chore(deps): Bump github.com/kyverno/kyverno from 1.5.0-rc1.0.20230828120437-b374c0551770 to 1.11.0-beta.1 in /backend

[dependabot]

Bumps github.com/kyverno/kyverno from 1.5.0-rc1.0.20230828120437-b374c0551770 to 1.11.0-beta.1.

Release notes

Sourced from github.com/kyverno/kyverno's releases.

v1.11.0-beta.1

No release notes provided.

v1.10.3

🐛 Fixed 🐛

Fixed an issue where the error is not returned when the deferred loader is disabled. (kyverno/kyverno#7982)

v1.10.2

✨ Added ✨

• Added a new --policyReports flag to control if the Policy Reports system is enabled or not. When set to a value of false, only standard Events and log messages will contain policy violations both in admission mode as well as background scans.
• Booleans can now be properly compared in conditional operators without needing to be converted to string. (#7847)
• Added log messages for API call failures. (#7834)
• Events will now be created upon successful resource generation. (#7550)

Helm

• Added an additional check to the ServiceMonitor template to ensure that the cluster supports the monitoring.coreos.com/v1 API version and if not, it will silently not create the ServiceMonitor instead of failing deployment of the chart. (#7926)
• Added chart configurations for cleanup and webhooks. (#7871)
• Add nodeSelector and labels to the cleanup CronJobs. (#7851, #7808)

⚠️ Changed ⚠️

• (kyverno-policies chart) Added a precondition to skip DELETE operations on a couple policies to make them all consistent. (#7883)
• Schema validation for policies matching on CRDs will be skipped. (#7869)
• Performed better validation of policies which use the cloneList declaration in generate rules. (#7823)
• Removed an extra Event created by Kyverno in some verifyImages rules. (#7810)
• The Event created upon resource mutation has been updated to make more sense. (#7550)

🐛 Fixed 🐛

• Fixed an issue where higher log levels weren't being printed in the logs. (#7877)
• Fixed an issue with an entry in a nil map when validating a policy. (#7874)
• Fixed a type confusion problem. (#7857)
• Fixed an issue with namespaceSelector and matching on Namespaces. (#7837)
• Fixed an issue where category and severity annotations weren't being returned in policy reports from CLI tests. (#7828)
• Fixed an issue where some verifyImages rules may have broken in Audit mode. (#7806)
• Fixed an issue in target scope validations for generate rules. (#7800)
• Fixed an issue with aggregated admission reports having stale results. (#7798)
• Fixed an issue preventing a rollback when a verifyImages rule was in place. (#7752)
• Removed some obsolete structs from the CLI. (#6802)

Helm

• Fixed a minor chart templating issue in RBAC. (#7774)

... (truncated)

Changelog

Sourced from github.com/kyverno/kyverno's changelog.

v1.11.0

v1.11.0-rc.1

Note

• Added --tufRoot and --tufMirror flags to configure tuf for custom sigstore deployments.
• Remove description from deprecated fields in CRDs
• Remove CLI kyverno test manifest ... commands (replaced by kyverno create ...).
• Added --caSecretName and --tlsSecretName flags to control names of certificate related secrets.
• Added match conditions support in kyverno config map.
• Deprecated flag --imageSignatureRepository. Will be removed in 1.12. Use per rule configuration verifyImages.Repository instead.
• Added --aggregateReports flag for reports controller to enable/disable aggregated reports (default value is true).
• Added --policyReports flag for reports controller to enable/disable policy reports (default value is true).
• Renamed CLI flag --compact to --detailed-results (and changed default value from true to false).

v1.10.0

v1.10.0-rc.1

Note

• Removed GenerateRequest CRD.
• Refactored kyverno chart, migration instructions are available in chart README.md.
• Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
• Added support for configuring webhook annotations in the config map through webhookAnnotations stanza.
• Added excludeRoles and excludeClusterRoles support in configuration.
• Added new flag skipResourceFilters to reports controller to enable/disable considering resource filters in the background (default value is true)
• Removed hardcoded defaults for excludeGroups and excludeUsernames. They are always read from the config map.

v1.9.0-rc.1

Note

• Flag backgroundScanInterval was added to force background scans at regular intervals (default value is 1h).
• Flag splitPolicyReport was removed, was unused and marked for removal in 1.9.
• Webhook is no longer updated to match pods/ephemeralcontainers when policy only specifies pods. If users want to match on pods/ephemeralcontainers, they must specify pods/ephemeralcontainers in the policy.
• Webhook is no longer updated to match services/status when policy only specifies services. If users want to match on services/status, they must specify services/status in the policy.
• Flag autogenInternals was removed, policy mutation has been removed.
• Flag leaderElectionRetryPeriod was added to control leader election renewal frequency (default value is 2s).
• Support upper case Audit and Enforce in .spec.validationFailureAction of the Kyverno policy, failure actions audit and enforce are deprecated and will be removed in v1.11.0.
• Flag profileAddress was added to configure address of profiling server (default value is "").

v1.8.1-rc3

Note

• A new flag backgroundScanWorkers to configure the number of background scan workers (default value is 2).

v1.8.0-rc3

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.