctx): remove unnecessary json Marshal/Unmarshal operations to reduce memory usage (#12201)
  * fix(gctx): fix gctx projection cache (#12226)
  * feat: add evaluator for image verification policies (#12251)
  * feat: improve validating policy api (#12243)
  * feat: create patchers and apply mutations (#12253)
  * chore: bump kube deps to 1.32.2 (#12252)
  * feat: add cel library for image verification (#12233)
  * chore: add VP api unit tests (#12248)
  * Add aggegration toggle for clusterRoles (#12234)
  * feat: introduce generic exception interface (#12244)
  * feat: stop reusing admissionregistrationv1.ValidatingAdmissionPolicySpec (#12246)
  * chore: add codecov config and exclude api generated files (#12245)
  * feat: generate VAPs from VPs (#12222)
  * chore(deps): bump golang.org/x/crypto from 0.34.0 to 0.35.0 (#12239)
  * Adds kyverno_info metric (#12128)
  * chore: add cel unit tests (#12232)
  * chore: add CEL unit tests (#12230)
  * chore(deps): bump golang.org/x/crypto from 0.33.0 to 0.34.0 (#12228)
  * chore(refactor): refactor image verification packages (#12220)
  * feat: add mpol.spec.admission and mpol.spec.background (#12218)
  * chore(deps): bump github.com/notaryproject/notation-go (#12214)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12210)
  * fix: add unit tests for cosign keyed image verification (#12217)
  * chore(deps): bump github.com/prometheus/client_golang (#12215)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#12216)
  * feat: cosign verifier for new image verifier crd (#12196)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#12209)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#12208)
  * chore(deps): bump github.com/sigstore/sigstore from 1.8.14 to 1.8.15 (#12211)
  * Update _pdb.tpl (#11970)
  * chore: add resource manifests in autogen tests (#12205)
  * Validating policy audit annotations (#12115)
  * fix: modify celexception flake test (#12192)
  * feat: support celexceptions in the CLI `apply` command (#12182)
  * chore: bump cobra dependency (#12199)
  * fix: add result count for VPs in the CLI (#12193)
  * chore: format conformance.yaml workflow file (#12194)
  * fix: publish codecov reports (#12197)
  * feat(gctx): add jmespath caching through projections (#11833)
  * fix: codegen (#12195)
  * feat: add notary verifier with tsa support (#12160)
  * chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login (#12178)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#12179)
  * use serviceAccountName instead of deprecated serviceAccount (#12158)
  * chore: cel policies nits (#12184)
  * chore(deps): bump sigs.k8s.io/controller-runtime from 0.20.1 to 0.20.2 (#12180)
  * README: fix markdown syntax (#12176)
  * feat: add MutatingPolicies CRD (#12150)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12170)
  * chore: remove applyconfiguration (#12174)
  * feat: add image data context (#12175)
  * feat: compile and evaluate autogen rules (#12163)
  * refactor: status manager (#12173)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#12167)
  * add get to rbac.authorization.k8s.io (#12043)
  * fix: modify the client URL for finegrained validatingpolicies (#12171)
  * fix CEL autogen (#12165)
  * chore(deps): bump github.com/sigstore/sigstore from 1.8.12 to 1.8.14 (#12168)
  * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#12169)
  * update the docs for logging (#12140)
  * feat: configure admission and background flag for ValidatingPolicies (#12153)
  * structuring log (#12111)
  * fix: Certificate Renewer Does Not Remove Old CA Certificate From Secret (#12073)
  * feat: add types for image verification attestors (#12080)
  * fix: sort autogen resources list (#12162)
  * chore: remove vp and celpolex from the kyverno group (#12156)
  * feat: aggregate vpol.status.conditions (#12133)
  * Add helm changelog for reports-server related fix (#12144)
  * fix: update match conditions for autogen rules (#12146)
  * chore: move celexceptions to the new group (#12143)
  * update issue templates (#12145)
  * Don't fail disabling reports CRDs when sanitychecks is disabled (for use with reports-server) (#12129)
  * feat: add cel-autogen chainsaw tests (#12135)
  * feat: add image data fetching support (#12134)
  * chore(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0 (#12131)
  * feat: add status.autogen (#12109)
  * feat: use dedicated group for new policies (#12123)
  * feat: compile and evaluate polex's match conditions (#12113)
  * log action and message when creating event (#12092)
  * feat: add autogen pod controllers to webhooks (#12112)
  * feat: implement background scan (#12101)
  * feat: use namespace in bg scan instead of just labels (#12102)
  * chore: remove polex match constraints (#12103)
  * feat: validate CELPolicyExceptions (#12083)
  * feat: add vpol status (#11956)
  * chore: make validating policies e2e tests required (#12100)
  * feat: add validating policies to reports aggregation (#12096)
  * chore(deps): bump golang.org/x/text from 0.21.0 to 0.22.0 (#12094)
  * feat: add reporting to validating admission handler (#12090)
  * chore: add celpolicyexceptions in helm chart (#12084)
  * feat: consider Warn validation action (#12081)
  * fix(flag): lookup kubeconfig only after parsing (#12082)
  * refactor: webhook server/handlers (#12079)
  * chore: remove polex compiler (#12078)
  * tests: add chainsaw test for image data loading (#12077)
  * chore(deps): bump ubuntu from `80dd3c3` to `7229784` in /.devcontainer (#12074)
  * chore(deps): bump sigs.k8s.io/release-utils from 0.10.0 to 0.11.0 (#12076)
  * chore(deps): bump github.com/fluxcd/pkg/oci from 0.43.1 to 0.45.0 (#12059)
  * feat: consider validation actions (#12072)
  * feat: implement match conditions failure policy (#12071)
  * chore(deps): bump sigs.k8s.io/release-utils from 0.9.0 to 0.10.0 (#12060)
  * feat: add context provider in admission handling (#12070)
  * feat: compile CEL exceptions (#12066)
  * feat: add message expression support to validating policies (#12063)
  * feat: create image data loader (#12036)
  * chore: add validating policies chainsaw tests (#12062)
  * feat: add admission request cel variable (#12054)
  * feat: add validation message in cel engine response (#12052)
  * fix: remove 1.27 and 1.28 from tests (#12061)
  * feat: use v1 of ValidatingAdmissionPolicies (#12050)
  * fix: match the old object against the object selector for VAPs in the CLI (#12051)
  * feat: add CEL PolicyException CRD (#12038)
  * feat: process cel engine response in webhook handler (#12047)
  * feat: support adminssion review in cel engine (#12046)
  * feat: use more admission attributes (#12044)
  * fix: cel lib get config map return type (#12042)
  * feat: use admission attributes (#12041)
  * fix: error handling and reduce log clutter (#11979)
  * replace ghcr.io to reg.kyverno.io (#12031)
  * feat(validating policies): add support for ns and object selectors (#12034)
  * chore(deps): bump github.com/cyphar/filepath-securejoin (#12027)
  * feat: execute handler (#12033)
  * fix: don't sort cel policies (#12028)
  * fix: bad usage of wait group (#12029)
  * chore(deps): bump github.com/evanphx/json-patch/v5 from 5.9.10 to 5.9.11 (#12025)
  * feat: watch validating policies (#12008)
  * feat: add rest config support in setup code (#12019)
  * feat: add validation action to VPs (#12017)
  * fix: test typo (#12016)
  * feat: add validating policy webhook handler (#12015)
  * chore(deps): bump github.com/evanphx/json-patch/v5 from 5.9.0 to 5.9.10 (#12014)
  * chore(deps): bump github.com/sigstore/rekor from 1.3.7 to 1.3.9 (#12013)
  * refactor: use k8s wait group (#12010)
  * fix: make flags compatible with controller-runtime (#12009)
  * chore(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 (#11991)
  * feat: register cel context lib (#12007)
  * feat: add autogen package for ValidatingPolicies (#11996)
  * test: add more cli vp tests (#12006)
  * feat: implement cel engine context provider (#11995)
  * chore(deps): bump sigs.k8s.io/controller-runtime from 0.20.0 to 0.20.1 (#11992)
  * chore: remove unused functions in autogen (#11993)
  * feat: add support for more context elements (#11986)
  * Fix default value for apiCall context (#11733)
  * fix: implement cel context lib correctly (#11983)
  * chore(deps): bump github.com/go-git/go-git/v5 from 5.13.1 to 5.13.2 (#11981)
  * refactor: reduce generic policy interface (#11977)
  * refactor: reduce generic policy interface (#11974)
  * feat: introduce evaluation results in cel engine (#11971)
  * Add OVHcloud in ADOPTERS.md (#11966)
  * feat: add validating policy engine api wrapper (#11963)
  * fix: cli schema generation (#11959)
  * feat: add namespace support in CLI values (#11958)
  * chore: bump k8s 0.32.1 (#11954)
  * feat: use policy provider (#11947)
  * feat: add generic policy interface (#11922)
  * chore(deps): bump the otel group across 1 directory with 10 updates (#11952)
  * log non fatal parsing errors (#11932)
  * feat: add MAP's mutation logic for the CLI (#11946)
  * chore(deps): bump sigs.k8s.io/controller-runtime from 0.19.4 to 0.20.0 (#11944)
  * chore(deps): bump
github.com/google/go-containerregistry (#11941) * chore(deps): bump github.com/notaryproject/notation-go (#11940) * feat(cli,apply): load validating policies (#11933) * feat: register webhook configurations for validatingpolicies (#11892) * fix the result column for Kyverno test (#11842) * fix:[Bug] [CLI] CEL scanning a namespace yaml object makes Kyverno crash (#11834) * Update ADOPTERS.md (#11936) * feat: update annotations of kyverno images (#11935) * chore(deps): bump github.com/notaryproject/notation-core-go from 1.1.0 to 1.2.0 (#11926) * chore: add 1.13.1 and 1.13.2 to issue templates (#11930) * chore: use v1 of VAPs in the tests (#11929) * chore: move CEL package to admissionpolicy package (#11931) * refactor: cleanup cli apply functions (#11928) * chore(deps): bump sigs.k8s.io/kustomize/api from 0.18.0 to 0.19.0 (#11925) * Implement Object type checking based on OpenAPI v3 schema (#11919) * feat: add CEL variables type checking (#11920) * feat: add auditAnnotation in CEL Compiler (#11918) * feat: add CEL variables support (#11913) * chore(deps): bump google.golang.org/grpc from 1.69.2 to 1.69.4 (#11911) * feat: add validating policy compiler (#11906) * chore(deps): bump github.com/fluxcd/pkg/oci from 0.43.0 to 0.43.1 (#11903) * chore(deps): bump github.com/cyphar/filepath-securejoin (#11901) * chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.1 to 5.6.2 (#11902) * feat: add context cel lib to get config map (#11898) * feat: setup validating policy cel environment (#11897) * feat: add support for loading validating policies in the cli (#11883) * chore: bump a couple of deps (#11890) * refactor: get policy helper (#11891) * chore: bump a couple of deps (#11879) * chore(deps): bump github.com/google/cel-go from 0.22.0 to 0.22.1 (#11880) * chore: bump a couple of deps (#11878) * feat: bump kube deps to 1.32 (#11877) * chore: bump a couple of deps (#11876) * chore: bump go-git to 5.13.0 (#11860) * fix(reports-controller): add a flag to disable reports 
sanity checks (#11867) * Add Tigera to Kyverno ADOPTERS.md (#11874) * chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.0 to 5.6.1 (#11837) * feat: add validating policy crd in helm chart (#11870) * feat: add kyverno vap API (#11790) * fix: sorting in fix test command (#11869) * Add flag for JSON output in policy reports (#11840) * remove policy exception dependancy from globalcontext and add some tests (#11788) * fix global context error message logic error (#11815) * Fix: Policy with failureActionOverrides not applying desired failure actions in desired namespaces (#11811) * fix panic when rules are empty (#11821) * Fix panic in background controller when updating Generate rule (#11835) * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#11791) * chore: bump x/net 0/33/0 (#11825) * chore: bump python to 3.13.1 (#11800) * fix: cleanup unwanted files (#11803) * chore(deps): bump helm/kind-action from 1.10.0 to 1.11.0 (#11774) * fix: update chainsaw test apply timeout to 30s (#11794) * chore(deps): bump helm/kind-action in /.github/actions/run-tests (#11775) * fix: copy all the fields of public keys when splitting (#11770) * fix: [Helm] mergeOverwrite overwrites nested objects #11536 (#11584) * Mutate existing CLI support (#11453) * fix: exemption error caused by convertChecks function (#11780) * chore(deps): bump actions/upload-artifact from 4.4.3 to 4.5.0 (#11783) * chore(deps): bump actions/upload-artifact (#11784) * fix: remove extra line in configmsp (#11762) * fix: pin ubuntu version to 22.04 in custom sigstore conformance tests (#11772) * distributed labels in group, version, and resource so it doesn't exceed (#11620) * chore(deps): bump github/codeql-action from 3.27.7 to 3.27.9 (#11757) * chore(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0 (#11761) * chore(deps): bump the otel group across 1 directory with 10 updates (#11759) * fix: revert default background scan interval to 1h (#11754) * chore(deps): bump 
github/codeql-action from 3.27.6 to 3.27.7 (#11741) * fix/duplicate-test-entries-deduplication (#11709) * chore(deps): bump sigs.k8s.io/structured-merge-diff/v4 (#11751) * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#11749) * chore(deps): bump the kubernetes group across 2 directories with 7 updates (#11743) * chore(deps): bump actions/setup-go in /.github/actions/setup-build-env (#11742) * chore(deps): bump github.com/aquilax/truncate from 1.0.0 to 1.0.1 (#11744) * chore(deps): bump sonarsource/sonarcloud-github-action (#11725) * chore(deps): bump github.com/cyphar/filepath-securejoin (#11731) * chore(deps): bump github.com/onsi/gomega from 1.36.0 to 1.36.1 (#11735) * chore(deps): bump github.com/fluxcd/pkg/oci from 0.41.1 to 0.42.0 (#11732) * chore(deps): bump golang.org/x/crypto from 0.29.0 to 0.30.0 (#11712) * chore(deps): bump actions/cache in /.github/actions/setup-caches (#11727) * chore(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1 (#11711) * chore(deps): bump codecov/codecov-action from 5.0.7 to 5.1.1 (#11726) * chore(deps): bump kyverno/action-install-chainsaw (#11716) * chore(deps): bump github/codeql-action from 3.27.5 to 3.27.6 (#11706) * chore(deps): bump kyverno/action-install-chainsaw from 0.2.11 to 0.2.12 (#11715) * fix(readme): add changelog for spec.validate[*].allowExistingViolations field in kyverno chart (#11714) * fix: add metrics-server Helm repo (#11717) * fix: properly verify precondition in old object validation (#11644) * feat: Show textual diff when generate test fails (#11674) * chore(deps): bump sigs.k8s.io/controller-runtime from 0.19.2 to 0.19.3 (#11698) * chore(deps): bump ubuntu from `278628f` to `80dd3c3` in /.devcontainer (#11697) * fix: api call chainsaw tests (#11682) * Fix(doc): correct invalid links in documentation (#11681) * fix: check the patchedResources in kyverno-test (#11686) * chore(deps): bump cbrgm/cleanup-stale-branches-action (#11691) * add allowExistingViolations option in policy 
chart (#11656) * Print generate output cli (#11634) * chore(deps): bump github.com/google/gnostic-models (#11676) * fix(chart): global image registry bug in 3.3.3 (#11604) * chore(deps): bump github.com/onsi/gomega from 1.35.1 to 1.36.0 (#11669) * fix: add conversion function in Helm template (#11651) * feat: add/improve error logs (#11657) * fix(policy chart): fix the merging of policyExclude customizations to avoid wrong overrides (#11653) * fix: use deleteOptions in cleanup controller (#11662) * chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#11660) * chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#11659) * chore(deps): bump the kubernetes group across 2 directories with 7 updates (#11640) * chore(deps): bump sigs.k8s.io/controller-runtime from 0.19.1 to 0.19.2 (#11647) * chore(deps): bump codecov/codecov-action from 5.0.4 to 5.0.7 (#11650) * chore(deps): bump sigstore/scaffolding from 0.7.16 to 0.7.17 (#11641) * chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5 (#11642) * chore(deps): bump codecov/codecov-action from 5.0.2 to 5.0.4 (#11625) * fix: Open the mutated resources file in append mode to allow additions to it (#11619) * Context vars with labelselector (#11608) * fix: kubernetes and kyverno version annotations in kyverno-policies helm chart to match installed kyverno release and supported versions from Chart.yaml with override option (kyverno#1165) (#11258) * chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 (#11624) * fix: return nil error when trigger resource not found for a subresouces (#11594) * Passed the deleteOptions to the DeleteResource client (#11484) * chore(deps): bump actions/checkout in /.github/actions/run-tests (#11612) * chore(deps): bump ubuntu from `99c3519` to `278628f` in /.devcontainer (#11610) * chore(deps): bump codecov/codecov-action from 5.0.0 to 5.0.2 (#11611) * fix(background-controller): reduce logging for URs (#11616) * fix(ci): run conformance upgrade 
on schedule (#11602) * fix: use ephemeralreportsfor reports controller in helm (#11600) * feat(ci): test upgrade conformance (#11498) * chore(deps): bump github/codeql-action from 3.27.3 to 3.27.4 (#11598) * fix: use generate name for background scan reports (#11586) * chore(deps): bump sigs.k8s.io/structured-merge-diff/v4 (#11596) * chore(deps): bump codecov/codecov-action from 4.6.0 to 5.0.0 (#11597) * fix: add a check for nil rule response (#11591) * Add missing error check (#11587) * feat: Add Manifest Index to ImageRegistry context (#9883) * fix: update explicit webhook based on the policy type (#11580) * chore(deps): bump github/codeql-action from 3.27.1 to 3.27.3 (#11575) * chore(deps): bump the otel group across 1 directory with 10 updates (#11566) * chore(deps): bump github/codeql-action from 3.27.0 to 3.27.1 (#11568) * Set the UserAgent in client-go based calls to kube-apiserver (#11569) * Add SHA1 and MD5 hash functions to JMESPath (#11564) * chore(deps): bump rajatjindal/krew-release-bot from 0.0.46 to 0.0.47 (#11567) * toggle for autogen version (#11535) * chore(deps): bump goreleaser/goreleaser-action from 6.0.0 to 6.1.0 (#11556) * chore(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#11557) * chore(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#11559) * fix: panic for nil rule response when processing old object (#11550) * fix: add 'immutable fields in the policy validation msg for FluxCD' (#11549) * chore(deps): bump sigstore/scaffolding from 0.7.15 to 0.7.16 (#11548) * fix: match failure action case insensitively for validating old object (#11486) * fix: remove logic that uses annotation to skip image verification (#11529) * fix(validate): custom match conditions errors (#11461) * set the defautl namespace for policy (#11505) * Autogenv2 rule evaluation logic (#11434) * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#11526) * chore: change controller rated limiting queue (#11509) * fix: use webhook object 
instead of a list (#11516) * chore(deps): bump cbrgm/cleanup-stale-branches-action (#11521) * chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#11520) * fix(chart): correct behavior for global image registry (#11482) * chore(deps): bump github.com/onsi/gomega from 1.35.0 to 1.35.1 (#11510) * fix: switch configmap removal to use post-delete helm hook (#11504) * fix: add celPreconditions in autogen rules (#11503) * fix: support VAP stable version v1 in the CLI (#11501) * chore(deps): bump github.com/onsi/gomega from 1.34.2 to 1.35.0 (#11487) * chore(deps): bump sigstore/scaffolding from 0.7.13 to 0.7.15 (#11499) * fix: add emitWarning field in v2beta1 (#11489) * fix: use digest instead of tag for custom-sigstore-tuf conformance test (#11492) * feat: skip azure keychain based login for mcr registry (#11480) * chore(deps): bump sigs.k8s.io/controller-tools in /hack/controller-gen (#11478) * chore(deps): bump github.com/dgraph-io/ristretto from 0.1.1 to 0.2.0 (#11456) * chore(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#11455) * chore(deps): bump the kubernetes group across 2 directories with 7 updates (#11465) * chore(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.1 (#11471) * chore(deps): bump actions/setup-go in /.github/actions/setup-build-env (#11473) * chore(deps): bump actions/setup-python from 5.2.0 to 5.3.0 (#11472) * chore(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#11464) * chore(deps): bump github.com/fatih/color from 1.17.0 to 1.18.0 (#11457) * chore(deps): bump github/codeql-action from 3.26.13 to 3.27.0 (#11458) * chore(deps): bump actions/cache in /.github/actions/setup-caches (#11459) * Introduced the DeletionPropagationPolicy field in CleanupPolicy and C… (#11368) * chore: bump sigstore/sigstore to 1.8.10 (#11448) * fix[breaking]: disable exceptions by default (#11426) * fix: update match logic for old object validation (#11427) * chore(deps): bump actions/checkout from 4.2.0 to 4.2.1 
(#11437) * chore(deps): bump ubuntu from `d4f6f70` to `99c3519` in /.devcontainer (#11440) * feat: improve webhooks rules generation (#11419) * chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#11439) * chore(deps): bump actions/upload-artifact from 4.4.0 to 4.4.3 (#11438) * feat(ci): enhance load testing (#11429) * chore(deps): bump github.com/prometheus/client_golang (#11413) * chore(deps): bump sigstore/scaffolding from 0.7.12 to 0.7.13 (#11423) * feat: add options to configure resync period for informers in helm chart (#11420) * refactor: introduce autogen interface (#11418) * Selector with mutate target (#11208) * chore(deps): bump ubuntu from `ab64a83` to `d4f6f70` in /.devcontainer (#11415) * refactor: move autogen v1 and v2 packages (#11416) * fix: use autogen v2 in exceptions controller (#11397) * chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#11402) * chore(deps): bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 (#11410) * chore: Bump python installation in helm test to 3.8.13 as the installation action doesnt support ubuntu 24 (#11409) * chore(deps): bump github/codeql-action from 3.26.12 to 3.26.13 (#11403) * feat: update engine response.generatedResources to support multiple resource (#11398) * Added GetNames and GetKinds function (#11327) * chore: add delay after policy gets ready (#11344) * chore(deps): bump ubuntu from `b359f10` to `ab64a83` in /.devcontainer (#11393) * chore(deps): bump the otel group across 1 directory with 9 updates (#11392) * chore(deps): bump sigstore/scaffolding from 0.7.11 to 0.7.12 (#11391) * chore(deps): bump sigs.k8s.io/controller-tools in /hack/controller-gen (#11385) * feat: add helm configuration for reporting in different rules (#11376) * chore(deps): bump aquasecurity/trivy-action from 0.26.0 to 0.27.0 (#11383) * Reports controller circuit breaker (#11329) * Add permission command to generate ClusterRole and ClusterRoleBinding (#11211) * feat(cache): use 
shallow copy instead of deep copy (#11378) * chore(deps): bump actions/upload-artifact (#11375) * chore(deps): bump actions/upload-artifact from 4.4.2 to 4.4.3 (#11374) * chore(deps): bump sigs.k8s.io/kustomize/api from 0.17.3 to 0.18.0 (#11373) * chore(deps): bump aquasecurity/trivy-action from 0.25.0 to 0.26.0 (#11363) * chore(deps): bump github.com/cyphar/filepath-securejoin (#11366) * feat: add --backgroundReports flag to disable mutateexisting and generate reporting (#11361) * chore(deps): bump actions/upload-artifact (#11364) * chore(deps): bump actions/cache in /.github/actions/setup-caches (#11365) * chore(deps): bump actions/upload-artifact from 4.4.1 to 4.4.2 (#11362) * add support for shallow substitution (#11058) * chore: Add a new field in the test results CRD to specify patched resources (#11297) * chore(deps): bump aquasecurity/trivy-action from 0.24.0 to 0.25.0 (#11352) * chore(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#11351) * chore(deps): bump github/codeql-action from 3.26.11 to 3.26.12 (#11350) * chore(deps): bump actions/upload-artifact from 4.4.0 to 4.4.1 (#11353) * chore(deps): bump actions/upload-artifact (#11354) * Added chainsaw test for the ttl based cleanup poliy (#11328) * fix: transfer image verify iamges to kyverno (#11340) * fix: Allow images to be pulled from insecure registry when allowInsecureRegistry flag is set to true (#10934) (#11243) * chore: use ptr package (#11346) * Test/ttl cleanup deletion policy (#11277) * fix: isolate report creation context for mutate in admission (#11304) * fix: use aws mirror of trivy db to fix rate limiter issue (#11342) * chore: use more chainsaw step templates (#11324) * fix: add permission for mutate existing report test (#11339) * chore(deps): bump sonarsource/sonarcloud-github-action (#11332) * chore(deps): bump sigstore/cosign-installer (#11335) * chore(deps): bump sigstore/cosign-installer from 3.6.0 to 3.7.0 (#11334) * chore(deps): bump golang.org/x/crypto from 0.27.0 to 0.28.0 
(#11337) * chore(deps): bump actions/cache in /.github/actions/setup-caches (#11336) * chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#11333) * chore: use more chainsaw step templates (#11317) * Updated autogenv2 package (#11212) * chore(deps): bump github.com/sigstore/cosign/v2 from 2.4.0 to 2.4.1 (#11321) * chore(deps): bump github/codeql-action from 3.26.10 to 3.26.11 (#11320) * chore: use more chainsaw step templates (#11313) * chore: bump chainsaw (#11280) * chore: use more chainsaw step templates (#11311) * chore: use more chainsaw step templates (#11308) * chore: use more chainsaw step templates (#11303) * chore: use more chainsaw step templates (#11300) * chore(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 (#11298) * chore: use more chainsaw step templates (#11296) * chore: use more chainsaw step templates (#11293) * feat: use more chainsaw test templates (#11285) * feat: add reporting to mutate and generate rules (#11265) * chore(deps): bump kyverno/action-install-chainsaw (#11290) * chore(deps): bump kyverno/action-install-chainsaw from 0.2.10 to 0.2.11 (#11289) * chore(deps): bump cbrgm/cleanup-stale-branches-action (#11288) * chore(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0 (#11287) * chore(deps): bump ubuntu from `dfc1087` to `b359f10` in /.devcontainer (#11286) * chore(deps): bump github.com/cyphar/filepath-securejoin (#11275) * chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#11282) * feat: use more chainsaw test templates (#11281) * chore(deps): bump fluxcd/flux2 from 2.3.0 to 2.4.0 (#11274) * chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1 (#11276) * chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10 (#11273) * fix(refactor): move breaker resource counter to pkg (#11271) * Minor changes in dev docs (#11266) * fix: overwrite the managed-by label for target resources (#11267) * update PR templates for supported versions (#11262) * chore(deps): bump 
zgosalvez/github-actions-ensure-sha-pinned-actions (#11264) * add Corestream as an adopter (#11263) * Added propagationPolicy to TTL controller for resource deletion (#11207) * chore: pin go.opentelemetry.io/otel/semconv/v1.24.0 (#11256) * fix: foreach list validation (#11222) * chore: remove uneeded cleanupJobs keys from values.yaml and README (#11242) * chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#11244) * chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9 (#11221) * fix: policy status updates not stabilising (#11236) * feat: add dumpPatch flag (#11237) * fix: webhooks reconciliation with policies (#11233) * fix: webhooks reconciliation when no policies (#11230) * fix(webhook): error variable (#11225) * chore(deps): bump sigstore/scaffolding from 0.7.9 to 0.7.11 (#11220) * fix: print out errors (#11218) * fix(status): status comparison is wrong (#11203) * feat: allow generate pattern changes (#11202) * chore(deps): bump go.uber.org/automaxprocs from 1.5.3 to 1.6.0 (#11213) * chore(deps): bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#11201) * fix: skip processing the oldObject for audit policies (#10233) * chore(deps): bump github/codeql-action from 3.26.7 to 3.26.8 (#11200) * chore(deps): bump github.com/open-policy-agent/opa from 0.67.1 to 0.68.0 (#11199) * feature: Added test.imagePullSecrets config in values.yaml (#11180) (#11195) * chore: add more chainsaw tests for `generate.foreach` (#11140) * fix: remove unused functions (#11190) * chore(deps): bump sigs.k8s.io/controller-tools in /hack/controller-gen (#11187) * chore(deps): bump github.com/prometheus/client_golang (#11186) * fix(chart,kyverno): update dashboard to support Grafana 11 (#11070) * chore(deps): bump the kubernetes group across 2 directories with 1 update (#11179) * chore(deps): bump ubuntu from `8a37d68` to `dfc1087` in /.devcontainer (#11166) * chore: bump chainsaw (#11161) * feat: add helm upgrade tests (#11163) * chore(deps): bump the otel group across 1 
directory with 7 updates (#11170) * chore: update dependabot gomod config (#11164) * fix: Added missing label info in the cleanup metrics (#10321) (#11147) * chore(deps): bump github.com/fluxcd/pkg/oci from 0.41.0 to 0.41.1 (#11153) * chore(deps): bump github.com/cyphar/filepath-securejoin (#11152) * chore(deps): bump github/codeql-action from 3.26.6 to 3.26.7 (#11150) * fix: Updated Go version to v1.23.1 to address CVE-2024-34156 (#11112) * move governance (#11138) * fix: go releaser config (#11135) * chore(deps): bump k8s.io/apiextensions-apiserver in the kubernetes group (#11130) * chore: add dependabot groups for k8s and otel (#11116) * fix: expect base64 string in raw tuf root (#11117) * chore(deps): bump k8s.io/kube-aggregator from 0.31.0 to 0.31.1 (#11111) * chore(deps): bump k8s.io/cli-runtime from 0.31.0 to 0.31.1 (#11107) * chore(deps): bump google.golang.org/grpc from 1.66.1 to 1.66.2 (#11109) * chore: fix sonar exclusions (#11119) * chore(deps): bump k8s.io/api from 0.31.0 to 0.31.1 (#11108) * chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#11110) * feat: add flag to pass tuf root directly (#11103) * fix broken oss-fuzz build (#11101) * feat: use pointer in rule (validate field) (#11095) * chore: bump otel libs (#11096) * chore(deps): bump github.com/sigstore/sigstore-go from 0.6.1 to 0.6.2 (#11093) * fix: make webhook cleanup setup optional and add cleanup ci test (#11077) * feat: use pointer in rule (mutation field) (#11078) * chore: fix sonar exclusions (take 2) (#11074) * chore: reduce jobs run on push (#11080) * feat: use pointer in rule (generate field) (#11076) * fix: policy report generation for namespaced policies in CLI (#10923) * chore: fix sonar exclusions (#11072) * feat: use pointer in rule (exclude field) (#11050) * chore: remove MarcelMue (#11066) * fix: avoid generating empty urs (#11065) * chore(deps): bump google.golang.org/grpc from 1.66.0 to 1.66.1 (#11062) * chore(deps): bump sigstore/scaffolding 
from 0.7.8 to 0.7.9 (#11061) * support HTTP headers in service API calls (#11041) * Generate Policy Exceptions (#9987) * Update CONTRIBUTORS.md (#11053) * added Anudeep to CONTRIBUTORS.md (#11054) * fix: make match field required in rule API (#11048) * bug: print failure message when rule fails in kyverno apply (#9166) * feat: use pointer in rule (#11037) * Sat Feb 08 2025 opensuse_buildservice@ojkastl.de - Update to version 1.13.4: * release v1.13.4 (#12126) * Revert "replace ghcr.io to reg.kyverno.io (#12031) (#12106)" (#12125) * chore(deps): bump go dependencies to fix CVEs (#12119) * Fri Feb 07 2025 opensuse_buildservice@ojkastl.de - Update to version 1.13.3: * feat: release v1.13.3 (#12105) * replace ghcr.io to reg.kyverno.io (#12031) (#12106) * chore: bump golang.org/x/net to 0.33.0 for release-1.13 (#12040) * Fix default value for apiCall context (#11733) (#11988) * log non fatal parsing errors (#11932) (#11949) * feat: update annotations of kyverno images (#11935) (#11938) * chore: bump opa 0.68.0 (#11786) * fix(reports-controller): add a flag to disable reports sanity checks (#11867) (#11875) * remove policy exception dependancy from globalcontext and add some tests (#11788) (#11854) * fix global context error message logic error (#11815) (#11853) * Fix: Policy with failureActionOverrides not applying desired failure actions in desired namespaces (#11811) (#11850) * fix panic when rules are empty (#11821) (#11848) * Fix panic in background controller when updating Generate rule (#11835) (#11846) * fix: [Helm] mergeOverwrite overwrites nested objects #11536 (#11584) (#11797) * fix: remove extra line in configmsp (#11762) (#11776) * chore: bump python to 3.13.1 (#11801) * fix: update chainsaw test apply timeout to 30s (cherry-pick [#11794]) (#11802) * fix: copy all the fields of public keys when splitting (#11770) (#11798) * fix: exemption error caused by convertChecks function (#11780) (#11787) * fix: pin sigstore (#11777) * fix: revert default background 
scan interval to 1h (#11754) (#11756) * chore: bump golang.org/x/crypto 0.31.0 (#11753) * Tue Dec 10 2024 opensuse_buildservice@ojkastl.de - Update to version 1.13.2: * release 1.13.2 (#11736) * release 1.13.2-rc.1 (#11713) * fix: properly verify precondition in old object validation (#11644) (#11705) * fix: add metrics-server Helm repo (#11717) (#11718) * add allowExistingViolations option in policy chart (#11656) (#11720) * fix(readme): add changelog for spec.validate[*].allowExistingViolations field in kyverno chart (#11714) (#11719) * feat: Show textual diff when generate test fails (#11674) (#11704) * fix: api call chainsaw tests (#11682) (#11696) * fix: check the patchedResources in kyverno-test (#11686) (#11695) * Print generate output cli (#11634) (#11678) * fix(chart): global image registry bug in 3.3.3 (#11604) (#11672) * chore: Add a new field in the test results CRD to specify patched resources (#11297) (#11673) * fix: add conversion function in Helm template (#11651) (#11666) * fix(policy chart): fix the merging of policyExclude customizations to avoid wrong overrides (#11653) (#11663) * fix: Open the mutated resources file in append mode to allow additions to it (#11619) (#11633) * Context vars with labelselector (#11608) (#11631) * fix: return nil error when trigger resource not found for a subresouces (#11594) (#11627) * fix(background-controller): reduce logging for URs (#11616) (#11617) * fix: use ephemeralreportsfor reports controller in helm (#11600) (#11614) * fix: use generate name for background scan reports (#11586) (#11599) * Add missing error check (#11587) (#11590) * fix: update explicit webhook based on the policy type (#11580) (#11581) * fix: add a check for nil rule response (cherry-pick #11591) (#11593) * feat: Add Manifest Index to ImageRegistry context (#9883) (#11585) * Set the UserAgent in client-go based calls to kube-apiserver (#11569) (#11571) * Tue Nov 12 2024 opensuse_buildservice@ojkastl.de - Update to version 1.13.1: * 
  * release 1.13.1 (#11570)
  * release 1.13.1-rc.1 (#11554)
  * fix: panic for nil rule response when processing old object (#11550) (#11553)
  * fix: add 'immutable fields in the policy validation msg for FluxCD' (#11549) (#11552)
  * fix: match failure action case insensitively for validating old object (#11486) (#11546)
  * fix: add celPreconditions in autogen rules (#11542)
  * fix: remove logic that uses annotation to skip image verification (#11529) (#11537)
  * fix(validate): custom match conditions errors (#11461) (#11543)
  * set the default namespace for policy (#11505) (#11532)
  * fix(chart): correct behavior for global image registry (#11482) (#11517)
  * fix: use webhook object instead of a list (#11516) (#11522)
  * release chart 3.3.2 (#11512)
  * feat: skip azure keychain based login for mcr registry (#11480) (#11481)
  * fix: switch configmap removal to use post-delete helm hook (#11504) (#11508)
  * fix: support VAP stable version v1 in the CLI (#11501) (#11502)
  * release chart 3.3.1 (#11500)
  * fix: use digest instead of tag for custom-sigstore-tuf conformance test (#11492) (#11493)
  * fix: add emitWarning field in v2beta1 (#11489) (#11494)
* Tue Oct 29 2024 opensuse_buildservice@ojkastl.de - Update to version 1.13.0 (boo#1232559):
  Large update, please see the changelog and the release blog post for new features:
  https://github.com/kyverno/kyverno/releases/tag/v1.13.0
  https://nirmata.com/2024/10/30/announcing-kyverno-release-1-13/
  Please check the upgrade documentation here:
  https://main.kyverno.io/docs/installation/upgrading/#upgrading-to-kyverno-v113
* Fri Sep 27 2024 opensuse_buildservice@ojkastl.de - Update to version 1.12.6:
  * release 1.12.6 (#11255)
  * release-1.12.6-rc.3 (#11246)
  * fix: webhooks reconciliation with policies (#11233) (#11235)
  * fix: webhooks reconciliation when no policies (#11230) (#11232)
  * fix(webhook): error variable (#11225) (#11228)
  * fix(status): status comparison is wrong (cherry-pick #11203) (#11217)
  * fix(helm): remove namespace from RoleBinding/roleRef field (cherry-pick #10685) (#11194)
  * release v1.12.6-rc.2 (#11165)
  * fix: get ns labels before creating a policy context (#11176)
  * fix: range through all resources to build webhook (#11162)
  * Release v1.12.6-rc.1 (#11151)
  * fix: Updated Go version to v1.23.1 to address CVE-2024-34156 (#11112) (#11142)
  * fix: bump docker in release 1.12 (#11088)
  * fix: Check for the client being nil before applying a mutation (#10726) (#10737)
  * Evaluate one version of each pod security standard (#10924) (#10996)
  * fix: properly use useCache field in image verification policies (#10709) (#10889)
  * fix: check the resource namespace (#10738) (#10740)
  * chore(deps): bump github.com/docker/docker (#10750) (#10764)
  * chore: bump chainsaw (cherry-pick #10687) (#10765)
  * chore: retryablehttp version bump (#10719)
  * cherry-pick #10678 (#10681)
* Fri Jul 12 2024 opensuse_buildservice@ojkastl.de - Update to version 1.12.5:
  * release v1.12.5 (#10653)
  * release v1.12.5-rc.2 (#10651)
  * fix: truncate event messages to 1024 chars (#10636) (#10643)
  * fix: rename level 1 logs to INFO from DEBUG (#10617) (#10642)
  * fix: compute operations for mutatingwebhookconf (#10639) (#10641)
  * fix: CEL policies aren't applied to deleted resources (#10624)
  * release v1.12.5-rc.1 (#10632)
  * refactor: add a function to check if VAPs are registered in the API server (#10625)
  * fix: remove unused parameters (#10626)
  * feat: add reports circuit breaker (cherry-pick #10499 #10596 #10610 #10613) (#10628)
  * fix(json-ctx): overwrite element each iteration (#10615) (#10616)
  * cherry-pick #10382 (#10593)
  * feat(events): normalize gctx events reason to be inline with other po… (#10395) (#10612)
  * fix: get ns labels in the cluster mode when using the CLI (cherry-pick #10348) (#10549)
  * fix: cleanup policy name is appended to logs (#10583) (#10599)
  * fix: failed to delete resource (#10582) (#10598)
  * feat: fix notary tests (#10579) (#10584)
  * fix: correctly validate patterns for old and new objects (#10310) (#10537)
  * fix: use generate name for admission reports (#10491) (#10522)
* Mon Jun 17 2024 opensuse_buildservice@ojkastl.de - Update to version 1.12.4:
  * release v1.12.4 (#10479)
  * feat: fix custom sigstore conformance tests (#10473) (#10480)
  * release v1.12.4-rc.2 (#10466)
  * fix: avoid creating duplicate urs for background policies (#10431) (#10444)
  * fix: remove dropped flag (#10433)
  * Release v1.12.4-rc.1 (#10429)
  * chore: add chainsaw test for controllers leader election (#10416) (#10427)
  * fix: cancel context for proper shutdown in reports-controller (#10415) (#10426)
  * fix: add verbosity to background scanner log (#10404) (#10405)
  * fix(gctx): returning old error (#10398) (#10400)
  * chore: add condition checking to notary attestation verify chainsaw tests (#10288) (#10349)
* Fri May 31 2024 opensuse_buildservice@ojkastl.de - Update to version 1.12.3:
  * feat: add aggregation workers flag (#10331) (#10343)
  * fix: remove unused parameters (#10327) (#10329)
  * feat: add cleanup cronjobs for (cluster)ephemeralreports (#10325) (#10334)
  * feat: add a cleanup cronjob to delete urs (#10249) (#10326)
  * feat: add support for background scanning of existing resource in image verification (#10287) (#10311)
* Thu May 23 2024 opensuse_buildservice@ojkastl.de - Update to version 1.12.2:
  * Release v1.12.2 (#10298)
  * chore: make continue-on-fail flag available outside package (#10293) (#10297)
  * release v1.12.2-rc.3 (#10294)
  * release v1.12.2-rc.2 (#10286)
  * fix(anchor): skip anchors don't have priority (#10206) (#10284)
  * release v1.12.2-rc.1 (#10282)
  * fix: add a copy method to the policy context (#10236) (#10280)
  * fix: sort webhookconfig.operations (#10274) (#10275)
  * fix: webhook config set (#10262) (#10273)
  * chore: cherry-pick #10270 (#10272)
  * fix: generate VAPs that match all resources when kinds is set to * (#10266)
  * fix flake test in VAPs (#10269)
  * fix: process the matched resources only for mutate existing policies (#10164) (#10267)
  * fix: add resourceNames field in the generated VAPs (#10187) (#10265)
  * chore: cherry-pick #10250 (#10264)
  * truncate event messages to 1024 chars (#10255) (#10261)
  * fix: deepcopy patched resource in foreach mutate (#10252) (#10258)
  * fix: isolate reports creation context (#10245) (#10246)
  * [Bug] [CLI] Level parameter of the apply and test commands does not work (#10216) (#10240)
  * kyverno-1.12 CVE fix (#10225)
  * allow kyverno apply command to continue on failure (#10036) (#10178)
  * feat: make cli results count public (#10177) (#10194)
  * feat: release chart 3.2.2 (#10193)
  * [kyverno helm chart] make webhook pod annotations configurable (#9875) (#10185)
  * fix(polex): multiple polexes with conditions (#9994) (#10183)
  * fix: skip generating VAPs for policies that match multiple resources with a namespace/object selector (#10181) (#10184)
  * fix: add CONNECT operation in the webhook config for pod/exec subresource (#9855) (#10179)
  * fix: add pods/ephemeralcontainers to the generated VAPs (#10162) (#10176)
* Fri May 03 2024 opensuse_buildservice@ojkastl.de - Update to version 1.12.1:
  * feat: release-1.12.1 (#10166)
  * Ensure CA certificate ConfigMaps get defined (#10156) (#10161)
  * Release v1.12.1-rc.1 (#10154)
  * fix: add error check in jmespath type conversion in context variables (#10152) (#10153)
  * fix: skip rules without operation in resource webhook creation (#10146) (#10151)
  * fix: shared policy context needs to be copied (#10139) (#10147)
  * fix: fetch only adopted ephemeral report (#10148) (#10150)
  * fix: sort pod controllers for autogen rule (#10140) (#10142)
  * chore: remove a package that is imported twice (#10101) (#10130)
  * chore: update perf docs for 1.12 (#10116) (#10129)
  * fix: evaluate namespaceObject for Kyverno policies in the CLI (#9977) (#10077)
  * fix: evaluate namespaceObject for VAPs in the CLI (#9978) (#10076)
  * fix: remove unused parameters (#10007) (#10069)
  * fix: return skip when celPreconditions/matchConditions aren't met (#9940) (#10085)
* Sat Apr 27 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de> - fix missing version output
* Fri Apr 26 2024 opensuse_buildservice@ojkastl.de - Update to version 1.12.0:
  Large update, please see the full changelog at https://github.com/kyverno/kyverno/releases/tag/v1.12.0
  * Breaking (Potentially)
    - Policies using long-deprecated or invalid operators in conditions (e.g., In and NotIn) will be blocked. Please see the current list of available operators at https://kyverno.io/docs/writing-policies/preconditions/#operators
* Thu Apr 18 2024 opensuse_buildservice@ojkastl.de - do not strip the binary (i.e. remove the -s -w ldflags)
* Sat Jan 20 2024 opensuse_buildservice@ojkastl.de - Update to version 1.11.4:
  * release 1.11.4 (#9453)
  * update bitnami/kubectl (#9408) (#9452)
  * bump libs (#9411)
* Fri Jan 05 2024 opensuse_buildservice@ojkastl.de - Update to version 1.11.3:
  * release 1.11.3 (#9346)
  * fix: update CLI to use store for fetching regclient (#9345)
  * fix: non-trigger resources should be skipped for background policies regardless of `skipBackgroundRequests` settings (#9333) (#9337)
* Thu Jan 04 2024 opensuse_buildservice@ojkastl.de - Update to version 1.11.2:
  * Add Chainsaw Test for Conditional Anchor (#9295) (#9304)
  * release 1.11.2 (#9302)
  * fix(cli): handle excluded resources as pass (cherry-pick #9274) (#9300)
  * feat: add deprecation warnings in the CLI (#9222) (#9294)
  * fix: updaterequests stuck in pending/fail infinite loop (cherry-pick #9119) (#9293)
  * chore: update chart.yaml with the changes (#9292)
  * cherry-pick #9151 (#9291)
  * Support more signature algorithms (#9102) (#9289)
  * fix: large table row ID number format in CLI (#9281) (#9287)
  * fix: remove skip increment when resource not found in cli apply (#9282) (#9284)
  * chore: disable policy library kuttl tests in 1.11 (#9259)
  * fix: use http.MaxBytesReader instead of content length for API Calls (#9265) (#9268)
  * Add imagePullSecrets to post-upgrade job (#9264) (#9273)
  * release v1.11.2-rc.1 (#9252)
  * chore: bump k8s to 1.29 stable (release 1.11) (#9257)
  * fix: convert chainsaw tests to kuttl (#9242)
  * fix: bump k8s to 0.29-alpha.3 and add support for fips endpoints in AWS authentication (cherry-pick: #9233) (#9244)
  * fix launch.json (#9239) (#9245)
  * cherry-pick #9230 (#9234)
  * fix: add chainsaw test for mutate existing (#9210) (#9221)
  * fix: add `skipBackgroundRequests` to configure loop protection option (#9157) (#9207)
  * fix: limit the trigger name to a maximum of 63 characters for mutate existing rules (#9162) (#9195)
  * fix: enable additional report printers by default (#9194) (#9196)
  * improve messages (#9168) (#9169)
  * fix: add tolerations and affinity to the post-upgrade hook (#9156) (#9164)
  * fix: allow changes to preexisting resource in violation of a policy in Enforce (#9027) (#9139)
  * (cherry-pick) Fix Helm chart to not error when replicas defined (#9066) (#9073)
  * fix: add nodeSelector to the reports cleanup helm hook (#9065) (#9069)
  * fix: ttl cleanup not working with cluster wide resources (#9060) (#9063)
* Wed Nov 29 2023 kastl@b1-systems.de - Update to version 1.11.1:
  * release 1.11.1 (#9039)
  * fix: cleanup older policy reports (#9026) (#9035)
  * fix: use validate.message in case there is no message associated with the CEL expression (#9025)
  * Remove var check (#8990) (#9024)
  * fix: use the default namespace in case --namespace isn't set in kyverno create exception (#9022)
  * fix: remove the additional dash in kyverno create exception (#9021)
  * fix: use v2beta1 version of exceptions in kyverno create CLI (#9020)
  * fix: delete VAPs in case Kyverno policies can't be translated (#8887) (#9019)
  * fix: block mutation only when failurePolicy is set to fail (#8952) (#8986)
  * fix: update KeysAreMissing() to ignore negations in resource (#8953) (#8982)
  * feat: add checks for max response size in API Call (#8957) (#8971)
  * Revert "fix(chart): only create ServiceMonitor if cluster supports it (#7926)" (#8913) (#8931)
  * correct typo in README for Kyverno 1.10+ (#8911) (#8927)
  * Add policyKind option to kyverno-policies chart (#8827) (#8923)
  * chore(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.45.0 to 0.46.0 (#8893) (#8897)
  * Close response right after successful request (#8894) (#8896)
  * Reduced verbosity of admission request filter INFO log message (#8712) (#8882)
* Thu Nov 16 2023 kastl@b1-systems.de - Update to version 1.11.0:
  * Breaking (Potentially) ❗
    - Policy Reports are now created on a per-resource basis and use a UID as the name, rather than the previous per-policy behavior. This may be a breaking change if you relied upon either of these attributes in previous versions. This change has the benefit of putting less pressure on the Kubernetes API server and less storage cost on etcd.
    - In accordance with Cosign 2.0 updates, the Rekor URL is now required in a policy. The url field may be empty ("") but must be specified even if you've opted not to store signatures in a Rekor instance. Users upgrading from Kyverno v1.10 to v1.11 who have image verification policies using cosign will have to explicitly disable Tlogs and SCT verification in their policy using the rekor.ignoreTlogs and ctlog.ignoreSCT fields if they did not use Rekor while signing the image.
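As an added worked example for the Rekor point above (not part of the upstream release notes or of this package; the policy and rule names, the registry path and the PEM key are placeholders), this is what a key-based verifyImages rule looks like on Kyverno 1.11 when the images were signed with a static key and no Rekor upload. The empty `rekor.url` satisfies the newly required field, `rekor.ignoreTlogs` skips the transparency-log lookup that would otherwise fail for such images, and `ctlog.ignoreSCT` skips the SCT check, for which a static key has nothing to verify. A 1.10-style `keys:` block carrying only `publicKeys` is what the note says is no longer accepted.

```yaml
# Added example, not taken from the upstream release notes or this package.
# Placeholders (assumptions): the policy/rule names, the registry path under
# imageReferences and the PEM key, which must be replaced with the real
# cosign public key that signed the images.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-app-images
spec:
  validationFailureAction: Enforce
  background: false          # admission-time verification only
  failurePolicy: Fail        # a webhook error blocks the Pod instead of letting it through
  webhookTimeoutSeconds: 30
  rules:
    - name: require-signed-app-image
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/app/*"   # placeholder registry path
          mutateDigest: true                 # pin the verified image by digest
          verifyDigest: true
          required: true
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder; paste the real cosign public key here.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE_WITH_COSIGN_PUBLIC_KEY
                      -----END PUBLIC KEY-----
                    # Required from 1.11 onward even when Rekor is not used.
                    # An empty URL is accepted; ignoreTlogs skips the
                    # transparency-log lookup that would fail for images
                    # signed without a Rekor upload.
                    rekor:
                      url: ""
                      ignoreTlogs: true
                    # With a static key there is no Fulcio certificate and
                    # therefore no SCT to verify; skip that check as well.
                    ctlog:
                      ignoreSCT: true
```

Before rolling this out, dry-run the policy against a Pod manifest with the packaged CLI's apply command so that the upgrade does not turn a previously passing verification into a blocked deployment; with Enforce and failurePolicy Fail, a missing or mismatched signature rejects the Pod outright.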
  * Added
    - Context variables are now supported in cleanup policies (#6084)
    - Introduced ability to cleanup resources based upon assignment of a new reserved label cleanup.kyverno.io/ttl (#7821, #8096, #8128, #8660)
    - ValidatingAdmissionPolicies (VAP) can now be tested in the Kyverno CLI in both test and apply commands (#6656)
    - ValidatingAdmissionPolicies can be generated/managed by Kyverno when a compatible validate.cel rule is created (#7840, #8219)
    - Generate Policy Reports for VAPs (#8135)
    - Kyverno validate rules can now be written using CEL expressions, including auto-gen support (#7859, #8024, #8071, #8084, #8098, #8099, #8196)
    - Added a new field in a policy at spec.admission which, when set to false, allows policies to work in background-only mode (#6666)
    - Added a new field under verifyImages rules called imageRegistryCredentials which allows flexible, easier configuration of credentials for image registries including defining the required credential helpers (#7114)
    - Added new caching of image signature verifications (#7890, #7969)
    - New lookup() JMESPath filter (#7136)
    - New round() JMESPath filter (#7489)
    - Support for Cosign 2.0 (#7248, #8521)
    - Added an auth checker interface from Kyverno Playground (#7323)
    - Added a check for digest mismatch in verifyImages rules (#8443)
    - Added new ability to more finely control configuration of metrics (#8569)
    - Added an --aggregateReports flag to the reports controller to enable/disable aggregated reports (#7475)
    - Events are now created in the events.k8s.io/v1 API group and version (#7673)
    - Generate rules now support using server-side apply via the field spec.useServerSideApply (#7705)
    - Added CLI API schema for test command (#8422, #8438, #8439, see also Changed below)
    - Added new create commands to the Kyverno CLI used to easily create the various resources needed for testing (#7778, #7779, #7780, #7781, #7782, #8160)
    - Added new Kyverno CLI docs command to generate CLI documentation (#8179, #8180, #8181, #8191, #8193, #8200, #8259)
    - Added Kyverno CLI experimental fix command (#8213, #8404)
    - Added support for wildcards in CLI test command (#8216)
    - Kyverno CLI now has experimental validation of policies being tested (#8384, #8406, #8410)
    - Added ability to test supported ValidatingAdmissionPolicies (VAP) variables in both Kyverno CLI test and apply commands (#8182)
    - Kyverno is now tested against and uses libraries from Kubernetes version 1.28 (#8036, #8037)
    - Kyverno now supports configuring matchConditions in webhooks (Kubernetes 1.27+) (#8042)
    - Wildcards now work in subject statements in match/exclude (#8068)
    - Added variables support for Kyverno validate.cel policies (#8103, #8113)
    - Added CTLogs verification to Cosign (#8130, #8166)
    - New metric of type Meter is added for the TTL cleanup manager with attributes resource_group, resource_version, and resource_resource (#8134)
    - Added ability to configure TUF when using a custom Sigstore implementation (#8385)
    - Added ability to disable TUF when used in air-gapped environments (#8509)
    - Helm
      - Added API priority and fairness resources to the Kyverno chart (FlowSchema and PriorityLevelConfiguration) (#7468)
      - Added ability to set security contexts for the webhook cleanup Pod (#7970)
      - Added Helm secret size check to CI to detect if the current chart size exceeds the Helm secret size limit (#8195)
      - Allow resourceNames on extraResources for the cleanup controller (#8307)
      - Added a global image registry value (#8625)
  * Changed
    - Policy Exceptions and Cleanup Policies graduated from alpha API to beta (#8594, #8609, #8621, #8378, #8587)
    - Policy Exceptions are now enabled by default (#8545)
    - Policy Reports are changed to be generated per-resource rather than per-policy, and intermediary aggregated reports are expunged immediately (#8426)
    - Schema validation will no longer be done on patterns (including internal validation for mutate rules), obviating the need for spec.schemaValidation. We will deprecate and remove this field in a future version (#8538)
    - Cleanup policies no longer use CronJobs to invoke the cleanup action. This is all handled internally now (#8526, #8529, #8531)
    - Kyverno CLI test command has been refactored and includes a formal test manifest schema (#8422, #6871, #6942, #7995, #8145, #8163, #8168, #8177, #8189, #8212, #8387, and more)
    - Kyverno CLI apply command now has a nice tabular output format (#7757)
    - Kyverno CLI apply now shows failure messages when a result fails (#7758)
    - Kyverno CLI --compact flag has been renamed to --detailed-results (#7937)
    - Kyverno CLI: the --set flag can be used to set a variable for multiple input resources rather than just one (#7984)
    - Kyverno CLI: certain more "internal" flags will no longer be hidden (#8077)
    - Refactored JSON patches to use structure instead of byte arrays (#7186)
    - Deprecated the --imageSignatureRepository container flag. Use verifyImages.Repository in a policy definition instead (#7391)
    - Replaced the internal package used to apply JSON patches. This resulted in some fixes and slight behavioral changes (#7401, #7452)
    - The policies.kyverno.io/last-applied-patches annotation upon successful mutation has been removed (#7438)
    - RBAC has been hardened for a couple controllers to better follow least privilege (#7626, #7634, #7638, #8083)
    - The images variable ({{ images }}) can be used correctly in a policy (#7787)
    - Use new custom keychains from the Flux package, preventing some timeouts (#7908)
    - Allow overriding CA and TLS secret names which store the Kyverno certificates (#8137)
    - Replaced CLI manifest commands by create command (#8165)
    - Kyverno CLI test command has been extended to support multiple paths (#8247)
    - The remainder of match/exclude will be skipped if the `operations[]` do not match (#8324)
    - Helm
      - The Grafana dashboard has been moved to its own subchart in an effort to reduce the size of the main Kyverno chart (#8619)
      - Kyverno CRDs have been moved to a subchart for the same reason (#8623)
      - Updated the Chart metadata so the minimum version is correctly aligned with that of Kyverno itself (#8708)
  * Fixed
    - Abort pattern validation earlier when processing can occur (#7307)
    - Fixed an issue when testing for mutations using foreach (#7396)
    - Fixed not validating that subject kinds were on the allowed list (#7582)
    - Fixed a panic when certain environment variables weren't passed to the controllers (#7613)
    - Fixed the missing severity type when generating a policy report (#7974)
    - Fixed adding server name into TLS certs when running Kyverno with --serverIP flag (#8053)
    - Fixed an issue which prevented mutation of policy report resources (#8080)
    - Fixed a crash when using an unquoted null (#8081)
    - Fixed indefinite retry for the mutateExisting rule by applying the retry limit (#8100)
    - Fixed nil-dereferences by adding mocks to unit tests (#8102)
    - Fixed TLS cert renewal when the CA cert is deleted (#8114)
    - Fixed a nil dereference in validate.podSecurity subrules (#8271)
    - Fixed an issue where generating an empty kind would be allowed (#8332)
    - Fixed/improved some logs (#8442, #8673)
    - Fixed a couple issues impacting generate rules when a trigger or clone source resource name exceeded 63 characters (#8466)
    - Fixed an issue where Kyverno would modify reports it didn't own (#8502)
    - Fixed an image cache panic issue (#8512)
    - Fixed an issue preventing creation of ClusterAdmissionReports if the resource had a colon in the name (#8530)
    - Kyverno CLI: fixed the --fail-only flag so that the test command now exits properly upon failed tests (#7717)
    - Kyverno CLI: fixed logging failure (#8110)
* Mon Nov 13 2023 kastl@b1-systems.de - Update to version 1.10.5:
  * Release 1.10.5 (#8881)
  * feat: add GHSA-vfp6-jrw2-99g9 fixes in cosign v1.13.1 (#8870)
  * fix: upgrade cosign installer version in release 1.10 and use cosign 1.13.1 (#8813)
  * chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.0 (#8809) (#8811)
* Wed Nov 01 2023 kastl@b1-systems.de - Update to version 1.10.4:
  * release-1.10.4 (#8799)
  * fix: backport CVE fixes (#8798)
* Tue Sep 05 2023 kastl@b1-systems.de - Update to version 1.10.3:
  * release 1.10.3 (#8006)
  * fix: return err in load data (#7982) (#7983)
  * release: bump chart versions (#7933)
  * fix(chart): only create ServiceMonitor if cluster supports it (#7926) (#7931)
* Tue Aug 01 2023 kastl@b1-systems.de - Update to version 1.10.2:
  * release 1.10.2 (#7928)
  * bug: add severity and category in cluster policy report (#7828) (#7922)
  * refactor: remove obsolete structs from CLI (#6802) (cherry-pick) (#7921)
  * feat: add events for successful generation (#7550) (#7804)
  * cherry-pick #7888 (#7920)
  * Feat: cloneList rule validation (#7823) (#7914)
  * refactor: remove manual keychain refresh from client (#7806) (#7917)
  * cherry-pick #7774 (#7915)
  * fix(policy chart): Skip DELETE requests on policies using deny statements (#7883) (#7900)
  * Modified annotation matching during rollback (#7752) (#7894)
  * fix log level (#7877) (#7881)
  * Added log message for API call failures (#7834), cherry picked (#7880)
  * feat(chart) Add configurations for cleanup jobs and webhooks (#7871) (#7875)
  * policy validation: fix assignment to entry in nil map (#7874) (#7876)
  * feat: skip schema validation for CRD (#7869) (#7873)
  * fix: namespace label matching for Namespace (#7837) (#7870)
  * fix: ignore tekton/pipeline (#7858) (#7863)
  * fix type confusion in policy validation (#7857) (#7862)
  * feat: enable operator boolean comparison (#7847) (#7860)
  * Add nodeSelector for cleanupJob CronJob resources (#7851) (#7855)
  * cherry-pick kyverno#7810 (#7822)
  * cherry-pick #7800 (#7819)
  * feat: allow pod labels for cleanup jobs (#7808) (#7809)
  * fix: aggregated admission report not updated correctly (#7798) (#7799)
  * Update Chart README migration guide with 1.10.1 updates (#7770)
* Thu Jul 06 2023 kastl@b1-systems.de - Update to version 1.10.1:
  * release 1.10.1 (#7762)
  * feat: Add option to add imagePullSecrets to cleanup CronJobs (#7730) (#7732)
  * fix: remove show goreleaser version step (#7712)
  * fix: release signing (#7711)
  * fix goreleaser version (#7707)
  * fix: lock schema manager when updating it (#7704) (#7706)
  * release v1.10.1-rc.1 (#7701)
  * fix: customizable tracer configuration (#7644) (#7700)
  * fix: Swap any/all in the error message. (#7688) (#7696)
  * Fix deferred loading (#7597) (#7694)
  * fix: image verification (#7652) (#7692)
  * feat: add lazy loading feature flag (#7680) (#7691)
  * refactor: migrate context loaders (part 2) from #7597 (#7677) (#7690)
  * fix: cleanup controller rbac (#7669) (#7679)
  * refactor: migrate context loaders (part 1) from #7597 (#7676) (#7678)
  * refactor: add specific loaders from #7597 (#7671) (#7675)
  * feat: add cluster select and relabeling config for ServiceMonitors (#7659) (#7674)
  * chore bump (#7666)
  * fix: auth checks with the APIVersion and the subresource (#7628) (#7641)
  * enable webhook clean up (#7633) (#7637)
  * fix: update the flag descriptions of the reports-controller (#7617) (#7621)
  * Add nancy-ignore to make it pass with current dependencies (#7590) (#7602)
  * fix: make configuring max procs not exit in case of error (#7588) (#7591)
  * fix: deletion mismatch for the generate policy (#7579) (#7606)
  * fix: autogen not working correctly with cronjob conditions (#7571) (#7604)
  * reduce sleep duration for generate kuttl tests (#7589) (#7603)
  * fix: CLI tests (#7596) (#7601)
  * fix: background image verification not working (#7564) (#7570)
  * feat: sign released artifacts (#7478) (#7560)
  * feat: cleanup jobs resources (#7337) (#7559)
  * Fix: Error cause is missing (#7563) (#7565)
  * fix: recursive lazy loading (#7552) (#7562)
  * fix: autogen not generating the correct kind (#7455) (#7561)
  * feat: obey the order field in patchStrategicMerge method (#7336) (#7558)
  * fix: Delete downstream objects on precondition fail (#7496) (#7549)
  * fix: update kyverno admission-controller role to have delete verb for… (#7527) (#7544)
  * fix: add type conversion error judgment to avoid program panic (#6526) (#7534)
  * refactor: generate reconciliation on policy updates (#7531) (#7533)
  * fix: Remove ownerReferences when cloning across Namespaces (#7517) (#7523)
  * fix: misleading error message in deny conditions (#7503) (#7520)
  * fix: log level initialisation (#7515) (#7522)
  * add debug env BACKGROUND_SCAN_INTERVAL (#7504) (#7519)
  * fix: target scope validation for the generate rule (#7479) (#7518)
  * fix: cloneList sync behavior (#7466) (#7514)
  * fix: log kind/namespace/name in scan errors (#7498) (#7500)
  * fix (#7473) (#7477)
  * fix: image pull secrets in admission controller (#7474) (#7476)
  * fix: rule name not required in the crd schema (#7464) (#7465)
  * fix: add missing webhook timeouts (#7435) (#7467)
  * fix: the same source cannot be used for multiple targets with a generate clone rule (#7436) (#7454)
  * fix flaky tests (#7460) (#7461)
  * fixed typo in admission controller chart template (#7440) (#7442)
  * fix: error reported when sanity check fails (#7439) (#7441)
  * fix: exceptions not considered on delete (#7433) (#7437)
  * fix: helm template for cleanup jobs image (#7430) (#7434)
  * fix: array element removal should be synced to the downstream resource with a generate data sync rule (#7417) (#7432)
  * fix: reports discovery error (#7428) (#7431)
  * feat: hold custom labels (#7416) (#7419)
  * update migration guide with generate guidance (#7409) (#7410)
  * fix: missing extraEnvVars in helm chart (#7403) (#7407)
  * Fix: [Bug] The default field in a context variable does not replace nil results (#7251) (#7400)
  * fix mutate targets validation (#7387) (#7399)
  * Remove policy validation prevent loop for generate (#7388) (#7398)
  * Allow setting verbs for clusterrole extraresources on backgroundController (#7380) (#7392)
  * fix: missing/incorrect env variables (#7383) (#7389)
  * Add missing delete verb to admission cleanup clusterrole (#7375) (#7384)
  * fix: permission validation message (#7362) (#7371)
  * feat(cronjobs): Enable podAnnotations on CronJobs (#7366) (#7370)
  * fix: protect managed resource not considering other components (#7363) (#7367)
  * fix: helm migration guide (#7360) (#7364)
  * feat: cleanup job tolerations (#7331) (#7351)
  * fix: flaky kuttl test add-external-secret-prefix (#7338) (#7343)
  * Add scaling testing instructions (#7295) (#7348)
  * chore: new helm chart version (#7349)
  * fix: config map name in helm chart (#7341) (#7342)
  * fix: panic in background reports (#7332) (#7334)
* Tue May 30 2023 Johannes Kastl <kastl@b1-systems.de> - BuildRequire go1.20
  - add completion subpackages for bash, zsh and fish shells
* Tue May 30 2023 kastl@b1-systems.de - Update to version 1.10.0:
  Kyverno 1.10 is a huge release which brings breaking changes in both the application and Helm chart. Please read these release notes carefully!
  * Major features:
    - Split the main Kyverno Deployment into 3 separate controllers/Deployments
    - Intra-cluster Service calls
    - Notary v2 support
    - Major reworking of generate and "mutate existing" policies
  * Breaking changes
    - This release separates Kyverno into its 3 main components: admission controller, reporting controller, and background controller. As a result, there is no direct upgrade path from previous versions. When deploying with Helm, we recommend either backing up and restoring Kyverno policies (kubectl get pol,cpol,cleanpol,ccleanpol,polex -A > backup.yaml) or scaling the Kyverno deployment(s) to zero first. Policy reports will be regenerated from existing resources when policies are reinstalled. Regardless of the option, this upgrade should be performed in a maintenance window as there will be downtime involved.
    - As a result of this decomposition, aggregated ClusterRoles may need to be updated to use the new label values depending on the controller which requires those permissions.
    - Policies which matched on some types of subresources (such as PodExecOptions) will need to be updated to use the standardized form of <parent>/<subresource> (Pod/exec).
    - The following fields in a generate rule are now immutable once created: spec.rules.name, spec.rules.match, spec.rules.exclude, spec.rules.preconditions, spec.generate.apiVersion, spec.generate.kind, spec.generate.namespace, spec.generate.name, spec.generate.clone, and spec.generate.cloneList (#6328, #6451)
    - Variables in these portions of a generate rule will now be disallowed: clone, cloneList, generate.kind, and generate.apiVersion (#6438)
    - Generate and "mutate existing" policies, once installed, will check to see if Kyverno has the necessary permissions to successfully execute them. If not, Kyverno will block their creation until the permissions are available. This is added to bring behavior in alignment with how cleanup policies work and provide a better UX (#6610)
    - Properly enforcing that "mutate existing" rules, when mutateExistingOnPolicyUpdate is set to true, also have mutate.targets[] defined, or else the policy creation will be blocked (#6693)
    - When a verifyImages policy is created in Audit mode, its creation will be rejected unless mutateDigest is set to false (#6757)
    - Mutation rules which change the image field in a Pod spec and which relied on docker.io being silently added by Kyverno (when it was not explicitly defined in the image) will need to be adjusted to either use the images.*.registry predefined variable or the new normalize_image() JMESPath filter. To address other discovered issues with mutation, Kyverno can no longer add the default registry to the context. It will only be accessible to internal variables and JMESPath.
    - The generate.apiVersion field is now required in a generate rule. Policies/rules without this defined will need to set it. (#7080)
* Mon May 29 2023 kastl@b1-systems.de - Update to version 1.9.5:
  * release 1.9.5 (#7314)
  * fix: tls cipher suites (#7308) (#7310)
* Thu May 25 2023 kastl@b1-systems.de - Update to version 1.9.4:
  * release 1.9.4 (#7284)
  * fix latest version check (#7263) (#7266)
* Wed May 10 2023 kastl@b1-systems.de - Update to version 1.9.3:
  * feat: release 1.9.3 (#7137)
  * fix conflicts (#7109)
  * fix: do not pass dynamicConfig to matchesResourceDescriptionMatchHelper (#6231) (#6242) (#6331)
  * cherry-pick #6787 (#7108)
  * chore: update argocd lab (#6698) (#6702)
* Wed Mar 22 2023 kastl@b1-systems.de - Update to version 1.9.2:
  * fix: skip duplicate PSa checks for the latest version (#6634) (#6636)
  * tag v1.9.2 (#6637)
  * fix: add message to bypass schema validation when it fails (#6604) (#6606)
  * fix: controller duration computation (#6569) (#6574)
  * release v1.9.2-rc.1 (#6536)
  * fix: process audit policies when admission reports are disabled (#6531) (#6545)
  * More kuttl standard generate tests (#6332) (#6533)
  * fix: increase burst (#6540)
  * fix: improve reports controller default values and workers (cherry-pick #6522) (#6532)
* Thu Mar 09 2023 kastl@b1-systems.de - Update to version 1.9.1:
  * release v1.9.1 (#6520)
  * fix: missing metrics for policies in audit mode (#6509)
  * fix: release (#6502)
  * fix: release (#6498)
  * release v1.9.1-rc.1 (#6485)
  * cherry-pick #6459 (#6468)
  * fix: error log (#6429) (#6437)
  * check errors (#6424) (#6426)
  * fix: autoUpdateWebhooks=false causes ClusterPolicy to never be ready (#6374) (#6382)
  * fix: delete certificate secret if type is not TLS (#6368) (#6373)
  * oldObject translation solved in autogen (#6305) (#6372)
  * chore(deps): bump github.com/sigstore/k8s-manifest-sigstore (cherry-pick #6320) (#6359)
  * fix: dump admission response (#6349) (#6352)
  * chore(deps): bump golang.org/x/net (#6344)
  * fix: add roles and clusterroles when dumping admission requests (#6319) (#6323)
  * fix: use client instead of discovery for sanity checks (cherry-pick #6296) (#6299)
  * cherry-pick #6237 (#6273)
  * chore: add error logs in wait for cache sync helper (#6275)
  * fix: jp divide quantities (#6229) (#6232)
  * Cherry-pick #6126 (#6228)
  * fix: admission review variables for DELETE operations (#6197) (#6214)
  * cherry-pick #6188 (#6209)
  * fix: image tagging strategy (#6200)
* Thu Feb 02 2023 kastl@b1-systems.de - Update to version 1.9.0:
  * tag v1.9.0 (#6186)
  * fix: policy exception event source (#6122)
  * Release v1.9.0-rc.4 (#6108)
  * fix: tracing attributes length and tracer name (#6112)
  * fix: cleanup-controller version (#6100) (#6105)
  * fix: flag added to init container mistake (#6103)
  * fix: allow deletion of namespace containing managed resources (#6098) (#6102)
  * fix: flag added to init container mistake (#6103)
  * Release v1.9.0-rc.3 (#6095)
  * validate polex activation and namespace (#6046) (#6080)
  * fix: pin busybox image tag in helm tests (#6051) (#6063)
  * fix: replace + with _ in Chart.Version label field (#6047) (#6056)
  * cherry-pick #6030 (#6034)
  * tag v1.9.0-rc.2 (#6023)
  * fix ns labels matching (#6022)
  * tag v1.9.0-rc.1 (#6012)
  * fix: policy match Kind case-sensitive (#6010)
  * fix: policy exceptions not working in background mode (#5980) (#6003)
  * chore: log out cleanup policy events (#5998) (#6000)
  * create failure events on errors (#5988) (#5997)
  * fix: generate policy exception events (#5987) (#5996)
  * cherry-pick #5920 (#5990)
  * Fixes time_now failing (cherry-pick 5928) (#5991)
  * create events for cleanup policies (#5982) (#5983)
  * fix: invoke cleanup process during shutdown (#5974) (#5981)
  * cherry-pick #5967 (#5970)
  * log out deleted resources at default level (#5977) (#5978)
  * fix: helm selector (#5965) (#5969)
  * feat: add cluster role aggregation to cleanup controller (#5966) (#5968)
  * fix chart invalid annotations (#5960) (#5963)
  * tag v1.9.0-beta.2 (#5959)
  * fix imageRef matching (#5956) (#5957)
  * cherry-pick #5950 (#5955)
  * Cherry-pick #5941 (#5952)
  * fix: update policy exception CRD description (#5948) (#5951)
  * chore: fix releaser badge (#5910) (#5947)
  * Added a time_add() filter to add duration and absolute time (#5817) (#5946)
  * fix: cleanup policies with user infos in match/exclude should be rejected (#5943) (#5944)
  * test: add kuttl test for policy exception (#5935) (#5936)
  * fix: missing user info matching (#5931) (#5934)
  * chore: add missing gh workflow concurrency statements (#5914) (#5924)
  * restrict cjs by PSS restricted checks (#5904) (#5922)
  * fix: Configure webhook to add ephemeralcontainers for policies matching on Pod (#5886) (#5919)
  * fix: golangci-lint workflow (#5913) (#5917)
  * set resourceVersion before update (#5906) (#5916)
  * fix: configure gh workflow permission (#5909) (#5915)
  * chore: make check actions pinned by hash a standalone ci job (#5907) (#5911)
  * feat: add violation details to report.results.properties for PSa policies (#5908) (#5912)
  * Adds JMESPath filter for returning cron expression for absolute time (#5814) (#5905)
  * chore: add setup test env gh action (#5897) (#5899)
  * chore: add setup-build-env gh action (#5892) (#5896)
  * fix cleanup var 'target.*' (#5888) (#5895)
  * add kuttl assert file (#5870) (#5894)
  * chore: small gh workflows improvements (#5883) (#5887)
  * chore: use gh composite actions (#5885) (#5893)
  * fix: Add group to subresources declaration in value.yaml file for CLI (#5881) (#5884)
  * refactor: improve background scan reconciliation (#5871) (#5882)
  * fix: Add subresources support to policy exceptions (#5839) (#5880)
  * fix validation checks for foreach and nested foreach (#5875) (#5877)
  * fix: force background scan recomputation (#5865) (#5868)
  * fix: background scan events (#5807) (#5874)
  * feat: cleanup enhancements-1 (cherry-pick #5796) (#5867)
  * fix mutate targets variable (#5862) (#5866)
  * chore: move ConvertToUnstructured from engine utils to kube utils (#5847) (#5863)
  * cleanup new validate webhooks (#5851) (#5857)
  * Walk back change in PSS policy to send to to_upper (#5823) (#5856)
  * cherry-pick #5846 (#5855)
  * feat: improve background scan reports enqueue logic (#5810) (#5853)
  * chore: cleanup a couple workflows (#5844) (#5854)
  * fix: improve cli help message (#5843) (#5849)
  * chore: bump a couple of deps (#5840) (#5850)
  * refactor: move utils into sub packages (#5828) (#5845)
  * chore: add a couple unit tests (#5834) (#5842)
  * chore: cleanup codecov workflow (#5829) (#5838)
  * fix: enum values for ValidationFailureActionOverride (#5835) (#5836)
  * fix: default value for validationFailureAction (#5832) (#5833)
  * Adds JMESPath filter for returning current time (#5813) (#5831)
  * add source archive checksum into the checksums.txt (#5819) (#5827)
  * Adds notes to functions (#5824) (#5826)
  * fix: error handling in last scan time parsing (#5808) (#5809)
  * fix arguments passed to DeepEqual (#5801) (#5806)
  * refactor: policy controller package (#5747) (#5803)
  * enhance logging, fix pull flag description (#5797) (#5798)
  * chore: switch to kyverno/kuttl (#5504) (#5794)
  * fix cli output adjustments (#5787) (#5793)
  * redirect stderr to get digest successfully (#5782) (#5791)
  * chore: update publicKey description (#5789) (#5792)
  * fix delete policy (#5776) (#5790)
  * fix helm chart version (#5775)
  * bump dep (#5765)
  * fix image digest (#5762)
  * tag v1.9.0-beta.1 (#5761)
  * chore(deps): bump JasonEtco/create-an-issue from 2.8.2 to 2.9.0 (#5760)
  * chore(deps): bump fluxcd/flux2 from 0.37.0 to 0.38.1 (#5759)
  * chore(deps): bump actions/cache from 3.0.11 to 3.2.0 (#5758)
  * refactor: move util funcs in sub packages (#5754)
  * refactor: cleanup controller validating webhook (#5756)
  * test: add unit test for GetResourceName util (#5752)
  * refactor: auth package and add full unit test coverage (#5749)
  * chore: bump deps including k8s ones (#5751)
  * refactor: remove common package (#5750)
  * refactor: use typed client in auth (#5743)
  * refactor: remove a couple of old util funcs (#5746)
  * chore: remove e2e tests (#5742)
  * Issue_templates (#5741)
  * chore: remove autogen internals tests (#5740)
  * fix: cleanup controller image build (#5739)
  * chore: build cleanup controller image (#5737)
  * generate SLSA provenance on releases (#5735)
  * run conformance tests on different k8s versions (#5733)
  * Allows {{image}} var to be used in policies (#5122)
  * refactor: split CLI jp command (#5566)
  * chore: update k8s versions test grid (#5732)
  * feat: add exception logic (#5712)
  * fix: rem
  * fix: remove all category from all our CRDs (#5731)
  * feat: force background scan regularly (#5727)
  * add rule type pkg/metrics/parsers.go (#5729)
  * bump Go 1.19.4 (#5728)
  * Revert "chore(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.1 (#5724)" (#5725)
  * chore(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.1 (#5724)
  * feat: propagate psa checks results (#5719)
  * fix: add back install.yaml manifest (#5721)
  * refactor: suppress usage of kustomize in build (#5691)
  * Require predicate type (#5713)
  * fix logger panic (#5715)
  * fix: interface conversion panic (#5708)
  * fix missing assignment (#5710)
  * feat: add kuttl tests for #5704 (#5707)
  * fix: allow policies from stdin in apply again (#5668)
  * initialize configmap resolver in background components (#5705)
  * feat: Implement PolicyException (#5680)
  * fix digest and verify logic (#5703)
  * fix: block policy admission if kyverno is down (#5677)
  * fix info kind error (#5701)
  * fix: exception validation follow up (#5697)
  * chore(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#5696)
  * feat: add policy exception validation webhook (#5679)
  * chore(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#5695)
  * chore: bump a couple of deps (#5688)
  * chore(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2 (#5694)
  * chore(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#5683)
  * fix: bump log level for autogen debug logs (#5687)
  * chore: remove deprecated flag splitPolicyReport (#5686)
  * chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#5684)
  * chore(deps): bump JasonEtco/create-an-issue from 2.8.1 to
2.8.2 (#5685) * chore: remove secrets client from webhook controller (#5682) * chore: rename exclude into match in policy exception (#5681) * fix: case where deny message is not a string (#5678) * feat: Introduce PolicyException CRD (#5662) * feat: add certs controller to cleanup policies (#5671) * chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 (#5666) * Update version drop-downs in issue templates (#5674) * fix AllNotIn operator (#5636) * chore(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 (#5663) * chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#5667) * feat: add engine traces (#5463) * use camel case for ForEach naming (#5660) * feat: add metrics service and service monitor to cleanup controller (#5653) * Support existing imagePullSecrets for image verify functionality (#5627) * Nested foreach (#5589) * chore(deps): bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#5652) * chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.1 (#5650) * feat: add dev config with support for prom loki and tempo (#5647) * fix: grafana dashboard (#5645) * fix: missing permission in cleanup controller role (#5646) * refactor: tracing package (#5643) * added Arrikto and Trendyol as adopters (via Google Form) (#5644) * feat: improve cleanup policies controller and chart (#5628) * feat: add support for subresources to validating and mutating policies (#4916) * fix: Improve helm-test workflow (#5640) * feat: propagate context through engine (#5639) * chore(deps): bump github/codeql-action from 2.1.35 to 2.1.36 (#5631) * feat: add conditions matching to cleanup controller (#5626) * fix: setup tracing and minor cleanup in tracing and metrics code (#5629) * feat: add http clients tracing (#5630) * chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 (#5632) * chore(deps): bump k8s.io/cli-runtime from 0.25.4 to 0.25.5 (#5635) * Add api docs (#5605) * feat: use lister in registry client (#5620) * fix: registry client not propagated correctly (#5622) 
* fix: don't create orphan spans in instrumented clients (#5624) * feat: introduce v2alpha1 (#5625) * feat: implement cleanup policy matching (#5614) * fix nil error panic (#5619) * chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#5618) * add 1.8.3 to version drop-downs (#5616) * fix: mutation of cached object in bg scan controller (#5608) * refactor: registry client (#5596) * use helm values for crd labels (#5594) * chore: bump a couple of deps (#5611) * chore(deps): bump reviewdog/action-golangci-lint from 1.25.0 to 2.2.2 (#5603) * chore(deps): bump azure/setup-helm from 1.1 to 3.4 (#5604) * refactor: improve color management in cli test (#5609) * chore: bump a couple of deps (#5610) * chore(deps): bump CycloneDX/gh-gomod-generate-sbom from 1.0.0 to 1.1.0 (#5601) * feat: add cleanup handler (#5576) * chore(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 (#5602) * Fix: handling unexpected global-anchor-variable for the apply command (#5590) * chore: bump a couple of deps (#5593) * fix: use lister for CA secret (#5598) * add logging guideline (#5406) * Delete category all from CRDs (#5557) * refactor: update otlp packages (#5367) * chore: bump flux action (#5578) * chore(deps): bump aquasecurity/trivy-action from 0.2.3 to 0.8.0 (#5584) * fix: replace + symbol with _ symbol on the Chart.Version field (#5591) * chore(deps): bump helm/chart-testing-action from 2.0.1 to 2.3.1 (#5586) * chore(deps): bump rajatjindal/krew-release-bot from 0.0.38 to 0.0.43 (#5588) * chore(deps): bump ossf/scorecard-action from 2.0.4 to 2.0.6 (#5587) * chore(deps): bump actions/setup-go from 2.1.5 to 3.4.0 (#5585) * chore(deps): bump actions/setup-python from 2.3.1 to 4.3.0 (#5562) * chore(deps): bump sonarsource/sonarcloud-github-action from 1.7 to 1.8 (#5563) * chore(deps): bump codecov/codecov-action from 2.1.0 to 3.1.1 (#5573) * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#5559) * adding --warn-exit-code flag (#5577) * feat: 
add cleanup controller BYOSA and RBAC extensions (#5580) * chore(deps): bump goreleaser/goreleaser-action from 2.8.0 to 3.2.0 (#5572) * chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#5574) * chore(deps): bump JasonEtco/create-an-issue from 2.8.0 to 2.8.1 (#5571) * chore: disable dependabot auto rebase (#5567) * chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 (#5560) * refactor: jmespath arithmetic operations (#5544) * chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.1 (#5561) * chore(deps): bump actions/checkout from 2.4.0 to 3.1.0 (#5564) * chore(deps): bump actions/cache from 3.0.8 to 3.0.11 (#5565) * refactor: cli test command (#5550) * refactor: cli jp command (#5552) * add Wayfair to adopters (#5547) * Kyverno CLI: added method to detect duplicate resource in kyverno test (#3612) * To support gitURLs for "apply" command (#4502) * issue-4613: Add support for cache enhancements with informers (#5484) * chore(deps): bump stefanprodan/helm-gh-pages from 1.5.0 to 1.7.0 (#5534) * chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#5532) * chore(deps): bump github/codeql-action from 1.0.26 to 2.1.35 (#5536) * bump slsa GH generator to 1.4.0 (#5530) * chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 (#5535) * chore(deps): bump sigstore/cosign-installer from 2.8.0 to 2.8.1 (#5533) * chore: enable dependabot (#5531) * refactor: make policy context immutable and fields private (#5523) * configure opentelemetry logger (#5513) * feat: support attestations with multiple signatures (#5409) * fix: bug in report resource watcher (#5525) * Adding Rafay Systems to Kyverno Adopters list. 
(#5524) * feat: Add default CI test values for helm charts (#5518) * feat(policies chart): Add ability to set autogen behavior (#5517) * fix: cleanup policy validation (#5514) * fix: pod anti affinity (#5516) * chore: improve cleanup controller (#5509) * feat: use admission review v1 (#5464) * refactor: use internal cmd package in kyverno (#5507) * chore: bump a few deps (#5512) * chore: stop using set-output in gh actions (#5500) * refactor: add controller helper to internal package (#5506) * chore: use builtin slices.Clone (#5510) * feat: add webhook type to admission metrics (#5493) * feat: propagate context to dynamic client (#5495) * chore: bump a couple of deps (#5503) * feat: add controller metrics (#5494) * fix: panic when response is nil (#5502) * fix: report deletion fighting with garbage collection (#5486) * feat: add dynamic client support to internal cmd package (#5477) * Migrate all mutate e2e tests to kuttl and expand (#5491) * chore: replace utils.ContainsString with builtin slices.Contains (#5496) * fix: add image extractor for ReplicationController (#5497) * refactor: move metrics closer to the code that use them (#5492) * chore: refactor metrics namespace check (#5489) * Migrate validate e2e tests to kuttl tests (#5483) * Fix: handled skip rule processing in anyPattern field (#5191) * feat: propagate context to the metrics package (#5479) * fix: fix mutating the "/metadata/serverAddress" section of a keda.s/v1alpha1/ScaledObject object (#5374) * feat: add allowed label to admission metrics (#5478) * chore: bump kyverno version in argo lab (#5482) * fix: typo in autogen package (#5480) * chore: improve tracing instrumented clients (#5474) * refactor: metrics configuration code (#5475) * feat: create a policy utils package (#5473) * Add reconciling logic for creating cronjobs whenever a new cleanup policy is created (#5385) * feat: add new filtering handlers (#5472) * fix: remove filtering for policy admission handlers (#5462) * fix: add clone 
check before validating namespace policy (#5459) * fix: issue when calling kustomize concurrently (#5465) * feat: support flagsets in internal cmd package (#5461) * chore: add instrumented clients codegen verification (#5460) * fix: reading policies for oci command and pushing image (#5435) * fix: admission reports stacking up (#5457) * docs: add controllers README (#5434) * fix: log watcher error in reports controller (#5449) * ci: cancel redundant builds of workflow on push (#5427) * feat: use client funcs from internal cmd package (#5443) * docs: add reports troubleshooting tips (#5448) * fix: argocd lab monitoring namespace (#5446) * fix: mutate existing policy does not get applied when background=false (#5439) * feat: add signal in internal cmd package (#5444) * feat: improve handlers tracing code (#5442) * chore: bump a bunch of deps (#5440) * feat: add logging support to instrumented clients (#5438) * feat: add discovery support in instrumented clients (#5437) * refactor: dynamic client use instrumented clients (#5436) * fix request.operation in globalValues is always set to CREATE (#5423) * chore: remove obsolete metrics client code (#5401) * refactor: improve instrumented clients code and support dynamic/metadata client (#5428) * refactor: split argocd lab into multiple steps (#5410) * Fix multi attestor keyless (#5432) * Handle Match resources kind (#5421) * udpate slsa to v1.3.0 (#5419) * chore: bump sigstore deps (#5376) * fix blank lines in crds (#5422) * refactor: improve instrumented clients creation (#5417) * logging action (#5416) * adding --audit-warn flag (#5321) * Update version drop-downs; bump Trivy (#5425) * Add most basic kuttl tests for generate rules, clone and sync (#5413) * fix: typo (#5415) * feat: make traces better (#5412) * refactor: introduce cmd internal package (#5404) * refactor: generated instrumented client code part 2 (#5398) * feat: add tracing middleware (#5397) * Fixed issue-3709: Image verify rule gives error for 
non-existing configmap (#5272) * add os.Exit (#5402) * Complete all basic kuttl tests for generate rules, clone and no-sync (#5400) * refactor: generate instrumented client code (#5362) * refactor: propagate context through admission handlers (#5392) * refactor: improve tracing package (#5391) * [Bug]: Fix wildcard any/all issue (#5387) * Fix incorrect step ID reference (#5388) * fix the entry length validation for the verify image rule (#5384) * Add more kuttl generate test cases (#5364) * fix: set correct logger in profiling server (#5358) * fix closed watchers in the resource-report-controller (#5350) * fix: set logger in metrics server (#5319) * fixed dryrun option to handle changes caused by mutating policy (#4899) * fix: add validation for generate namespace policy (#5346) * chore: add tempo to argocd lab (#5365) * chore: add performance tests tool (#5241) * fix: panic when disable metrics is true (#5366) * feat: add CleanupPolicy validation code to CleanupPolicyHandler (#5338) * test: simplify autogen kuttl tests (#5343) * chore: enable json logs in argocd lab (#5349) * fix digest variable (#5356) * chore: add helm ci values with cleanup controller (#5357) * fix: add some missing options in cleanup helm chart (#5351) * add test cases for yaml verification feature (#5326) * refactor: optimise and use kuttl TestStep with tests (#5328) * test: add rbac kuttl test (#5337) * Update SLSA generator workflow to v1.2.2 (#5323) * test: add kuttl debug failure (#5339) * fix: add replicaset and replicationController kinds in podsecurity validation (#5336) * feat: add cleanup controller to helm chart (#5329) * chore: remove docker support (#5324) * chore: add cli binary to gitignore (#5331) * test: add test to check expected webhooks are created (#5330) * feat: add cleanup controller makefile targets (#5327) * feat: add replicaset and replicationcontroller to autogen (#4975) * feat: add cleanupPolicy validation code (#5279) * fix: synchronize source resource update to 
clone list resource (#5317) * allow list with policies in test (#5227) * test: add kuttl tests for jmespath special chars (#5310) * Fix issue where CLI test command ignores failures (#5189) * fix: wrong logger used (#5311) * fix: send notification when stoping watching resource in reports system (#5298) * fix: add parsing of json pointers to support special chars (#3578 #3616) (#4767) * fix: set rule response status as skip if precondition failed (#5162) * Update kuttl test scaffolding (#5303) * fix: reduce startup probe delay (#5296) * tests: add kuttl tests for multiple clone generate (#5280) * fix: allow delete of clone target resource with synchronize false (#5161) * fix: image extractor kuttl tests (#5293) * fix: check policy is ready in kuttl tests (#5286) * fix: kuttl test external-service (#5287) * chore: update kuttl (#5285) * fix: make zapr compatible with klog's -v argument (#5166) * feat: add flag to control leader election frequency (#5172) * refactor: admission metrics (counter and latency) (#5245) * fix: resource schema validation in policies under any/all match (#5246) * fix: keep admission warnings (#5269) * add test instructions (#5271) * chore: add kuttl autogen tests (#5253) * fix: add missing test suite to kuttl (#5268) * fix: account for error rules in mutation webhook (#5264) * refactor: admission response utils (#5234) * feat: create cleanup new CRDs (#5233) * chore: remove old conformance tests files (#5260) * fix: add warning when using deprecated validation failure action (#5219) * Kuttl updates (#5257) * chore: use conditions in kuttl tests to check ready policies (#5252) * chore: add kuttl in makefile (#5254) * More kuttl tests (#5238) * fix: remove unused code in config (#5242) * feat: separate webhook rules per GVK/rule (#4986) * fix: kyverno Dockerfile base image tag and sha256 hash (#5248) * refactor: move all middlewares in handlers sub package (#5244) * fix generateName mutation (#5146) * Fix Keda policy installation issue (#5239) 
* fix: remove /approve from prow actions (#5243) * [Feature] Pin Dependencies by Hash (#5168) * chore: add loki to argocd lab (#5231) * Fixed description for secret name (#5228) * feat: add grafana dashboard to helm chart (#5230) * add remainder of e2e verifyImages tests (#5229) * add kuttl tests (#5204) * [BUG] Fix foreach deletion issue (#5224) * feat: add policy label to policy reports (#5198) * fix: too much information for the Policy Rule Execution Latency metric (#5208) * chore: server side apply in argo lab (#5209) * refactor: health check system (#5176) * fix: early return in policy validation (#5200) * feat: support disabling schema validation on the patched resource (#5197) * fix: deletion of reports not belonging to kyverno (#5194) * Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964) * refactor: remove policyreport package (#5174) * fix: use pagination to aggregate reports (#5190) * fix: check resource version on update notification (#5179) * fix: do not cancel context when loosing the lead (#5180) * chore: add kind config file (#5178) * fix: content type in log (#5177) * feat: run leader election in loop (#5173) * refactor: support Audit and Enforce validation failure actions (#5152) * Corrected Kubernetes spelling (#5134) * fix 5151 issue (#5170) * Add ability to use commands in comments (#5154) * fix: configure klog and global logger to use zapr in json mode (#5144) * feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268) * Fixed issue-5102: Show rule count and type in output (#5106) * skip generating events on empty rule response (#5158) * reset resource version on update (#5157) * fix: mutation policy inconsistent patching for ephemeralContainers (#5121) * feat: remove policy mutation for auto-gen rules (#5123) * chore: remove old docs (#5130) * fix finalizers mutation with patchesJson6902 (#5132) * Add AGE in printer columns of CRDs (#5119) * feat: oci 
pull/push support for policie(s) (#5026) * feat: add categories support to our CRDs (#5112) * Remove old version of golang.org/x/sys (#5125) * fix: conformance tests (#5118) * [Feature] create command line option to set failurePolicy globally (#4991) * clean conformance (#5089) * feat: enable/disable Debug mode which shows entire AdmissionReview payload (#5024) * docs: separate dev and user docs (#5114) * ci: Fix install manifests publishing with Flux (#5110) * fix: use correct side effects in validating webhooks (#5080) * refactor: simplify variables regex (#5075) * feat: add flag to configure the number of background scan workers (#5088) * fix: allow delete of target resource with synchronize false (#5081) * ci: Use the Docker login action for GHCR auth (#5091) * fix: handle resource cleanup when policy is deleted (#5021) * test: add best practices policies in conformance tests (#5082) * fix: use correct logger in webhook controller (#5083) * feat: add simple conformance tests (#5073) * fix: make reponse order predictable (#5079) * added apiCalls support in kyverno-apply command (#4938) * feat: add webhook server logger (#5063) * fix: configure idle timeout in server (#5062) * fix: image verification reports missing in admission mode (#5037) * fix: setup max procs with correct logger (#5059) * fix: detection of kyverno going down (#5055) * fix: do not update reports when they are identical (#5056) * fix: go routines not gracefully shut down in controllers (#5022) * fix: account for policy/rule deletion in aggregated reports (#5048) * Created configuration file for Openssf scorecard (#4778) * feat: add image verification support to background scan (#5047) * feat: add controller logger helper (#5029) * fix env (#5046) * fix: lease log message (#5030) * feat: make shutdown more graceful (#5031) * fix: lower default qps/burst (#5034) * fix: Attempt to fix the CI failure, extract CI job push-sign-install-manifest (#5035) * Fixed issue-4655: verifyImages is executed 
before mutate (#4996) * fix: add more infos in reports printers (#5027) * Enable adding annotations to configmaps in the helm chart (#4984) * validate patchJSON6902 (#4469) * remove RBACInfo check (#5015) * fix: policy not denied when kinds set is empty (#5016) * fix: global anchor warning (#4962) * fix: don't process non background policies in background scan (#5008) * fix: update policy status (#5006) * fix: use default retry with retryfunc for a conflict (#4973) * updates with case insensitivity guarantee (#4954) * refactor: add update status helper (#4985) * fix principal and role variables are not substituted (#5000) * fix: skip admission in dry run requests (#4994) * fix: webhooks not registering when using name override (#4992) * feat: add metrics server and kube-prometheus-stack to argocd lab (#4995) * feat: add startup probes support (#4896) * feat: add policy-reporter to argocd lab (#4988) * docs: add resource exclusions note in helm docs (#4989) * chore: add myself in approvers (#4990) * feat: Add container registry setting on Helm Chart (#4281) * fix: config reloading not working correctly (#4951) * fix: missing autogen rules in status (#4971) * fix: add user info in admission request logs (#4969) * fix: don't produce empty admission reports (#4966) * fix: improve banned types management in reports (#4953) * fix: missing watchers in resource report controller (#4967) * chore: Push and sign install manifests to GHCR (#4895) * Fixed issue-4530: Added separate attestor type for secrets and KMS (#4733) * fix: admission reports printer (#4950) * chore: bump a few deps (#4943) * Added support to specify key signature algorithm in verifyImages (#4855) * fix: don't report ready until certs are valid (#4934) * Update issue templates and scan for vulns action (#4952) * Fix background scan with request.operation (#4947) * fix: consider generateName when matching resources (#4945) * fix: probes should work in debug mode (#4926) * fix: set operation in context when 
necessary (#4940) * chore: add COSIGN_REPOSITORY env to ko-publish-dev step (#4922) * fix: panic when bad variable substitution (#4928) * feat: make cert renewer private and add server name support (#4904) * chore: bump a couple of deps (#4925) * [Cleanup] Disable PolicySkipped events (#4913) * add filter for validation policies when ValidationFailureActionOverrides is used (#4809) * chore: update controller-tools to v0.10.0 (#4918) * fix: use constants defined in openapi controller (#4919) * chore: signing helm releases (#4801) * fix: openapi controller discovery (#4912) * refactor: openapi controller part 2 (#4910) * fix: clean background scan reports (#4908) * fix: don't specify rules when aggregationRule is set (#4867) * refactor: openapi controller part 1 (#4901) * fix: remove unnecessary dependencies from tls package (#4903) * fix: reduce webhook controller logs (#4897) * chore: add argocd lab (#4884) * refactor: manage webhooks with webhook controller (#4846) * fix: auto gen enabled when using names (#4863) * fix: non watchable resources in report controller (#4888) * Fix result colour (#4885) * fix: background scan labels (#4865) * fix: hardening policy validation for generate cloneList (#4881) * docs: add section in helm docs to install with argocd (#4878) * fix test output numbering (#4853) * feature: use cert extension oid as key (#4854) * chore: add launch.json for vscode debugging (#4856) * Add workflow to detect and report on image vulns (#4850) * docs: add debug instructions (#4843) * e2e test for mutate policy (#3383) * fix: replace AbsPath with RequestURI to support query params (#4849) * refactor: make cert manager a real controller (#4792) * refactor: add config support to webhook controller (#4838) * feat: use a dedicated policy metrics controller (#4818) * chore: bump a couple of deps (#4842) * Update PSa images dsecription (#4840) * refactor: leader controllers management (#4832) * fix extension checks (#4836) * fix: call depth in logging 
package and global logger support for call depth (#4834) * upgrade controller-runtime dependency (#4829) * refactor: non leader controllers management (#4831) * refactor: make tls cert func not depending on cert controller (#4820) * fix: use new client in tls package (#4746) * fix: debug mode (#4785) * fix: add policy validation for ValidationFailureActionOverride field (#4784) * update helm doc * Fix CRD format issue * Bump k8s libraries to v0.25.2 * Fix PSa the control name validation * fix: validationFailureAction default value (#4822) * refactor: split main into sub funcs (#4821) * chore: use concurrent map v2 (generics) (#4803) * fix: controllers start in loop (#4815) * refactor: split main into sub func (#4810) * feat: add context support to leader election (#4811) * feat: add context funcs to logging package (#4812) * skip succeed rules when building the blocked return message (#4804) * fix: subject and issuer validation when attestations are present (#4786) * refactor: split main func for metrics (#4796) * fix: remove error prone debug field (#4794) * chore: bump a couple of deps (#4802) * refactor: split main into funcs (#4795) * fix: logger panic (#4793) * fix: publish yaml manifests in release instead of repo (#4738) * fix: remove explicit wait for cache sync (#4791) * Add security context and resource block to test (#4712) * fix: new cert manager controller never returns error (#4789) * chore: bump a few deps (#4790) * refact:update script of generate-self-signed-cert-and-k8secrets.sh to supports custom namespace (#4758) * refactor: introduce webhook controller (#4749) * fix: remove reference to controller runtime log (#4779) * refactor: more context less chans (#4764) * Fix: Typo in x509_decode JMESPath function's note (#4773) * fix: add workers to the controller interface (#4776) * update cosign and k8s-manifest-sigstore (#4781) * chore: change charts registry url (#4768) * add package logger in files (#4766) * fix: parse flags error handling (#4775) 
* refactor: make server owner of the cleanup chan (#4765) * refactor: use context in openapi controller (#4760) * refactor: use context in controllers instead of chan (#4761) * refactor: use context in dynamic client instead of chan (#4756) * refactor: move from io/ioutil to io and os packages (#4752) * refactor: split main in a couple of funcs and use local loggers (#4754) * fix: helm self signed cert (#4745) * add and use package level logger (#4750) * fix: watch error in resource controller (#4751) * chore: use constant in cert manager controller (#4747) * feat: add typed client support and metrics wrapper (#4724) * chore: speed up helm docs gen on mac (#4742) * fix: reports not generated (#4743) * feat: allow users enable JSON logging with a --loggingFormat=json flag (#4661) * fix: use a single leader election (#4722) * fix: containerd dependency vulnerability (#4629) * Add PSa policy validations (#4735) * Added `x509_decode` JMESPath function (#4664) * feat: add matchlabel selector support with multiple clone (#4713) * docs: add policy cache controller docs (#4714) * fix: output make messages to stderr (#4727) * feat: reports v2 implementation (#4608) * Support PSa integration by `controlName` only (#4710) * chore: update client code generator (#4711) * chore: group unit and cli tests targets and separate sections (#4693) * fix: remove deprecation notice (#4635) * chore: enable overriding images repo (#4694) * fix: change key used in test (#4718) * chore: refactor manifests related makefile targets (#4706) * fix: missing client wrapper (#4703) * refactor: use pod name as leader id (#4680) * fix: split webhook handlers per failure policy (#4650) * fix: shutdown controllers workers gracefully (#4681) * fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671) * refactor: replace signal package by signal.NotifyContext (#4691) * fix: jmespath random error handling (#4697) * chore: simplify go mod (#4692) * fix: bump net 
standard lib (#4685)
  * fix: handle auth permission for cloneList validation (#4684)
  * fix: namespaced policy not validated in engine (#4653)
  * chore: bump minimum go version (#4677)
  * Fix issue for wildcard versions (#4670)
  * chore: publish sbom result to a different repository from an image (#4665)
  * added kubeconfig and context flag to kyverno apply (#4524)
  * feat: add feature flag to disable background scan (#4638)
  * feat: add explicit key support to controller utils (#4628)
  * refactor: update log based on the policy types (#4646)
  * refactor: split policyreport api files (#4641)
  * fix: missing elements in v2beta1 api (#4654)
  * refactor: add a couple of constants in api (#4640)
  * feat: introduce RCR interface (#4642)
  * fix: incorrect namespace in report controller (#4637)
  * fix: remove RCR from mutation webhook (#4636)
  * feat: add controller utils tools (#4639)
  * chore: bump cosign 1.12.0 to fix vulnerabilities (#4631)
  * chore: add makefile target to deploy metrics server (#4627)
  * chore: add target to deploy policy reporter (#4621)
  * Integrate Sonarcloud and Nancy github action (#3491)
  * fix: background printer column (#4617)
  * enhance jmespath random-filter (#4591)
  * fix: lock in policy report mapper (#4601)
  * refactor: simplify RCR creator queue (#4578)
  * chore: add messages in makefile kind targets (#4588)
  * refactor: info in policyreport package (#4598)
  * Fix multiple crd slowness issue (#4275)
  * update helm releases path (#4596)
  * enable autogen for validate.podsecurity with no exclude (#4594)
  * chore: add a codegen-quick makefile target (#4583)
  * chore: switch to github.com/IGLOU-EU/go-wildcard (#4563)
  * allow PSa validation with no exceptions (#4558)
  * fix: typo (#4582)
  * fix: split policy report flag (#4576)
  * update version drop-down (#4579)
  * chore: add toggle package unit tests (#4577)
  * chore: preserve pr title in cherry picks (#4573)
  * refactor: move generation handler out of webhooks package (#4570)
  * refactor: move image verification handler out of webhooks package (#4569)
  * refactor: move mutation handler out of webhooks package (#4567)
  * refactor: move validation audit out of webhooks package (#4562)
  * chore: add kocache (#4482)
  * docs: add help on fetching tags (#4560)
  * refactor: move validation handler out of webhooks package (#4556)
  * refactor: make webhook metrics helpers static (#4554)
  * add new patterns for releases (#4552)
  * refactor: move webhook events utils in utils package (#4545)
  * chore: add unit test for updating ur status (#4541)
  * fix: defer ur update until validation passes (#4540)
  * refactor: introduce ur updater (#4535)
* Tue Dec 20 2022 kastl@b1-systems.de
- Update to version 1.8.5:
  * release v1.8.5 (#5726)
  * tag v1.8.5-rc.1 (#5718)
  * Cherry-pick Require predicate type (#5717)
  * cherry-pick: fix digest and verify logic (#5706)
  * fix: interface conversion panic (#5708) (#5711)
  * Delete category all from CRDs (cherry-pick #5557) (#5709)
* Fri Dec 09 2022 kastl@b1-systems.de
- Update to version 1.8.4:
  * release v1.8.4 (#5638)
  * tag v1.8.4-rc.1 (#5623)
  * fix nil error panic (#5619) (#5621)
  * fix: mutation of cached object in bg scan controller (#5608) (#5613)
* Tue Dec 06 2022 kastl@b1-systems.de
- Update to version 1.8.3:
  * tag v1.8.3 (#5579)
  * tag v1.8.3-rc.2 (#5529)
  * feat: support attestations with multiple signatures (cherry-pick #5409) (#5528)
  * logging action (#5416) (#5527)
  * fix: bug in report resource watcher (#5525) (#5526)
  * feat: Add default CI test values for helm charts (#5518) (#5521)
  * feat(policies chart): Add ability to set autogen behavior (#5517) (#5520)
  * tag 1.8.3-rc.1 (#5508)
  * fix: report deletion fighting with garbage collection (#5486) (#5501)
  * Migrate all mutate e2e tests to kuttl and expand (#5491) (#5499)
  * Cherry-pick ff9328809b62097895b99d866d0d3c6d6a801ae9 (#5488)
  * fix: fix mutating the "/metadata/serverAddress" section of a keda.s/v1alpha1/ScaledObject object (#5374) (#5487)
  * fix: typo in autogen package (#5480) (#5481)
  * fix: add clone check before validating namespace policy (#5459) (#5471)
  * fix: issue when calling kustomize concurrently (cherry-pick #5465) (#5470)
  * fix: admission reports stacking up (#5457) (#5467)
  * fix: log watcher error in reports controller (#5449) (#5455)
  * Handle Match resources kind (#5421) (#5450)
  * fix: mutate existing policy does not get applied when background=false (#5439) (#5447)
  * Fix multi attestor keyless (#5432) (#5433)
  * fix validationFailureAction case in kuttl tests (#5426)
  * Add most basic kuttl tests for generate rules, clone and sync (#5413) (#5424)
* Mon Nov 21 2022 kastl@b1-systems.de
- Update to version 1.8.2:
  * Tag v1.8.2 (#5418)
  * tag v1.8.2-rc.2 (#5408)
  * Fixed issue-3709: Image verify rule gives error for non-existing configmap (#5272) (#5407)
  * add os.Exit (#5402) (#5405)
  * Complete all basic kuttl tests for generate rules, clone and no-sync (#5400) (#5403)
  * tag v1.8.2-rc.1 (#5393)
  * [Bug]: Fix wildcard any/all issue (#5387) (#5390)
  * fix: enable policy validation for the verifyImage rule (#5383)
  * fix: set logger in metrics server (#5319) (#5377)
  * Add more kuttl generate test cases (#5364) (#5382)
  * test: add rbac kuttl test (#5337) (#5380)
  * fix: set correct logger in profiling server (#5358) (#5381)
  * fix closed watchers in the resource-report-controller (#5350) (#5378)
  * fix: add validation for generate namespace policy (#5346) (#5373)
  * fixed dryrun option to handle changes caused by mutating policy (#4899) (#5375)
  * add test cases for yaml verification feature (#5326) (#5372)
  * chore: add tempo to argocd lab (#5365) (#5370)
  * chore: add performance tests tool (#5241) (#5369)
  * fix: panic when disable metrics is true (#5366) (#5368)
  * chore: enable json logs in argocd lab (#5349) (#5359)
  * refactor: optimise and use kuttl TestStep with tests (#5328) (#5353)
  * test: add kuttl debug failure (#5339) (#5341)
  * chore: add cli binary to gitignore (#5331) (#5333)
  * test: add test to check expected webhooks are created (#5330) (#5332)
  * fix: synchronize source resource update to clone list resource (#5317) (#5320)
  * Fix issue where CLI test command ignores failures (#5189) (#5313)
  * fix: add parsing of json pointers to support special chars (#3578 #3616) (#4767) (#5315)
  * test: add kuttl tests for jmespath special chars (#5310) (#5316)
  * fix: wrong logger used (#5311) (#5314)
  * chore: Fix policy installation issue (cherry-pick #5239) (#5308)
  * fix: reduce startup probe delay (#5296) (#5302)
  * fix: send notification when stopping watching resource in reports system (#5298) (#5309)
  * fix: set rule response status as skip if precondition failed (#5162) (#5306)
  * Update kuttl test scaffolding (#5303) (#5304)
  * tests: add kuttl tests for multiple clone generate (#5280) (#5299)
  * add a note to 1.8.2-rc1 release (#5291)
  * fix: allow delete of clone target resource with synchronize false (#5161) (#5297)
  * fix: check policy is ready in kuttl tests (#5286) (#5292)
  * fix: image extractor kuttl tests (#5293) (#5295)
  * fix: kuttl test external-service (#5287) (#5290)
  * chore: update kuttl (#5285) (#5288)
  * refactor: admission metrics (counter and latency) (#5245) (#5282)
  * chore: use conditions in kuttl tests to check ready policies (#5252) (#5281)
  * fix: make zapr compatible with klog's -v argument (#5166) (#5283)
  * fix: keep admission warnings (#5269) (#5275)
  * chore: add kuttl autogen tests (#5253) (#5274)
  * fix: add missing test suite to kuttl (#5268) (#5273)
  * fix: early return in policy validation (cherry-pick #5200) (#5213)
  * chore: remove old conformance tests files (#5260) (#5263)
  * fix: account for error rules in mutation webhook (#5264) (#5267)
  * refactor: admission response utils (#5234) (#5265)
  * chore: add kuttl in makefile (#5254) (#5258)
  * Kuttl updates (#5257) (#5261)
  * More kuttl tests (#5238) (#5259)
  * add remainder of e2e verifyImages tests (#5229) (#5256)
  * add kuttl tests (cherry-pick #5204) (#5255)
  * refactor: move all middlewares in handlers sub package (cherry-pick #5244) (#5250)
  * chore: add loki to argocd lab (#5231) (#5240)
  * feat: add grafana dashboard to helm chart (#5230) (#5232)
  * feat: add policy label to policy reports (#5198) (#5225)
  * Merge 396593d8997f218270a398e18e956d892f004bc3 into b3c5a9c74165d573aab9928dd8ac1187e8d8fc3a (#5216)
  * chore: server side apply in argo lab (#5209) (#5210)
  * refactor: health check system (#5176) (#5207)
  * feat: support disabling schema validation on the patched resource (#5197) (#5206)
  * Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964) (#5195)
  * fix: deletion of reports not belonging to kyverno (#5194) (#5196)
  * fix: use pagination to aggregate reports (#5190) (#5192)
  * fix: check resource version on update notification (#5179) (#5186)
  * chore: add kind config file (#5178) (#5183)
  * fix: content type in log (#5177) (#5182)
  * fix: configure klog and global logger to use zapr in json mode (#5144) (#5181)
  * skip generating events on empty rule response (#5158) (#5160)
  * reset resource version on update (#5157) (#5159)
  * feat: add categories support to our CRDs (#5112) (#5137)
  * fix: mutation policy inconsistent patching for ephemeralContainers (#5121) (#5145)
  * Fixed issue-4655: verifyImages is executed before mutate (#4996) (#5143)
  * fix finalizers mutation with patchesJson6902 (#5132) (#5135)
* Tue Oct 25 2022 kastl@b1-systems.de
- Update to version 1.8.1:
  * Tag v1.8.1 (#5133)
  * Tag v1.8.1-rc.4 (#5128)
  * remove the empty add entry in Helm chart manifest (#5127)
  * Remove old version of golang.org/x/sys (#5125) (#5126)
  * docs: separate dev and user docs (cherry-pick #5114) (#5117)
  * ci: Fix install manifests publishing with Flux (#5110) (#5111)
  * Tag v1.8.1-rc.3 (#5108)
  * fix: use correct side effects in validating webhooks (#5080) (#5105)
  * refactor: simplify variables regex (#5075) (#5104)
  * fix: allow delete of target resource with synchronize false (#5081) (#5095)
  * test: add best practices policies in conformance tests (#5082) (#5097)
  * fix: use correct logger in webhook controller (#5083) (#5098)
  * feat: add flag to configure the number of background scan workers (#5088) (#5096)
  * ci: Use the Docker login action for GHCR auth (#5091) (#5094)
  * fix: handle resource cleanup when policy is deleted (#5021) (#5093)
  * Cherry pick 5035, 5046 (#5090)
  * fix: make response order predictable (#5079) (#5087)
  * feat: add simple conformance tests (#5073) (#5086)
  * feat: add webhook server logger (#5063) (#5085)
  * release 1.8.1-rc.2 (#5072)
  * fix: image verification reports missing in admission mode (cherry-pick #5037) (#5066)
  * fix: configure idle timeout in server (#5062) (#5067)
  * fix: setup max procs with correct logger (#5059) (#5065)
  * fix: do not update reports when they are identical (#5056) (#5061)
  * fix: detection of kyverno going down (#5055) (#5064)
  * fix: go routines not gracefully shut down in controllers (#5022) (#5060)
  * fix: account for policy/rule deletion in aggregated reports (#5048) (#5058)
  * feat: add metrics server and kube-prometheus-stack to argocd lab (#4995) (#5052)
  * feat: add image verification support to background scan (#5047) (#5049)
  * feat: add controller logger helper (#5029) (#5050)
  * feat: add policy-reporter to argocd lab (#4988) (#5051)
  * feat: make shutdown more graceful (#5031) (#5040)
  * Enable adding annotations to configmaps in the helm chart (#4984) (#5039)
  * fix: wrong controller logger names (#5043)
  * chore: add argocd lab (#4884) (#5041)
  * fix: lease log message (#5030) (#5045)
  * fix: lower default qps/burst (#5034) (#5038)
  * fix: add more infos in reports printers (#5027) (#5033)
  * Tag v1.8.1-rc1 (#5020)
  * remove RBACInfo check (#5015) (#5019)
  * fix: policy not denied when kinds set is empty (#5016) (#5017)
  * fix: global anchor warning (#4962) (#5013)
  * feat: add startup probes support (#4896) (#5012)
  * fix: webhooks not registering when using name override (#4992) (#5010)
  * fix: don't process non background policies in background scan (#5008) (#5009)
  * fix principal and role variables are not substituted (#5000) (#5001)
  * fix: update policy status (#5006) (#5007)
  * fix: use default retry with retryfunc for a conflict (#4973) (#5005)
  * updates with case insensitivity guarantee (#4954) (#5003)
  * refactor: add update status helper (#4985) (#5002)
  * fix: skip admission in dry run requests (#4994) (#4999)
  * fix: improve banned types management in reports (#4953) (#4997)
  * docs: add resource exclusions note in helm docs (#4989) (#4993)
  * feat: Add container registry setting on Helm Chart (cherry-pick #4281) (#4987)
  * fix: config reloading not working correctly (#4951) (#4982)
  * fix: missing autogen rules in status (#4971) (#4978)
  * fix: missing watchers in resource report controller (#4967) (#4974)
  * fix: add user info in admission request logs (#4969) (#4976)
  * fix: don't produce empty admission reports (#4966) (#4972)
  * chore: Push and sign install manifests to GHCR (#4895) (#4970)
  * fix: admission reports printer (#4950) (#4961)
  * fix: consider generateName when matching resources (#4945) (#4960)
  * chore: bump a few deps (#4943) (#4958)
  * fix: don't report ready until certs are valid (#4934) (#4957)
  * Fix background scan with request.operation (#4947) (#4949)
  * fix: probes should work in debug mode (#4926) (#4944)
  * fix: set operation in context when necessary (#4940) (#4942)
  * chore: add COSIGN_REPOSITORY env to ko-publish-dev step (#4922) (#4936)
  * add filter for validation policies when ValidationFailureActionOverrides is used (#4809) (#4932)
  * fix: panic when bad variable substitution (#4928) (#4935)
  * feat: make cert renewer private and add server name support (#4904) (#4933)
  * [Cleanup] Disable PolicySkipped events (#4913) (#4931)
  * chore: bump a couple of deps (#4925) (#4929)
  * chore: update controller-tools to v0.10.0 (#4918) (#4923)
  * fix: use constants defined in openapi controller (#4919) (#4921)
  * chore: signing helm releases (#4801) (#4920)
  * fix: openapi controller discovery (#4912) (#4917)
  * fix: don't specify rules when aggregationRule is set (#4867) (#4915)
  * refactor: openapi controller part 2 (#4910) (#4914)
  * refactor: openapi controller part 1 (#4901) (#4906)
  * fix: clean background scan reports (#4908) (#4911)
  * fix: remove unnecessary dependencies from tls package (#4903) (#4905)
  * fix: reduce webhook controller logs (#4897) (#4900)
  * refactor: manage webhooks with webhook controller (#4846) (#4893)
  * fix: auto gen enabled when using names (#4863) (#4892)
  * fix: non watchable resources in report controller (#4888) (#4890)
  * Fix result colour (#4885) (#4887)
  * fix: background scan labels (#4865) (#4886)
  * cherry-pick (#4794 #4812 #4815 #4821 #4784 #4820 #4831 #4834 #4818 #4838 #4792 #4843 #4878) (#4882)
  * fix: hardening policy validation for generate cloneList (#4881) (#4883)
  * cherry-pick (#4811 #4849 #4842 #4829) (#4877)
  * fix test output numbering (#4853) (#4875)
  * cherry-pick (#4790 #4791 #4795 #4796 #4802 #4803) (#4861)
  * cherry-pick (#4749 #4766 #4773 #4775 #4779 #4785 #4789) (#4860)
  * cherry-pick (#4754 #4756 #4760 #4761 #4764 #4765 #4776) (#4859)
  * cherry-pick (#4745 #4746 #4747 #4750 #4752) (#4858)
  * cherry-pick (#4661 #4712 #4722 #4724 #4742) (#4857)
* Mon Oct 10 2022 kastl@b1-systems.de
- Update to version 1.8.0:
  * release: 1.8 (#4851)
  * Update PSa images description (#4840) (#4841)
  * tag v1.8.0-rc6 (#4839)
  * fix extension checks (#4836) (#4837)
  * Cherry pick #4814 (#4826)
  * update helm doc (#4824)
  * fix: validationFailureAction default value (#4822) (#4823)
  * Cherry-pick #4815 (#4817)
  * tag v1.8.0-rc5 (#4807)
  * fix: subject and issuer validation when attestations are present (#4786) (#4805)
  * skip succeed rules when building the blocked return message (#4804) (#4806)
  * cherry-pick #4738 (#4799)
  * cherry-pick #4793 (#4800)
  * update cosign (#4797)
  * chore: change charts registry url (#4768) (#4780)
  * tag v1.8.0-rc4 (#4759)
  * fix: watch error in resource controller (#4751) (#4753)
  * fix: reports not generated (#4743) (#4744)
  * tag v1.8.0-rc3 (#4741)
  * fix: containerd dependency vulnerability (#4629) (#4740)
  * Add PSa policy validations (#4735) (#4739)
  * Added `x509_decode` JMESPath function (#4664) (#4737)
  * feat: add matchlabel selector support with multiple clone (#4713) (#4734)
  * fix: output make messages to stderr (#4727)
  * fix crds yaml conflicts
  * feat: reports v2 implementation (#4608)
  * docs: add policy cache controller docs (#4714) (#4730)
  * chore: update client code generator (#4711) (#4728)
  * Support PSa integration by `controlName` only (#4710) (#4725)
  * chore: group unit and cli tests targets and separate sections (#4693) (#4723)
  * chore: enable overriding images repo (#4694) (#4721)
  * chore: refactor manifests related makefile targets (#4706) (#4720)
  * fix: change key used in test (#4718) (#4719)
  * fix: missing client wrapper (#4703) (#4709)
  * refactor: use pod name as leader id (#4680) (#4708)
  * fix: split webhook handlers per failure policy (#4650) (#4707)
  * fix: shutdown controllers workers gracefully (#4681) (#4704)
  * fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671) (#4702)
  * refactor: replace signal package by signal.NotifyContext (#4691) (#4701)
  * fix: jmespath random error handling (#4697) (#4699)
  * chore: simplify go mod (#4692) (#4696)
  * fix: bump net standard lib (#4685) (#4690)
  * fix: handle auth permission for cloneList validation (#4684) (#4687)
  * fix: namespaced policy not validated in engine (#4653) (#4682)
  * chore: bump minimum go version (#4677) (#4678)
  * Fix issue for wildcard versions (#4670) (#4673)
  * chore: publish sbom result to a different repository from an image (#4665) (#4667)
  * refactor: update log based on the policy types (#4646) (#4658)
  * feat: add explicit key support to controller utils (#4628) (#4659)
  * feat: add feature flag to disable background scan (#4638) (#4660)
  * refactor: split policyreport api files (#4641) (#4657)
  * fix: missing elements in v2beta1 api (#4654) (#4656)
  * refactor: add a couple of constants in api (#4640) (#4652)
  * feat: introduce RCR interface (#4642) (#4651)
  * fix: incorrect namespace in report controller (#4637) (#4649)
  * fix: remove RCR from mutation webhook (#4636) (#4647)
  * chore: bump cosign 1.12.0 to fix vulnerabilities (#4631) (#4633)
  * feat: add controller utils tools (#4639) (#4645)
  * fix: background printer column (#4617) (#4620)
  * enhance jmespath random-filter (#4591) (#4619)
  * fix: lock in policy report mapper (#4601) (#4611)
  * release v1.8.0-rc2 (#4607)
  * refactor: simplify RCR creator queue (#4578) (#4606)
  * chore: add messages in makefile kind targets (#4588) (#4604)
  * refactor: info in policyreport package (#4598) (#4603)
  * Fix multiple crd slowness issue (#4275) (#4600)
  * update helm releases path (#4596) (#4599)
  * enable autogen for validate.podsecurity with no exclude (#4594) (#4595)
  * chore: add a codegen-quick makefile target (#4583) (#4587)
  * chore: switch to github.com/IGLOU-EU/go-wildcard (#4563) (#4586)
  * allow PSa validation with no exceptions (#4558) (#4585)
  * fix: typo (#4582) (#4584)
  * fix: split policy report flag (#4576) (#4581)
  * chore: add toggle package unit tests (#4577) (#4580)
  * chore: preserve pr title in cherry picks (#4573) (#4574)
  * refactor: move generation handler out of webhooks package (#4570) (#4572)
  * refactor: move image verification handler out of webhooks package (#4569) (#4571)
  * refactor: move mutation handler out of webhooks package (#4567) (#4568)
  * refactor: move validation audit out of webhooks package (#4562) (#4566)
  * chore: add kocache (#4482) (#4564)
  * refactor: move validation handler out of webhooks package (#4556) (#4561)
  * refactor: make webhook metrics helpers static (#4554) (#4555)
  * refactor: move webhook events utils in utils package (#4545) (#4548)
  * add new patterns for releases (#4551)
  * chore: add unit test for updating ur status (#4541) (#4544)
  * - tag v1.8.0-rc1; - remove "v" from Helm charts versions (#4538)
  * fix: defer ur update until validation passes (#4540) (#4543)
  * refactor: introduce ur updater (#4535) (#4539)
  * Support V2beta1 Version (#4514)
  * refactor: webhook block and unit tests (#4531)
  * refactor: webhook propagate start time along handlers (#4529)
  * refactor: webhook exclusion and unit tests (#4528)
  * feat: allow cloning multiple resource from a namespace (#4384)
  * add random filter (#4527)
  * chore: add protectManagedResources flag to changelog (#4522)
  * refactor: utils for warnings and unit tests (#4523)
  * refactor: use generics in client wrappers (#4525)
  * refactor: add auth interface and unit tests (#4518)
  * fix: api reference docs (#4490)
  * refactor: client wrappers (#4519)
  * feat: add kyverno managed resources protection (#4414)
  * fix: load policy and add tests (#4515)
  * chore: test for k8s 1.25 (#4503)
  * chore: add unit tests for pkg/utils/json (#4516)
  * chore: add unit tests for pkg/utils/yaml (#4512)
  * chore: add unit tests for pkg/utils/wildcard (#4510)
  * chore: add unit tests for pkg/utils/os (#4509)
  * chore: add unit tests for pkg/utils/image (#4508)
  * chore: update maintainers (#4511)
  * docs: add section for generating helm docs and crds (#4507)
  * chore: add wildcard unit test (#4506)
  * chore: upgrade golang to 1.18 (#4505)
  * docs: add section about switching between docker and ko (#4501)
  * Auto-detect Kyverno version in policies chart (#4460)
  * chore: refactor helm targets in makefile (#4498)
  * feat: support switching build with docker or ko (#4492)
  * fix: incorrect kustomize call in makefile (#4493)
  * refactor: verify codegen targets in makefile (#4494)
  * fix: fetch history in pre-checks job (#4491)
  * Improve printer column name for validationFailureAction (#4488)
  * chore: Bump helm-docs version to v1.11.0 (#4489)
  * chore: publish helm charts to ghcr.io (#4479)
  * chore: bump cache action and improve paths (#4485)
  * chore: relax auto update PRs conditions (#4486)
  * fix: release workflow (#4483)
  * refactor: clean webhooks logs (#4484)
  * refactor: webhook policy context creation (#4480)
  * docs: add api docs generation (#4476)
  * fix: auto update pr workflow (#4478)
  * chore: add makefile help comments (#4477)
  * refactor: to remove generate cleanup controller (#4041)
  * Add PodSecurity description (#4475)
  * feat: remove context api call constraints (#4389)
  * fix logger format (#4474)
  * feat: enable autogen from makefile (#4467)
  * chore: speed up local image builds (#4468)
  * chore: enable cherry-pick bot (#4470)
  * docs: add section for generated code (#4465)
  * fix: local image build with docker (#4462)
  * fix: warning in all makefile targets (#4464)
  * Extend Pod Security Admission (#4364)
  * docs: add section for deploying a local build (#4458)
  * refactor: make toggles easier to define and use (#4456)
  * Add the metric "kyverno_client_queries_total" (#4359)
  * skip validate rules if conditional anchor key doesn't exist in the resource (#4451)
  * refactor: clearly separate makefile docker targets for build and publish (#4454)
  * Yaml signing and verification (#4235)
  * docs: add pushing images section (#4452)
  * refactor: clearly separate makefile ko targets for build and publish (#4450)
  * chore: fix workflows related to ko recent changes (#4441)
  * docs: add local image build section (#4449)
  * chore: fix workflows related to ko recent changes (#4438)
  * Update issue template drop-down version numbers (#4446)
  * docs: add section for local builds (#4445)
  * [Feature] Add ability to get additional policies from restricted (#4416)
  * fix: update go-wildcard to v1.5.0 (#4444)
  * docs: add section for dev tools (#4443)
  * chore: remove godownloader and install-cli script (#4442)
  * Added kubeconfig flag support (#4308)
  * fix: ko login (#4427)
  * fix: ko login (#4425)
  * fix: ko login (#4424)
  * fix: ko login (#4423)
  * fix: ko login (#4422)
  * fix: make ldflags optional in .ko.yaml (#4419)
  * refactor: makefile build targets (#4418)
  * fix: Add --bare for ko-build-dev targets (#4417)
  * Use ko to build images (#4366)
  * refactor: makefile (#4403)
  * [Feature] Add possibility to set validationFailureAction by Policy (#4400)
  * feat: enable autogen internals by default (#4381)
  * bump golang 1.18.5 version digest in Dockerfile (#4413)
  * bump cosign deps version to 1.11.1 (#4408)
  * chore: improve docker image tagging (#4409)
  * refactor: introduce wildcard utils package (#4406)
  * fix: chart docs for generatecontrollerExtraResources (#4405)
  * chore: enable asasalint linter (#4396)
  * bump cosign version to 1.11.0 (#4398)
  * Sync 1.7.3 Helm versions (#4395)
  * fix: goimports check not working in ci job (#4387)
  * chore: fix golangcilint timeout (#4388)
  * fix: duration metrics precision (#4393)
  * chore: add workflow to ensure github actions are pinned to a commit SHA (#4390)
  * feat: add raw api call support (#3820)
  * chore: update maintainers md (#4380)
  * chore: fix fossa ci job (#4382)
  * fix: missing aggregated role for UR (#4378)
  * fix: exclude autogen rules when autogen internals is enabled (#4370)
  * fix: prevent installing helm chart in namespace kube-system (#4368)
  * fix: fix the verbosity of reconciling logs in the config controller (#4362)
  * Update wgpolicyk8s.io CRDs (#4355)
  * Update pr_documentation.md (#4361)
  * Added remove-color flag for CLI-test (#4345)
  * Added appropriate logging levels to log.Info() calls wherever necessary (#4341)
  * update apply help message (#4344)
  * Fix deprecated api policy issue (#4349)
  * Treat normal and precondition variable equally (#4217)
  * fix: image verify logs (#4348)
  * Remove myself as codeowner (#4333)
  * Fix PEM delimiter parse (#4331)
  * [Helm] Added ability to remove namespaces from default resourceFilters list (#4299)
  * chore(deps): bump github.com/sigstore/cosign from 1.10.0 to 1.10.1 (#4328)
  * support failurePolicy in kyverno-policies helm chart (#4323)
  * Context vars substitution in CLI (#4290)
  * Replaced status with message (#4315)
  * Changed resource names to plurals (#4312)
  * Fix pr image verify blocked (#4297)
  * feat: use tombstone helper (#4273)
  * Tightened scope on apiGroups for Kyverno:events Clusterrole (#4292)
  * trivial typo update (#4291)
  * use failurePolicy to block or allow requests, on policy errors (#4183)
  * update log levels (#4286)
  * added additional init and sidecar container config (#4283)
  * feat: auto optimize GOMAXPROCS (#4277)
  * add applyRules to control whether one or all rules are applied (#4196)
  * feature: added new type of event, PolicySkipped (#4251)
  * Reset policy status on termination (#4269)
  * fix: use an absolute path in docker entrypoint (#4263)
  * Add shutdown methods for exporters and controllers (#4214)
  * sync Helm versions (#4262)
  * fix: use only 1 kubernetes client (#4256)
  * Add Techcombank to adopters (#4260)
  * Implementing flag to show all failing tests only through the test command (#4227)
  * fix split policyreport name with background scan (#4237)
  * chore: use new distroless base image provided by distroless org (#4219)
  * fix check deprecated api issue (#4243)
  * Cherry-pick #4233 (#4236)
  * Revert "fix: metrics with invalid validationMode (#4198)" (#4241)
  * fix: metrics with invalid validationMode (#4198)
  * Corrected description for UpdateRequest struct (#4215)
  * Removed confusing output message for the apply and replaced no of policies by no of policy rules count in the output message (#4229)
  * fix kyverno cli policy-report typo (#4224)
  * feat: improve flag message for disableMetricsExport (#4194)
  * precondition failure will skip rule independent of audit or enforce mode (#4163)
  * Make method public (#4207)
  * Fix UpdateRequest labeling (from pull #4199) (#4212)
  * use the unstructured list instead of interface type (#4210)
  * feat: Opentelemetry support for metrics and traces (#3910)
  * Use non-blocking channel send for UpdateWebhookChan (#4204)
  * Fix merging JSON patches (#4202)
  * Resolve conflict introduced to contributing page (#4192)
  * return helpful error message on invalid patched resources. (#4129)
  * docs(contributing): add how to cherry-pick section (#4127)
  * refactor: finish refactoring generate e2e tests (#4090)
  * feat: policy status for autogen rules (#4173)
  * fix: use official controller-gen (#4171)
  * fix external.metrics.k8s.io/v1beta1 issue (#4139)
  * fix: add seccompProfile (#4178)
  * fix: add more verify images e2e test for bool fields (#4172)
  * delete policy reports on policy deletion (#4174)
  * chore: add myself into owners (#4170)
  * feat: split policy report per policy bases (#4147)
  * Clean up RCRs if the count exceeds the threshold (#4148)
  * Wait for informers' cache to be synced before starting controllers (#4155)
  * - Disable events generation on DELETE; - Reduce event generation retry from 10 to 3 (#4159)
  * Use kyverno namespace informer to list pods while processing URs (#4156)
  * Template updates (#4150)
  * release event memory (#4138)
  * fix: use dev tag for init container local build target (#4142)
  * added resource lists for test cli (#4082)
  * update contributing guide (#4119)
  * sync release versions (#4133)
  * bump cosign to 1.9.1 to fix fulcio panic (#4117)
  * fix: use policyName key to get the policy name (#4114)
  * fix imageVerify validation checks and conversion logic (#4038)
  * fix: Stop incorrect any block condition logging (#4107)
  * set test.namespace value implicit as resource namespace until and unless explicit value is added (#4100)
  * remove TUF initialization from main (#4098)
  * Update CODEOWNERS to include treydock (#4097)
  * feat: add e2e framework and verify image new test (#4094)
  * add chipzoller to CODEOWNERS (#4096)
  * refactor: generate e2e GeneratePolicyDeletionforCloneTests (#4071)
  * Exclude Kyverno namespace by default (#4079)
  * docs(chart): fix deadlink in NOTES.txt (#4085)
  * Updated jp command flags and also added URL for help. (#4084)
  * update drop-downs (#4081)
  * refactor: generate e2e tests (#4068)
  * refactor: use t.Cleanup in e2e tests (#4067)
  * Remove s390X (#4063)
  * fix: add missing release notes in helm chart (#4057)
  * fix: bool fields in image verification types (#4053)
  * Print for failed test cases (#4048)
  * Sync v1.7.0 release manifests (#4051)
  * refactor: bump KIND version to use v1.24.0 k8s release (#3877)
  * feat: add aggregated cluster role support (#3845)
  * chore(dockerfile): use buildx features for cross-compilation (#4023)
  * Ensure preconditions are present with default values (#4046)
  * Fix handling of kyverno-policies version check when port in image tag (#4042)
  * fix policy typo (#4039)
  * Fix labels with invalid chars (#4034)
  * refactor: used typed admission request in ur (#4022)
  * fix vulnerable (#4027)
  * feat: Extend CLI to cover generate policies (#3456)
  * Request operation value by default to CREATE (#3894)
  * Feature: Add support for allowing insecure registries. (#3983)
  * refactor: move policy deletion code from policy controller to ur controller (#4013)
  * fix: bypass policy mutation if autogen internals enabled (#4007)
  * fix: use background helper in ur generator (#4009)
  * fix: remove update ur status in generator (#4008)
  * refactor: add policy event listener in ur controller (#4012)
  * chore: remove unused ur errors (#4011)
  * refactor: ur cleaner controller (#3974)
  * add validation check to ensure the annotations quoted (#3976)
  * Support `@` for mutate targets (#3998)
  * fix: stop mutation policies when autogen internals is enabled (#4004)
  * refactor: background controllers cleanup (#4001)
  * fix: stop mutating cached resource in ur controller (#4003)
  * refactor: move label helper utils from policy package to background package (#3996)
  * fix attestation checks (#3999)
  * fix: init container gr copy (#3995)
  * refactor: clean updaterequest generator (#3949)
  * chore: enable nosprintfhostport linter (#3989)
  * feat: add controller utils package (#3952)
  * refactor: make registry client variables private (#3975)
  * fix: ur is nil in ur controller (#3986)
  * chore: add previous pod logs in case of job failure (#3978)
  * fix: remove unused field (#3971)
  * fix: release ur when handler pod is gone (#3973)
  * fix: move ur controller filtering in reconciler (#3964)
  * fix: mark ur retry on conflict (#3961)
  * chore: enable paralleltest linter (#3946)
  * chore: enable goimports linter (#3959)
  * chore: make kyverno informers and listers import aliases consistent (#3958)
  * chore: enable ifshort linter (#3945)
  * fix: add helmignore (#3948)
  * fix: replica count in helm chart (#3954)
  * fix panic issue for ur (#3953)
  * Cleanup URs on trigger deletion (#3955)
  * chore: make kube informers and listers import aliases consistent (#3957)
  * chore: make clients import aliases consistent (#3956)
  * chore: make dclient import aliases consistent (#3951)
  * chore: make k8s api import aliases consistent (#3950)
  * fix: use admissionrequest subresource to filter webhooks (#3944)
  * chore: make kyverno api import aliases consistent (#3939)
  * chore: enable nolintlint linter (#3941)
  * chore: enable grouper linter (#3940)
  * fix: cache warmup log message (#3943)
  * fix: use patch to update handler status in UR (#3928)
  * chore: enable makezero linter (#3937)
  * fix: handle UR delete once trigger namespace deleted (#3934)
  * chore: enable gofmt and gofumpt linters (#3931)
  * chore: enable gci linter (#3930)
  * fix: return type changed to bool in jpfCompare fn (#3924)
  * refactor: separate policy cache and controller (#3925)
  * refactor: separate resource mutation/validation handlers from server (#3908)
  * chore: enable misspell linter (#3932)
  * chore: enable errname linter (#3926)
  * chore: enable decorder linter (#3920)
  * refactor: policy cache (#3919)
  * chore: enable dogsled linter (#3921)
  * Cleanup the UR for mutate policies once it's completed (#3912)
  * [Bugbash] Kceu22 bugbash/fix staticcheck warnings (#3917)
  * fix: gosec G304 file inclusion error (#3916)
  * refactor: separate policy mutation/validation handlers from server (#3905)
  * fix: docker build (#3907)
  * refactor: webhooks server logger (#3904)
  * feat: graceful certificates rotation support (#3890)
  * chore: remove ca-certificates from our repository (#3859)
  * chore: enable wastedassign linter (#3898)
  * chore: enable goprintffuncname linter (#3899)
  * chore: remove unused function (#3902)
  * Remove permissions in helm-release workflow (#3901)
  * Timeout and init (#3893)
  * fix: write secret (#3891)
  * Fix subject match selector issue in cli (#3887)
  * refactor: remove deployment hash on certs secrets (#3886)
  * chore: enable noctx linter (#3888)
  * chore: enable importas linter (#3882)
  * skip var checks in attestations (#3876)
  * chore: enable gochecknoinits linter (#3874)
  * refactor: cleanup tls package (#3854)
  * chore: enable containedctx linter (#3873)
  * fix: include ca key in secret (#3804)
  * refactor: make config vars private (#3823)
  * fix: undo length validation check for generate rule resource name (#3865)
  * fix subjects in test cli (#3743)
  * chore: enable exportloopref linter (#3869)
  * chore: enable tenv thelper and tparallel linters (#3868)
  * chore: enable durationcheck linter (#3870)
  * chore: enable asciicheck and bidichk linters (#3871)
  * chore: add unconvert linter (#3867)
  * chore: enable whitespace linter (#3864)
  * Handle errors properly for mutate and generate on existing resources (#3863)
  * fix: remove code to load CA from kubeconfig (#3860)
  * chore: enable more linters (#3862)
  * chore: enable deadcode and unused linters (#3861)
  * chore: increase golangci-lint timeout (#3855)
  * refactor: init certs with certs renewer directly (#3853)
  * tests: add unit tests for utils functions (#3857)
  * chore: enable golangci-lint in ci (#3852)
  * feat: fetch tls certificate dynamically (#3851)
  * fix: golangci-lint warnings in pkg (#3846)
  * refactor: remove the need for self-signed annotation on cert secret (#3850)
  * handle subresources (#3841)
  * fix: golangci-lint warnings in cmd (#3843)
  * refactor: webhookconfig package (part 4) (#3835)
  * refactor: webhookconfig package (part 3) (#3834)
  * refactor: remove unused functions (#3840)
* Tue Sep 27 2022 kastl@b1-systems.de
- Update to version 1.7.4:
  * fix: update github action to use current workflow path (#4705)
  * tag v1.7.4 (#4698)
  * fix: incorrect namespace in report controller (#4637) (#4688)
  * Fix issue for wildcard versions (#4670) (#4674)
* Wed Sep 07 2022 kastl@b1-systems.de
- Update to version 1.7.3:
  * Cherry-pick #4398 - bump cosign to 1.11.0 (#4399)
  * Release v1.7.3 (#4394)
  * Fix deprecated api policy issue (#4349) (#4350)
  * precondition failure will skip rule independent of audit or enforce mode (#4163) (#4296)
* Mon Jul 25 2022 kastl@b1-systems.de
- Update to version 1.7.2:
  * tag v1.7.2 (#4261)
  * Use non-blocking channel send for UpdateWebhookChan (#4204) (#4247)
  * Release v1.7.2-rc2 (#4246)
  * fix split policyreport name with background scan (#4237) (#4245)
  * fix check deprecated api issue (#4243) (#4244)
  * fix kyverno cli policy-report typo (#4224) (#4232)
  * Limit queued events (#4233)
  * update cosign to v1.9.0 (#4231)
  * Only set up logging context if it will be used (#4213)
  * use the unstructured list instead of interface type (#4211)
  * Fix UpdateRequest labeling (#4199)
  * Release 1.7 (#4200)
  * external.metrics.k8s.io/v1beta1 issue (#4182)
  * delete policy reports on policy deletion (#4174) (#4175)
  * tag v1.7.2-rc1 (#4167)
  * feat: split policy report per policy bases (#4147) (#4166)
  * Re-implement #4159 (#4165)
  * Cherry pick #4155 (#4164)
  * Cherry-pick #4148
  * Use kyverno namespace informer to list pods while processing URs (#4156)
  * Cherry-pick #4138 to 1.7 (#4160)
  * fix: use dev tag for init container local build target (#4141)
* Wed Jun 22 2022 kastl@b1-systems.de
- Update to version 1.7.1:
  * tag v1.7.1 (#4132)
  * fix build failures
  * fix: bool fields in image verification types (#4053)
  * cherry-pick #4013
  * Release 1.7 (#4130)
  * fix: use policyName key to get the policy name (#4113)
  * chore(dockerfile): use buildx features for cross-compilation (#4023) (#4123)
  * Updated jp command flags and also added URL for help. (#4122)
  * fix: handle nil ur while retry (#4109)
  * Release 1.7 (#4099)
  * Bump Charts version to 2.5.0 (#4092)
  * bump chart versions to v2.4.2 (#4089)
  * cherry-pick #4079 (#4088)
  * Remove s390X (#4063) (#4064)
  * Bump charts version to 2.4.1 (#4061)
  * Ensure preconditions are present with default values (#4046)
  * Fix handling of kyverno-policies version check when port in image tag (#4042)
* Sat Jun 04 2022 kastl@b1-systems.de
- Update to version 1.7.0:
  * Tag v1.7.0 (#4050)
  * refactor: bump KIND version to use v1.24.0 k8s release (#4049)
  * fix policy typo (#4039) (#4045)
  * Tag 1.7.0-rc3 (#4036)
  * Fix labels with invalid chars (#4034) (#4035)
  * Cherry-pick #4022 (#4033)
  * fix vulnerable (#4027) (#4028)
  * Request operation value by default to CREATE (#3894) (#4026)
  * Release v1.7.0-rc2 (#4021)
  * Cherry pick #4007 #4008 (#4020)
  * fix: stop mutation policies when autogen internals is enabled (#4004,#4009,#3996) (#4016)
  * cherry-pick fix attestation checks https://github.com/kyverno/kyverno/pull/3999 (#4015)
  * refactor: add policy event listener in ur controller (#4012) (#4014)
  * Support `@` for mutate targets (#3998) (#4010)
  * fix: stop mutating cached resource in ur controller (#4003) (#4006)
  * fix: move ur controller filtering in reconciler (#3964) (#3994)
  * fix: release ur when handler pod is gone (#3993)
  * fix: mark ur retry on conflict (#3961) (#3963)
  * fix: replica count in helm chart (#3954) (#3962)
  * Cherry pick #3953 #3955 (#3960)
  * fix: handle UR delete once trigger namespace deleted (#3934) (#3938)
  * fix: use patch to update handler status in UR (#3927)
  * Cleanup the UR for mutate policies once it's completed (#3923)
  * Remove permissions in helm-release workflow (#3901) (#3903)
  * Release v1.7.0-rc1 (#3896)
  * cherry-pick #3893 (#3895)
  * Fix subject match selector issue in cli (#3887) (#3892)
  * skip var checks in attestations (#3876) (#3885)
  * fix: undo length validation check for generate rule resource name (#3865) (#3872)
  * Handle errors properly for mutate and generate on existing resources (#3863) (#3866)
  * refactor: remove unused functions (#3844)
  * handle subresources (#3841) (#3848)
  * feat: trigger generate on existing matched resource (#3819)
  * refactor: webhook config package (part 2) (#3833)
  * refactor: webhookconfig package (part 1) (#3831)
  * fix check and add logs (#3838)
  * Allow variables of any kind to be defined (#3828)
  * fix: policy deletion in webhookconfig (#3832)
  * refactor: imported pkg redeclared and a few other unused func (#3827)
  * refactor: shell to prevent globbing and word splitting (#3829)
  * CLI should respect scored annotation for warnings (#3821)
  * Add an object_from_lists function (#3824)
  * Improve logging and error handling in json context (#3825)
  * Relax JMESPath variable validation (#3826)
  * Load `mutate.targets` via dclient (#3797)
  * Cert attestor (#3809)
  * handle duplicate images; use container name as key (#3779)
  * fix: autogen rules in status (#3728)
  * refact: disable leader for update request controller (#3807)
  * chore: remove broken .ca from helm chart (#3811)
  * fix: remove k8s apiserver from self-generated cert (#3803)
  * Policy Validation check for onPolicyUpdate flag (#3814)
  * Add `handler` to `UR.status` (#3791)
  * fix: remove kubeconfig (#3802)
  * fix: cleanup old dependencies from go.sum and go.mod (#3806)
  * feat: parse all root CA certs (#3808)
  * removed kubeconfig flags (#3744)
  * Fix issue with image registry when decoding OCI descriptors with out of spec keys (#3799)
  * refactor: move config controller in controllers package (#3790)
  * chore: add informer util (#3796)
  * chore: remove useless util NewKubeClient (#3795)
  * fix: pod stay in terminating when scaling to 0 (#3793)
  * Add JMESPath Function `items` (#3777)
  * Fix Cli test for image verification (#3760)
  * Add rule to PolicyViolation event messages (#3787)
  * chore: remove config flags 
(#3786) * fix: add missing tombstone calls (#3784) * refactor: create a package for controllers and move certmanager in it (#3782) * refactor: policycache package logger (#3783) * refactor: move ImageExtractorConfigs in api package (#3781) * refactor: dclient package logger (#3778) * Fix PR update flow and allow updates from release branches (#3780) * fix: cert manager duplicate event handler (#3772) * webhookconfig: if services resource, add services/status as well (#3740) * refactor: dclient package (#3775) * refactor: replace clientset by inteface (#3774) * refactor: cosign package logger (#3773) * Bump cosign and sigstore version (#3771) * Auto-update PRs which are enabled for auto-merging (#3766) * refactor: wait for cache sync (#3765) * Allow kyverno jp to take yaml files as inputs (#3768) * Allow non-object type elements for foreach rules (#3763) * fix: logger call depth (#3759) * Reduce log verbosity for image extractors (#3764) * chore: remove unused resourcecache package (#3762) * refactor: remove unstructured usage from webhookconfig (#3737) * refactor: use typed informers and add tombstone support to webhookconfig (#3736) * Remove YAML multiline support in CM values (#3721) * cleanup event messages and sources (#3741) * Add tests for required checks for image verify (#3755) * Add error handling and log for image extractor errors (#3724) * Fix verify all images (#3748) * Retry policy creation to avoid flaky CRD readiness (#3752) * Fix test Summary printing for failure test cases (#3749) * Enable tests in makefile (#3699) * refactor: metrics package logger (#3734) * Use inclusive language (#3738) * fix: block policy for missing matched kind (#3733) * fix: missing image verification rules in autogen (#3729) * Convert GenerateRequest to UpdateRequest for backward compatibility (#3730) * refactor: autogen package logger (#3727) * fix: correct tombstone usage (#3718) * refactor: remove some api unnecessary pointers (4) (#3713) * Set policy kind to generate 
events in the webhook (#3726) * Create UR for both mutate and generate policies (#3717) * fix: remove supported from autogen status (#3714) * fix: generated api reference docs (#3711) * refactor: remove some api unnecessary pointers (3) (#3707) * Optimize UR listing on policy events (#3712) * - Create events for imageVerify rules (#3710) * refactor: remove some api unnecessary pointers (2) (#3705) * fix: remove unused type TargetMutation (#3706) * refactor: remove some api unnecessary pointers (#3704) * add e2e tests for mutate existing policies (#3703) * Verify digest (#3679) * fix: kind wash in mutate policy helper (#3698) * refactor: auth package logger (#3696) * chore: remove unused custom expansions from client (#3697) * refactor: client gen code (#3695) * Fix test command git issue (#3692) * Enable verifyImages and CLI registry tests (#3684) * Cherry-pick release-1.6 Helm changes (#3689) * Show warnings in Helm chart installation; update issue templates (#3673) * refactor: use typed k8s client in tls package (#3678) * refactor: config package logger (#3683) * Fix flaky e2e tests for generate policies (#3681) * Fix regression in wildcard matches in In/AnyIn operators (#3686) * feat: remove deprecated flags (#3680) * Logic of match service account is fixed for namespace (#3662) * fix test cli CI failures from main (#3682) * Fix issue pod should not be ready until the policy cache loaded (#3646) * bug: fix nil pointer when generating events (#3677) * remove Validate Cmd (#3674) * Support context variables when using foreach CLI (#3637) * fix: webhooks are not configured correctly (#3660) * bump to Go 1.17.9 (#3671) * fix: api reference docs link (#3664) * feat: mutate existing resources (#3669) * fix: pass logger by value (#3666) * Allow definition of inline variables in context (#3658) * fix: add char length validation for generate rule resource name (#3640) * chore: remove e2e tests for kube 1.20 (#3665) * chore: add support for artifacthub.io/changes in helm 
charts (#3652) * fix: policy controller missing GVK (#3659) * [imageVerify]: adding `digestMutate` to simplify tag-to-digest mutation (#3531) * Multiple keys (#3636) * fix: do not remove webhooks during initialization (#3641) * fix: prevent installing chart with 2 replicas (#3647) * fix: print helm install warnings (#3648) * chore: warn if kube version is too old in helm notes (#3650) * chore: add artifacthub operator and prerelease annotations (#3649) * refactor: use the typed ns informer in GR controller (#3554) * refactor: image utils (#3630) * Remove helm mode setting (#3628) * refact: remove unused Run function from generate (#3638) * Fix race condition in pCache (#3632) * Allow defining imagePullSecrets (#3633) * Image verify attestors (#3614) * Allow kyverno-policies to have preconditions defined (#3606) * updating version in Chart.yaml (#3618) * Update vulnerable dependencies (#3577) * Add support for custom image extractors (#3596) * add-kms-libraries for cosign (#3603) * refactor cli code from pkg to cmd (#3591) * fix missing policy.kyverno.io/policy-name label (#3599) * refactor generate controller (#3589) * change/suppress warning messages (#3593) * Feat - add the new CR UpdateRequest for post mutation (#3592) * Update to cosign 1.7.1 (#3587) * Update GH workflow config (#3588) * Update CODEOWNER folders for @samj1912 (#3586) * Update hash of dependencies instead of mutable version (#3582) * add support for roles, cluster roles and subjects (#3188) * fix imageVerify rule conversion (#3583) * update imageVerify schema (#3574) * Refactor image extraction to allow extracting custom resources (#3572) * chore: remove dead code (#3561) * Add returnType for regexMatch in kyverno jp output (#3575) * refactor: engine context (#3563) * Fixes #3555 (#3558) * update image pull policy for YAML install which uses :latest (#3565) * add @eddycharly as a maintainer! 
(#3566) * chore: add some make help comments (#3560) * refactor: switch to admission v1 (#3526) * refactor: make response type (RuleType) typed (#3556) * refactor: metrics package (#3549) * refactor: webhooks metrics reporting (#3548) * test: pass lock by value (#3481) * refactor: simplify autogen package (#3532) * refactor: move common utils (#3553) * refactor: add engine utils sub package (#3552) * fix: checkEngineResponse in webhooks (#3551) * Do not generate preconditions not met warning for audit policies (#3487) * refactor: reduce policy mutations (#3550) * fix: annotation path (#3547) * refactor: use GetFailurePolicy method (#3545) * refactor: use BackgroundProcessingEnabled method (#3544) * refactor: move some helpers in utils package (#3539) * refactor: use GetValidationFailureAction method (#3546) * fix: disallow all in autogen annotation (#3537) * refactor: use existing ContainsString util (#3543) * Create `poddisruptionbudget.yaml` when `mode=ha` (#3536) * fix wildcards in value arrays (#3486) * refactor: separate yaml utils package (#3520) * refactor: separate kube utils package (#3527) * refactor: add os utils sub package (#3528) * refactor: add a json patch util and use it in autogen package (#3524) * fix: tls min version (#3521) * refactor: separate json utils package (#3523) * refactor: webhooks package (#3516) * refactor: use policy interface and introduce admission utils package (#3512) * fix: use github repo env instead of hardcoded repo name (#3513) * fix: reduce dependency to ns lister (#3509) * refactor: use more policy interface (#3510) * refactor: use policy interface in policycache package (#3503) * refactor: make use of policy interface (#3499) * refactor: improve policycache package (#3495) * chore: add autogen internals e2e tests (#3492) * refactor: factorize policy interface (#3496) * feat: add webhooks object selector support (#3413) * feat: generate support for namespace policy (#3472) * chore: simplify validation with named return 
(#3493) * add missing namespace to role and rolebinding (#3389) (#3429) (#3485) * chore(deps): add renovate.json (#3471) * feat: stop mutating rules (#3410) * use mutex as field instead of embedded (#3480) * refactor: create e2e infra using make to speed up e2e tests (#3470) * fix ordering of mutate element (#3468) * refactor: use abstract policy interface in webhookconfig (#3466) * adds lease objects for storing last-request-time and set-status annotations in deployment (#3447) * clean up dependencies (#3469) * fix: use RWMutex lock while concurrent read/write (#3462) * refactor: match and exclude conflict validation (#3454) * refactor: add ValidationFailureAction to the api (#3451) * refactor: remove ns lister from webhookconfig (#3452) * refactor: add IsNamespaced() method to API policy types (#3450) * fix: use PodControllersAnnotation constant (#3448) * Update MAINTAINERS.md (#3449) * support for deprecated API's (#3439) * Drop v1alpha1 PolicyReport CRD (#3437) * refactor: ExcludeResources validation (#3445) * refactor: replace ExcludeResources by MatchResources (#3444) * refactor: ResourceDescription validation (#3446) * Fix incorrectly renamed file (#3443) * Remove support for test.yaml (#3442) * fix cli panic for --cluster flag (#3436) * Fix check for generated webhook rules being equal to what the API server has (#3407) * refactor: MatchResources validation (#3422) * feat: use IsReady method (#3426) * refactor: ValidationFailureActionOverrides validation (#3421) * PR and issue template updates per contributors' meetings (#3428) * [imageVerify]: correcting error msg (#3398) * feat: add toggle package for feature flags (#3419) * feat: move GetRules() at the policy level (#3420) * feat: add conditions support (#3378) * feat: stop adding autogen annotation (#3379) * fix webhook configuration issue when auto update is disabled (#3417) * Ignore test files that do not end in test.yaml (#3402) * refactor: Policy name validation (#3409) * Replace `ToUnstructured()` 
with Marshal/Unmarshal (#3150) * [ImageVerify] Verify additional certificate-extensions (#3404) * fix: filter resources names with helm custom release name (#3361) * refactor: Rule names validation (#3406) * refactor: Rule type validation (#3400) * chore: remove check-helm-docs workflow (#3408) * refactor: UserInfo validation (#3399) * Fix webhook re-creation error (#3403) * chore: add make help target (#3405) * Only queue one retry if webhook update fails (#3353) * chore: add more codegen target and verifications (#3393) * Return warning on admission response when mutating pods (#3272) * Add a registry flag to allow direct access to container registries in the CLI (#3396) * feat: add rules to status (#3376) * chore: makefile should not makefile go.mod (#3394) * refactor: ImageVerification validation (#3372) * Cli Apply command support Dir as resources (#3391) * chore: add helm crds to make codegen target (#3375) * fix: metrics config defaults (#3387) * fix for gvk not working for existing resources policy (#3384) * e2e test for mutate global anchor Policy (#2574) * Add `codecov` to CI (#3382) * Update cosign to v1.6.0 (#3341) * fix: generate api reference docs (#3377) * fix PodExecOptions issue (#3373) * Update OWNERS.md (#3371) * feat: add autogen controllers to policy status (#3332) * chore: gen helm crds from config crds (#3356) * refactor: introduce api common types (#3365) * adding emptyDir vol for keyless signing (#3366) * refactor: move api functions closer to the struct they belong to (#3363) * refactor: introduce rules getters and setters (#3350) * refactor: move controller autogen annotation in api package (#3364) * Add new test-case-selector flag to test command (#3183) * support RSA, ECDSA and EDDSA public key verification (#3362) * fix: configmap resource filters generated by helm does not account for namespace (#3358) * chore: check helm docs are up to date (#3310) * Fix any_all wildcard issue (#3352) * fix: invalid path in helm-test workflow (#3344) 
* Add Bloomberg to adopters (#3348) * updated description field of foreach (#3157) * chore: verify codegen in CI (#3343) * Update generate clusterrole (#3336) * fix: CRD generation (#3334) * refactor: reduce usage of reflect.DeepEqual (#3328) * fix: update codegen (#3329) * fix: naming typos (#3327) * refactor: introduce autogen package (#3316) * refactor: pass only spec instead of whole policy when possible (#3315) * fetch tag across all branches instead of current branch (#3324) * add separate step for digest (#3321) * adding check for digest and update git command * correcting makefile latest tag (#3314) * fix: helm install docs (#3312) * fix: seccomp profile (#3313) * chore: drop helm v2 (#3311) * feat: gen kyverno helm chart docs (#3309) * feat: gen kyverno-policies helm chart docs (#3301) * Fix workflow using regex in `main` (#3306) * arranging permissions (#3293) * fix: helm chart broken when use generatecontrollerExtraResources (#3302) * feat: support background mode configuration in kyverno-policies chart (#3299) * Improve CLI test times by instantiating openapi controller once (#3297) * Fix namespace typo (#3298) * fix: add support for other platforms before executing docker buildx (#3296) * validate and block policy based on the matched kind cache (#3283) * fix: comma separated lists in config (#3290) * Run E2E tests on all supported k8s versions (#3256) * latest will point to main (#3285) * Shallow clone git repositories for kyverno test command * update trivy scanning (#3284) * feat: add linux/s390x builds (#3277) * Fix label mutation while updating the secret (#3273) * Modify capabilities for compatibility with Pod Security (#3274) * Fix Helm releasing to preserve creation timestamps (#3268) * Added `kyverno test` subcommand for test manifest file (#3264) * Clean up commented out lines of code (#3263) * Add .DS_store to gitignore (#3255) * fix mutate wildcard issue (#3193) * Fix foreach validations precondition issue (#3228) * Fix policy report 
OwnerReference (#3249) * Improve E2E test CI timings (#3250) * Add openssf badge (#3246) * Fix old object validation check (#3248) * Bug fix: negation of string kernel version caused Cluster Policy to fail (#3229) * add helm pre-delete hook which deletes all the webhooks (#3148) * Skip updating webhook configs if namespaceSelector is nil (#3237) * Sync latest changes to release/install.yaml (#3239) * add aggregated role for generaterequest (#3240) * Remove abstraction that doesn't work anyway (#3209) * Fix image parsing for image referenced as digests (#3196) * feat: ha mode support in helm chart (#3207) * Fix keyless attest (#3219) * update dependencies (#3221) * Issue forms and PR template adjustment (#3213) * add prateekpandey14 to codeowners (#3205) * Added e2e test for JSON patch mutate policy (#2966) * fixing bug to handle two different types of rules (#2954) * Allow setting validationFailureActionOverrides for policies (#3201) * feat: fix app version in NOTES.txt (#3189) * Indentation fix (#3179) * Fix unused tagTest in helm chart tests (#3174) * Update kyverno-policies chart with latest pod-security policies (#3126) * Add a kyverno jp command to test jmespath expressions (#3169) * test-cases for wildcard match label selector (#3165) * Filter kyverno resources instead of entire kyverno namespace (#3170) * Fix panic for provides a set to the key of a precondition and deny condition (#3162) * Bump up verbosity for `patched resource mismatch` (#3127) * bump chart versions (#3160) * Update dev image tag in Make targets (#3159) * Add sam (#3155) * add missing patch verbs in event clusterrole (#3151) * fix filtered and sort patches index (#3146) * Fix kyverno panic with `PodSpec.containers` JSON merge patch w/o image (#3143) * Relax rule context validation to follow JMESPath grammar (#3129) * Fixed kyverno panic at JMESPath zero division (#3137) * Fix variable substitution when curly braces are used in jmespath (#3133) * Fix parsing of resources in preconditions 
(#3108) * Add cloud provider keychains to DefaultKeychain (#3116) * improve antiAffinity and add podAffinity and nodeAffinity for kyverno helm chart (#3067) * fixing and adding tests (#3112) * update cosign to 1.5.0 and fix issuer and subject for keyless (#3089) * Add b/w compat support for K8s version 1.20 and below for Kyverno 1.6 (#3100) * Fix the kyverno default keychain value to be the ggcr default keychain (#3096) * fix: typo Cluter to Cluster (#3092) * Fix memory leak when updating ggcr keychain (#3088) * Support registry keychain from cloud providers (#3036) * Updates Changelog to add note for anyPattern issue due to k8s v1.23 (#3045) * Add KYVERNO_DEPLOYMENT to initContainer (#3086) * apply patches cumulatively (#3083) * Fix CLI test/apply when any/all use namespaceSelector (#3050) * fix mutating ownerReferenecs (#3061) * update workflow configurations to fix CI failure (#3060) * Fix documentation for helm charts (#3056) * Fri Apr 01 2022 kastl@b1-systems.de - Update to version 1.6.2: * tag v1.6.2 (#3511) * Cherry-pick #3111 and release v1.6.2-rc3 (#3506) * tag v1.6.2-rc2 (#3500) * feat: generate support for namespace policy (#3498) * use mutex as field instead of embedded (#3480) (#3489) * release v1.6.2-rc1 (#3482) * Cherry-pick #3477 (#3479) * adds lease objects for storing last-request-time and set-status annotations in deployment (#3447) (#3478) * fix: use RWMutex lock while concurrent read/write (#3462) (#3467) * support for deprecated API's (#3439) (#3453) * fix cli panic for --cluster flag (#3436) (#3438) * add missing namespace to role and rolebinding (#3389) (#3429) * fix webhook configuration issue when auto update is disabled (#3417) (#3418) * Cli Apply command support Dir as resources (#3391) (#3392) * fix for gvk not working for existing resources policy (#3384) (#3386) * Cherry pick/3366 (#3367) * Update generate clusterrole (#3336) (#3359) * fixing bug to handle two different types of rules (#2954) (#3357) * Fix any_all wildcard issue 
(#3352) * Wed Mar 02 2022 kastl@b1-systems.de - Update to version 1.6.1: * fix release tag command (#3323) * fetching proper digest for release images (#3319) * update release v1.6.1 manifest (#3318) * changing git command to fetch the tag (#3317) * release v1.6.1-rc2 * cherry-pick c4075af3d17c59fe73b50083bb206d85a1cb38ba * Run E2E tests on all supported k8s versions (#3256) * Fix namespace typo (#3298) * feat: support background mode configuration in kyverno-policies chart (#3299) * fix: helm chart broken when use generatecontrollerExtraResources (#3302) * Shallow clone git repositories for kyverno test command * fix: add support for other platforms before executing docker buildx (#3296) * latest pointing to main * added condition * using regex * updated workflows * validate and block policy based on the matched kind cache (#3283) (#3291) * Filter kyverno resources instead of entire kyverno namespace (#3170) (#3171) * update trivy scanning (#3284) * tag v1.6.1-rc1 * Fix label mutation while updating the secret (#3273) (#3278) * Modify capabilities for compatibility with Pod Security (#3274) (#3275) * Fix Helm releasing to preserve creation timestamps (#3268) * fix mutate wildcard issue (#3193) * Fix foreach validations precondition issue (#3228) * Fix policy report OwnerReference (#3249) (#3257) * Fix old object validation check (#3248) * Skip updating webhook configs if namespaceSelector is nil (#3237) (#3243) * bump chart versions to v2.3.0 * cherry-pick #3209 * Fix image parsing for image referenced as digests (#3196) (#3233) * Fix keyless attest (#3219) * update dependencies (#3221) * release Helm chart v2.2.1 * Allow setting validationFailureActionOverrides for policies (#3201) * Fri Feb 18 2022 Johannes Kastl <kastl@b1-systems.de> - link /usr/bin/kyverno to /usr/bin/kubectl-kyverno to make this usable as a kubectl plugin * Fri Feb 18 2022 Johannes Kastl <kastl@b1-systems.de> - new package kyverno: CLI and kubectl plugin for the Kyverno Policy engine
Files:
/usr/bin/kubectl-kyverno
/usr/bin/kyverno
/usr/share/doc/packages/kyverno
/usr/share/doc/packages/kyverno/README.md
/usr/share/licenses/kyverno
/usr/share/licenses/kyverno/LICENSE
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Oct 23 22:58:29 2025