
Releases: sighupio/fury-kubernetes-opa

Preview v1.9.0-rc.0 (Pre-release)

28 Aug 13:19
6cdadb1

OPA Core Module Release 1.9.0

Welcome to the latest release of the OPA module of the Kubernetes Fury Distribution, maintained by team SIGHUP.

This is a minor release including the following changes:

  • Added support for Kubernetes 1.26

Component Images 🚢

Component                  Supported Version  Previous Version
gatekeeper                 v3.12.0            v3.11.0
gatekeeper-policy-manager  v1.0.4             v1.0.3

Please refer to the individual release notes for detailed information on each component release.

Update Guide 🦮

Process

To upgrade this core module from v1.8.0 to v1.9.0, you need to download this new version, then apply the kustomize project. No further action is required.

kustomize build katalog/gatekeeper | kubectl apply -f -

Release v1.8.0

01 Feb 16:00
ac2552b

OPA Core Module Release 1.8.0

Welcome to the latest release of the OPA module of the Kubernetes Fury Distribution, maintained by team SIGHUP.

This is a minor release including the following changes:

  • Added support for Kubernetes 1.25
  • Updated Gatekeeper to 3.11, which promotes Mutation to stable, moves External Data to beta and introduces validation of workload resources (alpha)
  • Updated Gatekeeper Policy Manager to v1.0.3 and its deployment manifests to comply with Pod Security Standards

Component Images 🚢

Component                  Supported Version  Previous Version
gatekeeper                 v3.11.0            v3.9.2
gatekeeper-policy-manager  v1.0.3             v1.0.2

Please refer to the individual release notes for detailed information on each component release.

Update Guide 🦮

Process

To upgrade this core module from v1.7.3 to v1.8.0, you need to download this new version, then apply the kustomize project. No further action is required.

kustomize build katalog/gatekeeper | kubectl apply -f -

Release v1.7.3

01 Dec 15:31
aa3aa43

OPA Core Module Release 1.7.3

Welcome to the latest release of the OPA module of the Kubernetes Fury Distribution, maintained by team SIGHUP.

This is a patch release including the following changes:

  • Removed references to deprecated Ingress API in Gatekeeper's config and custom rules (#88)
  • Updated documentation

💡 Please refer to the release notes of the minor version v1.7.0 if you are upgrading from a version < v1.7.0

Component Images 🚢

Component                  Supported Version  Previous Version
gatekeeper                 v3.9.2             No update
gatekeeper-policy-manager  v1.0.2             No update

Please refer to the individual release notes for detailed information on each component release.

Update Guide 🦮

Process

To upgrade this core module from v1.7.2 to v1.7.3, you need to download this new version, then apply the kustomize project. No further action is required.

kustomize build katalog/gatekeeper | kubectl apply -f -

Release v1.7.2

19 Oct 10:45
539eccf

OPA Core Module Release 1.7.2

Welcome to the latest release of the OPA module of the Kubernetes Fury Distribution, maintained by team SIGHUP.

This is a patch release including the following changes:

  • Added pomerium, calico-apiserver and vmware-system-csi namespaces to the default rules exclusions.
  • Updated Gatekeeper to v3.9.2 from v3.9.0, fixing a CVE and improving performance.

💡 Please refer to the release notes of the minor version v1.7.0 if you are upgrading from a version < v1.7.0

Component Images 🚢

Component                  Supported Version  Previous Version
gatekeeper                 v3.9.2             v3.9.0
gatekeeper-policy-manager  v1.0.2             No update

Please refer to the individual release notes for detailed information on each component release.

Update Guide 🦮

Process

To upgrade this core module from v1.7.1 to v1.7.2, you need to download this new version, then apply the kustomize project. No further action is required.

kustomize build katalog/gatekeeper | kubectl apply -f -

Release v1.7.1

12 Oct 17:30
eca5478

OPA Core Module Release 1.7.1

Welcome to the latest release of the OPA module of the Kubernetes Fury Distribution, maintained by team SIGHUP.

This is a patch release including the following changes:

  • Updated the provided Grafana dashboard to use the new metrics from Gatekeeper.
  • Added Tigera operator namespaces to the default exemptions of custom rules.
  • Updated Gatekeeper Policy Manager to v1.0.2.
  • Added official support for Kubernetes v1.24.x

💡 Please refer to the release notes of the minor version v1.7.0 if you are upgrading from a version < v1.7.0

Component Images 🚢

Component                  Supported Version  Previous Version
gatekeeper                 v3.9.0             No update
gatekeeper-policy-manager  v1.0.2             v1.0.0

Please refer to the individual release notes for detailed information on each component release.

Update Guide 🦮

Process

To upgrade this core module from v1.7.0 to v1.7.1, you need to download this new version, then apply the kustomize project. No further action is required.

kustomize build katalog/gatekeeper | kubectl apply -f -

Release v1.7.0

29 Aug 11:39
32b2631

OPA Core Module Release v1.7.0

Welcome to the latest release of the OPA module of the Kubernetes Fury Distribution, maintained by team SIGHUP.

This release includes the following changes:

  • Gatekeeper has been updated to v3.9.0 with mutating capabilities in beta.
  • The custom rules have been updated to use constraintTemplates v1 and improved with added descriptions and better deny messages.
  • The Gatekeeper audit process for the provided constraints now triggers violations for pre-existing resources.
  • A set of custom Prometheus alerts that get triggered when the Gatekeeper webhooks are misbehaving for more than 5 min* has been added.
  • The Grafana Dashboard for Gatekeeper has been updated.
  • Gatekeeper Policy Manager has been updated to v1.0.0, including a revamped UI.
  • Gatekeeper Policy Manager now uses local manifests instead of pulling them at kustomize build time.
  • The module's documentation has been updated and improved.

* The alert for webhooks failing in Ignore mode requires Kubernetes version 1.24 or later.
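The alert rules themselves are not reproduced on this page. The PrometheusRule below is an added example, not the module's own rule set, of how "webhooks misbehaving for more than 5 min" can be expressed with the kube-apiserver's admission webhook metrics; it is split the same way the footnote above is. The alert names, severities and the webhook name pattern are assumptions.

```yaml
# Added example (not the module's shipped alerts). Alert names, the 5m window
# and the name=~".*gatekeeper.*" pattern are assumptions for illustration.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: gatekeeper-webhook-alerts      # assumed name
  namespace: gatekeeper-system
spec:
  groups:
    - name: gatekeeper-webhooks
      rules:
        # The apiserver could not call the webhook (timeout, TLS error, no
        # ready endpoints). With failurePolicy: Fail these requests are
        # rejected, so the admission path of the whole cluster is down.
        - alert: GatekeeperWebhookCallErrors
          expr: |
            sum by (name, type) (
              rate(apiserver_admission_webhook_rejection_count{
                name=~".*gatekeeper.*", error_type="calling_webhook_error"
              }[5m])
            ) > 0
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: "Admission webhook {{ $labels.name }} is unreachable"
            description: "kube-apiserver has been failing to call the Gatekeeper {{ $labels.type }} webhook {{ $labels.name }} for 5 minutes; admission requests are being rejected."
        # With failurePolicy: Ignore a failing webhook silently fails open and
        # no policy is enforced. Needs Kubernetes 1.24+, which introduced the
        # apiserver_admission_webhook_fail_open_count metric (the footnote's
        # caveat).
        - alert: GatekeeperWebhookFailingOpen
          expr: |
            sum by (name, type) (
              increase(apiserver_admission_webhook_fail_open_count{name=~".*gatekeeper.*"}[5m])
            ) > 0
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: "Admission webhook {{ $labels.name }} is failing open"
            description: "Requests bypassed the Gatekeeper {{ $labels.type }} webhook {{ $labels.name }} because it failed and its failurePolicy is Ignore; policies are not being enforced."
```

The two rules cover the two ways a webhook can misbehave: with failurePolicy Fail the symptom is rejected requests, with Ignore it is a silent loss of enforcement, which is the more dangerous case from a security standpoint and is invisible without the 1.24 metric.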

Component Images 🚢

Component                  Supported Version  Previous Version
gatekeeper                 v3.9.0             v3.7.0
gatekeeper-policy-manager  v1.0.0             v0.5.1

Please refer to the linked release notes for more information on the changes in these versions.

Update Guide 🦮

Warnings

Upgrade from v1.6.2 should be straightforward and no downtime is expected.

Process

To upgrade this core module from v1.6.2 to v1.7.0, you need to download this new version, then apply the kustomize project. No further action is required.

kustomize build katalog/gatekeeper | kubectl apply -f -

Release v1.6.2

10 Mar 18:39
9333a8b

OPA Core Module Release 1.6.2

Welcome to the latest release of the OPA module of the Kubernetes Fury Distribution, maintained by team SIGHUP.

This is a patch release fixing a missing volume mount for gatekeeper-audit and reverting the commonLabels introduced in v1.6.0, which would have broken future updates of the module.

💡 Please refer to the release notes of the minor version v1.6.0 if you are upgrading from a version < v1.6.0

Component Images 🚢

Component                  Supported Version  Previous Version
gatekeeper                 v3.7.0             No update
gatekeeper-policy-manager  v0.5.1             No update

Please refer to the individual release notes for detailed information on each component release. Even though gatekeeper v3.7.0 has no breaking changes, it is worth having a look at them.

Update Guide 🦮

Warnings

  • Since this release rolls back changes to immutable fields, applying the module without first deleting the existing Deployments, StatefulSets and DaemonSets will fail. See the Process below for details.

Process

If you are upgrading from version v1.6.0 or v1.6.1 to v1.6.2 you need to download this new version and then apply the kustomize project as shown below.

There will be downtime on the components.

# Delete the validating webhook first, so that admission requests are not sent to a webhook with no backend while the Gatekeeper deployments are recreated
kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io gatekeeper-validating-webhook-configuration
# Delete the deployments carrying the v1.6.0 commonLabels (a Deployment's label selector is immutable), so they can be recreated
kubectl delete -n gatekeeper-system deployments.apps gatekeeper-policy-manager gatekeeper-audit gatekeeper-controller-manager
# Finally, apply the new version, which recreates the deployments and the webhook configuration
kustomize build katalog/gatekeeper | kubectl apply -f -

If you are upgrading from a version < v1.6.0, you can simply apply the kustomize project as shown below.

kustomize build katalog/gatekeeper | kubectl apply -f -

Preview v1.6.2-rc0 (Pre-release)

09 Mar 19:43
74d49b9

Release candidate for v1.6.2; see the v1.6.2 release notes above.

Release v1.6.1

28 Jan 15:35

❌ This release contains issues, please use the version v1.6.2 instead ❌

OPA Core Module Release 1.6.1

Welcome to the latest release of the OPA module of the Kubernetes Fury Distribution, maintained by team SIGHUP.

This is a patch release fixing a bug and improving some documentation for the module.

💡 Please refer to the release notes of the minor version v1.6.0 if you are upgrading from a version < v1.6.0

Component Images 🚢

Component                  Supported Version  Previous Version
gatekeeper                 v3.7.0             No update
gatekeeper-policy-manager  v0.5.1             No update

Please refer to the individual release notes for detailed information on each component release. Even though gatekeeper v3.7.0 has no breaking changes, it is worth having a look at them.

Documentation 📕

  • #45 Improved and restructured the documentation of the OPA module

Update Guide 🦮

Since this is only a documentation update, no changes to the installed module are required.

Release v1.6.0

17 Jan 19:45

❌ This release contains issues, please use the version v1.6.2 instead ❌

OPA Core Module Release 1.6.0

Welcome to the latest release of the OPA module of the Kubernetes Fury Distribution, maintained by team SIGHUP.

This release upgrades the module's components to their latest stable releases and adds a tech preview of Kubernetes v1.23.0.

Component Images 🚢

Component                  Supported Version  Previous Version
gatekeeper                 v3.7.0             v3.6.0
gatekeeper-policy-manager  v0.5.1             v0.5.0

Please refer to the individual release notes for detailed information on each component release. Even though gatekeeper v3.7.0 has no breaking changes, it is worth having a look at them.

Known Issues ⚠️

  • This release recreates resources such as Deployments and DaemonSets. We recommend deleting them with --cascade=orphan so that the running pods are left untouched.
  • Support for Kubernetes versions <= v1.19.x has been dropped.

Breaking Changes 💔

  • #40 Added Kubernetes labels to all the components of the module. Since kustomize commonLabels are also added to the label selectors of Deployments, DaemonSets, etc., and those selectors are immutable, this change requires recreating those resources.

Features 💥

  • #35 Protecting namespaces from accidental deletion (optional)
    • We added a Constraint Template and a Constraint that protect namespaces from being deleted. If you want to avoid the accidental deletion of a namespace, add the following annotation to it:

      annotations:
      opa.sighup.io/indelible-ns: "yes"

      To mark a namespace as deletable, use the annotation:

      annotations:
      opa.sighup.io/indelible-ns: "no"

      If no annotation is set, the default is to protect the namespace.

      This feature is provided as optional; enabling it takes two steps:

      1. Deploy the Constraint by uncommenting the corresponding line in kustomization.yaml.
      2. Configure Gatekeeper to also receive DELETE events. Be aware that, once this is enabled, any custom constraints you have will be evaluated for DELETE events too (where input.review.object is null), so they have to account for it. For example, you can discard DELETE operations with either of these Rego snippets:

      operation := input.review.operation
      operation != "DELETE"

      or, equivalently:

      operation := input.review.operation
      any([operation == "CREATE", operation == "UPDATE"])

      To enable the watching of DELETE events (needed by the namespace protection rule) you have to remove the comment in lines 37 and 62 of the file vwh.yml.

  • #40 Added e2e-test support for k8s runtime 1.23
  • #40 Added Makefile, JSON builder and .bumpversion config to the module
  • #41 Upgraded the gatekeeper image to v3.7.0
  • #42 Added k8s 1.23 e2e-testing support for the OPA module
  • #43 Updated Gatekeeper Policy Manager to v0.5.1
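The module's own Constraint Template for protected namespaces is not shown on this page. As an added example (not the module's manifests; template, constraint and label names are assumptions), the following manifests implement the opa.sighup.io/indelible-ns semantics described above, and a second, conventional required-labels template shows the DELETE guard that step 2 asks for in every other constraint. The templates use the templates.gatekeeper.sh/v1 API that the module's rules adopted in v1.7.0; on the Gatekeeper v3.7.0 shipped with this release use v1beta1 instead.

```yaml
# Added example, not the module's shipped template; names are assumptions.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sindeliblenamespace
spec:
  crd:
    spec:
      names:
        kind: K8sIndelibleNamespace
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sindeliblenamespace

        violation[{"msg": msg}] {
          input.review.operation == "DELETE"
          # On DELETE the API server sends the object being removed in
          # oldObject; input.review.object is null.
          ns := input.review.oldObject
          not deletable(ns)
          msg := sprintf("namespace %v is protected from deletion; set the annotation opa.sighup.io/indelible-ns to \"no\" to allow it", [ns.metadata.name])
        }

        # Only an explicit "no" makes a namespace deletable: a missing
        # annotation, or any other value, keeps the default protection.
        deletable(ns) {
          ns.metadata.annotations["opa.sighup.io/indelible-ns"] == "no"
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sIndelibleNamespace
metadata:
  name: protect-namespaces
spec:
  # Only takes effect once the ValidatingWebhookConfiguration forwards DELETE
  # operations (the commented lines in vwh.yml mentioned above).
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
---
# Every other template evaluated in a cluster that forwards DELETE events
# needs a guard like the one below: on a delete input.review.object is null,
# so without it every label looks missing and the deletion itself is denied.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabelsdeletesafe
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabelsDeleteSafe
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabelsdeletesafe

        violation[{"msg": msg}] {
          # The DELETE guard from step 2 above.
          input.review.operation != "DELETE"
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required labels: %v", [missing])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabelsDeleteSafe
metadata:
  name: namespaces-must-have-owner
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["owner"]
```

Apply the manifests with kubectl, then test with a throw-away namespace: `kubectl delete ns` on a namespace without the annotation is denied with the message above, and succeeds once `opa.sighup.io/indelible-ns: "no"` is set. Deleting a namespace that lacks the `owner` label is still allowed, which is exactly what the guard in the second template is for.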

Update Guide 🦮

Warnings

  • Since this release changes some immutable fields, applying the module without first deleting the existing Deployments and DaemonSets will fail.
  • The protected-namespace Constraint Template requires Gatekeeper to receive DELETE events, which increases the number of requests Gatekeeper has to process. Make sure Gatekeeper's resource requests and limits are sized accordingly if you decide to enable this feature.

Process

To upgrade this core module to v1.6.0 from the previous version, you need to download this new version, then apply the kustomize project:

# Delete the Deployments so they can be recreated with the new labels and selectors; --cascade=orphan leaves the existing ReplicaSets and pods running meanwhile
kubectl -n gatekeeper-system delete deployment.apps/gatekeeper-audit deployment.apps/gatekeeper-controller-manager deployment.apps/gatekeeper-policy-manager --cascade=orphan
kustomize build katalog/gatekeeper | kubectl apply -f - --force