Update module github.com/kyverno/kyverno to v1.9.5 - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/kyverno/kyverno	v1.9.0 -> v1.9.5

---

Release Notes

kyverno/kyverno (github.com/kyverno/kyverno)

v1.9.5

Compare Source

🐛 Fixed 🐛

• Removed some insecure 3DES ciphers. (#​7308 )

Click to expand all PRs

#​7308 fix: tls cipher suites

v1.9.4

Compare Source

🐛 Fixed 🐛

• Fixed an issue with the podSecurity subrule (validate.podSecurity) in which using the latest version of the PSS caused the Seccomp control to not be evaluated properly. (#​7263)

Click to expand all PRs

#​7263 fix: PSa latest version check

v1.9.3

Compare Source

v1.9.3

#✨ Added ✨

• Added support for configuring webhook annotations via the ConfigMap's webhookAnnotations stanza. This should fix problems for AKS users with the Admission Enforcer entering a reconciliation war with Kyverno over its webhooks. (#​6579)

🐛 Fixed 🐛

• Bumped a Docker dependency (#​6787)
• Skip applying default exclude groups in the match evaluation (#​6242)

Click to expand all PRs

#​6787 chore(deps): bump github.com/docker/docker from 23.0.2+incompatible to 23.0.3+incompatible
#​6579 feat: add webhook annotations support in config map
#​6242 fix: do not pass dynamicConfig to matchesResourceDescriptionMatchHelper

v1.9.2

Compare Source

⚠️ Changed ⚠️

• Burst limit (--clientRateLimitBurst) has its defaults increased from 50 to 300 and QPS (--clientRateLimitQPS) from 20 to 300 which should fix issues in very large clusters with admission reports not getting aggregated quickly enough to the final Policy Report (#​6540, #​6532)
• Report controller workers have been increased from 2 to 10 which, along with the burst and QPS increases listed above, should help reconcile reports much faster (#​6532)
• Included a message on how to bypass Kyverno policy schema validation (spec.schemaValidation) when Kyverno is not able to validate if a rule is correct (#​6604)

🐛 Fixed 🐛

• Policies in Audit mode are processed correctly when admission reports are disabled (#​6545)
• Fixed duplicate messages in a policy report message field when using a podSecurity subrule (#​6634)
• Fixed a controller duration computation (#​6569)

Click to expand all PRs

#​6545 fix: process audit policies when admission reports are disabled
#​6540 fix: increase burst
#​6532 fix: improve reports controller default values and workers
#​6531 fix: process audit policies when admission reports are disabled
#​6522 fix: improve reports controller default values and workers
#​6332 More kuttl standard generate tests
#​6634 fix: skip duplicate PSa checks for the latest version
#​6604 fix: add message to bypass schema validation when it fails
#​6569 fix: controller duration computation

v1.9.1

Compare Source

⚠️ Changed ⚠️

• Enhance the events created by PolicyExceptions to add kind and Namespace making them more consistent with other events (#​6459)
• Added Roles and ClusterRoles when dumping out the AdmissionReview contents (#​6323, #​6319)
• Kyverno will use client instead of discovery for sanity checks which helps in some cases when finding CRDs (#​6296)
• Logs added in wait for cache sync helper (#​6275)
• Leader election is enabled in the background controller (responsible for generate and "mutate existing" rules) which should help or fix situations in which UpdateRequests may see unnecessary churn (#​6237)
• A DELETE operation will now work as the trigger for a generate or mutate existing rule (#​6214)

🐛 Fixed 🐛

• Fixed an error log (#​6429)
• Fixed a panic when fetching GVK (#​6424)
• Fixed an issue which caused policies to never report a Ready status if the --autoUpdateWebhooks flag was set to false (#​6374)
• Fixed an issue with the new Secret type in Kyverno 1.9.0. Now, older self-managed Secrets will be deleted and recreated with the new TLS type (#​6368)
• Fixed a logger call (#​6365)
• Fixed an issue with missing metric kyverno_policy_results_total when policies were in Audit mode (#​6363)
• Fixed an issue with outputting of the full AdmissionReview response (#​6349)
• Fixed an issue preventing rules with request.oldObject being translated properly by auto-gen (#​6305)
• Fixed how quantities were divided when using the JMESPath divide() filter (#​6229)
• Fixed use of the namespaceSelector for policies set to Audit mode (#​6216)
• Fixed use of the namespaceSelector in generate and "mutate existing" policies (#​6209)

🔧 Bumped 🔧

• Bumped github.com/sigstore/k8s-manifest-sigstore from 0.4.3 to 0.4.4 (#​6359)
• Bumped golang.org/x/net from v0.4.0 to v0.7.0 (#​6344, #​6341)
• Bumped golang.org/x/oauth2 from v0.3.0 to v0.4.0 (#​6344)
• Bumped golang.org/x/sys from v0.3.0 to v0.5.0 (#​6344)
• Bumped golang.org/x/term from v0.3.0 to v0.5.0 (#​6344)
• Bumped golang.org/x/text from v0.5.0 to v0.7.0 (#​6344)

Click to expand all PRs

#​6502 fix: release
#​6498 fix: release
#​6459 fix: update resource info in polex events
#​6429 fix: error log
#​6424 fix: panic when fails to fetch resource GVK
#​6374 fix: autoUpdateWebhooks=false causes ClusterPolicy to never be ready
#​6368 fix: delete certificate secret if type is not TLS
#​6365 fix: logger key value in wrong order
#​6363 fix: missing metrics for policies in audit mode
#​6359 chore(deps): bump github.com/sigstore/k8s-manifest-sigstore
#​6349 fix: dump admission response
#​6344 chore(deps): bump golang.org/x/net
#​6341 chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
#​6323 fix: add roles and clusterroles when dumping admission requests
#​6319 fix: add roles and clusterroles when dumping admission requests
#​6305 oldObject translation solved in autogen
#​6296 fix: use client instead of discovery for sanity checks
#​6275 chore: add error logs in wait for cache sync helper
#​6237 feat: enable leader election for the background controller
#​6229 fix: jp divide quantities
#​6216 fix: namespaceSelector for audit rules
#​6200 fix: image tagging strategy
#​6197 fix: admission review variables for DELETE operations
#​6188 fix: namespaceSelector for background policies

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.