v1.13

Release notes for N4K v1.13.

The latest version of the 1.13 release of Enterprise Kyverno is v1.13.4-n4k.nirmata.2.

For a complete list of changes, refer to the upstream Changelog.

v1.13.4-n4k.nirmata.2

Breaking Changes

Default exception settings: the Helm chart values in prior versions enabled exceptions by default for all namespaces, which creates a potential security issue. See CVE-2024-48921 for more details. This change affects users who relied on policy exceptions being enabled in all namespaces.

If you do not want to use Policy Exceptions, you can continue to use the default installation settings.

If you were not using Policy Exceptions previously and want to use them from 1.13 onwards, set features.policyExceptions.enabled to true in the values.yaml file and store exceptions in a dedicated namespace by setting features.policyExceptions.namespace to nirmata-exceptions.

If you were using Policy Exceptions previously, when upgrading to this new version, set features.policyExceptions.enabled to true in the values.yaml file, and set the exception namespace value to the namespace that you used for storing exceptions. For example, if exceptions were stored in the kyverno namespace, then set features.policyExceptions.namespace to kyverno. Since it was possible to create exceptions in any namespace before, in order to maintain backwards compatibility, you can also set features.policyExceptions.namespace to *.

NOTE: Limiting exceptions to a specific namespace is recommended.
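
A pre-upgrade check for the cases above, as an added example that is not part of the Nirmata release notes or the chart: it takes a values.yaml-shaped dict plus the JSON listing of existing PolicyExceptions and reports which ones fall outside the configured namespace. The sample listing, the exception names and the team-a namespace are constructed, and the check assumes that exceptions outside the configured namespace stop taking effect.

```python
import json

# Constructed sample: trimmed output of
#   kubectl get policyexceptions.kyverno.io -A -o json
# Exception names and the team-a namespace are made up for illustration.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"namespace": "kyverno", "name": "allow-legacy-init"}},
    {"metadata": {"namespace": "team-a", "name": "skip-probes"}},
    {"metadata": {"namespace": "kyverno", "name": "ci-runner"}},
]})


def audit_exceptions(values, kubectl_json):
    """Split existing PolicyExceptions into (honored, dropped, warnings).

    values is a dict shaped like values.yaml. Assumption: an exception
    outside features.policyExceptions.namespace stops taking effect.
    """
    cfg = values.get("features", {}).get("policyExceptions", {})
    found = sorted(
        "{}/{}".format(i["metadata"]["namespace"], i["metadata"]["name"])
        for i in json.loads(kubectl_json).get("items", [])
    )
    if not cfg.get("enabled", False):
        # Default install: exceptions are off, so nothing is honored.
        return [], found, []
    ns = cfg.get("namespace")
    if not ns:
        # The release notes always pair enabled=true with a namespace.
        raise ValueError("set features.policyExceptions.namespace explicitly")
    if ns == "*":
        # Backwards compatible, but any namespace can hold an exception.
        return found, [], ["namespace '*' honors exceptions from every namespace"]
    honored = [f for f in found if f.split("/", 1)[0] == ns]
    dropped = [f for f in found if f.split("/", 1)[0] != ns]
    return honored, dropped, []


if __name__ == "__main__":
    upgrade = {"features": {"policyExceptions": {"enabled": True, "namespace": "kyverno"}}}
    honored, dropped, warnings = audit_exceptions(upgrade, SAMPLE)
    print("honored:", honored)
    print("move or re-create before upgrading:", dropped)
```

Anything in the second list needs to be moved into the configured namespace before the upgrade; a non-empty warnings list flags the `*` setting that the note above recommends against.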

disableAutoWebhookGeneration flag: The disableAutoWebhookGeneration flag in Kyverno is a configuration option that allows users to prevent Kyverno from automatically generating webhooks for policies during or after installation. By default, Kyverno manages webhooks to ensure its policies are applied to Kubernetes resources, but in certain cases, users may want to control or manage webhooks manually.

When this flag is set to true, Kyverno will not automatically create or modify the webhooks that connect its policies to the Kubernetes API server. This can be useful in scenarios where:

  • Manual control over webhook management is desired.
  • Custom webhook configurations are needed for specific use cases, such as integrating with third-party systems or configuring webhooks differently.
  • A user wants to avoid webhook generation on clusters where webhooks are already in place or managed separately.

You can enable the disableAutoWebhookGeneration flag by setting config.disableAutoWebhookGeneration.enable to true and specifying the names of the webhooks to disable by adding values to config.disableAutoWebhookGeneration.webhooks in the values.yaml file.

Or

You can directly enable the flag and specify the webhook names to disable while installing n4k charts.

Example:

helm install kyverno nirmata/kyverno -n kyverno --create-namespace --set config.disableAutoWebhookGeneration.enable=true --set "config.disableAutoWebhookGeneration.webhooks={kyverno-policy-validating-webhook-cfg,kyverno-exception-validating-webhook-cfg}"

This setting can be especially helpful when integrating Kyverno in environments where other tools or manual processes already manage webhook configurations, ensuring that Kyverno does not interfere with or overwrite those setups.