Merge pull request #112 from sighupio/feat/release-v1.13.0
feat: prepare for releasing v1.13.0
ralgozino authored Nov 5, 2024
2 parents 3f352d7 + f080aba commit 390b0db
Showing 5 changed files with 75 additions and 25 deletions.
2 changes: 1 addition & 1 deletion .bumpversion.cfg
@@ -1,7 +1,7 @@
[bumpversion]
commit = True
tag = True
current_version = 1.12.0
current_version = 1.13.0
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-rc(?P<rc>\d+))?
serialize =
{major}.{minor}.{patch}-rc{rc}
35 changes: 25 additions & 10 deletions README.md
@@ -5,7 +5,7 @@
</h1>
<!-- markdownlint-enable MD033 -->

![Release](https://img.shields.io/badge/Latest%20Release-v1.12.0-blue)
![Release](https://img.shields.io/badge/Latest%20Release-v1.13.0-blue)
![License](https://img.shields.io/github/license/sighupio/fury-kubernetes-opa?label=License)
![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack&label=Slack)

@@ -17,6 +17,11 @@ If you are new to KFD please refer to the [official documentation][kfd-docs] on

## Overview

> [!TIP]
> [Starting from Kubernetes v1.25][kubernetes-pss-stable], [Pod Security Standards (PSS)][kubernetes-pss] are promoted to stable. For most use cases, the policies defined in the Pod Security Standards are a great starting point, consider applying them before switching to one the of tools provided by this module.
>
> For more advanced use-cases, where custom policies that are not included in the PSS must be enforced, this module is the right choice.
The Kubernetes API server provides a mechanism to review every request that is made (object creation, modification, or deletion). To use this mechanism the API server allows us to create a [Validating Admission Webhook][kubernetes-vaw-docs] that, as the name says, will validate every request and let the API server know if the request is allowed or not based on some logic (policy).

**Kubernetes Fury OPA** module is based on [OPA Gatekeeper][gatekeeper-page] and [Kyverno][kyverno-page], two popular open-source Kubernetes-native policy engines that runs as a Validating Admission Webhook. It allows writing custom constraints (policies) and enforcing them at runtime.
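Review bot: the tip's last `>` line is immediately followed by the paragraph "The Kubernetes API server provides a mechanism..." with no empty line between them in this hunk; if the committed file really has none, GitHub-flavored Markdown treats that paragraph as a lazy continuation of the blockquote and renders it inside the tip, so add a blank line after "this module is the right choice." Two wording fixes in the added text: "one the of tools" should be "one of the tools", and "Pod Security Standards (PSS) are promoted to stable" is imprecise, because the linked v1.25 post announces Pod Security Admission (the built-in admission controller that enforces the Standards) going stable, not the Standards themselves; something like "Starting from Kubernetes v1.25, Pod Security Admission, which enforces the Pod Security Standards (PSS), is stable" is accurate. While this paragraph is being touched, "policy engines that runs as a Validating Admission Webhook" in the unchanged line below should read "that run as".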
@@ -72,7 +77,7 @@ Check the [compatibility matrix][compatibility-matrix] for additional informatio
```yaml
bases:
- name: opa/gatekeeper
version: "1.12.0"
version: "1.13.0"
```
> See `furyctl` [documentation][furyctl-repo] for additional details about `Furyfile.yml` format.
@@ -96,9 +101,11 @@ resources:
kustomize build . | kubectl apply -f -
```

> ⚠️ Gatekeeper is deployed by default as a Fail open (also called `Ignore` mode) Admission Webhook. Should you decide to change it to `Fail` mode read carefully [the project's documentation on the topic first][gatekeeper-failmode].
> [!WARNING]
> Gatekeeper is deployed by default as a Fail open (also called `Ignore` mode) Admission Webhook. Should you decide to change it to `Fail` mode read carefully [the project's documentation on the topic first][gatekeeper-failmode].
<!-- space intentionally left blank -->
> ⚠️ If you decide to deploy Gatekeeper to a different namespace than the default `gatekeeper-system`, you'll need to patch the file `vwh.yml` to point to the right namespace for the webhook service due to limitations in the `kustomize` tool.
> [!TIP]
> If you decide to deploy Gatekeeper to a different namespace than the default `gatekeeper-system`, you'll need to patch the file `vwh.yml` to point to the right namespace for the webhook service due to limitations in the `kustomize` tool.

#### Common Customizations

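Review bot: the second callout is labelled `[!TIP]` but describes a silent failure, not a convenience. If Gatekeeper is installed in a namespace other than `gatekeeper-system` and `vwh.yml` is not patched, the ValidatingWebhookConfiguration points at a service in the wrong namespace, and because the webhook ships in `Ignore` (fail-open) mode, as the `[!WARNING]` just above states, the API server keeps admitting requests without any policy evaluation while Gatekeeper looks installed. Suggest `[!WARNING]` (or `[!IMPORTANT]`) and one sentence naming the symptom, e.g. "With the default `Ignore` failure policy, a wrong namespace here means constraints are silently not enforced; verify the webhook's service reference after deploying." The alert for the `Ignore` mode mentioned further down in this README is the right thing to point readers at from here.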
@@ -110,7 +117,8 @@ Gatekeeper supports 3 levels of granularity to exempt a namespace from policy en
2. Global exemption at Gatekeeper configuration level: requests to the API server for the namespace will be sent to Gatekeeper's webhook, but Gatekepeer will not enforce constraints for the namespace. It is the equivalent of exempting the namespace in all the constraints. Useful when you don't want any of the constraints enforced in a namespace.
3. Exemption at constraint level: you can exempt namespaces in the definition of each constraint. Useful when you may want only a subset of all the constraints to be enforced in a namespace.

> ⚠️ Exempting critical namespaces like `kube-system` or `logging` [won't guarantee that the cluster will function properly when Gatekeeper webhook is in `Fail` mode][gatekeeper-failmode].
> [!CAUTION]
> Exempting critical namespaces like `kube-system` or `logging` [won't guarantee that the cluster will function properly when Gatekeeper webhook is in `Fail` mode][gatekeeper-failmode].

For more details on how to implement the exemption, please refer to the [official Gatekeeper documentation site][gatekeeper-exemption].

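Review bot: the `[!CAUTION]` conversion is fine; since the commit touches this paragraph anyway, also fix the unchanged line in item 2 of the list above it, which reads "Gatekepeer will not enforce constraints" (should be "Gatekeeper"), so the typo does not survive another release.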
@@ -183,7 +191,7 @@ Notice that the alert for when the Gatekeeper webhook is in `Ignore` mode (the d
```yaml
bases:
- name: opa/kyverno
version: "1.12.0"
version: "1.13.0"
```

> See `furyctl` [documentation][furyctl-repo] for additional details about `Furyfile.yml` format.
@@ -206,19 +214,26 @@ kustomize build . | kubectl apply --server-side -f -
```

<!-- Links -->

[kubernetes-pss-stable]: https://kubernetes.io/blog/2022/08/25/pod-security-admission-stable/
[kubernetes-pss]: https://kubernetes.io/docs/concepts/security/pod-security-standards/

[gatekeeper-page]: https://github.com/open-policy-agent/gatekeeper
[gatekeeper-failmode]: https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed/
[gatekeeper-exemption]: https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces/

[kyverno-page]: https://github.com/kyverno/kyverno
[kubernetes-vaw-docs]: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
[kfd-monitoring]: https://github.com/sighupio/fury-kubernetes-monitoring

[core-kustomization]: ./katalog/gatekeeper/core/kustomization.yaml
[furyctl-repo]: https://github.com/sighupio/furyctl
[compatibility-matrix]: https://github.com/sighupio/fury-kubernetes-opa/blob/main/docs/COMPATIBILITY_MATRIX.md

[sighup-page]: https://sighup.io
[kfd-repo]: https://github.com/sighupio/fury-distribution
[kustomize-repo]: https://github.com/kubernetes-sigs/kustomize
[kfd-docs]: https://docs.kubernetesfury.com/docs/distribution/
[compatibility-matrix]: https://github.com/sighupio/fury-kubernetes-opa/blob/main/docs/COMPATIBILITY_MATRIX.md
[kfd-monitoring]: https://github.com/sighupio/fury-kubernetes-monitoring
[furyctl-repo]: https://github.com/sighupio/furyctl
[kustomize-repo]: https://github.com/kubernetes-sigs/kustomize

<!-- </KFD-DOCS> -->

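Review bot: the reorganized link block appears to drop `[core-kustomization]: ./katalog/gatekeeper/core/kustomization.yaml` without a replacement, while the other moved definitions (`kfd-monitoring`, `furyctl-repo`, `compatibility-matrix`, `kustomize-repo`) reappear lower in the block. If any `[...][core-kustomization]` reference remains in the README body (the Common Customizations section is the likely place), it will now render as literal brackets; grep for `core-kustomization` before merging and either keep the definition or remove the reference together with it.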
27 changes: 14 additions & 13 deletions docs/COMPATIBILITY_MATRIX.md
@@ -1,19 +1,20 @@

# Compatibility Matrix

| Module Version / Kubernetes Version | 1.19.X | 1.20.X | 1.21.X | 1.22.X | 1.23.X | 1.24.X | 1.25.X | 1.26.X | 1.27.X | 1.28.X | 1.29.X |
|-------------------------------------| :----------------: | :----------------: | :----------------: | :----------------: | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ |
| v1.6.2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | |
| v1.7.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | |
| v1.7.1 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | |
| v1.7.2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | |
| v1.7.3 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | |
| v1.8.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | |
| v1.9.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | |
| v1.10.0 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | |
| v1.11.0 | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | |
| v1.11.1 | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | |
| v1.12.0 | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| Module Version / Kubernetes Version | 1.19.X | 1.20.X | 1.21.X | 1.22.X | 1.23.X | 1.24.X | 1.25.X | 1.26.X | 1.27.X | 1.28.X | 1.29.X | 1.30.X | 1.31.X |
| ----------------------------------- | :----------------: | :----------------: | :----------------: | :----------------: | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ |
| v1.6.2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :warning: | | | | | | | | |
| v1.7.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | | | |
| v1.7.1 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | |
| v1.7.2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | |
| v1.7.3 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | |
| v1.8.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | | |
| v1.9.0 | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | | |
| v1.10.0 | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | |
| v1.11.0 | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | |
| v1.11.1 | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | | |
| v1.12.0 | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| v1.13.0 | | | | | | | | | | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |

:white_check_mark: Compatible

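Review bot: this rewrite edits the `v1.12.0` row as well as adding `v1.13.0`: `v1.12.0` now carries `:white_check_mark:` under 1.30.X and 1.31.X, where the old row stopped at 1.29.X. Either v1.12.0 was re-tested on 1.30/1.31, in which case the v1.13.0 release notes, which list "Added support for Kubernetes 1.30/1.31" as new in this release, are misleading, or the row should stay as it was. Separately, `v1.13.0` drops 1.27.X, which `v1.12.0` still supports; dropping a Kubernetes minor is a compatibility change the release notes should call out so 1.27 clusters do not pull this module version. Cosmetic: the separator row uses `:----------------:` for the first four Kubernetes columns and `------------------` for the rest, so column alignment differs; pick one.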
34 changes: 34 additions & 0 deletions docs/releases/v1.13.0.md
@@ -0,0 +1,34 @@
# OPA Core Module Release 1.13.0

Welcome to the latest release of `OPA` module of [Kubernetes Fury Distribution](https://github.com/sighupio/fury-distribution) maintained by team SIGHUP.

This is a minor release including the following changes:

- Added support for Kubernetes 1.31
- Added support for Kubernetes 1.30
- Update Gatekeeper to version 3.17.1
- Update Gatekeeper Policy Manager to version 1.0.13
- Update Kyverno to version 1.12.6

## Component Images 🚢

| Component | Supported Version | Previous Version |
| --------------------------- | --------------------------------------------------------------------------------------- | ---------------- |
| `gatekeeper` | [`v3.17.1`](https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.1) | `v3.15.1` |
| `gatekeeper-policy-manager` | [`v1.0.13`](https://github.com/sighupio/gatekeeper-policy-manager/releases/tag/v1.0.13) | `v1.0.10` |
| `kyverno` | [`v1.12.6`](https://github.com/kyverno/kyverno/releases/tag/v1.12.6) | `1.11.4` |

> Please refer the individual release notes to get a detailed information on each release.
## Update Guide 🦮

### Process

To upgrade this core module from `v1.12.0` to `v1.13.0`, you need to download this new version, then apply the `kustomize` project. No further action is required.

> From Kyverno v1.12.0, policies using long-deprecated or invalid operators in conditions (ex., In and NotIn) will be blocked.
Here is the list of valid operators: [Kyverno Operators](https://kyverno.io/docs/writing-policies/preconditions/#operators)

```bash
kustomize build katalog/gatekeeper | kubectl apply -f -
```
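Review bot: "No further action is required" contradicts the Kyverno note placed right after it for this specific upgrade: the module moves Kyverno from `1.11.4` to `v1.12.6`, crossing the v1.12.0 boundary after which policies using invalid operators in conditions are blocked, so any existing policy with such operators stops loading after the upgrade. Move that note above the "no further action" sentence and tell users to check their policies' conditions against the linked operator list before upgrading. The upgrade command only rebuilds `katalog/gatekeeper`; Kyverno users need the matching build of the Kyverno katalog applied with `kubectl apply --server-side -f -` as the README's Kyverno section does, and Gatekeeper itself jumps two minor releases (3.15.1 to 3.17.1), so link the Gatekeeper release notes rather than only saying "refer the individual release notes". In the Component Images table, the `gatekeeper` row links `v3.17.1` to `.../releases/tag/v3.15.1`, the previous version's tag; point it at `.../releases/tag/v3.17.1`. Minor: the `kyverno` previous version is written `1.11.4` without the `v` prefix used in the other rows, and "Please refer the individual release notes" should be "Please refer to the individual release notes".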
2 changes: 1 addition & 1 deletion katalog/gatekeeper/README.md
@@ -24,7 +24,7 @@ This module can easily be added to your existing Fury setup adding to your `Fury
bases:
(...)
- name: opa/gatekeeper
version: "1.12.0"
version: "1.13.0"
```
Once you'll do this, you can then proceed to integrate Gatekeeper into your Kustomize project.
