Releases: open-policy-agent/gatekeeper
v3.2.0
This stable release has the same changes as v3.2.0-rc.1.
The Gatekeeper library has moved to its own repo at https://github.com/open-policy-agent/gatekeeper-library.
v3.1.2
v3.2.0-rc.1
This release candidate includes bug fixes and new features.
The Gatekeeper library has moved to its own repo at open-policy-agent/gatekeeper-library.
Features 🌈
- [0c20f2f]: Switch to using cert-controller library (#852) (Max Smythe) #852
- [d247099]: Upgrading constraint framework to new version to include label mirror… (#860) (luke abraham) #860
- [aa64e74]: Add group and version to constraint logs and events (#855) (Marcin Mirecki) #855
- [b6f16d4]: Improve user agent for gatekeeper (#858) (Marwan Ahmed) #858
- [02f2af9]: Specify resource limits for audit and controller pod separately using helm values (#874) (Matej Kern) #874
Bug Fixes 🐞
v3.1.1
v3.1.0
🎁 First stable release of Gatekeeper v3! 🍾 🎆 🥳
This stable release is the same as v3.1.0-rc.1.
v3.1.0-rc.1
This release candidate includes bug fixes and new features.
Features 🌈
Bug Fixes 🐞
v3.1.0-beta.12
This beta release includes bug fixes.
Removes the deprecated control-plane label selector from the validating webhook configuration.
Bug Fixes 🐞
v3.1.0-beta.11
This beta release includes bug fixes and new features.
It updates the underlying OPA engine to v0.21.0.
Features 🌈
- [499e4ef]: Config namespace exclusion (#678) (Sertaç Özercan) #678
- [c8ed7d6]: update opa version to 0.21.0 (#716) (Vivek Bagade) #716
- [232f281]: Default multi-pod deployment for webhook (#723) (Rita Zhang) #723
- [694e0ec]: Create K8s Events from webhook denies and dryrun (#727) (Rita Zhang) #727
- [97c8f8e]: Add support for emit k8s events for audit (#739) (Rita Zhang) #739
- [d86432a]: Add missing watch metrics (#706) (Sertaç Özercan) #706
- [9e4ae8e]: add pprof profiling (#744) (Sertaç Özercan) #744
- [9a9e60a]: Add verbose logging option to readiness tracker (#736) (Oren Shomron) #736
- [5adaaf0]: Audit List chunking (#734) (Sertaç Özercan) #734
Bug Fixes 🐞
- [b6a4b2e]: Fix total violations count in logs (#709) (Sertaç Özercan) #709
- [429b4d8]: Mitigate race condition setting logger on webhook initialization (#712) (Max Smythe) #712
- [a208820]: set base helm chart url correctly to the release version (#714) (Will Salt) #714
- [ca05f89]: Ensure cluster scoped resources always match namespace filters (#623) (Robert Sheehy) #623
- [19888e5]: extract tracing logic into a method (#726) (Michael Grosser) #726
- [7de2e34]: Cancel expectation for deleted resources in sync and constraint controller (#722) (Varnika Goyal) #722
- [d5b30d1]: return early from audit if there are no constraints (#728) (Sertaç Özercan) #728
- [2f749ce]: Wrap API client in tests with rate-limit-respecting retry client to prevent transient failures. (#746) (Oren Shomron) #746
v3.1.0-beta.10
This beta release includes bug fixes and new features.
Features 🌈
- [18cb7ca]: Implement status resource design (#627) (Max Smythe) #627
- [d5434cf]: Log the username originating the request that is being denied (#651) (Jose Luis Pedrosa) #651
- [25ca799]: Add ability to set log severity format (#644) (Max Smythe) #644
- [10065e5]: Add helm flag to disable Validating Webhook (#643) (Ryan John Peck) #643
- [f6937bf]: adding docker buildx functionality into CI (#602) (Michael Fornaro) #602
- [606d5ba]: example on enforcing readiness and liveness probes (#632) (alexgaganashvili) #632
- [dc285d8]: Introduce circuit breaker into objectTracker (#683) (Oren Shomron) #683
- [a8b8f36]: Migrate to docker hub (#688) (Sertaç Özercan) #688
- [96145a2]: Add RunAsGroup, SupplementalGroups, and FSGroup functionality to Users PSP (#687) (Emma) #687
Bug Fixes 🐞
- [c4c6820]: Make sure status labels obey the 63 character limit (#674) (Max Smythe) #674
- [403ca4a]: update rbac to include psp (#645) (Rita Zhang) #645
- [f352dad]: Fix users psp for no securityContext (#649) (Rita Zhang) #649
- [5d590a4]: Ensure terminated are ignored for readiness (#662) (Robert Sheehy) #662
- [5fbf86b]: Update host-filesystem psp to block all when input empty (#669) (Emma) #669
- [be78b56]: Update proc-mount psp to allow all when set to unmasked (#668) (Emma) #668
- [324b0ed]: Add kubebuilder RBAC marker for ConstraintTemplate (#685) (Ivan Font) #685
- [d0d1719]: Re-add docker-build makefile target (#670) (Max Smythe) #670
- [8f56e0b]: Change SELinux PSP to block the setting of any SELinux options (#680) (Emma) #680
v3.1.0-beta.9
This beta release includes bug fixes and new features.
It updates the underlying OPA engine to v0.19.1.
Warning
This release includes a breaking change that updates the label selector of the gatekeeper-controller-manager deployment yaml. If upgrading, we recommend you uninstall the previous version of Gatekeeper before deploying the new version.
Features 🌈
- [100034d]: Add example of using a deny-all template to view request obj (#544) (Max Smythe) #544
- [017e9ee]: Enable standalone audit (Rita Zhang) #546
- [bba52f9]: Add cross platform multi-architecture docker image support. (#548) (Michael Fornaro) #548
- [2c1ddc6]: Allow for 'm' memory unit in examples (#564) (Robert Sheehy) #564
- [218bc08]: Github Actions CI pipeline (#570) (Sertaç Özercan) #570
- [d7af532]: Upgrade OPA to v0.19.1 (#576) (Max Smythe) #576
- [9c74d2e]: Add sync metrics (#560) (Sertaç Özercan) #560
- [170b29e]: Sync cert generation before starting webhooks (#581) (yiqigao217) #581
- [2f7243d]: update ci to build and release multi-architecture images (#571) (Michael Fornaro) #571
- [1312aee]: Use "k" instead of "K" for mem parsing (Robert Sheehy) #587
- [8be120b]: Upgrade to controller-runtime 0.6.0, client-go v0.18.2. Rebase dynamiccache fork accordingly (#563) (#601) (Oren Shomron) #601
- [d1362f4]: Split helm output into multiple files (#595) (Max Smythe) #595
- [2c0d17f]: add helm repo generation (#611) (Sertaç Özercan) #611
- [4a9370e]: validation handler benchmark tests (#599) (Shravan Achar) #599
- [804c24b]: add node selector for linux os (#626) (Sertaç Özercan) #626
- [21b6b4a]: Add readiness tracker to ensure caches have been loaded before serving traffic (#541) (Oren Shomron) #541
Bug Fixes 🐞
- [480baac]: Use RWMutex in watch manager to increase parallelism (#547) (Max Smythe) #547
- [54c1139]: Fix PSP sysctls rego (#549) (Philip Laine) #549
- [913fa8b]: Fix certRotator early return bug (#559) (yiqigao217) #559
- [0adf257]: Always recreate manager_image_patch.yaml (#575) (Max Smythe) #575
- [c4c443e]: Decrease verbosity of ReconcileSync logging (#577) (Robert Sheehy) #577
- [93bb992]: Ensure AppArmor rego throws violations as expected (#586) (Emma) #586
- [404bced]: Fix expected service account name (#606) (Rita Zhang) #606
- [3251a59]: Update Seccomp PSP to work as expected (Emma McMillan) #612
- [33d1935]: fix cold cache problem by making a request to api-server (Shravan Achar) #613
- [1baf9f9]: Fix empty resource name for logDenies (#619) (Rita Zhang) #619
- [89f9f03]: Fix bleed-through of watches from other registrars when calling ReplaceWatch() (#620) (Oren Shomron) #620