This MR contains the following updates:

Package	Update	Change
bb-common	patch	`0.14.0` -> `0.14.1`
gatekeeper	minor	`3.21.1` -> `3.22.0`
gluon	patch	`0.9.7` -> `0.9.8`
registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper (source)	minor	`v3.21.1` -> `v3.22.0`

Complete MR checklist

Assignee

Followed upgrade instructions outlined in docs/DEVELOPMENT_MAINTENANCE.md
Update Docs with new/updated steps as needed
Tested and Validated Changes made with supporting info like logs or screenshots from test pipelines

Add supporting info below

Reviewer only

Tested and Validated changes

Release Notes

open-policy-agent/gatekeeper (gatekeeper)

`v3.22.0`

Compare Source

🚀 Notable Changes

✅ sync-vap-enforcement-scope now enabled by default: The flag for syncing ValidatingAdmissionPolicy enforcement scope is now true by default, ensuring VAP resources reflect constraint enforcement actions out of the box (#4332).
🏷️ Namespace support for CEL and Rego engines: CEL expressions can now access namespaceObject and Rego policies can access input.namespace for namespace-scoped policy decisions during both admission and audit (#4285)
⚡ gator bench — policy performance benchmarking: New CLI command to benchmark Rego and CEL engines with latency percentiles, throughput metrics, memory profiling, concurrent load testing, and baseline comparison for CI/CD regression detection (#4287)
📋 gator policy — brew-inspired policy management: New CLI for discovering, installing, upgrading, and uninstalling policies from the gatekeeper-library with support for bundles (e.g., pod-security-baseline), enforcement overrides, and dry-run previews (#4331)
🔇 Disable audit sidecar support: Users who have their own log monitoring (e.g., OTel collector) can now disable the forced fake-reader sidecar when audit file-based logging is enabled (#4280)
🌐 Out-of-cluster / remote cluster support: New --enable-remote-cluster flag allows Gatekeeper to run outside the target cluster (e.g., nested/hosted control planes), fixing a crash when the Gatekeeper pod doesn't exist in the managed cluster (#4368)
⏱️ External data provider timeout enforcement: Mutation-path requests to external data providers now enforce the provider's configured timeout (default 5s), preventing unbounded requests that could outlive the webhook timeout and cause resource exhaustion (#4351)

Features

Support disabling audit sidecar (#4280) #4280 (Jorge Turrado Ferrero)
add namespace support for CEL and Rego engines (#4285) #4285 (Jaydip Gabani)
Support metrics backend configuration options to helm chart (#4282) #4282 (Jorge Turrado Ferrero)
set sync-vap-enforcement-scope flag to true (#4332) #4332 (abhisheksheth28)
support print statement in gator (#2949) (#3872) #3872 (Julian)
add gator bench command for policy performance benchmarking (#4287) #4287 (Sertaç Özercan)
gator policy (#4331) #4331 (Sertaç Özercan)

Bug Fixes

Refactor retries for disk driver failed connection removal to be exponential. (#4257) #4257 (devivasudevan)
remove deprecated spec.preserveUnknownFields (#4276) #4276 (Mohamed Meskine)
updating expansion templates to add owner ref in expanded resources (#4262) #4262 (Jaydip Gabani)
chart: Merge namespace exemption labels to fix GKE recommendation (#4348) #4348 (Oliver Karstoft)
enforce timeout on external data provider requests (#4351) #4351 (Jaydip Gabani)
run gatekeeper out of bounds (#4368) #4368 (abhisheksheth28)
thread webhook context through external data mutation requests (#4378) #4378 (Edvin N)
add missing flags as helm values (#4385) #4385 (abhisheksheth28)

Documentation

add field precedence documentation for ConstraintTemplate (#4246) #4246 (Copilot)
adding jfrog provide to external data (#4357) #4357 (carmit hershman)

Continuous Integration

add Slack meeting reminder workflow for OPA Gatekeeper weekly meetings (#4277) #4277 (Copilot)

Chores

bumping kubectl to resolve CVEs (#4248) #4248 (Jaydip Gabani)
bump go.uber.org/zap from 1.27.0 to 1.27.1 (#4263) #4263 (dependabot[bot])
bump golang from 728cbef to a02d35e in /test/export/fake-reader (#4264) #4264 (dependabot[bot])
bump golang from 728cbef to a02d35e in /test/externaldata/dummy-provider (#4265) #4265 (dependabot[bot])
bump golang from 27e1c92 to a02d35e in /test/image (#4266) #4266 (dependabot[bot])
bump the all group with 4 updates (#4269) #4269 (dependabot[bot])
bump golang from 27e1c92 to a02d35e (#4270) #4270 (dependabot[bot])
bump node-forge from 1.3.1 to 1.3.2 in /website (#4274) #4274 (dependabot[bot])
bump golang from 27e1c92 to a02d35e in /test/export/fake-subscriber (#4267) #4267 (dependabot[bot])
bump the all group with 2 updates (#4275) #4275 (dependabot[bot])
migrate from deprecated stale bot app to GitHub Actions stale action (#4245) #4245 (Copilot)
bump express from 4.21.0 to 4.22.1 in /website (#4278) #4278 (dependabot[bot])
bump golang from 27e1c92 to a02d35e in /build/tooling (#4268) #4268 (dependabot[bot])
bump golang from a02d35e to 4f9d98e in /test/export/fake-reader (#4300) #4300 (dependabot[bot])
bump distroless/static-debian12 from 87bce11 to 4b2a093 in /test/export/fake-reader (#4299) #4299 (dependabot[bot])
bump distroless/static-debian12 from 87bce11 to 4b2a093 (#4291) #4291 (dependabot[bot])
bump golang from a02d35e to 4f9d98e in /test/image (#4296) #4296 (dependabot[bot])
remove vendor (#4201) #4201 (Sertaç Özercan)
bump golang from a02d35e to 4f9d98e in /test/externaldata/dummy-provider (#4292) #4292 (dependabot[bot])
bump distroless/static-debian12 from 87bce11 to 4b2a093 in /test/externaldata/dummy-provider (#4293) #4293 (dependabot[bot])
bump golang from a02d35e to 4f9d98e (#4294) #4294 (dependabot[bot])
bump golang from a02d35e to 4f9d98e in /test/export/fake-subscriber (#4298) #4298 (dependabot[bot])
bump distroless/static-debian12 from 87bce11 to 4b2a093 in /test/export/fake-subscriber (#4297) #4297 (dependabot[bot])
bump the all group across 1 directory with 8 updates (#4304) #4304 (dependabot[bot])
bump github.com/spf13/cobra from 1.10.1 to 1.10.2 (#4290) #4290 (dependabot[bot])
bump golang from 4f9d98e to 8e8f9c8 in /test/export/fake-reader (#4316) #4316 (dependabot[bot])
bump golang from b669435 to 8e8f9c8 in /test/image (#4314) #4314 (dependabot[bot])
bump golang from 5d35fb8 to 8e8f9c8 in /test/export/fake-subscriber (#4315) #4315 (dependabot[bot])
bump the all group with 3 updates (#4313) #4313 (dependabot[bot])
bump golang from 5d35fb8 to 8e8f9c8 (#4311) #4311 (dependabot[bot])
bump golang from 5d35fb8 to 8e8f9c8 in /test/externaldata/dummy-provider (#4310) #4310 (dependabot[bot])
bump kubectl from v1.34.2 to v1.34.3 (#4312) #4312 (dependabot[bot])
bump golang from 4f9d98e to 8e8f9c8 in /build/tooling (#4309) #4309 (dependabot[bot])
bump github.com/onsi/gomega from 1.38.2 to 1.38.3 (#4308) #4308 (dependabot[bot])
Update metrics docs to clarify different metrics backends (#4281) #4281 (Jorge Turrado Ferrero)
bump the k8s group with 5 updates (#4306) #4306 (dependabot[bot])
bump google.golang.org/protobuf from 1.36.10 to 1.36.11 (#4307) #4307 (dependabot[bot])
bump qs from 6.14.0 to 6.14.1 in /website (#4321) #4321 (dependabot[bot])
bump golang from 8e8f9c8 to ef151f0 in /test/export/fake-subscriber (#4328) #4328 (dependabot[bot])
bump golang from 8e8f9c8 to ef151f0 in /test/export/fake-reader (#4327) #4327 (dependabot[bot])
bump crate-ci/typos from 1.40.0 to 1.41.0 in the all group (#4326) #4326 (dependabot[bot])
bump golang from 8e8f9c8 to ef151f0 in /test/externaldata/dummy-provider (#4325) #4325 (dependabot[bot])
bump golang from 8e8f9c8 to ef151f0 in /test/image (#4324) #4324 (dependabot[bot])
bump golang from 8e8f9c8 to ef151f0 (#4323) #4323 (dependabot[bot])
bump golang from 8e8f9c8 to ef151f0 in /build/tooling (#4322) #4322 (dependabot[bot])
Move to maintained yaml library (#4227) #4227 (Manuel Rüger)
bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#4254) #4254 (dependabot[bot])
bump distroless/static-debian12 from 4b2a093 to cd64bec in /test/export/fake-subscriber (#4338) #4338 (dependabot[bot])
bump distroless/static-debian12 from 4b2a093 to cd64bec in /test/export/fake-reader (#4337) #4337 (dependabot[bot])
bump the all group across 1 directory with 3 updates (#4339) #4339 (dependabot[bot])
bump distroless/static-debian12 from 4b2a093 to cd64bec in /test/externaldata/dummy-provider (#4334) #4334 (dependabot[bot])
bump go.yaml.in/yaml/v2 from 2.4.2 to 2.4.3 (#4333) #4333 (dependabot[bot])
bump distroless/static-debian12 from 4b2a093 to cd64bec (#4335) #4335 (dependabot[bot])
bump golang from ef151f0 to 04741b0 in /test/export/fake-reader (#4345) #4345 (dependabot[bot])
bump the all group across 1 directory with 3 updates (#4347) #4347 (dependabot[bot])
bump golang from ef151f0 to 04741b0 in /build/tooling (#4342) #4342 (dependabot[bot])
bump golang from ef151f0 to 04741b0 (#4341) #4341 (dependabot[bot])
bump golang from ef151f0 to 04741b0 in /test/export/fake-subscriber (#4346) #4346 (dependabot[bot])
bump golang from ef151f0 to 04741b0 in /test/externaldata/dummy-provider (#4343) #4343 (dependabot[bot])
bump lodash from 4.17.21 to 4.17.23 in /website (#4349) #4349 (dependabot[bot])
bump golang from ef151f0 to 04741b0 in /test/image (#4340) #4340 (dependabot[bot])
bump sigs.k8s.io/controller-runtime from 0.22.4 to 0.22.5 in the k8s group (#4352) #4352 (dependabot[bot])
bump golang from 04741b0 to fb4b74a in /test/export/fake-reader (#4353) #4353 (dependabot[bot])
bump the all group across 1 directory with 5 updates (#4355) #4355 (dependabot[bot])
bumping frameworks (#4356) #4356 (Jaydip Gabani)
bump the all group with 3 updates (#4363) #4363 (dependabot[bot])
bump github.com/onsi/gomega from 1.39.0 to 1.39.1 (#4362) #4362 (dependabot[bot])
Patch docs for 3.21.1 release (#4369) #4369 (github-actions[bot])
adding metrics for VAP integration (#4317) #4317 (Jaydip Gabani)
bump golang from fb4b74a to dfdd969 in /test/export/fake-subscriber (#4377) #4377 (dependabot[bot])
bump the all group with 4 updates (#4375) #4375 (dependabot[bot])
bump golang from fb4b74a to dfdd969 in /test/export/fake-reader (#4376) #4376 (dependabot[bot])
bump golang from fb4b74a to dfdd969 (#4374) #4374 (dependabot[bot])
bump golang from fb4b74a to dfdd969 in /test/externaldata/dummy-provider (#4373) #4373 (dependabot[bot])
bump webpack from 5.95.0 to 5.105.0 in /website (#4370) #4370 (dependabot[bot])
bump golang from fb4b74a to dfdd969 in /test/image (#4372) #4372 (dependabot[bot])
bump golang from fb4b74a to dfdd969 in /build/tooling (#4371) #4371 (dependabot[bot])
bump qs from 6.14.1 to 6.14.2 in /website (#4384) #4384 (dependabot[bot])
bump distroless/static-debian12 from cd64bec to 20bc6c0 (#4386) #4386 (dependabot[bot])
bump kubectl from v1.35.0 to v1.35.1 (#4387) #4387 (dependabot[bot])
bump golang from 1.25-trixie to 1.26-trixie in /test/externaldata/dummy-provider (#4388) #4388 (dependabot[bot])
bump distroless/static-debian12 from cd64bec to 20bc6c0 in /test/externaldata/dummy-provider (#4389) #4389 (dependabot[bot])
bump golang from 1.25-trixie to 1.26-trixie (#4390) #4390 (dependabot[bot])
bump the k8s group with 5 updates (#4391) #4391 (dependabot[bot])
bump distroless/static-debian12 from cd64bec to 20bc6c0 in /test/export/fake-subscriber (#4393) #4393 (dependabot[bot])
bump golang from 1.25-trixie to 1.26-trixie in /test/export/fake-reader (#4394) #4394 (dependabot[bot])
bump golang from 1.25-trixie to 1.26-trixie in /test/export/fake-subscriber (#4395) #4395 (dependabot[bot])
bump distroless/static-debian12 from cd64bec to 20bc6c0 in /test/export/fake-reader (#4396) #4396 (dependabot[bot])
bump the all group across 1 directory with 4 updates (#4398) #4398 (dependabot[bot])
parallelize unit-test CI into coverage, race, and bench jobs, update GH runners (#4397) #4397 (Jaydip Gabani)
bumping otel to 1.40 to fix GO-2026-4394 (#4404) #4404 (Jaydip Gabani)
bump the all group with 6 updates (#4403) #4403 (dependabot[bot])
bumping opa to 1.13.2 and frameworks to latest (#4406) #4406 (Jaydip Gabani)
bumping-cert-controller to latest (#4405) #4405 (Jaydip Gabani)
Prepare v3.22.0-rc.0 release (#4407) #4407 (github-actions[bot])
cherry-pick trivy bump to 0.69.3 for release-3.22 (#4437) #4437 (Jaydip Gabani)
bump golang from 100774d to ab8c494 (#4429) CP (#4436) #4436 (Jaydip Gabani)
Prepare v3.22.0 release (#4438) #4438 (github-actions[bot])

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This MR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this MR, check this box

This MR was automatically generated by Renovate Bot.

Upgrade Notices

(Include any relevant notes about upgrades here or write "N/A" if there are none)

Edited Mar 11, 2026 by Daniel Pritchett

Admin message

chore(deps): update gatekeeper