v1.10.0-alpha.2
Release date: 2023-04-14 21:13:48
Latest kyverno/kyverno release: v1.12.5 (2024-07-12 17:56:17)
Changes since alpha.1
Kyverno 1.10 is a huge release which brings breaking changes in both the application and Helm chart. This is a pre-release.
Major features:
- Split the main Kyverno Deployment into 3 separate controllers/Deployments
- Intra-cluster Service calls
- Notary v2 support
- Major reworking of generate and "mutate existing" policies
NOTE: There is a limited upgrade path available when using the Helm chart, which requires manual intervention and NO upgrade path when using raw YAML manifests. Please see the Helm v2 to v3 migration guide here for full details.
✨ Added ✨
- New container flag `--enableConfigMapCaching` to enable/disable the ConfigMap caching feature. (#6837)
- Begin testing against Kubernetes 1.27 (#6872)
- Added a new JMESPath filter `image_normalize()` which can be used to show the fully normalized `image` string which includes things like default registry (configurable in the Kyverno ConfigMap) and `latest` tag when no tag is defined. (#6911)
⚠️ Changed ⚠️
- Policies will be applied to UPDATE ops now even when the deletionTimestamp is set. (#6878)
- The `x509_decode()` JMESPath filter now supports decoding of Certificate Signing Requests (#6744)
- Refactored configuration ConfigMap controller. (#6829)
- Refactored engine creation code. (#6837)
- Refactored policy response. (#6877)
- Refactored Namespace labels in engine response. (#6880)
- Introduced a JMESPath interface. (#6882)
- Moved Cosign init code to an internal package. (#6846)
- Moved registry client init to an internal package. (#6853)
- Moved leader election code to an internal package. (#6854)
- Moved clients creation to an internal package. (#6924)
🐛 Fixed 🐛
- Fixed an issue in loading the config when the data is nil. (#6818)
- Fixes and improvements with SLSA provenance generation (#6821, #6824, #6825)
- Fixed an issue with the new service call feature to use the correct ServiceAccount token. (#6842)
- Fixed an issue with considering a customized Cosign image signature repository. (#6849)
- Fixed an issue where the clone source was inadvertently deleted when trigger no longer matched. (#6869)
- Fixed the auth check upon creation of generate and mutate existing rules. (#6874)
- Defaults for flags `--clientRateLimitQPS` and `--clientRateLimitBurst` are configurable. (#6883)
- Fixed the context in an API call. (#6885)
- Fixed an issue with namespace selectors not working properly in a verifyImages rule. (#6887)
- Fixed a deletion panic when a resource matched a podSecurity subrule. (#6902)
- Removed the `--imageSignatureRepository` flag from the background controller as it wasn't applicable here. (#6925)
- Fixed an issue with API calls showing up in traces. (#6930)
Helm
- Fixed passing of image pull secrets to all the needed controllers. (#6858)
- Fixed an incompatible types error when deploying the chart. (#6905)
All PRs
PR | Title |
---|---|
#6930 | fix: enable tracing in api call |
#6925 | fix: remove imageSignatureRepository flag from the background controller |
#6924 | refactor: move clients creation in internal package |
#6918 | chore: add config with exceptions disabled |
#6916 | fix: kuttl test for the generate rule |
#6914 | chore: add kuttl test for namespace exclusion |
#6911 | feat: add image_normalize filter |
#6905 | Fix incompatible types error in Kyverno helm chart |
#6902 | fix: deletion panic for PSa rule |
#6901 | chore: split unit tests and linter jobs |
#6900 | chore: split generate kuttl tests |
#6899 | chore: bump k8s patch versions |
#6895 | chore: better matrix jobs |
#6887 | fix ns selector |
#6885 | fix: context in api call |
#6883 | fix: make flag default values configurable |
#6882 | refactor: introduce jmespath interface |
#6880 | refactor: namespace labels in engine response |
#6878 | fix: applies policies to the UPDATEs when resource deletionTimestamp is set |
#6877 | refactor: policy response |
#6874 | fix: auth check the generate policy when use variables in name/namespace |
#6872 | chore: add k8s 1.27 to the test grid |
#6869 | fix: preserve source on trigger deletion for a generate policy with clone, sync |
#6858 | fix: add missing image pull secrets |
#6854 | refactor: move leader election code in internal package |
#6853 | refactor: move registry client init in internal package |
#6849 | fix: account for cosign default repository |
#6847 | chore: add kuttl tests with default config |
#6846 | feat: move cosign init in internal package |
#6842 | fix API call SA token and response |
#6840 | fix: kuttl tests for force-failure-policy-ignore config |
#6838 | fix: makefile nit |
#6837 | refactor: factorise engine creation |
#6829 | refactor: configuration config map controller |
#6828 | chore: fix makefile nits |
#6825 | fix: slsa generator for reports controller |
#6824 | chore: add slsa provenance jobs to all images published |
#6821 | fix: slsa provenance generation |
#6818 | fix: incorrect config loading when data is nil |
#6811 | chore: run conformance tests with multiple configs |
1. checksums.txt 794B
2. install.yaml 2.11MB
3. kyverno-cli_v1.10.0-alpha.2_darwin_arm64.tar.gz 25MB
4. kyverno-cli_v1.10.0-alpha.2_darwin_x86_64.tar.gz 25.87MB
5. kyverno-cli_v1.10.0-alpha.2_linux_arm64.tar.gz 22.4MB
6. kyverno-cli_v1.10.0-alpha.2_linux_s390x.tar.gz 23.81MB
7. kyverno-cli_v1.10.0-alpha.2_linux_x86_64.tar.gz 24.69MB
8. kyverno-cli_v1.10.0-alpha.2_windows_arm64.zip 22.57MB
9. kyverno-cli_v1.10.0-alpha.2_windows_x86_64.zip 24.87MB
10. kyverno.io_admissionreports.yaml 16.72KB
11. kyverno.io_backgroundscanreports.yaml 14.89KB
12. kyverno.io_cleanuppolicies.yaml 63.73KB
13. kyverno.io_clusteradmissionreports.yaml 16.78KB
14. kyverno.io_clusterbackgroundscanreports.yaml 14.94KB
15. kyverno.io_clustercleanuppolicies.yaml 63.77KB
16. kyverno.io_clusterpolicies.yaml 918.83KB
17. kyverno.io_policies.yaml 919.09KB
18. kyverno.io_policyexceptions.yaml 29.47KB
19. kyverno.io_updaterequests.yaml 19.3KB
20. wgpolicyk8s.io_clusterpolicyreports.yaml 17.98KB
21. wgpolicyk8s.io_policyreports.yaml 17.93KB