Releases

Kyverno Release Notes

Kyverno v1.5.1

Bug Fixes

  • Updates Kyverno base image to use Go 1.17.2 to address CVE-2021-29923.

Kyverno v1.5.0

New

  • Dynamic webhooks. Admission webhooks are now built dynamically based on the source of Kyverno policies. Introduces a new status.ready field in a policy to indicate when it’s ready to serve.
  • foreach in both validate and mutate policies.
  • Configurable failure mode with a new failurePolicy field (either Ignore or Fail) so policies can now be customized based on the response desired.
  • Kyverno CLI test command now handles mutate policies
  • Cosign attestations to the verifyImages rule type.
  • New JMESPath functions base64_encode and base64_decode
  • Support for wildcards (*) in match/exclude blocks

Changed

  • CRDs are now back in the main kyverno chart while the Pod Security Policies are in a new chart called kyverno-policies.
  • To add a consistent style in flag names the following flags have been deprecated: webhooktimeout, gen-workers, disable-metrics, background-scan, auto-update-webhooks, profile-port, metrics-port. These will be removed in 1.6.0. The new flags are webhookTimeout, genWorkers, disableMetrics, backgroundScan, autoUpdateWebhooks, profilePort, and metricsPort.
  • Move Grafana dashboard to its own repo

Bug Fixes

  • Autogen-controllers does not work with “any” rules #2337
  • Use patchesJson6902 where path contains a non-zero index number causes validation failure #2100
  • CLI apply command - not filtering the resources from cluster #2417
  • Kyverno ConfigMap name not consistent in Helm/Docs and install.yaml #2347
  • Fixing helm chart documentation inconsistency #2419
  • Create/Update policy failing with custom JMESPath #2409
  • GenerateRequests are not cleaned up #2332
  • NetworkPolicy: from should be an array of objects #2423
  • Kyverno misinterprets pod spec environment variable placeholders as references #2413
  • CLI | skipped policy message is displayed even if variable is passed #2445
  • Update minio to address vulnerabilities #1953
  • No warning about background mode when using any / all in match or exclude blocks #2300
  • Flaky unit test #2406
  • Generating a Kyverno Policy throws error “Policy is unstructured” #2155
  • Network policy is not getting generated on creation of a pod #2095
  • Namespace generate policy fails with request.operation precondition #2226
  • Fix any/all matching logic in the background controller #2386
  • Run code-generator for 1.5 schema changes #2465
  • Generate policies with no Namespace field #2333
  • Excluding clusterRoles does not work if nested under any or all #2301
  • Fix auto-gen for validate.foreach #2464
  • “Auto-gen rules for pod controllers” fails when matching kind is “v1/Pod” #2415
  • Set Namespace environment variable for initContainer #2499

Kyverno v1.4.3

Notes: Helm - the helm upgrade command will be sufficient to upgrade.

Check more upgrade information at Upgrading Kyverno.

Changed

Bug Fixes

  • Fix policy gets blocked with 1.4.3-rc1 if any/all is defined in match block (#2388)
  • Fix upgrade issue from 1.4.2 to 1.4.3-rc1 (#2387).
  • Fix Added back V1alpha1 policy report resources (#2377).
  • Check Any and All ResourceFilters during policymutation (#2373).
  • Handling autogen test cases | CLI (#2367).
  • Fix supports gvk in CLI for policies applied on cluster #2364.
  • Fix added condition for all/any for match | CLI #2370.
  • Fix removed contains function #2346.
  • Kyverno CLI apply command improvement #2342.
  • Fix removed: resource_name label which is exposed as a part of Kyverno’s metrics #2351.
  • Fix added test case for non zero index patches with patchesJson6902 #2339.
  • Clean up formatting in mutate test file #2338.
  • Add test case for non zero index patches with patchesJson6902 #2339.
  • Adding ownerRef with namespace for Kyverno managed webhook configurations #2263
  • Add Support for previous test file structure #2329.
  • Substitute vars in map keys #2344.
  • Bug fix background scan issue for any/all in match/exclude #2381.
  • Test cmd update #5, #6.
  • Bug fix | CLI panic | Context policy validation #2336.
  • Fixed networkPolicy customization #2334.
  • Fix remove ownerReferences when cloning resources to other namespace. #2298.
  • Cleanup kustomizations #2274.
  • Fixed precondition logic for mutating policies #2271.
  • Support for metrics configuration, periodic metrics cleanup and selective namespace whitelisting and blacklisting with respect to metrics registration #2288.
  • Fix updated cosign #2369.
  • Only release Helm charts on tags #2281.
  • Adding ownerRef with namespace #2263.
  • Added labels to helm templates #2265.
  • Support GVK format is case sensitive #2261.
  • Block scalars for value files #2380.
  • Added test case using new variant of this policy with preconditions #2255.
  • Make Kyverno CRDs a separate Helm chart capable of being updated/deleted #2218.
  • Update PolicyReport CRDs to wgpolicyk8s.io/v1alpha2 #1825.
  • Implement global anchor #2311.
  • Fix allowing users to skip policy validation when mutating resources #2365.
  • Validation for generate loops and support ClusterPolicy/Policy in match block #2275.
  • Added condition for resource sync #2247.
  • Fix added check for the forward slash #2270.
  • Resolving variables from the resource passed | CLI #2180.
  • Fix updated kyverno deployment strategy #2006.
  • Fix added pod anti-affinity to Kyverno #1985.
  • Fix add new test; remove unnecessary anchors #2217.
  • Remove contains function #2346.
  • Updated kyverno deployment strategy #2006.
  • Update anti-affinity to the soft limit #2441.

Kyverno v1.4.2

Note: With Helm installed Kyverno, upgrading to Kyverno 1.4.2+ (Helm chart v2.0.2) from a version prior to 1.4.2 (Helm chart v2.0.2) will require extra steps. Please refer to the official doc for the upgrade.

Changed

  • Add DurationOperator to handle duration comparison operations (#2213)
  • Add special variable substitution logic for preconditions (#1930)
  • Support disallow pod exec operation (#2146)
  • Metrics re-design to deal with cardinality explosion (#2121)

Bug Fixes

  • Fix removing engineresponses variable from Kyverno CLI, as it is not used by the policy report (#2252)
  • Fix Updating cli comment for skipping request.object.* variables (#2242)
  • Fix Helm Chart - Network Policy Support (#2210)
  • Added backward compatibility | Resolving variables from the resource passed | CLI (#2222)
  • Rule changed by adding variable substituting deep copy logic (#2216)
  • Add ServiceMonitor in helm chart (#1984)
  • Fix iterates the chart version so that it’s built, and chart versions become incremented as part of the normal PR/merge process if chart elements are changed (#2111)
  • Configurable success events on policies & resources. Generating failure events on policies by default. (#1939)

Kyverno v1.4.1

Note: To upgrade from 1.4.0, you will need to manually remove the selector app: kyverno from the Deployment or delete the Deployment and then upgrade to 1.4.1.

Bug Fixes

  • Integrate LitmusChaos - Pod Memory Hog experiment (#2014)
  • Fix replacing pod security standard from default to baseline (#1977)
  • Fix adding loop for namespace to validate all the resources (#2024)
  • Fix Helm deployment name issue (#2045)(#2070)
  • Correction to ca and cert namespace (#2048)
  • Fix adding: http/https regex to kyverno CLI (#2054)
  • Move log to debug for wildcard pattern matching (#2064)
  • adding support for policies.kyverno.io/scored annotation (#1976)

Kyverno v1.4.0

Note: A selector app: kyverno was added to the Deployment of the Kyverno Helm chart, which could impact the upgrade process because the selector field cannot be modified during an upgrade. This selector will be removed in 1.4.1; you can comment it out during the upgrade. Thanks to @andriktr for reporting the issue.

For HA, the currently recommended minimum number of replicas is 3.

Changed

  • Develop and integrate Prometheus metrics-exporter for exposing Kyverno’s cluster-wide metrics (#1877)

Bug Fixes

  • Fix for recommended Kubernetes labels and custom labels (#1873)
  • Fix Helm chart metrics service to allow NodePort (#2035)
  • Fix enabling webhooks configuration via Helm (#2032)
  • Allow metrics service annotations to be defined separate from main service (#1988)
  • Fix updating the annotation lastRequestTimestamp from active instances (#2019)
  • Customize namespaceSelector of Webhookconfigurations (#2003)
  • Fix: mutate policies kept applying to these terminating Pods (#1978)
  • fix slack link (#2009)
  • Fix prometheus panics (#2015)
  • moved label bot yaml to workflows (#2021)
  • Improve log message for generate policies (#1993)
  • updating minio version (#1956)
  • Add e2e test cases for generate policy flow (#1951)
  • fix operator matching with spacing (#1946)
  • Update e2e tests to latest kind and Kubernetes versions (#1973)

Kyverno v1.3.6

Changed

  • Added validation check for ensuring the existence of only ‘any’/‘all’ (#1791).
  • Handle configmap and api variable cli (#1789).

Bug Fixes

  • Update to use gvk to store OpenAPI schema (#1906).
  • Pass by value in policy cache (#1895).
  • Fix Improving tests to allow skip status and fail if tested results do not exist (#1881).
  • Fix removing additionalProperties from policy schema (#1891).
  • Updating synchronize label in generated resource (#1860).
  • Fix removing debug log (#1857).
  • Fix Errors updating cluster policy (#1863).
  • Fix for commented yaml files in Kyverno CLI (#1849).
  • Support operators (>=, <, etc …) on list values (#1838).
  • Enable image substitution in the background mode (#1846).
  • Disable auto-gen when a rule has mixed of kinds: pod & pod controllers (#1847).
  • Fix mutate policy defaults and Fix endless loop of auto-gen rules (#1839).
  • Fix resolved the variables in the pattern which are replaced by values using source resource (#1804).
  • forceMutate does not handle StrategicMerge patchesJson6902 (#1775).
  • Make match.resources.kinds required (#1852).
  • Add matchedList to configure the matched resources in Kyverno (#1732).
  • Validate policy in cli according to policy schema (#1817).
  • test cases for match/exclude GVK (#1851).
  • Support variables in patchesJson6902 (#1774).
  • JMESPath custom functions (#1772).

Kyverno v1.3.5

Changed

  • Helm chart should support envVars with sane default (#1715).
  • (Update variable paths when auto generate the controller rules) and 1615 ( kyverno apply pipe through to kubectl) (#1735)
  • Added functionality for delimiting multi-line block by newline characters (#1597).

Bug Fixes

  • Fix variable substitution in NumericOperatorHandler (#1721).
  • fixes variable substitution in context.apiCall.jmesPath (#1728)
  • Fix Match endpoint to the exact Kyverno Pod’s IP (#1787).
  • Variable substitution (#1785).
  • Fix array variables substitution (#1800).
  • Remove namespace field on kind Namespace (#1766).
  • Add e2e test for mutation (#1761).
  • Add Support for policies.kyverno.io/severity annotation (#1763).
  • Set default image registry and tag if not present (#1762).
  • Fix Invalid variable validation (#1770).
  • Fix exclude logic (#1756)
  • Fix concurrent read/write when loading configmap data (#1755).
  • Check webhooks are present during liveness (#1748).
  • Fix removing permission (#1758)
  • Register webhooks only once service endpoint is ready (#1741).
  • Allow generatecontroller to handle Roles (#1739).
  • fix variable substitution in context.apiCall.jmesPath(#1728).
  • Add cleanup steps to remove webhook configurations (#118).
  • Skip generate requests for spec being same in old and updated policy (#1723).
  • Kyverno CLI gives error on applying any policy on a resource (#1707).
  • Policy without namespace selector gives error in Kyverno CLI- “pass the namespace labels” (#1694).
  • Fix changed logic for In and NotIn for sets (#1704).
  • Auto-recover policy report (#1730).
  • Skipping schema check for unknown kinds (#1736).
  • Added validate logic for generate to handle multiple items in array (#1727).
  • Fix Adding validate logic for generate to handle multiple items in array (#1727).
  • Enhancement/existence anchor - should loop all the items in the array (#1719).
  • Fix to make the number of generate workers configurable (#1729).
  • Fix API path (#1678).
  • Added condition for slash in Kyverno CLI (#1667).
  • Update Dockerfile; remove securityContext runAsUser (#1695).
  • Fix validate on DELETE the oldResource (#1710).
  • Fix adding restrict-service-account sample policy (#30).
  • Remove logic that handles reinvocation policy (#1703).
  • Remove sample Dir and Remove test cases from test_runner (#1686).
  • Kyverno CLI - Namespace Selector (#1669).
  • Resolve path reference in entire rule (#1714).
  • Fix empty list of failed rules (#1709).
  • Failed to mutate policy (#1767).
  • Fix hostNetwork toggle to the dep. and values manifests (#1511).
  • Fix Namespace scope when extracting raw from the admission request (#1718).
  • Add certificate renewer in webhook registration controller (#1692).
  • Add Images info to variables context (#1725).

Kyverno v1.3.4

Changed

  • Support for logical operations over conditions and selectors over conditions and preconditions (#1604).
  • Supporting subset checking in set operations (#1613).

Bug Fixes

  • Fix for Null value doesn’t work on negation’s value (#1665).
  • Fix for policy validation, auto-generated rules, apiCall support in mutate and generate (#1629).
  • Fix for namespaceSelector in match prevents background scanning (#1644).
  • Generate policy fails if trigger resource name exceed 58 characters (#1631).
  • Fix Substituting variables in context.configMap (#1636).
  • Fix adding make target to auto generate code (#1603).
  • fix - policy validation, auto-generated rules, apiCall support in mutate and generate (#1629).
  • fix listing operators in deny conditions (#1641).
  • Switch to use annotations to store resource info in cluster/reportChangeRequest (#1625).
  • Fix policy validation, auto-generated rules, apiCall support in mutate and generate (#1629).
  • fix adding details regarding match.resources (#1654).
  • Support AllowMissingPathOnRemove and EnsurePathExistsOnAdd in patchesJSON6902 (#1645).
  • Fix Extends match / exclude to use apiGroup and apiVersion (#1656).

Kyverno v1.3.3

Bug Fixes

  • fix gofmt check over the existing github workflows (#1553).
  • Getting invalid memory address error while using kyverno with --set (#1609).
  • Panic Fix (#1601).
  • fix restricting empty value from passing through the validation checks (#1574).

Kyverno v1.3.2

Changed

  • Validation of ‘value’ field under ‘deny.conditions’ in the rule object (#1510).
  • Support for numeric operators (#1536).
  • Fix dev mode execution (#1477).

Bug Fixes

  • Panic fix in generation.go (#1563).
  • Fix performed cleanups (#1552).
  • Fix allowing watch from policy controller - cluster role kyverno:policycontroller (#1562).
  • Fix adding AND logical operator support (#1539).
  • Fix test command for kyverno (#1518).
  • Compare policy status before sending update request (#1523).
  • Reduce RCR Throttling (#1545).
  • Reduce throttling requests (GET) (#1522)
  • Fix handling discovery errors for metrics API group (#1494).
  • Fix namespace selector (#1532).
  • Upgrade client libraries to 0.20.2 (#1547).
  • Update Kyverno test command (#1608).
  • Adding cluster policies(default, restricted) to kyverno helm charts (#1493).
  • Fix modifications in generated resource are not overridden till the next sync (#1426).
  • Adding HTTP(git raw or any public url ) URL applying functionality to kyverno cli (#1527).
  • Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images (#1495).
  • Fix api server lookups (#1514).
  • Valid resource is blocked by namespace selector (#1558)

Kyverno v1.3.1

Bug Fixes

  • Fix support nested JMESPATH var substitution (#1471).
  • Remove unnecessary JSON patches; fixes strategicMergePatch for tolerations (#1478).

Kyverno v1.3.0

Bug Fixes

  • Fix handle anchors for wildcard annotations (#1458).
  • Fix mutation panic (#1462).
  • Improve / clean up code (#1444).
  • Fix memory leak - remove item from the cache once done (audit handler) (#1459).
  • Fix cleanup/generate_logs (#1439).
  • Fix memory leak in CRD sync controller (#1441).
  • Rename filterK8Resources to filterK8sResources (#1452).
  • Skip validation patterns for delete requests (#1428).
  • Bug/generate refactoring (#1440).
  • Fix invalid failure event for generate policy (#1413).
  • Fixes strategic merge patch (#1414).
  • Reduce RCR throttling requests (#1406).
  • Fix to increase default memory limit to 256 Mi (#1402)
  • Generate with multiple rules (#1400).
  • Allow generate with no data/status (#1391).
  • Added pipe for passing policy in apply (#1382).
  • Filter resources excluded in config (#1404).
  • Enqueuing gr on getting deleted (#1405).
  • Disable updates of generated resource when synchronize is set to false (#1379).
  • Clean up stale RCRs (#1373).
  • Fix webhook registration (#1369).
  • Ignore non-policy files in CLI and improve validation messages (#1362).
  • Fix pkg/webhooks/server.go (#1372).
  • Fix policy report (#1359).
  • Use GR lister (#1387).
  • Clarify policy application behavior on pods that are managed by workload controllers (#1380).
  • Change validation to match on both new and old resources. (#1417).
  • Fix wildcard keys in patterns (#1361)
  • Fix to validate condition operators (#1331).
  • Fix panic when building ConfigMap cache (#1342).
  • Fix removing generate error message (#1364).
  • Fix throttling (#1341).
  • Fix validate rule (#1368).
  • Add nil checks and refactor schema lookups (#1309).
  • fix adding annotations check in validation (#1305).
  • Fix variable validation (#1303).
  • Fix updating webhook registration and monitor (#1318).
  • Fix triggering generate rule (#1355)
  • Match/exclude ns resource name (#1375).
  • Failed to update annotation through mutate policy (#1289).
  • Policy report cli test cases (#1412).
  • Add logging for policy creation and deletion events (#1445).
  • Fix generate panic (#1252).
  • Failed to generate reportChangeRequest due to exceeding the label size limit (#1275).
  • Fix to allow text after patch versions (#1230).
  • Improve logging message (#1232).
  • Print validationFailureAction with kubectl get (#1233).
  • Manage Kyverno CRDs by controller-gen (#1245).
  • Add Policy Report (#1229).
  • Helm namespace value (#1210).
  • Fix added log level for skipped policy (#1316).
  • Improve github action (#1385).
  • Policyreport cli (#1235).
  • added validation for openapi_v3 (#1095).

Kyverno v1.2.1

Bug Fixes

  • Fix mutation failure should not block resource creation (#633).
  • Create Website for kyverno (#1250).
  • Fix documentation for helm (#1187).
  • Update CONTRIBUTING.md (#1203).
  • Add link to quick start (#1204).
  • Add security context (#1208).
  • Cleanup cli output (#1180).
  • Publish test image (#1179).
  • Fix regex for allowed variable to support spaces (#1200)
  • Remove docs and update README.md (#1196).
  • Fixed panic while applying policy on cluster (#1195).

Kyverno v1.2.0

Changed

Bug Fixes

  • Use Self-signed certificate to build TLS webhook server (#1176).
  • Fixed yaml package for CLI validate (#1151).
  • Fixed adding conversion of overlay to patch strategic merge (#1138).
  • Parse string value to array from configMap (#1143).
  • Migrate github.com/nirmata/kyverno to github.com/kyverno/kyverno (#1175).
  • Update best practice require-pod-probes (#1178).
  • Add links in chronological order (latest first) (#1148).
  • Added condition for exclude selector (#1169).
  • Added conversion of overlay to patch strategic merge (#1138).
  • Remove mutation message when no rules are applied (#1162).
  • Update installation guides (#1167)

Kyverno v1.1.12

Bug Fixes

  • Bugfix policymutation (#1119).
  • Fixed CLI bug - mutate resource and variable substitution (#1123)
  • Generate policy with backward compatibility (#1125).
  • Fixed duplicate name (#1109).
  • Fix converting patches to patchesJSON6902 (#1115).
  • Fixed additional anchor bug in patch strategic merge (#1114).
  • Fixed policy validation and patch strategic merge bug (#1136).
  • Skip policy mutation on status update (#1112).
  • Update operator doc (#1131).

Kyverno v1.1.11

Bug Fixes

  • Fixed return (#1102)
  • Reconcile Generate request on policy update (#1096).
  • Generate policy does not work on namespace update (#1085).
  • Added autogen for patch strategic merge (#1104).
  • Fix conditional anchor preprocessing for patch strategic merge (#1090).
  • Set mutating webhook reinvocationPolicy to IfNeeded (#1097).
  • Fix support cronJob for auto-gen (#1089).
  • Supporting CRD validation in CLI (#1080).
  • Added invalid field validation for policy (#1094).
  • 810 support cronJob for auto-gen (#1089).
  • Allowing only few variables in the policies (#1063).
  • Events take several minutes to show on the resource (#1083).
  • Added set and values_file flag in kyverno CLI to pass variable values. (#1030).
  • Added validation for openapi_v3 (#1095).
  • Replace Policy CRD AnyValue fields with empty dict (#1086).
  • Add watch permission of namespace policy to clusterrole kyverno:customresources (#1084).
  • Added autogen for patch strategic merge (#1104)
  • Fix resolved conditional anchor issue and added validation to pattern labels (#1060).

Kyverno v1.1.10

Bug Fixes

  • Kyverno-cli and helm release step added in workflow (#1043).
  • Update mutation jsonPatch doc (#1049).
  • Git action added in goreleaser (#1078).
  • Not checking for cluster resources for CLI in policy validate (#1076).
  • Return early in CLI if generated patches from policy mutation is nil (#1072).
  • FilterK8Resources is not correctly configured using ConfigMap (#1059).
  • Default exclude group role added (#1052).
  • Replace CRD AnyValue fields with empty dict (#1047).
  • Fix cli docker images added (#1073)
  • Fix to automate release (#1044).
  • Update the doc on how excluded userInfo flags (#1035).
  • Fix improves the mutation webhook logic (#1057).
  • Supporting annotations in match/exclude (#1045).
  • Setting validationFailureAction to enforce is going to enforce it for every Policy (#601).
  • Added helm chart icon (#1077).
  • Fix adds validateFailureAction to all policies (#1068).

Kyverno v1.1.9

Changes

Bug Fixes

  • added api docs generator and docs html file (#1009).
  • Configurable rules added (#1017).
  • Default exclude group role added (#1052).
  • filterK8Resources is not correctly configured using ConfigMap (#1059).
  • Not checking for cluster resources for CLI in policy validate (#1076).
  • Fix replaces CRD AnyValue fields with empty dict (#1047).
  • cli docker images added (#1073)
  • Fix automating release (#1044)
  • Fix Updated the doc on how excluded userInfo flags (#1035).
  • Improvements in webhook (#1057).
  • Supporting annotations in match/exclude (#1045).
  • Fix updates mutation jsonPatch doc (#1049).
  • Fix mutation patch bytes (#563).
  • Setting validationFailureAction to enforce is going to enforce it for every Policy (#601).
  • Feature/namespaced policy 280 (#1058).
  • Generate request is not cleaned up after delete the generate policy (#1036).

Kyverno v1.1.8

Bug Fixes

  • Fix removed mutated policy (#1010).
  • krew yaml fixes (#1000).
  • Update selecting resource doc (#1005).
  • Fixed deployment name in config (#1004).
  • Policy name added in labels (#1001).
  • Feature/CLI saving mutate results (#1007).
  • Events fix (#1006).
  • Fix added api docs generator and docs html file (#1009).

Kyverno v1.1.7

Changes

  • Feature/new operators (#947).
  • Added goreleaser for managing lifecycle of kyverno plugin (#851).

Bug Fixes

  • Fix delete synchronized resources (#997).
  • Print mutated policy as yaml (#995).
  • Fix added Synchronize flag in Generate Request (#980).
  • Generate Policy from data is not behaving as expected (#977).
  • Resolve Kyverno panic when sync the generate request (#975).
  • Add policy cache based on policyType (#960).
  • Skip inserting auto-gen annotation into podController on UPDATE admission request (#953).
  • Update logging, naming, and event retry (#959).
  • Fix temp patch in client-go (#950).
  • Avoid generating violation on pre-exist pod (#952).
  • Update docs for add capabilities (#957).
  • Fix reading kyverno svc from environment variable (#962).
  • kyverno CLI accessible through krew (#941).
  • Synchronize data for generated resources (#933).

Kyverno v1.1.6

Changes

  • Added goreleaser for managing lifecycle of kyverno plugin (#851).
  • Add checks for k8s version when Kyverno starts (#831)
  • Change annotation for auto-generate pod controllers policy (#849)

Bug Fixes

  • fix resource schema not found error & fix violation updates when there’s no change (#895)
  • Note added for kubernetes version in README (#889).
  • Handling Multi YAML (Policies and Resources) (#890).
  • helm release workflow added (#881)
  • auto-gen annotation is not inserted correctly (#870).
  • Added cpu & memory resource requests and limits (#868).
  • Added readiness and liveness probe (#874)
  • Bug (#844).
  • helm docs added for helm repository (#901)
  • Fix parse CRD error: added CRD 1.16+ spec (#854).
  • skip adding crd if no schema is defined (#862).
  • Add Helm chart for Kyverno - (#839).
  • Annotation inserted to podTemplate by auto-gen should reflect the policy name (#850).
  • Fix duplicate pv create on both pod and pod-controller (#853).
  • Policy status is not being updated (#809).
  • Set kind in generate (#846)
  • remove cpu limit in BP require_pod_requests_limits.yaml (#807)
  • Fix removed unnecessary comments and reduce cache resync intervals (#855)
  • CRD sync panics on kubernetes versions 1.16 and below (#785)
  • Removing unneeded annotations (#803)
  • Validate conflicting match and exclude (#758)
  • golangci-lint changes (#761)
  • Fixed policy violation updated without owner (#880)
  • update CLI executable name (#910)
  • Fix makes helm text consistent (#916)
  • Update helm chart docs (#913).

Kyverno v1.1.5

Bug Fixes

  • kyverno CLI (#737)
  • Fix error message for spec.background (#661)
  • Policy Mutation Validation (#736)
  • golangci-lint changes (#761).
  • Fix Access check & logging framework refactor & update code-gen version (#750).
  • Validate policy schema (#764)
  • Adding log level in “loading variable” (#648)
  • anyPattern error improvements (#738)
  • 1.1.5 doc updates (#756).
  • Resource field should be optional for exclude (#757).
  • Update clusterrole kyverno:webhook to approve csr for 1.18 cluster (#782).
  • CRD sync panics on kubernetes versions 1.16 and below (#785).
  • Fixed crd sync panic (#784).

Kyverno v1.1.4

Bug Fixes

  • Add rules to disallow default namespace for pod controllers. (#735).
  • Support nested variable resolution (#728).
  • refactor events (#713).
  • if match/resource/kinds is empty, then policy can only deal with metadata of a resource (#726).

Kyverno v1.1.3

Bug Fixes

  • Fix added runValidationInMutatingWebhook flag - v3 (#654)
  • Add doc on how to write policy to generate rule for pod controllers. (#665).
  • Fix added type in openapi schema (#629).
  • Cannot match or exclude clusterroles - remaining fixes (#707).
  • Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR (#662).
  • Fix updated docs (#675).

Kyverno v1.1.2

Bug Fixes

  • Mutation failure should not block resource creation (#633)
  • Default failurepolicy & bug fix (#632)
  • Fix added missing var for PACKAGE (#623).
  • Support nested variable resolution (#728)

Kyverno v1.1.1

Changes

  • Feature (#594).
  • Setting validationFailureAction to enforce is going to enforce it for every Policy (#601).

Bug Fixes

  • Fix annotation path error if applied to pod controller (#625).
  • Fix added annotation to ns-creator sample policy (#621).
  • Pass in original resource to validation if patches from mutation is nil (#618).
  • Check for multiple variables in a expression & serviceAccount variables (#610).

Kyverno v1.1.0

Changes

Bug Fixes

  • Fix the bugs and add pre-condition checks (#606).
  • Fetch annotation from resource annotation map (#602).
  • Fixed pod controller (#573).
  • Handle processing of policies in background (#569).
  • Support variable substitution (#549).
  • Fixed crd permission (#553).
  • Fix rename namespacedpolicyviolation to policyviolation (#547).
  • Refactor Policy violation owner logic (#534)
  • Fix removed newline from engine response strings (#537).
  • Policy validation userinfo (#540).
  • policy violation name format update (#502).
  • init container (#501).
  • Fix implemented quantity comparison (#558).
  • Handle json numbers resubmit (#427).
  • Fix test webhook (#525).
  • Fix Added best practice policies (#366)
  • Fix updated engineResponse Name (#369)
  • Added anchors for omitempty tag (#584).

Kyverno v1.0.0

NOTE: It is recommended to deploy the stable release v1.1.1.

Bug Fixes

  • fix mutation patches (#532)
  • Explicitly set resource version of policy violation when update (#517).

Last modified October 31, 2021 at 12:18 PM PST: adds 1.5.0 and 1.5.1 release notes (2871d9d)