v1.12.0-rc.2

kyverno/kyverno

版本发布时间: 2024-03-15 18:24:04

kyverno/kyverno最新发布版本:v1.11.5(2024-05-09 19:09:28)

1.12 Release Notes

❗ Breaking (Potentially) ❗

Policies using long-deprecated or invalid operators in conditions (ex., In and NotIn) will be blocked. Please see the current list of available operators here (#8624)

✨ Added ✨

Added a global cache via a new Custom Resource called GlobalContextEntry allowing caching of any resource (#9591, #9595, #9601, #9602, #9614, #9615, #9618, #9619, #9620, #9621, #9643, #9652, #9678, #9710, #9813)
Added the ability to configure the listening ports of webhooks for admission and cleanup controllers (#7728)
Several new and improved abilities to reduce the scope of webhooks based on policy configurations, including support for the CEL-based matchConditions available in Kubernetes 1.27+ (#8065, #8437, #9483, #9599)
Added a new container flag --protectManagedResources to the cleanup controller (#8566)
Added a new container flag --renewBefore to the admission cleanup controllers to configure the cert renewal time (#8567)
Added a new container flag --loggingtsFormat which can be used to change the time format of logs (#9276)
Policy Exceptions now support conditions (#8577)
Policy Exceptions now support excluding specific controls when using a Pod Security sub-rule validate.podSecurity (#9343, #9817)
Pod Security sub-rule (validate.podSecurity) has a new ability to exclude based on restricted fields (exclude.restrictedField and associated values (#8585, #9770, #9658)
Added a new field to verifyImages rules called skipImageReferences allowing you to exclude certain images (#8633)
Added a new field to generate rules (data-type) called orphanDownstreamOnPolicyDelete which will preserve downstream resources when the policy/rule is deleted (#9579)
Added the ability to deploy specific controllers with CRDs following suit (#8849, #9608)
Added the ability to apply custom labels to Kyverno's webhooks, helpful especially for Argo CD users (#9015)
Added support for more types of JSON patch operations like "move", "copy", and "test" (#9476)
Policy Reports can now be generated from ValidatingAdmissionPolicies and their bindings (#9506)
Created a new API group reports.kyverno.io for storing new ephemeral report kinds EphemeralReports and ClusterEphemeralReports (#9521, #9537)
New is_external_url() JMESPath function to determine whether a given URL is an external URL (#8614)
New sha256() JMESPath function to convert a string of any length to a fixed hash value (#9144)
Kyverno CLI: Added a new migrate command which is used to migrate Kyverno resources to the current API version (#9296)
Kyverno CLI: Added a new (experimental) json command which incorporates the Kyverno JSON subproject into the main CLI allowing for testing of any JSON content (#9639, #9651)
Kyverno CLI: The test command now supports the same assertion trees available in Chainsaw (#9380)
Kyverno CLI: The apply command now supports ValidatingAdmissionPolicyBindings (#9468, #9751, #9759)
Kyverno CLI: apply and test commands now support Policy Exceptions (#9525, #9624, #9714, #9749)
Kyverno CLI: Added a --resources flag as an alias for the existing --resource flag (#9749)

Helm

Add chart parameters for setting revisionHistoryLimit (#8907)
Allow excluding resources from config.resourceFilters (#8946)
Allow defining ca-certificates bundle for Kyverno deployments (#8969)
Clean up Helm change logs (#9057)
Added ability to set extra environment variables globally (#9269)
Added the ability to enable performance profiling to the chart (#9338)
Added a global nodeSelector to the chart (#9339)
Allow adding Pod labels to cleanup jobs in the chart (#9391)
Added a CRD migration capability via hooks to the chart (#9481, #9657)
Added the ability to define additional resources to be excluded via resourceFilters (#9530)
Added a small note for AKS users when the chart is installed (#9552)
Added the ability to configure backoff limits in jobs in the chart (#9569)

⚠️ Changed ⚠️

Allow setting admission controller replica count to 2 (#8932)
The spec.schemaValidation field is formally deprecated. As of 1.11 it has no effect. (#9189)
The --reportsChunkSize flag is deprecated and has no effect since aggregation has changed (#9697)
The --imageSignatureRepository flag is deprecated and has no effect, use the verifyImages.Repository field instead (#9698)
Policy Exceptions will now be evaluated against existing resources when the exception is created (#8659, #8713, #8544)
Policy Exceptions API graduated to v2 (#9208, #9412)
Cleanup Policies API graduated to v2 (#9261, #9420)
Admission and Background reports APIs graduated to v2 (#9262)
UpdateRequests API graduated to v2 (#9267)
Reduced some logged messages (#9509, #9626)
Default logging time format is changed to RFC3339 (#9775)
Updated the internal Pod Security Standards up through 1.29 (#9783)
The time_parse() JMESPath filter now supports epoch time (#9173)
Kyverno will validate ValidatingAdmissionPolicies' CEL expressions and show a warning, or block, if invalid (#9566)
Kyverno CLI: The CLI will now perform field defaulting in policies being tested, moving it out of experimental status (#9220)

Helm

Chart will now omit policy applied and skipped events by default (#9493)
Allow configuring the policy kind in kyverno-policies chart (#8827)
Refined permissions by removing wildcards (#9507, #9516)
Rename the Grafana dashboard file from dashboard.json to kyverno-dashboard.json (#9041)

🚀 Performance 🚀

Initialize JMESPath interpreter once and reuse it across searches (#8299)
Optimize JSON context processing using in-memory maps (#8322)
Optimize how Events are created and processed (#9323, #9324)

🐛 Fixed 🐛

Fixed handling of escaped variables in an expression with multiple escaped variables (#8311)
Fixed an issue when verifying attestations using multiple keys (#8880)
Fixed an issue causing application of mutation policies to fail even when failurePolicy was set to Ignore (#8952)
Fixed an issue that allowed violating resources when a policy had validationFailureAction set to Enforce and failurePolicy of Ignore (#8953)
Fixed an issue causing premature skipping of resources in validate policies with anchors defined (#9155)
Fixed an issue where the -v container flag for logging was not honored (#9163)
Switched a logged error to info when preconditions didn't pass in a mutate existing rule (#9232)
Reports aggregation fixes and improvements (#9697)
Fixed an issue preventing of generating a ValidatingAdmissionPolicy when exclude was used in the rule (#9331)
Fixed an issue resulting in ValidatingAdmissionPolicies getting generated when there was a Policy Exception in place (#9386)
Fixed an issue where a ValidatingAdmissionPolicy was applied to the wrong resource in background scans (#9468)
Fixed an issue when generating Events associated with ValidatingAdmissionPolicies (#9392)
Fixed an issue with UpdateRequests getting stuck in a perpetual Pending state when using variables from admission (#9355)
Fixed an issue preventing validating image signatures on AWS with a FIPS endpoint from working (#9416)
Fixed an issue preventing variables from being substituted in messages when using anyPattern validate rules (#9713)
Fixed an issue where skipped policies due to preconditions were returned in denial response messages (#9719)
Removed an unnecessary podSecurity check (#9790)
Fixed an issue when verifying images from an insecure registry (#9838)
Fixed an issue with some validate rules and the UPDATE operation (#9893)
Kyverno CLI: Fixed an issue doing a test with an UPDATE operation (#9191)
Kyverno CLI: Fixed applying cloneList generate policies with apply command (#9036)
Kyverno CLI: Fixed a logging error (#9238)
Kyverno CLI: Testing of generate rules which use the useServerSideApply field now work properly (#9385)
Kyverno CLI: Fixed and issue causing the apply command to panic when applying a mutate existing rule (#9492)
Kyverno CLI: Fixed an issue with the apply command where some errors weren't shown (#9533)
Kyverno CLI: Fixed an issue with the apply command where a foreach with zero elements was a skip (#9534, #9543)
Kyverno CLI: Fixed a regression where the --warn-exit-code stopped working (#9828)

Helm

Fixed an issue deploying ServiceMonitor CR with ArgoCD via the chart (#8913)
Fixed an issue preventing multiple replicas from being defined in the chart (#9066)
Make role and binding names consistent (#9482)
Fixed some minor issues with the Helm report cleanup jobs (#9555)
Fixed a typo in the Kyverno chart README (#8911)

Click to expand all PRs

#9903 fix(globalcontext): panics and validation #9893 fix: properly update policy context after preexisting resource in violation check #9849 fix: release CRDs manifests #9845 fix: add missing unit tests for podSecurity.hostpathVolume check #9838 fix: use gcr crane opts while fetching image descriptors #9835 fix: remove duplicate chainsaw tests for PSA #9828 [Bug] [CLI] Restore warn-exit-code functionality for apply command #9817 fix: add podSecurity validation checks for exceptions #9813 fix(globalcontext): old WaitGroup not stopping #9791 fix: remove unnecessary podSecurity chainsaw test #9790 fix: remove unnecessary validation check for podSecurity rule #9783 update versions #9781 chore: add tests for exceptions in the CLI #9775 chore: default logging format to rfc3339 #9770 fix: add validation check for podSecurity subrule #9763 chore: bump chainsaw #9759 feat: support bindings in Kyvenro CLI test command #9751 feat: apply VAP bindings in CLI apply command in offline mode #9749 add plural form aliases for resources and exceptions flags #9719 fix: Policies skipped because of preconditions not met should not be included in admission requests denial responses #9714 fix: add the support of v2alpha1 exceptions in the CLI #9713 Fix :variables are not getting processed in validation message for "anyPattern" #9710 feat: enhance global context #9709 chore: bump otel deps #9698 fix: remove deprecated imageSignatureRepository flag #9697 fix: reports aggregation #9691 fix: modify the conformance config name #9690 chore: rename admission to ephemeral in reports aggregation controller #9682 chore(deps): bump kyverno/action-install-chainsaw from 0.1.2 to 0.1.3 #9680 chore: bump kind and k8s images #9679 fix: don't delete garbage collected policy reports #9678 feat(validation-webhook): validate global context reference #9677 feat: remove admission report controller #9672 feat: add chainsaw tests for exceptions #9667 feat: add chainsaw tests for pod security in exceptions #9661 test(globalcontext): add e2e tests #9658 [Bug] Fix message and formatting of podSecurity validation failure with restrictedField #9657 fix: add missing migrations #9652 chore(globalcontext): remove global context flag #9651 feat: add scan command for generic resources #9645 feat: add chainsaw test for policy webhook based configuration #9643 fix: global context validation #9639 feat: add root command to process generic json resources #9630 chore: remove renovate config #9628 feat: add chainsaw tests for global context crd validation #9626 changed the log level in match policy context #9624 support -e shorthand letter with --exception flag #9621 fix: global context crd improvements #9620 feat: consider maxAPICallResponseLength #9619 feat: add global context entry validation webhook #9618 chore: move global context package out of engine #9616 feat: use the check block for checking CLI output in chainsaw tests #9615 feat: update refreshInterval in globalcontext CRD to use a duration #9614 feat: add global context support in helm chart #9609 make exception in cli exportable #9608 sanity check in parent chart for crd-controller mismatch #9606 chore: enable chainsaw fail fast #9602 feat: add globalcontext loader and interface #9601 feat: add globalcontext controller #9600 chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.2 to 2.2.3 #9599 feat: apply .matchConditions when generating reports #9598 fix: client codegen not deleting old files #9597 fix: codecov missing token #9596 fix: make ApplyCommandConfig public again #9595 feat: add global context crd to codegen #9592 fix: codecov args #9591 feat: add global context crd #9585 fix: update cli docs #9583 test: added test for pkg/utils/policy/marshal.go #9579 feat (generate): add orphanDownstreamOnPolicyDelete to preserve downstream on policy deletion #9574 fix: nancy ignore #9573 chore: small nits in cli test command #9572 fix: omit events flag #9570 chore: remove reports aggregation per namespace #9569 configured backoff limit in chart cronjobs #9566 feat: Support CEL expression warnings #9561 chore: add chainsaw tests for policy based webhook configuration #9555 fix: helm chart jobs #9554 fix: nancy ignore #9553 fix: make alternate reports storage transparent #9552 Add Helm note for AKS users #9546 feat: add openapi-gen to policyreports #9543 fix: follow up for #9534 #9542 fix: CRDs codegen #9540 chore: bump a couple of deps #9539 chore: remove reference to kuttl #9538 test: added test for pkg/utils/admission/metadata.go #9537 refactor: use single type for ephemeral reports #9535 chore: configure gh workflows schemas #9534 fix: show skip when foreach with zero elements #9533 Fix: not showing error during policy validation error #9531 fix: move new reports api to top level folder #9530 #9529 Support adding extra elements to the default resourceFilters list #9525 Support PolicyExceptions with CLI #9521 feat: add a new API group reports.kyverno.io #9520 test: added test for pkg/utils/admission/policy.go #9516 Move admission controller hardcoded wildcard permissions to new opt-out value #9515 ci: add load testing workflow #9509 fix: reduce logs in controllers when an item is not found #9507 feat: add more granular rbac rules to remove wildcards #9506 feat: support vap bindings in reports #9495 test: added test for pkg/utils/admission/exception.go #9493 chore(helm): omit normal events by default #9492 fix: kyverno apply panic for mutate policies #9487 chore: bump a couple of deps #9486 test: added test for pkg/utils/admission/cleanup.go #9483 feat: configure admission webhooks per policy #9482 fix: align clusterroles and bindings names #9481 feat: improve crd migration helm hooks #9476 feat: support all valid jsonpatches in validation webhook #9469 chore(contrib): add Khaled Emara as contributor #9468 feat: support validatingadmissionpolicybindings in CLI apply command #9467 update README for new features and OSS security index card #9465 chore: load cli image when deploying locally #9464 Update DEVELOPMENT.md #9463 fix: change generic policy to not return any #9461 Update CONTRIBUTORS.md #9459 added tests for validate foreach with 0 elements #9442 chore: bump otel deps #9440 chore: bump a couple of deps #9433 chore: use upstream cosign on main #9428 fix: nancy ignore list #9427 chore: bump json-patch #9426 chore: bump a couple of deps #9420 feat: migrate existing cleanup policies to the new storage version in helm hook #9416 feat: use awslabs keychain for AWS and gcr keychain for GCP #9412 feat: migrate existing policy exceptions to the new storage version in helm hook #9408 chore: bump bitnami/kubectl #9395 [Feature] Security Improvements based on CLOMonitor Checks #9392 fix: use the correct API version for VAPs in the generated events #9391 feat: add podLabels to the hook jobs pod template #9389 fix PSA chainsaw tests #9386 feat: skip generating VAP when an exception is defined #9385 fix: Allow generate cli tests to work with server-side apply policies #9380 feat: use assertion trees in cli test command #9362 chore(deps): bump golang.org/x/crypto from 0.17.0 to 0.18.0 #9360 chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 #9355 fix: clean up URs if the trigger doesn't exist #9348 Fix report-on-vulnerabilities #9343 feat: support podSecurity exclusion in exceptions #9341 fix PSA chainsaw tests #9339 Add global nodeSelector #9338 feat: add profiling to the helm Chart #9332 fix a chainsaw test #9331 fix: remove the check of exclude in VAPs #9326 chore(deps): bump kubectl-validate version #9324 feat: use custom events watcher #9323 feat: add new client for events #9296 feat: add resource migration command #9279 fix: remove policy informer from vap controller #9276 Feat: Human readable timestamps in logs #9270 feat: stop serving v2alpha1 cleanup policies #9269 Support setting global extraEnvVars #9267 chore: introduce v2 for updaterequests #9262 chore: introduce v2 for internal reports resources #9261 feat: add cleanup policies v2 #9260 chore: bump a couple of deps #9255 refactor: mutate checks #9254 fix: set v2beta1 of exceptions the storage version #9240 fix: remove unused file in a test #9238 move error message to log #9236 refactor: events controller #9232 Fixed error log #9220 feat: enable kubectl-validate by default in cli #9218 chore: add k8s 1.29 in custom-sigstore test #9213 chore: add missing context unit test #9212 (docs) changed docs tool to kubernetes-sigs/reference-docs #9211 chore: remove v2alpha1 version of policy exceptions #9208 feat: promote policy exceptions to v2 #9200 refactor: make CLI store non static #9198 chore: bump a couple of deps #9192 chore: add cli update test #9191 fix: deep copy resource in cli when operation is update #9189 fix: deprecate spec.schemaValidation #9187 chore: fix conformance tests #9180 Minor fix #9179 chore: use sigstore/cosign 2.2.2 on main #9175 fix: updates make codegen-deepcopy back to make codegen-deepcopy-all flag back to api deep copy function generatio... #9173 feat(jmespath):time_parse() support epoch time #9165 chore: move a mutateExisting chainsaw test under its directory #9163 fix: set logger level #9161 chore: add 1.29 to all test grids and remove 1.25 #9158 chore: add 1.29 to the test grid #9155 fix: validate pattern premature skip #9148 fix: chainsaw test #9144 support for SHA256 jmespath function #9143 chore: use new chainsaw github action #9140 chore: bump chainsaw #9130 chore: add myself to the maintainers list #9125 feat: add myself (vishal-chdhry) to maintainers list #9124 support for Add Variable unit test #9120 chore: bump chainsaw #9114 chore: bump chainsaw #9113 chore: convert chainsaw tests to Test resource #9109 chore: convert chainsaw tests to Test resource #9108 chore: update PR template to require documentation PR #9103 chore: improve cluster startup in conformance tests #9100 chore: convert chainsaw tests to Test resource #9099 chore: convert chainsaw tests to Test resource #9098 chore: improve ci perf #9094 chore: convert chainsaw tests to Test resource #9093 chore: install kind from binaries #9092 chore: remove kuttl from makefile #9088 fix: nancy ignore #9087 chore: convert chainsaw tests to Test resource #9086 chore: improve conformance tests ci perf #9085 fix: conformance tests #9071 chore: bump chainsaw #9066 Fix Helm chart to not error when replicas defined #9064 chore: bump chainsaw #9057 Update helm docs #9052 chore: use Kubernetes 1.28 by default #9046 Use nancy on actually included dependencies #9045 chore: add 1.10.4-6 & 1.11.1 to github issue templates #9041 fix(helm): Rename dashboard.json to kyverno-dashboard.json #9038 chore: bump chainsaw #9036 fix: Provide kind list hints to the fake dynamic client. #9028 chore: fix chainsaw tests cleanup timeout #9023 chore: remove kuttl tests folder #9018 chore: replace more kuttl tests by chainsaw #9017 chore: replace more kuttl tests by chainsaw #9016 chore: replace standard kuttl tests by chainsaw ones #9015 feat: webhook labels #9013 chore: fix chainsaw exec timeout issue #9012 chore: enable all chainsaw tests #9011 chore: all chainsaw tests #9008 fix: extend chainsaw cleanup timeout #8999 chore: cleanup go.mod #8998 chore: bump chainsaw #8997 chore: migrate tests to chainsaw #8987 chore: bump a couple of deps #8985 chore: bump otel libs #8969 Allow defining ca-certificates bundle for Kyverno deployments #8967 chore: bump chainsaw #8966 chore: run force-failure-policy-ignore test using chainsaw #8965 chore: run vap reports test suite using chainsaw #8958 chore: run generate VAP test suite using chainsaw #8956 chore: run range operators tests with chainsaw #8953 fix: update KeysAreMissing() to ignore negations in resource #8952 fix: block mutation only when failurePolicy is set to fail #8951 chore: run events test suite using chainsaw #8950 chore: run rbac testsuite using chainsaw #8947 fix: change names of fuzzing policies #8946 Allow excluding resources from config.resourceFilters #8937 chore: run autogen tests with chainsaw #8932 feat: allow setting admission controller replica count to 2 #8929 chore: bump k8s package to 1.29 #8913 Revert "fix(chart): only create ServiceMonitor if cluster supports it (#7926) #8911 [Helm] correct typo in README for Kyverno 1.10+ #8907 fix: Add chart parameters for setting revisionHistoryLimit #8903 Extended the Trivy scan for N-2 Kyverno versions #8894 Close reponse right after succesful request #8893 chore(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.45.0 to 0.46.0 #8880 fix: allow multiple keys in verifyImages.attestations.attestors.entries #8861 Adopters groww #8857 feat: added ability to bump version using in-file editing #8849 Deploy specific controllers #8827 Add policyKind option to kyverno-policies chart #8780 refactor: move resource loader package to ext #8772 chore: move utils/wildcard in ext #8769 refactor: move resource/convert in ext #8767 feat: add force color in color ext pkg #8766 feat: add utils packages in ext #8762 chore: run tests with chainsaw #8761 chore: fix nancy ignore #8760 feat: add ext/yaml package #8758 chore: init ext packages #8713 feat: compute policy exceptions as a part of the rule execution #8675 feat: add arm64 support in devcontainers #8672 feat: adds ci test for building devcontainer image #8659 feat: re-evaluate policy exceptions for existing resources and modify reports accordingly #8654 Reduce deps #8647 feat: use ubuntu:22.04 in devcontainer #8633 feat: add skipImageReferences in verify images #8624 feat: add fail/warn on deprecated/invalid operators #8614 feat: Add external_url_check custom JMESPath function #8585 [Feature] New restrictedField in podSecurity subrule #8577 feat: support conditions in PolicyException #8567 chore: set cert renewal time to 15 days before expiration #8566 feat: reuse --protectManagedResources flag in the cleanup controller #8544 fix: apply exceptions after executing the policy itself #8518 fix: cache error in gh workflows #8437 Changes to dynamically configure webhooks #8322 optimize JSON context processing using in-memory maps #8311 fix: use ungreedy pattern to process all variables #8299 create interpreter once and reuse across searches #8065 feat: configure webhook scope based on resource and policy type #7728 Make server ports configurable, resolves #7279

相关地址：原始地址下载(tar) 下载(zip)

1、 checksums.txt 870B

2、 checksums.txt.pem 3.13KB

3、 checksums.txt.sig 96B

4、 install.yaml 3.21MB

5、 kyverno-cli-1.12.0-rc.2.tar.gz 2.88MB

6、 kyverno-cli-1.12.0-rc.2.tar.gz.pem 3.13KB

7、 kyverno-cli-1.12.0-rc.2.tar.gz.sig 96B

8、 kyverno-cli_v1.12.0-rc.2_darwin_arm64.tar.gz 33.61MB

9、 kyverno-cli_v1.12.0-rc.2_darwin_arm64.tar.gz.pem 3.13KB

10、 kyverno-cli_v1.12.0-rc.2_darwin_arm64.tar.gz.sig 96B

11、 kyverno-cli_v1.12.0-rc.2_darwin_x86_64.tar.gz 34.44MB