@@ -612,188 +612,185 @@ Finally, to identify the AKS cluster version that you're using, follow the linke
612
612
613
613
#### 1.16.0
614
614
Introducing Validating Admission Policy (VAP) generation. [Validating Admission Policies](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) are Kubernetes-native validating policy resources that are evaluated in-process, allowing for reduced latency and fail-close evaluation. Azure Policies that contain Common Expression Language (CEL) will automatically generate VAPs. For more information, view the [Gatekeeper Documentation](https://open-policy-agent.github.io/gatekeeper/website/docs/validating-admission-policy/).
615
-
Patch CVEs.
616
-
- Released Apr 2026
617
-
- Kubernetes 1.29+
618
-
##### Gatekeeper 3.22.1-1
615
+
Patch CVE-2026-25679, CVE-2026-27142, and CVE-2026-27139.
EU Data Boundary now supported by Azure Policy for Kubernetes on AKS. To learn more generally about the EU Data Boundary visit: [Overview of EU Data Boundary](/privacy/eudb/eu-data-boundary-learn).
Update the `policy-kubernetes-addon-prod` and `policy-kubernetes-webhook` images to patch [CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204) and [CVE-2025-22870](https://nvd.nist.gov/vuln/detail/CVE-2025-22870).
695
-
- Released April 2025
696
-
- Kubernetes 1.27+
697
-
- Gatekeeper 3.18.2
700
+
Patch CVE-2025-30204 and CVE-2025-22870.
701
+
Security improvements.
702
+
- Released: April 2025
703
+
- Kubernetes: 1.27+
704
+
- Gatekeeper: 3.18.2
698
705
699
706
#### 1.10.0
707
+
CEL is enabled by default, you can continue using Rego. New CRD `configpodstatuses.status.gatekeeper.sh` is introduced (Reference: https://github.com/open-policy-agent/gatekeeper/issues/2918).
700
708
Security improvements.
709
+
- Released: February 2025
710
+
- Kubernetes: 1.27+
711
+
- Gatekeeper: 3.18.2
701
712
702
-
CEL is enabled by default, you can continue using Rego. New CRD configpodstatuses.status.gatekeeper.sh is introduced (Reference: https://github.com/open-policy-agent/gatekeeper/issues/2918)
Policy can now be used to evaluate CONNECT operations, for instance, to deny `exec`s. Note that there is no brownfield compliance available for noncompliant CONNECT operations, so a policy with Audit effect that targets CONNECTs is a no op.
722
-
723
729
Security improvements.
724
-
- Released November 2024
725
-
- Kubernetes 1.27+
726
-
- Gatekeeper 3.17.1
730
+
- Released:November 2024
731
+
- Kubernetes:1.27+
732
+
- Gatekeeper:3.17.1
727
733
728
734
#### 1.7.1
729
735
Introducing CEL and VAP. Common Expression Language (CEL) is a Kubernetes-native expression language that can be used to declare validation rules of a policy. Validating Admission Policy (VAP) feature provides in-tree policy evaluation, reduces admission request latency, and improves reliability and availability. The supported validation actions include Deny, Warn, and Audit. Custom policy authoring for CEL/VAP is allowed, and existing users won't need to convert their Rego to CEL as they will both be supported and be used to enforce policies. To use CEL and VAP, users need to enroll in the feature flag `AKS-AzurePolicyK8sNativeValidation` in the `Microsoft.ContainerService` namespace. For more information, view the [Gatekeeper Documentation](https://open-policy-agent.github.io/gatekeeper/website/docs/validating-admission-policy/).
730
-
731
736
Security improvements.
732
-
- Released September 2024
733
-
- Kubernetes 1.27+ (VAP generation is only supported on 1.30+)
734
-
- Gatekeeper 3.17.1
737
+
- Released:September 2024
738
+
- Kubernetes:1.27+ (VAP generation is only supported on 1.30+)
739
+
- Gatekeeper:3.17.1
735
740
736
741
#### 1.7.0
737
-
738
742
Introducing expansion, a shift left feature that lets you know up front whether your workload resources (Deployments, ReplicaSets, Jobs, etc.) will produce admissible pods. Expansion shouldn't change the behavior of your policies; rather, it just shifts Gatekeeper's evaluation of pod-scoped policies to occur at workload admission time rather than pod admission time. However, to perform this evaluation it must generate and evaluate a what-if pod that is based on the pod spec defined in the workload, which might have incomplete metadata. For instance, the what-if pod won't contain the proper owner references. Because of this small risk of policy behavior changing, we're introducing expansion as disabled by default. To enable expansion for a given policy definition, set `.policyRule.then.details.source` to `All`. Built-ins will be updated soon to enable parameterization of this field. If you test your policy definition and find that the what-if pod being generated for evaluation purposes is incomplete, you can also use a mutation with source `Generated` to mutate the what-if pods. For more information on this option, view the [Gatekeeper documentation](https://open-policy-agent.github.io/gatekeeper/website/docs/expansion#mutating-example).
739
-
740
743
Expansion is currently only available on AKS clusters, not Arc clusters.
741
-
742
744
Security improvements.
743
-
- Released July 2024
744
-
- Kubernetes 1.27+
745
-
- Gatekeeper 3.16.3
745
+
- Released:July 2024
746
+
- Kubernetes:1.27+
747
+
- Gatekeeper:3.16.3
746
748
747
749
#### 1.6.1
748
-
749
750
Security improvements.
750
-
- Released May 2024
751
-
- Gatekeeper 3.14.2
751
+
- Released:May 2024
752
+
- Gatekeeper:3.14.2
752
753
753
754
#### 1.5.0
754
-
755
755
Security improvements.
756
-
- Released May 2024
757
-
- Kubernetes 1.27+
758
-
- Gatekeeper 3.16.3
756
+
- Released:May 2024
757
+
- Kubernetes:1.27+
758
+
- Gatekeeper:3.16.3
759
759
760
760
#### 1.4.0
761
-
762
761
Enables mutation and external data by default. The additional mutating webhook and increased validating webhook timeout cap might add latency to calls in the worst case. Also introduces support for viewing policy definition and set definition version in compliance results.
763
-
764
-
- Released May 2024
765
-
- Kubernetes 1.25+
766
-
- Gatekeeper 3.14.0
762
+
Security improvements.
763
+
- Released:May 2024
764
+
- Kubernetes:1.25+
765
+
- Gatekeeper:3.14.0
767
766
768
767
#### 1.3.0
769
-
770
-
Introduces error state for policies in error, enabling them to be distinguished from policies in noncompliant states. Adds support for v1 constraint templates and use of the excludedNamespaces parameter in mutation policies. Adds an error status check on constraint templates post-installation.
771
-
772
-
- Released February 2024
773
-
- Kubernetes 1.25+
774
-
- Gatekeeper 3.14.0
768
+
Introduces error state for policies in error, enabling them to be distinguished from policies in noncompliant states. Adds support for v1 constraint templates and use of the `excludedNamespaces` parameter in mutation policies. Adds an error status check on constraint templates post-installation.
769
+
Security improvements.
770
+
- Released: February 2024
771
+
- Kubernetes: 1.25+
772
+
- Gatekeeper: 3.14.0
775
773
776
774
#### 1.2.1
777
-
778
-
- Released October 2023
779
-
- Kubernetes 1.25+
780
-
- Gatekeeper 3.13.3
775
+
Security improvements.
776
+
- Released:October 2023
777
+
- Kubernetes:1.25+
778
+
- Gatekeeper:3.13.3
781
779
782
780
#### 1.1.0
783
-
784
-
- Released July 2023
785
-
- Kubernetes 1.27+
786
-
- Gatekeeper 3.11.1
781
+
Security improvements.
782
+
- Released:July 2023
783
+
- Kubernetes:1.27+
784
+
- Gatekeeper:3.11.1
787
785
788
786
#### 1.0.1
789
-
790
-
- Released June 2023
791
-
- Kubernetes 1.24+
792
-
- Gatekeeper 3.11.1
787
+
Security improvements.
788
+
- Released:June 2023
789
+
- Kubernetes:1.24+
790
+
- Gatekeeper:3.11.1
793
791
794
792
#### 1.0.0
795
-
796
-
Azure Policy for Kubernetes now supports mutation to remediate AKS clusters at-scale!
793
+
Azure Policy for Kubernetes now supports mutation to remediate AKS clusters at-scale.
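Review bot: the new metadata bullets are inconsistent about the space after the colon, which will render differently down the page: the 1.10.0 and 1.3.0 entries use `- Released: February 2025` / `- Kubernetes: 1.27+`, while the 1.7.1, 1.7.0, 1.6.1, 1.5.0, 1.4.0, 1.2.1, 1.1.0 and 1.0.1 entries use `- Released:November 2024` / `- Kubernetes:1.27+` / `- Gatekeeper:3.17.1` with no space. Pick one form (the spaced one matches the rest of the document) and apply it to every entry in this hunk. Separately, the hunk inserts a bare `Security improvements.` line into releases that previously carried no such note (1.4.0, 1.2.1, 1.1.0 and 1.0.1); since readers use these notes to decide whether an upgrade closes a security gap, that line should only be added where the release actually shipped a security fix, ideally with the CVE identifiers named as the 1.16.0 and April 2025 entries already do.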