Releases: open-policy-agent/gatekeeper
v3.18.0-rc.0
Features
- add logStatsAdmission and logStatsAudit into Helm chart (#3526) #3526 (Yuedong Wu)
- Implement config pod status (#3544) #3544 (avinash patnala)
- Gator sync test support (#3098) #3098 (Anlan Du)
- add generate operation and wait for VAPB generation (#3573) #3573 (Jaydip Gabani)
- moving CEL engine to GA (#3685) #3685 (Jaydip Gabani)
- Add commonLabels to Deployments (#3684) #3684 (Wyatt Fry)
- support expansion in gator verify (#3650) #3650 (David Lee)
Bug Fixes
- vap error logging for rego only templates (#3520) #3520 (Martijn van der Ploeg)
- linting error in gatekeeper-controller-manager-poddisruptionbudget.yaml (#3519) #3519 (tberreis)
- helm warning when setting NetworkPolicy ingress rule(s) (#3541) #3541 (Sebastian Stephan)
- Move K8scel driver from framework (#3570) #3570 (avinash patnala)
Documentation
- add alibabacloud to the list of managed services using Gatekeeper in … (#3521) #3521 (DahuK)
- refine alibaba cloud logo png (#3514) (#3524) #3524 (DahuK)
- update mutation docs (#3553) #3553 (m1schka-bdr)
- Update milestone release cadence (#3657) #3657 (Rita Zhang)
- Fix vapb argument (#3694) #3694 (Yi Rae Kim)
Code Refactoring
- Move setting up Obj to old obj on Delete logic to target handler (#3511) #3511 (avinash patnala)
Continuous Integration
- remove dockerfile buildplatform (#3491) #3491 (Sertaç Özercan)
- updating trivy version (#3691) #3691 (Jaydip Gabani)
- push container images to ghcr.io as well (#3658) #3658 (Takahiro Tsuruda)
- fix trivy throttling (#3696) #3696 (Sertaç Özercan)
- fix ghcr push (#3698) #3698 (Sertaç Özercan)
- fix gator image for ghcr (#3700) #3700 (Sertaç Özercan)
- bump to go 1.23 in gha (#3699) #3699 (Sertaç Özercan)
- gha to check for typos in docs (#3703) #3703 (Sertaç Özercan)
Chores
- bump the k8s group with 5 updates (#3503) #3503 (dependabot[bot])
- bump micromatch from 4.0.5 to 4.0.8 in /website (#3517) #3517 (dependabot[bot])
- bump the all group across 1 directory with 3 updates (#3512) #3512 (dependabot[bot])
- bump golang from 1.22-bullseye to 1.23-bullseye in /test/image (#3505) #3505 (dependabot[bot])
- bump golang from 1.22-bookworm to 1.23-bookworm in /build/tooling (#3506) #3506 (dependabot[bot])
- adding design doc for exporting violation interface (#3515) #3515 (Jaydipkumar Arvindbhai Gabani)
- adding helm lint ci test (#3536) #3536 (Jaydipkumar Arvindbhai Gabani)
- Patch docs for 3.17.1 release (#3540) #3540 (github-actions[bot])
- bump kubectl from v1.30.3 to v1.31.1 (#3543) #3543 (dependabot[bot])
- bump golang from 31dc846 to 1a5326b in /build/tooling (#3533) #3533 (dependabot[bot])
- bump golang from ecef830 to 45b4337 in /test/image (#3531) #3531 (dependabot[bot])
- Updating GK -> opa versions (#3537) #3537 (Jaydip Gabani)
- adding common function for error reporting for constraint (#3486) #3486 (Jaydip Gabani)
- bumping opa to 0.68.0 (#3561) #3561 (Jaydip Gabani)
- bump webpack from 5.76.3 to 5.95.0 in /website (#3562) #3562 (dependabot[bot])
- bump golang from 45b4337 to 1a26d5a in /test/image (#3566) #3566 (dependabot[bot])
- bump golang from 1a5326b to dba79eb in /build/tooling (#3565) #3565 (dependabot[bot])
- bump express from 4.19.2 to 4.21.0 in /website (#3542) [#3542](https://github.com/ope...
v3.17.1
Bug Fixes
- vap error logging for rego only templates, cherry-pick (#3520) (#3525) #3525 (Jaydipkumar Arvindbhai Gabani)
- linting error in gatekeeper-controller-manager-poddisruptionbudget.yaml, cherry-pick (#3519) (#3535) #3535 (Jaydipkumar Arvindbhai Gabani)
Chores
- Prepare v3.17.1 release (#3539) #3539 (github-actions[bot])
v3.18.0-beta.0
Bug Fixes
- fixing error reporting for templates without CEL (#3493) #3493 (Jaydipkumar Arvindbhai Gabani)
Documentation
- update vap doc and demo (#3502) #3502 (Rita Zhang)
Chores
- Prepare v3.18.0-beta.0 release (#3510) #3510 (github-actions[bot])
v3.17.0
Notable Changes
- CEL-based policies enforced through Gatekeeper is in beta!
- Generating VAP (Validating Admission Policy) in Gatekeeper has transitioned from using annotations to specifying fields in ConstraintTemplate and Constraint. Please find out more details using VAP through Gatekeeper.
- Ability to enforce specific action for Gatekeeper webhook, audit, gator, or VAP in the same constraint through scopedEnforcementActions field under spec in Constraints.
Features
- add support for CONNECT operations (#3459) #3459 (Thomas Chaplin)
- adding scopedenforcementactions (#3321) #3321 (Jaydipkumar Arvindbhai Gabani)
- separate podlabels in controller-manager and audit deployment (#3378) #3378 (Robert Bublik)
- moving k8s-native-validation feature to beta (#3476) #3476 (Jaydipkumar Arvindbhai Gabani)
- check for CT generateVap intent before generating vapbinding (#3479) #3479 (Jaydipkumar Arvindbhai Gabani)
- adding generateVAP field, removing annotations for vap (#3398) #3398 (Jaydipkumar Arvindbhai Gabani)
- Make service account configurable and add option to opt out of creation (#3404) #3404 (Stef Graces)
Bug Fixes
- fixing artifact upload error (#3437) #3437 (Jaydipkumar Arvindbhai Gabani)
- adding pod subresources in mutation rules (#3426) #3426 (Jaydipkumar Arvindbhai Gabani)
- include cel flags on audit deployment (#3414) #3414 (Noah Reisch)
- only set matchConditions on webhook when not empty (#3412) #3412 (Martijn van der Ploeg)
- #3146 Support close open/fail for Ready Tracker & surface errors swallowed by grp.Wait() (#3308) #3308 (David Lee)
- Remove crashOnFailureFetchingExpectations flag (#3453) #3453 (David Lee)
- fixing error reporting for templates without CEL, cherry-pick (#3493) (#3495) #3495 (Jaydipkumar Arvindbhai Gabani)
Documentation
- quote the subPath conditional (#3385) #3385 (JenTing)
- Update mutation assign doc (#3433) #3433 (Anlan Du)
Continuous Integration
- fix test storage url (#3427) #3427 (Sertaç Özercan)
- revert kubebuilder custom env (#3430) #3430 (Sertaç Özercan)
- adding k8s-1.30 (#3447) #3447 (Jaydipkumar Arvindbhai Gabani)
- fix dockerfile lint (#3474) #3474 (Sertaç Özercan)
Chores
- bump BASEIMAGE from static to static-debian12 (#3386) #3386 (Sahil Verma)
- bump google.golang.org/grpc from 1.62.1 to 1.62.2 (#3346) #3346 (dependabot[bot])
- bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.17.5 in the k8s group across 1 directory (#3382) #3382 (dependabot[bot])
- bump the k8s group across 1 directory with 5 updates (#3387) #3387 (dependabot[bot])
- bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 (#3381) #3381 (dependabot[bot])
- bump cloud.google.com/go/trace from 1.10.6 to 1.10.7 (#3373) #3373 (dependabot[bot])
- bump kubectl from v1.30.0 to v1.30.1 (#3390) #3390 (dependabot[bot])
- bumping to frameworks 2ece026 (#3392) #3392 (Jaydipkumar Arvindbhai Gabani)
- bump golang from d996c64 to 48b942a in /build/tooling (#3347) #3347 (dependabot[bot])
- Patch docs for 3.16.1 release (#3395) #3395 (github-actions[bot])
- bumping frameworks/constraints to 5368a3b697f2 (#3399) #3399 (Jaydipkumar Arvindbhai Gabani)
- Patch docs for 3.16.3 release (#3407) #3407 (Jaydipkumar Arvindbhai Gabani)
- bump the all group across 1 directory with 12 updates (#3431) #3431 (dependabot[bot])
- bump braces from 3.0.2 to 3.0.3 in /website (#3424) #3424 (dependabot[bot])
- bump github.com/go-logr/logr from 1.4.1 to 1.4.2 (#3403) #3403 (dependabot[bot])
- bump the all group across 1 directory with 2 updates (#3444) #3444 (dependabot[bot])
- bump golang from 5c56bd4 to aec4784 in /build/tooling (#3417) #3417 (dependabot[bot])
- bump ws from 7.5.7 ...
v3.17.0-rc.1
Features
- add support for CONNECT operations (#3459) #3459 (Thomas Chaplin)
- adding scopedenforcementactions (#3321) #3321 (Jaydipkumar Arvindbhai Gabani)
- separate podlabels in controller-manager and audit deployment (#3378) #3378 (Robert Bublik)
- moving k8s-native-validation feature to beta (#3476) #3476 (Jaydipkumar Arvindbhai Gabani)
- check for CT generateVap intent before generating vapbinding (#3479) #3479 (Jaydipkumar Arvindbhai Gabani)
- adding generateVAP field, removing annotations for vap (#3398) #3398 (Jaydipkumar Arvindbhai Gabani)
- Make service account configurable and add option to opt out of creation (#3404) #3404 (Stef Graces)
Bug Fixes
- fixing artifact upload error (#3437) #3437 (Jaydipkumar Arvindbhai Gabani)
- adding pod subresources in mutation rules (#3426) #3426 (Jaydipkumar Arvindbhai Gabani)
- include cel flags on audit deployment (#3414) #3414 (Noah Reisch)
- only set matchConditions on webhook when not empty (#3412) #3412 (Martijn van der Ploeg)
- #3146 Support close open/fail for Ready Tracker & surface errors swallowed by grp.Wait() (#3308) #3308 (David Lee)
- Remove crashOnFailureFetchingExpectations flag (#3453) #3453 (David Lee)
- fixing error reporting for templates without CEL, cherry-pick (#3493) (#3495) #3495 (Jaydipkumar Arvindbhai Gabani)
Documentation
- quote the subPath conditional (#3385) #3385 (JenTing)
- Update mutation assign doc (#3433) #3433 (Anlan Du)
Continuous Integration
- fix test storage url (#3427) #3427 (Sertaç Özercan)
- revert kubebuilder custom env (#3430) #3430 (Sertaç Özercan)
- adding k8s-1.30 (#3447) #3447 (Jaydipkumar Arvindbhai Gabani)
- fix dockerfile lint (#3474) #3474 (Sertaç Özercan)
Chores
- bump BASEIMAGE from static to static-debian12 (#3386) #3386 (Sahil Verma)
- bump google.golang.org/grpc from 1.62.1 to 1.62.2 (#3346) #3346 (dependabot[bot])
- bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.17.5 in the k8s group across 1 directory (#3382) #3382 (dependabot[bot])
- bump the k8s group across 1 directory with 5 updates (#3387) #3387 (dependabot[bot])
- bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 (#3381) #3381 (dependabot[bot])
- bump cloud.google.com/go/trace from 1.10.6 to 1.10.7 (#3373) #3373 (dependabot[bot])
- bump kubectl from v1.30.0 to v1.30.1 (#3390) #3390 (dependabot[bot])
- bumping to frameworks 2ece026 (#3392) #3392 (Jaydipkumar Arvindbhai Gabani)
- bump golang from d996c64 to 48b942a in /build/tooling (#3347) #3347 (dependabot[bot])
- Patch docs for 3.16.1 release (#3395) #3395 (github-actions[bot])
- bumping frameworks/constraints to 5368a3b697f2 (#3399) #3399 (Jaydipkumar Arvindbhai Gabani)
- Patch docs for 3.16.3 release (#3407) #3407 (Jaydipkumar Arvindbhai Gabani)
- bump the all group across 1 directory with 12 updates (#3431) #3431 (dependabot[bot])
- bump braces from 3.0.2 to 3.0.3 in /website (#3424) #3424 (dependabot[bot])
- bump github.com/go-logr/logr from 1.4.1 to 1.4.2 (#3403) #3403 (dependabot[bot])
- bump the all group across 1 directory with 2 updates (#3444) #3444 (dependabot[bot])
- bump golang from 5c56bd4 to aec4784 in /build/tooling (#3417) #3417 (dependabot[bot])
- bump ws from 7.5.7 to 7.5.10 in /website (#3425) #3425 (dependabot[bot])
- bump kubectl from v1.30.1 to v1.30.2 (#3420) #3420 (dependabot[bot])
- bump google.golang.org/protobuf from 1.34.0 to 1.34.2 (#3423) #3423 (dependabot[bot])
- bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#3422) #3422 ([dependa...
v3.17.0-rc.0
v3.16.3
Chores
- bumping frameworks/constraints (cp - 3399) (#3400) #3400 (Jaydipkumar Arvindbhai Gabani)
- Prepare v3.16.3 release (#3401) #3401 (github-actions[bot])
v3.16.2
v3.16.1 has been erroneously published for a wrong commit and it has been deleted to avoid any confusion. Please make sure to use v3.16.2 release instead.
Chores
- bumping to frameworks 2ece026, cherry-pick (#3392) (#3393) #3393 (Jaydipkumar Arvindbhai Gabani)
- Prepare v3.16.1 release (#3394) #3394 (github-actions[bot])
- Prepare v3.16.2 release (#3396) #3396 (github-actions[bot])
v3.17.0-beta.0
Documentation
- updates docs with new external data provider (#3356) #3356 (Nilekh Chaudhari)
Chores
- bump clsx from 2.1.0 to 2.1.1 in /website (#3371) #3371 (dependabot[bot])
- bump the k8s group across 1 directory with 4 updates (#3368) #3368 (dependabot[bot])
- bump kubectl from v1.29.3 to v1.30.0 (#3359) #3359 (dependabot[bot])
- adding design docs for scoped EA, VAP as EP, pubsub CRD (#3367) #3367 (Jaydipkumar Arvindbhai Gabani)
- Prepare v3.17.0-beta.0 release (#3379) #3379 (github-actions[bot])
v3.16.0
Notable Changes
- As previously announced, validate-template-rego flag, which was used to validate Rego for constraint templates, is removed in this release. Please make use of Gator to validate constraint template in shift left manner to avoid any impact with this behavior change.
- Integration with Kubernetes Validating Admission Policy (VAP) is now alpha! We are working on changes to the Gatekeeper Policy Library to add CEL-based policies.
What's Changed
- chore: bump kubectl from v1.29.0 to v1.29.1 by @dependabot in #3232
- chore: bump golang from 6ac4c35 to adf7ccb in /build/tooling by @dependabot in #3233
- chore: bump golang from 6ac4c35 to adf7ccb in /test/image by @dependabot in #3231
- chore: bump golang from adf7ccb to 47fa179 in /build/tooling by @dependabot in #3238
- chore: bump golang from adf7ccb to 47fa179 in /test/image by @dependabot in #3236
- docs: add docs on how to contribute templates by @salaxander in #3242
- chore: Setting pubsub annotations using --set in makefile by @JaydipGabani in #3160
- fix: fixing panic in debug log by @JaydipGabani in #3244
- fix: fixing panic in error log by @JaydipGabani in #3246
- docs: add request input struct by @salaxander in #3234
- feat: Update audit and controller manager with pod labels in #3240
- ci: removing auto tagging workflow by @JaydipGabani in #3257
- chore: Prepare v3.16.0-beta.0 release by @github-actions in #3256
- ci: running ci with gatekeeper debug logs by @JaydipGabani in #3260
- fix: Remove validation of constraint template rego by @mzkhan in #3262
- ci: bump k8s matrix by @sozercan in #3267
- chore: bump kubectl from v1.29.1 to v1.29.2 by @dependabot in #3273
- chore: Upgrade controller-runtime to 0.17.2, remove fork by @maxsmythe in #3278
- ci: fix license lint by @sozercan in #3279
- fix #3261 Sort constraint status audit results by @prachirp in #3277
- chore: bump the k8s group with 4 updates by @dependabot in #3280
- chore: bump oras.land/oras-go from 1.2.4 to 1.2.5 by @dependabot in #3239
- chore: bump the all group with 10 updates by @dependabot in #3281
- feat: add disableAudit helm option by @DorB-P in #3270
- chore: bump cloud.google.com/go/trace from 1.10.4 to 1.10.5 by @dependabot in #3254
- feat: vap generation by @ritazh in #3266
- ci: pointing to correct versioned yaml on website creation by @JaydipGabani in #3258
- chore: bump the all group with 4 updates by @dependabot in #3292
- docs: document constraint match.source by @sozercan in #3291
- fix: update unit test for vap generation; add custom assets for envtest by @ritazh in #3289
- chore: bump github.com/golang/protobuf from 1.5.3 to 1.5.4 by @dependabot in #3301
- fix: fixing metrics views by @JaydipGabani in #3307
- chore: bump kubectl from v1.29.2 to v1.29.3 by @dependabot in #3317
- chore: bump the k8s group with 4 updates by @dependabot in #3318
- chore: bump the all group with 4 updates by @dependabot in #3313
- chore: bump follow-redirects from 1.15.4 to 1.15.6 in /website by @dependabot in #3316
- chore: bump google.golang.org/grpc from 1.61.0 to 1.61.1 by @dependabot in #3285
- chore: Prepare v3.16.0-beta.1 release by @github-actions in #3306
- fix: store constraint status audit results in sorted order by @prachirp in #3293
- chore: bump github.com/docker/docker from 25.0.1+incompatible to 25.0.2+incompatible by @dependabot in #3324
- chore: bump cloud.google.com/go/trace from 1.10.5 to 1.10.6 by @dependabot in #3319
- chore: bump frameworks to 359cf1b by @sozercan in #3326
- chore: bump github.com/docker/docker from 25.0.2+incompatible to 25.0.5+incompatible by @dependabot in #3327
- docs: fix go install gator by @sozercan in #3325
- chore: bump webpack-dev-middleware from 5.3.1 to 5.3.4 in /website by @dependabot in #3332
- chore: bump express from 4.18.1 to 4.19.2 in /website by @dependabot in #3334
- feat: enable vap in helm by @ritazh in #3329
- docs: update opa version in readme by @ritazh in #3330
- fix: over-restrictive validation of wildcard match patterns by @bencouture in #3310
- chore: bump to go 1.22 bookworm by @sozercan in #3323
- chore: update lint by @sozercan in #3338
- feat: Enable toggling of deferring to VAP by @maxsmythe in #3335
- feat(helm): matchConditions added in Validating & MutatingWebhookConfiguration by @leewoobin789 in #3343
- chore: Prepare v3.16.0-beta.2 release by @github-actions in #3344
- [StepSecurity] ci: Harden GitHub Actions by @step-security-bot in #3351
- chore: fix GO-2024-2687 by @sozercan in #3350
- docs: correcting metrics names by @JaydipGabani in #3353
- docs: add vap generation doc and demo by @ritazh in #3363
- chore: bump frameworks to c2efb0 by @sozercan in #3366
- chore: Prepare v3.16.0-rc.0 release by @github-actions in #3369
- chore: Prepare v3.16.0 release by @github-actions in #3375
New Contributors
- @mzkhan made their first contribution in #3262
- @DorB-P made their first contribution in #3270
- @bencouture made their first contribution in #3310
Full Changelog: v3.15.0...v3.16.0