Draft: Update Github - autoclosed

Cody Williams requested to merge renovate/github into main

This MR contains the following updates:

Package Update Change
FairwindsOps/pluto minor 5.16.4 -> 5.18.3
defenseunicorns/zarf minor v0.27.0 -> 0.29.1
fluxcd/flux2 minor 2.0.1 -> 2.1.0
google/go-containerregistry minor v0.15.2 -> 0.16.1
helm/helm patch 3.12.0 -> 3.12.3
kyverno/kyverno minor v1.9.2 -> 1.10.3
mikefarah/yq minor 4.34.1 -> 4.35.1
rancher/k3d minor 5.5.1 -> 5.6.0

Release Notes

FairwindsOps/pluto

v5.18.3

Compare Source

Changelog

You can verify the signatures of both the checksums.txt file and the published docker images using cosign.

cosign 1.x

cosign verify-blob checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub

cosign 2.x

cosign verify-blob checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub --insecure-ignore-tlog
cosign verify us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5 --key https://artifacts.fairwinds.com/cosign.pub

v5.18.2

Compare Source

v5.18.1

Compare Source

v5.18.0

Compare Source

v5.17.0

Compare Source

defenseunicorns/zarf

v0.29.1

Compare Source

What's Changed

Features

Fixes

Development

New Contributors

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.29.0...v0.29.1

v0.29.0

Compare Source

What's Changed

Features

    

Rollup From v0.28 Patch Releases

Fixes

Rollup From v0.28 Patch Releases

Docs

Rollup From v0.28 Patch Releases

Dependencies

Rollup From v0.28 Patch Releases

Development

Rollup From v0.28 Patch Releases

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.28.4...v0.29.0

v0.28.4

Compare Source

What's Changed

Features

Fixes

Docs

Dependencies

Development

New Contributors

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.28.3...v0.28.4

v0.28.3

Compare Source

What's Changed

Features

Fixes

Docs

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.28.2...v0.28.3

v0.28.2

Compare Source

What's Changed

Features

Fixes

Dependencies

Development

New Contributors

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.28.1...v0.28.2

v0.28.1

Compare Source

What's Changed

Features

Fixes

Docs

Dependencies

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.28.0...v0.28.1

v0.28.0

Compare Source

What's Changed

Breaking Changes

This only impacts existing deployments using the k3s component from the default init package; the deprecated APIs are outlined in the K8s Deprecated API Migration Guide. Chart manifests will need to be updated to support the new APIs and redeployed to the cluster, ideally prior to upgrading k3s. Zarf-managed charts can detect deprecations and attempt migrations after a k3s update, but any GitOps deployments will need to be updated manually (see the Helm mapkubeapis plugin if you need to do this after updating k3s).

Features

    

Rollup From v0.27 Patch Releases

Fixes

Rollup From v0.27 Patch Releases

Docs

Rollup From v0.27 Patch Releases

Dependencies

Rollup From v0.27 Patch Releases

Development

Rollup From v0.27 Patch Releases

New Contributors

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.27.1...v0.28.0

v0.27.1

Compare Source

What's Changed

Features

Fixes

Docs

Dependencies

Development

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.27.0...v0.27.1

fluxcd/flux2

v2.1.0

Compare Source

Highlights

Flux v2.1.0 is a feature release. Users are encouraged to upgrade for the best experience.

The Flux APIs were extended with new opt-in features in a backwards-compatible manner.

The Flux Git capabilities have been improved with support for Git push options, Git refspec, Gerrit, HTTP/S and SOCKS5 proxies.

The Flux alerting capabilities have been extended with Datadog support.

The Flux controllers come with performance improvements when reconciling Helm repositories with large indexes (80% memory reduction), and when reconciling Flux Kustomizations with thousands of resources (x4 faster server-side apply). The load distribution has been improved when reconciling Flux objects in parallel to reduce CPU and memory spikes.

Big thanks to all the Flux contributors that helped us with this release!

Deprecations

Flux v2.1.0 comes with support for Kubernetes TLS Secrets when referring to secrets containing TLS certs, and deprecates the usage of caFile, keyFile and certFile keys.

For more details about the TLS changes please see the Kubernetes TLS Secrets section.

Flux v2.1.0 comes with major improvements to the Prometheus monitoring stack. Starting with this version, Flux leverages the kube-state-metrics CRD exporter to report metrics containing rich information about Flux reconciliation status, e.g. Git revision, Helm chart version, OCI artifact digests, etc. The gotk_reconcile_condition metric was deprecated in favor of gotk_resource_info.

For more details about the new monitoring stack please see the Flux Prometheus metrics documentation and the flux2-monitoring-example repository.

API changes

GitRepository v1

The GitRepository API was extended with the following fields:

  • .spec.proxySecretRef.name is an optional field used to specify the name of a Kubernetes Secret that contains the HTTP/S or SOCKS5 proxy settings.
  • .spec.verify.mode now supports one of the following values: HEAD, Tag, TagAndHEAD.

Kustomization v1

The Kustomization API was extended with two apply policies IfNotPresent and Ignore.

The apply behaviour for specific Kubernetes resources can be changed using the following annotations:

| Annotation | Default | Values | Role |
|---|---|---|---|
| kustomize.toolkit.fluxcd.io/ssa | Override | Override, Merge, IfNotPresent, Ignore | Apply policy |
| kustomize.toolkit.fluxcd.io/force | Disabled | Enabled, Disabled | Recreate policy |
| kustomize.toolkit.fluxcd.io/prune | Enabled | Enabled, Disabled | Delete policy |

The IfNotPresent policy instructs the controller to only apply the Kubernetes resources if they are not present on the cluster. This policy can be used for Kubernetes Secrets and ValidatingWebhookConfigurations managed by cert-manager, where Flux creates the resources with fields that are later on mutated by other controllers.

ImageUpdateAutomation v1beta1

The ImageUpdateAutomation was extended with the following fields:

  • .spec.git.push.refspec is an optional field used to specify a Git refspec used when pushing commits upstream.
  • .spec.git.push.options is an optional field used to specify the Git push options to be sent to the Git server when pushing commits upstream.

Kubernetes TLS Secrets

All the Flux APIs that accept TLS data have been modified to adopt Secrets of type kubernetes.io/tls. This includes:

  • HelmRepository: The field .spec.secretRef has been deprecated in favor of a new field .spec.certSecretRef.
  • OCIRepository: Support for the caFile, keyFile and certFile keys in the Secret specified in .spec.certSecretRef has been deprecated in favor of ca.crt, tls.key and tls.crt.
  • ImageRepository: Support for the caFile, keyFile and certFile keys in the Secret specified in .spec.certSecretRef has been deprecated in favor of ca.crt, tls.key and tls.crt.
  • GitRepository: CA certificate can now be provided in the Secret specified in .spec.secretRef using the ca.crt key, which takes precedence over the caFile key.
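
An added example, not code from the Flux project or from this merge request: a Python helper that rewrites a Secret manifest (the JSON shape returned by kubectl get secret -o json) from the deprecated caFile, certFile and keyFile keys to ca.crt, tls.crt and tls.key. The function name, the report format and the sample Secrets are assumptions made for illustration, and the sample values are constructed placeholders rather than real certificates.

```python
"""Rewrite Secrets that still use Flux's deprecated TLS key names (added example)."""
import base64
import copy
import json

# Deprecated key -> replacement key, as listed in the Flux v2.1.0 notes above.
KEY_MAP = {"caFile": "ca.crt", "certFile": "tls.crt", "keyFile": "tls.key"}
TLS_TYPE = "kubernetes.io/tls"
# Fields the API server fills in; they must not be sent when re-creating an object.
SERVER_FIELDS = ("resourceVersion", "uid", "creationTimestamp", "managedFields")


def migrate_tls_secret(secret):
    """Return (new_manifest, report) for one Secret manifest given as a dict.

    Handles both .data (base64) and .stringData (plain text). When a new-style
    key is already present it wins and the deprecated twin is dropped, which
    mirrors the precedence the notes describe for ca.crt over caFile.
    The input dict is not modified.
    """
    out = copy.deepcopy(secret)
    report = {"renamed": [], "dropped": [], "conflicts": [], "type_changed": False}

    for field in ("data", "stringData"):
        values = out.get(field) or {}
        for old, new in KEY_MAP.items():
            if old not in values:
                continue
            old_value = values.pop(old)
            if new in values:
                report["dropped"].append(f"{field}.{old}")
                if values[new] != old_value:
                    # Same role, different content: a human should look at this.
                    report["conflicts"].append(f"{field}.{old} != {field}.{new}")
            else:
                values[new] = old_value
                report["renamed"].append(f"{field}.{old} -> {new}")

    keys = set(out.get("data") or {}) | set(out.get("stringData") or {})
    # kubernetes.io/tls requires both tls.crt and tls.key, so a CA-only Secret
    # keeps whatever type it had.
    if {"tls.crt", "tls.key"} <= keys and out.get("type") != TLS_TYPE:
        out["type"] = TLS_TYPE
        report["type_changed"] = True
        # .type is immutable on an existing Secret, so the result has to be
        # deleted and re-created; strip the server-populated metadata for that.
        for name in SERVER_FIELDS:
            out.get("metadata", {}).pop(name, None)
    return out, report


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample input: placeholder strings, not real certificates or keys.
SAMPLE_SECRETS = [
    {   # Secret that only uses the deprecated key names
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": "helm-tls", "namespace": "flux-system",
                     "resourceVersion": "1234", "uid": "constructed-uid"},
        "data": {"caFile": _b64("CA-PEM"), "certFile": _b64("CERT-PEM"),
                 "keyFile": _b64("KEY-PEM")},
    },
    {   # GitRepository-style Secret carrying both CA keys with different content
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": "git-ca", "namespace": "flux-system"},
        "data": {"ca.crt": _b64("NEW-CA"), "caFile": _b64("OLD-CA"),
                 "username": _b64("git")},
    },
]

if __name__ == "__main__":
    for original in SAMPLE_SECRETS:
        migrated, summary = migrate_tls_secret(original)
        print(json.dumps({"name": migrated["metadata"]["name"],
                          "type": migrated["type"],
                          "keys": sorted(migrated["data"]),
                          "report": summary}, indent=2))
```

A non-empty conflicts list means the deprecated and the new key held different material, so the Secret should be reviewed before the deprecated copy is discarded.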

Upgrade procedure

Upgrade Flux from v2.0.x to v2.1.0 either by rerunning bootstrap or by using the Flux GitHub Action.

To upgrade Flux from v0.x to v2.1.0 please follow the Flux GA upgrade procedure.

Kubernetes compatibility

This release is compatible with the following Kubernetes versions:

Kubernetes version Minimum required
v1.25 >= 1.25.0
v1.26 >= 1.26.0
v1.27 >= 1.27.1
v1.28 >= 1.28.0

Note that Flux may work on older versions of Kubernetes e.g. 1.21, but we don't recommend running end-of-life versions in production nor do we offer support for these versions.

New Documentation

Components changelog

CLI Changelog

google/go-containerregistry

v0.16.1

Compare Source

Release is broken due to goreleaser error, 0.16.1 has the fix

What's Changed

New Contributors

Full Changelog: https://github.com/google/go-containerregistry/compare/v0.15.2...v0.16.1

Container Images

https://gcr.io/go-containerregistry/crane:v0.16.1 https://gcr.io/go-containerregistry/gcrane:v0.16.1

For example:

docker pull gcr.io/go-containerregistry/crane:v0.16.1
docker pull gcr.io/go-containerregistry/gcrane:v0.16.1

v0.16.0

Compare Source

Release is broken due to goreleaser error, 0.16.1 has the fix

helm/helm

v3.12.3: Helm v3.12.3

Compare Source

Helm v3.12.3 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing MRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.12.3. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @​mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.13.0 is the next feature release and will be on September 13, 2023.

Changelog

  • bump kubernetes modules to v0.27.3 3a31588 (Joe Julian)
  • Add priority class to kind sorter fb74155 (Stepan Dohnal)

v3.12.2: Helm v3.12.2

Compare Source

Helm v3.12.2 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing MRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.12.2. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @​mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.12.3 is the next patch/bug fix release and will be on August 9, 2023.
  • 3.13.0 is the next feature release and will be on September 13, 2023.

Changelog

  • add GetRegistryClient method 1e210a2 (wujunwei)
  • chore(deps): bump oras.land/oras-go from 1.2.2 to 1.2.3 cfa7bc6 (dependabot[bot])

v3.12.1: Helm v3.12.1

Compare Source

Helm v3.12.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing MRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.12.1. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @​mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.12.2 is the next patch/bug fix release and will be on July 12, 2023.
  • 3.13.0 is the next feature release and will be on September 13, 2023.

Changelog

  • add some test case f32a527 (wujunwei)
  • fix comment grammar error. 91bb1e3 (wujunwei)
  • bugfix:(#​11391) helm lint infinite loop when malformed template object 5217482 (wujunwei)
  • chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 524a0e7 (dependabot[bot])
  • chore(deps): bump github.com/docker/distribution c60cdf6 (dependabot[bot])
  • update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart 321f71a (Dmitry Kamenskikh)
  • test(search): add mixedCase test case aca1e44 (Höhl, Lukas)
  • chore(deps): bump github.com/lib/pq from 1.10.7 to 1.10.9 c09e93f (dependabot[bot])
  • chore(deps): bump github.com/Masterminds/squirrel from 1.5.3 to 1.5.4 8eab82b (dependabot[bot])
  • chore(deps): bump github.com/Masterminds/semver/v3 from 3.2.0 to 3.2.1 aa6b8aa (dependabot[bot])
  • fix(search): print repo search result in original case 5b19d8e (Höhl, Lukas)
  • strict file permissions of repository.yaml dee1fde (shankeerthan-kasilingam)
  • update kubernetes dependencies from v0.27.0 to v0.27.1 4f32150 (Joe Julian)

kyverno/kyverno

v1.10.3

Compare Source

🐛 Fixed 🐛

Fixed an issue where the error is not returned when the deferred loader is disabled. (https://github.com/kyverno/kyverno/pull/7982)

v1.10.2

Compare Source

Added

  • Added a new --policyReports flag to control if the Policy Reports system is enabled or not. When set to a value of false, only standard Events and log messages will contain policy violations both in admission mode as well as background scans.
  • Booleans can now be properly compared in conditional operators without needing to be converted to string. (#​7847)
  • Added log messages for API call failures. (#​7834)
  • Events will now be created upon successful resource generation. (#​7550)
Helm
  • Added an additional check to the ServiceMonitor template to ensure that the cluster supports the monitoring.coreos.com/v1 API version and if not, it will silently not create the ServiceMonitor instead of failing deployment of the chart. (#​7926)
  • Added chart configurations for cleanup and webhooks. (#​7871)
  • Add nodeSelector and labels to the cleanup CronJobs. (#7851, #7808)

Changed

  • (kyverno-policies chart) Added a precondition to skip DELETE operations on a couple policies to make them all consistent. (#​7883)
  • Schema validation for policies matching on CRDs will be skipped. (#​7869)
  • Performed better validation of policies which use the cloneList declaration in generate rules. (#​7823)
  • Removed an extra Event created by Kyverno in some verifyImages rules. (#​7810)
  • The Event created upon resource mutation has been updated to make more sense. (#​7550)

🐛 Fixed 🐛

  • Fixed an issue where higher log levels weren't being printed in the logs. (#​7877)
  • Fixed an issue with an entry in a nil map when validating a policy. (#​7874)
  • Fixed a type confusion problem. (#​7857)
  • Fixed an issue with namespaceSelector and matching on Namespaces. (#​7837)
  • Fixed an issue where category and severity annotations weren't being returned in policy reports from CLI tests. (#​7828)
  • Fixed an issue where some verifyImages rules may have broken in Audit mode. (#​7806)
  • Fixed an issue in target scope validations for generate rules. (#​7800)
  • Fixed an issue with aggregated admission reports having stale results. (#​7798)
  • Fixed an issue preventing a rollback when a verifyImages rule was in place. (#​7752)
  • Removed some obsolete structs from the CLI. (#​6802)
Helm
  • Fixed a minor chart templating issue in RBAC. (#​7774)

All MRs:

  • #7926 fix(chart): only create ServiceMonitor if cluster supports it
  • #7888 add flag for policy reports
  • #7883 fix(policy chart): Skip DELETE requests on policies using deny statements
  • #7877 fix log level in logging package
  • #7874 policy validation: fix assignment to entry in nil map
  • #7871 feat(chart) Add configurations for cleanup jobs and webhooks
  • #7869 feat: skip schema validation for CRD
  • #7858 fix: add tekton/pipeline to nancy ignore list
  • #7857 fix type confusion in policy validation
  • #7851 Add nodeSelector for cleanupJob CronJob resources
  • #7847 feat: enable operator boolean comparison
  • #7837 fix: namespace label matching for Namespace
  • #7834 Added log message for API call failures
  • #7828 bug: add severity and category in cluster policy report
  • #7823 Feat: cloneList rule validation
  • #7810 fix: skip creating event for an empty resource name
  • #7808 feat: allow pod labels for cleanup jobs
  • #7806 refactor: remove manual keychain refresh from client
  • #7800 fix: target scope validation for the generate rule
  • #7798 fix: aggregated admission report not updated correctly
  • #7774 chart: fix admission controller rbac templating
  • #7752 Modified annotation matching during rollback
  • #7550 feat: add events for successful generation
  • #6802 refactor: remove obsolete structs from CLI

v1.10.1

Compare Source

This patch release of 1.10 unblocks users of generate rules using clone-type declarations as mentioned in the 1.10 migration guide.

Please see the complete 1.10.0 release notes if you are installing/upgrading to 1.10.1 without progressing through 1.10.0.

Please also see the security advisory here acknowledging detected vulnerabilities in the 1.10 release to which Kyverno is NOT susceptible.

Added

  • Added the ability to assign custom labels to policy reports (#​7416)
  • All release artifacts are now signed (#​7478, #​7711)
  • Added a new environment variable, settable on the background controller, called BACKGROUND_SCAN_INTERVAL which can override the background scan interval from its default of one hour (#​7504)
  • Added a new container flag called --enableDeferredLoading (true by default) which allows disabling of the new deferred/lazy context variable loading system introduced in 1.10.0 (#​7694, #​7691)
Helm
  • Added the ability to configure tolerations, resources, and Pod annotations for the admission report cleanup jobs (#​7331, #​7337, #​7366)
  • Added missing delete verb to the admission reports cleanup job ClusterRole (#​7375)
  • Added the ability to set verbs for the additionalresources ClusterRole used by the background controller to address the inability to generate Roles and ClusterRoles (#​7380)
  • Removal of the Helm chart will now properly remove all Kyverno webhooks (#​7633)
  • Added ability to select cluster on the Grafana dashboard (#​7659)
  • Add relabelings and metricRelabelings config to all ServiceMonitors (#​7659)
  • Make ConfigMap labels for the Grafana dashboard ConfigMap configurable (#​7659)
  • Added ability to use imagePullSecrets for the admission reports cleanup CronJobs (#7730)

Changed

  • The new order field available under foreach loops will now be respected when the mutation method is patchStrategicMerge (#​7336)
  • Changed the message returned from a failed permissions check so it's more general in nature (#​7362)
  • Removed the redundant loop protection introduced in 1.10.0 making it possible to match on the same resource kind as Kyverno should generate (#​7388)
  • Performed some internal refactoring of the generate rule type (#​7417)
  • Make it so that setting --webhookTimeout affects all of Kyverno's webhooks and not just the resource webhooks (#​7435)
  • Made it so that the name field for a rule is required (#​7464)
  • Log kind, namespace, and name in processed resources (#​7498)
  • Refactored some reconciliation logic for generate rules (#​7531)
  • Mutation failures, when occurring within a foreach loop, will show the cause (#​7563)
  • Bumped notation-go from 1.0.0-rc.3 to 1.0.0-rc.6 (#​7666)
  • Misc. refactors related to the changes/fixes in deferred/lazy loading (#​7675, #​7678, #​7690)

🐛 Fixed 🐛

  • Fixed a panic when a user installs a policy with an invalid schema (#​6526)
  • Fixed an issue where the default field in a variable-type context variable was not being used when the result was nil (#​7251)
  • Fixed a panic in the reports controller when it encounters an invalid image (#​7332)
  • Fixed an issue when --protectManagedResources was enabled which prevented generation of bindings (#​7363)
  • Fixed a panic when environment variables weren't passed (#​7383)
  • Fixed an inability to use the target.* variable in a mutate existing rule (#​7387)
  • Fixed a sync issue if an array element was removed from a clone source (#​7417)
  • Fixed an issue preventing background reports from being created if an empty response is received for a given API group (#​7428)
  • Fixed an issue where Policy Exceptions weren't being considered for deletes (#​7433)
  • Fixed an issue preventing one clone source from being used in multiple rules or for multiple targets (#​7436)
  • Fixed an issue with generate rules failing when the trigger resource kind used a forward slash (#​7436)
  • Fixed a generate issue in which removal of a single trigger would remove generated resources it shouldn't have (#​7579)
  • Fixed an issue with how Kyverno reports a failure when it cannot fetch a CRD (#​7439)
  • Fixed an issue with auto-gen not generating the correct matching kinds when overridden with the annotation (#​7455)
  • Fixed another issue with auto-gen in which CronJob translated rules weren't translating variables correctly (#​7571)
  • Fixed an issue with a generate rule using a cloneList declaration so that syncs are observed properly (#​7466)
  • Fixed a panic when the background controller substitutes a variable with nil (#​7473)
  • Fixed the scope validation check for a generate rule so it detects the correct resource kind (#​7479)
  • Fixed an issue preventing generated resources from being removed when preconditions no longer matched (#​7496)
  • Fixed a slightly misleading error message in deny conditions (#​7503)
  • Fixed it (finally) so that no informational logs are produced when logging is set to 0 (#​7515)
  • Fixed removal of ownerReferences when generating via clone a resource across Namespaces (#​7517)
  • Fixed residual issues from 1.10.0 for lazy/deferred loading of context variables (#​7552, #​7597)
  • Fixed an issue performing image verification in background mode (#​7564)
  • Make configuring max procs not exit in case of error (#​7588)
  • Fixed some typos in the descriptions of flags applicable to the reports controller (#​7617)
  • Fixed a permissions check when installing a generate policy due to incorrect API group matching (#​7628)
  • Fixed an issue where the service name in a tracer configuration could not be customized (#​7644)
  • Fixed an issue with an image verification rule which would cause updating a Deployment with more than one container to fail (#​7692)
  • Fixed a minor issue in an error message (#​7688)
  • Fixed an issue with locking the schema manager which could result in CRDs not being found (#​7704)
Helm
  • Fixed missing environment variables in the admission controller (#​7383)
  • Fixed missing extraEnvVars on all controllers (#​7403)
  • Fixed an issue templating the new reports cleanup job image (#​7430)
  • Fixed a typo when enabling anti-affinity (#​7440)
  • Fixed missing imagePullSecrets (#​7474)
  • Fixed missing delete verb for Secrets in the admission controller and cleanup controller (#​7527, #​7679)

All MRs:

  • #7730 feat: Add option to add imagePullSecrets to cleanup CronJobs
  • #7712 fix: remove show goreleaser version step
  • #7711 fix: release signing
  • #7704 fix: lock schema manager when updating it
  • #7694 Fix deferred loading (cherry-pick #7597)
  • #7692 fix: image verification (cherry-pick #7652)
  • #7691 feat: add lazy loading feature flag (cherry-pick #7680)
  • #7690 refactor: migrate context loaders (part 2) from #7597 (cherry-pick #7677)
  • #7688 fix: Swap any/all in the error message.
  • #7680 feat: add lazy loading feature flag
  • #7679 fix: cleanup controller rbac (cherry-pick #7669)
  • #7678 refactor: migrate context loaders (part 1) from #7597 (cherry-pick #7676)
  • #7677 refactor: migrate context loaders (part 2) from #7597
  • #7676 refactor: migrate context loaders (part 1) from #7597
  • #7675 refactor: add specific loaders from #7597 (cherry-pick #7671)
  • #7671 refactor: add specific loaders from #7597
  • #7669 fix: cleanup controller rbac
  • #7666 [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6
  • #7659 feat: add cluster select and relabling config for ServiceMonitors
  • #7652 fix: image verification with 2+ containers
  • #7644 fix: customizable tracer configuration
  • #7633 feat: enable Helm webhook cleanup hook by default
  • #7628 fix: auth checks with the APIVersion and the subresource
  • #7617 fix: update the flag descriptions of the reports-controller
  • #7597 Fix deferred loading
  • #7596 fix: CLI tests
  • #7590 Add nancy-ignore to make it pass with current dependencies
  • #7589 chore: reduce sleep duration for generate kuttl tests
  • #7588 fix: make configuring max procs not exit in case of error
  • #7579 fix: deletion mismatch for the generate policy
  • #7571 fix: autogen not working correctly with cronjob conditions
  • #7564 fix: background image verification not working
  • #7563 Fix: Mutate: Foreach: Error cause is missing
  • #7552 fix: recursive lazy loading
  • #7531 refactor: generate reconciliation on policy updates
  • #7527 fix: update kyverno admission-controller role to have delete verb for…
  • #7517 fix: Remove ownerReferences when cloning across Namespaces
  • #7515 fix: log level initialisation
  • #7504 feat: add debug env BACKGROUND_SCAN_INTERVAL
  • #7503 fix: misleading error message in deny conditions
  • #7498 fix: log kind/namespace/name in scan errors
  • #7496 fix: Delete downstream objects on precondition fail
  • #7479 fix: target scope validation for the generate rule
  • #7478 feat: sign released artifacts
  • #7474 fix: image pull secrets in admission controller
  • #7473 fix: background controller panics during variables substitution
  • #7466 fix: cloneList sync behavior
  • #7464 fix: rule name not required in the crd schema
  • #7460 fix: flaky generate test
  • #7455 fix: autogen not generating the correct kind
  • #7440 fixed typo in admission controller chart template
  • #7439 fix: error reported when sanity check fails
  • #7436 fix: the same source cannot be used for multiple targets with a generate clone rule
  • #7435 fix: add missing webhook timeouts
  • #7433 fix: exceptions not considered on delete
  • #7430 fix: helm template for cleanup jobs image
  • #7428 fix: reports discovery error
  • #7417 fix: array element removal should be synced to the downstream resource with a generate data sync rule
  • #7416 feat: hold custom labels
  • #7403 fix: missing extraEnvVars in helm chart
  • #7388 Remove policy validation prevent loop for generate
  • #7387 fix mutate targets validation
  • #7383 fix: missing/incorrect env variables
  • #7380 Allow setting verbs for clusterrole extraresources on backgroundController
  • #7375 Add missing delete verb to admission cleanup clusterrole
  • #7366 feat(cronjobs): Enable podAnnotations on CronJobs
  • #7363 fix: protect managed resource not considering other components
  • #7362 fix: permission validation message
  • #7338 fix: flaky kuttl test add-external-secret-prefix
  • #7337 feat: cleanup jobs resources
  • #7336 feat: obey the order field in patchStrategicMerge method
  • #7332 fix: panic in background reports
  • #7331 feat: cleanup job tolerations
  • #7251 Fix: [Bug] The default field in a context variable does not replace nil results
  • #6526 fix: add type conversion error judgment to avoid program panic

v1.10.0

Compare Source

v1.9.5

Compare Source

🐛 Fixed 🐛

  • Removed some insecure 3DES ciphers. (#7308)

All MRs:

  • #7308 fix: tls cipher suites

v1.9.4

Compare Source

🐛 Fixed 🐛

  • Fixed an issue with the podSecurity subrule (validate.podSecurity) in which using the latest version of the PSS caused the Seccomp control to not be evaluated properly. (#​7263)

All MRs:

  • #7263 fix: PSa latest version check

v1.9.3

Compare Source

Added

  • Added support for configuring webhook annotations via the ConfigMap's webhookAnnotations stanza. This should fix problems for AKS users with the Admission Enforcer entering a reconciliation war with Kyverno over its webhooks. (#6579)

🐛 Fixed 🐛

  • Bumped a Docker dependency (#6787)
  • Skip applying default exclude groups in the match evaluation (#6242)

All MRs:

  • #6787 chore(deps): bump github.com/docker/docker from 23.0.2+incompatible to 23.0.3+incompatible
  • #6579 feat: add webhook annotations support in config map
  • #6242 fix: do not pass dynamicConfig to matchesResourceDescriptionMatchHelper

mikefarah/yq

v4.35.1: - Lua Output!

Compare Source

  • Added Lua output support (Thanks @Zash)!
  • Added BSD checksum format (Thanks @viq)!
  • Bumped dependencies

v4.34.2

Compare Source

Bumped dependencies

rancher/k3d

v5.6.0

Compare Source

Added
  • add: iptables in DinD image (#​1298)
  • docs(podman): add usage for rootless mode on macOS (#​1314)
Changed
  • Potentially Breaking: For people using k3d as a module: switch from netaddr.af to netipx + netip (changed some code around host.k3d.internal and the docker runtime)
  • Potentially Breaking: K3d config directory may change for you: Adhere to XDG's configuration specification (#​1320)
Fixed
  • docs: fix go install command (#​1337)
  • fix docs links in CONTRIBUTING.md
  • chore: pkg imported more than once (#​1313)

v5.5.2

Compare Source

Fixed
Changed
  • change: proxy - update nginx-alpine base image (#​1309)
  • change: add empty /tmp to binary-only image to make it work with config files
Added
  • add: workflow to label issues/prs by sponsors

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This MR will be recreated if closed unmerged. Get config help if that's undesired.


This MR has been generated by Renovate Bot.
