Bump github.com/kyverno/kyverno from 1.12.5 to 1.13.0

[dependabot]

Bumps github.com/kyverno/kyverno from 1.12.5 to 1.13.0.

Release notes

Sourced from github.com/kyverno/kyverno's releases.

v1.13.0

Overview of 1.13 highlights - Kyverno release blog.

❗ Breaking Changes ❗

This release contains the following breaking configuration changes:

• Removal of wildcard permissions: prior versions contained wildcard view permissions, which allowed Kyverno controllers to view all resources including secrets and other sensitive information. In 1.13 the wildcard view permission was removed and a role binding to the default view role was added. See the documentation section on Role Based Access Controls for more details. This change will not impact policies during admission controls but may impact reports, and may impact users with mutate and generate policies on custom resources as the controller may no longer be able to view these custom resources.
• Default exception settings: the Helm chart values of the prior versions enabled exceptions by default for all namespaces. This creates a potential security issue. See CVE-2024-48921 for more details. This change will impact users who were relying on policy exceptions to be enabled in all namespaces.

For upgrade guidance see here.

✨ Added ✨

• Added control names and images to policy reports for validate.podSecurity sub-rule (#9869)
• Support condition validations across multiple attestations or context entries for image verification (#9960)
• Added TSA cert chain support in Cosign for image verification (#9961)
• Added support to generate Policy Exceptions from policyreports (#9987)
• Supported the CLI apply command to continue on failure (#10036)
• Added support for signature algorithm in Cosign cert and KMS verification for image verification (#10086)
• Supported inline exceptions in CLI apply command (#10133)
• Enabled warnings for policy violations and mutations upon admission reviews (#10214)
• Advance supports for generating validatingadmissionpolicies (#9981, #10100, #10162, #10181, #10187, #10205, #10208, #10215, #10771)
• Supported Cosign experimental OCI 1.1 signatures (#10228)
• Supported background scanning of existing resource in image verification (#10287)
• Added the report-controller flag to configure aggregation workers (#10331)
• Updated default metrics in the Helm chart (#10459)
• Supported the default value for apiCall in policy context (#10594)
• Optimized Kyverno performance (#10700, #10701, #10702, #10703, #10723)
• Add an option to configure updateRequestThreshold (#10739)
• Added a new validate.assert sub-rule (#10763, #10777, #10780)
• Added a finalizer-based option for webhookconfigurations cleanup upon kyverno un-installation (#10782)
• Added full regexp support to Cosign (#10815)
• Supported explicit protocol selection with appProtocol (#10864)
• Enhanced logging (#10560, #10790, #10822, #10874, #10867)
• Supported Sigstore bundle verification (#10567, #10901)
• Supported custom data in policy reports (#10933)
• Added OpenAPI validation for Kyverno policy (#10990, #10993, #10997, #10998, #11013)
• Added the support for HTTP headers in service API calls (#11041)
• Supported shallow variables substitution (#11058)
• Added a flag to pass tuf root directly (#11103)
• Supported foreach for generate policies (#10875, #10888, #11140, #10963, #10964)
• Added Kyverno upgrade tests (#11163)
• Supported labelSelectors for mutate targets (#11208)
• Added dumpPatch flag for mutate policies (#11237)
• Added reporting to mutate and generate rules (#11265, #11339)
• Added a circuit breaker for the reports controller (#11329, #11271)
• Added --backgroundReports flag to disable background controller reports (#11361)

Helm

• Supported configurable hostNetwork settings for admission-controller and cleanup-controller (#9864)
• Supported configurable webhook pod annotations (#9875)

... (truncated)

Changelog

Sourced from github.com/kyverno/kyverno's changelog.

v1.13.0

Note

• Removed deprecated flag reportsChunkSize.
• Added --tufRootRaw flag to pass tuf root for custom sigstore deployments.

v1.11.0

v1.11.0-rc.1

Note

• Added --tufRoot and --tufMirror flags to configure tuf for custom sigstore deployments.
• Remove description from deprecated fields in CRDs
• Remove CLI kyverno test manifest ... commands (replaced by kyverno create ...).
• Added --caSecretName and --tlsSecretName flags to control names of certificate related secrets.
• Added match conditions support in kyverno config map.
• Deprecated flag --imageSignatureRepository. Will be removed in 1.12. Use per rule configuration verifyImages.Repository instead.
• Added --aggregateReports flag for reports controller to enable/disable aggregated reports (default value is true).
• Added --policyReports flag for reports controller to enable/disable policy reports (default value is true).
• Renamed CLI flag --compact to --detailed-results (and changed default value from true to false).
• Changed the default value of --enablePolicyException from false to true.

v1.10.0

v1.10.0-rc.1

Note

• Removed GenerateRequest CRD.
• Refactored kyverno chart, migration instructions are available in chart README.md.
• Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
• Added support for configuring webhook annotations in the config map through webhookAnnotations stanza.
• Added excludeRoles and excludeClusterRoles support in configuration.
• Added new flag skipResourceFilters to reports controller to enable/disable considering resource filters in the background (default value is true)
• Removed hardcoded defaults for excludeGroups and excludeUsernames. They are always read from the config map.

v1.9.0-rc.1

Note

• Flag backgroundScanInterval was added to force background scans at regular intervals (default value is 1h).
• Flag splitPolicyReport was removed, was unused and marked for removal in 1.9.
• Webhook is no longer updated to match pods/ephemeralcontainers when policy only specifies pods. If users want to match on pods/ephemeralcontainers, they must specify pods/ephemeralcontainers in the policy.
• Webhook is no longer updated to match services/status when policy only specifies services. If users want to match on services/status, they must specify services/status in the policy.
• Flag autogenInternals was removed, policy mutation has been removed.
• Flag leaderElectionRetryPeriod was added to control leader election renewal frequency (default value is 2s).
• Support upper case Audit and Enforce in .spec.validationFailureAction of the Kyverno policy, failure actions audit and enforce are deprecated and will be removed in v1.11.0.
• Flag profileAddress was added to configure address of profiling server (default value is "").

... (truncated)

Commits

• 978c2f3 release 1.13.0 (#11477)
• 0f03ba0 chore: bump sigstore/sigstore in release 1.13 (#11451)
• ae77806 feat: improve webhooks rules generation (#11419) (#11449)
• 33fedd5 release 1.13.0-rc.3 (#11447)
• 45d8d01 fix[breaking]: disable exceptions by default (#11426) (#11446)
• 7de05ec fix: update match logic for old object validation (#11427) (#11443)
• 5defef6 feat(ci): enhance load testing (#11429) (#11444)
• 5a82d68 Selector with mutate target (#11208) (#11425)
• 9e57320 feat: add options to configure resync period for informers in helm chart (#11...
• cb09968 feat: update engine response.generatedResources to support multiple resource ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[jpower432]

Closing in favor of #35

EDITED - PR 35 is actually for v1 and this is for main.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[jpower432]

@dependabot recreate

[dependabot]

Looks like this PR is closed. If you re-open it I'll rebase it as long as no-one else has edited it (you can use @dependabot reopen if the branch has been deleted).

[jpower432]

@dependabot reopen

[jpower432]

@dependabot rebase

[dependabot]

The dependabot.yml entry that created this PR has been deleted so this PR can't be rebased. Please close the PR so Dependabot can create a new one with the current dependabot.yml.