CVE-2023-34091: Release v1.10.0 · kyverno/kyverno
Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the deletionTimestamp field defined can bypass validate, generate, or mutate-existing policies, even in cases where the validationFailureAction field is set to Enforce. This situation occurs because resources pending deletion were consciously exempted by Kyverno as a way to reduce processing load, since policies are typically not applied to objects which are being deleted. However, this could potentially allow a malicious user to leverage the Kubernetes finalizers feature by setting a finalizer which causes the Kubernetes API server to set the deletionTimestamp, and then never completing the delete operation, as a way to explicitly bypass a Kyverno policy. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround.
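As an added example (not part of the advisory or of the Kyverno project), the following Python script audits a `kubectl get <kinds> -A -o json` dump for objects in exactly the state the advisory describes: deletionTimestamp set while finalizers are still pending, which a pre-1.10.0 Kyverno left unpoliced. The sample dump, namespaces, names and the `example.invalid/hold` finalizer are constructed.

```python
"""Audit a kubectl JSON dump for objects stuck in deletion.

Before Kyverno 1.10.0, objects carrying metadata.deletionTimestamp were
exempt from validate, generate and mutate-existing policies, so an object
held by a never-completing finalizer could remain in the cluster without
those policies being enforced (CVE-2023-34091). This script lists objects
in that state so an operator can review them alongside the Kyverno version
in use. Input is the output of `kubectl get <kinds> -A -o json`.
"""
import json
import sys
from dataclasses import dataclass

# The advisory notes the bypass is not applicable to Pods.
EXEMPT_KINDS = {"Pod"}

# Constructed sample dump in `kubectl -o json` List format. Namespaces,
# names and the finalizer string are made up for illustration.
SAMPLE_DUMP = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # Service held by a finalizer: deletion never completes
            "apiVersion": "v1", "kind": "Service",
            "metadata": {"name": "api", "namespace": "payments",
                         "deletionTimestamp": "2023-05-01T10:00:00Z",
                         "finalizers": ["example.invalid/hold"]}},
        {   # Pod in the same state: out of scope per the advisory
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "worker-1", "namespace": "payments",
                         "deletionTimestamp": "2023-05-01T10:00:00Z",
                         "finalizers": ["example.invalid/hold"]}},
        {   # Ordinary ConfigMap, not being deleted
            "apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": "settings", "namespace": "payments"}},
        {   # Service being deleted with no finalizers left: will go away
            "apiVersion": "v1", "kind": "Service",
            "metadata": {"name": "old", "namespace": "payments",
                         "deletionTimestamp": "2023-05-01T10:00:00Z",
                         "finalizers": []}},
    ],
})


@dataclass(frozen=True)
class PendingDeletion:
    kind: str
    namespace: str
    name: str
    deletion_timestamp: str
    finalizers: tuple


def load_kubectl_json(text):
    """Return the object list from `kubectl -o json` (List or single object)."""
    doc = json.loads(text)
    if doc.get("kind") == "List":
        return doc.get("items", [])
    return [doc]


def find_pending_deletion(items):
    """Return objects with deletionTimestamp set that still carry finalizers.

    These are the objects a pre-1.10 Kyverno skipped: deletion was requested,
    but a finalizer keeps the object alive until its controller clears it.
    """
    found = []
    for obj in items:
        meta = obj.get("metadata", {})
        ts = meta.get("deletionTimestamp")
        finalizers = tuple(meta.get("finalizers") or ())
        if not ts or not finalizers:
            continue  # not being deleted, or deletion will complete on its own
        if obj.get("kind") in EXEMPT_KINDS:
            continue
        found.append(PendingDeletion(obj.get("kind", "?"), meta.get("namespace", ""),
                                     meta.get("name", "?"), ts, finalizers))
    return found


def format_report(pending):
    """One line per stuck object, suitable for a review ticket."""
    return [f"{p.kind} {p.namespace}/{p.name} deleting since {p.deletion_timestamp}, "
            f"held by finalizers: {', '.join(p.finalizers)}" for p in pending]


if __name__ == "__main__":
    # `python audit.py -` reads a real dump from stdin; otherwise use the sample.
    raw = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_DUMP
    for line in format_report(find_pending_deletion(load_kubectl_json(raw))):
        print(line)
```

Objects listed by the report stay in the cluster until the owner of each finalizer completes or removes it, so each entry is worth a look at who set the finalizer and why.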
Kyverno 1.10 is a huge release which brings breaking changes in both the application and Helm chart. Please read these release notes carefully!
Major features:
- Split the main Kyverno Deployment into 3 separate controllers/Deployments
- Intra-cluster Service calls
- Notary support
- Major reworking of generate and “mutate existing” policies
NOTE: There is a limited upgrade path available when using the Helm chart, which requires manual intervention and NO upgrade path when using raw YAML manifests.
PLEASE REVIEW THE HELM V2 TO V3 MIGRATION GUIDE FOR FULL DETAILS.
❗ Breaking ❗
- This release separates Kyverno into its 3 main components: admission controller, reporting controller, and background controller. As a result, there is no direct upgrade path from previous versions. When deploying with Helm, we recommend either backing up and restoring Kyverno policies (kubectl get pol,cpol,cleanpol,ccleanpol,polex -A -o yaml > backup.yaml) or scaling the Kyverno deployment(s) to zero first. Policy reports will be regenerated from existing resources when policies are reinstalled. Regardless of the option, this upgrade should be performed in a maintenance window as there will be downtime involved.
- As a result of this decomposition, aggregated ClusterRoles may need to be updated to use the new label values depending on the controller which requires those permissions.
- Policies which matched on some types of subresources (such as PodExecOptions) will need to be updated to use the standardized form of <parent>/<subresource> (Pod/exec).
- The following fields in a generate rule are now immutable once created: spec.rules.name, spec.rules.match, spec.rules.exclude, spec.rules.preconditions, spec.generate.apiVersion, spec.generate.kind, spec.generate.namespace, spec.generate.name, spec.generate.clone, and spec.generate.cloneList (#6328, #6451)
- Variables in these portions of a generate rule will now be disallowed: clone, cloneList, generate.kind, and generate.apiVersion (#6438)
- Generate and “mutate existing” policies, once installed, will check to see if Kyverno has the necessary permissions to successfully execute them. If not, Kyverno will block their creation until the permissions are available. This is added to bring behavior in alignment with how cleanup policies work and provide a better UX (#6610)
- Properly enforcing that “mutate existing” rules, when mutateExistingOnPolicyUpdate is set to true, also have mutate.targets[] defined; otherwise the policy creation will be blocked (#6693)
- When a verifyImages policy is created in Audit mode, its creation will be rejected unless mutateDigest is set to false (#6757)
- Mutation rules which change the image field in a Pod spec and which relied on docker.io being silently added by Kyverno (when it was not explicitly defined in the image) will need to be adjusted to either use the images.*.registry predefined variable or the new normalize_image() JMESPath filter. To address other discovered issues with mutation, Kyverno can no longer add the default registry to the context. It will only be accessible to internal variables and JMESPath.
- The generate.apiVersion field is now required in a generate rule. Policies/rules without this defined will need to set it. (#7080)
✨ Added ✨
- validationFailureActionOverrides can now use namespaceSelector with expressions, as is already possible in match/exclude (#4461)
- The default registry Kyverno uses can now be configured in the ConfigMap (#4715)
- Separated the Kyverno Deployment into 3 new Deployments: kyverno-admission-controller, kyverno-reports-controller, and kyverno-background-controller (#5352, #6045, #6050, #6157, #6194)
- Kyverno can now make calls to any Kubernetes Service including specifying the verb (#5755)
- Support for verifying Notary signatures (#6011)
- Operations can now be specified in match/exclude blocks without the use of preconditions (#6658)
- Mutate existing rules now support context variables and preconditions (#6754)
- PolicyExceptions now support background mode scanning (#6127)
- PolicyExceptions now support wildcards in the ruleNames field (#6773)
- Added a new --skipResourceFilters flag to the reports controller Deployment, set to true by default, which allows PolicyReports to not be created in background mode for anything in the resourceFilters ConfigMap (#6778)
- Added a new --backgroundServiceAccountName flag to the admission controller Deployment, replacing a ConfigMap key of a similar name, which is used to specify the ServiceAccount name for the background controller (#6790)
- New keys excludeRoles and excludeClusterRoles can be set in the Kyverno ConfigMap which allows global exclusion of Roles/ClusterRoles (#6779)
- Events are created for policies in Audit mode (#6125)
- New trim_prefix() JMESPath filter (#6183)
- New to_boolean() JMESPath filter (#6292)
- New sum() JMESPath filter (augments the existing) which supports summing duration and quantities (#6552)
- New image extractor field is available when using verifyImages rules to define, for Custom Resources, where Kyverno should locate the image for verification (#6183)
- Support for the DELETE operation as a trigger for use in generate and mutate existing rules (#6508, #6197, #6736)
- Support for using subresources as a triggering type (#6760, #6544)
- For a generate rule, when synchronize: true, if the triggering resource is either deleted or changed to no longer match, it will result in the generated resource being removed (#6508)
- Kyverno container images are now built for all supported platforms (#6297)
- Support for YAML manifest signing in GitHub Actions workflows using keyless signing (#6320)
- Role aggregation for the view ClusterRole (#6350)
- SLSA provenance generated for all decomposed controllers (#6384)
- Added a log message whenever a policy is added, updated, or deleted (#6601)
- A new Message column will be printed when showing Kyverno policies, which can show details on whether a policy is ready and, if not, why (#6670)
- Added a --warn-no-pass flag in the CLI to the kyverno apply command (#6678)
- Added a new cleanup metric called cleanup_controller_deletedobjects which counts the number of resources deleted by a cleanup rule (#6338)
- Added a deployment manifest called install-latest-testing.yaml for quick and easy testing of the bleeding-edge code. This is NOT to be used for normal installations! (#6578)
- The Kyverno ConfigMap now has an entry called webhookAnnotations which can be used to add annotations to webhooks for AKS compatibility issues (#6579)
- Added ability to pin podSecurity subrule to version 1.26 (#6762)
- Introduced an engine API package (#6154, #6156, #6162, #6163, #6164, #6177, #6181, #6199, #6205, #6212)
- Introduced an internal engine package (#6241)
- Add response helpers in engine (#6262)
- Add error logs in wait for cache sync helper (#6279)
- Added new fields into the UpdateRequest resource to support changed functionality (#6294)
- New instrumented clients for API extensions and aggregation layer (#6302)
- A new kind selector is used which supports GVK and subresource (#6514)
- New container flag --enableConfigMapCaching to enable/disable the ConfigMap caching feature. (#6837)
- Begin testing against Kubernetes 1.27 (#6872)
- Added a new JMESPath filter image_normalize() which can be used to show the fully normalized image string which includes things like default registry (configurable in the Kyverno ConfigMap) and latest tag when no tag is defined. (#6911)
- The apiCall context variable, exclusively used for Kubernetes API communication, now can perform POST operations similar to the new apiCall.service (external) call. When using this new method, it is not necessary to specify a CA certificate for trust. (#6948)
- New Policy Report cleanup jobs are added as a safeguard to remove excessive intermediate reports (not final Policy Reports) in case reconciliation doesn’t happen fast enough. In almost all cases, these jobs are expected to do nothing. (#6960)
- Added a new flag --registryCredentialHelpers with image registry specific credential helpers. This flag is passed by default. (#6974, #7002)
- Added a new --omit-events flag which allows defining which type of Kyverno events should not be emitted. (#7010)
- Context variables are now lazy loaded (just in time) which prevents failures of some policies. Context variables will now only be evaluated when they are needed in a policy and not all at once in the very beginning. (#7071)
- Added a new ConfigMap key called excludeUsernames which is used to exclude certain requests with these usernames from processing. The value also supports a negation operator (!) which allows inclusion of a username in cases where it might have been excluded in a different setting elsewhere. (#7082)
- Significant changes with how mutations work (#7095):
  - Added a new foreach.order field to control how patches are applied internally, either Ascending or Descending.
  - Instead of Kyverno patching the “final” version of the resource after every patch, it will only do so internally. All patches will be summarized and combined at the end.
  - When using multiple foreach loops, they will be evaluated from top down, so the result of one loop will only be available to the next after the first loop completes. They will no longer iterate independently over the same input.
  - Rules which need mutations over the result of prior mutations should be split into separate rules.
- Kyverno will now ensure that generate rules are written appropriately for namespaced and cluster-scoped resources to prevent bad policies from being accepted. (#7098)
- Conditions expressions now have an optional new field message which will be shown if that particular expression fails. Anywhere conditions are used (ex., verifyImages or validate) will have access to this field. (#7113, #7126)
Helm
- Added test for reports controller (#6081)
- Added tests for cleanup controller (#6085)
- Added names and securityContext helpers (#6136)
- Installation of the chart now displays the components selected for install (#6153)
- Enforce that the admission controller must be deployed with at least one replica (#6213)
- Added annotation support to all ServiceAccounts deployed by the chart (#6585)
- Added custom label support back to chart (#6597)
- Linting the chart for Artifact Hub (#6758)
- Added a new features section in the v3 Helm chart as an easier abstraction for feature enablement. Doesn’t require knowing which controllers need which flags. (#6935)
- Split out chart values per component. (#6936)
- Added a logging.verbosity flag in the chart to control logging verbosity without the need for an extraArg. (#6940)
- Added a new upgrade.fromV2 flag in the Helm chart which is REQUIRED when upgrading from v2 of the chart. Please read the Helm migration guide for very important details on migrating from v2 to v3. (#7066, #7144)
- Added the new omit-events flag to the features section making it easier to set and not worry about which controllers need that flag. (#7185)
- Add a logging section to the features section making it easier to configure verbosity levels across all controllers without having to set the flag individually. (#7181)
- Added ability to assign labels and annotations to all controllers (#7312)
⚠️ Changed ⚠️
- For “generate existing” policies, the field spec.generateExistingOnPolicyUpdate has been deprecated in favor of spec.generateExisting. Please update your policies to use spec.generateExisting (#6321, #6655, #7324)
- Deletion of a clone source, in a generate rule, with synchronization enabled will now result in deletion of the downstream resource (#6322, issue #6266)
- Getting the “classic” behavior in a generate rule with a data type whereby changes to the rule are propagated to downstream resources (sync enabled) no longer requires setting spec.generateExistingOnPolicyUpdate. This change effectively restores the same behavior to how it was up until Kyverno 1.7 (#6322, issue #4222)
- Creation of a new generate existing rule within a policy now correctly triggers that behavior (#6472)
- Leader election is enabled for the background controller (generate and mutate existing rules) (#6237)
- Images which no longer match a verifyImages rule will no longer produce Skip results in a PolicyReport (#6733)
- Standard operators have enhanced support for duration (#5958)
- Burst limit (--clientRateLimitBurst) has its defaults increased from 50 to 300 and QPS (--clientRateLimitQPS) from 20 to 300 which should fix issues in very large clusters with admission reports not getting aggregated quickly enough to the final Policy Report (#6522)
- Report controller workers have been increased from 2 to 10 which, along with the burst and QPS increases listed above, should help reconcile reports much faster (#6522)
- Refactored how AdmissionReports are aggregated to improve performance and fix issues (#6568)
- AdmissionReview requests created as a result of Kyverno’s own behavior in generate or mutate existing rules will now be ignored but configurable through a new excludeBackgroundUsernames key in the ConfigMap (#6499)
- Updated the ConfigMap resourceFilters with all the new and changed names as of this release (#6765)
- Changed matching syntax when it comes to subresources. A subresource must be specified in context of its parent (#6625)
- Policies matching on subresources are now properly rejected if background scanning is enabled (#6571)
- Controllers will quit when losing leader election (#6718)
- Policy readiness is now reflected as a condition in the .status object and the .status.ready field is deprecated (#6071)
- Changed the way anchor logic with matching is done (#6133)
- The items() JMESPath filter now supports arrays in addition to maps as the input. When an array is used, the output will contain the index number (#6180)
- The install.yaml manifest has been removed from the main branch. It is now an official release artifact for every release (#6217)
- Kyverno will use client instead of discovery for sanity checks which helps in some cases when finding CRDs (#6296)
- Image references in the JSON context are not mutated to canonical form anymore (#6397)
- Enhance the events created by PolicyExceptions to add kind and Namespace making them more consistent with other events (#6459)
- Webhook configuration has been changed to better support wildcard policies (#6534)
- Go bumped to 1.20 (#6683)
- Refactoring of the match package (#5961)
- Removed the GenerateRequest CRD since Kyverno uses a unified UpdateRequest CRD (#6043)
- Event package refactoring (#6124)
- Reduced dependency from engine to CLI (#6134)
- Renamed initContainer to kyverno-init (#6139)
- Removed PolicySpec from engine API (#6159)
- Merge engine common and utils package (#6160)
- Removed dependency on github.com/pkg/errors (#6165)
- Move client out of policy context (#6233)
- Moved engine functions to methods (#6235)
- Minor logging enhancements (#5929)
- Use more engine internals (#6247)
- Refactor of context loading and engine methods (#6253)
- Remove store dependency in engine pkg (#6260)
- Improve engine logger management (#6280)
- Cleanups in the generate controller (#6281)
- Refactor engine matching and filtering logic (#6289)
- Add label keys for generate rules (#6291)
- Refactor original resource tracking in engine response (#6293)
- Exceptions in rule responses will be propagated (#6298)
- Make engine stats standard fields (#6301)
- Removed validationFailureAction from the response; it is now taken from the policy directly (#6304)
- Refactored how users and group exclusions are done (#6357)
- OpenTelemetry upgraded to 0.39 (#6383)
- Refactored some userinfo dependencies (#6524)
- As part of the massive work done on the background controller (responsible for generate and “mutate existing” rules), we removed a bunch of stale code and trimmed down the permissions needed (#6598)
- Refactored more matching (#6633)
- Return structs instead of pointer in engine API (#6647)
- Removed more pointers from engine API (#6651)
- Refactored discovery client (#6652)
- Introduced engine, mutation, image validation, and validation handlers and factorized them (#6680, #6684, #6694, #6695, #6697, #6735)
- Start applying a validation when a policy is created with an invalid webhook timeout value (#6715)
- Add preconditions check to engine invokeHandler (#6721)
- Remove rules pointer (#6722)
- Introduced a PSS validation handler (#6724)
- Refactored engine responses (#6738)
- Changed context and precondition handling in invokeHandler (#6751)
- Removed admission request/response pointers (#6769, #6774)
- Resolve Roles/ClusterRoles earlier in the admission chain (#6775)
- The resourceFilters now supports subresources and the ConfigMap is updated to include some (#6780)
- Refactored engine rule response creation (#6784)
- Removed hard-coded defaults for excluded groups and excluded usernames. These will always be read from the ConfigMap now in keys excludeGroups and excludeUsernames (#6789)
- Refactored engine execution and response stats (#6796, #6792)
- Simplified engine responses (#6804)
- Optimized and improved config management (#6808)
- Engine response refactoring (#5958)
- Policies will be applied to UPDATE ops now even when the deletionTimestamp is set. (#6878)
- The x509_decode() JMESPath filter now supports decoding of CertificateSigningRequests (#6744)
- Refactored configuration ConfigMap controller. (#6829)
- Refactored engine creation code. (#6837)
- Refactored policy response. (#6877)
- Refactored Namespace labels in engine response. (#6880)
- Introduced a JMESPath interface. (#6882)
- Moved Cosign init code to an internal package. (#6846)
- Moved registry client init to an internal package. (#6853)
- Moved leader election code to an internal package. (#6854)
- Moved clients creation to an internal package. (#6924)
- Bumped Kubernetes dependencies to 1.27 (#6868)
- Tighten up permissions needed by Kyverno. (#6957, #6970, #6972)
- Improved instrumented clients by adding an UpstreamInterface that is an alias to the bare upstream interface. (#7006)
- Updated the internal Kubernetes resource schemas which will prevent some calls to deprecated/removed APIs. (#7014)
- Standardize on use of github.com/evanphx/json-patch/v5 for JSON patches. (#7015)
- Refactor of engine patchers. (#7030)
- Refactor of the engine response policy. (#7063)
- Remove the deletionTimestamp check in rules handled by the background controller. (#7039)
- All controllers’ containers will print their container flags and values at the default log level upon startup. (#7127)
- Removed the --genWorker flag from the admission controller as this is only applicable to the background controller. (#7132)
- Changed the wording of the log message in the background controller when periodic reconciliation fires so it’s not confused with the reporting controller’s background scan ability. (#7142)
- Improved readability of a returned message in a verifyImages rule by addition of single quotes. (#7259)
- Variables used in conditions (preconditions, deny conditions, verifyImages conditions, etc) will now only be evaluated just in time (lazy) rather than up front which either prevented some types of policies from being written or made them more complex. (#7238)
- Changed the name of the metrics from the cleanup controller to be prefixed with kyverno_ like they should have been from the beginning. (#7198)
Helm
- Changed webhooksCleanup key from enable to enabled for consistency (#5837)
- Refactored the way ConfigMap is managed (#6064)
- The namespace field is renamed to namespaceOverride (#6065)
- Changed how CRDs are managed (#6067)
- Moved the imagepullsecret to a different folder (#6069)
- Refactored Helm labels (#6073)
- Refactored Helm tests (#6074)
- Refactored Helm templating management (#6076)
- Refactored Helm RBAC components with respect to role aggregation and config (#6096, #6582)
- Refactored logging, tracing, and metering configs (#6613)
- Make the Grafana ConfigMap name configurable (#6110)
- Refactored admission controller component (#6119, #6130)
- Use image registry in Helm values (#6138)
- Make the Sigstore (TUF root) volume configurable (#6211)
- Changed title of Grafana dashboard (#6236)
- Changed name of Kyverno Deployment after decomposition to kyverno-admission-controller (#6356)
- Refactored admission controller replicas (#6453)
- Refactored admission controller config (#6454, #6457, #6460, #6473, #6474, #6501, #6504)
- Refactored config (#6596)
- Refactored NetworkPolicies (#6599)
- Changed the reports controller --clientRateLimitBurst flag to a value of 300, making it consistent with other changes (#6541)
- Changed extraArgs to be objects rather than arrays making them easier to override individually (#6588)
- Allow overriding of the PodDisruptionBudget API version (#6708)
- Changed the chart to use kyverno.fullname instead of .Release.Name (#7303)
🐛 Fixed 🐛
- Fixed an issue with the new Secret type in Kyverno 1.9.0. Now, older self-managed Secrets will be deleted and recreated with the new TLS type (#6368)
- Fixed removal of generated resource when the generate rule itself was deleted with sync enabled (#6393)
- Fixed numerous issues with UpdateRequests as part of massive refactoring (#6393, #6676)
- Fixed an issue with a generate rule using a clone whereby synchronization would only happen if the source existed before the rule was created (#6439)
- Fixed an issue with a namespaced Policy generate existing rule getting triggered by matching resources in different namespaces (#6530)
- Fixed cascading mutations when one rule uses a foreach statement (#6411)
- Fixed an issue in mutate existing rules which resulted in schema validation happening on the wrong resource (#6602)
- Fixed issue with the range operator (#5962)
- Fixed an issue with events not being created for podSecurity subrule policies in Audit mode (#6083)
- Fixed ConfigMap context lookups so they can use other portions of a ConfigMap (#6120)
- Fixed an issue with namespaceSelector when used in generate or mutate existing rules (#6188)
- Fixed an issue with the items() JMESPath filter (#6196)
- Fixed an issue where excluding user names in the ConfigMap wasn’t working (#6204)
- Fixed an issue with namespaceSelector for rules in Audit mode (#6216)
- Fixed an issue resulting in mutations firing when incorrectly matched (#6242)
- Fixed how Role matching is done (#6358)
- Policies in Audit mode are processed correctly when admission reports are disabled (#6531)
- Fixed an issue where PolicyExceptions didn’t apply to manifest validation subrule policies (#6704)
- Fixed some issues with parsing of the image field in Pods in cases where the tag is incorrect, the image is not present, or the image is unset (#6706, #6707, #6767)
- Fixed an issue with the name of the image not being shown in an event created as a result of a blocked Pod from a verifyImages rule (#6734)
- Fixed an issue with wildcard policies which prevented TokenRequests from being created (#6766)
- Fixed an issue preventing failing resources in background mode from being reflected in the kyverno_policy_results_total metric (#6781)
- Fixed duplicate messages in a policy report message field when using a podSecurity subrule (#6634)
- Shutdown gracefulness has been improved (#5107)
- Fixed an issue where even setting --maxQueuedEvents=0 still created some events (#5994)
- Fixed comment format (#6042)
- Fixed leader election issues (#6048)
- Fixed distributed tracing length and name (#6117)
- Fixed some error management issues in JMESPath functions (#6239)
- Use apiserver instrumented client (#6303)
- Use labels.Everything() in userinfo clusterroles matching (instead of labels.NewSelector()) (#6351)
- Fixed an issue showing the kyverno_policy_results_total metric with policies in Audit mode (#6363)
- Fixed a logger call where key/value were in the wrong order (#6365)
- Remove dynamic config from match helpers (#6381)
- Fixed a panic when fetching GVK (#6424)
- Fixed an error log (#6429)
- Regexes will now be compiled globally rather than on every call (#6510)
- Fixed looking up GVK from GVR (#6516)
- Fixed looking up GVR from GVK (#6517)
- Fixed policy cache by using GVR instead of kind (#6543)
- Fixed the source of the apiVersion column in an AdmissionReport to not come from an ownerReferences (#6555)
- Fixed to use GVR when loading mutation targets (#6576)
- Map APIResource in FindResources results (#6611)
- Use GVR in reporting controller (#6612)
- Fixed a check for duplicate resources when testing in the CLI (#6630)
- Fixed an incorrect old resource check (#6635)
- Fixed a deletion check (#6640)
- Fixed a check for empty resource when matching (#6644)
- Fixed GVK fallback in policy context (#6648)
- Fixed creation of UpdateRequests in dryrun mode of admission requests (now prevented) (#6649)
- Use FindResources in CLI (#6650)
- Fixed the HasVerifyImages check (#6668)
- Fixed replacing more reflect.DeepEqual calls (#6674)
- Fixed histogram buckets (#6783)
- Added logs in webhook middleware (#6797)
- Fixed an issue in loading the config when the data is nil. (#6818)
- Fixes and improvements with SLSA provenance generation (#6821, #6824, #6825)
- Fixed an issue with the new service call feature to use the correct ServiceAccount token. (#6842)
- Fixed an issue with considering a customized Cosign image signature repository. (#6849)
- Fixed an issue where the clone source was inadvertently deleted when trigger no longer matched. (#6869)
- Fixed the auth check upon creation of generate and mutate existing rules. (#6874)
- Defaults for flags --clientRateLimitQPS and --clientRateLimitBurst are configurable. (#6883)
- Fixed the context in an API call. (#6885)
- Fixed an issue with namespace selectors not working properly in a verifyImages rule. (#6887)
- Fixed a deletion panic when a resource matched a podSecurity subrule. (#6902)
- Removed the --imageSignatureRepository flag from the background controller as it wasn’t applicable here. (#6925)
- Fixed an issue with API calls showing up in traces. (#6930)
- Remove /status subresource from policy webhooks as this wasn’t needed. (#6939)
- Fixed/reverted a previous check that was preventing JSON patches (mutate) with single quotes from being accepted. JSON patches can be written more simply as YAML rather than in-line JSON. (#6941)
- Fixed an issue matching on ephemeralContainers. (#6963)
- Fixed an issue validating variables in policies which disabled background scanning. (#6978)
- Fixed an issue where autogen would fire in a foreach mutation rule causing an invalid schema policy. (#6996)
- Fixed a missing serverIP parameter in the cert renewer for the cleanup controller. (#6999)
- Fixed when Kyverno reloads its ConfigMap to reduce log noise. (#7007)
- Fixed a loop prevention check in generate rules. (#7026)
- Fixed not showing the background scan interval in the report controller logs. (#7065)
- Fixed removing entries in excludeGroups from matching. (#7083)
- Removed a duplicate entry in the admission controller’s ClusterRole for Leases. (#7125)
- Fixed report controller quitting when losing the lead. (#7153)
- Fixed an issue with the podSecurity subrule (validate.podSecurity) in which using the latest version of the PSS caused the Seccomp control to not be evaluated properly. (#7263)
- Fixed an issue when using the container flag --autoUpdateWebhooks=false whereby resources weren’t getting blocked if a matching validate policy existed in Enforce mode. (#7261)
- Remove (i.e., include) ServiceAccounts in the kube-system Namespace from the exclusion filter in the ConfigMap. (#7225)
- Fixed a panic in the reports controller. (#7220)
- Fixed an authZ check when evaluating mutate existing rules when the targets were defined with a variable in the namespace field. (#7219)
- Fixed a matching logic issue which resulted in applying a rule when it matched the oldObject state of the resource. (#7218)
- Fixed the output message of a validate rule’s message field when blocking a resource. (#7208)
- Fixed when to show the new message field in a condition (expression) in deny conditions. Now it’ll be displayed when the condition evaluates to TRUE rather than when it evaluates to FALSE like it will be in other areas of Kyverno rules. (#7204)
- Removed some duplicate code. (#7203)
- Fixed an issue with the kyverno_http_requests metrics having the wrong name and not being registered. (#7197)
- Fixed an issue with evaluating preconditions in mutate existing rules. (#7183)
- Fixed a policy variable validation issue that might arise if a policy was somehow installed when Kyverno didn’t run its validation checks. (#7079)
- Bumped some deps to address transient vulns. (#7171, #7172, #7177)
- Removed some insecure TLS ciphers which used 3DES (#7308)
Helm
- Fixed an issue with the test pod (#6061)
- Fixed default values file name (#6066)
- Fixed ability to override service port (#6118)
- Fixed pre-delete hook (#6121)
- Fixed an issue when adding more labels to the serviceMonitor during Helm deployment (#6414)
- Added the missing serviceMonitor for background controller (#6600)
- Fixed missing imagePullSecrets in Helm hooks (#6764)
- Fixed passing of image pull secrets to all the needed controllers. (#6858)
- Fixed an incompatible types error when deploying the chart. (#6905)
- Fixed an issue in templating of metricsRefreshInterval. (#7019)
- Fixed an issue with the registry string in the background controller (#7286)
- Fixed chart app.kubernetes.io/instance label value to use .Release.Name (#7315)
All PRs
#7324 remove validation for deprecated field generateExistingOnPolicyUpdate
#7321 rename NotaryV2 to Notary
#7315 fix: chart app.kubernetes.io/instance label value
#7312 feat: [Feature] add podLabels and podAnnotations to background clean and reports controllers
#7308 fix: tls cipher suites
#7306 test: pod restart on configmap/secret update
#7303 fix: do not use release name in chart
#7298 update note
#7286 Fix: [Bug] registry is not defaulted to ghcr.io for backgroundController
#7283 chore: kuttl tests for podSecurity rule
#7276 feat: add yaml util to check empty document
#7263 fix: PSa latest version check
#7261 fix: auto update webhooks not configuring fail endpoint
#7259 fix: quote image in ImageInfo validation error
#7238 lazy evaluate vars in conditions
#7225 fix: do not exclude kube-system service accounts by default
#7220 fix: panic in reports controller
#7219 fix: mutate existing auth check
#7218 fix: match logic misbehave
#7208 [Bug] Enforce message wrong
#7204 handle Deny rules where conditions eval to true
#7203 remove duplicate code
#7198 fix: cleanup controller metrics name
#7197 fix: http request metrics
#7185 feat: add omit-events feature in helm chart
#7183 fix: preconditions in mutate existing rules
#7181 feat: add logging feature to helm chart
#7177 chore(deps): bump github.com/go-logr/zapr from 1.2.3 to 1.2.4
#7172 chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3
#7171 chore(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible
#7163 fixed typo in the v2 to v3 helm migration guide
#7153 fix: let reports controller quit when losing the lead
#7144 Update chart with v2 to v3 migration guidance.
#7142 chore: update background scan logging messages
#7132 fix: remove the container flag genWorker from the admission controller
#7127 feat: print container flags and their values
#7126 add condition msg to v2beta1
#7125 fix: remove the duplicate entry from the admission clusterrole
#7113 Conditions message
#7098 feat: generate policy validation - target resource scope & namespace settings
#7095 fix: mutation code
#7083 fix: remove excluded groups from matching
#7082 feat: add config inclusions support
#7080 feat: require generate.apiVersion
#7079 fix: panic for policy variable validation
#7071 lazy loading of context vars
#7068 fix: flaky github action
#7066 feat: add opt-in setting to deploy v3 chart
#7065 fix: add background scan interval log
#7063 refactor: engine response policy
#7039 fix: remove deletionTimestamp checks
#7037 update development doc
#7030 refactor: engine patchers
#7026 fix: generate policy validation to prevent endless loop
#7019 fix: helm template with metricsRefreshInterval
#7015 chore: use github.com/evanphx/json-patch/v5
#7014 feat: update built-in resource schemas
#7010 Added omit-events flag to allow disabling of event emission
#7007 fix: record configmap resource version to not reload when version didn’t change
#7006 feat: improve instrumented clients
#7002 feat: add registry credential helpers feature
#6999 fix: add server ip config to cleanup controller
#6996 fix: disable autogen in foreach mutation with json patches
#6993 chore: bump kind image to 1.27.1
#6978 fix: variables validation for background enabled policies
#6974 feat: add credential helpers flags
#6972 chore: restrict default permissions
#6970 feat: new access checks for background policies
#6966 Add kuttl test for ephemeral containers
#6963 fix: match on ephemeral containers
#6960 feat: add reports cleanup jobs to prevent outage
#6957 fix: refine event permissions in default roles
#6948 add support for Kubernetes API server POST
#6941 fix: incorrect json patch validation
#6940 feat: add verbosity level in helm chart values
#6939 fix: remove status from policy webhooks
#6936 feat: split chart values in readme per component
#6935 feat: add features section in helm values
#6930 fix: enable tracing in api call
#6925 fix: remove imageSignatureRepository flag from the background controller
#6924 refactor: move clients creation in internal package
#6918 chore: add config with exceptions disabled
#6916 fix: kuttl test for the generate rule
#6914 chore: add kuttl test for namespace exclusion
#6911 feat: add image_normalize filter
#6905 Fix incompatible types error in Kyverno helm chart
#6902 fix: deletion panic for PSa rule
#6901 chore: split unit tests and linter jobs
#6900 chore: split generate kuttl tests
#6899 chore: bump k8s patch versions
#6895 chore: better matrix jobs
#6887 fix ns selector
#6885 fix: context in api call
#6883 fix: make flag default values configurable
#6882 refactor: introduce jmespath interface
#6880 refactor: namespace labels in engine response
#6878 fix: applies policies to the UPDATEs when resource deletionTimestamp is set
#6877 refactor: policy response
#6874 fix: auth check the generate policy when use variables in name/namespace
#6872 chore: add k8s 1.27 to the test grid
#6869 fix: preserve source on trigger deletion for a generate policy with clone, sync
#6868 feat: bump k8s deps to 1.27
#6858 fix: add missing image pull secrets
#6854 refactor: move leader election code in internal package
#6853 refactor: move registry client init in internal package
#6849 fix: account for cosign default repository
#6847 chore: add kuttl tests with default config
#6846 feat: move cosign init in internal package
#6842 fix API call SA token and response
#6840 fix: kuttl tests for force-failure-policy-ignore config
#6838 fix: makefile nit
#6837 refactor: factorise engine creation
#6829 refactor: configuration config map controller
#6828 chore: fix makefile nits
#6825 fix: slsa generator for reports controller
#6824 chore: add slsa provenance jobs to all images published
#6822 chore: implement expected tagging strategy (cherry-pick #6820)
#6821 fix: slsa provenance generation
#6820 chore: implement expected tagging strategy
#6818 fix: incorrect config loading when data is nil
#6811 chore: run conformance tests with multiple configs
#6810 chore: support multiple helm values
#6808 fix: improve config management
#6804 refactor: simplify engine responses
#6799 feat: add policy reporter to the dev lab
#6798 reinstate Sam as a maintainer
#6797 fix: add logs in webhook middlewares
#6796 refactor: engine response stats
#6792 refactor: engine execution stats
#6791 chore: improve a few kuttl tests using shouldFail instead of commands
#6790 fix: replace background sa name in config by a flag
#6789 fix: drop hardcoded default exclusions
#6788 test: new kuttl test for image verify failure policy
#6785 chore: bump a couple of deps
#6784 refactor: engine rule response creation
#6783 fix: histogram buckets
#6782 refactor: kyverno_policy_execution_duration_seconds metric management
#6781 refactor: kyverno_policy_results metric management
#6780 feat: add subresource support to resource filters
#6779 feat: add exclude roles/cluster roles support in configmap
#6778 feat: add flag to skip resource filters in reports controller
#6777 fix: clone test
#6775 refactor: resolve roles/cluster roles/top level GVK earlier in the admission chain
#6774 refactor: remove more admission request pointers
#6773 feature: add wildcard support in policy exception rule names
#6771 chore: remove unnecessary cleanup steps from kuttl tests
#6770 chore: use Audit instead of audit in kuttl tests
#6769 refactor: remove admission request/response pointers
#6767 fix: allow empty image
#6766 fix: don’t filter on group when service based apiservice discovery fails
#6765 feat: update resource filters
#6764 fix: missing image pull secrets in helm hooks
#6763 chore: use Enforce instead of enforce in kuttl tests
#6762 dep: bump allowed PSa to 1.26
#6760 fix: Support subresources as the trigger in generate rules
#6758 feat: lint Helm charts for Artifact Hub
#6757 Adding validation to reject audit mode policy create/update when mutateDigest is set to true
#6754 feat: add context/preconditions support to mutate existing
#6752 test: kuttl new test for mutate foreach
#6751 refactor: don’t process context/preconditions in invokeHandler
#6744 Added Support for CSR in x509_decode()
#6739 fix: missing source in polex events
#6738 refactor: engine responses
#6737 chore: update install.yaml
#6736 refactor - fire generate upon trigger deletion
#6735 refactor: introduce image mutation handler
#6734 fix: event message for the image verify rule
#6733 fix: no skip result when no image match the rule
#6728 test: bgscan report with image verification rule passing
#6727 chore: bump default k8s version to v1.26.2
#6726 fix: missing volume for sigstore in reports controller
#6725 chore: remove unused context variable
#6724 refactor: introduce pss validation handler
#6722 refactor: remove rules pointer
#6721 refactor: add preconditions check to engine invokeHandler
#6720 chore: update tools versions
#6719 test: add kuttl test for bad manifest signatures
#6718 fix: quit when losing leadership
#6715 fix: cap and validate webhook timeout
#6710 chore: remove dead code
#6708 fix: allow overriding PDB api version
#6707 fix: allow image to be not present
#6706 fix: propagate error when parsing an image fails
#6704 refactor: make use of handlers in engine validation
#6701 test: add kuttl tests for manifests verification
#6698 chore: update argocd lab
#6697 refactor: introduce image validation handler
#6696 fix: auth validation for mutate existing policies
#6695 refactor: introduce validation handler
#6694 refactor: factorise rule handler invocation code
#6693 fix: validate mutate.targets
#6684 refactor: implement mutation rule handlers
#6683 [Chore] Bump to Go 1.20
#6680 refactor: introduce engine handler
#6678 Exit with WARN code if no objects satisfy a policy
#6676 fix: failed to update UR status
#6674 fix: replace more reflect.DeepEqual
#6670 feat: add support for ready message
#6668 fix: HasVerifyImages check
#6663 fix: add missing config controller to reports and background controllers
#6662 add kuttl generate tests for Namespaced policy
#6659 chore: bump a couple of deps
#6658 feat: add operations support in match/exclude
#6657 fix: filter name in add/sum error
#6655 fix: handle upgrade for generateExisting policies
#6653 test: add test case for duplicate check and report unused resources
#6652 refactor: discovery client
#6651 refactor: remove more pointers from engine api
#6650 fix: use FindResources in CLI
#6649 fix: do not create UR for dryrun admission requests
#6648 fix: GVK fallback in policy context
#6647 refactor: return structs instead of pointer in engine api
#6646 created dev container
#6644 fix: check if resource is empty when matching
#6640 fix: remove a couple DeepEqual and fix deletion check bug
#6639 chore: add vscode config to debug background controller
#6635 fix: incorrect old resource check
#6634 fix: skip duplicate PSa checks for the latest version
#6633 refactor: implement matching based on top level GVK + subresource
#6631 test: add kuttl tests for ephemeral containers
#6630 fix: correct cli test duplicate check
#6627 chore: add reports controller debug logs
#6626 fix: pods logs in ci debug step
#6625 refactor: do not allow matching with subresource kind
#6622 [test] test events creation upon generate rule application
#6613 refactoring: helm logging, tracing and metering config
#6612 fix: use GVR in reports resource controller
#6611 fix: map APIResource in FindResources results
#6610 fix: block generate policies when lack of permission to operate downstream resources
#6602 fix: schema validation for mutateExisting type of policy
#6601 feat: log when changes happen in policies
#6600 fix: add missing service monitor for background controller
#6599 refactor: helm chart network policies
#6598 chore: cleanup generate codebase
#6597 fix: add custom labels support back in helm chart
#6596 refactor: helm chart config
#6595 test: add config package unit test
#6588 refactor: make extraArgs objects in helm chart
#6586 fix: remove obsolete generatecontrollerExtraResources from helm chart
#6585 fix: add annotations support for all SA in helm chart
#6582 refactor: helm admission controller rbac config
#6581 test: add config package unit tests
#6580 fix: adding verbosity to openapi unit tests
#6579 feat: add webhook annotations support in config map
#6578 chore: bring back install-latest-testing.yaml
#6577 chore: remove unused discovery method GetServerVersion
#6576 fix: use GVRS to load mutation targets
#6575 fix: add back default generate permissions
#6571 fix: policy validation with subresource and background scan enabled
#6570 chore: add vscode config to debug reports controller
#6568 refactor: admission reports aggregation
#6566 fix: adding verbosity to the ./pkg/autogen unit tests
#6564 Add Roadmap.md and link to active releases / roadmap
#6563 fix: remove hasVerifyYaml from policy cache
#6555 fix: admission reports apiVersion column
#6553 test: clean up a couple kuttl tests
#6552 [Feature] The ability to sum quantities
#6547 test: add kuttl tests for policy kinds validation
#6546 chore: bump a couple of deps
#6544 fix: Don’t check for subresource existence when it is the trigger.
#6543 fix: policy cache use GVR instead of kind
#6541 fix: increase reports controller default burst
#6534 feat: change webhook configuration to better support wildcards
#6531 fix: process audit policies when admission reports are disabled
#6530 fix: namespace matching for background namespaced policies
#6529 test: add a kuttl test for rule deletion
#6524 refactor: reduce userinfos deps and add unit tests
#6523 fix: file name
#6522 fix: improve reports controller default values and workers
#6518 chore: upload install manifest
#6517 fix: lookup GVR from GVK
#6516 fix: lookup GVK from GVR
#6514 feat: use kind selectors
#6510 fix: compile regex globally
#6508 feat: apply generate rules on trigger events
#6504 refactor: helm admission controller config
#6501 refactor: helm admission controller config
#6499 feat: ignore admission requests sent by the kyverno background controller
#6490 Add license scanning
#6487 ArtifactHub badge added
#6474 refactor: helm admission controller config
#6473 refactor: helm admission controller config
#6472 fix: apply generate existing when a new rule is added
#6470 chore: rename generateExistingOnPolicyUpdate to generateExisting in tests
#6460 refactor: helm admission controller config
#6459 fix: update resource info in polex events
#6457 refactor: helm admission controller config
#6454 refactor: helm admission controller config
#6453 refactor: helm admission controller replicas
#6451 feat: validate immutable fields for a generate rule - 2
#6439 fix: remove timestamp checks for the clone rule
#6438 feat: disallow variables for a generate rule
#6429 fix: error log
#6425 chore: add cascading kuttl test
#6424 fix: panic when fails to fetch resource GVK
#6423 chore: split kuttl tests
#6416 fix: makefile build/kind targets and add target to save built images to files
#6414 Fix ServiceMonitor additionalLabels don’t render properly
#6411 fix: cascading mutations
#6407 test: add the kuttl test pol-clone-sync-modify-source
#6397 refactor: remove MutateResourceWithImageInfo
#6395 chore: remove dead code
#6393 fix: delete downstream for a generate rule removal, with data and sync
#6389 Redirection in kuttl readme fixed
#6387 feat: add the kuttl test for Policy (Namespaced) with generate rule, data, and sync
#6386 feat: add kuttl test for Policy (Namespaced) with generate rule, clone and sync
#6384 SLSA provenance added for background and reports controller
#6383 feat: upgrade otel
#6381 fix: remove dynamic config from match helpers
#6380 fix: remove dead code
#6368 fix: delete certificate secret if type is not TLS
#6365 fix: logger key value in wrong order
#6363 fix: missing metrics for policies in audit mode
#6361 chore(deps): bump github.com/notaryproject/notation-go from 1.0.0-rc.1 to 1.0.0-rc.3
#6358 fix: role matching from authentication infos
#6357 refactor: user/groups exclusions
#6356 refactor: change admission controller deployment name
#6351 fix: use labels.Everything in userinfo clusterroles matching
#6350 feat: add view aggregated cluster role support
#6341 chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
#6340 Update k8s.gcr.io to registry.k8s.io
#6338 cleanup-controller metrics
#6336 feat: add a kuttl test for ClusterPolicy with generate rule, data and sync
#6335 feat: Removal of multiple elements using JSON patch in a foreach loop
#6334 chore(deps): bump github.com/onsi/gomega from 1.26.0 to 1.27.0
#6328 feat: add validations for generate immutable fields
#6322 feat: change mapping strategy for generate URs
#6321 [BREAKING CHANGE] fix: rename GenerateExistingOnPolicyUpdate to GenerateExisting
#6320 chore(deps): bump github.com/sigstore/k8s-manifest-sigstore from 0.4.3 to 0.4.4
#6304 refactor: remove validate failure actions from response
#6303 fix: use apiserver instrumented client
#6302 feat: add new instrumented clients
#6301 refactor: make engine stats standard fields
#6300 chore: bump a couple of deps
#6298 refactor: propagate exception in rule response
#6297 chore: build docker images for all supported platforms
#6296 fix: use client instead of discovery for sanity checks
#6294 feat: add new fields to UR for generate rule details
#6293 refactor: original resource tracking in engine response
#6292 Added JMESPath filter to_boolean()
#6291 chore: add label keys for generate policies
#6289 refactor: engine matching/filtering
#6283 chore: remove testrunner package
#6281 chore: generate controller cleanups
#6280 refactor: improve engine logger management
#6279 chore: add error logs in wait for cache sync helper
#6278 chore: support merge queue
#6277 test: add pattern pkg unit tests
#6271 chore(deps): bump golang.org/x/crypto from 0.5.0 to 0.6.0
#6268 chore(deps): bump github/codeql-action from 2.2.2 to 2.2.3
#6267 chore(deps): bump google.golang.org/grpc from 1.52.3 to 1.53.0
#6263 move from k8s.gcr.io to registry.k8s.io
#6262 refactor: add a few response helpers in engine internal
#6260 refactor: remove store dependency in engine pkg
#6254 chore(deps): bump go.opentelemetry.io/otel from 1.12.0 to 1.13.0
#6253 refactor: context loading and engine methods
#6252 test: add a couple pattern unit tests
#6247 refactor: use more engine internals
#6245 chore(deps): bump github/codeql-action from 2.2.1 to 2.2.2
#6242 fix: do not pass dynamicConfig to matchesResourceDescriptionMatchHelper (#6231)
#6241 refactor: introduce internal engine package
#6240 fix: add tests for jp arithmetic funcs
#6239 fix: error management in jp functions
#6237 feat: enable leader election for the background controller
#6236 chore(helm): change title of grafana dashboard
#6235 refactor: make funcs part of engine struct to reduce parameter passing
#6233 refactor: move client out of policy context
#6230 fix: add more jp unit tests and check for out of bounds argument
#6227 chore(deps): bump github.com/go-git/go-billy/v5 from 5.4.0 to 5.4.1
#6226 chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.4
#6225 chore(deps): bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.6.0
#6219 chore: add a few unit tests for jp functions
#6218 fix: ko publish image targets
#6217 chore: remove install manifest
#6216 fix: namespaceSelector for audit rules
#6213 feat: Check if admission controller replica count is set to zero
#6212 refactor: add more functionalities to engine interface
#6211 [kyverno helm chart] make sigstore volume configurable
#6205 fix: add engine api unit tests
#6204 fix: exclude user names in configmap not working
#6202 test: add a couple unit tests
#6199 refactor: more engine interface
#6197 fix: admission review variables for DELETE operations
#6196 fix: jp items function
#6194 chore: publish images for the reports and the background controller
#6193 chore(deps): bump svenstaro/upload-release-action from 2.4.0 to 2.4.1
#6192 chore(deps): bump aquasecurity/trivy-action from 0.8.0 to 0.9.0
#6188 fix: namespaceSelector for background policies
#6187 fix: remove exceptionNamespace from init-container
#6184 chore: the linters structcheck, varcheck and deadcode are deprecated (since v1.49.0)
#6183 #6055 Add JMESPath support to imageExtractors
#6181 refactor: introduce engine interface in engine api
#6180 feat: support arrays in jp items() function
#6177 refactor: introduce policy context interface in engine api
#6175 optimize the document for readability
#6173 chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.1 to 0.14.2
#6171 chore(deps): bump goreleaser/goreleaser-action from 4.1.1 to 4.2.0
#6167 chore: clean up the unnecessary package import rename found
#6166 chore: clean up the unnecessary package import rename
#6165 chore: remove dependency on github.com/pkg/errors
#6164 refactor: introduce context loader interface in engine api
#6163 refactor: complete engine api tests
#6162 refactor: move resolver interface and utils into engine api package
#6161 test: add more engine api package tests
#6160 refactor: merge engine common and utils packages
#6159 refactor: remove PolicySpec from engine api
#6158 chore: remove unused functions from engine package
#6157 feat: template background controller
#6156 refactor: clean engine api package
#6154 refactor: introduce engine api package
#6153 chore: add deployed components to helm chart notes
#6151 chore(deps): bump goreleaser/goreleaser-action from 4.1.0 to 4.1.1
#6150 chore(deps): bump github/codeql-action from 2.2.0 to 2.2.1
#6147 chore(deps): bump go.opentelemetry.io/otel from 1.11.2 to 1.12.0
#6141 fix: missing image tag values in makefile
#6140 chore: remove obsolete targets from makefile
#6139 refactor: rename initContainer to kyverno-init
#6138 refactor: use image registry in helm values
#6136 refactor: add names and security context helpers to helm chart
#6134 fix: reduce dependency from engine to cli
#6133 Replaces manually written logic with regex for matching anchor elements
#6130 refactor: helm admission controller part 2
#6127 spec.background field implementation for PolicyExceptions
#6126 fix: update kuttl to fix deletion race
#6125 fix: create events for audit mode policies
#6124 refactor: event package
#6121 fix: helm pre-delete hook
#6120 fix: allow configmap.data/configmap.metadata in policy validation
#6119 refactor: helm admission controller (part 1)
#6118 fix: Overriding .Values.service.port doesn’t work
#6117 fix: tracing attributes length and tracer name
#6110 Make the grafana dashboard configmap name customizable
#6101 fix: new binaries version
#6096 refactor: helm rbac component
#6094 chore: add rollout targets to makefile
#6085 feat: add helm tests for cleanup controller
#6083 fix: run event generator to add audit mode events
#6081 feat: add helm test for reports controller
#6079 chore: improve a couple kuttl tests
#6076 refactor: helm templating management
#6075 fix: helm test workflow cache key
#6074 refactor: helm tests
#6073 refactor: helm labels management
#6071 fix: use conditions to show policy ready status
#6069 refactor: move helm image pull secrets in config folder
#6067 refactor: helm chart crds management
#6066 fix: helm default values ci file name
#6065 refactor: helm namespace override
#6064 refactor: helm configmaps
#6061 Add namespace in test pod and webhooks cleanup job helm template
#6058 fix: dev lab
#6057 chore: bump a couple of deps
#6054 chore: bump a couple of deps
#6053 chore: run helm test
#6050 feat: add new updaterequest_controller entrypoint
#6048 fix: don’t release leader lock on context cancelled
#6045 feat: remove report controllers from kyverno admission controller
#6044 chore: remove prateek and vyanky from codeowners
#6043 feat: remove generate request CRD
#6042 fix: comment format
#6041 docs: add tagging strategy in DEVELOPMENT.md
#6031 chore: simplify release workflow
#6029 chore: improve publish images workflow
#6025 chore: simplify images build workflow
#6024 chore: simplify pr update workflow
#6019 chore(deps): bump github.com/sigstore/sigstore from 1.5.0 to 1.5.1
#6018 chore(deps): bump github.com/onsi/gomega from 1.24.2 to 1.25.0
#6017 optimize the tables and partial descriptions in the document
#6011 Notary v2
#6009 chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions from 2.0.4 to 2.0.5
#6007 Update goversion
#5994 fix: drop events when queue size is zero
#5993 chore(deps): bump github/codeql-action from 2.1.37 to 2.1.38
#5992 chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0
#5972 chore(deps): bump fluxcd/flux2 from 0.38.2 to 0.38.3
#5971 chore(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.0
#5964 [Enhancement] Removes dead code from pkg/policy
#5962 fix: change inrange operator regexes
#5961 refactor: match utils package
#5958 refactor: engine pattern package and add duration support
#5929 Makefile and log
#5927 chore: do not run scorecard workflow if token is not defined
#5926 fix: condition jobs in gh workflows
#5925 fix: condition jobs in gh workflows
#5923 chore: improve fossa gh workflow
#5921 chore: do not run pr update workflow if token is not defined
#5918 chore: do not run sonar workflow if token is not defined
#5898 switch app version to latest
#5878 chore(deps): bump golang.org/x/crypto from 0.4.0 to 0.5.0
#5837 fix webhookCleanup enable switch syntax
#5755 Service call
#5700 add kuttl validate use case test for allnotin
#5352 feat: add separate reports-controller
#5107 fix: improve shutdown gracefulness
#4715 Adding configuration option for default registry domain
#4461 feat: Use standard selector for validationFailureActionOverrides
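Two entries in the list above, #7039 (remove deletionTimestamp checks) and #6878 (apply policies to UPDATEs when the resource's deletionTimestamp is set), are the fix for CVE-2023-34091. The Go program below is an added illustration written for this page, not Kyverno's engine code: using only the standard library it models how an object that is compliant when created can be parked in a pending-deletion state by a finalizer that is never removed, then UPDATEd into a non-compliant state, and contrasts an engine that exempts objects carrying `deletionTimestamp` (the pre-1.10 behaviour) with one that has dropped the exemption. The `Resource` shape, the `owner` label rule, the Service manifest, the finalizer name and all function names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Resource is a minimal stand-in for an unstructured Kubernetes object,
// holding only the ObjectMeta fields this model reads (constructed shape).
type Resource struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name              string            `json:"name"`
		Labels            map[string]string `json:"labels"`
		Finalizers        []string          `json:"finalizers"`
		DeletionTimestamp string            `json:"deletionTimestamp,omitempty"`
	} `json:"metadata"`
}

// Policy is one validate rule: allowed, plus a message when denied.
type Policy func(Resource) (bool, string)

// requireLabel builds a rule that denies objects missing a label; it is a
// constructed stand-in for an Enforce-mode ClusterPolicy.
func requireLabel(key string) Policy {
	return func(r Resource) (bool, string) {
		if _, ok := r.Metadata.Labels[key]; !ok {
			return false, fmt.Sprintf("%s/%s: missing required label %q", r.Kind, r.Metadata.Name, key)
		}
		return true, ""
	}
}

// admitPre110 models the pre-1.10 engine: an object whose deletionTimestamp is
// set was exempted before any rule ran, so an UPDATE to it was never validated.
func admitPre110(op string, obj Resource, p Policy) (bool, string) {
	if obj.Metadata.DeletionTimestamp != "" {
		return true, "skipped: resource pending deletion"
	}
	return admitFixed(op, obj, p)
}

// admitFixed models the engine after #7039 / #6878: the exemption is gone, so
// CREATE and UPDATE are validated whether or not deletion is pending.
func admitFixed(op string, obj Resource, p Policy) (bool, string) {
	if op == "DELETE" {
		return true, ""
	}
	return p(obj)
}

// apiServerDelete models DELETE of an object that carries finalizers: the API
// server stamps deletionTimestamp and keeps the object until every finalizer
// is removed. It returns false when the object is simply gone.
func apiServerDelete(obj Resource, now string) (Resource, bool) {
	if len(obj.Metadata.Finalizers) == 0 {
		return Resource{}, false
	}
	obj.Metadata.DeletionTimestamp = now
	return obj, true
}

// constructedService is a sample Service written for this example: compliant
// at creation, with a finalizer that nobody will ever clear.
const constructedService = `{"kind":"Service","metadata":{"name":"web",
  "labels":{"owner":"team-a"},"finalizers":["example.com/never-removed"]}}`

// runBypass plays the sequence out and reports whether each engine model
// admitted the policy-violating UPDATE.
func runBypass() (pre110Allowed, fixedAllowed bool, err error) {
	var svc Resource
	if err = json.Unmarshal([]byte(constructedService), &svc); err != nil {
		return
	}
	policy := requireLabel("owner")
	if ok, _ := admitFixed("CREATE", svc, policy); !ok { // step 1: compliant CREATE
		return false, false, fmt.Errorf("compliant CREATE unexpectedly denied")
	}
	pending, alive := apiServerDelete(svc, "2023-06-01T00:00:00Z") // step 2: DELETE
	if !alive {
		return false, false, fmt.Errorf("finalizer should keep the object alive")
	}
	delete(pending.Metadata.Labels, "owner") // step 3: UPDATE into violation
	pre110Allowed, _ = admitPre110("UPDATE", pending, policy)
	fixedAllowed, _ = admitFixed("UPDATE", pending, policy)
	return pre110Allowed, fixedAllowed, nil
}

func main() {
	pre, fixed, err := runBypass()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("pre-1.10 engine admitted the non-compliant UPDATE:", pre)   // true
	fmt.Println("1.10 engine admitted the non-compliant UPDATE:    ", fixed) // false
}
```

Run it with `go run`. In this model DELETE itself is passed through by both variants (a simplification, since Kyverno rules can also match DELETE); the behaviour that changed in 1.10 is only that an object with `deletionTimestamp` set is treated like any other object for CREATE and UPDATE, so the non-compliant update at step 3 is denied. The equivalent check against a real cluster is an UPDATE to an object whose `metadata.deletionTimestamp` is already set, which an Enforce-mode policy on 1.10.0 must reject.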