v3.21.0
Notable Changes
- New flag: sync-vap-enforcement-scope has been introduced to unify the ValidatingAdmissionPolicy (VAP) enforcement surface with the ConstraintTemplate enforcement surface. This syncs VAP resource scope with Gatekeeper's ValidatingWebhookConfigurations, Config resource exclusions, and exempt-namespace-based exemptions. This improves enforcement consistency across all policy mechanisms.
- Granular Operation-Level Controls for ConstraintTemplates: ConstraintTemplates now support defining operations on which a template should be enforced (e.g., CREATE, UPDATE, DELETE).
- Enhanced Metrics & Status for External Data (Provider API): Added new metrics and status reporting for the External Data / Provider API feature, improving observability and overall user experience when integrating external data sources into policy evaluation.
Call to action
Beginning in v3.22 (February 18, 2026), the sync-vap-enforcement-scope flag will default to true and will be removed in a future release. When this flag is removed, Gatekeeper will always generate Validating Admission Policy (VAP) resources by combining enforcement inputs from the admission webhook configuration, Gatekeeper's configuration resource, and namespace-exemption settings. All applicable enforcement criteria will be merged into the resulting VAP resource.
Impact:
If you have explicitly set this flag to false, the enforcement scope of Gatekeeper-managed VAP resources will change, which may cause unexpected behavior in your environment. If you have concerns about removing this flag and would prefer it to remain, please add your feedback in #4302.
Features
- Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
- gator verify - support multiple expansions for per test case (#3981) #3981 (Halvdan Hoem Grelland)
- Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
- External data status metrics (#4115) #4115 (Jaydip Gabani)
- Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
- support DELETE operation type when generate VAP (#4030) #4030 (DahuK)
Bug Fixes
- spelling errors in deprecated documentation (#4138) #4138 (Copilot)
- updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
- Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
- Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
- load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)
Documentation
- update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
- add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
- adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)
Continuous Integration
- adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)
Chores
- Prepare v3.21.0 release (#4247) #4247 (github-actions[bot])
- bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
- bump golang from 69adc37 to ef8c5c7 in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
- bump golang from 69adc37 to ef8c5c7 in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
- bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
- updating k8s version and dep versions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
- bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
- bump golang from ef8c5c7 to 2679c15 in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
- bump frameworks (#4104) #4104 (Noah Reisch)
- updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
- bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
- bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])
- bump the all group across 1 directory with 8 updates (#4127) #4127 (dependabot[bot])
- bump github.com/onsi/gomega from 1.38.0 to 1.38.1 (#4126) #4126 (dependabot[bot])
- bump the k8s group with 5 updates (#4111) #4111 (dependabot[bot])
- bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-reader (#4091) #4091 (dependabot[bot])
- bump kubectl from v1.33.3 to v1.33.4 (#4107) #4107 (dependabot[bot])
- bump distroless/static-debian12 from b7b9a69 to 2e114d2 (#4096) #4096 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.25-bookworm (#4108) #4108 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-reader (#4114) #4114 (dependabot[bot])
- bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-subscriber (#4093) #4093 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-subscriber (#4112) #4112 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.25-bookworm in /test/externaldata/dummy-provider (#4113) #4113 (dependabot[bot])
- Patch docs for 3.20.1 release (#4134) #4134 (github-actions[bot])
- bump golang from 1.24-bookworm to 1.25-bookworm in /test/image (#4110) #4110 (dependabot[bot])
- bump golang from 81dc45d to 6ad9415 in /test/export/fake-subscriber (#4146) #4146 (dependabot[bot])
- bump golang from 81dc45d to 6ad9415 in /test/export/fake-reader (#4145) #4145 (dependabot[bot])
- bump golang from 81dc45d to 6ad9415 in /test/image (#4144) #4144 (dependabot[bot])
- bump golang from 81dc45d to 6ad9415 (#4143) #4143 (dependabot[bot])
- bump the all group with 5 updates (#4142) #4142 (dependabot[bot])
- bump golang from 81dc45d to 6ad9415 in /test/externaldata/dummy-provider (#4141) #4141 (dependabot[bot])
- bump distroless/static-debian12 from 2e114d2 to f2ff10a in /test/externaldata/dummy-provider (#4140) #4140 (dependabot[bot])
- remove deprecated PodSecurityPolicy from helm chart (#4131) #4131 (Tyler Owens)
- bump golang from 6ad9415 to c4bc074 in /test/image (#4163) #4163 (dependabot[bot])
- bump distroless/static-debian12 from f2ff10a to 87bce11 in /test/export/fake-reader (#4161) #4161 (dependabot[bot])
- bump golang from 6ad9415 to c4bc074 in /test/export/fake-reader (#4160) #4160 (dependabot[bot])
- bump distroless/static-debian12 from f2ff10a to 87bce11 in /test/export/fake-subscriber (#4159) #4159 (dependabot[bot])
- bump golang from 6ad9415 to c4bc074 in /test/export/fake-subscriber (#4158) #4158 (dependabot[bot])
- bump golang from 6ad9415 to c4bc074 (#4157) #4157 (dependabot[bot])
- bump distroless/static-debian12 from f2ff10a to 87bce11 (#4162) #4162 (dependabot[bot])
- bump golang from 08c8ac4 to c4bc074 in /test/externaldata/dummy-provider (#4154) #4154 (dependabot[bot])
- bump google.golang.org/protobuf from 1.36.8 to 1.36.9 (#4153) #4153 (dependabot[bot])
- bump kubectl from v1.34.0 to v1.34.1 (#4152) #4152 (dependabot[bot])
- bump google.golang.org/grpc from 1.74.2 to 1.74.3 (#4156) #4156 (dependabot[bot])
- bump the k8s group with 5 updates (#4151) #4151 (dependabot[bot])
- support cert rotation for multiple whcs (#4139) #4139 (Anlan Du)
- bump the all group with 6 updates (#4169) #4169 (dependabot[bot])
- bump algoliasearch-helper from 3.10.0 to 3.26.0 in /website (#4171) #4171 (dependabot[bot])
- bump the all group across 1 directory with 5 updates (#4186) #4186 (dependabot[bot])
- remove go.uber.org/automaxprocs (#4172) #4172 (Eng Zer Jun)
- bump golang from c8c8d55 to 61226c6 in /test/externaldata/dummy-provider (#4181) #4181 (dependabot[bot])
- bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2 (#4175) #4175 (dependabot[bot])
- bump the all group across 1 directory with 3 updates (#4196) #4196 (dependabot[bot])
- bump oras.land/oras-go from 1.2.5 to 1.2.7 (#4191) #4191 (dependabot[bot])
- bump golang from c8c8d55 to 61226c6 in /build/tooling (#4180) #4180 (dependabot[bot])
- bump golang from ec34da7 to 7534a62 in /test/externaldata/dummy-provider (#4195) #4195 (dependabot[bot])
- bump golang from c8c8d55 to 61226c6 in /test/image (#4178) #4178 (dependabot[bot])
- bumping frameworks and k8s to 0.34.1 (#4199) #4199 (Jaydip Gabani)
- bump golang from c8c8d55 to 61226c6 (#4179) #4179 (dependabot[bot])
- bump google.golang.org/protobuf from 1.36.9 to 1.36.10 (#4176) #4176 (dependabot[bot])
- bump golang from c8c8d55 to 61226c6 in /test/export/fake-subscriber (#4183) #4183 (dependabot[bot])
- bump golang from c8c8d55 to 61226c6 in /test/export/fake-reader (#4182) #4182 (dependabot[bot])
- bump golang from 61226c6 to 7534a62 in /build/tooling (#4210) #4210 (dependabot[bot])
- bump the all group with 2 updates (#4209) #4209 (dependabot[bot])
- bumping frameworks (#4208) #4208 (Jaydip Gabani)
- bumping cert-controller (#4213) #4213 (Jaydip Gabani)
- Prepare v3.21.0-rc.0 release (#4214) #4214 (github-actions[bot])