
chore(deps): Bump github.com/kyverno/kyverno from 1.5.0-rc1.0.20260506125757-0739028b97c7 to 1.18.0 in /backend #1270

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/backend/github.com/kyverno/kyverno-1.18.0

@dependabot dependabot Bot commented on behalf of github May 8, 2026


Bumps github.com/kyverno/kyverno from 1.5.0-rc1.0.20260506125757-0739028b97c7 to 1.18.0.

Release notes

Sourced from github.com/kyverno/kyverno's releases.

v1.18.0

Kyverno 1.18 Release Notes

Highlights

  • Secure HTTP calls with blocklist/allowlist: HTTP context loading now enforces a configurable blocklist and scoped token authorization, improving security posture for policies that perform external HTTP calls (#15789, #15779).
  • Namespaced image registry credentials: imageRegistryCredentials can now reference namespaced secrets and pod-level imagePullSecrets for image verification (#15112).
  • CLI expanded policy support: The kyverno apply and kyverno test commands now support cleanup policies, HTTP/Envoy authz policies, and mutateExisting MutatingPolicies (#15732, #15645, #15691, #15253).
  • Success event filtering: A new successEventActions ConfigMap parameter allows fine-grained control over which success events are emitted (#15466).

New Features

  • Add support for gzip library and confidential containers example (#15679)
  • Add successEventActions parameter to filter which success events are emitted (#15466)
  • Add --exemplarFilter flag to control exemplar collection in metrics (#15611)
  • Add exceptions-with-policies flag to kyverno apply CLI (#15167)
  • Add projected service account token support in Helm chart (#14766)
  • Add admission-controller autoscaling based on memory utilization (#15303)
  • Add TLS encryption to /metrics endpoint (#14232)
  • Allow output for missing resources in CLI tests (#14194)
  • Support uri suffix for defaultRegistry in config (#15258)
  • Support mutateExisting MutatingPolicy in CLI test (#15253)
  • Support cleanup policies in kyverno apply command (#15732)
  • Support HTTP/Envoy authz policies in kyverno apply (#15645)
  • Support authz policies in kyverno test (#15691)
  • Permit imageRegistryCredentials to use namespaced secrets and pod-level imagePullSecrets (#15112)
  • Secure HTTP calls: enforce blocklist and add FLAG_HTTP_BLOCKLIST override (#15789)
  • Use scoped token for request authorization in HTTP context (#15779)
  • Add controller deployment labels to Helm chart (#15083)
  • Add extraVolumes and extraVolumeMounts support to Helm chart (#14668)
  • Add Global.PriorityClassName Helm value with pod templating (#15712)

Policies Helm Chart

  • Add support for excludes (namespace, subject, resource rules, and custom matchConditions) in ValidatingPolicies (#15739)
  • Allow auditAnnotation configuration of ValidatingPolicies (#15777)
  • Add perPolicy overrides for custom annotations (#15805)

Bug Fixes

Image Verification

  • Fix matchImageReferences not filtering images properly (#15834)
  • Fix ivpol: remove early return on matchImageReference so CEL evaluation is not skipped (#15882)
  • Fix processResourceWithPatches returning nil on patch failure, silently bypassing image verification (#15705)
  • Fix imageVerify multi-signature annotation validation bug (#14500)

... (truncated)

Changelog

Sourced from github.com/kyverno/kyverno's changelog.

v1.13.0

Note

  • Removed deprecated flag reportsChunkSize.
  • Added --tufRootRaw flag to pass tuf root for custom sigstore deployments.

Bug Fixes

  • Fixed inconsistent ordering of imagePullSecrets in Helm charts which could cause GitOps tools like ArgoCD to show OutOfSync status (#12995)

v1.11.0

v1.11.0-rc.1

Note

  • Added --tufRoot and --tufMirror flags to configure tuf for custom sigstore deployments.
  • Remove description from deprecated fields in CRDs
  • Remove CLI kyverno test manifest ... commands (replaced by kyverno create ...).
  • Added --caSecretName and --tlsSecretName flags to control names of certificate related secrets.
  • Added match conditions support in kyverno config map.
  • Deprecated flag --imageSignatureRepository. Will be removed in 1.12. Use per rule configuration verifyImages.Repository instead.
  • Added --aggregateReports flag for reports controller to enable/disable aggregated reports (default value is true).
  • Added --policyReports flag for reports controller to enable/disable policy reports (default value is true).
  • Renamed CLI flag --compact to --detailed-results (and changed default value from true to false).
  • Changed the default value of --enablePolicyException from false to true.

v1.10.0

v1.10.0-rc.1

Note

  • Removed GenerateRequest CRD.
  • Refactored kyverno chart, migration instructions are available in chart README.md.
  • Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
  • Added support for configuring webhook annotations in the config map through webhookAnnotations stanza.
  • Added excludeRoles and excludeClusterRoles support in configuration.
  • Added new flag skipResourceFilters to reports controller to enable/disable considering resource filters in the background (default value is true)
  • Removed hardcoded defaults for excludeGroups and excludeUsernames. They are always read from the config map.

v1.9.0-rc.1

Note

  • Flag backgroundScanInterval was added to force background scans at regular intervals (default value is 1h).
  • Flag splitPolicyReport was removed, was unused and marked for removal in 1.9.
  • Webhook is no longer updated to match pods/ephemeralcontainers when policy only specifies pods. If users want to match on pods/ephemeralcontainers, they must specify pods/ephemeralcontainers in the policy.
  • Webhook is no longer updated to match services/status when policy only specifies services. If users want to match on services/status, they must specify services/status in the policy.
  • Flag autogenInternals was removed, policy mutation has been removed.

... (truncated)

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/kyverno/kyverno](https://github.com/kyverno/kyverno) from 1.5.0-rc1.0.20260506125757-0739028b97c7 to 1.18.0.
- [Release notes](https://github.com/kyverno/kyverno/releases)
- [Changelog](https://github.com/kyverno/kyverno/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kyverno/kyverno/commits/v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/kyverno/kyverno
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels May 8, 2026
@dependabot dependabot Bot requested review from eddycharly and fjogeleit as code owners May 8, 2026 09:54
codecov Bot commented May 8, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 4.99%. Comparing base (9d95549) to head (7c16a6c).

Additional details and impacted files
@@          Coverage Diff          @@
##            main   #1270   +/-   ##
=====================================
  Coverage   4.99%   4.99%           
=====================================
  Files         55      55           
  Lines       2104    2104           
=====================================
  Hits         105     105           
  Misses      1962    1962           
  Partials      37      37           
