Releases: open-policy-agent/gatekeeper
v3.21.0
🚀 Notable Changes
- 🛠️ New flag: `sync-vap-enforcement-scope` has been introduced to unify the ValidatingAdmissionPolicy (VAP) enforcement surface with the ConstraintTemplate enforcement surface. This syncs VAP resource scope with Gatekeeper's ValidatingWebhookConfigurations, Config resource exclusions, and exempt-namespace–based exemptions. This improves enforcement consistency across all policy mechanisms.
- 🧩 Granular Operation-Level Controls for ConstraintTemplates: ConstraintTemplates now support defining operations on which a template should be enforced (e.g., CREATE, UPDATE, DELETE).
- 📈 Enhanced Metrics & Status for External Data (Provider API): Added new metrics and status reporting for the External Data / Provider API feature, improving observability and overall user experience when integrating external data sources into policy evaluation.
Call to action
Beginning in v3.22 (February 18, 2026), the sync-vap-enforcement-scope flag will default to true and will be removed in a future release. When this flag is removed, Gatekeeper will always generate Validating Admission Policy (VAP) resources by combining enforcement inputs from the admission webhook configuration, Gatekeeper’s configuration resource, and namespace-exemption settings. All applicable enforcement criteria will be merged into the resulting VAP resource.
Impact:
If you have explicitly set this flag to false, the enforcement scope of Gatekeeper-managed VAP resources will change, which may cause unexpected behavior in your environment. If you have concerns about removing this flag and would prefer it to remain, please add your feedback in #4302.
Features
- Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
- `gator verify`: support multiple expansions per test case (#3981) #3981 (Halvdan Hoem Grelland)
- Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
- External data status metrics (#4115) #4115 (Jaydip Gabani)
- Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
- support DELETE operation type when generating VAP (#4030) #4030 (DahuK)
Bug Fixes
- spelling errors in deprecated documentation (#4138) #4138 (Copilot)
- updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
- Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
- Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
- load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)
Documentation
- update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
- add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
- adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)
Continuous Integration
- adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)
Chores
- Prepare v3.21.0 release (#4247) #4247 (github-actions[bot])
- bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
- bump golang from `69adc37` to `ef8c5c7` in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
- bump golang from `69adc37` to `ef8c5c7` in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
- bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
- updating k8s version and dep versions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
- bump distroless/static-debian12 from `b7b9a69` to `2e114d2` in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
- bump golang from `ef8c5c7` to `2679c15` in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
- bump frameworks (#4104) #4104 (Noah Reisch)
- updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
- bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
- bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])
- bump the all group across 1 directory with 8 updates (#4127) #4127 (dependabot[bot])
- bump github.com/onsi/gomega from 1.38.0 to 1.38.1 (#4126) #4126 (dependabot[bot])
- bump the k8s group with 5 updates (#4111) #4111 (dependabot[bot])
- bump distroless/static-debian12 from `b7b9a69` to `2e114d2` in /test/export/fake-reader (#4091) #4091 (dependabot[bot])
- bump kubectl from v1.33.3 to v1.33.4 (#4107) #4107 (dependabot[bot])
- bump distroless/static-debian12 from `b7b9a69` to `2e114d2` (#4096) #4096 (dependabot[bot])
- bump ...
v3.21.0-rc.1
Bug Fixes
- bumping frameworks (#4221) (#4224) #4224 (Jaydip Gabani)
Chores
- Prepare v3.21.0-rc.1 release (#4226) #4226 (github-actions[bot])
v3.21.0-rc.0
Features
- Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
- `gator verify`: support multiple expansions per test case (#3981) #3981 (Halvdan Hoem Grelland)
- Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
- External data status metrics (#4115) #4115 (Jaydip Gabani)
- Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
- support DELETE operation type when generating VAP (#4030) #4030 (DahuK)
Bug Fixes
- spelling errors in deprecated documentation (#4138) #4138 (Copilot)
- updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
- Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
- Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
- load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)
Documentation
- update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
- add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
- adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)
Continuous Integration
- adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)
Chores
- bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
- bump golang from `69adc37` to `ef8c5c7` in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
- bump golang from `69adc37` to `ef8c5c7` in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
- bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
- updating k8s version and dep versions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
- bump distroless/static-debian12 from `b7b9a69` to `2e114d2` in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
- bump golang from `ef8c5c7` to `2679c15` in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
- bump frameworks (#4104) #4104 (Noah Reisch)
- updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
- bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
- bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])
- bump the all group across 1 directory with 8 updates (#4127) #4127 (dependabot[bot])
- bump github.com/onsi/gomega from 1.38.0 to 1.38.1 (#4126) #4126 (dependabot[bot])
- bump the k8s group with 5 updates (#4111) #4111 (dependabot[bot])
- bump distroless/static-debian12 from `b7b9a69` to `2e114d2` in /test/export/fake-reader (#4091) #4091 (dependabot[bot])
- bump kubectl from v1.33.3 to v1.33.4 (#4107) #4107 (dependabot[bot])
- bump distroless/static-debian12 from `b7b9a69` to `2e114d2` (#4096) #4096 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.25-bookworm (#4108) #4108 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-reader (#4114) #4114 (dependabot[bot])
- bump distroless/static-debian12 from `b7b9a69` to `2e114d2` in /test/export/fake-subscriber (#4093) #4093 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-subscriber (#4112) #4112 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.25-bookworm in /test/externaldata/dummy-provider (#4113) #4113 (dependabot[bot])
- Patch docs for 3.20.1 release (#4134) #4134 (github-actions[bot])
- bump golang from 1.24-bookworm to 1.25-bookworm in /test/image (#4110) #4110 (dependabot[bot])
- bump golang from `81dc45d` to `6ad9415` in /test/export/fake-subscriber (#4146) [#4146](https://github.com/open-poli...
v3.20.1
Bug Fixes
- bumping kubectl and golang through cherry-picks (#4132) #4132 (Jaydip Gabani)
Chores
- bump frameworks v0.18.1 (#4117) #4117 (Noah Reisch)
- Prepare v3.20.1 release (#4133) #4133 (github-actions[bot])
v3.21.0-beta.0
Bug Fixes
- increase webhook latency buckets up to 10 seconds (#4037) #4037 (David Blum)
- removing readinessprobe for webhook at start of the pod (#4059) #4059 (Jaydip Gabani)
Chores
- bump golang from `ee7ff13` to `10f549d` in /test/export/fake-reader (#4046) #4046 (dependabot[bot])
- bump the all group with 2 updates (#4044) #4044 (dependabot[bot])
- bump golang from `ee7ff13` to `10f549d` in /test/export/fake-subscriber (#4045) #4045 (dependabot[bot])
- bump golang from `10f549d` to `69adc37` in /test/export/fake-subscriber (#4053) #4053 (dependabot[bot])
- bump golang from `10f549d` to `69adc37` in /test/export/fake-reader (#4052) #4052 (dependabot[bot])
- Patch docs for 3.19.3 release (#4056) #4056 (github-actions[bot])
- bump the all group across 1 directory with 2 updates (#4066) #4066 (dependabot[bot])
- bump kubectl from v1.33.2 to v1.33.3 (#4063) #4063 (dependabot[bot])
- bump the k8s group with 5 updates (#4062) #4062 (dependabot[bot])
- Prepare v3.21.0-beta.0 release (#4068) #4068 (github-actions[bot])
v3.20.0
Notable Changes
- 💾 A new driver to export violations on disk.
- 🎓 VAP integration is beta and enabled by default, hence VAP/VAPB resources will be generated by default for CT/C with the `K8sNativeValidation` engine with `CEL` code.
- 🔗 A new `Connection` CRD replaced `ConfigMap` in order to establish connections with export backends.
Features
- mapping dryrun to audit in vapb (#3915) #3915 (Jaydip Gabani)
- adding driver to export to disk (#3832) #3832 (Jaydip Gabani)
- Graduating VAP generation to beta (#3995) #3995 (Jaydip Gabani)
- Export Connection CR (#3999) #3999 (Noah Reisch)
Bug Fixes
- removing readinessprobe for webhook at start of the pod (#4059) (#4065) #4065 (Jaydip Gabani)
- only enabling CEL driver with flag value (#3900) #3900 (Jaydip Gabani)
- error on deleting GK resources when delete operation is enabled (#3921) #3921 (Jaydip Gabani)
- scope of webhook configurations (#3676) #3676 (plavy)
- making sure latest CT version is updated in CT controller to avoid writing errors (#3983) #3983 (Jaydip Gabani)
- add RBAC for finalizers when running with OwnerReferencesPermissionEnforcement admission plugin (#3961) #3961 (Jaydip Gabani)
- unreliable webhook behaviour on gatekeeper pod startup and shutdown (#3780) #3780 (Benjamin Ritter)
- removing connection from map before closing it to avoid locking on latest connection update (#3946) #3946 (Jaydip Gabani)
- making sure VAPB is only deleted for constraints if it was enabled (#4034) #4034 (Jaydip Gabani)
- disk export path to handle dir deletes (#4021) #4021 (Noah Reisch)
Documentation
- adding opa v1 docs and tests (#3908) #3908 (Jaydip Gabani)
- adding available variables and updating faq (#3927) #3927 (Jaydip Gabani)
- Add Flags Reference (#3782) #3782 (Ian Stanton)
Continuous Integration
- bumping k8s version in testing and crd.Dockerfile (#3925) #3925 (Jaydip Gabani)
- release checklist (#3990) #3990 (Sertaç Özercan)
Chores
- Prepare v3.20.0 release (#4067) #4067 (github-actions[bot])
- bump golang from `75e6700` to `00eccd4` in /test/externaldata/dummy-provider (#3914) #3914 (dependabot[bot])
- bump golang from `75e6700` to `00eccd4` in /test/image (#3913) #3913 (dependabot[bot])
- bump the all group with 2 updates (#3912) #3912 (dependabot[bot])
- bump golang from `75e6700` to `00eccd4` (#3911) #3911 (dependabot[bot])
- bump golang from `75e6700` to `00eccd4` in /build/tooling (#3910) #3910 (dependabot[bot])
- Add `pods/resize` subresource to mutating and validating webhooks (#3778) #3778 (Ian Stanton)
- bump golang.org/x/net from 0.37.0 to 0.38.0 (#3920) #3920 (dependabot[bot])
- bump codecov/codecov-action from 5.4.0 to 5.4.2 in the all group (#3924) #3924 (dependabot[bot])
- bump http-proxy-middleware from 2.0.7 to 2.0.9 in /website (#3922) #3922 (dependabot[bot])
- adding helm variable for mutating subresources (#3916) #3916 (Jaydip Gabani)
- Patch docs for 3.19.1 release (#3937) #3937 (github-actions[bot])
- Patch docs for 3.18.3 release (#3938) #3938 (github-actions[bot])
- bump the all group with 2 updates (#3940) #3940 (dependabot[bot])
- bump the k8s group with 5 updates (#3939) #3939 (dependabot[bot])
- removing gator test alpha note from `gator test --help` (#3943) #3943 (Martin Alexander)
- bump the all group with 2 updates (#3951) #3951 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.24.2-bookworm in /test/export/fake-reader (#3955) #3955 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.24.2-bookworm (#3957) #3957 (dependabot[bot])
- bump actions/upload-artifact from 4.6.0 to 4.6.2 in the all group (#3959) #3959 (dependabot[bot])
...
v3.20.0-rc.1
Bug Fixes
- removing readinessprobe for webhook at start of the pod (#4059) (#4065) #4065 (Jaydip Gabani)
v3.19.3
Bug Fixes
- making sure VAPB is only deleted for constraints if it was enabled (#4034) (#4039) #4039 (Jaydip Gabani)
Chores
- Prepare v3.19.3 release (#4054) #4054 (github-actions[bot])
v3.20.0-rc.0
Features
- mapping dryrun to audit in vapb (#3915) #3915 (Jaydip Gabani)
- adding driver to export to disk (#3832) #3832 (Jaydip Gabani)
- Graduating VAP generation to beta (#3995) #3995 (Jaydip Gabani)
- Export Connection CR (#3999) #3999 (Noah Reisch)
Bug Fixes
- only enabling CEL driver with flag value (#3900) #3900 (Jaydip Gabani)
- error on deleting GK resources when delete operation is enabled (#3921) #3921 (Jaydip Gabani)
- scope of webhook configurations (#3676) #3676 (plavy)
- making sure latest CT version is updated in CT controller to avoid writing errors (#3983) #3983 (Jaydip Gabani)
- add RBAC for finalizers when running with OwnerReferencesPermissionEnforcement admission plugin (#3961) #3961 (Jaydip Gabani)
- unreliable webhook behaviour on gatekeeper pod startup and shutdown (#3780) #3780 (Benjamin Ritter)
- removing connection from map before closing it to avoid locking on latest connection update (#3946) #3946 (Jaydip Gabani)
- making sure VAPB is only deleted for constraints if it was enabled (#4034) #4034 (Jaydip Gabani)
- disk export path to handle dir deletes (#4021) #4021 (Noah Reisch)
Documentation
- adding opa v1 docs and tests (#3908) #3908 (Jaydip Gabani)
- adding available variables and updating faq (#3927) #3927 (Jaydip Gabani)
- Add Flags Reference (#3782) #3782 (Ian Stanton)
Continuous Integration
- bumping k8s version in testing and crd.Dockerfile (#3925) #3925 (Jaydip Gabani)
- release checklist (#3990) #3990 (Sertaç Özercan)
Chores
- bump golang from `75e6700` to `00eccd4` in /test/externaldata/dummy-provider (#3914) #3914 (dependabot[bot])
- bump golang from `75e6700` to `00eccd4` in /test/image (#3913) #3913 (dependabot[bot])
- bump the all group with 2 updates (#3912) #3912 (dependabot[bot])
- bump golang from `75e6700` to `00eccd4` (#3911) #3911 (dependabot[bot])
- bump golang from `75e6700` to `00eccd4` in /build/tooling (#3910) #3910 (dependabot[bot])
- Add `pods/resize` subresource to mutating and validating webhooks (#3778) #3778 (Ian Stanton)
- bump golang.org/x/net from 0.37.0 to 0.38.0 (#3920) #3920 (dependabot[bot])
- bump codecov/codecov-action from 5.4.0 to 5.4.2 in the all group (#3924) #3924 (dependabot[bot])
- bump http-proxy-middleware from 2.0.7 to 2.0.9 in /website (#3922) #3922 (dependabot[bot])
- adding helm variable for mutating subresources (#3916) #3916 (Jaydip Gabani)
- Patch docs for 3.19.1 release (#3937) #3937 (github-actions[bot])
- Patch docs for 3.18.3 release (#3938) #3938 (github-actions[bot])
- bump the all group with 2 updates (#3940) #3940 (dependabot[bot])
- bump the k8s group with 5 updates (#3939) #3939 (dependabot[bot])
- removing gator test alpha note from `gator test --help` (#3943) #3943 (Martin Alexander)
- bump the all group with 2 updates (#3951) #3951 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.24.2-bookworm in /test/export/fake-reader (#3955) #3955 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.24.2-bookworm (#3957) #3957 (dependabot[bot])
- bump actions/upload-artifact from 4.6.0 to 4.6.2 in the all group (#3959) #3959 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.24.2-bookworm in /test/externaldata/dummy-provider (#3958) #3958 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.24.2-bookworm in /test/export/fake-subscriber (#3956) #3956 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.24.2-bookworm in /build/tooling (#3954) #3954 (dependabot[bot])
- bump golang from 1.24-bookworm to 1.24.2-bookworm in /test/image (#3953) [#3953](https://gith...
v3.19.2
⚠ Warning: Operation `generate` is now required to guard CRD and VAP/VAPB generation. Please update your singleton deployment (e.g. gatekeeper-audit) to include `--operation=generate`. If you are not using audit, you need to add it to the controller manager deployment. https://open-policy-agent.github.io/gatekeeper/website/docs/operations/#generation
Chores
- bump opa to 1.5.1 and kubectl to 1.33.1 (#4001) #4001 (Jaydip Gabani)
- Prepare v3.19.2 release (#4011) #4011 (github-actions[bot])