v3.1.0-beta.4

This beta release includes bug fixes.

Warning

This release updates flags for auditInterval to audit-interval and constraintViolationsLimit to constraint-violations-limit. Deprecated flags will be removed at a future release. (#409)

Bug Fixes 🐞

• Fix dryrun denied admission (#426)

v3.1.0-beta.3

This beta release includes bug fixes and stable api versions.

Upgrade Instructions

• Remove your sync config before upgrading, so that finalizers on synced resources are cleaned up, otherwise they will need to be removed manually.

Features 🌈

• Add metrics to watch manager (#366)
• Add constraint template metrics (#377)
• Allow optional logging when admission was denied (#386)
• Health and ready checks (#396)

Bug Fixes 🐞

• Remove the sync finalizer (#369)
• Upgrade Constraint Framework (#384)
• Make sure label selectors are checked against both old and new objects (#368)
• OldObject defaults to null, assume null == missing (#406)
• Disable default Kubebuilder metrics (#397)

v3.1.0-beta.2

Bug Fixes 🐞

• Fix deadlock. (#361)

v3.1.0-beta.1

DO NOT USE

This release has a deadlock, fixed by: #361

Features 🌈

• Initial metrics integration (#290)

Bug Fixes 🐞

• Use patch to set finalizers (#317)
• Add security context to Gatekeeper container (#273)
• Clean up watch manager (#308)
• Use namespace of Pod as namespace for cert secret (#347)
• Inject namespace as part of the request. (#344)

v3.1.0-beta.0

Warning

This release is a migration to Kubebuilder V2, which changes the structure of the deployment. If upgrading, we recommend you uninstall the previous version of Gatekeeper before deploying the new version.

Features 🌈

• ValidatingAdmissionWebhookConfiguration can be fully configured from the manifest -- no more clobbering
• Certificate generation/rotation can be disabled by setting the flag: --disable-cert-rotation
• Gatekeeper is mangaged via a Deployment resource instead of a StatefulSet
• Migrate to Kubebuilder V2 (#292)
• Upgrade constraint framework, enabling multi-source constraints (#270)

Bug Fixes 🐞

• Stop caching constraint status to OPA (#313)
• Increase CPU limits (#309)
• Removed unnecessary layers/file copies from Docker images (#279)

v3.0.4-beta.2

This beta release includes bug fixes and stable api versions.

Features 🌈

• add psp library seccomp and apparmor annotations (#236)
• Add Https Only to library (#260)
• Add unique ingress host to library (#253)
• add psp library forbidden sysctls (#233)
• add psp library selinux (#234)

Bug Fixes 🐞

• Do not assume the operation is CREATE on audit (#267)
• Watch manager should ignore unrecognized groups (#263)
• Add make target-template-source to build pkg/target/target_template_source.go (#257)
• Image package update and run as a non-root user (#252)
• Dependency Updates (#251)
• Use struct literal instead of an interface for the client (#241)
• Service selector needs to not be in a system namespace in order to be denied (#227)

v3.0.4-beta.1

This beta release includes bug fixes and stable api versions.

Features 🌈

• Add dry run feature (#202)
• Add PSP constraints and CTs to library (#203)
• Add docs and update script for make release (#220)
• Add e2e with kind and bats tests (#211)
• Upgrade constraint framework (#218)
• Make logging configurable (#212)
• Add demo templates to the constraint template library (#205)

Bug Fixes 🐞

• Update templates and constraints version (#221)
• Fix handling of unrecognized constraints on deletion (#208)
• Always check for a tag update before building container (#201)
• Make gatekeeper namespace-agnostic (#200)

v3.0.4-beta.0

This beta release includes bug fixes and stable api versions.

Features 🌈

• Convert to using beta resources. (#190)
• Add enforcementAction to status (#180)

Bug Fixes 🐞

• Conversion errors should be fatal (#197)
• Update apiversion, input in yaml (#193)

v3.0.4-alpha.0

This alpha release includes breaking changes and bug fixes.

v3.0.3-alpha.0

This alpha release includes breaking changes and bug fixes.

Breaking Changes ⚠️

• Rename deny rule to violation (#169)
• Change to HA-Compatible Status Schemas (#159)
• Fix CT name validation (open-policy-agent/frameworks#27)
• Only require kind for Constraint Templates (open-policy-agent/frameworks#29)
• Handle namespaceselector and empty namespaces (open-policy-agent/frameworks#26)

Bug Fixes 🐞

• Detect/handle invalid syntax in k8scontainerlimits (#167)
• Handle namespaceselector failure (#155)

Please report any issues here: https://github.com/open-policy-agent/gatekeeper/issues/new