chore(deps): update dependency kyverno to v1.18.0

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
KYVERNO	minor	v1.15.2 → v1.18.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

kyverno/kyverno (KYVERNO)

v1.18.0

Compare Source

Kyverno 1.18 Release Notes

Highlights

• Secure HTTP calls with blocklist/allowlist: HTTP context loading now enforces a configurable blocklist and scoped token authorization, improving security posture for policies that perform external HTTP calls (#​15789, #​15779).
• Namespaced image registry credentials: imageRegistryCredentials can now reference namespaced secrets and pod-level imagePullSecrets for image verification (#​15112).
• CLI expanded policy support: The kyverno apply and kyverno test commands now support cleanup policies, HTTP/Envoy authz policies, and mutateExisting MutatingPolicies (#​15732, #​15645, #​15691, #​15253).
• Success event filtering: A new successEventActions ConfigMap parameter allows fine-grained control over which success events are emitted (#​15466).

---

New Features

• Add support for gzip library and confidential containers example (#​15679)
• Add successEventActions parameter to filter which success events are emitted (#​15466)
• Add --exemplarFilter flag to control exemplar collection in metrics (#​15611)
• Add exceptions-with-policies flag to kyverno apply CLI (#​15167)
• Add projected service account token support in Helm chart (#​14766)
• Add admission-controller autoscaling based on memory utilization (#​15303)
• Add TLS encryption to /metrics endpoint (#​14232)
• Allow output for missing resources in CLI tests (#​14194)
• Support uri suffix for defaultRegistry in config (#​15258)
• Support mutateExisting MutatingPolicy in CLI test (#​15253)
• Support cleanup policies in kyverno apply command (#​15732)
• Support HTTP/Envoy authz policies in kyverno apply (#​15645)
• Support authz policies in kyverno test (#​15691)
• Permit imageRegistryCredentials to use namespaced secrets and pod-level imagePullSecrets (#​15112)
• Secure HTTP calls: enforce blocklist and add FLAG_HTTP_BLOCKLIST override (#​15789)
• Use scoped token for request authorization in HTTP context (#​15779)
• Add controller deployment labels to Helm chart (#​15083)
• Add extraVolumes and extraVolumeMounts support to Helm chart (#​14668)
• Add Global.PriorityClassName Helm value with pod templating (#​15712)

Policies Helm Chart

• Add support for excludes (namespace, subject, resource rules, and custom matchConditions) in ValidatingPolicies (#​15739)
• Allow auditAnnotation configuration of ValidatingPolicies (#​15777)
• Add perPolicy overrides for custom annotations (#​15805)

---

Bug Fixes

Image Verification

• Fix matchImageReferences not filtering images properly (#​15834)
• Fix ivpol: remove early return on matchImageReference so CEL evaluation is not skipped (#​15882)
• Fix processResourceWithPatches returning nil on patch failure, silently bypassing image verification (#​15705)
• Fix imageVerify multi-signature annotation validation bug (#​14500)
• Fix: set UseSignedTimestamps when TSACertChain is provided in IVPOL cosign verifier (#​15305)
• Fix: enable signed timestamp verification when TSA cert chain is provided (#​15192)
• Fix: relax EKU validation for DigiCert TSA (#​15093, #​15148)
• Fix: use kyverno namespace secrets in reports scanner for ivpol (#​15220)
• Fix: nil pointer dereference in Certificates branch of manifest validation (#​15152)
• Fix: add cert identity verification for buildpolicy (#​15239)
• Fix: close ReadCloser from layer.Uncompressed() in image verification (#​15161)
• Fix: add HTTP 429 retry in image data loader (#​15413)
• Fix: release RLock before early return in imageContext.Get (#​15404)
• Fix: add synchronization to TUF client initialization to prevent data race (#​14829)
• Fix: propagate errors in notary repositoryClient.Resolve() (#​15222)
• Fix: missing ivpol autogen for namespaced policies; simplify ivpol/vpol namespaced handling in CLI (#​15320)

CLI

• Fix: CLI CRD support without cluster connection (#​13565)
• Fix: bypass rule name matching for ruleless policies in CLI (#​15757)
• Fix: add list GVK to fake cluster scheme to prevent mutateExisting panic (#​15746)
• Fix: pass CRD-aware RESTMapper to GeneratingPolicy test path (#​15561)
• Fix: correct test result reporting for legacy policies and CEL engine errors (#​15361)
• Fix: display NonFatalErrors in CLI test command (#​15725)
• Fix: return error instead of panic when imageRegistryCredentials.secrets are used in CLI (#​15061)
• Fix: add default message when rule message is empty in CLI (#​14700)
• Fix: three bugs in CLI apply command (#​15317)
• Fix: CLI failing selector-based policies when they did not match the resource (#​15236)
• Fix: close leaked file handles in CLI apply command (#​15151, #​15150)
• Fix: return proper error on non-OK HTTP status in CLI resource and policy loading (#​15153)
• Fix: prevent segfault when applying K8s-mode policy to JSON payload (#​15332)
• Fix: support piped v1.List objects in apply command (#​13860)
• Fix: check all rules in the test in case no rule is specified (#​11739)

Policy Engine

• Fix: bypass blocklist for cluster-scoped HTTP policies (#​15880)
• Fix: HTTP CEL compilation error on NVPOL (#​15874)
• Fix: compile dpol variables before conditions to allow variable references (#​15843)
• Fix: use extended compiler for mpol variables and conditions (#​15669)
• Fix: inject namespaceObject into MutatingPolicy CEL context (#​15625)
• Fix: handle mutating policy variable compile errors (#​15453)
• Fix: polex filtering in vpol engine (#​15692)
• Fix vpol/ivpol: align auditAnnotation behaviour with upstream VAP (#​15817)
• Fix: fetch namespace-scoped enforce policies in audit query path (#​15080)
• Fix: UserInfo error in CEL expressions for VAPs and MAPs in background scanning (#​15449)
• Fix: include auditWarn policies in namespace selector check (#​15107)
• Fix: panic in ExpandInMetadata when metadata is not a map (#​15245)
• Fix: prevent nil pointer panic on malformed AdmissionReview request (#​15251)
• Fix: clear stale error in GlobalContextEntry after successful API call (#​15328)
• Fix: prevent defer from overwriting named return error in validateOld (#​15438)
• Fix: clusterRoles should only return applicable cluster roles for the namespace of the request (#​12584)
• Fix: incorrect policy exclusion reporting for Pod-targeted policies with autogen in vpol/mpol (#​13645)
• Fix: autogen to use fully-qualified GVKs to prevent matching non-Kubernetes resources (#​14246)
• Fix: global validationFailureActionOverrides being silently ignored (#​14733)
• Fix: add explicit policy-level validationFailureAction templating (#​14447)
• Fix: skip policy reports with PolicyException in background scan (#​14308)

Generation and Background Controller

• Fix: accumulate downstreams from all ForEachGeneration entries (#​15437)
• Fix: prevent deleteDownstream from silently overwriting Failed UR status (#​15698)
• Fix: propagate non-NotFound errors in generate clone target fetch (#​15600)
• Fix: use AddRateLimited instead of AddAfter in background controller handleErr to respect rate limiting (#​15632)
• Fix: track applyGenerate errors in failures slice (#​14806)
• Fix: copy properties map to prevent concurrent map writes in reports-controller (#​15634)

Webhook and Controller

• Fix: remove hard-wiring of v1alpha1 map informers (#​15799)
• Fix: use shared informers for webhook controller and handlers (#​15074)
• Fix: emit VAP generation events only when create/update occurred (#​13799)
• Fix: emit Resource Mutated event for MutatingPolicy (#​15573)
• Fix(event): warn on omitEvents/successEvents clash (#​15572)
• Fix: prevent deadlock in Recorder (#​15066)
• Fix: remove duplicate JSON log keys in validation handler (#​15740)
• Fix: background-controller metrics port ignoring config and going to 8080 (#​14531)

Reports

• Fix: prevent index out of range panic in enqueueReportsForPolicy for namespaced PolicyReports (#​15513)

Helm Chart

• Fix: restrict configmap access for namespaced policies (#​15850)
• Fix: make kyverno Helm chart PSS-compliant (#​15208)
• Fix: add app.kubernetes.io/name label to all pods in kyverno chart (#​14557)
• Fix: remove finalizers and workarounds around uninstall (#​15260)
• Fix: update require-run-as-nonroot ValidatingPolicy CEL expression (#​15744)

Security / CVEs

• Fix: limit intermediate certs to mitigate CVE-2026-32280 (#​15858)
• Fix CVE-2026-32283: upgrade Go toolchain to 1.26.2 (#​15844)
• Fix CVE-2026-24686: bump go-tuf/v2 to v2.4.1 (#​15579)
• Fix stdlib CVEs (#​15483)

Miscellaneous

• Fix: improve error handling for API calls to surface permission issues (#​14913)
• Fix: propagate context and add HTTP timeout in API/registry calls (#​14770)

---

Improvements

• Remove kubectl from webhook cleanup binary, replacing with client-go (#​15067, #​15132)
• Add output type validation for image extractors (#​15103)
• Replace the aerosound readiness image with a purpose-built readiness-checker image (#​15347)
• Enhance any block logs to include better context when no condition passes (#​14731)

---

Dependency Updates

Security and compatibility-relevant updates:

• Bump github.com/sigstore/cosign/v3 from 3.0.4 to 3.0.6 (#​15321, #​15798)
• Bump github.com/sigstore/sigstore to 1.10.5 (#​15751)
• Bump github.com/sigstore/rekor to 1.5.1 (#​15498)
• Bump github.com/google/go-containerregistry from 0.21.3 to 0.21.5 (#​15797, #​15852)
• Bump golang.org/x/crypto to 0.50.0 (#​15551, #​15830)
• Bump the Kubernetes group libraries (#​15408, #​15876)
• Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#​15376)
• Bump sigs.k8s.io/controller-runtime to 0.23.3 (#​15456)
• Routine dependency updates (grpc, otel, go-git, supercronic, zerolog, envoy, and GitHub Actions)

---

Breaking Changes

None identified in this release cycle. The removal of kubectl from the webhook cleanup binary (#​15067, #​15132) reduces the image footprint but is transparent at the API level.

v1.17.2

Compare Source

What's Changed

• fix: correct verbosity and type for dpol not match logging (Cherry-pick #​15354) by @​kyverno-bot in #​15371
• fix: report creation for namespaced policy at admission and background (Cherry-pick #​15370) by @​kyverno-bot in #​15372
• fix: handle empty results for target expressions (Cherry-pick #​15380) by @​kyverno-bot in #​15381
• fix: check object before usage (Cherry-pick #​15382) by @​kyverno-bot in #​15383
• Cherry pick #​15410 by @​fjogeleit in #​15425
• fix: CLI resource lookup for ivpol (Cherry-pick #​15418) by @​kyverno-bot in #​15419
• fix: CVE-2026-24051 (release 1.17) by @​lucchmielowski in #​15414
• feat: support subresource (Cherry-pick #​15431) by @​kyverno-bot in #​15433
• fix: CVES 2026-15558 for 1.17 by @​lucchmielowski in #​15464
• fix: create correct webhook key for nmpol (Cherry-pick #​15499) by @​kyverno-bot in #​15500
• chore: add trivy scan workflow by @​eddycharly in #​15502
• fix: bump go to fix stdlib CVEs by @​eddycharly in #​15529
• fix: CVE-2026-1229 by @​eddycharly in #​15530
• fix: respect policy namespace in webhook name generation (Cherry-pick #​15532) by @​kyverno-bot in #​15534
• fix: Ensure consistent order of webhooks and webhook rules to prevent reconciliation loops (Cherry-pick #​15547) by @​kyverno-bot in #​15559
• fix: filter mpols with target constraints at admission time (Cherry-pick #​15567) by @​kyverno-bot in #​15568
• fix: handle targets in multiple namespaces correctly (Cherry-pick #​15558) by @​kyverno-bot in #​15570
• fix: support resourceNames for TargetMatchConstraints (Cherry-pick #​15569) by @​kyverno-bot in #​15580
• cherry pick #​15613 by @​fjogeleit in #​15615
• fix: polex fetching in background mode (Cherry-pick #​15614) by @​kyverno-bot in #​15616
• fix: implement user info handling in MutatingPolicy and ValidatingPolicy policies and add test cases (Cherry-pick #​15589) by @​kyverno-bot in #​15619
• Wrong lister in GenerateNamespaced breaks sync for all NamespacedGeneratingPolicy on UPDATE (Cherry-pick #​15621) by @​kyverno-bot in #​15624
• fix: CVE-2026-33186 by @​eddycharly in #​15652
• chore: backport ci changes from main to release-1.17 branch by @​eddycharly in #​15664
• chore: remove unnecessary jobs in conformance tests (Cherry-pick #​15662) by @​kyverno-bot in #​15665
• chore: add missing scripts for ci by @​eddycharly in #​15667
• [backport] chore(security): disable HTTP in namespaced policies by default (CVE-2026-4789) by @​JimBugwadia in #​15802
• fix: use scoped token for request authz (cherry-pick #​15779 to release-1.17) by @​JimBugwadia in #​15800
• fix: CVE-2026-34986 by @​lucchmielowski in #​15823
• restrict configmap access for namespaced policies (Cherry-pick #​15850) by @​kyverno-bot in #​15867
• fix(engine): prevent forEach mutation panic [release-1.17] by @​realshuting in #​15888
• chore: release 1.17.2-rc.1 by @​realshuting in #​15890
• fix(release): set explicit cosign bundle path by @​realshuting in #​15900
• Fix/release cosign bundle release 1.17 by @​realshuting in #​15912
• ci: fix goreleaser for cosign v3 by @​lucchmielowski in #​15919
• chore: release v1.17.2 by @​realshuting in #​15945

Full Changelog: kyverno/kyverno@v1.17.1...v1.17.2

v1.17.1

Compare Source

What's Changed

• chore: remove Nirmata refs (Cherry-pick #​15114) by @​kyverno-bot in #​15115
• cli: simplify namespaced policy loading in CLI (Cherry-pick #​15118) by @​kyverno-bot in #​15122
• fix: panic in metrics wrapper when generating response does not provide a result (Cherry-pick #​15105) by @​kyverno-bot in #​15117
• fix: init dclient before using it (Cherry-pick #​15172) by @​kyverno-bot in #​15173
• populate registry consistently (Cherry-pick #​14632) by @​kyverno-bot in #​15184
• fix: eliminate memcache error spam from fake client discovery polling (Cherry-pick #​15187) by @​kyverno-bot in #​15193
• fix: restmapper for fakeclient (cherry-pick #​15177) by @​realshuting in #​15194
• cherry pick #​0ffed6f by @​fjogeleit in #​15206
• fix: CVE-2025-68121 (Cherry-pick #​15203) by @​kyverno-bot in #​15212
• fix: enable signed timestamp verification when TSA cert chain is provided (Cherry-pick #​15192) by @​kyverno-bot in #​15217
• fix: add default message for ValidatingPolicy when message field is empty (Cherry-pick #​13630) by @​kyverno-bot in #​15267
• fix: return errors from syncPolicy to enable workqueue retry (Cherry-pick #​15082) by @​kyverno-bot in #​15268
• fix: skip side effects on dry-run in gpol/mpol (Cherry-pick #​15143) by @​kyverno-bot in #​15270
• fix(ivpol): Unauthorized error when using a private repository (Cherry-pick #​15136) by @​kyverno-bot in #​15271
• fix(charts): add missing endpointslices list permission to cleanup controller role (Cherry-pick #​15140) by @​kyverno-bot in #​15272
• fix(admissionpolicygenerator): enqueue exceptions (Cherry-pick #​15038) by @​kyverno-bot in #​15274
• changed default value and helm values documentation from integer to duration string (Cherry-pick #​15124) by @​kyverno-bot in #​15275
• fix: nil pointer dereference in Certificates branch of manifest valid… (Cherry-pick #​15152) by @​kyverno-bot in #​15276
• Fix Empty list in policy exclusion result in excluding all resources (Cherry-pick #​13794) by @​kyverno-bot in #​15277
• fix: imageVerify Multi-Signature Annotation Validation Bug (Cherry-pick #​14500) by @​kyverno-bot in #​15279
• Fix Chainsaw test for MutatingPolicy add-label-applyconfiguration (Cherry-pick #​14587) by @​kyverno-bot in #​15282
• chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (Cherry-pick #​15164) by @​kyverno-bot in #​15278
• fix(ivpol): use Kyverno namespace secrets in reports scanner (Cherry-pick #​15220) by @​kyverno-bot in #​15287
• chore: run unit tests in verbose mode (cherry-pick #​15230) by @​eddycharly in #​15288
• fix: handler crash for nmpol (Cherry-pick #​15133) by @​kyverno-bot in #​15285
• chore(deps): bump the kubernetes group across 3 directories with 7 updates (Cherry-pick #​15183) by @​kyverno-bot in #​15284
• fix: race conditions in configuration.IsExcluded() and breaker.ReportsBreaker (Cherry-pick #​15145) by @​kyverno-bot in #​15289
• fix: make the mutating policy use its ConditionCompiler to produce the evaluator (Cherry-pick #​15242) by @​kyverno-bot in #​15291
• release: v1.17.1-rc.1 by @​eddycharly in #​15298
• change indentation of validationActions fields (cherry-pick #​15257) by @​eddycharly in #​15300
• fix: set UseSignedTimestamps when TSACertChain is provided in IVPOL cosign verifier (cherry pick #​15305) by @​lucchmielowski in #​15306
• release: v1.17.1 by @​eddycharly in #​15308

Full Changelog: kyverno/kyverno@v1.17.0...v1.17.1

v1.17.0

Compare Source

What's Changed

• restrict resource access in namespaced CEL policy types by @​fjogeleit in #​14217
• Add unit test for NamespacedValidatingPolicy by @​slashexx in #​14224
• chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in #​14229
• chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 in /.github/actions/publish-image by @​dependabot[bot] in #​14230
• Add NamespacedImageValidatingPolicy and common compiler interface by @​slashexx in #​14195
• chore(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 by @​dependabot[bot] in #​14227
• chore(deps): bump fluxcd/flux2 from 2.7.2 to 2.7.3 by @​dependabot[bot] in #​14240
• fix metadata path translation and translating paths in matchCondition by @​Mohab96 in #​14208
• chore(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 in /.github/actions/run-tests by @​dependabot[bot] in #​14226
• chore(deps): bump github/codeql-action from 4.30.9 to 4.31.0 by @​dependabot[bot] in #​14228
• chore: add namespaced-validating-policies conformance job by @​eddycharly in #​14245
• remove params reference in API docs by @​fjogeleit in #​14236
• describe validation actions in API docs by @​fjogeleit in #​14259
• chore: (CI) update k8s versions by @​realshuting in #​14264
• Add Okteto to the list of Kyverno adopters by @​rberrelleza in #​14269
• chore(deps): bump github.com/cyphar/filepath-securejoin from 0.5.0 to 0.6.0 by @​dependabot[bot] in #​14275
• feat: add Kubernetes v1.30-v1.32 support to Pod Security Standard by @​wertelyu in #​14255
• chore(deps): bump cbrgm/cleanup-stale-branches-action from 1.2.0 to 1.2.2 by @​dependabot[bot] in #​14274
• chore(deps): bump github/codeql-action from 4.31.0 to 4.31.2 by @​dependabot[bot] in #​14266
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.22.0 to 0.22.4 by @​dependabot[bot] in #​14287
• chore(deps): bump github.com/aptible/supercronic from 0.2.36 to 0.2.39 by @​dependabot[bot] in #​14288
• chore(deps): bump helm/kind-action from 1.12.0 to 1.13.0 in /.github/actions/run-tests by @​dependabot[bot] in #​14285
• fix: allow bind role to the background controller default by @​realshuting in #​14278
• chore(deps): bump helm/kind-action from 1.12.0 to 1.13.0 by @​dependabot[bot] in #​14284
• feat: amend the ImageValidatingPolicy controller to work with NamespacedImageValidatingPolicy, configure admission controller and webhook by @​slashexx in #​14242
• bump nivpol to v1beta1 by @​fjogeleit in #​14306
• feat: add chainsaw test for namespaced deleting policy in the ci pipeline by @​slashexx in #​14315
• fix nil namespace initialization for cluster wide param resources by @​aerosouund in #​14327
• fix(devcontainer): add make+gcc and update go version in devcontainer by @​menzenski in #​14331
• Update devcontainer by @​lentzi90 in #​14248
• chore(deps): bump sigs.k8s.io/kustomize/api from 0.20.1 to 0.21.0 by @​dependabot[bot] in #​14321
• chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login from 0.10.1 to 0.11.0 by @​dependabot[bot] in #​14324
• fix: dont register the http request type by @​aerosouund in #​14238
• chore(deps): bump golang.org/x/sync from 0.17.0 to 0.18.0 by @​dependabot[bot] in #​14322
• chore(deps): bump github/codeql-action from 4.31.2 to 4.31.3 by @​dependabot[bot] in #​14342
• fix: attempt to fix scale test k6 installation by @​realshuting in #​14338
• chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0 by @​dependabot[bot] in #​14344
• chore(deps): bump the otel group across 1 directory with 10 updates by @​dependabot[bot] in #​14298
• chore: temporarily remove falky tests by @​realshuting in #​14346
• fix: handle namespace match with namespaceSelector by @​MariamFahmy98 in #​14339
• feat: generate and copy crd to cli for namespaced validating policy and namespaced deleting policy by @​slashexx in #​14316
• chore(deps): bump the kubernetes group across 3 directories with 7 updates by @​dependabot[bot] in #​14343
• feat: in-cluster concurrent resource loader by @​dhimanAbhi in #​13560
• chore(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 by @​dependabot[bot] in #​14318
• chore(deps): bump helm/chart-testing-action from 2.7.0 to 2.8.0 by @​dependabot[bot] in #​14309
• chore(deps): bump actions/checkout from 4.2.2 to 5.0.1 by @​dependabot[bot] in #​14362
• chore(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0 by @​dependabot[bot] in #​14365
• fix(admissionpolicy): handle nil MatchConstraints by @​thevilledev in #​14350
• fix: use namespaceObject in deletingpolicies by @​MariamFahmy98 in #​14381
• chore: minor fixes by @​MariamFahmy98 in #​14370
• fix: use context in deletingpolicies in the CLI by @​MariamFahmy98 in #​14382
• fix(controllers): duplicate error accumulation by @​thevilledev in #​14349
• supporting wildcards in resource namespace matching by @​iamsgarg-ob in #​14250
• feat: Implement failureActionOverrides namespaceSelector by @​fhielpos in #​13750
• fix(controllers): avoid cleanup on non-matching ns by @​thevilledev in #​14386
• chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 in /.github/actions/run-tests by @​dependabot[bot] in #​14363
• chore(deps): bump github.com/sigstore/rekor from 1.3.10 to 1.4.3 by @​dependabot[bot] in #​14364
• feat: update codeowners by @​realshuting in #​14401
• chore(deps): bump svenstaro/upload-release-action from 2.11.2 to 2.11.3 by @​dependabot[bot] in #​14379
• chore(deps): bump github.com/go-git/go-git/v5 from 5.16.3 to 5.16.4 by @​dependabot[bot] in #​14408
• fix: cli test with context file from git by @​eddycharly in #​14414
• chore(deps): bump github.com/cyphar/filepath-securejoin from 0.6.0 to 0.6.1 by @​dependabot[bot] in #​14407
• Add NamespacedMutatingPolicy and common compiler interface by @​slashexx in #​14225
• chore(deps): bump github/codeql-action from 4.31.3 to 4.31.5 by @​dependabot[bot] in #​14405
• chore: add a new test that uses both context and values by @​MariamFahmy98 in #​14416
• chore(deps): bump actions/checkout from 5.0.1 to 6.0.0 by @​dependabot[bot] in #​14419
• chore(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 by @​dependabot[bot] in #​14420
• chore: add chainsaw test for mutating subresource: mpol: by @​Rohanraj123 in #​13803
• chore(deps): bump github.com/google/go-containerregistry from 0.20.6 to 0.20.7 by @​dependabot[bot] in #​14421
• chore(deps): bump fluxcd/flux2 from 2.7.3 to 2.7.4 by @​dependabot[bot] in #​14404
• chore(deps): bump actions/setup-python from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​14403
• chore(deps): bump actions/setup-go from 6.0.0 to 6.1.0 in /.github/actions/setup-build-env by @​dependabot[bot] in #​14375
• chore(deps): bump github.com/google/gnostic-models from 0.7.0 to 0.7.1 by @​dependabot[bot] in #​14406
• chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 by @​dependabot[bot] in #​14374
• fix: implement the fake image metadata for the CLI by @​MariamFahmy98 in #​14415
• Create a chainsaw test for creating a resource with custom label using the generating policy by @​aerosouund in #​14424
• feat: add NamespacedGeneratingPolicy to v1alpha1 by @​slashexx in #​14400
• chore(deps): bump cbrgm/cleanup-stale-branches-action from 1.2.2 to 1.2.3 by @​dependabot[bot] in #​14427
• chore(deps): bump github/codeql-action from 4.31.5 to 4.31.6 by @​dependabot[bot] in #​14426
• chore(deps): bump fluxcd/flux2 from 2.7.4 to 2.7.5 by @​dependabot[bot] in #​14425
• chore(deps): bump the sigstore group across 1 directory with 4 updates by @​dependabot[bot] in #​14376
• chore: run autogen chainsaw tests concurrently by @​eddycharly in #​14429
• support nmpol for update requests by @​fjogeleit in #​14430
• chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 in /.github/actions/run-tests by @​dependabot[bot] in #​14434
• feat: bump ngpol to v1beta1 by @​eddycharly in #​14436
• chore(deps): bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 by @​dependabot[bot] in #​14433
• chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​14432
• make VAP/MAP reporting opt in instead of opt out by @​aerosouund in #​14353
• removing nancy tests by @​iamsgarg-ob in #​14440
• chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 in /hack/controller-gen by @​dependabot[bot] in #​14444
• chore: update go version in devcontainer by @​kartikangiras in #​14445
• chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 by @​dependabot[bot] in #​14443
• fix: add webhook compatibility and admission controller to work with NamespacedGeneratingPolicy by @​slashexx in #​14431
• test: add Filter webhook handler test by @​kartikangiras in #​14409
• test: add unit test for webhooks/handler by @​kartikangiras in #​13873
• add unit and chainsaw tests for ngpol and nmpol by @​slashexx in #​14449
• chore(deps): bump github/codeql-action from 4.31.6 to 4.31.7 by @​dependabot[bot] in #​14457
• chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.2 to 5.7.0 by @​dependabot[bot] in [#​14458](https://redirect.github.com/kyverno/

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.