Changes since alpha.1

Kyverno 1.10 is a huge release which brings breaking changes in both the application and Helm chart. This is a pre-release.

Major features:

• Split the main Kyverno Deployment into 3 separate controllers/Deployments
• Intra-cluster Service calls
• Notary v2 support
• Major reworking of generate and "mutate existing" policies

NOTE: There is a limited upgrade path available when using the Helm chart, which requires manual intervention and NO upgrade path when using raw YAML manifests. Please see the Helm v2 to v3 migration guide here for full details.

✨ Added ✨

• New container flag --enableConfigMapCaching to enable/disable the ConfigMap caching feature. (#6837)
• Begin testing against Kubernetes 1.27 (#6872)
• Added a new JMESPath filter image_normalize() which can be used to show the fully normalized image string which includes things like default registry (configurable in the Kyverno ConfigMap) and latest tag when no tag is defined. (#6911)

⚠️ Changed ⚠️

• Policies will be applied to UPDATE ops now even when the deletionTimestamp is set. (#6878)
• The x509_decode() JMESPath filter now supports decoding of CertificateSigning Requests (#6744)
• Refactored configuration ConfigMap controller. (#6829)
• Refactored engine creation code. (#6837)
• Refactored policy response. (#6877)
• Refactored Namespace labels in engine response. (#6880)
• Introduced a JMESPath interface. (#6882)
• Moved Cosign init code to an internal package. (#6846)
• Moved registry client init to an internal package. (#6853)
• Moved leader election code to an internal package. (#6854)
• Moved clients creation to an internal package. (#6924)

🐛 Fixed 🐛

• Fixed an issue in loading the config when the data is nil. (#6818)
• Fixes and improvements with SLSA provenance generation (#6821, #6824, #6825)
• Fixed an issue with the new service call feature to use the correct ServiceAccount token. (#6842)
• Fixed an issue with considering a customized Cosign image signature repository. (#6849)
• Fixed an issue where the clone source was inadvertently deleted when trigger no longer matched. (#6869)
• Fixed the auth check upon creation of generate and mutate existing rules. (#6874)
• Defaults for flags --clientRateLimitQPS and --clientRateLimitBurst are configurable. (#6883)
• Fixed the context in an API call. (#6885)
• Fixed an issue with namespace selectors not working properly in a verifyImages rule. (#6887)
• Fixed a deletion panic when a resource matched a podSecurity subrule. (#6902)
• Removed the --imageSignatureRepository flag from the background controller as it wasn't applicable here. (#6925)
• Fixed an issue with API calls showing up in traces. (#6930)

Helm

• Fixed passing of image pull secrets to all the needed controllers. (#6858)
• Fixed an incompatible types error when deploying the chart. (#6905)