v1.9.0
Release date: 2023-02-01 18:02:22
Latest kyverno/kyverno release: v1.12.5 (2024-07-12 17:56:17)
Check the release announcement blog here for an overview of this packed release!
✨ Added ✨
- New PolicyException (alpha) resource introduced (#5662, #5680, #5712)
- New CleanupPolicy (alpha) resource introduced (#5233, #5279)
- Distributed Tracing (#5630, #5643, #5639, #5629, #5624, #5495, #5474, #5463, #5442, #5412, #5397, #5392, #5391)
- Extended support for validating and mutating subresources in webhook and CLI (#4916)
- ConfigMap caching (#5484)
- Nested `foreach` loops (#5589)
- Dump AdmissionReview payload using a new `--dumpPayload` flag (#5024)
- New JMESPath filters for working with time (#5950, #5817, #5814, #5813)
- Pod controller rule auto-generation for ReplicaSets and ReplicationControllers (#4975)
- Kyverno CLI experimental support for pushing/pulling Kyverno policies as OCI artifacts (#5026)
- Kyverno CLI now supports policy input from a git repo when used with the `apply` command (#4502)
- New v2beta1 schema introduced which removes all deprecated fields (#5625)
- Support for Kubernetes 1.26 (#5733, #5732)
- SLSA provenance now generated, provisionally achieving SLSA Level 3, for all Kyverno container images (blog) (#4268, #5735)
- Kyverno policy library up to over 260 policies
- CRD manifests are now uploaded for each release (#5967)
- Add `--audit-warn` and `--warn-exit-code` flags for use in the CLI (#5577, #5321)
- A new `--leaderElectionRetryPeriod` flag is added to control leader election frequency (#5172)
- A new `--forceFailurePolicyIgnore` flag is added to control the failure policy at a global level (#4991)
- Some new controller metrics have been added (#5494)
- Some new printer columns have been added when returning Kyverno policies including `AGE` and the count and type of rules (#5119, #5106)
- Key signature algorithm can now be specified in verifyImages rules (#4855)
- Attestors can now be specified sourced from a Kubernetes Secret in a verifyImages rule (#4733)
- (Helm) Support for consuming existing imagePullSecrets for use in verifyImages rules (#5627)
⚠️ Changed ⚠️
- A deprecation warning is now printed when setting `enforce` or `audit` (lower-case) in the `validationFailureAction` field (#5152, #5219)
- A log message will now be printed when background scans occur (#5941)
- Rules of type `validate.podSecurity` ("subrule") will show additional information in policy reports (#5908, #5719)
- Background report scanning reconciliation improvements (#5871, #5865, #5810, #5808, #5807, #5727)
- Cleaned up the CLI help messages a bit (#5843)
- All CLI custom JMESPath functions now have notes (#5824)
- The CLI's `jp` command has been split up into multiple subcommands (#5566, #5552)
- The CLI can now accept a list of policies piped into it (#5227)
- The CLI will now make API calls to the live cluster when using the `apply` command with the `--cluster` flag (#4938)
- The CLI will now properly detect when duplicate test resources are provided (#3612)
- Removed the `all` category from Kyverno CRDs; they now show properly with `kubectl get kyverno` (#5731)
- Log enhancements (#5701, #5687)
- Removed deprecated flag `--splitPolicyReport` since this is now done automatically (#5686)
- Removed deprecated flag `--autogenInternals` since this is now done automatically and no mutation to `spec` occurs.
- If Kyverno is down, any new/changed policies will be blocked until it returns to service (#5677)
- Improved some color and table things in the CLI's `test` command (#5609)
- Several of the JMESPath arithmetic functions have been adjusted to provide better guardrails (#5544)
- Admission metrics now have the webhook type and `request_allowed` added (#5493, #5478)
- Start using AdmissionReview v1 instead of v1beta1 (#5464)
- Webhooks now have separate rules per GVK (#4986)
- The `additionalExtensions` field in a verifyImages rule can now use the cert extension as the key (#4854)
- Some minor validation improvements when using mutate rules consisting of a JSON patch (#4469)
🐛 Fixed 🐛
- Fixed to allow deletion of a resource when `--protectManagedResources` is in use (#6098)
- Fixed Namespace selector matching in policies which used wildcards (`kind: "*"`) (#6020)
- Fixed an issue with matching resources with lower case letters (#6008)
- Fixed an image mismatch issue when using a verifyImages rule with multiple attestors (#5956)
- Fixed mutate existing rules to set resourceVersion prior to update (#5906)
- Fixed incorrect variable substitution in mutate existing rules (#5862)
- Fixed an issue whereby deletion of a Policy (namespaced) with generate rule didn't result in deletion of generated resources (#5776)
- Fixed empty rule type in metrics when using verifyImages (#5729)
- Fixed a panic in verifyImages rules when loading a ConfigMap (#5710, #5705)
- Fixed an issue when the `message` field of a policy had a variable that didn't resolve to a string (#5678)
- Fixed an issue in the CLI which prevented policies from stdin from being applied (#5668)
- Fixed an issue in the CLI in how global anchors were handled in the `apply` command (#5590)
- Fixed an issue in the CLI with how `request.operation` was defaulted (#5423)
- Fixed an issue in the CLI when testing for Pods which define the `ownerReferences` object (#5170)
- Fixed use of the `AllNotIn` operator with wildcards (#5636)
- Fixed and improved some registry client issues (#5622, #5620, #5596)
- Fixed a metrics panic issue when a null response was received (#5502)
- Fixed an issue preventing creation of a verifyImages rule with multiple attestors (#5384)
- Fixed validating a resource's schema when `any`/`all` is used (#5246)
- Fixed how the global anchor was handled when used in `anyPattern` validate rules (#5191)
- Fixed an issue preventing the use of a `generateName` field if used (#5146)
- Fixed an issue in verifyImages rules allowing proper use of the `{{image}}` variable (#5122)
- Leader election now runs in a loop preventing Pod termination when the lead is lost (#5173)
- (Helm) Fixed using the `kyverno-test` Pod to test connection by pinning the busybox image (#6051)
- (Helm) Replaced `+` with `_` in the `Chart.Version` field to prevent Flux reconciliation failures (#6056, #5591)
- (Helm) Fixed the cleanup process with Kyverno managed resources upon uninstall (#5974)
- (Helm) Fixed an issue with selectors when upgrading from 1.8 (#5965)
- (Helm) Fixed using multiple args in the initContainer (#5846)
- (Helm) Fixed the Grafana dashboard to use `delta` instead of `increase` (#5645)
- (Helm) Fixed the labels that got assigned to CRDs so they're correct per the release name (#5594)
- (Helm) Fixed an issue with Pod anti-affinity when deploying the chart with a custom name (#5516)
❗ Breaking ❗
- The new field `verifyImages.attestations.attestors` is added for verifying attestations. Note that the existing `verifyImages.attestors` field is only used to verify signatures (carry-over from release v1.8.3)
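As an added example (not from the release notes or the Kyverno project), the following v1.9 verifyImages rule uses both fields side by side: `attestors` checks the image signature, while `attestations[].attestors` checks who signed the SLSA provenance attestation, so a signed image with an unsigned or foreign-signed attestation is still rejected. The registry, key material, Secret name and builder id are placeholders; the `signatureAlgorithm` key is assumed to be the field behind #4855 and `keys.secret` the Secret-sourced attestor from #4733.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signature-and-provenance
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: check-image-signature-and-slsa-provenance
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"        # placeholder registry/org
          # Signature verification only: this attestor is NOT consulted
          # for attestations (the breaking change described above).
          attestors:
            - count: 1
              entries:
                - keys:
                    # placeholder key; replace with the real cosign public key
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <IMAGE-SIGNING-PUBLIC-KEY-PLACEHOLDER>
                      -----END PUBLIC KEY-----
                    signatureAlgorithm: sha256   # assumed field name (#4855)
          # Attestation verification: each attestation block now carries
          # its own attestors, so the provenance signer can differ from
          # the image signer (for example, a CI builder key).
          attestations:
            - predicateType: https://slsa.dev/provenance/v0.2
              attestors:
                - count: 1
                  entries:
                    - keys:
                        # key sourced from a Secret (assumed field, #4733);
                        # placeholder Secret name and namespace
                        secret:
                          name: provenance-signing-key
                          namespace: kyverno
              conditions:
                - all:
                    # placeholder builder id; pin to your own build system
                    - key: "{{ builder.id }}"
                      operator: Equals
                      value: "https://github.com/example-org/.github/.github/workflows/builder.yml@refs/tags/v1.0.0"
```

Without the inner `attestations[].attestors` block the attestation signature is not checked against any key, so a policy migrated from pre-1.8.3 should be reviewed for this gap.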
#6122 fix: policy exception event source
#6112 fix: tracing attributes length and tracer name
#6103 fix: flag added to init container mistake
#6100 fix: cleanup-controller version
#6098 fix: allow deletion of namespace containing managed resources
#6051 fix: pin busybox image tag in helm tests
#6047 fix: replace + with _ in Chart.Version label field
#6046 validate polex activation and namespace
#6030 feat: add missing polex flags
#6020 fix: ns labels matching
#6008 fix: policy match Kind case-sensitive
#5998 chore: log out cleanup policy events
#5988 feat: create warning events on errors for cleanup policies
#5987 fix: generate policy exception events
#5982 feat: create events for cleanup policies
#5980 fix: policy exceptions not working in background mode
#5977 chore: log out deleted resources at default level for cleanup policies
#5974 fix: invoke cleanup process during shutdown
#5967 chore: upload CRDs manifests to GH release
#5966 feat: add cluster role aggregation to cleanup controller
#5965 fix: helm selector
#5960 fix: chart kyverno-policies invalid annotations
#5956 fix: imageRef mismatch
#5950 feat: add more time jmespath filters
#5948 fix: update policy exception CRD description
#5943 fix: cleanup policies with user infos in match/exclude should be rejected
#5941 chore: policy report - improve logging
#5935 test: add kuttl test for policy exception
#5931 fix: missing user info matching
#5928 Fixes `time_now` failing
#5920 chore: simplify tests workflow
#5914 chore: add missing gh workflow
#5913 fix: golangci-lint workflow
#5910 chore: fix releaser badge
#5909 fix: configure gh workflow permission
#5908 feat: add violation details to report.results.properties for PSa policies
#5907 chore: make check actions pinned by hash a standalone ci job
#5906 fix: mutateExisting - set resourceVersion before update
#5904 fix: cleanup controller - restrict cronjobs by PSS restricted checks
#5897 chore: add setup test env gh action
#5892 chore: add setup-build-env gh action
#5888 fix: use var 'target.*' in cleanup policies
#5886 fix: Configure webhook to add `ephemeralcontainers` for policies matching on Pod
#5885 chore: use gh composite actions
#5883 chore: small gh workflows improvements
#5881 fix: Add group to subresources declaration in value.yaml file for CLI
#5875 fix validation checks for foreach and nested foreach
#5871 refactor: improve background scan reconciliation
#5870 fix: add missing kuttl assert file
#5865 fix: force background scan recomputation
#5862 fix: incorrect variable substitution `request.object.*` for mutateExisting policies
#5851 feat: cleanup new validatingwebhooks
#5847 chore: move ConvertToUnstructured from engine utils to kube utils
#5846 fix(chart/kyverno): handle multiple extraArgs in init container
#5844 chore: cleanup a couple workflows
#5843 fix: improve cli help message
#5840 chore: bump a couple of deps
#5839 fix: Add subresources support to policy exceptions
#5835 fix: enum values for ValidationFailureActionOverride
#5834 chore: add a couple unit tests
#5832 fix: default value for validationFailureAction
#5829 chore: cleanup codecov workflow
#5828 refactor: move utils into sub packages
#5824 Adds notes to functions
#5823 Walk back change in PSS policy to send to to_upper
#5819 add source archive checksum into the checksums.txt
#5817 Added a time_add() filter to add duration and absolute time
#5814 Adds JMESPath filter for returning cron expression for absolute time
#5813 Adds JMESPath filter for returning current time
#5810 feat: improve background scan reports enqueue logic
#5808 fix: error handling in last scan time parsing
#5807 fix: background scan events
#5801 fix arguments passed to DeepEqual
#5797 enhance logging, fix pull flag description
#5796 feat: cleanup enhancements-1
#5789 chore: update publicKey description
#5787 fix cli output adjustments
#5782 redirect stderr to get digest successfully
#5776 fix delete policy
#5765 Bump go-plugin
#5762 fix: image digest
#5756 refactor: cleanup controller validating webhook
#5754 refactor: move util funcs in sub packages
#5752 test: add unit test for GetResourceName util
#5751 chore: bump deps including k8s ones
#5750 refactor: remove common package
#5749 refactor: auth package and add full unit test coverage
#5747 refactor: policy controller package
#5746 refactor: remove a couple of old util funcs
#5743 refactor: use typed client in auth
#5742 chore: remove e2e tests
#5740 chore: remove autogen internals tests
#5739 fix: cleanup controller image build
#5737 chore: build cleanup controller image
#5735 feat: generate SLSA provenance on releases
#5733 feat: run conformance tests with different k8s versions
#5732 chore: update k8s versions test grid
#5731 fix: remove all category from all our CRDs
#5729 fix: add rule type "ImageVerify"
#5728 Bump Go 1.19.4
#5727 feat: force background scan regularly
#5721 fix: add back install.yaml manifest
#5719 feat: propagate psa checks results
#5712 feat: add exception logic
#5710 fix: missing assignment in configmap resolver
#5707 feat: add kuttl tests for #5704
#5705 fix: Initializes configmap resolver in background components
#5701 fix info kind error
#5697 fix: exception validation follow up
#5691 refactor: suppress usage of kustomize in build
#5688 chore: bump a couple of deps
#5687 fix: bump log level for autogen debug logs
#5686 chore: remove deprecated flag splitPolicyReport
#5682 chore: remove secrets client from webhook controller
#5681 chore: rename exclude into match in policy exception
#5680 feat: Implement PolicyException
#5679 feat: add policy exception validation webhook
#5678 fix: case where deny message is not a string
#5677 fix: block policy admission if kyverno is down
#5671 feat: add certs controller to cleanup policies
#5668 fix: allow policies from stdin in apply again
#5662 feat: Introduce PolicyException CRD
#5660 use camel case for ForEach naming
#5653 feat: add metrics service and service monitor to cleanup controller
#5647 feat: add dev config with support for prom loki and tempo
#5646 fix: missing permission in cleanup controller role
#5645 fix: grafana dashboard
#5643 refactor: tracing package
#5640 fix: Improve helm-test workflow
#5639 feat: propagate context through engine
#5636 fix AllNotIn operator
#5630 feat: add http clients tracing
#5629 fix: setup tracing and minor cleanup in tracing and metrics code
#5628 feat: improve cleanup policies controller and chart
#5627 Support existing imagePullSecrets for image verify functionality
#5626 feat: add conditions matching to cleanup controller
#5625 feat: introduce v2alpha1
#5624 fix: don't create orphan spans in instrumented clients
#5622 fix: registry client not propagated correctly
#5620 feat: use lister in registry client
#5614 feat: implement cleanup policy matching
#5610 chore: bump a couple of deps
#5609 refactor: improve color and table printer management in cli test command
#5605 Add api docs
#5598 fix: use lister for CA secret
#5596 refactor: registry client
#5594 use helm values for CRD labels
#5593 chore: bump a couple of deps
#5591 fix: replace + symbol with _ symbol on the Chart.Version field
#5590 Fix: handling unexpected global-anchor-variable for the apply command
#5589 Nested foreach
#5580 feat: add cleanup controller BYOSA and RBAC extensions
#5578 chore: bump flux action
#5577 adding --warn-exit-code flag
#5576 feat: add cleanup handler
#5567 chore: disable dependabot auto rebase
#5566 refactor: split CLI jp command
#5552 refactor: cli jp command
#5550 refactor: cli test command
#5544 refactor: jmespath arithmetic operations
#5531 chore: enable dependabot
#5530 Bump SLSA GitHub generator to 1.4.0
#5523 refactor: make policy context immutable and fields private
#5516 fix: pod anti affinity
#5514 fix: cleanup policy validation
#5513 configure opentelemetry logger
#5512 chore: bump a few deps
#5510 chore: use builtin slices.Clone
#5509 chore: improve cleanup controller
#5507 refactor: use internal cmd package in kyverno
#5506 refactor: add controller helper to internal package
#5504 chore: switch to kyverno/kuttl
#5503 chore: bump a couple of deps
#5502 fix: panic when response is nil
#5500 chore: stop using set-output in gh actions
#5497 fix: add image extractor for ReplicationController
#5496 chore: replace utils.ContainsString with builtin slices.Contains
#5495 feat: propagate context in dynamic client
#5494 feat: add controller metrics
#5493 feat: add webhook type to admission metrics
#5492 refactor: move metrics closer to the code that use them
#5489 chore: refactor metrics namespace check
#5484 issue-4613: Add support for cache enhancements with informers
#5482 chore: bump kyverno version in argo lab
#5479 feat: propagate context to the metrics package
#5478 feat: add allowed label to admission metrics
#5477 feat: add dynamic client support to internal cmd package
#5475 refactor: metrics configuration code
#5474 chore: improve tracing instrumented clients
#5473 feat: create a policy utils package
#5472 feat: add new filtering handlers
#5464 feat: use admission review v1
#5463 feat: add engine traces
#5462 fix: remove filtering for policy admission handlers
#5461 feat: support flagsets in internal cmd package
#5460 chore: add instrumented clients codegen verification
#5448 docs: add reports troubleshooting tips
#5446 fix: argocd lab monitoring namespace
#5444 feat: add signal in internal cmd package
#5443 feat: use client funcs from internal cmd package
#5442 feat: improve handlers tracing code
#5440 chore: bump a bunch of deps
#5438 feat: add logging support to instrumented clients
#5437 feat: add discovery support in instrumented clients
#5436 refactor: dynamic client use instrumented clients
#5435 fix: reading policies for oci command and pushing image
#5434 docs: add controllers README
#5428 refactor: improve instrumented clients code and support dynamic/metadata client
#5427 ci: cancel redundant builds of workflow on push
#5423 fix request.operation in globalValues is always set to CREATE
#5419 Update SLSA to v1.3.0
#5417 refactor: improve instrumented clients creation
#5415 fix: typo
#5412 feat: make traces better
#5410 refactor: split argocd lab into multiple steps
#5404 refactor: introduce cmd internal package
#5401 chore: remove obsolete metrics client code
#5398 refactor: generated instrumented client code part 2
#5397 feat: add tracing middleware
#5392 refactor: propagate context through admission handlers
#5391 refactor: improve tracing package
#5385 Add reconciling logic for creating cronjobs whenever a new cleanup policy is created
#5384 fix: the entry length validation for the verify image rule
#5376 chore: bump sigstore deps
#5367 refactor: update otlp packages
#5362 refactor: generate instrumented client code
#5357 chore: add helm ci values with cleanup controller
#5356 fix digest variable
#5351 fix: add some missing options in cleanup helm chart
#5343 test: simplify autogen kuttl tests
#5338 feat: add CleanupPolicy validation code to CleanupPolicyHandler
#5336 fix: add replicaset and replicationController kinds in podsecurity validation
#5329 feat: add cleanup controller to helm chart
#5327 feat: add cleanup controller makefile targets
#5324 chore: remove docker support
#5323 Update SLSA generator workflow to v1.2.2
#5321 adding --audit-warn flag
#5279 feat: add cleanupPolicy validation code
#5248 fix: kyverno Dockerfile base image tag and sha256 hash
#5246 fix: resource schema validation in policies under any/all match
#5243 fix: remove /approve from prow actions
#5242 fix: remove unused code in config
#5233 feat: create cleanup new CRDs
#5228 Fixed description for secret name
#5227 feat: allow list with policies in apply
#5219 fix: add warning when using deprecated validation failure action
#5191 Fix: handled skip rule processing in anyPattern field
#5180 fix: do not cancel context when losing the lead
#5174 refactor: remove policyreport package
#5173 feat: run leader election in loop
#5172 feat: add flag to control leader election frequency
#5170 [Cli Bug] fix cli issue for ownerReferences resources
#5168 [Feature] Pin Dependencies by Hash
#5154 Add ability to use commands in comments
#5152 refactor: support Audit and Enforce validation failure actions
#5146 fix metadata/generateName for mutation
#5134 Corrected Kubernetes spelling
#5123 feat: remove policy mutation for auto-gen rules
#5122 Allows {{image}} var to be used in policies
#5119 Add AGE in printer columns of CRDs
#5106 Fixed issue-5102: Show rule count and type in output
#5026 feat: oci pull/push support for policie(s)
#5024 feat: enable/disable Debug mode which shows entire AdmissionReview payload
#4991 [Feature] create command line option to set failurePolicy globally
#4986 feat: separate webhook rules per GVK
#4975 feat: add replicaset and replicationcontroller to autogen
#4938 added apiCalls support in kyverno-apply command
#4855 Added support to specify key signature algorithm in verifyImages
#4854 feature: use cert extension oid as key
#4733 Fixed issue-4530: Added separate attestor type for secrets and KMS
#4502 To support gitURLs for "apply" command
#4469 validate patchJSON6902
#4268 workflow file updated for slsa provenance generation
#3612 Kyverno CLI: added method to detect duplicate resource in kyverno test
#3491 Integrate Sonarcloud and Nancy github action
- checksums.txt (822B)
- install.yaml (1.88MB)
- kyverno-cli-1.9.0.tar.gz (1.73MB)
- kyverno-cli_v1.9.0_darwin_arm64.tar.gz (23.95MB)
- kyverno-cli_v1.9.0_darwin_x86_64.tar.gz (24.94MB)
- kyverno-cli_v1.9.0_linux_arm64.tar.gz (21.63MB)
- kyverno-cli_v1.9.0_linux_s390x.tar.gz (22.97MB)
- kyverno-cli_v1.9.0_linux_x86_64.tar.gz (23.82MB)
- kyverno-cli_v1.9.0_windows_arm64.zip (21.8MB)
- kyverno-cli_v1.9.0_windows_x86_64.zip (23.99MB)
- kyverno.io_admissionreports.yaml (16.92KB)
- kyverno.io_backgroundscanreports.yaml (14.89KB)
- kyverno.io_cleanuppolicies.yaml (60.51KB)
- kyverno.io_clusteradmissionreports.yaml (16.98KB)
- kyverno.io_clusterbackgroundscanreports.yaml (14.94KB)
- kyverno.io_clustercleanuppolicies.yaml (60.55KB)
- kyverno.io_clusterpolicies.yaml (812.91KB)
- kyverno.io_generaterequests.yaml (7.15KB)
- kyverno.io_policies.yaml (813.17KB)
- kyverno.io_policyexceptions.yaml (27.44KB)
- kyverno.io_updaterequests.yaml (18.7KB)
- wgpolicyk8s.io_clusterpolicyreports.yaml (17.98KB)
- wgpolicyk8s.io_policyreports.yaml (17.93KB)