gcp-cherry-pick-bot[bot]

Cherry-picked fix: block mutation only when failurePolicy is set to fail (#8952)

  • fix: only block mutation when failurePolicy is set to fail

Signed-off-by: Vishal Choudhary vishal.choudhary@nirmata.com

  • feat: kuttl test

Signed-off-by: Vishal Choudhary vishal.choudhary@nirmata.com

  • fix: add else check

Signed-off-by: Vishal Choudhary vishal.choudhary@nirmata.com

  • fix: update defaulting ns label policy's failure policy to be fail

based on readme, this test has nothing to do with failurePolicy and resource should not be blocked in case of ignore failurePolicy

Signed-off-by: Vishal Choudhary vishal.choudhary@nirmata.com

  • fix: there is another

Signed-off-by: Vishal Choudhary vishal.choudhary@nirmata.com

  • fix: update policy

Signed-off-by: Vishal Choudhary vishal.choudhary@nirmata.com

  • nit

Signed-off-by: Vishal Choudhary vishal.choudhary@nirmata.com

  • feat: add logs

Signed-off-by: Vishal Choudhary vishal.choudhary@nirmata.com

  • Update pkg/webhooks/resource/mutation/mutation.go

Signed-off-by: shuting shuting@nirmata.com


Signed-off-by: Vishal Choudhary vishal.choudhary@nirmata.com
Signed-off-by: shuting shuting@nirmata.com
Co-authored-by: shuting shuting@nirmata.com
Co-authored-by: shuting shutting06@gmail.com


codecov bot commented Nov 22, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (c86039d) 33.35% compared to head (3b7e914) 33.35%.

Additional details and impacted files
@@              Coverage Diff              @@
##           release-1.11    #8986   +/-   ##
=============================================
  Coverage         33.35%   33.35%           
=============================================
  Files               312      312           
  Lines             25070    25070           
=============================================
  Hits               8362     8362           
  Misses            15914    15914           
  Partials            794      794           


@realshuting realshuting enabled auto-merge (squash) November 22, 2023 17:23
@realshuting realshuting merged commit 53fa22b into release-1.11 Nov 22, 2023
@realshuting realshuting deleted the cherry-pick-87dd09-release-1.11 branch November 22, 2023 17:30
renovate bot referenced this pull request in allenporter/flux-local Dec 20, 2023

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [kyverno/kyverno](https://togithub.com/kyverno/kyverno) | minor | `v1.10.0` -> `v1.11.1` |

---

### Release Notes

<details>
<summary>kyverno/kyverno (kyverno/kyverno)</summary>

### [`v1.11.1`](https://togithub.com/kyverno/kyverno/releases/tag/v1.11.1)

[Compare
Source](https://togithub.com/kyverno/kyverno/compare/v1.11.0...v1.11.1)

#### What's Changed

- Reduced verbosity of admission request filter INFO log message
(cherry-pick
[#&#8203;8712](https://togithub.com/kyverno/kyverno/issues/8712)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/8882](https://togithub.com/kyverno/kyverno/pull/8882)
- Close reponse right after succesful request (cherry-pick
[#&#8203;8894](https://togithub.com/kyverno/kyverno/issues/8894)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/8896](https://togithub.com/kyverno/kyverno/pull/8896)
- chore(deps): bump
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
from 0.45.0 to 0.46.0 (cherry pick:
[#&#8203;8893](https://togithub.com/kyverno/kyverno/issues/8893)) by
[@&#8203;vishal-chdhry](https://togithub.com/vishal-chdhry) in
[https://github.com/kyverno/kyverno/pull/8897](https://togithub.com/kyverno/kyverno/pull/8897)
- Add policyKind option to kyverno-policies chart (cherry-pick
[#&#8203;8827](https://togithub.com/kyverno/kyverno/issues/8827)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/8923](https://togithub.com/kyverno/kyverno/pull/8923)
- \[Helm] correct typo in README for Kyverno 1.10+ (cherry-pick
[#&#8203;8911](https://togithub.com/kyverno/kyverno/issues/8911)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/8927](https://togithub.com/kyverno/kyverno/pull/8927)
- Revert "fix(chart): only create ServiceMonitor if cluster supports it
([#&#8203;7926](https://togithub.com/kyverno/kyverno/issues/7926))
(cherry-pick
[#&#8203;8913](https://togithub.com/kyverno/kyverno/issues/8913)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/8931](https://togithub.com/kyverno/kyverno/pull/8931)
- feat: add checks for max response size in API Call (cherry-pick
[#&#8203;8957](https://togithub.com/kyverno/kyverno/issues/8957)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/8971](https://togithub.com/kyverno/kyverno/pull/8971)
- fix: update KeysAreMissing() to ignore negations in resource
(cherry-pick
[#&#8203;8953](https://togithub.com/kyverno/kyverno/issues/8953)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/8982](https://togithub.com/kyverno/kyverno/pull/8982)
- fix: block mutation only when failurePolicy is set to fail
(cherry-pick
[#&#8203;8952](https://togithub.com/kyverno/kyverno/issues/8952)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/8986](https://togithub.com/kyverno/kyverno/pull/8986)
- fix: delete VAPs in case Kyverno policies can't be translated
(cherry-pick
[#&#8203;8887](https://togithub.com/kyverno/kyverno/issues/8887)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/9019](https://togithub.com/kyverno/kyverno/pull/9019)
- fix: use v2beta1 version of exceptions in kyverno create CLI
(cherry-pick
[#&#8203;8908](https://togithub.com/kyverno/kyverno/issues/8908)) by
[@&#8203;MariamFahmy98](https://togithub.com/MariamFahmy98) in
[https://github.com/kyverno/kyverno/pull/9020](https://togithub.com/kyverno/kyverno/pull/9020)
- fix: remove the additional dash in kyverno create exception
(cherry-pick
[#&#8203;8983](https://togithub.com/kyverno/kyverno/issues/8983)) by
[@&#8203;MariamFahmy98](https://togithub.com/MariamFahmy98) in
[https://github.com/kyverno/kyverno/pull/9021](https://togithub.com/kyverno/kyverno/pull/9021)
- fix: use the default namespace in case --namespace isn't set in
kyverno create exception (cherry-pick
[#&#8203;9014](https://togithub.com/kyverno/kyverno/issues/9014)) by
[@&#8203;MariamFahmy98](https://togithub.com/MariamFahmy98) in
[https://github.com/kyverno/kyverno/pull/9022](https://togithub.com/kyverno/kyverno/pull/9022)
- Remove var check (cherry-pick
[#&#8203;8990](https://togithub.com/kyverno/kyverno/issues/8990)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/9024](https://togithub.com/kyverno/kyverno/pull/9024)
- fix: use validate.message in case there is no message associated with
the CEL expression (cherry-pick
[#&#8203;8883](https://togithub.com/kyverno/kyverno/issues/8883)) by
[@&#8203;MariamFahmy98](https://togithub.com/MariamFahmy98) in
[https://github.com/kyverno/kyverno/pull/9025](https://togithub.com/kyverno/kyverno/pull/9025)
- fix: cleanup older policy reports (cherry-pick
[#&#8203;9026](https://togithub.com/kyverno/kyverno/issues/9026)) by
[@&#8203;gcp-cherry-pick-bot](https://togithub.com/gcp-cherry-pick-bot)
in
[https://github.com/kyverno/kyverno/pull/9035](https://togithub.com/kyverno/kyverno/pull/9035)
- Release 1.11.1 by
[@&#8203;realshuting](https://togithub.com/realshuting) in
[https://github.com/kyverno/kyverno/pull/9039](https://togithub.com/kyverno/kyverno/pull/9039)

**Full Changelog**:
kyverno/kyverno@v1.11.0...v1.11.1

### [`v1.11.0`](https://togithub.com/kyverno/kyverno/blob/HEAD/CHANGELOG.md#v1110)

[Compare
Source](https://togithub.com/kyverno/kyverno/compare/v1.10.7...v1.11.0)

### [`v1.10.7`](https://togithub.com/kyverno/kyverno/releases/tag/v1.10.7)

[Compare
Source](https://togithub.com/kyverno/kyverno/compare/v1.10.6...v1.10.7)

#### What's Changed

- chore: fix high vulnerabilities, in release 1.10 by
[@&#8203;vishal-chdhry](https://togithub.com/vishal-chdhry) in
[https://github.com/kyverno/kyverno/pull/9226](https://togithub.com/kyverno/kyverno/pull/9226)
    -   CVE-2023-30551 in `github.com/sigstore/rekor`
    -   CVE-2023-45142 in `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp`
    -   GHSA-m425-mq94-257g in `google.golang.org/grpc`
- release 1.10.7 by
[@&#8203;realshuting](https://togithub.com/realshuting) in
[https://github.com/kyverno/kyverno/pull/9231](https://togithub.com/kyverno/kyverno/pull/9231)

**Full Changelog**:
kyverno/kyverno@v1.10.6...v1.10.7

### [`v1.10.6`](https://togithub.com/kyverno/kyverno/releases/tag/v1.10.6)

[Compare
Source](https://togithub.com/kyverno/kyverno/compare/v1.10.5...v1.10.6)

#### What's Changed

- feat: add checks for max response size in API Call (release 1.10.6) by
[@&#8203;vishal-chdhry](https://togithub.com/vishal-chdhry) in
[https://github.com/kyverno/kyverno/pull/8981](https://togithub.com/kyverno/kyverno/pull/8981)
- fix(test): random results when namespace is not specified
\[v1.9-v1.10] by [@&#8203;aslafy-z](https://togithub.com/aslafy-z) in
[https://github.com/kyverno/kyverno/pull/8989](https://togithub.com/kyverno/kyverno/pull/8989)
- Release 1.10.6 by
[@&#8203;realshuting](https://togithub.com/realshuting) in
[https://github.com/kyverno/kyverno/pull/9030](https://togithub.com/kyverno/kyverno/pull/9030)

**Full Changelog**:
kyverno/kyverno@v1.10.5...v1.10.6

### [`v1.10.5`](https://togithub.com/kyverno/kyverno/releases/tag/v1.10.5)

[Compare
Source](https://togithub.com/kyverno/kyverno/compare/v1.10.4...v1.10.5)

#### What's Changed

- feat: add GHSA-vfp6-jrw2-99g9 fixes in cosign v1.13.1 by
[@&#8203;vishal-chdhry](https://togithub.com/vishal-chdhry) in
[https://github.com/kyverno/kyverno/pull/8870](https://togithub.com/kyverno/kyverno/pull/8870)
- Release 1.10.5 by
[@&#8203;realshuting](https://togithub.com/realshuting) in
[https://github.com/kyverno/kyverno/pull/8881](https://togithub.com/kyverno/kyverno/pull/8881)

**Full Changelog**:
kyverno/kyverno@v1.10.4...v1.10.5

### [`v1.10.4`](https://togithub.com/kyverno/kyverno/releases/tag/v1.10.4)

[Compare
Source](https://togithub.com/kyverno/kyverno/compare/v1.10.3...v1.10.4)

#### What's Changed

- fix: backport CVE fixes by
[@&#8203;realshuting](https://togithub.com/realshuting) in
[https://github.com/kyverno/kyverno/pull/8798](https://togithub.com/kyverno/kyverno/pull/8798)
- Release 1.10.4 by
[@&#8203;realshuting](https://togithub.com/realshuting) in
[https://github.com/kyverno/kyverno/pull/8799](https://togithub.com/kyverno/kyverno/pull/8799)
- chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.0
([#&#8203;8809](https://togithub.com/kyverno/kyverno/issues/8809)) by
[@&#8203;realshuting](https://togithub.com/realshuting) in
[https://github.com/kyverno/kyverno/pull/8811](https://togithub.com/kyverno/kyverno/pull/8811)
- fix: upgrade cosign installer version in release 1.10 and use cosign
1.13.1 by [@&#8203;vishal-chdhry](https://togithub.com/vishal-chdhry) in
[https://github.com/kyverno/kyverno/pull/8813](https://togithub.com/kyverno/kyverno/pull/8813)

**Full Changelog**:
kyverno/kyverno@v1.10.3...v1.10.4

### [`v1.10.3`](https://togithub.com/kyverno/kyverno/releases/tag/v1.10.3)

[Compare
Source](https://togithub.com/kyverno/kyverno/compare/v1.10.2...v1.10.3)

#### 🐛 Fixed 🐛

Fixed an issue where the error is not returned when the deferred loader
is disabled.
([https://github.com/kyverno/kyverno/pull/7982](https://togithub.com/kyverno/kyverno/pull/7982))

### [`v1.10.2`](https://togithub.com/kyverno/kyverno/releases/tag/v1.10.2)

[Compare
Source](https://togithub.com/kyverno/kyverno/compare/v1.10.1...v1.10.2)

#### ✨ Added ✨

- Added a new `--policyReports` flag to control if the Policy Reports
system is enabled or not. When set to a value of `false`, only standard
Events and log messages will contain policy violations both in admission
mode as well as background scans.
- Booleans can now be properly compared in conditional operators without
needing to be converted to string.
([#&#8203;7847](https://togithub.com/kyverno/kyverno/issues/7847))
- Added log messages for API call failures.
([#&#8203;7834](https://togithub.com/kyverno/kyverno/issues/7834))
- Events will now be created upon successful resource generation.
([#&#8203;7550](https://togithub.com/kyverno/kyverno/issues/7550))

##### Helm

- Added an additional check to the ServiceMonitor template to ensure
that the cluster supports the `monitoring.coreos.com/v1` API version and
if not, it will silently not create the ServiceMonitor instead of
failing deployment of the chart.
([#&#8203;7926](https://togithub.com/kyverno/kyverno/issues/7926))
- Added chart configurations for cleanup and webhooks.
([#&#8203;7871](https://togithub.com/kyverno/kyverno/issues/7871))
- Add nodeSelector and labels to the cleanup CronJobs.
([#&#8203;7851](https://togithub.com/kyverno/kyverno/issues/7851),
[#&#8203;7808](https://togithub.com/kyverno/kyverno/issues/7808))

#### ⚠️ Changed ⚠️

- (kyverno-policies chart) Added a precondition to skip DELETE
operations on a couple policies to make them all consistent.
([#&#8203;7883](https://togithub.com/kyverno/kyverno/issues/7883))
- Schema validation for policies matching on CRDs will be skipped.
([#&#8203;7869](https://togithub.com/kyverno/kyverno/issues/7869))
- Performed better validation of policies which use the `cloneList`
declaration in generate rules.
([#&#8203;7823](https://togithub.com/kyverno/kyverno/issues/7823))
- Removed an extra Event created by Kyverno in some verifyImages rules.
([#&#8203;7810](https://togithub.com/kyverno/kyverno/issues/7810))
- The Event created upon resource mutation has been updated to make more
sense.
([#&#8203;7550](https://togithub.com/kyverno/kyverno/issues/7550))

#### 🐛 Fixed 🐛

- Fixed an issue where higher log levels weren't being printed in the
logs. ([#&#8203;7877](https://togithub.com/kyverno/kyverno/issues/7877))
- Fixed an issue with an entry in a nil map when validating a policy.
([#&#8203;7874](https://togithub.com/kyverno/kyverno/issues/7874))
- Fixed a type confusion problem.
([#&#8203;7857](https://togithub.com/kyverno/kyverno/issues/7857))
- Fixed an issue with namespaceSelector and matching on Namespaces.
([#&#8203;7837](https://togithub.com/kyverno/kyverno/issues/7837))
- Fixed an issue where category and severity annotations weren't being
returned in policy reports from CLI tests.
([#&#8203;7828](https://togithub.com/kyverno/kyverno/issues/7828))
- Fixed an issue where some verifyImages rules may have broken in
`Audit` mode.
([#&#8203;7806](https://togithub.com/kyverno/kyverno/issues/7806))
- Fixed an issue in target scope validations for generate rules.
([#&#8203;7800](https://togithub.com/kyverno/kyverno/issues/7800))
- Fixed an issue with aggregated admission reports having stale results.
([#&#8203;7798](https://togithub.com/kyverno/kyverno/issues/7798))
- Fixed an issue preventing a rollback when a verifyImages rule was in
place.
([#&#8203;7752](https://togithub.com/kyverno/kyverno/issues/7752))
- Removed some obsolete structs from the CLI.
([#&#8203;6802](https://togithub.com/kyverno/kyverno/issues/6802))

##### Helm

- Fixed a minor chart templating issue in RBAC.
([#&#8203;7774](https://togithub.com/kyverno/kyverno/issues/7774))

<details>
  <summary>Click to expand all PRs</summary>

[#&#8203;7926](https://togithub.com/kyverno/kyverno/issues/7926)
fix(chart): only create ServiceMonitor if cluster supports it
[#&#8203;7888](https://togithub.com/kyverno/kyverno/issues/7888) add
flag for policy reports
[#&#8203;7883](https://togithub.com/kyverno/kyverno/issues/7883)
fix(policy chart): Skip DELETE requests on policies using deny
statements
[#&#8203;7877](https://togithub.com/kyverno/kyverno/issues/7877) fix log
level in `logging` package
[#&#8203;7874](https://togithub.com/kyverno/kyverno/issues/7874) policy
validation: fix assignment to entry in nil map
[#&#8203;7871](https://togithub.com/kyverno/kyverno/issues/7871)
feat(chart) Add configurations for cleanup jobs and webhooks
[#&#8203;7869](https://togithub.com/kyverno/kyverno/issues/7869) feat:
skip schema validation for CRD
[#&#8203;7858](https://togithub.com/kyverno/kyverno/issues/7858) fix:
add tekton/pipeline to nancy ignore list
[#&#8203;7857](https://togithub.com/kyverno/kyverno/issues/7857) fix
type confusion in policy validation
[#&#8203;7851](https://togithub.com/kyverno/kyverno/issues/7851) Add
nodeSelector for cleanupJob CronJob resources
[#&#8203;7847](https://togithub.com/kyverno/kyverno/issues/7847) feat:
enable operator boolean comparison
[#&#8203;7837](https://togithub.com/kyverno/kyverno/issues/7837) fix:
namespace label matching for Namespace
[#&#8203;7834](https://togithub.com/kyverno/kyverno/issues/7834) Added
log message for API call failures
[#&#8203;7828](https://togithub.com/kyverno/kyverno/issues/7828) bug:
add severity and category in cluster policy report
[#&#8203;7823](https://togithub.com/kyverno/kyverno/issues/7823) Feat:
cloneList rule validation
[#&#8203;7810](https://togithub.com/kyverno/kyverno/issues/7810) fix:
skip creating event for an empty resource name
[#&#8203;7808](https://togithub.com/kyverno/kyverno/issues/7808) feat:
allow pod labels for cleanup jobs
[#&#8203;7806](https://togithub.com/kyverno/kyverno/issues/7806)
refactor: remove manual keychain refresh from client
[#&#8203;7800](https://togithub.com/kyverno/kyverno/issues/7800) fix:
target scope validation for the generate rule
[#&#8203;7798](https://togithub.com/kyverno/kyverno/issues/7798) fix:
aggregated admission report not updated correctly
[#&#8203;7774](https://togithub.com/kyverno/kyverno/issues/7774) chart:
fix admission controller rbac templating
[#&#8203;7752](https://togithub.com/kyverno/kyverno/issues/7752)
Modified annotation matching during rollback
[#&#8203;7550](https://togithub.com/kyverno/kyverno/issues/7550) feat:
add events for successful generation
[#&#8203;6802](https://togithub.com/kyverno/kyverno/issues/6802)
refactor: remove obsolete structs from CLI

</details>

### [`v1.10.1`](https://togithub.com/kyverno/kyverno/releases/tag/v1.10.1)

[Compare
Source](https://togithub.com/kyverno/kyverno/compare/v1.10.0...v1.10.1)

This patch release of 1.10 unblocks users of generate rules using
[clone-type](https://kyverno.io/docs/writing-policies/generate/#clone-source)
declarations as mentioned in the [1.10 migration
guide](https://togithub.com/kyverno/kyverno/blob/release-1.10/charts/kyverno/README.md#migrating-from-v2-to-v3).

Please see the complete [1.10.0 release
notes](https://togithub.com/kyverno/kyverno/releases/tag/v1.10.0) if you
are installing/upgrading to 1.10.1 without progressing through 1.10.0.

Please also see the security advisory
[here](https://togithub.com/kyverno/kyverno/security/advisories/GHSA-rw9c-qq4h-c24p)
acknowledging detected vulnerabilities in the 1.10 release to which
Kyverno is NOT susceptible.

#### ✨ Added ✨

- Added the ability to assign custom labels to policy reports
([#&#8203;7416](https://togithub.com/kyverno/kyverno/issues/7416))
- All release artifacts are now signed
([#&#8203;7478](https://togithub.com/kyverno/kyverno/issues/7478),
[#&#8203;7711](https://togithub.com/kyverno/kyverno/issues/7711))
- Added a new environment variable, settable on the background
controller, called `BACKGROUND_SCAN_INTERVAL` which can override the
background scan interval from its default of one hour
([#&#8203;7504](https://togithub.com/kyverno/kyverno/issues/7504))
- Added a new container flag called `--enableDeferredLoading` (`true` by
default) which allows disabling of the new deferred/lazy context
variable loading system introduced in 1.10.0
([#&#8203;7694](https://togithub.com/kyverno/kyverno/issues/7694),
[#&#8203;7691](https://togithub.com/kyverno/kyverno/issues/7691))

##### Helm

- Added the ability to configure tolerations, resources, and Pod
annotations for the admission report cleanup jobs
([#&#8203;7331](https://togithub.com/kyverno/kyverno/issues/7331),
[#&#8203;7337](https://togithub.com/kyverno/kyverno/issues/7337),
[#&#8203;7366](https://togithub.com/kyverno/kyverno/issues/7366))
- Added missing `delete` verb to the admission reports cleanup job
ClusterRole
([#&#8203;7375](https://togithub.com/kyverno/kyverno/issues/7375))
- Added the ability to set verbs for the `additionalresources`
ClusterRole used by the background controller to address the inability
to generate Roles and ClusterRoles
([#&#8203;7380](https://togithub.com/kyverno/kyverno/issues/7380))
- Removal of the Helm chart will now properly remove all Kyverno
webhooks
([#&#8203;7633](https://togithub.com/kyverno/kyverno/issues/7633))
- Added ability to select cluster on the Grafana dashboard
([#&#8203;7659](https://togithub.com/kyverno/kyverno/issues/7659))
- Add `relabelings` and `metricRelabelings` config to all
ServiceMonitors
([#&#8203;7659](https://togithub.com/kyverno/kyverno/issues/7659))
- Make ConfigMap labels for the Grafana dashboard ConfigMap configurable
([#&#8203;7659](https://togithub.com/kyverno/kyverno/issues/7659))
- Added ability to use imagePullSecrets for the admission reports
cleanup CronJobs
([#&#8203;7730](https://togithub.com/kyverno/kyverno/issues/7730))

#### ⚠️ Changed ⚠️

- The new `order` field available under `foreach` loops will now be
respected when the mutation method is `patchStrategicMerge`
([#&#8203;7336](https://togithub.com/kyverno/kyverno/issues/7336))
- Changed the message returned from a failed permissions check so it's
more general in nature
([#&#8203;7362](https://togithub.com/kyverno/kyverno/issues/7362))
- Removed the redundant loop protection introduced in 1.10.0 making it
possible to match on the same resource kind as Kyverno should generate
([#&#8203;7388](https://togithub.com/kyverno/kyverno/issues/7388))
- Performed some internal refactoring of the generate rule type
([#&#8203;7417](https://togithub.com/kyverno/kyverno/issues/7417))
- Make it so that setting `--webhookTimeout` affects all of Kyverno's
webhooks and not just the resource webhooks
([#&#8203;7435](https://togithub.com/kyverno/kyverno/issues/7435))
- Made it so that the `name` field for a rule is required
([#&#8203;7464](https://togithub.com/kyverno/kyverno/issues/7464))
- Log kind, namespace, and name in processed resources
([#&#8203;7498](https://togithub.com/kyverno/kyverno/issues/7498))
- Refactored some reconciliation logic for generate rules
([#&#8203;7531](https://togithub.com/kyverno/kyverno/issues/7531))
- Mutation failures, when occurring within a `foreach` loop, will show
the cause
([#&#8203;7563](https://togithub.com/kyverno/kyverno/issues/7563))
- Bumped notation-go from 1.0.0-rc.3 to 1.0.0-rc.6
([#&#8203;7666](https://togithub.com/kyverno/kyverno/issues/7666))
- Misc. refactors related to the changes/fixes in deferred/lazy loading
([#&#8203;7675](https://togithub.com/kyverno/kyverno/issues/7675),
[#&#8203;7678](https://togithub.com/kyverno/kyverno/issues/7678),
[#&#8203;7690](https://togithub.com/kyverno/kyverno/issues/7690))

#### 🐛 Fixed 🐛

- Fixed a panic when a user installs a policy with an invalid schema
([#&#8203;6526](https://togithub.com/kyverno/kyverno/issues/6526))
- Fixed an issue where the `default` field in a `variable`-type context
variable was not being used when the result was `nil`
([#&#8203;7251](https://togithub.com/kyverno/kyverno/issues/7251))
- Fixed a panic in the reports controller when it encounters an invalid
image ([#&#8203;7332](https://togithub.com/kyverno/kyverno/issues/7332))
- Fixed an issue when `--protectManagedResources` was enabled which
prevented generation of bindings
([#&#8203;7363](https://togithub.com/kyverno/kyverno/issues/7363))
- Fixed a panic when environment variables weren't passed
([#&#8203;7383](https://togithub.com/kyverno/kyverno/issues/7383))
- Fixed an inability to use the `target.*` variable in a mutate existing
rule ([#&#8203;7387](https://togithub.com/kyverno/kyverno/issues/7387))
- Fixed a sync issue if an array element was removed from a clone source
([#&#8203;7417](https://togithub.com/kyverno/kyverno/issues/7417))
- Fixed an issue preventing background reports from being created if an
empty response is received for a given API group
([#&#8203;7428](https://togithub.com/kyverno/kyverno/issues/7428))
- Fixed an issue where Policy Exceptions weren't being considered for
deletes
([#&#8203;7433](https://togithub.com/kyverno/kyverno/issues/7433))
- Fixed an issue preventing one clone source from being used in multiple
rules or for multiple targets
([#&#8203;7436](https://togithub.com/kyverno/kyverno/issues/7436))
- Fixed an issue with generate rules failing when the trigger resource
kind used a forward slash
([#&#8203;7436](https://togithub.com/kyverno/kyverno/issues/7436))
- Fixed a generate issue in which removal of a single trigger would
remove generated resources it shouldn't have
([#&#8203;7579](https://togithub.com/kyverno/kyverno/issues/7579))
- Fixed an issue with how Kyverno reports a failure when it cannot fetch
a CRD ([#&#8203;7439](https://togithub.com/kyverno/kyverno/issues/7439))
- Fixed an issue with auto-gen not generating the correct matching kinds
when overridden with the annotation
([#&#8203;7455](https://togithub.com/kyverno/kyverno/issues/7455))
- Fixed another issue with auto-gen in which CronJob translated rules
weren't translating variables correctly
([#&#8203;7571](https://togithub.com/kyverno/kyverno/issues/7571))
- Fixed an issue with a generate rule using a cloneList declaration so
that syncs are observed properly
([#&#8203;7466](https://togithub.com/kyverno/kyverno/issues/7466))
- Fixed a panic when the background controller substitutes a variable
with `nil`
([#&#8203;7473](https://togithub.com/kyverno/kyverno/issues/7473))
- Fixed the scope validation check for a generate rule so it detects the
correct resource kind
([#&#8203;7479](https://togithub.com/kyverno/kyverno/issues/7479))
- Fixed an issue preventing generated resources from being removed when
preconditions no longer matched
([#&#8203;7496](https://togithub.com/kyverno/kyverno/issues/7496))
- Fixed a slightly misleading error message in deny conditions
([#&#8203;7503](https://togithub.com/kyverno/kyverno/issues/7503))
- Fixed it (finally) so that no informational logs are produced when
logging is set to `0`
([#&#8203;7515](https://togithub.com/kyverno/kyverno/issues/7515))
- Fixed removal of ownerReferences when generating via clone a resource
across Namespaces
([#&#8203;7517](https://togithub.com/kyverno/kyverno/issues/7517))
- Fixed residual issues from 1.10.0 for lazy/deferred loading of context
variables
([#&#8203;7552](https://togithub.com/kyverno/kyverno/issues/7552),
[#&#8203;7597](https://togithub.com/kyverno/kyverno/issues/7597))
- Fixed an issue performing image verification in background mode
([#&#8203;7564](https://togithub.com/kyverno/kyverno/issues/7564))
- Make configuring max procs not exit in case of error
([#&#8203;7588](https://togithub.com/kyverno/kyverno/issues/7588))
- Fixed some typos in the descriptions of flags applicable to the
reports controller
([#&#8203;7617](https://togithub.com/kyverno/kyverno/issues/7617))
- Fixed a permissions check when installing a generate policy due to
incorrect API group matching
([#&#8203;7628](https://togithub.com/kyverno/kyverno/issues/7628))
- Fixed an issue where the service name in a tracer configuration could
not be customized
([#&#8203;7644](https://togithub.com/kyverno/kyverno/issues/7644))
- Fixed an issue with an image verification rule which would cause
updating a Deployment with more than one container to fail
([#&#8203;7692](https://togithub.com/kyverno/kyverno/issues/7692))
- Fixed a minor issue in an error message
([#&#8203;7688](https://togithub.com/kyverno/kyverno/issues/7688))
- Fixed an issue with locking the schema manager which could result in
CRDs not being found
([#&#8203;7704](https://togithub.com/kyverno/kyverno/issues/7704))

##### Helm

- Fixed missing environment variables in the admission controller
([#&#8203;7383](https://togithub.com/kyverno/kyverno/issues/7383))
- Fixed missing `extraEnvVars` on all controllers
([#&#8203;7403](https://togithub.com/kyverno/kyverno/issues/7403))
- Fixed an issue templating the new reports cleanup job image
([#&#8203;7430](https://togithub.com/kyverno/kyverno/issues/7430))
- Fixed a typo when enabling anti-affinity
([#&#8203;7440](https://togithub.com/kyverno/kyverno/issues/7440))
- Fixed missing imagePullSecrets
([#&#8203;7474](https://togithub.com/kyverno/kyverno/issues/7474))
- Fixed missing `delete` verb for Secrets in the admission controller
and cleanup controller
([#&#8203;7527](https://togithub.com/kyverno/kyverno/issues/7527),
[#&#8203;7679](https://togithub.com/kyverno/kyverno/issues/7679))

<details>
  <summary>Click to expand all PRs</summary>

7730	feat: Add option to add imagePullSecrets to cleanup CronJobs
7712	fix: remove show goreleaser version step
7711	fix: release signing
7704	fix: lock schema manager when updating it
7694 Fix deferred loading (cherry-pick
[#&#8203;7597](https://togithub.com/kyverno/kyverno/issues/7597))
7692 fix: image verification (cherry-pick
[#&#8203;7652](https://togithub.com/kyverno/kyverno/issues/7652))
7691 feat: add lazy loading feature flag (cherry-pick
[#&#8203;7680](https://togithub.com/kyverno/kyverno/issues/7680))
7690 refactor: migrate context loaders (part 2) from
[#&#8203;7597](https://togithub.com/kyverno/kyverno/issues/7597)
(cherry-pick
[#&#8203;7677](https://togithub.com/kyverno/kyverno/issues/7677))
7688	fix: Swap any/all in the error message.
7680	feat: add lazy loading feature flag
7679	fix: cleanup controller rbac (cherry-pick [#7669](https://togithub.com/kyverno/kyverno/issues/7669))
7678	refactor: migrate context loaders (part 1) from [#7597](https://togithub.com/kyverno/kyverno/issues/7597) (cherry-pick [#7676](https://togithub.com/kyverno/kyverno/issues/7676))
7677	refactor: migrate context loaders (part 2) from [#7597](https://togithub.com/kyverno/kyverno/issues/7597)
7676	refactor: migrate context loaders (part 1) from [#7597](https://togithub.com/kyverno/kyverno/issues/7597)
7675	refactor: add specific loaders from [#7597](https://togithub.com/kyverno/kyverno/issues/7597) (cherry-pick [#7671](https://togithub.com/kyverno/kyverno/issues/7671))
7671	refactor: add specific loaders from [#7597](https://togithub.com/kyverno/kyverno/issues/7597)
7669	fix: cleanup controller rbac
7666	\[Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6
7659	feat: add cluster select and relabling config for ServiceMonitors
7652	fix: image verification with 2+ containers
7644	fix: customizable tracer configuration
7633	feat: enable Helm webhook cleanup hook by default
7628	fix: auth checks with the APIVersion and the subresource
7617	fix: update the flag descriptions of the reports-controller
7597	Fix deferred loading
7596	fix: CLI tests
7590	Add nancy-ignore to make it pass with current dependencies
7589	chore: reduce sleep duration for generate kuttl tests
7588	fix: make configuring max procs not exit in case of error
7579	fix: deletion mismatch for the generate policy
7571	fix: autogen not working correctly with cronjob conditions
7564	fix: background image verification not working
7563	Fix: Mutate: Foreach: Error cause is missing
7552	fix: recursive lazy loading
7531	refactor: generate reconciliation on policy updates
7527	fix: update kyverno admission-controller role to have delete verb for…
7517	fix: Remove ownerReferences when cloning across Namespaces
7515	fix: log level initialisation
7504	feat: add debug env BACKGROUND_SCAN_INTERVAL
7503	fix: misleading error message in deny conditions
7498	fix: log kind/namespace/name in scan errors
7496	fix: Delete downstream objects on precondition fail
7479	fix: target scope validation for the generate rule
7478	feat: sign released artifacts
7474	fix: image pull secrets in admission controller
7473	fix: background controller panics during variables substitution
7466	fix: cloneList sync behavior
7464	fix: rule name not required in the crd schema
7460	fix: flaky generate test
7455	fix: autogen not generating the correct kind
7440	fixed typo in admission controller chart template
7439	fix: error reported when sanity check fails
7436	fix: the same source cannot be used for multiple targets with a generate clone rule
7435	fix: add missing webhook timeouts
7433	fix: exceptions not considered on delete
7430	fix: helm template for cleanup jobs image
7428	fix: reports discovery error
7417	fix: array element removal should be synced to the downstream resource with a generate data sync rule
7416	feat: hold custom labels
7403	fix: missing extraEnvVars in helm chart
7388	Remove policy validation prevent loop for generate
7387	fix mutate targets validation
7383	fix: missing/incorrect env variables
7380	Allow setting verbs for clusterrole extraresources on backgroundController
7375	Add missing delete verb to admission cleanup clusterrole
7366	feat(cronjobs): Enable podAnnotations on CronJobs
7363	fix: protect managed resource not considering other components
7362	fix: permission validation message
7338	fix: flaky kuttl test add-external-secret-prefix
7337	feat: cleanup jobs resources
7336	feat: obey the order field in patchStrategicMerge method
7332	fix: panic in background reports
7331	feat: cleanup job tolerations
7251	Fix: \[Bug] The default field in a context variable does not replace nil results
6526	fix: add type conversion error judgment to avoid program panic

</details>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/allenporter/flux-local).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>