Releases: open-policy-agent/gatekeeper

v3.1.0-beta.8

01 Apr 00:49
e83b03a

This beta release removes all finalizers and deprecated flags.

It updates the underlying OPA engine to v0.17.2

New Features

  • Implement dynamic watch manager responsible for event dispatch to watching controllers (#490)
  • Remove deprecated flags (#495)

Bug Fixes 🐞

  • Fix race conditions (#528)
  • Fix no-self-manage logic to compare username (#529)
  • Add an owner reference and a watch to Constraint Template CRDs, remove finalizers (#459)
  • Clear opa cache for CT
  • Fix max retries error (#522)
  • Remove unnecessary config writes (#521)
  • Add seccomp profile (#518)
  • Drop Linux capabilities (#517)
  • Disallow negative values for audit (#512)
  • Cache namespaces in audit (#485)
  • Upgrade to controller-runtime 0.5.0 and kubernetes 1.17. (#506)
  • Use default audit interval (#494)
  • In the helm chart, allow setting pod annotations (#460)
  • Change 'data will be added' from Info to Debug to be less spammy (#482)
  • Add log-level value to manifests (#484)

v3.1.0-beta.7

11 Feb 23:59
98edc61

This beta release includes bug fixes and stable API versions.

Bug Fixes 🐞

  • Uniquify constraint kinds in audit (#470)
  • Set "created" status on update for constraint templates (#468)
  • Report constraint errors in ByPod status (#455)
  • Use status client (#458)
  • Make tracing dump case insensitive (#461)

v3.1.0-beta.6

05 Feb 03:11
84a824f

This beta release includes bug fixes and stable API versions.

Features 🌈

  • Add ObservedGeneration field to ByPod status (#451)

Bug Fixes 🐞

  • Fixes crashloop caused by cert gen (#454)
  • Remove config finalizer (#439)
  • Log constraint addition after successful add to OPA, not after error (#423)
  • Only allow modification of the gatekeeper webhook configuration (#438)

v3.1.0-beta.5

30 Jan 01:35
f5727ee

DO NOT USE

This release has a race condition resulting in a crash. Fixed by #454.

This beta release includes bug fixes and stable API versions.

Warning ⚠️

  • This release updates flags for auditInterval to audit-interval and constraintViolationsLimit to constraint-violations-limit. Deprecated flags will be removed at the next release. (#409)

  • By default, the audit will request each resource from the Kubernetes API during each cycle of the audit. To instead rely on the OPA cache, use the flag --audit-from-cache=true. (#407)

  • A new validating admission webhook was added to reject the admission.gatekeeper.sh/ignore label on non-GK namespaces unless added to the --exempt-namespace flag. (#350)

Features 🌈

  • Add semantic logging for audit (#434)
  • Upgrade constraint framework/OPA (#435) (#441)
  • Add a webhook to reject the gatekeeper-ignore label on non-GK namespaces (#350)
  • Add excludedNamespaces match type (#433)
  • Audit resources using discovery client (#407)
  • Add constraint template semantic logging (#420)
  • Use a designated ServiceAccount instead of the namespace default (#356)
  • Add last audit runtime metric and use common audit timestamps across all metrics and logs (#415)
  • Automatically shut off reconcilers when watch manager exits (#418)

Bug Fixes 🐞

  • Fix by-name namespace matching (#419)

v3.1.0-beta.4

17 Jan 19:00
aea5a6d

This beta release includes bug fixes.

Warning

This release updates flags for auditInterval to audit-interval and constraintViolationsLimit to constraint-violations-limit. Deprecated flags will be removed at a future release. (#409)

Bug Fixes 🐞

  • Fix dryrun denied admission (#426)

v3.1.0-beta.3

14 Jan 19:28
65baf83

This beta release includes bug fixes and stable API versions.

Upgrade Instructions

  • Remove your sync config before upgrading, so that finalizers on synced resources are cleaned up, otherwise they will need to be removed manually.

Features 🌈

  • Add metrics to watch manager (#366)
  • Add constraint template metrics (#377)
  • Allow optional logging when admission was denied (#386)
  • Health and ready checks (#396)

Bug Fixes 🐞

  • Remove the sync finalizer (#369)
  • Upgrade Constraint Framework (#384)
  • Make sure label selectors are checked against both old and new objects (#368)
  • OldObject defaults to null, assume null == missing (#406)
  • Disable default Kubebuilder metrics (#397)

v3.1.0-beta.2

19 Dec 18:51
9e7d5b1

Bug Fixes 🐞

  • Fix deadlock. (#361)

v3.1.0-beta.1

19 Dec 01:38
3b0b452

DO NOT USE

This release has a deadlock, fixed by #361.

Features 🌈

  • Initial metrics integration (#290)

Bug Fixes 🐞

  • Use patch to set finalizers (#317)
  • Add security context to Gatekeeper container (#273)
  • Clean up watch manager (#308)
  • Use namespace of Pod as namespace for cert secret (#347)
  • Inject namespace as part of the request. (#344)

v3.1.0-beta.0

06 Dec 03:48
495420d

Warning

This release is a migration to Kubebuilder V2, which changes the structure of the deployment. If upgrading, we recommend you uninstall the previous version of Gatekeeper before deploying the new version.

Features 🌈

  • ValidatingAdmissionWebhookConfiguration can be fully configured from the manifest -- no more clobbering
  • Certificate generation/rotation can be disabled by setting the flag: --disable-cert-rotation
  • Gatekeeper is managed via a Deployment resource instead of a StatefulSet
  • Migrate to Kubebuilder V2 (#292)
  • Upgrade constraint framework, enabling multi-source constraints (#270)

Bug Fixes 🐞

  • Stop caching constraint status to OPA (#313)
  • Increase CPU limits (#309)
  • Removed unnecessary layers/file copies from Docker images (#279)

v3.0.4-beta.2

19 Oct 01:04
790abd2

This beta release includes bug fixes and stable API versions.

Features 🌈

  • Add PSP library seccomp and AppArmor annotations (#236)
  • Add Https Only to library (#260)
  • Add unique ingress host to library (#253)
  • Add PSP library forbidden sysctls (#233)
  • Add PSP library SELinux (#234)

Bug Fixes 🐞

  • Do not assume the operation is CREATE on audit (#267)
  • Watch manager should ignore unrecognized groups (#263)
  • Add make target-template-source to build pkg/target/target_template_source.go (#257)
  • Image package update and run as a non-root user (#252)
  • Dependency Updates (#251)
  • Use struct literal instead of an interface for the client (#241)
  • Service selector needs to not be in a system namespace in order to be denied (#227)