Releases: open-policy-agent/gatekeeper
Release list
v3.23.0-rc.1
Features
- Mark semantic log lines with structured field (#4482) #4482 (Ogulcan Aydogan)
- Implemented status resource routing for remote cluster mode (#4579) #4579 (abhisheksheth28)
- Add operations field to mutation ApplyTo spec (#4135) #4135 (Sai Kiran Pikili)
Bug Fixes
- Update runner for release workflow (CP #4636) (#4638) #4638 (abhisheksheth28)
- Allow mutation-webhook only operation without constraint client (#4423) #4423 (Alan Diaz)
- Retry VAP API discovery on transient failures (#4455) #4455 (Jaydip Gabani)
- Share StatsReporter across mutator controllers (#4465) #4465 (Jaydip Gabani)
- Unexport SupportedDrivers to enforce mutex-protected access (#4468) #4468 (Raajhesh Kannaa Chidambaram)
- Migrate OCI pulls to oras-go v2 (#4489) #4489 (Jaydip Gabani)
- Restore mutator conflict propagation via events channel (#4478) #4478 (Jaydip Gabani)
- Clean up stale VAPB when vap.k8s.io removed from constraint (#4446) #4446 (Jaydip Gabani)
- Propagate caller context in System.Publish (#4508) #4508 (Vedant Madane)
- audit: Keep export publish state updates across helpers (#4500) #4500 (Sertaç Özercan)
- Reject negative `maxAuditResults` in disk exporter config (#4506) #4506 (Sertaç Özercan)
- export: Synchronize disk cleanup map access in CloseConnection (#4505) #4505 (Sertaç Özercan)
- Cap gator Rego print buffering to prevent unbounded memory growth (#4503) #4503 (Sertaç Özercan)
- Avoid externaldata provider status reconcile loop (#4504) #4504 (Sertaç Özercan)
- Restore TLS readiness gate for webhook server (#4502) #4502 (Sertaç Özercan)
- Gh cli to support immutable releases (#4522) #4522 (abhisheksheth28)
- ci: Cve golang/net (#4562) #4562 (Nolan Emirot)
- Allow overlength status.gatekeeper.sh names in admission validation (#4529) #4529 (Copilot)
- Quote webhook exempt label values (#4557) #4557 (Zakhar Dvurechensky)
- Avoid ConstraintPodStatus update churn during VAPB generation wait (#4599) #4599 (Jaydip Gabani)
- Preserve admission operation for expanded reviews (#4560) #4560 (Zakhar Dvurechensky)
- Allow root file catalog content paths (#4583) #4583 (Immanuel Tikhonov)
Documentation
- Add Adoption and Integration section to website homepage (#4454) #4454 (Jaydip Gabani)
- Adding DELETE operation context for VAP integration (#4421) #4421 (Jaydip Gabani)
- Clarify validation and mutation scope (#4556) #4556 (Zakhar Dvurechensky)
- Guidance around how to safely disable audit #4483 (#4582) #4582 (Mallikarjuna Muchu)
Tests
- Add t.Parallel() to pkg/gator unit tests (#4610) #4610 (Ogulcan Aydogan)
Continuous Integration
- Publish fake-reader and fake-subscriber images to GHCR (#4408) #4408 (abhisheksheth28)
- Fix Slack meeting reminder schedule (#4584) #4584 (Jaydip Gabani)
- Fix license-lint checkout order (#4627) #4627 (Jaydip Gabani)
- Check out release PR workflow before Go setup (#4634) #4634 (Jaydip Gabani)
Dependencies
- Bump the k8s group with 5 updates (#4412) #4412 (dependabot[bot])
- Bump golang from `889885d` to `100774d` in /build/tooling (#4413) #4413 (dependabot[bot])
- Bump golang from `889885d` to `100774d` in /test/image (#4414) #4414 (dependabot[bot])
- Bump golang from `889885d` to `100774d` (#4415) #4415 (dependabot[bot])
- Bump kubectl from v1.35.1 to v1.35.2 (#4416) #4416 (dependabot[bot])
- Bump golang from `889885d` to `100774d` in /test/externaldata/dummy-provider (#4417) #4417 (dependabot[bot])
- Bump golang from `889885d` to `100774d` in /test/export/fake-subscriber (#4418) [#4418](https://github.com/open-p...
v3.22.2
Bug Fixes
- Gh cli to support immutable releases (CP #4522) (#4541) #4541 (abhisheksheth28)
v3.22.1
Bug Fixes
- allow mutation-webhook only operation without constraint client … (#4453) #4453 (Alan Diaz)
- migrate OCI pulls to oras-go v2 CP(4489) (#4494) #4494 (Jaydip Gabani)
- retry VAP API discovery on transient failures CP(#4455) (#4485) #4485 (Jaydip Gabani)
- share StatsReporter across mutator controllers CP (#4465) (#4487) #4487 (Jaydip Gabani)
- restore mutator conflict propagation via events channel (CP #4478) (#4496) #4496 (Jaydip Gabani)
- clean up stale VAPB when vap.k8s.io removed from constraint (CP #4446) (#4507) #4507 (Jaydip Gabani)
Chores
- bumping on sha that pins deps to full commit (cherry-pick to release-3.22) (#4486) #4486 (Jaydip Gabani)
- bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#4488) #4488 (Jaydip Gabani)
- bump kubectl from v1.35.2 to v1.35.3 (CP #4458) (#4497) #4497 (Jaydip Gabani)
- bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.40.0 to 1.43.0 (CP #4499) (#4516) #4516 (abhisheksheth28)
- Prepare v3.22.1 release (#4517) #4517 (github-actions[bot])
v3.23.0-beta.0
Continuous Integration
- publish fake-reader and fake-subscriber images to GHCR (#4408) #4408 (abhisheksheth28)
Chores
- bump the k8s group with 5 updates (#4412) #4412 (dependabot[bot])
- bump golang from `889885d` to `100774d` in /build/tooling (#4413) #4413 (dependabot[bot])
- bump golang from `889885d` to `100774d` in /test/image (#4414) #4414 (dependabot[bot])
- bump golang from `889885d` to `100774d` (#4415) #4415 (dependabot[bot])
- bump kubectl from v1.35.1 to v1.35.2 (#4416) #4416 (dependabot[bot])
- bump golang from `889885d` to `100774d` in /test/externaldata/dummy-provider (#4417) #4417 (dependabot[bot])
- bump golang from `889885d` to `100774d` in /test/export/fake-subscriber (#4418) #4418 (dependabot[bot])
- bump golang from `889885d` to `100774d` in /test/export/fake-reader (#4419) #4419 (dependabot[bot])
- bump the all group with 5 updates (#4420) #4420 (dependabot[bot])
- bumping trivy to 0.69.3 (#4424) #4424 (Jaydip Gabani)
- bump svgo from 2.8.0 to 2.8.2 in /website (#4425) #4425 (dependabot[bot])
- bump sigs.k8s.io/controller-runtime from 0.23.1 to 0.23.3 in the k8s group (#4427) #4427 (dependabot[bot])
- bump go.yaml.in/yaml/v2 from 2.4.3 to 2.4.4 (#4428) #4428 (dependabot[bot])
- bump golang from `100774d` to `ab8c494` (#4429) #4429 (dependabot[bot])
- bump golang from `100774d` to `ab8c494` in /test/externaldata/dummy-provider (#4430) #4430 (dependabot[bot])
- bump golang from `100774d` to `ab8c494` in /test/image (#4431) #4431 (dependabot[bot])
- bump golang from `100774d` to `ab8c494` in /build/tooling (#4432) #4432 (dependabot[bot])
- bump the all group with 5 updates (#4433) #4433 (dependabot[bot])
- bump golang from `100774d` to `ab8c494` in /test/export/fake-subscriber (#4434) #4434 (dependabot[bot])
- bump golang from `100774d` to `ab8c494` in /test/export/fake-reader (#4435) #4435 (dependabot[bot])
- Prepare v3.23.0-beta.0 release (#4439) #4439 (github-actions[bot])
v3.22.0
🚀 Notable Changes
- ✅ `sync-vap-enforcement-scope` now enabled by default: The flag for syncing ValidatingAdmissionPolicy enforcement scope is now `true` by default, ensuring VAP resources reflect constraint enforcement actions out of the box (#4332).
- 🏷️ Namespace support for CEL and Rego engines: CEL expressions can now access `namespaceObject` and Rego policies can access `input.namespace` for namespace-scoped policy decisions during both admission and audit (#4285)
- ⚡ `gator bench` — policy performance benchmarking: New CLI command to benchmark Rego and CEL engines with latency percentiles, throughput metrics, memory profiling, concurrent load testing, and baseline comparison for CI/CD regression detection (#4287)
- 📋 `gator policy` — brew-inspired policy management: New CLI for discovering, installing, upgrading, and uninstalling policies from the gatekeeper-library with support for bundles (e.g., `pod-security-baseline`), enforcement overrides, and dry-run previews (#4331)
- 🔇 Disable audit sidecar support: Users who have their own log monitoring (e.g., OTel collector) can now disable the forced `fake-reader` sidecar when audit file-based logging is enabled (#4280)
- 🌐 Out-of-cluster / remote cluster support: New `--enable-remote-cluster` flag allows Gatekeeper to run outside the target cluster (e.g., nested/hosted control planes), fixing a crash when the Gatekeeper pod doesn't exist in the managed cluster (#4368)
- ⏱️ External data provider timeout enforcement: Mutation-path requests to external data providers now enforce the provider's configured timeout (default 5s), preventing unbounded requests that could outlive the webhook timeout and cause resource exhaustion (#4351)
Features
- Support disabling audit sidecar (#4280) #4280 (Jorge Turrado Ferrero)
- add namespace support for CEL and Rego engines (#4285) #4285 (Jaydip Gabani)
- Support metrics backend configuration options to helm chart (#4282) #4282 (Jorge Turrado Ferrero)
- set sync-vap-enforcement-scope flag to true (#4332) #4332 (abhisheksheth28)
- support print statement in gator (#2949) (#3872) #3872 (Julian)
- add gator bench command for policy performance benchmarking (#4287) #4287 (Sertaç Özercan)
- gator policy (#4331) #4331 (Sertaç Özercan)
Bug Fixes
- Refactor retries for disk driver failed connection removal to be exponential. (#4257) #4257 (devivasudevan)
- remove deprecated spec.preserveUnknownFields (#4276) #4276 (Mohamed Meskine)
- updating expansion templates to add owner ref in expanded resources (#4262) #4262 (Jaydip Gabani)
- chart: Merge namespace exemption labels to fix GKE recommendation (#4348) #4348 (Oliver Karstoft)
- enforce timeout on external data provider requests (#4351) #4351 (Jaydip Gabani)
- run gatekeeper out of bounds (#4368) #4368 (abhisheksheth28)
- thread webhook context through external data mutation requests (#4378) #4378 (Edvin N)
- add missing flags as helm values (#4385) #4385 (abhisheksheth28)
Documentation
- add field precedence documentation for ConstraintTemplate (#4246) #4246 (Copilot)
- adding jfrog provider to external data (#4357) #4357 (carmit hershman)
Continuous Integration
Chores
- bumping kubectl to resolve CVEs (#4248) #4248 (Jaydip Gabani)
- bump go.uber.org/zap from 1.27.0 to 1.27.1 (#4263) #4263 (dependabot[bot])
- bump golang from `728cbef` to `a02d35e` in /test/export/fake-reader (#4264) #4264 (dependabot[bot])
- bump golang from `728cbef` to `a02d35e` in /test/externaldata/dummy-provider (#4265) #4265 (dependabot[bot])
- bump golang from `27e1c92` to `a02d35e` in /test/image (#4266) #4266 (dependabot[bot])
- bump the all group with 4 updates (#4269) #4269 (dependabot[bot])
- bump golang from `27e1c92` to `a02d35e` (#4270) #4270 (dependabot[bot])
- bump node-forge from 1.3.1 to 1.3.2 in /website (#4274) #4274 (dependabot[bot])
- bump golang from `27e1c92` to `a02d35e` in /test/export/fake-subscriber (#4267) #4267 (dependabot[bot])
- bump the all group with 2 updates (#4275) #4275 (dependabot[bot])
- migrate from deprecated stale bot app to GitHub Actions stale action (#4245) #4245 (Copilot)
- bump express from 4.21.0 to 4.22.1 in /website (#4278) #4278 (dependabot[bot])
- bump golang from `27e1c92` to `a02d35e` in /build/tooling (#4268) #4268 (dependabot[bot])
- bump golang from `a02d35e` to `4f9d98e` in ...
v3.22.0-rc.0
🚀 Notable Changes
- ✅ `sync-vap-enforcement-scope` now enabled by default: The flag for syncing ValidatingAdmissionPolicy enforcement scope is now `true` by default, ensuring VAP resources reflect constraint enforcement actions out of the box (#4332).
- 🏷️ Namespace support for CEL and Rego engines: CEL expressions can now access `namespaceObject` and Rego policies can access `input.namespace` for namespace-scoped policy decisions during both admission and audit (#4285)
- ⚡ `gator bench` — policy performance benchmarking: New CLI command to benchmark Rego and CEL engines with latency percentiles, throughput metrics, memory profiling, concurrent load testing, and baseline comparison for CI/CD regression detection (#4287)
- 📋 `gator policy` — brew-inspired policy management: New CLI for discovering, installing, upgrading, and uninstalling policies from the gatekeeper-library with support for bundles (e.g., `pod-security-baseline`), enforcement overrides, and dry-run previews (#4331)
- 🔇 Disable audit sidecar support: Users who have their own log monitoring (e.g., OTel collector) can now disable the forced `fake-reader` sidecar when audit file-based logging is enabled (#4280)
- 🌐 Out-of-cluster / remote cluster support: New `--enable-remote-cluster` flag allows Gatekeeper to run outside the target cluster (e.g., nested/hosted control planes), fixing a crash when the Gatekeeper pod doesn't exist in the managed cluster (#4368)
- ⏱️ External data provider timeout enforcement: Mutation-path requests to external data providers now enforce the provider's configured timeout (default 5s), preventing unbounded requests that could outlive the webhook timeout and cause resource exhaustion (#4351)
Features
- Support disabling audit sidecar (#4280) #4280 (Jorge Turrado Ferrero)
- add namespace support for CEL and Rego engines (#4285) #4285 (Jaydip Gabani)
- Support metrics backend configuration options to helm chart (#4282) #4282 (Jorge Turrado Ferrero)
- set sync-vap-enforcement-scope flag to true (#4332) #4332 (abhisheksheth28)
- support print statement in gator (#2949) (#3872) #3872 (Julian)
- add gator bench command for policy performance benchmarking (#4287) #4287 (Sertaç Özercan)
- gator policy (#4331) #4331 (Sertaç Özercan)
Bug Fixes
- Refactor retries for disk driver failed connection removal to be exponential. (#4257) #4257 (devivasudevan)
- remove deprecated spec.preserveUnknownFields (#4276) #4276 (Mohamed Meskine)
- updating expansion templates to add owner ref in expanded resources (#4262) #4262 (Jaydip Gabani)
- chart: Merge namespace exemption labels to fix GKE recommendation (#4348) #4348 (Oliver Karstoft)
- enforce timeout on external data provider requests (#4351) #4351 (Jaydip Gabani)
- run gatekeeper out of bounds (#4368) #4368 (abhisheksheth28)
- thread webhook context through external data mutation requests (#4378) #4378 (Edvin N)
- add missing flags as helm values (#4385) #4385 (abhisheksheth28)
Documentation
- add field precedence documentation for ConstraintTemplate (#4246) #4246 (Copilot)
- adding jfrog provider to external data (#4357) #4357 (carmit hershman)
Continuous Integration
Chores
- bumping kubectl to resolve CVEs (#4248) #4248 (Jaydip Gabani)
- bump go.uber.org/zap from 1.27.0 to 1.27.1 (#4263) #4263 (dependabot[bot])
- bump golang from `728cbef` to `a02d35e` in /test/export/fake-reader (#4264) #4264 (dependabot[bot])
- bump golang from `728cbef` to `a02d35e` in /test/externaldata/dummy-provider (#4265) #4265 (dependabot[bot])
- bump golang from `27e1c92` to `a02d35e` in /test/image (#4266) #4266 (dependabot[bot])
- bump the all group with 4 updates (#4269) #4269 (dependabot[bot])
- bump golang from `27e1c92` to `a02d35e` (#4270) #4270 (dependabot[bot])
- bump node-forge from 1.3.1 to 1.3.2 in /website (#4274) #4274 (dependabot[bot])
- bump golang from `27e1c92` to `a02d35e` in /test/export/fake-subscriber (#4267) #4267 (dependabot[bot])
- bump the all group with 2 updates (#4275) #4275 (dependabot[bot])
- migrate from deprecated stale bot app to GitHub Actions stale action (#4245) #4245 (Copilot)
- bump express from 4.21.0 to 4.22.1 in /website (#4278) #4278 (dependabot[bot])
- bump golang from `27e1c92` to `a02d35e` in /build/tooling (#4268) #4268 (dependabot[bot])
- bump golang from `a02d35e` to `4f9d98e` in ...
v3.21.1
Bug Fixes
- enforce timeout on external data provider requests cherry-pick (#4351) (#4359) #4359 (Jaydip Gabani)
Chores
- bump github.com/containerd/containerd from 1.7.28 to 1.7.29 cp #4223 (#4360) #4360 (Jaydip Gabani)
- bump golang.org/x/crypto from 0.43.0 to 0.45.0 CP(#4254) (#4364) #4364 (Jaydip Gabani)
- bump golang from `7534a62` to `04741b0` CP(#4341) (#4365) #4365 (Jaydip Gabani)
- bumping kubectl to resolve CVE CP(#4248) (#4366) #4366 (Jaydip Gabani)
- Prepare v3.21.1 release (#4367) #4367 (github-actions[bot])
v3.22.0-beta.0
Bug Fixes
- bumping frameworks (#4221) #4221 (Jaydip Gabani)
Documentation
- clarify message assertion expects regular expression (#4240) #4240 (Tommy Brunn)
Chores
- bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#4223) #4223 (dependabot[bot])
- bump golang from `7534a62` to `27e1c92` in /test/image (#4228) #4228 (dependabot[bot])
- bump golang from `7534a62` to `27e1c92` in /build/tooling (#4229) #4229 (dependabot[bot])
- bump golang from `7534a62` to `27e1c92` in /test/export/fake-subscriber (#4236) #4236 (dependabot[bot])
- bump golang from `7534a62` to `27e1c92` (#4231) #4231 (dependabot[bot])
- bump the k8s group across 1 directory with 6 updates (#4242) #4242 (dependabot[bot])
- bump the all group across 1 directory with 5 updates (#4244) #4244 (dependabot[bot])
- bump golang from `7534a62` to `27e1c92` in /test/export/fake-reader (#4235) #4235 (dependabot[bot])
- bump golang from `7534a62` to `27e1c92` in /test/externaldata/dummy-provider (#4234) #4234 (dependabot[bot])
- Prepare v3.22.0-beta.0 release (#4249) #4249 (github-actions[bot])
v3.21.0
🚀 Notable Changes
- 🛠️ New flag: `sync-vap-enforcement-scope` has been introduced to unify the ValidatingAdmissionPolicy (VAP) enforcement surface with the ConstraintTemplate enforcement surface. This syncs VAP resource scope with Gatekeeper's `ValidatingWebhookConfigurations`, `Config` resource exclusions, and `exempt-namespace`-based exemptions. This improves enforcement consistency across all policy mechanisms.
- 🧩 Granular Operation-Level Controls for ConstraintTemplates: ConstraintTemplates now support defining operations on which a template should be enforced (e.g., CREATE, UPDATE, DELETE).
- 📈 Enhanced Metrics & Status for External Data (Provider API): Added new metrics and status reporting for the External Data / Provider API feature, improving observability and overall user experience when integrating external data sources into policy evaluation.
Call to action
Beginning in v3.22 (February 18, 2026), the sync-vap-enforcement-scope flag will default to true and will be removed in a future release. When this flag is removed, Gatekeeper will always generate Validating Admission Policy (VAP) resources by combining enforcement inputs from the admission webhook configuration, Gatekeeper’s configuration resource, and namespace-exemption settings. All applicable enforcement criteria will be merged into the resulting VAP resource.
Impact:
If you have explicitly set this flag to false, the enforcement scope of Gatekeeper-managed VAP resources will change, which may cause unexpected behavior in your environment. If you have concerns about removing this flag and would prefer it to remain, please add your feedback in #4302.
Features
- Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
- `gator verify` - support multiple expansions for per test case (#3981) #3981 (Halvdan Hoem Grelland)
- Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
- External data status metrics (#4115) #4115 (Jaydip Gabani)
- Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
- support DELETE operation type when generate VAP (#4030) #4030 (DahuK)
Bug Fixes
- spelling errors in deprecated documentation (#4138) #4138 (Copilot)
- updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
- Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
- Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
- load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)
Documentation
- update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
- add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
- adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)
Continuous Integration
- adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)
Chores
- Prepare v3.21.0 release (#4247) #4247 (github-actions[bot])
- bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
- bump golang from `69adc37` to `ef8c5c7` in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
- bump golang from `69adc37` to `ef8c5c7` in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
- bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
- updating k8s version and dep versions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
- bump distroless/static-debian12 from `b7b9a69` to `2e114d2` in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
- bump golang from `ef8c5c7` to `2679c15` in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
- bump frameworks (#4104) #4104 (Noah Reisch)
- updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
- bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
- bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])
- bump the all group across 1 directory with 8 updates (#4127) #4127 (dependabot[bot])
- bump github.com/onsi/gomega from 1.38.0 to 1.38.1 (#4126) #4126 (dependabot[bot])
- bump the k8s group with 5 updates (#4111) #4111 (dependabot[bot])
- bump distroless/static-debian12 from `b7b9a69` to `2e114d2` in /test/export/fake-reader (#4091) #4091 (dependabot[bot])
- bump kubectl from v1.33.3 to v1.33.4 (#4107) #4107 (dependabot[bot])
- bump distroless/static-debian12 from `b7b9a69` to `2e114d2` (#4096) #4096 (dependabot[bot])
- bump ...
v3.21.0-rc.1
Bug Fixes
- bumping frameworks (#4221) (#4224) #4224 (Jaydip Gabani)
Chores
- Prepare v3.21.0-rc.1 release (#4226) #4226 (github-actions[bot])