
Releases: kyverno/kyverno

v1.13.1

12 Nov 11:07
1c6c488

✨ Added ✨

  • Added the validation check for webhook configurations using CEL (#11461)

🐛 Fixed 🐛

  • Skipped Azure keychain-based login for MCR registry (#11480)
  • Fixed validation to match the failure action case-insensitively when validating an old object (#11486)
  • Fixed the missing emitWarning field in the v2beta1 policy (#11489)
  • Fixed the CLI to support VAP stable version v1 (#11501)
  • Fixed the auto-gen rules regarding celPreconditions (#11503)
  • Fixed a CLI issue by setting the default namespace for namespaced policies (#11505)
  • Fixed the configurable namespaceSelector list in the webhook (#11516)
  • Fixed an issue where an image verification rule blocked updates to a resource (#11529)
  • Fixed the policy validation message to include keywords "immutable fields" (#11549)
  • Fixed a panic issue for the admission controller when processing the validate rule (#11550)

Helm

  • Corrected Helm configuration behavior for global image registry (#11482)

🔧 Others 🔧

  • Switched to use the digest instead of the tag (#11492)

v1.13.1-rc.1 (Pre-release)

07 Nov 15:38
aa2bb20

v1.13.0

29 Oct 09:13
978c2f3

Overview of 1.13 highlights - Kyverno release blog.

❗ Breaking Changes ❗

This release contains the following breaking configuration changes:

  • Removal of wildcard permissions: prior versions granted wildcard view permissions, which allowed the Kyverno controllers to view all resources, including secrets and other sensitive information. In 1.13 the wildcard view permission was removed and a role binding to the default view role was added. See the documentation section on Role Based Access Controls for more details. This change does not impact policies during admission control, but it may impact reports, and it may impact users with mutate and generate policies on custom resources, since the controller may no longer be able to view those custom resources.
  • Default exception settings: the Helm chart values of prior versions enabled exceptions by default for all namespaces, which creates a potential security issue; see CVE-2024-48921 for details. This change impacts users who relied on policy exceptions being enabled in all namespaces.

For upgrade guidance see here.

✨ Added ✨

  • Added control names and images to policy reports for validate.podSecurity sub-rule (#9869)
  • Support condition validations across multiple attestations or context entries for image verification (#9960)
  • Added TSA cert chain support in Cosign for image verification (#9961)
  • Added support to generate Policy Exceptions from policyreports (#9987)
  • Supported the CLI apply command to continue on failure (#10036)
  • Added support for signature algorithm in Cosign cert and KMS verification for image verification (#10086)
  • Supported inline exceptions in CLI apply command (#10133)
  • Enabled warnings for policy violations and mutations upon admission reviews (#10214)
  • Advanced support for generating validatingadmissionpolicies (#9981, #10100, #10162, #10181, #10187, #10205, #10208, #10215, #10771)
  • Supported Cosign experimental OCI 1.1 signatures (#10228)
  • Supported background scanning of existing resource in image verification (#10287)
  • Added the report-controller flag to configure aggregation workers (#10331)
  • Updated default metrics in the Helm chart (#10459)
  • Supported the default value for apiCall in policy context (#10594)
  • Optimized Kyverno performance (#10700, #10701, #10702, #10703, #10723)
  • Added an option to configure updateRequestThreshold (#10739)
  • Added a new validate.assert sub-rule (#10763, #10777, #10780)
  • Added a finalizer-based option for webhookconfigurations cleanup upon kyverno un-installation (#10782)
  • Added full regexp support to Cosign (#10815)
  • Supported explicit protocol selection with appProtocol (#10864)
  • Enhanced logging (#10560, #10790, #10822, #10874, #10867)
  • Supported Sigstore bundle verification (#10567, #10901)
  • Supported custom data in policy reports (#10933)
  • Added OpenAPI validation for Kyverno policy (#10990, #10993, #10997, #10998, #11013)
  • Added the support for HTTP headers in service API calls (#11041)
  • Supported shallow variables substitution (#11058)
  • Added a flag to pass tuf root directly (#11103)
  • Supported foreach for generate policies (#10875, #10888, #11140, #10963, #10964)
  • Added Kyverno upgrade tests (#11163)
  • Supported labelSelectors for mutate targets (#11208)
  • Added dumpPatch flag for mutate policies (#11237)
  • Added reporting to mutate and generate rules (#11265, #11339)
  • Added a circuit breaker for the reports controller (#11329, #11271)
  • Added --backgroundReports flag to disable background controller reports (#11361)

Helm

  • Supported configurable hostNetwork settings for admission-controller and cleanup-controller (#9864)
  • Supported configurable webhook pod annotations (#9875)
  • Supported custom ports for background-controller & reports-controller (#9939)
  • Updated flowcontrol API version to v1 (#10061)
  • Added Helm options in GrafanaDashboard configuration for custom importing (#10254)
  • Supported custom policies in kyverno/policies Helm chart (#10320)
  • Added global tolerations (#10368)
  • Added global.image.imagePullSecrets config (#10868)
  • Added the sleep duration configuration to manage deployments (#10965, #11028)
  • Supported custom annotations on Kyverno deployments (#10971)
  • Updated dashboard to support Grafana 11 (#11070)
  • Added test.imagePullSecrets config in Helm for custom images (#11195)
  • Removed cleanupJobs keys from Helm chart (#11242)
  • Added options to configure resync period for informers in Helm chart (#11420)
  • Added a Helm configuration for reporting in different rules (#11376)

⚠️ Changed ⚠️

  • Changed to allow updates for preexisting resources which violate a validate foreach, cel or pss policy (#10033)
  • (API) Migrated generateExisting field for the generate rule (#10441)
  • (API) Migrated mutateExistingOnPolicyUpdate field for the mutate rule (#10461)
  • Removed old intermediate reports types admissionreports and backgroundscanreports (#10083, #10500, #10504)
  • (API) Migrated webhookTimeoutSeconds and failurePolicy (#10515)
  • Removed old reports from the Helm chart and disabled cleanup jobs by default (#10533)
  • Removed reports chunking (#10597)
  • Removed cleanup cronjobs for updaterequests and ephemeralreports (#10249, #10325, #10760)
  • Removed wildcard permissions (#10785)
  • (API) Removed v1alpha1 of validatingadmissionpolicies and made v1beta1 the default (#10955)
  • (API) Deprecated the policy status.ready (#10999)
  • (API) Migrated spec.validationFailureAction to spec.rules.validate.failureAction, spec.validationFailureActionOverrides to spec.rules.validate.failureActionOverrides (#10667, #10528, #10893, #10941, #11011)
  • Allowed rule patterns to be changed in generate policies (#11202)
  • Overwrote the managed-by label for target resources in mutate existing rules (#11267)

🐛 Fixed 🐛

  • Fixed CLI apply command to print failure messages (#9166)
  • Fixed many-to-one comparisons for AnyNotIn operator (#9462)
  • Fixed the report in CLI to include validate.podSecurity control details (#9785)
  • Fixed CONNECT operation in the webhook config for pod/exec subresource (#9855)
  • Fixed a parsing issue for BACKGROUND_SCAN_INTERVAL (#9933)
  • Fixed return status when celPreconditions/matchConditions are not met (#9940)
  • Fixed the CLI to evaluate namespaceObject (#9978)
  • Fixed metrics exposure inconsistencies and unwanted side-effects (#10016)
  • Fixed a panic issue by adding an error check in jmespath type conversion for context variables (#10152)
  • Added a check that the CA certificate ConfigMaps are defined (#10156)
  • Fixed mutate existing policies to process matched resources only (#10164)
  • Fixed the level parameter of the CLI apply and test commands (#10216)
  • Added the resource name to the SubjectAccessReview (#10221)
  • Fixed an inconsistency issue for policy reporting (#10233)
  • Truncated event messages to 1024 chars (#10255)
  • Fixed a CLI issue to load policies from filesystem (#10270)
  • Fixed webhook reconciliation bugs (#10140, #10146, #10262, #10274)
  • Fixed BuildTime and BuildHash in version info (#10474)
  • Fixed the default value for orphandownstream (#10478)
  • Fixed the error message when policy context creation fails (#10566)
  • Fixed the missing group in GlobalContextEntry (#10572)
  • Fixed exception matching to return all exceptions that match the incoming resource (#10722)
  • Fixed an events generation issue regarding generateSuccessEvents configuration (#10741)
  • Fixed the policy exception to match Pod/ephemeralcontainers subresource by default (#10778)
  • Enabled missing tests for the policy validation (#10784)
  • Enabled deferred loading for image variables in policy context (#10787)
  • Switched to create an updaterequest per generate policy (#10793)
  • Fixed an issue so that only Kyverno-managed policyreports are reconciled (#10794)
  • Fixed global context retry logic (#10796)
  • Fixed resource names auth check for mutateExisting policies (#10808)
  • Fixed permission checks for validate.cel subrules (#10829)
  • Added image names in logs (#10837)
  • Updated policy status message (#10862)
  • Reduced recursions for nested variable substitution (#10877)
  • Fixed the pinned dependencies issue (#10910)
  • Fixed policy reports generation for namespaced policies in CLI (#10923)
  • Fixed variable substitution error handling in policy validation (#10936)
  • Fixed wildcard matching for trigger's name of the generate policy (#10945)
  • Added validation check to require the context entry name (#10995)
  • Fixed a panic issue regarding the validate.podSecurity subrule (#11012)
  • Fixed the policy status reconciliation issue by removing duplicate fetches (#11026)
  • Fixed an issue to make match field required in rule API (#11048)
  • Fixed an issue so that empty updaterequests are no longer generated (#11065)
  • Fixed an issue to use base64 string in raw tuf root (#11117)
  • Added the missing label info in the cleanup metrics (#11147)
  • Fixed an incorrect policy status comparison (#11203)
  • Printed out errors when starting admission reports watcher (#11218)
  • Fixed a foreach list validation issue (#11222)
  • Fixed an issue when reconciling webhooks configurations per installed policies (#11225, #11230, #11233)
  • Fixed policy status reconciliation issues (#11203, #11236)
  • Fixed an issue to allow images to be pulled from insecure registry when allowInsecureRegistry flag is set to true (#11243)
  • Fixed a performance issue by using shallow copy instead of deep copy (#11378)
  • Fixed and improved webhooks rules generation (#11419)
  • Fixed match logic for old object validatio...

v1.13.0-rc.3 (Pre-release)

22 Oct 14:41
0f03ba0

v1.13.0-rc.2 (Pre-release)

14 Oct 09:08
27bb1cb

v1.12.6

27 Sep 09:07
bf047e4

🐛 Fixed 🐛

  • Change: Disable updaterequest cleanup cronjob (#10678)
  • Fix(helm): Remove namespace from RoleBinding/roleRef field (#10685)
  • Fix: Properly use useCache field in image verification policies (#10709)
  • Fix: Check for the client being nil before applying a mutation (#10726)
  • Fix: Resource namespace checks for Kyverno CLI (#10738)
  • Fix: Range through all resources to build webhook (#10748)
  • Fix: Get namespace labels before creating a policy context (#10773)
  • Fix: Wrong evaluation of pod security standard version (#10924)
  • Fix: Frequent API GET/UPDATE requests regarding webhooks reconciliation when no policies (#11203, #11225, #11230, #11233)

🔧 Others 🔧

  • Fix: Bump docker in release 1.12 (#11088)
  • Fix: Updated Go version to v1.22.7 to address CVE-2024-34156 (#11142)
  • Chore: Bump chainsaw (#10687)
  • Chore: Bump github.com/docker/docker from 26.1.3+incompatible to 26.1.4+incompatible (#10750)

v1.13.0-rc.1 (Pre-release)

26 Sep 11:11
abfea8f

v1.12.6-rc.3 (Pre-release)

26 Sep 09:13
dbc2631

v1.12.6-rc.2 (Pre-release)

18 Sep 08:04
3cc6911

v1.12.6-rc.1 (Pre-release)

16 Sep 10:03
ba7aaac