v1.10.1-rc.1

版本发布时间: 2023-06-29 22:21:10

kyverno/kyverno最新发布版本:v1.12.5(2024-07-12 17:56:17)

Kyverno 1.10.1-rc.1 is the first release candidate for the 1.10.1 patch version. It addresses many issues reported in the 1.10.0 release, both app and v3 Helm chart, and also enables a migration to 1.10 for users of clone-type generate rules. Thank you to all users and contributors who tested 1.10.0 and provided feedback!

✨ Added ✨

Added the ability to assign custom labels to policy reports (#7416)
All release artifacts are now signed (#7478, #7711)
Added a new environment variable, settable on the background controller, called BACKGROUND_SCAN_INTERVAL which can override the background scan interval from its default of one hour (#7504)
Added a new container flag called --enableDeferredLoading (true by default) which allows disabling of the new deferred/lazy context variable loading system introduced in 1.10.0 (#7694, #7691)

Helm

Added the ability to configure tolerations, resources, and Pod annotations for the admission report cleanup jobs (#7331, #7337, #7366)
Added missing delete verb to the admission reports cleanup job ClusterRole (#7375)
Added the ability to set verbs for the additionalresources ClusterRole used by the background controller to address the inability to generate Roles and ClusterRoles (#7380)
Removal of the Helm chart will now properly remove all Kyverno webhooks (#7633)
Added ability to select cluster on the Grafana dashboard (#7659)
Add relabelings and metricRelabelings config to all ServiceMonitors (#7659)
Make ConfigMap labels for the Grafana dashboard ConfigMap configurable (#7659)
Added ability to use imagePullSecrets for the admission reports cleanup CronJobs (#7730)

⚠️ Changed ⚠️

The new order field available under foreach loops will now be respected when the mutation method is patchStrategicMerge (#7336)
Changed the message returned from a failed permissions check so it's more general in nature (#7362)
Removed the redundant loop protection introduced in 1.10.0 making it possible to match on the same resource kind as Kyverno should generate (#7388)
Performed some internal refactoring of the generate rule type (#7417)
Make it so that setting --webhookTimeout affects all of Kyverno's webhooks and not just the resource webhooks (#7435)
Made it so that the name field for a rule is required (#7464)
Log kind, namespace, and name in processed resources (#7498)
Refactored some reconciliation logic for generate rules (#7531)
Mutation failures, when occurring within a foreach loop, will show the cause (#7563)
Bumped notation-go from 1.0.0-rc.3 to 1.0.0-rc.6 (#7666)
Misc. refactors related to the changes/fixes in deferred/lazy loading (#7675, #7678, #7690)

🐛 Fixed 🐛

Fixed a panic when a user installs a policy with an invalid schema (#6526)
Fixed an issue where the default field in a variable-type context variable was not being used when the result was nil (#7251)
Fixed a panic in the reports controller when it encounters an invalid image (#7332)
Fixed an issue when --protectManagedResources was enabled which prevented generation of bindings (#7363)
Fixed a panic when environment variables weren't passed (#7383)
Fixed an inability to use the target.* variable in a mutate existing rule (#7387)
Fixed a sync issue if an array element was removed from a clone source (#7417)
Fixed an issue preventing background reports from being created if an empty response is received for a given API group (#7428)
Fixed an issue where Policy Exceptions weren't being considered for deletes (#7433)
Fixed an issue preventing one clone source from being used in multiple rules or for multiple targets (#7436)
Fixed an issue with generate rules failing when the trigger resource kind used a forward slash (#7436)
Fixed a generate issue in which removal of a single trigger would remove generated resources it shouldn't have (#7579)
Fixed an issue with how Kyverno reports a failure when it cannot fetch a CRD (#7439)
Fixed an issue with auto-gen not generating the correct matching kinds when overridden with the annotation (#7455)
Fixed another issue with auto-gen in which CronJob translated rules weren't translating variables correctly (#7571)
Fixed an issue with a generate rule using a cloneList declaration so that syncs are observed properly (#7466)
Fixed a panic when the background controller substitutes a variable with nil (#7473)
Fixed the scope validation check for a generate rule so it detects the correct resource kind (#7479)
Fixed an issue preventing generated resources from being removed when preconditions no longer matched (#7496)
Fixed a slightly misleading error message in deny conditions (#7503)
Fixed it (finally) so that no informational logs are produced when logging is set to 0 (#7515)
Fixed removal of ownerReferences when generating via clone a resource across Namespaces (#7517)
Fixed residual issues from 1.10.0 for lazy/deferred loading of context variables (#7552, #7597)
Fixed an issue performing image verification in background mode (#7564)
Make configuring max procs not exit in case of error (#7588)
Fixed some typos in the descriptions of flags applicable to the reports controller (#7617)
Fixed a permissions check when installing a generate policy due to incorrect API group matching (#7628)
Fixed an issue where the service name in a tracer configuration could not be customized (#7644)
Fixed an issue with an image verification rule which would cause updating a Deployment with more than one container to fail (#7692)
Fixed a minor issue in an error message (#7688)
Fixed an issue with locking the schema manager which could result in CRDs not being found (#7704)

Helm

Fixed missing environment variables in the admission controller (#7383)
Fixed missing extraEnvVars on all controllers (#7403)
Fixed an issue templating the new reports cleanup job image (#7430)
Fixed a typo when enabling anti-affinity (#7440)
Fixed missing imagePullSecrets (#7474)
Fixed missing delete verb for Secrets in the admission controller and cleanup controller (#7527, #7679)

Click to expand all PRs

7730 feat: Add option to add imagePullSecrets to cleanup CronJobs 7712 fix: remove show goreleaser version step 7711 fix: release signing 7704 fix: lock schema manager when updating it 7694 Fix deferred loading (cherry-pick #7597) 7692 fix: image verification (cherry-pick #7652) 7691 feat: add lazy loading feature flag (cherry-pick #7680) 7690 refactor: migrate context loaders (part 2) from #7597 (cherry-pick #7677) 7688 fix: Swap any/all in the error message. 7680 feat: add lazy loading feature flag 7679 fix: cleanup controller rbac (cherry-pick #7669) 7678 refactor: migrate context loaders (part 1) from #7597 (cherry-pick #7676) 7677 refactor: migrate context loaders (part 2) from #7597 7676 refactor: migrate context loaders (part 1) from #7597 7675 refactor: add specific loaders from #7597 (cherry-pick #7671) 7671 refactor: add specific loaders from #7597 7669 fix: cleanup controller rbac 7666 [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 7659 feat: add cluster select and relabling config for ServiceMonitors 7652 fix: image verification with 2+ containers 7644 fix: customizable tracer configuration 7633 feat: enable Helm webhook cleanup hook by default 7628 fix: auth checks with the APIVersion and the subresource 7617 fix: update the flag descriptions of the reports-controller 7597 Fix deferred loading 7596 fix: CLI tests 7590 Add nancy-ignore to make it pass with current dependencies 7589 chore: reduce sleep duration for generate kuttl tests 7588 fix: make configuring max procs not exit in case of error 7579 fix: deletion mismatch for the generate policy 7571 fix: autogen not working correctly with cronjob conditions 7564 fix: background image verification not working 7563 Fix: Mutate: Foreach: Error cause is missing 7552 fix: recursive lazy loading 7531 refactor: generate reconciliation on policy updates 7527 fix: update kyverno admission-controller role to have delete verb for… 7517 fix: Remove ownerReferences when cloning across Namespaces 7515 fix: log level initialisation 7504 feat: add debug env BACKGROUND_SCAN_INTERVAL 7503 fix: misleading error message in deny conditions 7498 fix: log kind/namespace/name in scan errors 7496 fix: Delete downstream objects on precondition fail 7479 fix: target scope validation for the generate rule 7478 feat: sign released artifacts 7474 fix: image pull secrets in admission controller 7473 fix: background controller panics during variables substitution 7466 fix: cloneList sync behavior 7464 fix: rule name not required in the crd schema 7460 fix: flaky generate test 7455 fix: autogen not generating the correct kind 7440 fixed typo in admission controller chart template 7439 fix: error reported when sanity check fails 7436 fix: the same source cannot be used for multiple targets with a generate clone rule 7435 fix: add missing webhook timeouts 7433 fix: exceptions not considered on delete 7430 fix: helm template for cleanup jobs image 7428 fix: reports discovery error 7417 fix: array element removal should be synced to the downstream resource with a generate data sync rule 7416 feat: hold custom labels 7403 fix: missing extraEnvVars in helm chart 7388 Remove policy validation prevent loop for generate 7387 fix mutate targets validation 7383 fix: missing/incorrect env variables 7380 Allow setting verbs for clusterrole extraresources on backgroundController 7375 Add missing delete verb to admission cleanup clusterrole 7366 feat(cronjobs): Enable podAnnotations on CronJobs 7363 fix: protect managed resource not considering other components 7362 fix: permission validation message 7338 fix: flaky kuttl test add-external-secret-prefix 7337 feat: cleanup jobs resources 7336 feat: obey the order field in patchStrategicMerge method 7332 fix: panic in background reports 7331 feat: cleanup job tolerations 7251 Fix: [Bug] The default field in a context variable does not replace nil results 6526 fix: add type conversion error judgment to avoid program panic

相关地址：原始地址下载(tar) 下载(zip)

1、 checksums.txt 761B

2、 checksums.txt.pem 3.08KB

3、 checksums.txt.sig 96B

4、 install.yaml 2.13MB

5、 kyverno-cli-1.10.1-rc.1.tar.gz 2MB

6、 kyverno-cli-1.10.1-rc.1.tar.gz.pem 3.08KB

7、 kyverno-cli-1.10.1-rc.1.tar.gz.sig 96B

8、 kyverno-cli_v1.10.1-rc.1_darwin_arm64.tar.gz 25.17MB

9、 kyverno-cli_v1.10.1-rc.1_darwin_arm64.tar.gz.pem 3.08KB

10、 kyverno-cli_v1.10.1-rc.1_darwin_arm64.tar.gz.sig 96B

11、 kyverno-cli_v1.10.1-rc.1_darwin_x86_64.tar.gz 26.05MB