Releases: open-policy-agent/gatekeeper
Releases · open-policy-agent/gatekeeper
v3.10.0-rc.2
Performance Improvements
- Upgrade constraint framework to v0.8.0 (#2319) #2319 (Max Smythe)
Chores
- Prepare v3.10.0-rc.1 release (#2313) #2313 (github-actions[bot])
- Prepare v3.10.0-rc.2 release (#2325) #2325 (github-actions[bot])
v3.9.2
Performance Improvements
- Upgrade constraint framework to v0.8.0 (#2318) #2318 (Max Smythe)
Chores
- Prepare v3.9.2 release (ritazh)
v3.9.1
Bug Fixes
- Automated cherry pick of #2272: perf: Upgrade Constraint Framework to v0.7.0 (#2299) #2299 (Rita Zhang)
- fix CVE-2022-27664 (#2316) #2316 (Sertaç Özercan)
Chores
- Prepare v3.9.1 release (#2315) #2315 (github-actions[bot])
v3.10.0-rc.1
Features
- Promote mutation to v1 (#2305) #2305 (Max Smythe)
Bug Fixes
- Ignore all stackdriver errors if --stackdriver-only-when-available is set (#2304) #2304 (Max Smythe)
- fix CVE-2022-27664 (#2310) #2310 (Sertaç Özercan)
Documentation
- Update default auditChunkSize in readme (#2303) #2303 (Simeon Bobylev)
- enforcement action override in ExpansionTemplate (#2300) #2300 (davis-haba)
Continuous Integration
- bump trivy to 0.32.1 (#2312) #2312 (Sertaç Özercan)
Chores
- bump github/codeql-action from 2.1.25 to 2.1.26 (#2306) #2306 (dependabot[bot])
New Contributors
Full Changelog: v3.10.0-beta.2...v3.10.0-rc.1
v3.10.0-beta.2
Features
- Expose options to allow injection of external certificates (#2249) #2249 (Ethan Range)
- Expanding generator resources (#2062) #2062 (davis-haba)
- Return violating resource in pkg/gator/test.Test (#2198) #2198 (Julian Katz)
- Add controllerManager tlsMinVersion option to values (#2289) #2289 (Grace Do)
- Add metric reporting to ExpansionTemplate controller (#2276) #2276 (davis-haba)
- enforcement action override for ExpansionTemplates (#2277) #2277 (davis-haba)
Bug Fixes
- Namespace should be nil for audited cluster-scoped resources (#2243) #2243 (Max Smythe)
- skip empty k8s resources (#2247) #2247 (qa-ship-it)
- helm: Fix "Label exempted namespaces" (#2246) #2246 (Mathieu Parent)
- helm upgrade test (#2263) #2263 (Sertaç Özercan)
- Change 'securityContext/capabilities/drop' from 'all' to 'ALL'. (#2273) #2273 (BoatMisser)
- helm: Fix "Label exempted namespaces" (#2290) #2290 (Zhimin Xiang)
Documentation
- update feature state for alpha and beta things (#2260) #2260 (Rita Zhang)
- add brew install instructions to gator docs (#2255) #2255 (Xander Grzywinski)
- Update library links to point to website (#2264) #2264 (Max Smythe)
- Update contributing guide (#2275) #2275 (Rita Zhang)
- documentation for generator resource expansion feature (#2229) #2229 (davis-haba)
Performance Improvements
- Upgrade Constraint Framework to v0.7.0 (#2272) #2272 (Max Smythe)
Continuous Integration
- bump e2e k8s version (#2258) #2258 (Sertaç Özercan)
Chores
- bump github/codeql-action from 2.1.19 to 2.1.20 (#2244) #2244 (dependabot[bot])
- bump github/codeql-action from 2.1.20 to 2.1.22 (#2251) #2251 (dependabot[bot])
- bump contrib.go.opencensus.io/exporter/prometheus from 0.4.1 to 0.4.2 (#2250) #2250 (dependabot[bot])
- bump @docusaurus/core from 2.0.1 to 2.1.0 in /website (#2253) #2253 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.1 to 2.1.0 in /website (#2254) #2254 (dependabot[bot])
- updates gatekeeper website reference (#2257) #2257 (Nilekh Chaudhari)
- bump github.com/google/go-cmp from 0.5.8 to 0.5.9 (#2259) #2259 (dependabot[bot])
- bump github/codeql-action from 2.1.22 to 2.1.23 (#2265) #2265 (dependabot[bot])
- bump k8s.io/client-go from 0.24.4 to 0.24.5 (#2267) #2267 (dependabot[bot])
- bump contrib.go.opencensus.io/exporter/stackdriver from 0.13.13 to 0.13.14 (#2269) #2269 (dependabot[bot])
- bump github/codeql-action from 2.1.23 to 2.1.24 (#2274) #2274 (dependabot[bot])
- bump k8s.io/client-go from 0.24.5 to 0.24.6 (#2284) #2284 (dependabot[bot])
- bump github/codeql-action from 2.1.24 to 2.1.25 (#2281) #2281 (dependabot[bot])
- Prepare v3.10.0-beta.2 release (#2297) #2297 (github-actions[bot])
New Contributors
- @qa-ship-it made their first contribution in #2247
- @salaxander made their first contribution in #2255
- @boatmisser made their first contribution in #2273
- @gracedo made their first contribution in #2289
Full Changelog: v3.10.0-beta.1...v3.10.0-beta.2
v3.10.0-beta.1
Notable changes in this pre-release:
Features
- helm: add topologySpread to controller (#2206) #2206 (Viktor Oreshkin)
- helm: unify and extend hook job pod labels (#2205) #2205 (Viktor Oreshkin)
- helm: add options for hook jobs (#2202) #2202 (Viktor Oreshkin)
- helm: Allow configuration of probe timeouts in Helm Chart (#2220) #2220 (Ethan Range)
- helm: Allow setting annotations for mutating and validating webhook configurations (#2231) #2231 (Ethan Range)
- add audit_last_run_end_time metric (#2235) #2235 (Viktor Oreshkin)
- Add --host as a command line flag (#2227) #2227 (Max Smythe)
Bug Fixes
- update website/versions.json (#2175) #2175 (Ernest Wong)
- chart always use v1beta1 as pdb api version (#2164) #2164 (Mingfei Huang)
- Set spec.hard.pod value to string (#1928) #1928 (Ahmed)
- document mutations name matcher (#2168) #2168 (Nicholas Blott)
- helm: helm chart updates for disabling psp and default api for poddisruptionbudget (#2187) #2187 (Boojapho)
- helm: explicitly specify curl in probeWebhook (#2207) #2207 (Viktor Oreshkin)
- Docker related Makefile improvements (#2209) #2209 (Viktor Oreshkin)
- Only set ConstraintTemplate's status.created on success (#2208) #2208 (Viktor Oreshkin)
Documentation
- link to template provider (#2190) #2190 (Sertaç Özercan)
- add fields that are not populated in audit (#2191) #2191 (Rita Zhang)
- add applyTo field for ModifySet in mutation docs (#2056) #2056 (davis-haba)
Performance Improvements
- Default --max-serving-threads to GOMAXPROCS (#2216) #2216 (Max Smythe)
Continuous Integration
- add stale bot config (#2183) #2183 (Sertaç Özercan)
Chores
- bump k8s.io/client-go from 0.24.2 to 0.24.3 (#2178) #2178 (dependabot[bot])
- bump frameworks to b0dbc52 (#2179) #2179 (Sertaç Özercan)
- bump terser from 5.12.1 to 5.14.2 in /website (#2180) #2180 (dependabot[bot])
- Run trivy scan on git repository and update version (#2169) #2169 (Juan Antonio Osorio)
- update stale tag (#2189) #2189 (Sertaç Özercan)
- bump github/codeql-action from 2.1.16 to 2.1.17 (#2199) #2199 (dependabot[bot])
- bump @docusaurus/core from 2.0.0-rc.1 to 2.0.1 in /website (#2210) #2210 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-rc.1 to 2.0.1 in /website (#2211) #2211 (dependabot[bot])
- remove PSP and migrate to PSA (#2174) #2174 (Sertaç Özercan)
- use volume mounts for tests (#2213) #2213 (Viktor Oreshkin)
- bump github/codeql-action from 2.1.17 to 2.1.18 (#2217) #2217 (dependabot[bot])
- bump ci to Go 1.19 (#2222) #2222 (Sertaç Özercan)
- bump github/codeql-action from 2.1.18 to 2.1.19 (#2233) #2233 (dependabot[bot])
- update audit duration buckets (#2234) #2234 (Viktor Oreshkin)
- bump github.com/emicklei/go-restful from v2.15.0 to v2.16.0 (#2240) #2240 (MIchael Steputat)
- bump k8s.io/apimachinery from 0.24.3 to 0.24.4 (#2236) #2236 (dependabot[bot])
- bump k8s.io/client-go from 0.24.3 to 0.24.4 (#2237) #2237 (dependabot[bot])
- Prepare v3.10.0-beta.1 release (#2242) #2242 (github-actions[bot])
New Contributors
- @max0ne made their first contribution in #2164
- @OpenSourceZombie made their first contribution in #1928
- @JAORMX made their first contribution in #2169
- @Boojapho made their first contribution in #2187
- @stp-bsh made their first contribution in https://github.com/open-policy-agent/gatekeeper/...
v3.10.0-beta.0
Bug Fixes
- sed on specific tag in
make release-manifest
(#2153) #2153 (Ernest Wong) - make audit more fault tolerant, log error instead of skipping update (#2162) #2162 (Rita Zhang)
Documentation
- add singleton for audit (#2155) #2155 (Rita Zhang)
Chores
- bump @docusaurus/core from 2.0.0-beta.21 to 2.0.0-beta.22 in /website (#2157) #2157 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-beta.21 to 2.0.0-beta.22 in /website (#2156) #2156 (dependabot[bot])
- bump k8s.io/klog/v2 from 2.70.0 to 2.70.1 (#2159) #2159 (dependabot[bot])
- bump sigs.k8s.io/controller-runtime from 0.12.2 to 0.12.3 (#2158) #2158 (dependabot[bot])
- bump github/codeql-action from 2.1.15 to 2.1.16 (#2167) #2167 (dependabot[bot])
- bump @docusaurus/core from 2.0.0-beta.22 to 2.0.0-rc.1 in /website (#2170) #2170 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-beta.22 to 2.0.0-rc.1 in /website (#2171) #2171 (dependabot[bot])
- Prepare v3.10.0-beta.0 release (#2173) #2173 (github-actions[bot])
v3.9.0
Notable changes
- External Data TLS/mTLS support 🔐
- Ability to validate subresources 🔎
- OpenCensus and Stackdriver exporters 🏹
- Performance improvements 🏃♂️
Features
- Add post-upgrade job for labeling namespace (#2113) #2113 (Zhimin Xiang)
- Add Constraint schema validation testing (#2092) #2092 (Will Beason)
- Add pod annotations specific for openshift environment (#2116) #2116 (Erez Tamam)
- Allow wildcard at start string and end together (#2130) #2130 (Erez Tamam)
- TLS support for External Data Providers (#2121) #2121 (Ernest Wong)
- Add extra rules to all roles (#2110) #2110 (Erez Tamam)
- adding pod security context variable (#2127) #2127 (ChrisFraun)
- Make gatekeeper validate subresources (#2054) #2054 (Mac Chaffee)
- Allow explicitly skipping tests in gator verify (#2078) #2078 (Will Beason)
- Added dockerfile for gator (#2077) #2077 (HenriWilliams)
- add opencensus and stackdriver exporters (#2017) #2017 (Max Smythe)
- charts: Add objectSelector to webhooks (#2034) #2034 (Nicholas Blott)
- Label exempted namespaces (#2029) #2029 (Mathieu Parent)
- Allow to set affinity for upgradeCRDs (#2015) (Bryan Pearson) #2015
- Add metrics backend flag to Helm chart (#2051) #2051 (Max Smythe)
Performance Improvements
- Integrate go.uber.org/automaxprocs (#2080) #2080 (Max Smythe)
Bug Fixes
- Fix Helm chart webhook exempt Namespace label templating (#2090) #2090 (Luke Addison)
- Validation error in all_ns_must_have_gatekeeper constraint (#2091) #2091 (Amit Raj)
- #2095 GV in constraint StatusViolation (#2098) #2098 (Prachi Pendse)
- Add kubernetes job annotations (#2115) #2115 (Ben Wells)
- remove prs from codeql (#2139) #2139 (Sertaç Özercan)
- Add CTs to sync unit test to avoid flakiness (#2065) #2065 (Max Smythe)
- Add gatekeeper-webhook post install hook to Helm chart (#2052) #2052 (Joao Ubaldo)
- Adding possibility to define extra Role rules (#2064) #2064 (Jiri Tyr)
- Update CF to fix unenforced violations on data deletion (#2038) (Max Smythe) #2038
- release branches shouldn't trigger prerelease job (#2041) (Sertaç Özercan) #2041
- Upgrade deps, including OPA to v0.40.0 (#2069) (Will Beason) #2069
Documentation
- clarify k8s support (#2112) #2112 (Sertaç Özercan)
- add group and version to audit status violations (#2134) #2134 (Rita Zhang)
- TLS and mTLS documentation (#2141) #2141 (Ernest Wong)
- document about using inventory in Case (#2068) #2068 (Jeongwook Park)
- use release-3.8 manifest in v3.8.x installation doc (#2025) #2025 (Ernest Wong)
- add compiler sharding (#2030) #2030 (Rita Zhang)
- mention NET_BIND_SERVICE in cloud-specific (#1983) #1983 (Viktor Oreshkin)
Continuous Integration
- add codeql action (#2138) #2138 (Sertaç Özercan)
- add buildx-builder to gator docker build (#2088) (Sertaç Özercan) #2088
- bump kind and k8s versions (#2048) #2048 (Sertaç Özercan)
Tests
- Use a different template kind per test (#2067) #2067 (Max Smythe)
Chores
- bump k8s.io/client-go from 0.24.1 to 0.24.2 (#2109) #2109 (dependabot[bot])
- bump sigs.k8s.io/controller-runtime from 0.12.1 to 0.12.2 (#2124) #2124 (dependabot[bot])
- Update to opa v0.41 (#2093) #2093 (Manuel Rüger)
- bump github/codeql-action from 2.1.14 to 2.1.15 (#2140) #2140 (dependabot[bot])
- bump clsx from 1.1.1 to 1.2.0 in /website (#2143) #2143 (dependabot[bot])
- bump clsx from 1.2.0 to 1.2.1 in /website (#2148) #2148 ([dependabot[bot]](f5087a1fb1030f5022a0f6cff59...
v3.9.0-rc.1
This release candidate release includes bug fixes and new features. We are planning to release v3.9.0 next week, feedback is welcome!
Changes since v3.9.0-beta.2
Features
- Add post-upgrade job for labeling namespace (#2113) #2113 (Zhimin Xiang)
- Add Constraint schema validation testing (#2092) #2092 (Will Beason)
- Add pod annotations specific for openshift environment (#2116) #2116 (Erez Tamam)
- Allow wildcard at start string and end together (#2130) #2130 (Erez Tamam)
- TLS support for External Data Providers (#2121) #2121 (Ernest Wong)
- Add extra rules to all roles (#2110) #2110 (Erez Tamam)
- adding pod security context variable (#2127) #2127 (ChrisFraun)
Bug Fixes
- Fix Helm chart webhook exempt Namespace label templating (#2090) #2090 (Luke Addison)
- Validation error in all_ns_must_have_gatekeeper constraint (#2091) #2091 (Amit Raj)
- #2095 GV in constraint StatusViolation (#2098) #2098 (Prachi Pendse)
- Add kubernetes job annotations (#2115) #2115 (Ben Wells)
- remove prs from codeql (#2139) #2139 (Sertaç Özercan)
Documentation
- clarify k8s support (#2112) #2112 (Sertaç Özercan)
- add group and version to audit status violations (#2134) #2134 (Rita Zhang)
- TLS and mTLS documentation (#2141) #2141 (Ernest Wong)
Continuous Integration
- add codeql action (#2138) #2138 (Sertaç Özercan)
- add buildx-builder to gator docker build (#2088) (Sertaç Özercan) #2088
Chores
- bump k8s.io/client-go from 0.24.1 to 0.24.2 (#2109) #2109 (dependabot[bot])
- bump sigs.k8s.io/controller-runtime from 0.12.1 to 0.12.2 (#2124) #2124 (dependabot[bot])
- Update to opa v0.41 (#2093) #2093 (Manuel Rüger)
- bump github/codeql-action from 2.1.14 to 2.1.15 (#2140) #2140 (dependabot[bot])
- bump clsx from 1.1.1 to 1.2.0 in /website (#2143) #2143 (dependabot[bot])
- bump clsx from 1.2.0 to 1.2.1 in /website (#2148) #2148 (dependabot[bot])
- Prepare v3.9.0-rc.1 release (#2152) #2152 (github-actions[bot])
New Contributors
- @dippynark made their first contribution in #2090
- @inboxamitraj made their first contribution in #2091
- @bvwells made their first contribution in #2115
- @erezo9 made their first contribution in #2116
- @ChrisFraun made their first contribution in #2127
Full Changelog: v3.9.0-beta.2...v3.9.0-rc.1
v3.9.0-beta.2
Changes since v3.9.0-beta.1
Features
- Make gatekeeper validate subresources (#2054) #2054 (Mac Chaffee)
- Allow explicitly skipping tests in gator verify (#2078) #2078 (Will Beason)
- Added dockerfile for gator (#2077) #2077 (HenriWilliams)
Bug Fixes
- Add CTs to sync unit test to avoid flakiness (#2065) #2065 (Max Smythe)
- Add gatekeeper-webhook post install hook to Helm chart (#2052) #2052 (Joao Ubaldo)
- Adding possibility to define extra Role rules (#2064) #2064 (Jiri Tyr)
Documentation
- document about using inventory in Case (#2068) #2068 (Jeongwook Park)
Performance Improvements
- Integrate go.uber.org/automaxprocs (#2080) #2080 (Max Smythe)
Tests
- Use a different template kind per test (#2067) #2067 (Max Smythe)
Chores
- bump @docusaurus/core from 2.0.0-beta.20 to 2.0.0-beta.21 in /website (#2072) #2072 (dependabot[bot])
- bump @docusaurus/preset-classic from 2.0.0-beta.20 to 2.0.0-beta.21 in /website (#2071) #2071 (dependabot[bot])
- Prepare v3.9.0-beta.2 release (#2079) #2079 (github-actions[bot])
Commits
- Add metrics backend flag to Helm chart (#2051) #2051 (Max Smythe)
- f597d37: Upgrade deps, including OPA to v0.40.0 (#2069) (Will Beason) #2069
New Contributors
- @henrysecond1 made their first contribution in #2068
- @joaoubaldo made their first contribution in #2052
- @jtyr made their first contribution in #2064
- @HenriWilliams made their first contribution in #2077
Full Changelog: v3.9.0-beta.1...v3.9.0-beta.2