Hello community,

here is the log from the commit of package kyverno for openSUSE:Factory checked in at 2026-01-12 10:26:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kyverno (Old)
 and /work/SRC/openSUSE:Factory/.kyverno.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kyverno" Mon Jan 12 10:26:07 2026 rev:54 rq:1326634 version:1.16.2 Changes: -------- --- /work/SRC/openSUSE:Factory/kyverno/kyverno.changes 2025-12-05 16:54:17.314494794 +0100 +++ /work/SRC/openSUSE:Factory/.kyverno.new.1928/kyverno.changes 2026-01-12 10:34:48.498793174 +0100 @@ -1,0 +2,8 @@ +Sun Jan 11 12:57:52 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 1.16.2: + No CLI-related changes + Full changelog: + https://github.com/kyverno/kyverno/compare/v1.16.1...v1.16.2 + +------------------------------------------------------------------- Old: ---- kyverno-1.16.1.obscpio New: ---- kyverno-1.16.2.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kyverno.spec ++++++ --- /var/tmp/diff_new_pack.6YpD3y/_old 2026-01-12 10:34:49.806847007 +0100 +++ /var/tmp/diff_new_pack.6YpD3y/_new 2026-01-12 10:34:49.810847172 +0100 @@ -1,7 +1,7 @@ # # spec file for package kyverno # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: kyverno -Version: 1.16.1 +Version: 1.16.2 Release: 0 Summary: CLI and kubectl plugin for Kyverno License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.6YpD3y/_old 2026-01-12 10:34:49.870849641 +0100 +++ /var/tmp/diff_new_pack.6YpD3y/_new 2026-01-12 10:34:49.870849641 +0100 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/kyverno/kyverno</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.16.1</param> + <param name="revision">v1.16.2</param> <param name="match-tag">v*</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.6YpD3y/_old 2026-01-12 10:34:49.894850629 +0100 +++ /var/tmp/diff_new_pack.6YpD3y/_new 2026-01-12 10:34:49.898850793 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/kyverno/kyverno</param> - <param name="changesrevision">67f7f8c3f58d64e3c7b103de5f11ffe268250c55</param></service></servicedata> + <param name="changesrevision">2377cc562e43489b5e0927a492f96d26ed9c51d8</param></service></servicedata> (No newline at EOF) ++++++ kyverno-1.16.1.obscpio -> kyverno-1.16.2.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/Makefile new/kyverno-1.16.2/Makefile --- old/kyverno-1.16.1/Makefile 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/Makefile 2026-01-09 12:36:21.000000000 +0100 @@ -715,7 +715,7 @@ .PHONY: codegen-helm-docs codegen-helm-docs: ## Generate helm docs @echo Generate helm docs... >&2 - @docker run -v $(CURDIR):/work -w /work/charts jnorwood/helm-docs:$(HELM_DOCS_VERSION) -s file + @docker run -v $(CURDIR):/work -w /work jnorwood/helm-docs:$(HELM_DOCS_VERSION) --chart-search-root charts -s file .PHONY: codegen-helm-all codegen-helm-all: ## Generate helm docs and CRDs diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/charts/kyverno/Chart.lock new/kyverno-1.16.2/charts/kyverno/Chart.lock --- old/kyverno-1.16.1/charts/kyverno/Chart.lock 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/charts/kyverno/Chart.lock 2026-01-09 12:36:21.000000000 +0100 
@@ -1,12 +1,12 @@ dependencies: - name: grafana repository: "" - version: 3.6.1 + version: 3.6.2 - name: crds repository: "" - version: 3.6.1 + version: 3.6.2 - name: openreports repository: https://openreports.github.io/reports-api version: 0.1.0 -digest: sha256:afbdbd0d45f2ff5e4b969e8e88ef9cfd08a0c5b85fd9feaa1f36e491876447cd -generated: "2025-12-03T15:28:49.69941+08:00" +digest: sha256:f33c4343b006412ec9339e7708498ce3936c308a58e29cafb9ccc83f2068a9cc +generated: "2026-01-09T18:38:55.993346+08:00" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/charts/kyverno/Chart.yaml new/kyverno-1.16.2/charts/kyverno/Chart.yaml --- old/kyverno-1.16.1/charts/kyverno/Chart.yaml 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/charts/kyverno/Chart.yaml 2026-01-09 12:36:21.000000000 +0100 @@ -1,8 +1,8 @@ apiVersion: v2 type: application name: kyverno -version: 3.6.1 -appVersion: v1.16.1 +version: 3.6.2 +appVersion: v1.16.2 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management keywords: @@ -43,10 +43,10 @@ description: Enable the flag `--validatingAdmissionPolicyReports` by default in the reports controller. dependencies: - name: grafana - version: 3.6.1 + version: 3.6.2 condition: grafana.enabled - name: crds - version: 3.6.1 + version: 3.6.2 condition: crds.install - name: openreports version: "0.1.0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/charts/kyverno/README.md new/kyverno-1.16.2/charts/kyverno/README.md --- old/kyverno-1.16.1/charts/kyverno/README.md 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/charts/kyverno/README.md 2026-01-09 12:36:21.000000000 +0100 @@ -2,7 +2,7 @@ Kubernetes Native Policy Management -   +   ## About 
@@ -881,8 +881,8 @@ | Repository | Name | Version | |------------|------|---------| -| | crds | 3.6.1 | -| | grafana | 3.6.1 | +| | crds | 3.6.2 | +| | grafana | 3.6.2 | | https://openreports.github.io/reports-api | openreports | 0.1.0 | ## Maintainers diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/charts/kyverno/charts/crds/Chart.yaml new/kyverno-1.16.2/charts/kyverno/charts/crds/Chart.yaml --- old/kyverno-1.16.1/charts/kyverno/charts/crds/Chart.yaml 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/charts/kyverno/charts/crds/Chart.yaml 2026-01-09 12:36:21.000000000 +0100 @@ -1,3 +1,3 @@ apiVersion: v2 name: crds -version: 3.6.1 +version: 3.6.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/charts/kyverno/charts/crds/README.md new/kyverno-1.16.2/charts/kyverno/charts/crds/README.md --- old/kyverno-1.16.1/charts/kyverno/charts/crds/README.md 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/charts/kyverno/charts/crds/README.md 2026-01-09 12:36:21.000000000 +0100 @@ -1,6 +1,6 @@ # crds - + ## Values diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/charts/kyverno/charts/grafana/Chart.yaml new/kyverno-1.16.2/charts/kyverno/charts/grafana/Chart.yaml --- old/kyverno-1.16.1/charts/kyverno/charts/grafana/Chart.yaml 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/charts/kyverno/charts/grafana/Chart.yaml 2026-01-09 12:36:21.000000000 +0100 
@@ -1,3 +1,3 @@ apiVersion: v2 name: grafana -version: 3.6.1 +version: 3.6.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/charts/kyverno/charts/grafana/README.md new/kyverno-1.16.2/charts/kyverno/charts/grafana/README.md --- old/kyverno-1.16.1/charts/kyverno/charts/grafana/README.md 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/charts/kyverno/charts/grafana/README.md 2026-01-09 12:36:21.000000000 +0100 @@ -1,6 +1,6 @@ # grafana - + ## Values diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/charts/kyverno-policies/Chart.yaml new/kyverno-1.16.2/charts/kyverno-policies/Chart.yaml --- old/kyverno-1.16.1/charts/kyverno-policies/Chart.yaml 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/charts/kyverno-policies/Chart.yaml 2026-01-09 12:36:21.000000000 +0100 @@ -1,8 +1,8 @@ apiVersion: v2 type: application name: kyverno-policies -version: 3.6.1 -appVersion: v1.16.1 +version: 3.6.2 +appVersion: v1.16.2 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Pod Security Standards implemented as Kyverno policies keywords: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/charts/kyverno-policies/README.md new/kyverno-1.16.2/charts/kyverno-policies/README.md --- old/kyverno-1.16.1/charts/kyverno-policies/README.md 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/charts/kyverno-policies/README.md 2026-01-09 12:36:21.000000000 +0100 
@@ -2,7 +2,7 @@ Kubernetes Pod Security Standards implemented as Kyverno policies -   +   ## About diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/cmd/cli/kubectl-kyverno/commands/apply/command.go new/kyverno-1.16.2/cmd/cli/kubectl-kyverno/commands/apply/command.go --- old/kyverno-1.16.1/cmd/cli/kubectl-kyverno/commands/apply/command.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/cmd/cli/kubectl-kyverno/commands/apply/command.go 2026-01-09 12:36:21.000000000 +0100 @@ -580,7 +580,7 @@ return nil, err } - contextProvider, err := processor.NewContextProvider(dclient, restMapper, c.ContextPath, c.RegistryAccess, !c.Cluster) + contextProvider, err := processor.NewContextProvider(dclient, restMapper, nil, c.ContextPath, c.RegistryAccess, !c.Cluster) if err != nil { return nil, err } @@ -697,7 +697,7 @@ return nil, err } - contextProvider, err := processor.NewContextProvider(dclient, restMapper, c.ContextPath, c.RegistryAccess, !c.Cluster) + contextProvider, err := processor.NewContextProvider(dclient, restMapper, nil, c.ContextPath, c.RegistryAccess, !c.Cluster) if err != nil { return nil, err } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/cmd/cli/kubectl-kyverno/commands/test/test.go new/kyverno-1.16.2/cmd/cli/kubectl-kyverno/commands/test/test.go --- old/kyverno-1.16.1/cmd/cli/kubectl-kyverno/commands/test/test.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/cmd/cli/kubectl-kyverno/commands/test/test.go 2026-01-09 12:36:21.000000000 +0100 
@@ -7,12 +7,12 @@ "path/filepath" "reflect" + "github.com/go-git/go-billy/v5" "github.com/kyverno/kyverno-json/pkg/payload" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1" policiesv1beta1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1beta1" - clicontext "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/context" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/deprecations" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/exception" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/log" @@ -29,7 +29,6 @@ "github.com/kyverno/kyverno/pkg/autogen" "github.com/kyverno/kyverno/pkg/background/generate" celengine "github.com/kyverno/kyverno/pkg/cel/engine" - "github.com/kyverno/kyverno/pkg/cel/libs" "github.com/kyverno/kyverno/pkg/cel/matching" dpolcompiler "github.com/kyverno/kyverno/pkg/cel/policies/dpol/compiler" dpolengine "github.com/kyverno/kyverno/pkg/cel/policies/dpol/engine" @@ -37,7 +36,6 @@ "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/config" engineapi "github.com/kyverno/kyverno/pkg/engine/api" - gctxstore "github.com/kyverno/kyverno/pkg/globalcontext/store" eval "github.com/kyverno/kyverno/pkg/imageverification/evaluator" "github.com/kyverno/kyverno/pkg/imageverification/imagedataloader" utils "github.com/kyverno/kyverno/pkg/utils/restmapper" @@ -45,7 +43,6 @@ admissionv1 "k8s.io/api/admission/v1" authenticationv1 "k8s.io/api/authentication/v1" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -69,6 +66,8 @@ contextPath := "" if testCase.Test.Context != "" { contextPath = filepath.Join(testDir, testCase.Test.Context) + fmt.Fprintln(out, "testDir", testDir) + fmt.Fprintln(out, "contextPath", contextPath) } // values/variables fmt.Fprintln(out, " Loading values/variables", "...") @@ -274,6 +273,7 @@ ParameterResources: paramObjectsArr, MutateLogPath: "", Variables: vars, + ContextFs: testCase.Fs, ContextPath: contextPath, UserInfo: userInfo, PolicyReport: true, @@ -300,6 +300,7 @@ &resultCounts, dClient, true, + testCase.Fs, contextPath, false, ) @@ -325,6 +326,7 @@ &resultCounts, dClient, true, + testCase.Fs, contextPath, ) if err != nil { @@ -354,6 +356,7 @@ CELExceptions: polexLoader.CELExceptions, MutateLogPath: "", Variables: vars, + ContextFs: testCase.Fs, ContextPath: contextPath, UserInfo: userInfo, PolicyReport: true, @@ -380,6 +383,7 @@ &resultCounts, dClient, true, + testCase.Fs, contextPath, false, ) @@ -405,6 +409,7 @@ &resultCounts, dClient, true, + testCase.Fs, contextPath, ) if err != nil { @@ -438,6 +443,7 @@ rc *processor.ResultCounts, dclient dclient.Interface, registryAccess bool, + f billy.Filesystem, contextPath string, continueOnFail bool, ) ([]engineapi.EngineResponse, error) { @@ -465,7 +471,7 @@ if err != nil { return nil, err } - contextProvider, err := newContextProvider(dclient, restMapper, contextPath, registryAccess) + contextProvider, err := processor.NewContextProvider(dclient, restMapper, f, contextPath, registryAccess, true) if err != nil { return nil, err } @@ -570,6 +576,7 @@ rc *processor.ResultCounts, dclient dclient.Interface, registryAccess bool, + f billy.Filesystem, contextPath string, ) ([]engineapi.EngineResponse, error) { provider, err := dpolengine.NewProvider(dpolcompiler.NewCompiler(), dps, celExceptions) 
@@ -582,7 +589,7 @@ return nil, err } - contextProvider, err := newContextProvider(dclient, restMapper, contextPath, registryAccess) + contextProvider, err := processor.NewContextProvider(dclient, restMapper, f, contextPath, registryAccess, true) if err != nil { return nil, err } @@ -679,35 +686,3 @@ } return resources } - -func newContextProvider(dclient dclient.Interface, restMapper meta.RESTMapper, contextPath string, registryAccess bool) (libs.Context, error) { - if dclient != nil { - return libs.NewContextProvider( - dclient, - []imagedataloader.Option{imagedataloader.WithLocalCredentials(registryAccess)}, - gctxstore.New(), - restMapper, - true, - ) - } - - fakeContextProvider := libs.NewFakeContextProvider() - if contextPath != "" { - ctx, err := clicontext.Load(nil, contextPath) - if err != nil { - return nil, err - } - - for _, resource := range ctx.ContextSpec.Resources { - gvk := resource.GroupVersionKind() - mapping, err := restMapper.RESTMapping(gvk.GroupKind(), gvk.Version) - if err != nil { - return nil, err - } - if err := fakeContextProvider.AddResource(mapping.Resource, &resource); err != nil { - return nil, err - } - } - } - return fakeContextProvider, nil -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/cmd/cli/kubectl-kyverno/processor/policy_processor.go new/kyverno-1.16.2/cmd/cli/kubectl-kyverno/processor/policy_processor.go --- old/kyverno-1.16.1/cmd/cli/kubectl-kyverno/processor/policy_processor.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/cmd/cli/kubectl-kyverno/processor/policy_processor.go 2026-01-09 12:36:21.000000000 +0100 @@ -9,6 +9,7 @@ "strings" json_patch "github.com/evanphx/json-patch/v5" + "github.com/go-git/go-billy/v5" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1" 
@@ -75,6 +76,7 @@ Variables *variables.Variables ParameterResources []runtime.Object // TODO + ContextFs billy.Filesystem ContextPath string Cluster bool UserInfo *kyvernov2.RequestInfo @@ -281,7 +283,7 @@ return nil, err } - contextProvider, err := NewContextProvider(p.Client, restMapper, p.ContextPath, true, !p.Cluster) + contextProvider, err := NewContextProvider(p.Client, restMapper, p.ContextFs, p.ContextPath, true, !p.Cluster) if err != nil { return nil, err } @@ -386,7 +388,7 @@ if err != nil { return nil, err } - contextProvider, err := NewContextProvider(p.Client, restMapper, p.ContextPath, true, !p.Cluster) + contextProvider, err := NewContextProvider(p.Client, restMapper, p.ContextFs, p.ContextPath, true, !p.Cluster) if err != nil { return nil, err } @@ -469,7 +471,7 @@ CompiledPolicy: compiled, }) } - contextProvider, err := NewContextProvider(p.Client, restMapper, p.ContextPath, true, !p.Cluster) + contextProvider, err := NewContextProvider(p.Client, restMapper, p.ContextFs, p.ContextPath, true, !p.Cluster) if err != nil { return nil, err } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/cmd/cli/kubectl-kyverno/processor/utils.go new/kyverno-1.16.2/cmd/cli/kubectl-kyverno/processor/utils.go --- old/kyverno-1.16.1/cmd/cli/kubectl-kyverno/processor/utils.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/cmd/cli/kubectl-kyverno/processor/utils.go 2026-01-09 12:36:21.000000000 +0100 @@ -1,6 +1,7 @@ package processor import ( + "github.com/go-git/go-billy/v5" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" clicontext "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/context" "github.com/kyverno/kyverno/pkg/cel/libs" 
@@ -20,7 +21,7 @@ return false } -func NewContextProvider(dclient dclient.Interface, restMapper meta.RESTMapper, contextPath string, registryAccess bool, isFake bool) (libs.Context, error) { +func NewContextProvider(dclient dclient.Interface, restMapper meta.RESTMapper, f billy.Filesystem, contextPath string, registryAccess bool, isFake bool) (libs.Context, error) { if dclient != nil && !isFake { return libs.NewContextProvider( dclient, @@ -33,7 +34,7 @@ fakeContextProvider := libs.NewFakeContextProvider() if contextPath != "" { - ctx, err := clicontext.Load(nil, contextPath) + ctx, err := clicontext.Load(f, contextPath) if err != nil { return nil, err } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/background/gpol/generate_controller.go new/kyverno-1.16.2/pkg/background/gpol/generate_controller.go --- old/kyverno-1.16.1/pkg/background/gpol/generate_controller.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/background/gpol/generate_controller.go 2026-01-09 12:36:21.000000000 +0100 @@ -91,6 +91,9 @@ c.watchManager.DeleteDownstreams(ur.Spec.GetPolicyKey(), &ur.Spec.RuleContext[i].Trigger) continue } + if ur.Spec.RuleContext[i].Synchronize { + c.watchManager.DeleteDownstreams(ur.Spec.GetPolicyKey(), &ur.Spec.RuleContext[i].Trigger) + } trigger, err := common.GetTrigger(c.client, ur.Spec, i, c.log) if err != nil || trigger == nil { logger.V(4).Info("the trigger resource does not exist or is pending creation") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/controllers/globalcontext/controller.go new/kyverno-1.16.2/pkg/controllers/globalcontext/controller.go --- old/kyverno-1.16.1/pkg/controllers/globalcontext/controller.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/controllers/globalcontext/controller.go 2026-01-09 12:36:21.000000000 +0100 
@@ -152,7 +152,6 @@ ctx, gce, c.eventGen, - c.kubeClient, c.dclient.GetDynamicInterface(), logger, gvr, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/controllers/ttl/manager.go new/kyverno-1.16.2/pkg/controllers/ttl/manager.go --- old/kyverno-1.16.1/pkg/controllers/ttl/manager.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/controllers/ttl/manager.go 2026-01-09 12:36:21.000000000 +0100 @@ -13,6 +13,7 @@ "github.com/kyverno/kyverno/pkg/logging" "github.com/kyverno/kyverno/pkg/metrics" "go.opentelemetry.io/otel/metric" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/sets" 
@@ -125,8 +126,38 @@ return nil } +// preflightCheck performs a lightweight authorization check before starting an informer. +// This prevents the informer from failing repeatedly if the service account lacks +// permission to list/watch the resource (403 Forbidden), which can cause cascading +// failures similar to those described in https://github.com/projectcalico/calico/issues/9527 +func (m *manager) preflightCheck(ctx context.Context, gvr schema.GroupVersionResource, logger logr.Logger) error { + opts := metav1.ListOptions{ + LabelSelector: kyverno.LabelCleanupTtl, + Limit: 1, + } + _, err := m.metadataClient.Resource(gvr).List(ctx, opts) + if err != nil { + // Check if it's a 403 Forbidden - don't start informer for forbidden resources + if apierrors.IsForbidden(err) { + return fmt.Errorf("preflight authorization check failed: %w", err) + } + // For NotFound errors, we can still proceed as the resource type might exist but have no items + if !apierrors.IsNotFound(err) { + return fmt.Errorf("preflight check failed: %w", err) + } + } + return nil +} + func (m *manager) start(ctx context.Context, gvr schema.GroupVersionResource, workers int) error { logger := m.logger.WithValues("gvr", gvr) + + // Perform preflight check before starting the informer + if err := m.preflightCheck(ctx, gvr, logger); err != nil { + logger.Error(err, "preflight check failed, skipping resource") + return nil + } + indexers := cache.Indexers{ cache.NamespaceIndex: cache.MetaNamespaceIndexFunc, } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/globalcontext/k8sresource/entry.go new/kyverno-1.16.2/pkg/globalcontext/k8sresource/entry.go --- old/kyverno-1.16.1/pkg/globalcontext/k8sresource/entry.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/globalcontext/k8sresource/entry.go 2026-01-09 12:36:21.000000000 +0100 @@ -2,7 +2,6 @@ import ( "context" - "encoding/json" "fmt" "sync" 
@@ -14,12 +13,12 @@ "github.com/kyverno/kyverno/pkg/globalcontext/store" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/dynamic" "k8s.io/client-go/dynamic/dynamicinformer" - "k8s.io/client-go/informers" - "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/cache" ) @@ -31,16 +30,17 @@ projections []store.Projection jp jmespath.Interface - objectsMu sync.RWMutex - objects map[string]interface{} - projected map[string]interface{} + // projected stores pre-computed projection results + // Only projections are cached since JMESPath computation is expensive + // Raw data is read directly from the lister to avoid memory duplication + projectedMu sync.RWMutex + projected map[string]interface{} } func New( ctx context.Context, gce *kyvernov2alpha1.GlobalContextEntry, eventGen event.Interface, - kubeClient kubernetes.Interface, dClient dynamic.Interface, logger logr.Logger, gvr schema.GroupVersionResource, @@ -51,12 +51,10 @@ namespace = metav1.NamespaceAll } - factory := informers.NewSharedInformerFactoryWithOptions(kubeClient, 0, informers.WithNamespace(namespace)) - informer, err := factory.ForResource(gvr) - if err != nil { - logger.Info("no built-in informer found, use dynamic informer", "gvr", gvr) - informer = dynamicinformer.NewFilteredDynamicInformer(dClient, gvr, namespace, 0, nil, nil) - } + // Use DynamicInformer for all resources + // DynamicInformer returns *unstructured.Unstructured which can be used directly for JMESPath queries + informer := dynamicinformer.NewFilteredDynamicInformer(dClient, gvr, namespace, 0, nil, nil) + logger.V(4).Info("using DynamicInformer", "gvr", gvr) var group wait.Group ctx, cancel := context.WithCancel(ctx) 
@@ -66,7 +64,7 @@ group.Wait() } - err = informer.Informer().SetWatchErrorHandler(func(r *cache.Reflector, err error) { + err := informer.Informer().SetWatchErrorHandler(func(r *cache.Reflector, err error) { eventErr := fmt.Errorf("failed to run informer for %s", gvr) eventGen.Add(entryevent.NewErrorEvent(corev1.ObjectReference{ APIVersion: gce.APIVersion, @@ -104,17 +102,20 @@ eventGen: eventGen, projections: projections, jp: jp, - objects: make(map[string]interface{}), projected: make(map[string]interface{}), } - _, err = informer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ - AddFunc: e.handleAdd, - UpdateFunc: func(oldObj, newObj interface{}) { e.handleUpdate(newObj) }, - DeleteFunc: e.handleDelete, - }) - if err != nil { - return nil, err + // Only add event handlers if projections are defined + // This avoids unnecessary processing when projections are not used + if len(projections) > 0 { + _, err := informer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: func(obj interface{}) { e.recomputeProjections() }, + UpdateFunc: func(oldObj, newObj interface{}) { e.recomputeProjections() }, + DeleteFunc: func(obj interface{}) { e.recomputeProjections() }, + }) + if err != nil { + return nil, err + } } group.StartWithContext(ctx, func(ctx context.Context) { 
@@ -134,104 +135,35 @@ return nil, err } - return e, nil -} - -func (e *entry) handleAdd(obj interface{}) { - key, err := cache.MetaNamespaceKeyFunc(obj) - if err != nil { - e.eventGen.Add(entryevent.NewErrorEvent(corev1.ObjectReference{ - APIVersion: e.gce.APIVersion, - Kind: e.gce.Kind, - Name: e.gce.Name, - Namespace: e.gce.Namespace, - UID: e.gce.UID, - }, fmt.Errorf("failed to get key for object: %w", err))) - return - } - - jsonData, err := json.Marshal(obj) - if err != nil { - e.eventGen.Add(entryevent.NewErrorEvent(corev1.ObjectReference{ - APIVersion: e.gce.APIVersion, - Kind: e.gce.Kind, - Name: e.gce.Name, - Namespace: e.gce.Namespace, - UID: e.gce.UID, - }, fmt.Errorf("failed to marshal object: %w", err))) - return - } - - var data any - if err := json.Unmarshal(jsonData, &data); err != nil { - e.eventGen.Add(entryevent.NewErrorEvent(corev1.ObjectReference{ - APIVersion: e.gce.APIVersion, - Kind: e.gce.Kind, - Name: e.gce.Name, - Namespace: e.gce.Namespace, - UID: e.gce.UID, - }, fmt.Errorf("failed to unmarshal object: %w", err))) - return + // Compute initial projections after cache sync + if len(projections) > 0 { + e.recomputeProjections() } - e.objectsMu.Lock() - e.objects[key] = data - e.objectsMu.Unlock() - - e.recomputeProjections() + return e, nil } -func (e *entry) handleUpdate(obj interface{}) { - key, err := cache.MetaNamespaceKeyFunc(obj) - if err != nil { - e.eventGen.Add(entryevent.NewErrorEvent(corev1.ObjectReference{ - APIVersion: e.gce.APIVersion, - Kind: e.gce.Kind, - Name: e.gce.Name, - Namespace: e.gce.Namespace, - UID: e.gce.UID, - }, fmt.Errorf("failed to get key for updated object: %w", err))) - return - } - - jsonData, err := json.Marshal(obj) - if err != nil { - e.eventGen.Add(entryevent.NewErrorEvent(corev1.ObjectReference{ - APIVersion: e.gce.APIVersion, - Kind: e.gce.Kind, - Name: e.gce.Name, - Namespace: e.gce.Namespace, - UID: e.gce.UID, - }, fmt.Errorf("failed to marshal object: %w", err))) - return +// listObjects 
retrieves all objects from the lister and returns them as a slice of map[string]interface{} +// Since we use DynamicInformer, objects are *unstructured.Unstructured and can be used directly +func (e *entry) listObjects() ([]interface{}, error) { + objs, err := e.lister.List(labels.Everything()) + if err != nil { + return nil, fmt.Errorf("failed to list objects: %w", err) } - var data any - if err := json.Unmarshal(jsonData, &data); err != nil { - e.eventGen.Add(entryevent.NewErrorEvent(corev1.ObjectReference{ - APIVersion: e.gce.APIVersion, - Kind: e.gce.Kind, - Name: e.gce.Name, - Namespace: e.gce.Namespace, - UID: e.gce.UID, - }, fmt.Errorf("failed to unmarshal object: %w", err))) - return + list := make([]interface{}, 0, len(objs)) + for _, obj := range objs { + // DynamicInformer returns *unstructured.Unstructured + // We can use its Object field directly which is already map[string]interface{} + if u, ok := obj.(*unstructured.Unstructured); ok { + list = append(list, u.Object) + } } - - e.objectsMu.Lock() - e.objects[key] = data - e.objectsMu.Unlock() - - e.recomputeProjections() + return list, nil } -func (e *entry) handleDelete(obj interface{}) { - deletedObj, ok := obj.(cache.DeletedFinalStateUnknown) - if ok { - obj = deletedObj.Obj - } - - key, err := cache.MetaNamespaceKeyFunc(obj) +func (e *entry) recomputeProjections() { + list, err := e.listObjects() if err != nil { e.eventGen.Add(entryevent.NewErrorEvent(corev1.ObjectReference{ APIVersion: e.gce.APIVersion, 
@@ -239,25 +171,10 @@ Name: e.gce.Name, Namespace: e.gce.Namespace, UID: e.gce.UID, - }, fmt.Errorf("failed to get key for deleted object: %w", err))) + }, err)) return } - e.objectsMu.Lock() - delete(e.objects, key) - e.objectsMu.Unlock() - - e.recomputeProjections() -} - -func (e *entry) recomputeProjections() { - e.objectsMu.RLock() - list := make([]interface{}, 0, len(e.objects)) - for _, obj := range e.objects { - list = append(list, obj) - } - e.objectsMu.RUnlock() - for _, proj := range e.projections { result, err := proj.JP.Search(list) if err != nil { @@ -270,24 +187,22 @@ }, fmt.Errorf("failed to apply projection %q: %w", proj.Name, err))) continue } - e.objectsMu.Lock() + e.projectedMu.Lock() e.projected[proj.Name] = result - e.objectsMu.Unlock() + e.projectedMu.Unlock() } } func (e *entry) Get(projection string) (any, error) { - e.objectsMu.RLock() - defer e.objectsMu.RUnlock() - + // If no projection specified, return all objects directly from lister if projection == "" { - list := make([]interface{}, 0, len(e.objects)) - for _, obj := range e.objects { - list = append(list, obj) - } - return list, nil + return e.listObjects() } + // Return pre-computed projection result + e.projectedMu.RLock() + defer e.projectedMu.RUnlock() + if result, ok := e.projected[projection]; ok { return result, nil } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/metrics/admission.go new/kyverno-1.16.2/pkg/metrics/admission.go --- old/kyverno-1.16.1/pkg/metrics/admission.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/metrics/admission.go 2026-01-09 12:36:21.000000000 +0100 @@ -9,7 +9,6 @@ "go.opentelemetry.io/otel/attribute" "go.opentelemetry.io/otel/metric" admissionv1 "k8s.io/api/admission/v1" - "k8s.io/apimachinery/pkg/runtime/schema" ) func GetAdmissionMetrics() AdmissionMetrics { 
@@ -28,7 +27,7 @@ } type AdmissionMetrics interface { - RecordRequest(ctx context.Context, allowed bool, namespace string, operation admissionv1.Operation, gvk schema.GroupVersionKind, startTime time.Time, attrs ...attribute.KeyValue) + RecordRequest(ctx context.Context, allowed bool, namespace string, operation admissionv1.Operation, kind string, startTime time.Time, attrs ...attribute.KeyValue) } func (m *admissionMetrics) init(meter metric.Meter) { @@ -50,7 +49,7 @@ } } -func (m *admissionMetrics) RecordRequest(ctx context.Context, allowed bool, namespace string, operation admissionv1.Operation, gvk schema.GroupVersionKind, startTime time.Time, attrs ...attribute.KeyValue) { +func (m *admissionMetrics) RecordRequest(ctx context.Context, allowed bool, namespace string, operation admissionv1.Operation, kind string, startTime time.Time, attrs ...attribute.KeyValue) { if m.durationMetric == nil || m.requestsMetric == nil { return } @@ -60,7 +59,7 @@ } attributes := []attribute.KeyValue{ - attribute.String("resource_kind", gvk.Kind), + attribute.String("resource_kind", kind), attribute.String("resource_namespace", namespace), attribute.String("resource_request_operation", strings.ToLower(string(operation))), attribute.Bool("request_allowed", allowed), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/metrics/policy_engine.go new/kyverno-1.16.2/pkg/metrics/policy_engine.go --- old/kyverno-1.16.1/pkg/metrics/policy_engine.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/metrics/policy_engine.go 2026-01-09 12:36:21.000000000 +0100 
@@ -126,7 +126,7 @@ attribute.String("rule_name", ruleName), attribute.String("rule_result", string(ruleResult)), attribute.String("rule_type", string(ruleType)), - attribute.String("execution_cause", string(executionCause)), + attribute.String("rule_execution_cause", string(executionCause)), attribute.String("dry_run", strconv.FormatBool(admissionInfo.DryRun)), } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/utils/controller/run.go new/kyverno-1.16.2/pkg/utils/controller/run.go --- old/kyverno-1.16.1/pkg/utils/controller/run.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/utils/controller/run.go 2026-01-09 12:36:21.000000000 +0100 @@ -65,6 +65,9 @@ func handleErr[T comparable](ctx context.Context, logger logr.Logger, controllerName string, queue workqueue.TypedRateLimitingInterface[T], maxRetries int, err error, obj T) { metric := metrics.GetControllerMetrics() + if metric != nil { + metric.RecordReconcileIncrease(ctx, controllerName) + } if err == nil { queue.Forget(obj) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/webhooks/handlers/metrics.go new/kyverno-1.16.2/pkg/webhooks/handlers/metrics.go --- old/kyverno-1.16.1/pkg/webhooks/handlers/metrics.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/webhooks/handlers/metrics.go 2026-01-09 12:36:21.000000000 +0100 
@@ -22,7 +22,7 @@ return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse { response := inner(ctx, logger, request, startTime) - metrics.RecordRequest(ctx, response.Allowed, request.Namespace, request.Operation, request.GroupVersionKind, startTime, attrs...) + metrics.RecordRequest(ctx, response.Allowed, request.Namespace, request.Operation, request.Kind.Kind, startTime, attrs...) return response } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/webhooks/resource/gpol/handler.go new/kyverno-1.16.2/pkg/webhooks/resource/gpol/handler.go --- old/kyverno-1.16.1/pkg/webhooks/resource/gpol/handler.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/webhooks/resource/gpol/handler.go 2026-01-09 12:36:21.000000000 +0100 @@ -84,7 +84,7 @@ // delete downstream on trigger deletion in case synchronization is enabled if gpol.Spec.SynchronizationEnabled() { logger.V(4).Info("creating the UR to delete downstream on trigger's deletion", "operation", request.Operation, "policy", policy, "trigger", triggerSpec.String()) - urSpec := buildURSpecNew(kyvernov2.CELGenerate, policy, triggerSpec, true) + urSpec := buildURSpecNew(kyvernov2.CELGenerate, policy, triggerSpec, true, false) urSpec.Context = buildURContext(admissionRequest, userInfo) if err := h.urGenerator.Apply(ctx, urSpec); err != nil { logger.Error(err, "failed to create update request for generate policy", "policy", policy) 
@@ -95,7 +95,7 @@ } else { // fire generation on trigger deletion logger.V(4).Info("creating the UR to generate downstream on trigger's deletion", "operation", request.Operation, "policy", policy, "trigger", triggerSpec.String()) - urSpec := buildURSpecNew(kyvernov2.CELGenerate, policy, triggerSpec, false) + urSpec := buildURSpecNew(kyvernov2.CELGenerate, policy, triggerSpec, false, false) urSpec.Context = buildURContext(admissionRequest, userInfo) if err := h.urGenerator.Apply(ctx, urSpec); err != nil { logger.Error(err, "failed to create update request for generate policy", "policy", policy) @@ -104,8 +104,17 @@ } } } else { - logger.V(4).Info("creating the UR to generate downstream on trigger's operation", "operation", request.Operation, "policy", policy) - urSpec := buildURSpecNew(kyvernov2.CELGenerate, policy, triggerSpec, false) + synchronize := false + if request.Operation == admissionv1.Update { + gpol, err := h.gpolLister.Get(policy) + if err != nil { + logger.Error(err, "failed to get generating policy", "policy", policy) + } else { + synchronize = gpol.Spec.SynchronizationEnabled() + } + } + logger.V(4).Info("creating the UR to generate downstream on trigger's operation", "operation", request.Operation, "policy", policy, "synchronize", synchronize) + urSpec := buildURSpecNew(kyvernov2.CELGenerate, policy, triggerSpec, false, synchronize) urSpec.Context = buildURContext(admissionRequest, userInfo) if err := h.urGenerator.Apply(ctx, urSpec); err != nil { logger.Error(err, "failed to create update request for generate policy", "policy", policy) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/webhooks/resource/gpol/utils.go new/kyverno-1.16.2/pkg/webhooks/resource/gpol/utils.go --- old/kyverno-1.16.1/pkg/webhooks/resource/gpol/utils.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/webhooks/resource/gpol/utils.go 2026-01-09 12:36:21.000000000 +0100 
@@ -6,8 +6,8 @@ admissionv1 "k8s.io/api/admission/v1" ) -func buildURSpecNew(requestType kyvernov2.RequestType, policyName string, trigger kyvernov1.ResourceSpec, deleteDownstream bool) kyvernov2.UpdateRequestSpec { - ruleCtx := buildRuleContext(policyName, trigger, deleteDownstream) +func buildURSpecNew(requestType kyvernov2.RequestType, policyName string, trigger kyvernov1.ResourceSpec, deleteDownstream, synchronize bool) kyvernov2.UpdateRequestSpec { + ruleCtx := buildRuleContext(policyName, trigger, deleteDownstream, synchronize) return kyvernov2.UpdateRequestSpec{ Type: requestType, Policy: policyName, @@ -15,11 +15,12 @@ } } -func buildRuleContext(policyName string, trigger kyvernov1.ResourceSpec, deleteDownstream bool) kyvernov2.RuleContext { +func buildRuleContext(policyName string, trigger kyvernov1.ResourceSpec, deleteDownstream, synchronize bool) kyvernov2.RuleContext { return kyvernov2.RuleContext{ Rule: policyName, Trigger: trigger, DeleteDownstream: deleteDownstream, + Synchronize: synchronize, CacheRestore: false, } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/pkg/webhooks/server.go new/kyverno-1.16.2/pkg/webhooks/server.go --- old/kyverno-1.16.1/pkg/webhooks/server.go 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/pkg/webhooks/server.go 2026-01-09 12:36:21.000000000 +0100 @@ -80,9 +80,9 @@ WithFilter(configuration). WithProtection(toggle.FromContext(ctx).ProtectManagedResources()). WithDump(debugModeOpts.DumpPayload). - WithTopLevelGVK(discovery). WithRoles(rbLister, crbLister). WithMetrics(resourceLogger, metrics.WebhookValidating). + WithTopLevelGVK(discovery). WithAdmission(mpolLogger.WithName("mutate")). ToHandlerFunc("MPOL"), ) 
@@ -94,9 +94,9 @@ WithFilter(configuration). WithProtection(toggle.FromContext(ctx).ProtectManagedResources()). WithDump(debugModeOpts.DumpPayload). - WithTopLevelGVK(discovery). WithRoles(rbLister, crbLister). WithMetrics(resourceLogger, metrics.WebhookValidating). + WithTopLevelGVK(discovery). WithAdmission(vpolLogger.WithName("validate")). ToHandlerFunc("VPOL"), ) @@ -107,9 +107,9 @@ WithFilter(configuration). WithProtection(toggle.FromContext(ctx).ProtectManagedResources()). WithDump(debugModeOpts.DumpPayload). - WithTopLevelGVK(discovery). WithRoles(rbLister, crbLister). WithMetrics(resourceLogger, metrics.WebhookValidating). + WithTopLevelGVK(discovery). WithAdmission(vpolLogger.WithName("validate")). ToHandlerFunc("NVPOL"), ) @@ -120,9 +120,9 @@ WithFilter(configuration). WithProtection(toggle.FromContext(ctx).ProtectManagedResources()). WithDump(debugModeOpts.DumpPayload). - WithTopLevelGVK(discovery). WithRoles(rbLister, crbLister). WithMetrics(resourceLogger, metrics.WebhookValidating). + WithTopLevelGVK(discovery). WithAdmission(ivpolLogger.WithName("validate")). ToHandlerFunc("IVPOL"), ) @@ -133,10 +133,10 @@ WithFilter(configuration). WithProtection(toggle.FromContext(ctx).ProtectManagedResources()). WithDump(debugModeOpts.DumpPayload). - WithTopLevelGVK(discovery). WithRoles(rbLister, crbLister). WithOperationFilter(admissionv1.Create, admissionv1.Update, admissionv1.Connect). WithMetrics(resourceLogger, metrics.WebhookMutating). + WithTopLevelGVK(discovery). WithAdmission(resourceLogger.WithName("mutate")). ToHandlerFunc("IVPOL"), ) @@ -147,9 +147,9 @@ WithFilter(configuration). WithProtection(toggle.FromContext(ctx).ProtectManagedResources()). WithDump(debugModeOpts.DumpPayload). - WithTopLevelGVK(discovery). WithRoles(rbLister, crbLister). WithMetrics(resourceLogger, metrics.WebhookValidating). + WithTopLevelGVK(discovery). WithAdmission(resourceLogger.WithName("generate")). ToHandlerFunc("GPOL"), ) 
@@ -163,10 +163,10 @@ WithFilter(configuration). WithProtection(toggle.FromContext(ctx).ProtectManagedResources()). WithDump(debugModeOpts.DumpPayload). - WithTopLevelGVK(discovery). WithRoles(rbLister, crbLister). WithOperationFilter(admissionv1.Create, admissionv1.Update, admissionv1.Connect). WithMetrics(resourceLogger, metrics.WebhookMutating). + WithTopLevelGVK(discovery). WithAdmission(resourceLogger.WithName("mutate")) }, ) @@ -180,9 +180,9 @@ WithFilter(configuration). WithProtection(toggle.FromContext(ctx).ProtectManagedResources()). WithDump(debugModeOpts.DumpPayload). - WithTopLevelGVK(discovery). WithRoles(rbLister, crbLister). WithMetrics(resourceLogger, metrics.WebhookValidating). + WithTopLevelGVK(discovery). WithAdmission(resourceLogger.WithName("validate")) }, ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/scripts/config/standard/kyverno.yaml new/kyverno-1.16.2/scripts/config/standard/kyverno.yaml --- old/kyverno-1.16.1/scripts/config/standard/kyverno.yaml 2025-12-03 09:42:31.000000000 +0100 +++ new/kyverno-1.16.2/scripts/config/standard/kyverno.yaml 2026-01-09 12:36:21.000000000 +0100 @@ -1,9 +1,6 @@ global: crdWatcher: true -metricsConfig: - metricsRefreshInterval: 1m - features: policyExceptions: enabled: true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/chainsaw-test.yaml new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/chainsaw-test.yaml --- old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/chainsaw-test.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/chainsaw-test.yaml 2026-01-09 12:36:21.000000000 +0100 
@@ -0,0 +1,53 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: sync-modify-source +spec: + steps: + - name: create permissions + try: + - apply: + file: permissions.yaml + - name: create namespace + try: + - apply: + file: namespace.yaml + - name: create policy + use: + template: ../../../../_step-templates/create-policy.yaml + with: + bindings: + - name: file + value: policy.yaml + - name: wait-generating-policy-ready + use: + template: ../../../../_step-templates/generating-policy-ready.yaml + with: + bindings: + - name: name + value: generate-secret + - name: sleep + try: + - sleep: + duration: 5s + - name: create the trigger + try: + - apply: + file: trigger.yaml + - name: check that the downstream is generated + try: + - assert: + file: downstream-assert.yaml + - name: modify the trigger + try: + - apply: + file: trigger-modified.yaml + - name: sleep + try: + - sleep: + duration: 5s + - name: check that the downstream is updated + try: + - assert: + file: updated-downstream-assert.yaml diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/downstream-assert.yaml new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/downstream-assert.yaml --- old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/downstream-assert.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/downstream-assert.yaml 2026-01-09 12:36:21.000000000 +0100 
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: sync-modify-trigger + namespace: sync-modify-trigger +type: Opaque diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/namespace.yaml new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/namespace.yaml --- old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/namespace.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/namespace.yaml 2026-01-09 12:36:21.000000000 +0100 @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: sync-modify-trigger diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/permissions.yaml new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/permissions.yaml --- old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/permissions.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/permissions.yaml 2026-01-09 12:36:21.000000000 +0100 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-kqo1 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/policy.yaml new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/policy.yaml --- old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/policy.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/policy.yaml 2026-01-09 12:36:21.000000000 +0100 
@@ -0,0 +1,43 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: GeneratingPolicy +metadata: + name: generate-secret +spec: + evaluation: + synchronize: + enabled: true + matchConstraints: + objectSelector: + matchExpressions: + - key: argocd.argoproj.io/secret-type + operator: In + values: + - repository + resourceRules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - secrets + matchConditions: + - name: only-default + expression: "object.metadata.namespace == 'default'" + generate: + - expression: | + generator.Apply("sync-modify-trigger", [ + { + "apiVersion": object.apiVersion, + "kind": object.kind, + "metadata": dyn({ + "name": dyn(object.metadata.name), + "labels": dyn(object.metadata.labels) + }), + "data": object.data, + "type": object.type + } + ]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/trigger-modified.yaml new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/trigger-modified.yaml --- old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/trigger-modified.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/trigger-modified.yaml 2026-01-09 12:36:21.000000000 +0100 
@@ -0,0 +1,10 @@ +apiVersion: v1 +data: + foo: Z2l0bGFi +kind: Secret +metadata: + name: sync-modify-trigger + namespace: default + labels: + argocd.argoproj.io/secret-type: repository +type: Opaque \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/trigger.yaml new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/trigger.yaml --- old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/trigger.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/trigger.yaml 2026-01-09 12:36:21.000000000 +0100 @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: sync-modify-trigger + namespace: default + labels: + argocd.argoproj.io/secret-type: repository +type: Opaque \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/updated-downstream-assert.yaml new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/updated-downstream-assert.yaml --- old/kyverno-1.16.1/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/updated-downstream-assert.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.16.2/test/conformance/chainsaw/generating-policies/clone/sync/sync-modify-trigger/updated-downstream-assert.yaml 2026-01-09 12:36:21.000000000 +0100 
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: Z2l0bGFi +kind: Secret +metadata: + name: sync-modify-trigger + namespace: sync-modify-trigger +type: Opaque ++++++ kyverno.obsinfo ++++++ --- /var/tmp/diff_new_pack.6YpD3y/_old 2026-01-12 10:34:59.487245405 +0100 +++ /var/tmp/diff_new_pack.6YpD3y/_new 2026-01-12 10:34:59.519246723 +0100 @@ -1,5 +1,5 @@ name: kyverno -version: 1.16.1 -mtime: 1764751351 -commit: 67f7f8c3f58d64e3c7b103de5f11ffe268250c55 +version: 1.16.2 +mtime: 1767958581 +commit: 2377cc562e43489b5e0927a492f96d26ed9c51d8 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/kyverno/vendor.tar.gz /work/SRC/openSUSE:Factory/.kyverno.new.1928/vendor.tar.gz differ: char 13, line 1
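Review bot: in the first hunk shown (@@ -239,25 +171,10 @@) the dispatched error drops its wrap, going from fmt.Errorf("failed to get key for deleted object: %w", err) to bare err, so the resulting event no longer says which step of the delete path failed. Unless the new code above this hunk already wraps err with equivalent context, keep a wrap here so the event stays attributable from the message alone.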
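Review bot: in entry.Get (@@ -270,24 +187,22 @@) the empty-projection path now returns e.listObjects() straight from the lister, while named projections are served from e.projected under projectedMu, so two Get calls made during one policy evaluation can observe different snapshots of the same resource set. Please state that in a doc comment on Get. The projection loop also skips the map write with continue when proj.JP.Search fails, which leaves whatever was stored earlier for that name in place; deleting the entry on failure (or storing the error) would stop Get from returning a stale result without an error.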
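Review bot: the attribute rename in pkg/metrics/policy_engine.go (@@ -126,7 +126,7 @@), "execution_cause" to "rule_execution_cause", is a breaking change for anything that selects on the old label, and nothing in the hunk documents it. Dashboards and alert rules keyed on execution_cause will match no series after the upgrade and will go quiet rather than fail, so this needs an explicit upgrade note, and ideally a release in which both attribute names are emitted.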
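Review bot: in pkg/webhooks/resource/gpol/handler.go (@@ -104,8 +104,17 @@) a failed h.gpolLister.Get(policy) is only logged, and the update request is then built with synchronize left at false. On an UPDATE of the trigger this silently turns a synchronizing policy into a non-synchronizing one for that request, which is the behaviour the new sync-modify-trigger test exists to rule out. Either skip creating the UR and surface the error, or make the fallback explicit in the log message (for example "synchronize defaulted to false") so the stale downstream can be traced back to the lister miss.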
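Review bot: buildURSpecNew and buildRuleContext in pkg/webhooks/resource/gpol/utils.go now take two adjacent positional bools (deleteDownstream, synchronize bool), and the call sites read as true, false and false, false with nothing to tell the arguments apart. A transposed pair compiles cleanly and would flip delete and sync semantics. Consider passing a small options struct, or at least annotate the literals at the call sites, and add a doc comment saying which combinations are valid (the visible callers never pass true, true).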
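Review bot: the pkg/webhooks/server.go hunks move WithTopLevelGVK(discovery) from before WithRoles to after WithMetrics in eight separate handler chains, with no comment explaining why the order matters. Since pkg/webhooks/handlers/metrics.go now reads request.Kind.Kind for the resource_kind attribute, the relative position of these two wrappers appears to decide which kind value gets recorded; if that is the intent, say so in a comment next to one chain and consider a shared helper that applies the common wrappers, so a future chain cannot be added with the old ordering. The new kind string parameter on RecordRequest would also benefit from a doc comment stating which kind callers are expected to pass.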
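Review bot: the new chainsaw-test.yaml sets metadata.name to sync-modify-source although the directory, namespace and secrets are all named sync-modify-trigger, which looks like a copy-paste leftover and will make failures in test reports point at the wrong case. Rename it to match. The two fixed sleep steps (duration: 5s) before the trigger is created and before the updated downstream is asserted are also timing-dependent; if the assert step already polls until its timeout, the second sleep can go.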
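Review bot: permissions.yaml grants get, list, watch, create, update and delete on secrets cluster-wide and aggregates that rule to the background, admission and reports controllers through all three rbac.kyverno.io/aggregate-to-* labels. The test only needs the controllers that read the trigger and write the cloned secret; drop the aggregate-to-reports-controller label (and any other the test passes without) so the fixture does not model a broader grant than the feature needs, since conformance fixtures tend to be copied into real policies. The file also lacks a trailing newline, as do trigger.yaml and trigger-modified.yaml.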
