Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): Bump github.com/kyverno/kyverno from 1.12.1 to 1.13.1 #305

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): Bump github.com/kyverno/kyverno from 1.12.1 to 1.13.1 #305

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 13, 2024

Bumps github.com/kyverno/kyverno from 1.12.1 to 1.13.1.

Release notes

Sourced from github.com/kyverno/kyverno's releases.

v1.13.1

✨ Added ✨

  • Added the validation check for webhook configurations using CEL (#11461)

🐛 Fixed 🐛

  • Skipped Azure keychain-based login for MCR registry (#11480)
  • Fixed a validate issue to match failure action case-insensitively when validating an old object (#11486)
  • Fixed the missing emitWarning field in the v2beta1 policy (#11489)
  • Fixed the CLI to support VAP stable version v1 (#11501)
  • Fixed the auto-gen rules regarding celPreconditions (#11503)
  • Fixed a CLI issue by setting the default namespace for namespaced policies (#11505)
  • Fixed the configurable namespaceSelector list in the webhook (#11516)
  • Fixed an issue that the image verification rule blocks resource's update (#11529)
  • Fixed the policy validation message to include keywords "immutable fields" (#11549)
  • Fixed a panic issue for the admission controller when processing the validate rule (#11550)

Helm

  • Corrected Helm configuration behavior for global image registry (#11482)

🔧 Others 🔧

  • Switched to use the digest instead of the tag (#11492)

v1.13.1-rc.1

No release notes provided.

v1.13.0

Overview of 1.13 highlights - Kyverno release blog.

❗ Breaking Changes ❗

This release contains the following breaking configuration changes:

  • Removal of wildcard permissions: prior versions contained wildcard view permissions, which allowed Kyverno controllers to view all resources including secrets and other sensitive information. In 1.13 the wildcard view permission was removed and a role binding to the default view role was added. See the documentation section on Role Based Access Controls for more details. This change will not impact policies during admission controls but may impact reports, and may impact users with mutate and generate policies on custom resources as the controller may no longer be able to view these custom resources.
  • Default exception settings: the Helm chart values of the prior versions enabled exceptions by default for all namespaces. This creates a potential security issue. See CVE-2024-48921 for more details. This change will impact users who were relying on policy exceptions to be enabled in all namespaces.

For upgrade guidance see here.

✨ Added ✨

  • Added control names and images to policy reports for validate.podSecurity sub-rule (#9869)
  • Support condition validations across multiple attestations or context entries for image verification (#9960)
  • Added TSA cert chain support in Cosign for image verification (#9961)
  • Added support to generate Policy Exceptions from policyreports (#9987)
  • Supported the CLI apply command to continue on failure (#10036)
  • Added support for signature algorithm in Cosign cert and KMS verification for image verification (#10086)
  • Supported inline exceptions in CLI apply command (#10133)
  • Enabled warnings for policy violations and mutations upon admission reviews (#10214)
  • Advance supports for generating validatingadmissionpolicies (#9981, #10100, #10162, #10181, #10187, #10205, #10208, #10215, #10771)
  • Supported Cosign experimental OCI 1.1 signatures (#10228)
  • Supported background scanning of existing resource in image verification (#10287)
  • Added the report-controller flag to configure aggregation workers (#10331)
  • Updated default metrics in the Helm chart (#10459)

... (truncated)

Changelog

Sourced from github.com/kyverno/kyverno's changelog.

v1.13.0

Note

  • Removed deprecated flag reportsChunkSize.
  • Added --tufRootRaw flag to pass tuf root for custom sigstore deployments.

v1.11.0

v1.11.0-rc.1

Note

  • Added --tufRoot and --tufMirror flags to configure tuf for custom sigstore deployments.
  • Remove description from deprecated fields in CRDs
  • Remove CLI kyverno test manifest ... commands (replaced by kyverno create ...).
  • Added --caSecretName and --tlsSecretName flags to control names of certificate related secrets.
  • Added match conditions support in kyverno config map.
  • Deprecated flag --imageSignatureRepository. Will be removed in 1.12. Use per rule configuration verifyImages.Repository instead.
  • Added --aggregateReports flag for reports controller to enable/disable aggregated reports (default value is true).
  • Added --policyReports flag for reports controller to enable/disable policy reports (default value is true).
  • Renamed CLI flag --compact to --detailed-results (and changed default value from true to false).
  • Changed the default value of --enablePolicyException from false to true.

v1.10.0

v1.10.0-rc.1

Note

  • Removed GenerateRequest CRD.
  • Refactored kyverno chart, migration instructions are available in chart README.md.
  • Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
  • Added support for configuring webhook annotations in the config map through webhookAnnotations stanza.
  • Added excludeRoles and excludeClusterRoles support in configuration.
  • Added new flag skipResourceFilters to reports controller to enable/disable considering resource filters in the background (default value is true)
  • Removed hardcoded defaults for excludeGroups and excludeUsernames. They are always read from the config map.

v1.9.0-rc.1

Note

  • Flag backgroundScanInterval was added to force background scans at regular intervals (default value is 1h).
  • Flag splitPolicyReport was removed, was unused and marked for removal in 1.9.
  • Webhook is no longer updated to match pods/ephemeralcontainers when policy only specifies pods. If users want to match on pods/ephemeralcontainers, they must specify pods/ephemeralcontainers in the policy.
  • Webhook is no longer updated to match services/status when policy only specifies services. If users want to match on services/status, they must specify services/status in the policy.
  • Flag autogenInternals was removed, policy mutation has been removed.
  • Flag leaderElectionRetryPeriod was added to control leader election renewal frequency (default value is 2s).
  • Support upper case Audit and Enforce in .spec.validationFailureAction of the Kyverno policy, failure actions audit and enforce are deprecated and will be removed in v1.11.0.
  • Flag profileAddress was added to configure address of profiling server (default value is "").

... (truncated)

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): Bump github.com/kyverno/kyverno from 1.12.1 to 1.13.1
f8c121b 
Bumps [github.com/kyverno/kyverno](https://github.com/kyverno/kyverno) from 1.12.1 to 1.13.1.
- [Release notes](https://github.com/kyverno/kyverno/releases)
- [Changelog](https://github.com/kyverno/kyverno/blob/main/CHANGELOG.md)
- [Commits](kyverno/kyverno@v1.12.1...v1.13.1)

---
updated-dependencies:
- dependency-name: github.com/kyverno/kyverno
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants