v1.10.1-rc.1
Release date: 2023-06-29 22:21:10
Latest kyverno/kyverno release: v1.12.5 (2024-07-12 17:56:17)
Kyverno 1.10.1-rc.1 is the first release candidate for the 1.10.1 patch version. It addresses many issues reported in the 1.10.0 release, both app and v3 Helm chart, and also enables a migration to 1.10 for users of clone-type generate rules. Thank you to all users and contributors who tested 1.10.0 and provided feedback!
✨ Added ✨
- Added the ability to assign custom labels to policy reports (#7416)
- All release artifacts are now signed (#7478, #7711)
- Added a new environment variable, settable on the background controller, called `BACKGROUND_SCAN_INTERVAL` which can override the background scan interval from its default of one hour (#7504)
- Added a new container flag called `--enableDeferredLoading` (`true` by default) which allows disabling of the new deferred/lazy context variable loading system introduced in 1.10.0 (#7694, #7691)
Helm
- Added the ability to configure tolerations, resources, and Pod annotations for the admission report cleanup jobs (#7331, #7337, #7366)
- Added missing `delete` verb to the admission reports cleanup job ClusterRole (#7375)
- Added the ability to set verbs for the `additionalresources` ClusterRole used by the background controller to address the inability to generate Roles and ClusterRoles (#7380)
- Removal of the Helm chart will now properly remove all Kyverno webhooks (#7633)
- Added ability to select cluster on the Grafana dashboard (#7659)
- Add `relabelings` and `metricRelabelings` config to all ServiceMonitors (#7659)
- Make ConfigMap labels for the Grafana dashboard ConfigMap configurable (#7659)
- Added ability to use imagePullSecrets for the admission reports cleanup CronJobs (#7730)
⚠️ Changed ⚠️
- The new `order` field available under `foreach` loops will now be respected when the mutation method is `patchStrategicMerge` (#7336)
- Changed the message returned from a failed permissions check so it's more general in nature (#7362)
- Removed the redundant loop protection introduced in 1.10.0 making it possible to match on the same resource kind as Kyverno should generate (#7388)
- Performed some internal refactoring of the generate rule type (#7417)
- Make it so that setting `--webhookTimeout` affects all of Kyverno's webhooks and not just the resource webhooks (#7435)
- Made it so that the `name` field for a rule is required (#7464)
- Log kind, namespace, and name in processed resources (#7498)
- Refactored some reconciliation logic for generate rules (#7531)
- Mutation failures, when occurring within a `foreach` loop, will show the cause (#7563)
- Bumped notation-go from 1.0.0-rc.3 to 1.0.0-rc.6 (#7666)
- Misc. refactors related to the changes/fixes in deferred/lazy loading (#7675, #7678, #7690)
🐛 Fixed 🐛
- Fixed a panic when a user installs a policy with an invalid schema (#6526)
- Fixed an issue where the `default` field in a `variable`-type context variable was not being used when the result was `nil` (#7251)
- Fixed a panic in the reports controller when it encounters an invalid image (#7332)
- Fixed an issue when `--protectManagedResources` was enabled which prevented generation of bindings (#7363)
- Fixed a panic when environment variables weren't passed (#7383)
- Fixed an inability to use the `target.*` variable in a mutate existing rule (#7387)
- Fixed a sync issue if an array element was removed from a clone source (#7417)
- Fixed an issue preventing background reports from being created if an empty response is received for a given API group (#7428)
- Fixed an issue where Policy Exceptions weren't being considered for deletes (#7433)
- Fixed an issue preventing one clone source from being used in multiple rules or for multiple targets (#7436)
- Fixed an issue with generate rules failing when the trigger resource kind used a forward slash (#7436)
- Fixed a generate issue in which removal of a single trigger would remove generated resources it shouldn't have (#7579)
- Fixed an issue with how Kyverno reports a failure when it cannot fetch a CRD (#7439)
- Fixed an issue with auto-gen not generating the correct matching kinds when overridden with the annotation (#7455)
- Fixed another issue with auto-gen in which CronJob translated rules weren't translating variables correctly (#7571)
- Fixed an issue with a generate rule using a cloneList declaration so that syncs are observed properly (#7466)
- Fixed a panic when the background controller substitutes a variable with `nil` (#7473)
- Fixed the scope validation check for a generate rule so it detects the correct resource kind (#7479)
- Fixed an issue preventing generated resources from being removed when preconditions no longer matched (#7496)
- Fixed a slightly misleading error message in deny conditions (#7503)
- Fixed it (finally) so that no informational logs are produced when logging is set to `0` (#7515)
- Fixed removal of ownerReferences when generating via clone a resource across Namespaces (#7517)
- Fixed residual issues from 1.10.0 for lazy/deferred loading of context variables (#7552, #7597)
- Fixed an issue performing image verification in background mode (#7564)
- Make configuring max procs not exit in case of error (#7588)
- Fixed some typos in the descriptions of flags applicable to the reports controller (#7617)
- Fixed a permissions check when installing a generate policy due to incorrect API group matching (#7628)
- Fixed an issue where the service name in a tracer configuration could not be customized (#7644)
- Fixed an issue with an image verification rule which would cause updating a Deployment with more than one container to fail (#7692)
- Fixed a minor issue in an error message (#7688)
- Fixed an issue with locking the schema manager which could result in CRDs not being found (#7704)
Helm
- Fixed missing environment variables in the admission controller (#7383)
- Fixed missing `extraEnvVars` on all controllers (#7403)
- Fixed an issue templating the new reports cleanup job image (#7430)
- Fixed a typo when enabling anti-affinity (#7440)
- Fixed missing imagePullSecrets (#7474)
- Fixed missing `delete` verb for Secrets in the admission controller and cleanup controller (#7527, #7679)
All PRs
- 7730 feat: Add option to add imagePullSecrets to cleanup CronJobs
- 7712 fix: remove show goreleaser version step
- 7711 fix: release signing
- 7704 fix: lock schema manager when updating it
- 7694 Fix deferred loading (cherry-pick #7597)
- 7692 fix: image verification (cherry-pick #7652)
- 7691 feat: add lazy loading feature flag (cherry-pick #7680)
- 7690 refactor: migrate context loaders (part 2) from #7597 (cherry-pick #7677)
- 7688 fix: Swap any/all in the error message.
- 7680 feat: add lazy loading feature flag
- 7679 fix: cleanup controller rbac (cherry-pick #7669)
- 7678 refactor: migrate context loaders (part 1) from #7597 (cherry-pick #7676)
- 7677 refactor: migrate context loaders (part 2) from #7597
- 7676 refactor: migrate context loaders (part 1) from #7597
- 7675 refactor: add specific loaders from #7597 (cherry-pick #7671)
- 7671 refactor: add specific loaders from #7597
- 7669 fix: cleanup controller rbac
- 7666 [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6
- 7659 feat: add cluster select and relabling config for ServiceMonitors
- 7652 fix: image verification with 2+ containers
- 7644 fix: customizable tracer configuration
- 7633 feat: enable Helm webhook cleanup hook by default
- 7628 fix: auth checks with the APIVersion and the subresource
- 7617 fix: update the flag descriptions of the reports-controller
- 7597 Fix deferred loading
- 7596 fix: CLI tests
- 7590 Add nancy-ignore to make it pass with current dependencies
- 7589 chore: reduce sleep duration for generate kuttl tests
- 7588 fix: make configuring max procs not exit in case of error
- 7579 fix: deletion mismatch for the generate policy
- 7571 fix: autogen not working correctly with cronjob conditions
- 7564 fix: background image verification not working
- 7563 Fix: Mutate: Foreach: Error cause is missing
- 7552 fix: recursive lazy loading
- 7531 refactor: generate reconciliation on policy updates
- 7527 fix: update kyverno admission-controller role to have delete verb for…
- 7517 fix: Remove ownerReferences when cloning across Namespaces
- 7515 fix: log level initialisation
- 7504 feat: add debug env BACKGROUND_SCAN_INTERVAL
- 7503 fix: misleading error message in deny conditions
- 7498 fix: log kind/namespace/name in scan errors
- 7496 fix: Delete downstream objects on precondition fail
- 7479 fix: target scope validation for the generate rule
- 7478 feat: sign released artifacts
- 7474 fix: image pull secrets in admission controller
- 7473 fix: background controller panics during variables substitution
- 7466 fix: cloneList sync behavior
- 7464 fix: rule name not required in the crd schema
- 7460 fix: flaky generate test
- 7455 fix: autogen not generating the correct kind
- 7440 fixed typo in admission controller chart template
- 7439 fix: error reported when sanity check fails
- 7436 fix: the same source cannot be used for multiple targets with a generate clone rule
- 7435 fix: add missing webhook timeouts
- 7433 fix: exceptions not considered on delete
- 7430 fix: helm template for cleanup jobs image
- 7428 fix: reports discovery error
- 7417 fix: array element removal should be synced to the downstream resource with a generate data sync rule
- 7416 feat: hold custom labels
- 7403 fix: missing extraEnvVars in helm chart
- 7388 Remove policy validation prevent loop for generate
- 7387 fix mutate targets validation
- 7383 fix: missing/incorrect env variables
- 7380 Allow setting verbs for clusterrole extraresources on backgroundController
- 7375 Add missing delete verb to admission cleanup clusterrole
- 7366 feat(cronjobs): Enable podAnnotations on CronJobs
- 7363 fix: protect managed resource not considering other components
- 7362 fix: permission validation message
- 7338 fix: flaky kuttl test add-external-secret-prefix
- 7337 feat: cleanup jobs resources
- 7336 feat: obey the order field in patchStrategicMerge method
- 7332 fix: panic in background reports
- 7331 feat: cleanup job tolerations
- 7251 Fix: [Bug] The default field in a context variable does not replace nil results
- 6526 fix: add type conversion error judgment to avoid program panic
1. checksums.txt 761B
2. checksums.txt.pem 3.08KB
3. checksums.txt.sig 96B
4. install.yaml 2.13MB
5. kyverno-cli-1.10.1-rc.1.tar.gz 2MB
6. kyverno-cli-1.10.1-rc.1.tar.gz.pem 3.08KB
7. kyverno-cli-1.10.1-rc.1.tar.gz.sig 96B
8. kyverno-cli_v1.10.1-rc.1_darwin_arm64.tar.gz 25.17MB
9. kyverno-cli_v1.10.1-rc.1_darwin_arm64.tar.gz.pem 3.08KB
10. kyverno-cli_v1.10.1-rc.1_darwin_arm64.tar.gz.sig 96B
11. kyverno-cli_v1.10.1-rc.1_darwin_x86_64.tar.gz 26.05MB
12. kyverno-cli_v1.10.1-rc.1_darwin_x86_64.tar.gz.pem 3.08KB
13. kyverno-cli_v1.10.1-rc.1_darwin_x86_64.tar.gz.sig 96B
14. kyverno-cli_v1.10.1-rc.1_linux_arm64.tar.gz 22.57MB
15. kyverno-cli_v1.10.1-rc.1_linux_arm64.tar.gz.pem 3.08KB
16. kyverno-cli_v1.10.1-rc.1_linux_arm64.tar.gz.sig 96B
17. kyverno-cli_v1.10.1-rc.1_linux_s390x.tar.gz 23.97MB
18. kyverno-cli_v1.10.1-rc.1_linux_s390x.tar.gz.pem 3.08KB
19. kyverno-cli_v1.10.1-rc.1_linux_s390x.tar.gz.sig 96B
20. kyverno-cli_v1.10.1-rc.1_linux_x86_64.tar.gz 24.85MB
21. kyverno-cli_v1.10.1-rc.1_linux_x86_64.tar.gz.pem 3.08KB
22. kyverno-cli_v1.10.1-rc.1_linux_x86_64.tar.gz.sig 96B
23. kyverno-cli_v1.10.1-rc.1_windows_x86_64.zip 25.04MB
24. kyverno-cli_v1.10.1-rc.1_windows_x86_64.zip.pem 3.08KB
25. kyverno-cli_v1.10.1-rc.1_windows_x86_64.zip.sig 96B
26. kyverno.io_admissionreports.yaml 16.77KB
27. kyverno.io_backgroundscanreports.yaml 14.89KB
28. kyverno.io_cleanuppolicies.yaml 64.02KB
29. kyverno.io_clusteradmissionreports.yaml 16.82KB
30. kyverno.io_clusterbackgroundscanreports.yaml 14.94KB
31. kyverno.io_clustercleanuppolicies.yaml 64.06KB
32. kyverno.io_clusterpolicies.yaml 927.67KB
33. kyverno.io_policies.yaml 927.93KB
34. kyverno.io_policyexceptions.yaml 29.47KB
35. kyverno.io_updaterequests.yaml 19.3KB
36. wgpolicyk8s.io_clusterpolicyreports.yaml 17.98KB
37. wgpolicyk8s.io_policyreports.yaml 17.93KB