Releases: open-policy-agent/gatekeeper
v3.13.0-beta.1
Features
- stats in webhook, audit & gator (#2686) #2686 (alex)
- recursive expansion (#2679) #2679 (Davis Haba)
- add webhookURL helm option (#2722) #2722 (Navid)
- activate stats when flag is on in audit, webhook (#2749) #2749 (alex)
- add gvk aggregator (#2733) #2733 (alex)
- Sync annotation unmarshaling in gator (#2734) #2734 (Anlan Du)
- Adding pubsub interface (#2538) #2538 (Jaydipkumar Arvindbhai Gabani)
Bug Fixes
- eliminate deadlock-on-exit (#2708) #2708 (Max Smythe)
- duplicate gator version (#2743) #2743 (Sertaç Özercan)
Documentation
- Add External Data Response Cache design doc and reorg links based on … (#2724) #2724 (Rita Zhang)
- add landing page to website (#2677) #2677 (Xander Grzywinski)
- add assignImage mutation demo (#2694) #2694 (Rita Zhang)
- Fix meeting link in website bottom bar (#2736) #2736 (Max Smythe)
- remove old redirect for website (#2729) #2729 (Xander Grzywinski)
- expansion docs rewrite (#2707) #2707 (alex)
- fix link to policy library on website (#2738) #2738 (Xander Grzywinski)
- Adding pubsub design to docs (#2732) #2732 (Jaydipkumar Arvindbhai Gabani)
- add docs about stats (#2776) #2776 (alex)
Continuous Integration
- bump trivy version (#2737) #2737 (Sertaç Özercan)
- [StepSecurity] Apply security best practices (#2726) #2726 (StepSecurity Bot)
- fix release action (#2807) #2807 (Sertaç Özercan)
Chores
- bump k8s.io/apiextensions-apiserver from 0.26.3 to 0.26.4 (#2704) #2704 (dependabot[bot])
- bump github/codeql-action from 2.2.11 to 2.2.12 (#2700) #2700 (dependabot[bot])
- bump github/codeql-action from 2.2.12 to 2.3.0 (#2714) #2714 (dependabot[bot])
- configure retries in pre-upgrade hook job (helm) (#2710) #2710 (Anish Ramasekar)
- add k8s 1.27 to tests (#2692) #2692 (Sertaç Özercan)
- bump github/codeql-action from 2.3.0 to 2.3.2 (#2728) #2728 (dependabot[bot])
- bump github.com/onsi/ginkgo/v2 from 2.9.2 to 2.9.4 (#2745) #2745 (dependabot[bot])
- bump github/codeql-action from 2.3.2 to 2.3.3 (#2741) #2741 (dependabot[bot])
- Replace ghodss/yaml with sigs.k8s.io/yaml (#2697) #2697 (Manuel Rüger)
- update go module with /v3 (#2742) #2742 (Sertaç Özercan)
- bump actions/checkout from 3.3.0 to 3.5.2 (#2764) #2764 (dependabot[bot])
- bump actions/setup-go from 4.0.0 to 4.0.1 (#2763) #2763 (dependabot[bot])
- bump codecov/codecov-action from 3.1.3 to 3.1.4 (#2766) #2766 (dependabot[bot])
- bump actions/dependency-review-action from 2.5.1 to 3.0.4 (#2765) #2765 (dependabot[bot])
- bump golang from 595c9af to 2dc5c56 in /build/tooling (#2761) #2761 (dependabot[bot])
- bump peter-evans/create-or-update-comment from 3.0.0 to 3.0.1 (#2762) #2762 (dependabot[bot])
- bump ossf/scorecard-action from 2.0.6 to 2.1.3 (#2770) #2770 (dependabot[bot])
- bump golang from 595c9af to 2dc5c56 in /test/image (#2760) #2760 (dependabot[bot])
- bump step-security/harden-runner from 2.3.1 to 2.4.0 (#2771) #2771 (dependabot[bot])
- bump github/codeql-action from 2.3.1 to 2.3.3 (#2772) #2772 (dependabot[bot])
- migrate to dl.k8s.io storage (#2759) #2759 (Sertaç Özercan)
- bump peter-evans/create-pull-request from 5.0.0 to 5.0.1 (#2773) #2773 ([dependabot[bot]](https...
v3.11.1
Bug Fixes
- cutpath for ../ paths (#2508) #2508 (alex)
- [release-3.11] fix golang.org/x/net and github.com/containerd/containerd vulns (#2711) #2711 (Sertaç Özercan)
- [release-3.11] cherry pick #2690 (#2717) #2717 (Sertaç Özercan)
Chores
- Prepare v3.11.1 release (#2718) #2718 (github-actions[bot])
v3.13.0-beta.0
Features
- implement expansion template pod status (#2598) #2598 (Davis Haba)
Bug Fixes
- memory leak in the webhook TLS healthcheck (#2690) #2690 (Thibault Deutsch)
Documentation
- update applyTo description to mention AssignImage (#2648) #2648 (Davis Haba)
- add sbom and provenance (#2665) #2665 (Sertaç Özercan)
- Add sync resource proposal to design docs (#2674) #2674 (Anlan Du)
- Fix typo (#2669) #2669 (Matthias Teich)
Tests
Continuous Integration
- Upgrade checkout action to v3 (#2658) #2658 (Benjamin Muschko)
- fix gator cli build (#2657) #2657 (Sertaç Özercan)
Chores
- bump @docusaurus/core from 2.3.1 to 2.4.0 in /website (#2640) #2640 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.3.1 to 2.4.0 in /website (#2639) #2639 (dependabot[bot])
- bump github.com/onsi/gomega from 1.27.4 to 1.27.5 (#2644) #2644 (dependabot[bot])
- bump github/codeql-action from 2.2.8 to 2.2.9 (#2651) #2651 (dependabot[bot])
- bump peaceiris/actions-gh-pages from 3.9.2 to 3.9.3 (#2664) #2664 (dependabot[bot])
- bump webpack from 5.73.0 to 5.76.3 in /website (#2652) #2652 (dependabot[bot])
- bump sigs.k8s.io/controller-runtime from 0.14.5 to 0.14.6 (#2673) #2673 (dependabot[bot])
- bump github.com/onsi/gomega from 1.27.5 to 1.27.6 (#2671) #2671 (dependabot[bot])
- bump github.com/go-logr/logr from 1.2.3 to 1.2.4 (#2672) #2672 (dependabot[bot])
- bump peter-evans/create-or-update-comment from 2 to 3 (#2680) #2680 (dependabot[bot])
- bump github/codeql-action from 2.2.9 to 2.2.11 (#2689) #2689 (dependabot[bot])
- bump peter-evans/create-pull-request from 4 to 5 (#2681) #2681 (dependabot[bot])
- bump github.com/docker/docker from 20.10.21+incompatible to 20.10.24+incompatible (#2676) #2676 (dependabot[bot])
- upgrade CF for stats (#2698) #2698 (alex)
- Prepare v3.13.0-beta.0 release (#2701) #2701 (github-actions[bot])
v3.12.0
This stable release has no other functional changes from v3.12.0-rc.0.
Notable changes
- 📦 New AssignImage mutator #2429
- 📢 Emit events in the involved objects namespace #2360
- 🥳 Update to Open Policy Agent (OPA) v0.49.2 #2611
- 🚂 Added multi-engine support to allow integration with Kubernetes CEL ValidatingAdmissionPolicy in the future #2616
- 👏 Enable exempt namespace suffix with --exempt-namespace-suffix flag #2636
Features
- Allow writing logs to custom file (#2473) #2473 (Max Smythe)
- More verbose logging for audit (#2503) #2503 (Max Smythe)
- helm: Add a network policy for the controller manager (#2514) #2514 (Kyle Michel)
- enforce kind on admission review (#2512) #2512 (alex)
- add the errorlint check for golangci-lint (#2519) #2519 (Fish-pro)
- implement AssignImage mutator (#2429) #2429 (Davis Haba)
- introduce gci to unify the order of package import (#2545) #2545 (Fish-pro)
- add unconvert check for golang-lint (#2554) #2554 (Fish-pro)
- Emit events in the involved objects namespace (#2360) #2360 (Craig Trought)
- add support for exempt namespace suffix (#2636) #2636 (Janusz Marcinkiewicz)
Bug Fixes
- cutpath for ../ paths (#2498) #2498 (alex)
- when docker build in arm or other not amd64 env. (#2492) #2492 (yanggang)
- high-risk vulnerabilities caused by low version of kubebuilder and yq (#2505) #2505 (fsl)
- syntax errors in the document (#2520) #2520 (Fish-pro)
- updating url in doc config (#2549) #2549 (Jaydipkumar Arvindbhai Gabani)
- add --operation=mutation-controller flag (#2542) #2542 (Davis Haba)
- add vendor manifests back (#2558) #2558 (Sertaç Özercan)
- add missing namespace to static Helm templates (#2593) #2593 (Devon Crouse)
- handle empty spec for modifyset (#2585) #2585 (alex)
- piping input in gator (#2589) #2589 (alex)
- generate mock name for expanded resources (#2529) #2529 (Davis Haba)
- Allow to change WebhookConfiguration name and change preInstall crd image (#2563) #2563 (Jiri Tyr)
- support source field in Constraints (#2552) #2552 (Davis Haba)
- helm: switch to curl as ENTRYPOINT for probeWebhook (#2632) #2632 (thomasmckay)
- index readiness trackers by GK (not GVK) (#2635) #2635 (Davis Haba)
Documentation
- generate 3.11 docs (#2501) #2501 (Sertaç Özercan)
- fix syntax errors (#2513) #2513 (Nico Wang)
- Fix typo in website docs (#2528) #2528 (triangularcover)
- fix example code snippet for docs (#2539) #2539 (triangularcover)
- fix expansion yaml example (#2551) #2551 (Sertaç Özercan)
- update k8s.gcr.io to registry.k8s.io (#2588) #2588 (Rita Zhang)
- Add background information on mutation (#2387) #2387 (Max Smythe)
- Add mutation background to 3.11 (#2590) #2590 (Max Smythe)
- helm: Fix helm chart documentation for setting audit and webhook selectors and affinity (#2617) #2617 (Max Falk)
Code Refactoring
- use Go 1.18 buildinfo (#2541) #2541 (Sertaç Özercan)
Tests
- add some audit tests (#2489) #2489 (Sertaç Özercan)
Continuous Integration
- Releasing benchmarks and benchmarking PR (#2432) #2432 (Jaydipkumar Arvindbhai Gabani)
- add license lint wf for cncf approved licenses (#2461) #2461 ...
v3.12.0-rc.0
Features
- Allow writing logs to custom file (#2473) #2473 (Max Smythe)
- More verbose logging for audit (#2503) #2503 (Max Smythe)
- helm: Add a network policy for the controller manager (#2514) #2514 (Kyle Michel)
- enforce kind on admission review (#2512) #2512 (alex)
- add the errorlint check for golangci-lint (#2519) #2519 (Fish-pro)
- implement AssignImage mutator (#2429) #2429 (Davis Haba)
- introduce gci to unify the order of package import (#2545) #2545 (Fish-pro)
- add unconvert check for golang-lint (#2554) #2554 (Fish-pro)
- Emit events in the involved objects namespace (#2360) #2360 (Craig Trought)
- add support for exempt namespace suffix (#2636) #2636 (Janusz Marcinkiewicz)
Bug Fixes
- cutpath for ../ paths (#2498) #2498 (alex)
- when docker build in arm or other not amd64 env. (#2492) #2492 (yanggang)
- high-risk vulnerabilities caused by low version of kubebuilder and yq (#2505) #2505 (fsl)
- syntax errors in the document (#2520) #2520 (Fish-pro)
- updating url in doc config (#2549) #2549 (Jaydipkumar Arvindbhai Gabani)
- add --operation=mutation-controller flag (#2542) #2542 (Davis Haba)
- add vendor manifests back (#2558) #2558 (Sertaç Özercan)
- add missing namespace to static Helm templates (#2593) #2593 (Devon Crouse)
- handle empty spec for modifyset (#2585) #2585 (alex)
- piping input in gator (#2589) #2589 (alex)
- generate mock name for expanded resources (#2529) #2529 (Davis Haba)
- Allow to change WebhookConfiguration name and change preInstall crd image (#2563) #2563 (Jiri Tyr)
- support source field in Constraints (#2552) #2552 (Davis Haba)
- helm: switch to curl as ENTRYPOINT for probeWebhook (#2632) #2632 (thomasmckay)
- index readiness trackers by GK (not GVK) (#2635) #2635 (Davis Haba)
Documentation
- generate 3.11 docs (#2501) #2501 (Sertaç Özercan)
- fix syntax errors (#2513) #2513 (Nico Wang)
- Fix typo in website docs (#2528) #2528 (triangularcover)
- fix example code snippet for docs (#2539) #2539 (triangularcover)
- fix expansion yaml example (#2551) #2551 (Sertaç Özercan)
- update k8s.gcr.io to registry.k8s.io (#2588) #2588 (Rita Zhang)
- Add background information on mutation (#2387) #2387 (Max Smythe)
- Add mutation background to 3.11 (#2590) #2590 (Max Smythe)
- helm: Fix helm chart documentation for setting audit and webhook selectors and affinity (#2617) #2617 (Max Falk)
Code Refactoring
- use Go 1.18 buildinfo (#2541) #2541 (Sertaç Özercan)
Tests
- add some audit tests (#2489) #2489 (Sertaç Özercan)
Continuous Integration
- Releasing benchmarks and benchmarking PR (#2432) #2432 (Jaydipkumar Arvindbhai Gabani)
- add license lint wf for cncf approved licenses (#2461) #2461 (alex)
- remove kubebuilder dependency (#2524) #2524 (Sertaç Özercan)
- helm: remove unused kustomize step when upgrading (#2564) #2564 (Sertaç Özercan)
- pin golang image to unblock ci (#2573) #2573 (Sertaç Özercan)
- move k8s.gcr.io to registry.k8s.io (#2572) #2572 (Sertaç Özercan)
- remove k8s 1.23 from matrix (#2609) #2609 (Sertaç Özercan)
- bump ci t...
v3.12.0-beta.0
Features
- log constraint annotations (#2464) #2464 (alex)
- helm: extra annotations for postInstall/postUpgrade jobs (#2468) #2468 (Mathieu Parent)
- allow for log-level to be independently configured (#2389) #2389 (congiv)
Bug Fixes
- audit merge errors (#2478) #2478 (Sertaç Özercan)
- include cmd/gator in native-test and fix gatortest_test.go (#2486) #2486 (Davis Haba)
- setup.Info not support format and use %s formatint (#2484) #2484 (Fish-pro)
Documentation
- clarify supported k8s versions (#2475) #2475 (Sertaç Özercan)
- audit-from-cache uses the informer cache instead of opa cache (#2479) #2479 (Rita Zhang)
Continuous Integration
- fix tagged release test (#2466) #2466 (Sertaç Özercan)
- bump release timeout to 45m (#2470) #2470 (Sertaç Özercan)
Chores
- bump github/codeql-action from 2.1.36 to 2.1.37 (#2463) #2463 (dependabot[bot])
- use errors.Is to check for a specific error (#2483) #2483 (Fish-pro)
- bump oras.land/oras-go from 1.2.1 to 1.2.2 (#2480) #2480 (dependabot[bot])
- bump json5 from 2.2.1 to 2.2.3 in /website (#2494) #2494 (dependabot[bot])
- Prepare v3.12.0-beta.0 release (#2493) #2493 (github-actions[bot])
v3.11.0
This stable release has no other changes from v3.11.0-rc.1.
Notable changes
- External data is promoted to beta ✨
- 📢 It is now required to use TLS/mTLS with external data providers
- Gator CLI is promoted to beta 🐊
- Gator CLI now supports trace, AdmissionReview and specifying an OCI image 🎉
Features
- add resource labels to audit logs (#2354) #2354 (davis-haba)
- expose AdmissionReview for gator verify (#2348) #2348 (alex)
- add tracing to gator test, verify (#2364) #2364 (alex)
- add --image flag in gator test|expand (#2398) #2398 (davis-haba)
Bug Fixes
- helm: allow installation of post-install and post-upgrade jobs (#2351) #2351 (Mathieu Parent)
- exclude gs namespace in matchExpressions (#2385) #2385 (Rita Zhang)
- log constraint violations on log denies (#2428) #2428 (alex)
- make gator output relative paths (#2443) #2443 (alex)
- make audit fault tolerant (#2447) #2447 (Rita Zhang)
- docs: adjust link to the mutation docs (#2445) #2445 (Tolleiv Nietsch)
- helm: do not mix ignore and podSecurity labels (#2451) #2451 (Mathieu Parent)
Documentation
- update required version for expansion and rel link for versione… (#2350) #2350 (Rita Zhang)
- search docs (#2362) #2362 (Sertaç Özercan)
- add external data provider list (#2369) #2369 (Sertaç Özercan)
- add expansion and warn to demo (#2368) #2368 (Rita Zhang)
- clairfy g8r requires user for tracing (#2358) #2358 (alex)
- adding doc to enable apiserver authentication in versioned docs (#2378) #2378 (Jaydipkumar Arvindbhai Gabani)
- rename policy library on website (#2414) #2414 (Rita Zhang)
- add library and new features to website (#2417) #2417 (Sertaç Özercan)
- gator: add addmission review doc (#2388) #2388 (alex)
Tests
Continuous Integration
- add k8s 1.26 (#2446) #2446 (Sertaç Özercan)
- bump bats to v1.8.2 🦇 (#2441) #2441 (Sertaç Özercan)
- fix tagged release test for release-3.11 (#2467) #2467 (Sertaç Özercan)
- bump release timeout to 45m (release-3.11) (#2471) #2471 (Sertaç Özercan)
Chores
- bump peaceiris/actions-gh-pages from 3.8.0 to 3.9.0 (#2356) #2356 (dependabot[bot])
- bump github/codeql-action from 2.1.28 to 2.1.29 (#2361) #2361 (dependabot[bot])
- bump @docusaurus/core from 2.1.0 to 2.2.0 in /website (#2371) #2371 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.1.0 to 2.2.0 in /website (#2370) #2370 (dependabot[bot])
- Authenticating api server against webhook (#2359) #2359 (Jaydipkumar Arvindbhai Gabani)
- bump github/codeql-action from 2.1.29 to 2.1.30 (#2383) #2383 (dependabot[bot])
- bump github.com/prometheus/client_golang from 1.13.0 to 1.13.1 (#2384) #2384 (dependabot[bot])
- adding a tag to indicate dry run requests in valication request count metric (#2379) #2379 (Jaydipkumar Arvindbhai Gabani)
- bump loader-utils from 2.0.2 to 2.0.3 in /website (#2392) #2392 (dependabot[bot])
- bump github/codeql-action from 2.1.30 to 2.1.31 (#2391) #2391 (dependabot[bot])
- bump k8s.io/client-go from 0.24.7 to 0.24.8 (#2405) #2405 (dependabot[bot])
- bump github/codeql-action from 2.1.31 to 2.1.32 (#2409) #2409 (dependabot[bot])
- bump loader-utils from 2.0.3 to 2.0.4 in /website (#2411) #2411 (dependabot[bot])
- bump stefanprodan/helm-gh-pages from 1.6.0 to 1.7.0 (#2412) #2412 (dependabot[bot])
- bump github/codeql-action from 2.1.32 to 2.1.33 (#2415) #2415 ([dependabot[b...
v3.11.0-rc.1
Notable changes
- External data is promoted to beta ✨
- 📢 It is now required to use TLS/mTLS with external data providers
- Gator CLI is promoted to beta 🐊
- Gator CLI now supports trace, AdmissionReview and specifying an OCI image 🎉
Features
- add resource labels to audit logs (#2354) #2354 (davis-haba)
- expose AdmissionReview for gator verify (#2348) #2348 (alex)
- add tracing to gator test, verify (#2364) #2364 (alex)
- add --image flag in gator test|expand (#2398) #2398 (davis-haba)
Bug Fixes
- helm: allow installation of post-install and post-upgrade jobs (#2351) #2351 (Mathieu Parent)
- exclude gs namespace in matchExpressions (#2385) #2385 (Rita Zhang)
- log constraint violations on log denies (#2428) #2428 (alex)
- make gator output relative paths (#2443) #2443 (alex)
- make audit fault tolerant (#2447) #2447 (Rita Zhang)
- docs: adjust link to the mutation docs (#2445) #2445 (Tolleiv Nietsch)
- helm: do not mix ignore and podSecurity labels (#2451) #2451 (Mathieu Parent)
Documentation
- update required version for expansion and rel link for versione… (#2350) #2350 (Rita Zhang)
- search docs (#2362) #2362 (Sertaç Özercan)
- add external data provider list (#2369) #2369 (Sertaç Özercan)
- add expansion and warn to demo (#2368) #2368 (Rita Zhang)
- clairfy g8r requires user for tracing (#2358) #2358 (alex)
- adding doc to enable apiserver authentication in versioned docs (#2378) #2378 (Jaydipkumar Arvindbhai Gabani)
- rename policy library on website (#2414) #2414 (Rita Zhang)
- add library and new features to website (#2417) #2417 (Sertaç Özercan)
- gator: add addmission review doc (#2388) #2388 (alex)
Tests
Continuous Integration
- add k8s 1.26 (#2446) #2446 (Sertaç Özercan)
- bump bats to v1.8.2 🦇 (#2441) #2441 (Sertaç Özercan)
- fix tagged release test for release-3.11 (#2467) #2467 (Sertaç Özercan)
Chores
- bump peaceiris/actions-gh-pages from 3.8.0 to 3.9.0 (#2356) #2356 (dependabot[bot])
- bump github/codeql-action from 2.1.28 to 2.1.29 (#2361) #2361 (dependabot[bot])
- bump @docusaurus/core from 2.1.0 to 2.2.0 in /website (#2371) #2371 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.1.0 to 2.2.0 in /website (#2370) #2370 (dependabot[bot])
- Authenticating api server against webhook (#2359) #2359 (Jaydipkumar Arvindbhai Gabani)
- bump github/codeql-action from 2.1.29 to 2.1.30 (#2383) #2383 (dependabot[bot])
- bump github.com/prometheus/client_golang from 1.13.0 to 1.13.1 (#2384) #2384 (dependabot[bot])
- adding a tag to indicate dry run requests in valication request count metric (#2379) #2379 (Jaydipkumar Arvindbhai Gabani)
- bump loader-utils from 2.0.2 to 2.0.3 in /website (#2392) #2392 (dependabot[bot])
- bump github/codeql-action from 2.1.30 to 2.1.31 (#2391) #2391 (dependabot[bot])
- bump k8s.io/client-go from 0.24.7 to 0.24.8 (#2405) #2405 (dependabot[bot])
- bump github/codeql-action from 2.1.31 to 2.1.32 (#2409) #2409 (dependabot[bot])
- bump loader-utils from 2.0.3 to 2.0.4 in /website (#2411) #2411 (dependabot[bot])
- bump stefanprodan/helm-gh-pages from 1.6.0 to 1.7.0 (#2412) #2412 (dependabot[bot])
- bump github/codeql-action from 2.1.32 to 2.1.33 (#2415) #2415 (dependabot[bot])
- Verify CN name as part of client cert check while authenticating api server (#2396) #2396 ([Jaydipkumar Arvindbhai Gabani](21345e1...
v3.11.0-beta.0
Features
- Add extraEnv support to deployments (#2330) #2330 (Matthew Field)
Bug Fixes
- fix CVE-2022-32149 (#2332) #2332 (Sertaç Özercan)
- inject namespace into review data when auditing from cache (#2335) #2335 (davis-haba)
Documentation
- Updating slack community ref in footer (#2336) #2336 (Jaydipkumar Arvindbhai Gabani)
- update audit userinfo (#2340) #2340 (Rita Zhang)
- Change mutation to Stable (#2308) #2308 (Max Smythe)
Styles
Performance Improvements
- Upgrade constraint framework to v0.8.0 (#2317) #2317 (Max Smythe)
- unset CPU limit (#2326) #2326 (alex)
- set mem request and limit to the same value (#2327) #2327 (alex)
Continuous Integration
- bump trivy to 0.32.1 (#2312) #2312 (Sertaç Özercan)
- update set-output usage (#2337) #2337 (Stephan Renatus)
Chores
- bump github/codeql-action from 2.1.26 to 2.1.27 (#2320) #2320 (dependabot[bot])
- bump stefanprodan/helm-gh-pages from 1.5.0 to 1.6.0 (#2321) #2321 (dependabot[bot])
- bump actions/checkout from 3 to 3.1.0 (#2323) #2323 (dependabot[bot])
- bump k8s.io/client-go from 0.24.6 to 0.24.7 (#2343) #2343 (dependabot[bot])
- Adding version info for gk, opa, and frameworks in gator cmd (#2338) #2338 (Jaydipkumar Arvindbhai Gabani)
- bump github/codeql-action from 2.1.27 to 2.1.28 (#2346) #2346 (dependabot[bot])
- Prepare v3.11.0-beta.0 release (#2349) #2349 (github-actions[bot])
v3.10.0
Notable changes
- If you are using Kubernetes v1.25 or later, this release includes removal of Pod Security Policies and migration to Pod Security Admission 🔐
- Mutation is promoted to stable 🦠
- Introducing Validation of Workload Resources as alpha 🚀
- Performance improvements 🏃
Features
- Promote mutation to v1 (#2305) #2305 (Max Smythe)
- Expose options to allow injection of external certificates (#2249) #2249 (Ethan Range)
- Expanding generator resources (#2062) #2062 (davis-haba)
- Return violating resource in pkg/gator/test.Test (#2198) #2198 (Julian Katz)
- Add controllerManager tlsMinVersion option to values (#2289) #2289 (Grace Do)
- Add metric reporting to ExpansionTemplate controller (#2276) #2276 (davis-haba)
- enforcement action override for ExpansionTemplates (#2277) #2277 (davis-haba)
- helm: add topologySpread to controller (#2206) #2206 (Viktor Oreshkin)
- helm: unify and extend hook job pod labels (#2205) #2205 (Viktor Oreshkin)
- helm: add options for hook jobs (#2202) #2202 (Viktor Oreshkin)
- helm: Allow configuration of probe timeouts in Helm Chart (#2220) #2220 (Ethan Range)
- helm: Allow setting annotations for mutating and validating webhook configurations (#2231) #2231 (Ethan Range)
- add audit_last_run_end_time metric (#2235) #2235 (Viktor Oreshkin)
- Add --host as a command line flag (#2227) #2227 (Max Smythe)
- remove PSP and migrate to PSA (#2174) #2174 (Sertaç Özercan)
Bug Fixes
- Ignore all stackdriver errors if --stackdriver-only-when-available is set (#2304) #2304 (Max Smythe)
- fix CVE-2022-27664 (#2310) #2310 (Sertaç Özercan)
- Namespace should be nil for audited cluster-scoped resources (#2243) #2243 (Max Smythe)
- skip empty k8s resources (#2247) #2247 (qa-ship-it)
- helm: Fix "Label exempted namespaces" (#2246) #2246 (Mathieu Parent)
- helm upgrade test (#2263) #2263 (Sertaç Özercan)
- Change 'securityContext/capabilities/drop' from 'all' to 'ALL'. (#2273) #2273 (BoatMisser)
- helm: Fix "Label exempted namespaces" (#2290) #2290 (Zhimin Xiang)
- update website/versions.json (#2175) #2175 (Ernest Wong)
- chart always use v1beta1 as pdb api version (#2164) #2164 (Mingfei Huang)
- Set spec.hard.pod value to string (#1928) #1928 (Ahmed)
- document mutations name matcher (#2168) #2168 (Nicholas Blott)
- helm: helm chart updates for disabling psp and default api for poddisruptionbudget (#2187) #2187 (Boojapho)
- helm: explicitly specify curl in probeWebhook (#2207) #2207 (Viktor Oreshkin)
- Docker related Makefile improvements (#2209) #2209 (Viktor Oreshkin)
- Only set ConstraintTemplate's status.created on success (#2208) #2208 (Viktor Oreshkin)
- sed on specific tag in make release-manifest (#2153) #2153 (Ernest Wong)
- make audit more fault tolerant, log error instead of skipping update (#2162) #2162 (Rita Zhang)
Documentation
- Update default auditChunkSize in readme (#2303) #2303 (Simeon Bobylev)
- enforcement action override in ExpansionTemplate (#2300) #2300 (davis-haba)
- update feature state for alpha and beta things (#2260) #2260 (Rita Zhang)
- add brew install instructions to gator docs (#2255) #2255 (Xander Grzywinski)
- Update library links to point to website (#2264) #2264 (Max Smythe)
- Update contributing guide (#2275) #2275 (Rita Zhang)
- documentation for generator resource expansion feature (#2229) [#2229](https://github.com/open-policy-agen...