Releases: open-policy-agent/gatekeeper
v3.14.0
Notable Changes
- 🧪 Improves experimental Validating Admission Policy (VAP) support
- 🚂 Updates OPA to v0.57.1
Features
- Add Recommended Helm/K8s labels (#2788) #2788 (James Bruce)
- allow changing the default revisionHistoryLimit (#2920) #2920 (tberreis)
- Upgrade constraint framework to add new K8s Native Validation driver schema by @maxsmythe in #2951
- Support multiple sync sources by @acpana in #2852
- Exposes --external-data-provider-response-cache-ttl via helm chart by @nilekhc in #2978
- Enhance replay by @acpana in #2984
- Print object name on test output by @Duologic in #3018
- Disables provider response cache when TTL is set to 0 by @nilekhc in #3028
Bug Fixes
- helm-chart: controller-manager wh name flags (#2879) #2879 (Ugur Can Ozturk)
- enable cert rotation for audit by default (#2875) #2875 (Jaydipkumar Arvindbhai Gabani)
- rework ns check, refactor: bubble up match err for mut (#2812) #2812 (alex)
- fixes disable cache flow (#3134) #3134 (Nilekh Chaudhari)
- ns exclusion audit from cache (#3129) cherry-pick for 3.14 (#3141) #3141 (alex)
- Remove readiness tracker deadlock caused by duplicate syncs by @maxsmythe in #2970
- Update audit-from-cache flag description by @ssheladiya in #2989
- Mutation: use `generateName` for generated resources when logging by @acpana in #2974
- Adding flag to validate rego for templates by @JaydipGabani in #3026
- Use log level 1 for debug by @acpana in #3039
- Protect agg against empty gvks by @acpana in #3040
Refactoring
- Use buildinfo to get opa and frameworks version by @sozercan in #2950
- Adder interface, rename data client by @acpana in #2991
Continuous Integration
- cherry-pick #3074 for release-3.14 (#3076) #3076 (Sertaç Özercan)
- Group dependabot prs by @sozercan in #2969
- Validate docs by @sozercan in #2968
- Lint timeout m 5->7 by @acpana in #3005
- Filter out helm gh pages image from release cleanup by @sozercan in #3053
- Cherry-pick #3074 for release-3.14 by @sozercan in #3076
Documentation
- adding doc for pubsub (#2808) #2808 (Jaydipkumar Arvindbhai Gabani)
- update release cadence to three months (#2914) #2914 (Xander Grzywinski)
- add config alpha state and exempt-namespace docs (#2890) #2890 (Xander Grzywinski)
- Add status tag for expansion metric (#2919) #2919 (Rita Zhang)
- Non default ns eg by @acpana in #2939
- Add docs for cel based Validating Admission Policy support by @ritazh in #2960
- Update vap by @ritazh in #2961
- Removing quotes from the title in expansion template doc by @JaydipGabani in #2964
- Adds documentation about provider response caching by @nilekhc in #2927
- Add opa version map to site and version badge to README by @salaxander in #2982
- Add docs on mutation annotations by @salaxander in #2999
Chores
- cherry pick #3083 for release 3.14 (#3086) #3086 (Sertaç Özercan)
- bump k8s.io/client-go from 0.27.2 to 0.27.4 (#2898) #2898 (dependabot[bot])
- bump go.uber.org/automaxprocs from 1.5.2 to 1.5.3 (#2897) #2897 (dependabot[bot])
- removing pubsub design from proposed section (#2904) #2904 (Jaydipkumar Arvindbhai Gabani)
- bump golang from `851af0a` to `2ae255c` in /build/tooling (#2912) #2912 (dependabot[bot])
- bump golang from `851af0a` to `2ae255c` in /test/image (#2913) #2913 (dependabot[bot])
- bump actions/setup-node from 3.6.0 to 3.7.0 (#2886) #2886 (dependabot[bot])
- bump actions/setup-go from 3 to 4 (#2795) #2795 (dependabot[bot])
- bump golangci/golangci-lint-action from 3.4.0 to 3.6.0 (#2829) #2829 (dependabot[bot])
- bump step-security/harden-runner from 2.4.0 to 2.5.0 (#2902) #2902 (dependabot[bot])
- bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 (#2887) #2887 (dependabot[bot])
- bump semver from 5.7.1 to 5.7.2 in /website (#2870) #2870 (dependabot[bot])
- bump k8s.io/apiextensions-apiserver from 0.27.2 to 0.27.4 (#2910) #2910 (dependabot[bot])
- bump github/codeql-action from 2.20.4 to 2.21.2 (#2923) #2923 (dependabot[bot])
- bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#2921) #2921 (dependabot[bot])
- bump peter-evans/create-or-update-comment from 3.0.1 to 3.0.2 (#2922) [#2922](https://...
v3.14.0-rc.2
This release candidate updates OPA to v0.57.1.
Chores
- cherry pick #3083 for release 3.14 (#3086) #3086 (Sertaç Özercan)
- Prepare v3.14.0-rc.2 release (#3091) #3091 (github-actions[bot])
v3.14.0-rc.1
Continuous Integration
- cherry-pick #3074 for release-3.14 (#3076) #3076 (Sertaç Özercan)
v3.13.3
This patch release fixes CVE-2023-39325
Bug Fixes
- cherry pick #3060 (#3061) #3061 (Sertaç Özercan)
Chores
- Prepare v3.13.3 release (#3063) #3063 (github-actions[bot])
v3.13.2
ℹ️ This release is the same as v3.13.1, except that this release (v3.13.2) contains a Helm chart. There are no other changes.
Continuous Integration
- cherry pick #3053 (#3054) #3054 (Sertaç Özercan)
Chores
- Prepare v3.13.2 release (#3055) #3055 (github-actions[bot])
v3.13.1
Features
- disables provider response cache when TTL is set to 0 (#3028) (#3033) #3033 (Nilekh Chaudhari)
Bug Fixes
- adding flag to validate rego for templates (#3026) (#3032) #3032 (Jaydipkumar Arvindbhai Gabani)
Chores
- Prepare v3.13.1 release (#3035) #3035 (github-actions[bot])
- cherry pick #3042 (#3052) #3052 (Sertaç Özercan)
v3.14.0-beta.0
Features
- Add Recommended Helm/K8s labels (#2788) #2788 (James Bruce)
- allow changing the default revisionHistoryLimit (#2920) #2920 (tberreis)
Bug Fixes
- helm-chart: controller-manager wh name flags (#2879) #2879 (Ugur Can Ozturk)
- enable cert rotation for audit by default (#2875) #2875 (Jaydipkumar Arvindbhai Gabani)
- rework ns check, refactor: bubble up match err for mut (#2812) #2812 (alex)
Documentation
- adding doc for pubsub (#2808) #2808 (Jaydipkumar Arvindbhai Gabani)
- update release cadence to three months (#2914) #2914 (Xander Grzywinski)
- add config alpha state and exempt-namespace docs (#2890) #2890 (Xander Grzywinski)
- Add status tag for expansion metric (#2919) #2919 (Rita Zhang)
Chores
- bump k8s.io/client-go from 0.27.2 to 0.27.4 (#2898) #2898 (dependabot[bot])
- bump go.uber.org/automaxprocs from 1.5.2 to 1.5.3 (#2897) #2897 (dependabot[bot])
- removing pubsub design from proposed section (#2904) #2904 (Jaydipkumar Arvindbhai Gabani)
- bump golang from `851af0a` to `2ae255c` in /build/tooling (#2912) #2912 (dependabot[bot])
- bump golang from `851af0a` to `2ae255c` in /test/image (#2913) #2913 (dependabot[bot])
- bump actions/setup-node from 3.6.0 to 3.7.0 (#2886) #2886 (dependabot[bot])
- bump actions/setup-go from 3 to 4 (#2795) #2795 (dependabot[bot])
- bump golangci/golangci-lint-action from 3.4.0 to 3.6.0 (#2829) #2829 (dependabot[bot])
- bump step-security/harden-runner from 2.4.0 to 2.5.0 (#2902) #2902 (dependabot[bot])
- bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 (#2887) #2887 (dependabot[bot])
- bump semver from 5.7.1 to 5.7.2 in /website (#2870) #2870 (dependabot[bot])
- bump k8s.io/apiextensions-apiserver from 0.27.2 to 0.27.4 (#2910) #2910 (dependabot[bot])
- bump github/codeql-action from 2.20.4 to 2.21.2 (#2923) #2923 (dependabot[bot])
- bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#2921) #2921 (dependabot[bot])
- bump peter-evans/create-or-update-comment from 3.0.1 to 3.0.2 (#2922) #2922 (dependabot[bot])
- update cf to 0200614 (#2928) #2928 (alex)
- bump golang from `2ae255c` to `74b09b3` in /build/tooling (#2932) #2932 (dependabot[bot])
- bump golang from `2ae255c` to `74b09b3` in /test/image (#2931) #2931 (dependabot[bot])
- Prepare v3.14.0-beta.0 release (#2935) #2935 (github-actions[bot])
v3.13.0
This stable release has no other functional changes from v3.13.0-rc.1.
Notable Changes
- 📚 Added PubSub support for audit.
- 🎓 ExpansionTemplates that validate workload resources have graduated to beta!
- 🧪 Added experimental `ValidatingAdmissionPolicy` (VAP) driver.
- 🗃️ Added support for External Data Provider Audit Cache.
- 🔭 Observability statistics for admission, audit and gator CLI are now available!
Features
- add syncset crd (#2775) #2775 (alex)
- log details on log denies (#2813) #2813 (alex)
- Support adding priority class to Jobs (#2822) #2822 (Grace Do)
- Upgrade to k8s v1.27.2; controller-runtime v0.15.0; add VAP prototype (#2819) #2819 (Max Smythe)
- Graduate ExpansionTemplate CRD to beta (#2857) #2857 (Davis Haba)
- implements external data response cache (#2823) #2823 (Nilekh Chaudhari)
- stats in webhook, audit & gator (#2686) #2686 (alex)
- recursive expansion (#2679) #2679 (Davis Haba)
- add webhookURL helm option (#2722) #2722 (Navid)
- activate stats when flag is on in audit, webhook (#2749) #2749 (alex)
- add gvk aggregator (#2733) #2733 (alex)
- Sync annotation unmarshaling in gator (#2734) #2734 (Anlan Du)
- Adding pubsub interface (#2538) #2538 (Jaydipkumar Arvindbhai Gabani)
- implement expansion template pod status (#2598) #2598 (Davis Haba)
Bug Fixes
- Pkg Wildcard Validation to allow the ':' character (#2797) #2797 (Nobu)
- correct indentation for webhook-configs-pre-delete.yaml (#2817) #2817 (Vaishnav Gaikwad)
- statically link gator binary (#2840) #2840 (alex)
- name matcher to match generate names as well (#2841) #2841 (Jaydipkumar Arvindbhai Gabani)
- security context value indentation for gatekeeper-delete-webhook-configs job (#2862) #2862 (Vardhaman Surana)
- helm probe webhook retry logic (#2873) #2873 (Eshaan Mathur)
- eliminate deadlock-on-exit (#2708) #2708 (Max Smythe)
- duplicate gator version (#2743) #2743 (Sertaç Özercan)
- memory leak in the webhook TLS healthcheck (#2690) #2690 (Thibault Deutsch)
Documentation
- Gator syncset doc (#2833) #2833 (Anlan Du)
- fix link coloring issue in dark mode (#2867) #2867 (Rajeesh C V)
- adding doc for benchmarking (#2866) #2866 (Jaydipkumar Arvindbhai Gabani)
- update all design doc links to new drive locations (#2791) #2791 (Xander Grzywinski)
- Fix typo in ExpansionTemplate (#2884) #2884 (Calle Pettersson)
- Add External Data Response Cache design doc and reorg links based on … (#2724) #2724 (Rita Zhang)
- add landing page to website (#2677) #2677 (Xander Grzywinski)
- add assignImage mutation demo (#2694) #2694 (Rita Zhang)
- Fix meeting link in website bottom bar (#2736) #2736 (Max Smythe)
- remove old redirect for website (#2729) #2729 (Xander Grzywinski)
- expansion docs rewrite (#2707) #2707 (alex)
- fix link to policy library on website (#2738) #2738 (Xander Grzywinski)
- Adding pubsub design to docs (#2732) #2732 (Jaydipkumar Arvindbhai Gabani)
- add docs about stats (#2776) #2776 (alex)
- update applyTo description to mention AssignImage (#2648) #2648 (Davis Haba)
- add sbom and provenance (#2665) #2665 (Sertaç Özercan)
- Add sync resource proposal to design docs (#2674) #2674 ([Anlan Du](https://github.com/open-po...
v3.13.0-rc.1
Features
- add syncset crd (#2775) #2775 (alex)
- log details on log denies (#2813) #2813 (alex)
- Support adding priority class to Jobs (#2822) #2822 (Grace Do)
- Upgrade to k8s v1.27.2; controller-runtime v0.15.0; add VAP prototype (#2819) #2819 (Max Smythe)
- Graduate ExpansionTemplate CRD to beta (#2857) #2857 (Davis Haba)
- implements external data response cache (#2823) #2823 (Nilekh Chaudhari)
Bug Fixes
- Pkg Wildcard Validation to allow the ':' character (#2797) #2797 (Nobu)
- correct indentation for webhook-configs-pre-delete.yaml (#2817) #2817 (Vaishnav Gaikwad)
- statically link gator binary (#2840) #2840 (alex)
- name matcher to match generate names as well (#2841) #2841 (Jaydipkumar Arvindbhai Gabani)
- security context value indentation for gatekeeper-delete-webhook-configs job (#2862) #2862 (Vardhaman Surana)
- helm probe webhook retry logic (#2873) #2873 (Eshaan Mathur)
Documentation
- Gator syncset doc (#2833) #2833 (Anlan Du)
- fix link coloring issue in dark mode (#2867) #2867 (Rajeesh C V)
- adding doc for benchmarking (#2866) #2866 (Jaydipkumar Arvindbhai Gabani)
- update all design doc links to new drive locations (#2791) #2791 (Xander Grzywinski)
- Fix typo in ExpansionTemplate (#2884) #2884 (Calle Pettersson)
Code Refactoring
- loggers in webhook handlers (#2786) #2786 (alex)
- introduce CacheManager (#2785) #2785 (alex)
- move util.Wildcard into its own package (#2853) #2853 (Christoph Mewes)
Tests
- adding unit tests for dapr and updating dapr sdk version (#2846) #2846 (Jaydipkumar Arvindbhai Gabani)
Chores
- upgrade cf to have the defaults injection (#2811) #2811 (alex)
- pkg imported more than once (#2851) #2851 (guangwu)
- bump golang from `918857f` to `419bc89` in /test/image (#2830) #2830 (dependabot[bot])
- bump golang from `918857f` to `419bc89` in /build/tooling (#2831) #2831 (dependabot[bot])
- add ability to choose deployment strategy for controller-manager (#2777) #2777 (Patrik Chadima)
- bump golang from `a3598b9` to `d9f7519` in /test/image (#2868) #2868 (dependabot[bot])
- bump golang from `a3598b9` to `d9f7519` in /build/tooling (#2869) #2869 (dependabot[bot])
- update cert-controller (#2876) #2876 (alex)
- bump golang from `d9f7519` to `851af0a` in /test/image (#2882) #2882 (dependabot[bot])
- bump golang from `d9f7519` to `851af0a` in /build/tooling (#2880) #2880 (dependabot[bot])
- bump github/codeql-action from 2.3.3 to 2.20.4 (#2883) #2883 (dependabot[bot])
- bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (#2815) #2815 (dependabot[bot])
- bump github.com/go-logr/zapr from 1.2.3 to 1.2.4 (#2756) #2756 (dependabot[bot])
- bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible (#2752) #2752 (dependabot[bot])
- bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#2809) #2809 (dependabot[bot])
- bump actions/checkout from 3.3.0 to 3.5.3 (#2828) #2828 (dependabot[bot])
- Prepare v3.13.0-rc.1 release (#2901) #2901 (github-actions[bot])
New Contributors
- @Mitsuwa made their first contribution in #2797
- @doflamingo721 made their first contribution in #2817
- @testwill made their first contribution in #2851
- @xrstf made their first contribution in #2853
- @Hy3n4 made their first contribution in #2777
- @vardhaman-surana made their first contribution in #2862
- @cvrajeesh made their first contribution in #2867
- @carlpett made their first contribution in #2884
- @eshaanm25 ma...
v3.13.0-beta.1
Features
- stats in webhook, audit & gator (#2686) #2686 (alex)
- recursive expansion (#2679) #2679 (Davis Haba)
- add webhookURL helm option (#2722) #2722 (Navid)
- activate stats when flag is on in audit, webhook (#2749) #2749 (alex)
- add gvk aggregator (#2733) #2733 (alex)
- Sync annotation unmarshaling in gator (#2734) #2734 (Anlan Du)
- Adding pubsub interface (#2538) #2538 (Jaydipkumar Arvindbhai Gabani)
Bug Fixes
- eliminate deadlock-on-exit (#2708) #2708 (Max Smythe)
- duplicate gator version (#2743) #2743 (Sertaç Özercan)
Documentation
- Add External Data Response Cache design doc and reorg links based on … (#2724) #2724 (Rita Zhang)
- add landing page to website (#2677) #2677 (Xander Grzywinski)
- add assignImage mutation demo (#2694) #2694 (Rita Zhang)
- Fix meeting link in website bottom bar (#2736) #2736 (Max Smythe)
- remove old redirect for website (#2729) #2729 (Xander Grzywinski)
- expansion docs rewrite (#2707) #2707 (alex)
- fix link to policy library on website (#2738) #2738 (Xander Grzywinski)
- Adding pubsub design to docs (#2732) #2732 (Jaydipkumar Arvindbhai Gabani)
- add docs about stats (#2776) #2776 (alex)
Continuous Integration
- bump trivy version (#2737) #2737 (Sertaç Özercan)
- [StepSecurity] Apply security best practices (#2726) #2726 (StepSecurity Bot)
- fix release action (#2807) #2807 (Sertaç Özercan)
Chores
- bump k8s.io/apiextensions-apiserver from 0.26.3 to 0.26.4 (#2704) #2704 (dependabot[bot])
- bump github/codeql-action from 2.2.11 to 2.2.12 (#2700) #2700 (dependabot[bot])
- bump github/codeql-action from 2.2.12 to 2.3.0 (#2714) #2714 (dependabot[bot])
- configure retries in pre-upgrade hook job (helm) (#2710) #2710 (Anish Ramasekar)
- add k8s 1.27 to tests (#2692) #2692 (Sertaç Özercan)
- bump github/codeql-action from 2.3.0 to 2.3.2 (#2728) #2728 (dependabot[bot])
- bump github.com/onsi/ginkgo/v2 from 2.9.2 to 2.9.4 (#2745) #2745 (dependabot[bot])
- bump github/codeql-action from 2.3.2 to 2.3.3 (#2741) #2741 (dependabot[bot])
- Replace ghodss/yaml with sigs.k8s.io/yaml (#2697) #2697 (Manuel Rüger)
- update go module with /v3 (#2742) #2742 (Sertaç Özercan)
- bump actions/checkout from 3.3.0 to 3.5.2 (#2764) #2764 (dependabot[bot])
- bump actions/setup-go from 4.0.0 to 4.0.1 (#2763) #2763 (dependabot[bot])
- bump codecov/codecov-action from 3.1.3 to 3.1.4 (#2766) #2766 (dependabot[bot])
- bump actions/dependency-review-action from 2.5.1 to 3.0.4 (#2765) #2765 (dependabot[bot])
- bump golang from `595c9af` to `2dc5c56` in /build/tooling (#2761) #2761 (dependabot[bot])
- bump peter-evans/create-or-update-comment from 3.0.0 to 3.0.1 (#2762) #2762 (dependabot[bot])
- bump ossf/scorecard-action from 2.0.6 to 2.1.3 (#2770) #2770 (dependabot[bot])
- bump golang from `595c9af` to `2dc5c56` in /test/image (#2760) #2760 (dependabot[bot])
- bump step-security/harden-runner from 2.3.1 to 2.4.0 (#2771) #2771 (dependabot[bot])
- bump github/codeql-action from 2.3.1 to 2.3.3 (#2772) #2772 (dependabot[bot])
- migrate to dl.k8s.io storage (#2759) #2759 (Sertaç Özercan)
- bump peter-evans/create-pull-request from 5.0.0 to 5.0.1 (#2773) #2773 ([dependabot[bot]](https...