v3.21.0

🚀 Notable Changes

• 🛠️ New flag: sync-vap-enforcement has been introduced to unify the ValidatingAdmissionPolicy(VAP) enforcement surface with the ConstraintTemplate enforcement surface. This syncs VAP resource scope with Gatekeeper's ValidatingWebhookConfigurations, Config resource exclusions, and exempt-namespace–based exemptions. This improves enforcement consistency across all policy mechanisms.
• 🧩 Granular Operation-Level Controls for ConstraintTemplates: ConstraintTemplates now support defining operations on which a template should be enforced (e.g., CREATE, UPDATE, DELETE).
• 📈 Enhanced Metrics & Status for External Data (Provider API): Added new metrics and status reporting for the External Data / Provider API feature, improving observability and overall user experience when integrating external data sources into policy evaluation.

Features

• Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
• gator verify - support multiple expansions for per test case (#3981) #3981 (Halvdan Hoem Grelland)
• Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
• External data status metrics (#4115) #4115 (Jaydip Gabani)
• Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
• support DELETE operation type when generate VAP (#4030) #4030 (DahuK)

Bug Fixes

• spelling errors in deprecated documentation (#4138) #4138 (Copilot)
• updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
• Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
• Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
• load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)

Documentation

• update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
• add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
• adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)

Continuous Integration

• adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)

Chores

• Prepare v3.21.0 release (#4247) #4247 (github-actions[bot])
• bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
• bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
• updating k8s version and dep verions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
• bump golang from ef8c5c7 to 2679c15 in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
• bump frameworks (#4104) #4104 (Noah Reisch)
• updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
• bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
• bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])
• bump the all group across 1 directory with 8 updates (#4127) #4127 (dependabot[bot])
• bump github.com/onsi/gomega from 1.38.0 to 1.38.1 (#4126) #4126 (dependabot[bot])
• bump the k8s group with 5 updates (#4111) #4111 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-reader (#4091) #4091 (dependabot[bot])
• bump kubectl from v1.33.3 to v1.33.4 (#4107) #4107 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 (#4096) #4096 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm (#4108) #4108 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-reader (#4114) #4114 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-subscriber (#4093) #4093 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/e...

v3.21.0-rc.1

Bug Fixes

• bumping frameworks (#4221) (#4224) #4224 (Jaydip Gabani)

Chores

• Prepare v3.21.0-rc.1 release (#4226) #4226 (github-actions[bot])

v3.21.0-rc.0

Features

• Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
• gator verify - support multiple expansions for per test case (#3981) #3981 (Halvdan Hoem Grelland)
• Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
• External data status metrics (#4115) #4115 (Jaydip Gabani)
• Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
• support DELETE operation type when generate VAP (#4030) #4030 (DahuK)

Bug Fixes

• spelling errors in deprecated documentation (#4138) #4138 (Copilot)
• updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
• Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
• Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
• load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)

Documentation

• update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
• add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
• adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)

Continuous Integration

• adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)

Chores

• bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
• bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
• updating k8s version and dep verions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
• bump golang from ef8c5c7 to 2679c15 in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
• bump frameworks (#4104) #4104 (Noah Reisch)
• updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
• bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
• bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])
• bump the all group across 1 directory with 8 updates (#4127) #4127 (dependabot[bot])
• bump github.com/onsi/gomega from 1.38.0 to 1.38.1 (#4126) #4126 (dependabot[bot])
• bump the k8s group with 5 updates (#4111) #4111 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-reader (#4091) #4091 (dependabot[bot])
• bump kubectl from v1.33.3 to v1.33.4 (#4107) #4107 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 (#4096) #4096 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm (#4108) #4108 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-reader (#4114) #4114 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-subscriber (#4093) #4093 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-subscriber (#4112) #4112 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/externaldata/dummy-provider (#4113) #4113 (dependabot[bot])
• Patch docs for 3.20.1 release (#4134) #4134 (github-actions[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/image (#4110) #4110 (dependabot[bot])
• bump golang from 81dc45d to 6ad9415 in /test/export/fake-subscriber (#4146) [#4146](https://github.com/open-poli...

v3.20.1

Bug Fixes

• bumping kubectl and golang through cherry-picks (#4132) #4132 (Jaydip Gabani)

Chores

• bump frameworks v0.18.1 (#4117) #4117 (Noah Reisch)
• Prepare v3.20.1 release (#4133) #4133 (github-actions[bot])

v3.21.0-beta.0

Bug Fixes

• increase webhook latency buckets up to 10 seconds (#4037) #4037 (David Blum)
• removing readinessprobe for webhook at start of the pod (#4059) #4059 (Jaydip Gabani)

Chores

• bump golang from ee7ff13 to 10f549d in /test/export/fake-reader (#4046) #4046 (dependabot[bot])
• bump the all group with 2 updates (#4044) #4044 (dependabot[bot])
• bump golang from ee7ff13 to 10f549d in /test/export/fake-subscriber (#4045) #4045 (dependabot[bot])
• bump golang from 10f549d to 69adc37 in /test/export/fake-subscriber (#4053) #4053 (dependabot[bot])
• bump golang from 10f549d to 69adc37 in /test/export/fake-reader (#4052) #4052 (dependabot[bot])
• Patch docs for 3.19.3 release (#4056) #4056 (github-actions[bot])
• bump the all group across 1 directory with 2 updates (#4066) #4066 (dependabot[bot])
• bump kubectl from v1.33.2 to v1.33.3 (#4063) #4063 (dependabot[bot])
• bump the k8s group with 5 updates (#4062) #4062 (dependabot[bot])
• Prepare v3.21.0-beta.0 release (#4068) #4068 (github-actions[bot])

v3.20.0

Notable Changes

• 💾 A new driver to export violations on disk.
• 🎓 VAP integration is beta and enabled by default, hence VAP/VAPB resources will be generated by default for CT/C with K8sNativeValidation engine with CEL code.
• 🔗 A new Connection CRD replaced ConfigMap in order to establish connections with export backends.

Features

• mapping dryrun to audit in vapb (#3915) #3915 (Jaydip Gabani)
• adding driver to export to disk (#3832) #3832 (Jaydip Gabani)
• Graduating VAP generation to beta (#3995) #3995 (Jaydip Gabani)
• Export Connection CR (#3999) #3999 (Noah Reisch)

Bug Fixes

• removing readinessprobe for webhook at start of the pod (#4059) (#4065) #4065 (Jaydip Gabani)
• only enabling CEL driver with flag value (#3900) #3900 (Jaydip Gabani)
• error on deleting GK resources when delete operation is enabled (#3921) #3921 (Jaydip Gabani)
• scope of webhook configurations (#3676) #3676 (plavy)
• making sure latest CT version is updated in CT controller to avoid writing errors (#3983) #3983 (Jaydip Gabani)
• add RBAC for finalizers when running with OwnerReferencesPermissionEnforcement admission plugin (#3961) #3961 (Jaydip Gabani)
• unreliable webhook behaviour on gatekeeper pod startup and shutdown (#3780) #3780 (Benjamin Ritter)
• removing connection from map before closing it to avoid locking on latest connection update (#3946) #3946 (Jaydip Gabani)
• making sure VAPB is only deleted for constraints if it was enabled (#4034) #4034 (Jaydip Gabani)
• disk export path to handle dir deletes (#4021) #4021 (Noah Reisch)

Documentation

• adding opa v1 docs and tests (#3908) #3908 (Jaydip Gabani)
• adding available variables and updating faq (#3927) #3927 (Jaydip Gabani)
• Add Flags Reference (#3782) #3782 (Ian Stanton)

Continuous Integration

• bumping k8s version in testing and crd.Dockerfile (#3925) #3925 (Jaydip Gabani)
• release checklist (#3990) #3990 (Sertaç Özercan)

Chores

• Prepare v3.20.0 release (#4067) #4067 (github-actions[bot])
• bump golang from 75e6700 to 00eccd4 in /test/externaldata/dummy-provider (#3914) #3914 (dependabot[bot])
• bump golang from 75e6700 to 00eccd4 in /test/image (#3913) #3913 (dependabot[bot])
• bump the all group with 2 updates (#3912) #3912 (dependabot[bot])
• bump golang from 75e6700 to 00eccd4 (#3911) #3911 (dependabot[bot])
• bump golang from 75e6700 to 00eccd4 in /build/tooling (#3910) #3910 (dependabot[bot])
• Add pods/resize subresource to mutating and validating webhooks (#3778) #3778 (Ian Stanton)
• bump golang.org/x/net from 0.37.0 to 0.38.0 (#3920) #3920 (dependabot[bot])
• bump codecov/codecov-action from 5.4.0 to 5.4.2 in the all group (#3924) #3924 (dependabot[bot])
• bump http-proxy-middleware from 2.0.7 to 2.0.9 in /website (#3922) #3922 (dependabot[bot])
• adding helm variable for mutating subresources (#3916) #3916 (Jaydip Gabani)
• Patch docs for 3.19.1 release (#3937) #3937 (github-actions[bot])
• Patch docs for 3.18.3 release (#3938) #3938 (github-actions[bot])
• bump the all group with 2 updates (#3940) #3940 (dependabot[bot])
• bump the k8s group with 5 updates (#3939) #3939 (dependabot[bot])
• removing gator test alpha note from gator test --help (#3943) #3943 (Martin Alexander)
• bump the all group with 2 updates (#3951) #3951 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.24.2-bookworm in /test/export/fake-reader (#3955) #3955 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.24.2-bookworm (#3957) #3957 (dependabot[bot])
• bump actions/upload-artifact from 4.6.0 to 4.6.2 in the all group (#3959) #3959 (dependabot[bot])
  ...

v3.20.0-rc.1

Bug Fixes

• removing readinessprobe for webhook at start of the pod (#4059) (#4065) #4065 (Jaydip Gabani)

v3.19.3

Bug Fixes

• making sure VAPB is only deleted for constraints if it was enabled (#4034) (#4039) #4039 (Jaydip Gabani)

Chores

• Prepare v3.19.3 release (#4054) #4054 (github-actions[bot])

v3.20.0-rc.0

Features

• mapping dryrun to audit in vapb (#3915) #3915 (Jaydip Gabani)
• adding driver to export to disk (#3832) #3832 (Jaydip Gabani)
• Graduating VAP generation to beta (#3995) #3995 (Jaydip Gabani)
• Export Connection CR (#3999) #3999 (Noah Reisch)

Bug Fixes

• only enabling CEL driver with flag value (#3900) #3900 (Jaydip Gabani)
• error on deleting GK resources when delete operation is enabled (#3921) #3921 (Jaydip Gabani)
• scope of webhook configurations (#3676) #3676 (plavy)
• making sure latest CT version is updated in CT controller to avoid writing errors (#3983) #3983 (Jaydip Gabani)
• add RBAC for finalizers when running with OwnerReferencesPermissionEnforcement admission plugin (#3961) #3961 (Jaydip Gabani)
• unreliable webhook behaviour on gatekeeper pod startup and shutdown (#3780) #3780 (Benjamin Ritter)
• removing connection from map before closing it to avoid locking on latest connection update (#3946) #3946 (Jaydip Gabani)
• making sure VAPB is only deleted for constraints if it was enabled (#4034) #4034 (Jaydip Gabani)
• disk export path to handle dir deletes (#4021) #4021 (Noah Reisch)

Documentation

• adding opa v1 docs and tests (#3908) #3908 (Jaydip Gabani)
• adding available variables and updating faq (#3927) #3927 (Jaydip Gabani)
• Add Flags Reference (#3782) #3782 (Ian Stanton)

Continuous Integration

• bumping k8s version in testing and crd.Dockerfile (#3925) #3925 (Jaydip Gabani)
• release checklist (#3990) #3990 (Sertaç Özercan)

Chores

• bump golang from 75e6700 to 00eccd4 in /test/externaldata/dummy-provider (#3914) #3914 (dependabot[bot])
• bump golang from 75e6700 to 00eccd4 in /test/image (#3913) #3913 (dependabot[bot])
• bump the all group with 2 updates (#3912) #3912 (dependabot[bot])
• bump golang from 75e6700 to 00eccd4 (#3911) #3911 (dependabot[bot])
• bump golang from 75e6700 to 00eccd4 in /build/tooling (#3910) #3910 (dependabot[bot])
• Add pods/resize subresource to mutating and validating webhooks (#3778) #3778 (Ian Stanton)
• bump golang.org/x/net from 0.37.0 to 0.38.0 (#3920) #3920 (dependabot[bot])
• bump codecov/codecov-action from 5.4.0 to 5.4.2 in the all group (#3924) #3924 (dependabot[bot])
• bump http-proxy-middleware from 2.0.7 to 2.0.9 in /website (#3922) #3922 (dependabot[bot])
• adding helm variable for mutating subresources (#3916) #3916 (Jaydip Gabani)
• Patch docs for 3.19.1 release (#3937) #3937 (github-actions[bot])
• Patch docs for 3.18.3 release (#3938) #3938 (github-actions[bot])
• bump the all group with 2 updates (#3940) #3940 (dependabot[bot])
• bump the k8s group with 5 updates (#3939) #3939 (dependabot[bot])
• removing gator test alpha note from gator test --help (#3943) #3943 (Martin Alexander)
• bump the all group with 2 updates (#3951) #3951 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.24.2-bookworm in /test/export/fake-reader (#3955) #3955 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.24.2-bookworm (#3957) #3957 (dependabot[bot])
• bump actions/upload-artifact from 4.6.0 to 4.6.2 in the all group (#3959) #3959 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.24.2-bookworm in /test/externaldata/dummy-provider (#3958) #3958 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.24.2-bookworm in /test/export/fake-subscriber (#3956) #3956 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.24.2-bookworm in /build/tooling (#3954) #3954 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.24.2-bookworm in /test/image (#3953) [#3953](https://gith...

v3.19.2

⚠ Warning: Operation generate is now required to guard CRD and VAP/VAPB generation. Please update your singleton deployment (e.g. gatekeeper-audit) to include --operation=generate. If you are not using audit, you need to add it to the controller manager deployment. https://open-policy-agent.github.io/gatekeeper/website/docs/operations/#generation

Chores

• bump opa to 1.5.1 and kubectl to 1.33.1 (#4001) #4001 (Jaydip Gabani)
• Prepare v3.19.2 release (#4011) #4011 (github-actions[bot])