Update dependency kyverno/kyverno to v1.12.4 #267

Merged
merged 2 commits into from
Jun 23, 2024

@renovate renovate bot commented May 23, 2024

Mend Renovate

This PR contains the following updates:

Package Update Change
kyverno/kyverno minor v1.10.7 -> v1.12.4

Release Notes

kyverno/kyverno (kyverno/kyverno)

v1.12.4

Compare Source

❗Important Notice ❗

If you are running 1.12, please upgrade to this version to pick up the fix for the ephemeralreports piling-up issue. Check this post and understand how to recover from an ETCD outage:

Amazon EKS- managing and fixing ETCD database size

[updated] If you are seeing consistent creation of ephemeralreports, you can:

  1. disable reporting for admission events, please see this comment
  2. tune --aggregationWorkers to increase the capacity of consuming ephemeralreports, see this comment. It can be configured directly via the container flag, or through Helm extraArgs.

🐛 Fixed 🐛

🔧 Others 🔧

v1.12.3

Compare Source

✨ Added ✨

  • Added support for background scanning of existing resource in image verification (#​10311)
  • Added a cleanup cronjob to delete updaterequests (#​10326)
  • Added cleanup cronjobs for (cluster)ephemeralreports (#​10334)
  • Add aggregation workers flag to configure (cluster)ephemeralreports consumer (#​10343)

🔧 Others 🔧

v1.12.2

Compare Source

✨ Added ✨

  • Added an option to allow kyverno apply command to continue on failure (#​10036)

Helm

  • Added an option to configure webhook pod annotations (#​9875)

🐛 Fixed 🐛

  • Fixed missing CONNECT operation in the webhook config for pod/exec subresource (#​9855)
  • Fixed an issue to evaluate multiple policyexceptions regardless of condition failures (#​9994)
  • Fixed the VAPs generation issues for pods/ephemeralcontainers, resourceNames field (#​10162, #​10187, #​10208)
  • Fixed the mutate existing policies to be applied on matched resources only (#​10164)
  • Fixed an issue to skip generating VAPs for policies that match multiple resources with a namespace/object selector (#​10181)
  • Fixed a CLI issue when the level parameter of the apply and test commands does not work (#​10216)
  • Fixed CVEs (#​10225)
  • Fixed an issue when applying multiple validate rules produces the wrong result (#​10236)
  • Fixed context canceled issue when creating reports (#​10245)
  • Fixed an issue in foreach mutate policies with Descending order defined causing unexpected patches (#​10252)
  • Fixed an event generation issue when the size exceeds the limit (#​10255)
  • Fixed operation-based webhook configuration issue when there are multiple policies matching the same kind (#​10262)
  • Fixed flake VAPs tests (#​10263)
  • Fixed a CLI issue when loading policies from the filesystem (#​10270)
  • Fixed webhook configuration update loop (#​10274)
  • Fixed an issue when a rule has both conditional and equality anchors defined (https://github.com/kyverno/kyverno/issues/10117)

🔧 Others 🔧

  • Made CLI results count public (#​10177)
  • Added a new linter prealloc to enforce slice declarations best practice (#​10250)

v1.12.1

Compare Source

🐛 Fixed 🐛

  • Fixed return status when celPreconditions.matchConditions aren't met (#​9940)
  • Fixed the CLI to evaluate namespaceObject for Kyverno policies (#​9977, #​9978)
  • Fixed concurrent policy applications (#​10139)
  • Fixed endless updates of policy status (#​10140)
  • Fixed empty operations in mutating webhook configuration for a policy with mixed types of rules (#​10146)
  • Fixed endless policy reports reconciliation issue (#​10148)
  • Fixed type conversion in jmespath context variables (#​10152)

🔧 Others 🔧

v1.12.0

Compare Source

1.12 Release Notes

❗ Important Notice ❗

Several critical issues have been found in 1.12.0 and are being closely monitored within the 1.12.1 milestone. Please hold your upgrade to this release until 1.12.1 comes out.

❗ Breaking (Potentially) ❗

  • Policies using long-deprecated or invalid operators in conditions (ex., In and NotIn) will be blocked. Please see the current list of available operators here (#​8624)

✨ Added ✨

  • Added a global cache via a new Custom Resource called GlobalContextEntry allowing caching of any resource (#​9591, #​9595, #​9601, #​9602, #​9614, #​9615, #​9618, #​9619, #​9620, #​9621, #​9643, #​9652, #​9678, #​9710, #​9813)
  • Added the ability to configure the listening ports of webhooks for admission and cleanup controllers (#​7728)
  • Several new and improved abilities to reduce the scope of webhooks based on policy configurations, including support for the CEL-based matchConditions available in Kubernetes 1.27+ (#​8065, #​8437, #​9483, #​9599)
  • Added a new container flag --protectManagedResources to the cleanup controller (#​8566)
  • Added a new container flag --renewBefore to the admission cleanup controllers to configure the cert renewal time (#​8567)
  • Added a new container flag --loggingtsFormat which can be used to change the time format of logs (#​9276)
  • Policy Exceptions now support conditions (#​8577)
  • Policy Exceptions now support excluding specific controls when using a Pod Security sub-rule validate.podSecurity (#​9343, #​9817)
  • Pod Security sub-rule (validate.podSecurity) has a new ability to exclude based on restricted fields (exclude.restrictedField and associated values) (#​8585, #​9770, #​9658)
  • Added a new field to verifyImages rules called skipImageReferences allowing you to exclude certain images (#​8633)
  • Added a new field to generate rules (data-type) called orphanDownstreamOnPolicyDelete which will preserve downstream resources when the policy/rule is deleted (#​9579)
  • Added the ability to deploy specific controllers with CRDs following suit (#​8849, #​9608)
  • Added the ability to apply custom labels to Kyverno's webhooks, helpful especially for Argo CD users (#​9015)
  • Added support for more types of JSON patch operations like "move", "copy", and "test" (#​9476)
  • Policy Reports can now be generated from ValidatingAdmissionPolicies and their bindings (#​9506)
  • Created a new API group reports.kyverno.io for storing new ephemeral report kinds EphemeralReports and ClusterEphemeralReports (#​9521, #​9537)
  • New is_external_url() JMESPath function to determine whether a given URL is an external URL (#​8614)
  • New sha256() JMESPath function to convert a string of any length to a fixed hash value (#​9144)
  • Kyverno CLI: Added a new migrate command which is used to migrate Kyverno resources to the current API version (#​9296)
  • Kyverno CLI: Added a new (experimental) json command which incorporates the Kyverno JSON subproject into the main CLI allowing for testing of any JSON content (#​9639, #​9651)
  • Kyverno CLI: The test command now supports the same assertion trees available in Chainsaw (#​9380)
  • Kyverno CLI: The apply command now supports ValidatingAdmissionPolicyBindings (#​9468, #​9751, #​9759)
  • Kyverno CLI: apply and test commands now support Policy Exceptions (#​9525, #​9624, #​9714, #​9749)
  • Kyverno CLI: Added a --resources flag as an alias for the existing --resource flag (#​9749)

Helm

  • Add chart parameters for setting revisionHistoryLimit (#​8907)
  • Allow excluding resources from config.resourceFilters (#​8946)
  • Allow defining ca-certificates bundle for Kyverno deployments (#​8969)
  • Clean up Helm change logs (#​9057)
  • Added ability to set extra environment variables globally (#​9269)
  • Added the ability to enable performance profiling to the chart (#​9338)
  • Added a global nodeSelector to the chart (#​9339)
  • Allow adding Pod labels to cleanup jobs in the chart (#​9391)
  • Added a CRD migration capability via hooks to the chart (#​9481, #​9657)
  • Added the ability to define additional resources to be excluded via resourceFilters (#​9530)
  • Added a small note for AKS users when the chart is installed (#​9552)
  • Added the ability to configure backoff limits in jobs in the chart (#​9569)
  • Added default exclusions in webhooks (#​9950)

⚠️ Changed ⚠️

  • Allow setting admission controller replica count to 2 (#​8932)
  • The spec.schemaValidation field is formally deprecated. As of 1.11 it has no effect. (#​9189)
  • The --reportsChunkSize flag is deprecated and has no effect since aggregation has changed (#​9697)
  • The --imageSignatureRepository flag is deprecated and has no effect, use the verifyImages.Repository field instead (#​9698)
  • Policy Exceptions will now be evaluated against existing resources when the exception is created (#​8659, #​8713, #​8544)
  • Policy Exceptions API graduated to v2 (#​9208, #​9412)
  • Cleanup Policies API graduated to v2 (#​9261, #​9420)
  • Admission and Background reports APIs graduated to v2 (#​9262)
  • UpdateRequests API graduated to v2 (#​9267)
  • Reduced some logged messages (#​9509, #​9626)
  • Default logging time format is changed to RFC3339 (#​9775)
  • Updated the internal Pod Security Standards up through 1.29 (#​9783)
  • The time_parse() JMESPath filter now supports epoch time (#​9173)
  • Kyverno will validate ValidatingAdmissionPolicies' CEL expressions and show a warning, or block, if invalid (#​9566)
  • Kyverno CLI: The CLI will now perform field defaulting in policies being tested, moving it out of experimental status (#​9220)

Helm

  • Chart will now omit policy applied and skipped events by default (#​9493)
  • Allow configuring the policy kind in kyverno-policies chart (#​8827)
  • Refined permissions by removing wildcards (#​9507, #​9516)
  • Rename the Grafana dashboard file from dashboard.json to kyverno-dashboard.json (#​9041)

Performance

  • Initialize JMESPath interpreter once and reuse it across searches (#​8299)
  • Optimize JSON context processing using in-memory maps (#​8322)
  • Optimize how Events are created and processed (#​9323, #​9324)
  • Optimize validate policy application by adding a worker pool (#​10056)

🐛 Fixed 🐛

  • Fixed handling of escaped variables in an expression with multiple escaped variables (#​8311)
  • Fixed an issue when verifying attestations using multiple keys (#​8880)
  • Fixed an issue causing application of mutation policies to fail even when failurePolicy was set to Ignore (#​8952)
  • Fixed an issue that allowed violating resources when a policy had validationFailureAction set to Enforce and failurePolicy of Ignore (#​8953)
  • Fixed an issue causing premature skipping of resources in validate policies with anchors defined (#​9155)
  • Fixed an issue where the -v container flag for logging was not honored (#​9163)
  • Switched a logged error to info when preconditions didn't pass in a mutate existing rule (#​9232)
  • Reports aggregation fixes and improvements (#​9697)
  • Fixed an issue preventing generation of a ValidatingAdmissionPolicy when exclude was used in the rule (#​9331)
  • Fixed an issue resulting in ValidatingAdmissionPolicies getting generated when there was a Policy Exception in place (#​9386)
  • Fixed an issue where a ValidatingAdmissionPolicy was applied to the wrong resource in background scans (#​9468)
  • Fixed an issue when generating Events associated with ValidatingAdmissionPolicies (#​9392)
  • Fixed an issue with UpdateRequests getting stuck in a perpetual Pending state when using variables from admission (#​9355)
  • Fixed an issue preventing validating image signatures on AWS with a FIPS endpoint from working (#​9416)
  • Fixed an issue preventing variables from being substituted in messages when using anyPattern validate rules (#​9713)
  • Fixed an issue where skipped policies due to preconditions were returned in denial response messages (#​9719)
  • Removed an unnecessary podSecurity check (#​9790)
  • Fixed an issue when verifying images from an insecure registry (#​9838)
  • Fixed an issue with some validate rules and the UPDATE operation (#​9893)
  • Kyverno CLI: Fixed an issue doing a test with an UPDATE operation (#​9191)
  • Kyverno CLI: Fixed applying cloneList generate policies with apply command (#​9036)
  • Kyverno CLI: Fixed a logging error (#​9238)
  • Kyverno CLI: Testing of generate rules which use the useServerSideApply field now works properly (#​9385)
  • Kyverno CLI: Fixed an issue causing the apply command to panic when applying a mutate existing rule (#​9492)
  • Kyverno CLI: Fixed an issue with the apply command where some errors weren't shown (#​9533)
  • Kyverno CLI: Fixed an issue with the apply command where a foreach with zero elements was a skip (#​9534, #​9543)
  • Kyverno CLI: Fixed a regression where the --warn-exit-code stopped working (#​9828)
  • Fixed cosign ctlog unit tests (#​9971)
  • Fixed deferred loader panic when mutate and generate policies are applied (#​9968)
  • Fixed an autogen issue where now Kyverno only generates rule for request kind (#​9997)
  • Fixed the issue where the mutex is not added to mock policy context builder (#​10059)
  • Fixed policy status reconciliation when it fails to set policy to ready (#​10047)
  • Fixed the container flag maxQueuedEvents (#​10031)
  • Fixed an issue where rekor opts are missing in cosign certificate verification and make rekor url optional (#​10025)

Helm

  • Fixed an issue deploying ServiceMonitor CR with ArgoCD via the chart (#​8913)
  • Fixed an issue preventing multiple replicas from being defined in the chart (#​9066)
  • Make role and binding names consistent (#​9482)
  • Fixed some minor issues with the Helm report cleanup jobs (#​9555)
  • Fixed a typo in the Kyverno chart README (#​8911)

#​10013 chore: bump chainsaw to v0.1.9
#​10025 fix: add rekor opts to cosign certificate verification and make rekor url optional
#​10039 chore: bump cosign to v2.2.4
#​10031 fix: re-use the maxQueuedEvents
#​10047 fix: policy status reconciliation
#​10056 feat(audit): use a worker pool for Audit policies
#​10059 fix: add mutex to mock policy context builder
#​9989 chore: bump kyverno-json to latest
#​9997 fix(autogen): only generate rule for request kind
#​9950 feat: set default exclusions in webhooks
#​9968 fix: deferred loader panic when mutate and generate policies are applied
#​9971 fix: cosign ctlog unit tests
#​9903 fix(globalcontext): panics and validation
#​9893 fix: properly update policy context after preexisting resource in violation check
#​9849 fix: release CRDs manifests
#​9845 fix: add missing unit tests for podSecurity.hostpathVolume check
#​9838 fix: use gcr crane opts while fetching image descriptors
#​9835 fix: remove duplicate chainsaw tests for PSA
#​9828 [Bug] [CLI] Restore warn-exit-code functionality for apply command
#​9817 fix: add podSecurity validation checks for exceptions
#​9813 fix(globalcontext): old WaitGroup not stopping
#​9791 fix: remove unnecessary podSecurity chainsaw test
#​9790 fix: remove unnecessary validation check for podSecurity rule
#​9783 update versions
#​9781 chore: add tests for exceptions in the CLI
#​9775 chore: default logging format to rfc3339
#​9770 fix: add validation check for podSecurity subrule
#​9763 chore: bump chainsaw
#​9759 feat: support bindings in Kyvenro CLI test command
#​9751 feat: apply VAP bindings in CLI apply command in offline mode
#​9749 add plural form aliases for resources and exceptions flags
#​9719 fix: Policies skipped because of preconditions not met should not be included in admission requests denial responses
#​9714 fix: add the support of v2alpha1 exceptions in the CLI
#​9713 Fix :variables are not getting processed in validation message for "anyPattern"
#​9710 feat: enhance global context
#​9709 chore: bump otel deps
#​9698 fix: remove deprecated imageSignatureRepository flag
#​9697 fix: reports aggregation
#​9691 fix: modify the conformance config name
#​9690 chore: rename admission to ephemeral in reports aggregation controller
#​9682 chore(deps): bump kyverno/action-install-chainsaw from 0.1.2 to 0.1.3
#​9680 chore: bump kind and k8s images
#​9679 fix: don't delete garbage collected policy reports
#​9678 feat(validation-webhook): validate global context reference
#​9677 feat: remove admission report controller
#​9672 feat: add chainsaw tests for exceptions
#​9667 feat: add chainsaw tests for pod security in exceptions
#​9661 test(globalcontext): add e2e tests
#​9658 [Bug] Fix message and formatting of podSecurity validation failure with restrictedField
#​9657 fix: add missing migrations
#​9652 chore(globalcontext): remove global context flag
#​9651 feat: add scan command for generic resources
#​9645 feat: add chainsaw test for policy webhook based configuration
#​9643 fix: global context validation
#​9639 feat: add root command to process generic json resources
#​9630 chore: remove renovate config
#​9628 feat: add chainsaw tests for global context crd validation
#​9626 changed the log level in match policy context
#​9624 support -e shorthand letter with --exception flag
#​9621 fix: global context crd improvements
#​9620 feat: consider maxAPICallResponseLength
#​9619 feat: add global context entry validation webhook
#​9618 chore: move global context package out of engine
#​9616 feat: use the check block for checking CLI output in chainsaw tests
#​9615 feat: update refreshInterval in globalcontext CRD to use a duration
#​9614 feat: add global context support in helm chart
#​9609 make exception in cli exportable
#​9608 sanity check in parent chart for crd-controller mismatch
#​9606 chore: enable chainsaw fail fast
#​9602 feat: add globalcontext loader and interface
#​9601 feat: add globalcontext controller
#​9600 chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.2 to 2.2.3
#​9599 feat: apply .matchConditions when generating reports
#​9598 fix: client codegen not deleting old files
#​9597 fix: codecov missing token
#​9596 fix: make ApplyCommandConfig public again
#​9595 feat: add global context crd to codegen
#​9592 fix: codecov args
#​9591 feat: add global context crd
#​9585 fix: update cli docs
#​9583 test: added test for pkg/utils/policy/marshal.go
#​9579 feat (generate): add orphanDownstreamOnPolicyDelete to preserve downstream on policy deletion
#​9574 fix: nancy ignore
#​9573 chore: small nits in cli test command
#​9572 fix: omit events flag
#​9570 chore: remove reports aggregation per namespace
#​9569 configured backoff limit in chart cronjobs
#​9566 feat: Support CEL expression warnings
#​9561 chore: add chainsaw tests for policy based webhook configuration
#​9555 fix: helm chart jobs
#​9554 fix: nancy ignore
#​9553 fix: make alternate reports storage transparent
#​9552 Add Helm note for AKS users
#​9546 feat: add openapi-gen to policyreports
#​9543 fix: follow up for #​9534
#​9542 fix: CRDs codegen
#​9540 chore: bump a couple of deps
#​9539 chore: remove reference to kuttl
#​9538 test: added test for pkg/utils/admission/metadata.go
#​9537 refactor: use single type for ephemeral reports
#​9535 chore: configure gh workflows schemas
#​9534 fix: show skip when foreach with zero elements
#​9533 Fix: not showing error during policy validation error
#​9531 fix: move new reports api to top level folder
#​9530 #​9529 Support adding extra elements to the default resourceFilters list
#​9525 Support PolicyExceptions with CLI
#​9521 feat: add a new API group reports.kyverno.io
#​9520 test: added test for pkg/utils/admission/policy.go
#​9516 Move admission controller hardcoded wildcard permissions to new opt-out value
#​9515 ci: add load testing workflow
#​9509 fix: reduce logs in controllers when an item is not found
#​9507 feat: add more granular rbac rules to remove wildcards
#​9506 feat: support vap bindings in reports
#​9495 test: added test for pkg/utils/admission/exception.go
#​9493 chore(helm): omit normal events by default
#​9492 fix: kyverno apply panic for mutate policies
#​9487 chore: bump a couple of deps
#​9486 test: added test for pkg/utils/admission/cleanup.go
#​9483 feat: configure admission webhooks per policy
#​9482 fix: align clusterroles and bindings names
#​9481 feat: improve crd migration helm hooks
#​9476 feat: support all valid jsonpatches in validation webhook
#​9469 chore(contrib): add Khaled Emara as contributor
#​9468 feat: support validatingadmissionpolicybindings in CLI apply command
#​9467 update README for new features and OSS security index card
#​9465 chore: load cli image when deploying locally
#​9464 Update DEVELOPMENT.md
#​9463 fix: change generic policy to not return any
#​9461 Update CONTRIBUTORS.md
#​9459 added tests for validate foreach with 0 elements
#​9442 chore: bump otel deps
#​9440 chore: bump a couple of deps
#​9433 chore: use upstream cosign on main
#​9428 fix: nancy ignore list
#​9427 chore: bump json-patch
#​9426 chore: bump a couple of deps
#​9420 feat: migrate existing cleanup policies to the new storage version in helm hook
#​9416 feat: use awslabs keychain for AWS and gcr keychain for GCP
#​9412 feat: migrate existing policy exceptions to the new storage version in helm hook
#​9408 chore: bump bitnami/kubectl
#​9395 [Feature] Security Improvements based on CLOMonitor Checks
#​9392 fix: use the correct API version for VAPs in the generated events
#​9391 feat: add podLabels to the hook jobs pod template
#​9389 fix PSA chainsaw tests
#​9386 feat: skip generating VAP when an exception is defined
#​9385 fix: Allow generate cli tests to work with server-side apply policies
#​9380 feat: use assertion trees in cli test command
#​9362 chore(deps): bump golang.org/x/crypto from 0.17.0 to 0.18.0
#​9360 chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7
#​9355 fix: clean up URs if the trigger doesn't exist
#​9348 Fix report-on-vulnerabilities
#​9343 feat: support podSecurity exclusion in exceptions
#​9341 fix PSA chainsaw tests
#​9339 Add global nodeSelector
#​9338 feat: add profiling to the helm Chart
#​9332 fix a chainsaw test
#​9331 fix: remove the check of exclude in VAPs
#​9326 chore(deps): bump kubectl-validate version
#​9324 feat: use custom events watcher
#​9323 feat: add new client for events
#​9296 feat: add resource migration command
#​9279 fix: remove policy informer from vap controller
#​9276 Feat: Human readable timestamps in logs
#​9270 feat: stop serving v2alpha1 cleanup policies
#​9269 Support setting global extraEnvVars
#​9267 chore: introduce v2 for updaterequests
#​9262 chore: introduce v2 for internal reports resources
#​9261 feat: add cleanup policies v2
#​9260 chore: bump a couple of deps
#​9255 refactor: mutate checks
#​9254 fix: set v2beta1 of exceptions the storage version
#​9240 fix: remove unused file in a test
#​9238 move error message to log
#​9236 refactor: events controller
#​9232 Fixed error log
#​9220 feat: enable kubectl-validate by default in cli
#​9218 chore: add k8s 1.29 in custom-sigstore test
#​9213 chore: add missing context unit test
#​9212 (docs) changed docs tool to kubernetes-sigs/reference-docs
#​9211 chore: remove v2alpha1 version of policy exceptions
#​9208 feat: promote policy exceptions to v2
#​9200 refactor: make CLI store non static
#​9198 chore: bump a couple of deps
#​9192 chore: add cli update test
#​9191 fix: deep copy resource in cli when operation is update
#​9189 fix: deprecate spec.schemaValidation
#​9187 chore: fix conformance tests
#​9180 Minor fix
#​9179 chore: use sigstore/cosign 2.2.2 on main
#​9175 fix: updates make codegen-deepcopy back to make codegen-deepcopy-all flag back to api deep copy function generatio...
#​9173 feat(jmespath):time_parse() support epoch time
#​9165 chore: move a mutateExisting chainsaw test under its directory
#​9163 fix: set logger level
#​9161 chore: add 1.29 to all test grids and remove 1.25
#​9158 chore: add 1.29 to the test grid
#​9155 fix: validate pattern premature skip
#​9148 fix: chainsaw test
#​9144 support for SHA256 jmespath function
#​9143 chore: use new chainsaw github action
#​9140 chore: bump chainsaw
#​9130 chore: add myself to the maintainers list
#​9125 feat: add myself (vishal-chdhry) to maintainers list
#​9124 support for Add Variable unit test
#​9120 chore: bump chainsaw
#​9114 chore: bump chainsaw
#​9113 chore: convert chainsaw tests to Test resource
#​9109 chore: convert chainsaw tests to Test resource
#​9108 chore: update PR template to require documentation PR
#​9103 chore: improve cluster startup in conformance tests
#​9100 chore: convert chainsaw tests to Test resource
#​9099 chore: convert chainsaw tests to Test resource
#​9098 chore: improve ci perf
#​9094 chore: convert chainsaw tests to Test resource
#​9093 chore: install kind from binaries
#​9092 chore: remove kuttl from makefile
#​9088 fix: nancy ignore
#​9087 chore: convert chainsaw tests to Test resource
#​9086 chore: improve conformance tests ci perf
#​9085 fix: conformance tests
#​9071 chore: bump chainsaw
#​9066 Fix Helm chart to not error when replicas defined
#​9064 chore: bump chainsaw
#​9057 Update helm docs
#​9052 chore: use Kubernetes 1.28 by default
#​9046 Use nancy on actually included dependencies
#​9045 chore: add 1.10.4-6 & 1.11.1 to github issue templates
#​9041 fix(helm): Rename dashboard.json to kyverno-dashboard.json
#​9038 chore: bump chainsaw
#​9036 fix: Provide kind list hints to the fake dynamic client.
#​9028 chore: fix chainsaw tests cleanup timeout
#​9023 chore: remove kuttl tests folder
#​9018 chore: replace more kuttl tests by chainsaw
#​9017 chore: replace more kuttl tests by chainsaw
#​9016 chore: replace standard kuttl tests by chainsaw ones
#​9015 feat: webhook labels
#​9013 chore: fix chainsaw exec timeout issue
#​9012 chore: enable all chainsaw tests
#​9011 chore: all chainsaw tests
#​9008 fix: extend chainsaw cleanup timeout
#​8999 chore: cleanup go.mod
#​8998 chore: bump chainsaw
#​8997 chore: migrate tests to chainsaw
#​8987 chore: bump a couple of deps
#​8985 chore: bump otel libs
#​8969 Allow defining ca-certificates bundle for Kyverno deployments
#​8967 chore: bump chainsaw
#​8966 chore: run force-failure-policy-ignore test using chainsaw
#​8965 chore: run vap reports test suite using chainsaw
#​8958 chore: run generate VAP test suite using chainsaw
#​8956 chore: run range operators tests with chainsaw
#​8953 fix: update KeysAreMissing() to ignore negations in resource
#​8952 fix: block mutation only when failurePolicy is set to fail
#​8951 chore: run events test suite using chainsaw
#​8950 chore: run rbac testsuite using chainsaw
#​8947 fix: change names of fuzzing policies
#​8946 Allow excluding resources from config.resourceFilters
#​8937 chore: run autogen tests with chainsaw
#​8932 feat: allow setting admission controller replica count to 2
#​8929 chore: bump k8s package to 1.29
#​8913 Revert "fix(chart): only create ServiceMonitor if cluster supports it (#​7926)
#​8911 [Helm] correct typo in README for Kyverno 1.10+
#​8907 fix: Add chart parameters for setting revisionHistoryLimit
#​8903 Extended the Trivy scan for N-2 Kyverno versions
#​8894 Close reponse right after succesful request
#​8893 chore(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.45.0 to 0.46.0
#​8880 fix: allow multiple keys in verifyImages.attestations.attestors.entries
#​8861 Adopters groww
#​8857 feat: added ability to bump version using in-file editing
#​8849 Deploy specific controllers
#​8827 Add policyKind option to kyverno-policies chart
#​8780 refactor: move resource loader package to ext
#​8772 chore: move utils/wildcard in ext
#​8769 refactor: move resource/convert in ext
#​8767 feat: add force color in color ext pkg
#​8766 feat: add utils packages in ext
#​8762 chore: run tests with chainsaw
#​8761 chore: fix nancy ignore
#​8760 feat: add ext/yaml package
#​8758 chore: init ext packages
#​8713 feat: compute policy exceptions as a part of the rule execution
#​8675 feat: add arm64 support in devcontainers
#​8672 feat: adds ci test for building devcontainer image
#​8659 feat: re-evaluate policy exceptions for existing resources and modify reports accordingly
#​8654 Reduce deps
#​8647 feat: use ubuntu:22.04 in devcontainer
#​8633 feat: add skipImageReferences in verify images
#​8624 feat: add fail/warn on deprecated/invalid operators
#​8614 feat: Add external_url_check custom JMESPath function
#​8585 [Feature] New restrictedField in podSecurity subrule
#​8577 feat: support conditions in PolicyException
#​8567 chore: set cert renewal time to 15 days before expiration
#​8566 feat: reuse --protectManagedResources flag in the cleanup controller
#​8544 fix: apply exceptions after executing the policy itself
[#​8518](https://togithub.co


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Upgrade dependencies and tools label May 23, 2024
@renovate renovate bot enabled auto-merge (squash) May 23, 2024 17:30
@renovate renovate bot force-pushed the renovate/kyverno-kyverno-1.x branch 4 times, most recently from 505f8e1 to cf543b2 Compare May 28, 2024 16:36
@renovate renovate bot force-pushed the renovate/kyverno-kyverno-1.x branch from cf543b2 to 807920f Compare May 31, 2024 07:13
@renovate renovate bot changed the title Update dependency kyverno/kyverno to v1.12.2 Update dependency kyverno/kyverno to v1.12.3 May 31, 2024
@renovate renovate bot force-pushed the renovate/kyverno-kyverno-1.x branch 6 times, most recently from d4dd4dc to e7dd816 Compare June 9, 2024 21:01
@renovate renovate bot force-pushed the renovate/kyverno-kyverno-1.x branch 6 times, most recently from 37654c2 to fcbe47b Compare June 17, 2024 16:06
@renovate renovate bot changed the title Update dependency kyverno/kyverno to v1.12.3 Update dependency kyverno/kyverno to v1.12.4 Jun 17, 2024
@renovate renovate bot force-pushed the renovate/kyverno-kyverno-1.x branch from fcbe47b to d34e8d6 Compare June 20, 2024 04:00
@renovate renovate bot force-pushed the renovate/kyverno-kyverno-1.x branch from d34e8d6 to d09b14d Compare June 21, 2024 08:10

renovate bot commented Jun 23, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot merged commit 6d4de22 into main Jun 23, 2024
4 checks passed
@renovate renovate bot deleted the renovate/kyverno-kyverno-1.x branch June 23, 2024 09:22