build(deps): bump github.com/kyverno/kyverno from 1.12.5 to 1.13.2

[dependabot]

Bumps github.com/kyverno/kyverno from 1.12.5 to 1.13.2.

Release notes

Sourced from github.com/kyverno/kyverno's releases.

v1.13.2

❗ Important Notice ❗

• Fixed the breaking change in the Kyverno Helm chart by adding the conversion function regarding the config.webhooks field (#11651)

✨ Added ✨

• Added manifestIndex to ImageRegistry context (#9883)
• Added a new field patchedResources in the test results to specify patched resources (#11297, #11686)
• Supported label selector context variable in the mutate existing rule (#11608)

Helm

• Added allowExistingViolations option in kyverno-policies chart (#11656,#11714)

🐛 Fixed 🐛

• Fixed webhook reconciliation by the policy type (#11580)
• Used generate name for background scan reports (#11586)
• Added missing error check for the generate rule(#11587)
• Returned nil error when trigger resource of a generate rule is not found for a subresource (#11594)
• Opened the mutated resources file in append mode to allow additions to it (#11619)
• Fixed the issue to print generate output in CLI (#11634)
• Properly verified precondition in old object validation (#11644, #11591)
• Fixed metrics-server Helm installation in Makefile (#11717)

Helm

• Fixed global image registry bug in 3.3.3 (#11604)
• Fixed the merging of policyExclude customizations to avoid wrong overrides in kyverno-policies chart (#11653)

🔧 Others 🔧

• Set the UserAgent in client-go based calls to kube-apiserver (#11569)
• Tested upgrade conformance in CI (#11498, #11602)
• Reduced logging for URs (#11616)
• Fixed API call chainsaw tests (#11682)

v1.13.2-rc.1

No release notes provided.

v1.13.1

✨ Added ✨

• Added the validation check for webhook configurations using CEL (#11461)

🐛 Fixed 🐛

• Skipped Azure keychain-based login for MCR registry (#11480)
• Fixed a validate issue to match failure action case-insensitively when validating an old object (#11486)
• Fixed the missing emitWarning field in the v2beta1 policy (#11489)
• Fixed the CLI to support VAP stable version v1 (#11501)
• Fixed the auto-gen rules regarding celPreconditions (#11503)
• Fixed a CLI issue by setting the default namespace for namespaced policies (#11505)
• Fixed the configurable namespaceSelector list in the webhook (#11516)
• Fixed an issue that the image verification rule blocks resource's update (#11529)
• Fixed the policy validation message to include keywords "immutable fields" (#11549)

... (truncated)

Changelog

Sourced from github.com/kyverno/kyverno's changelog.

v1.13.0

Note

• Removed deprecated flag reportsChunkSize.
• Added --tufRootRaw flag to pass tuf root for custom sigstore deployments.

v1.11.0

v1.11.0-rc.1

Note

• Added --tufRoot and --tufMirror flags to configure tuf for custom sigstore deployments.
• Remove description from deprecated fields in CRDs
• Remove CLI kyverno test manifest ... commands (replaced by kyverno create ...).
• Added --caSecretName and --tlsSecretName flags to control names of certificate related secrets.
• Added match conditions support in kyverno config map.
• Deprecated flag --imageSignatureRepository. Will be removed in 1.12. Use per rule configuration verifyImages.Repository instead.
• Added --aggregateReports flag for reports controller to enable/disable aggregated reports (default value is true).
• Added --policyReports flag for reports controller to enable/disable policy reports (default value is true).
• Renamed CLI flag --compact to --detailed-results (and changed default value from true to false).
• Changed the default value of --enablePolicyException from false to true.

v1.10.0

v1.10.0-rc.1

Note

• Removed GenerateRequest CRD.
• Refactored kyverno chart, migration instructions are available in chart README.md.
• Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
• Added support for configuring webhook annotations in the config map through webhookAnnotations stanza.
• Added excludeRoles and excludeClusterRoles support in configuration.
• Added new flag skipResourceFilters to reports controller to enable/disable considering resource filters in the background (default value is true)
• Removed hardcoded defaults for excludeGroups and excludeUsernames. They are always read from the config map.

v1.9.0-rc.1

Note

• Flag backgroundScanInterval was added to force background scans at regular intervals (default value is 1h).
• Flag splitPolicyReport was removed, was unused and marked for removal in 1.9.
• Webhook is no longer updated to match pods/ephemeralcontainers when policy only specifies pods. If users want to match on pods/ephemeralcontainers, they must specify pods/ephemeralcontainers in the policy.
• Webhook is no longer updated to match services/status when policy only specifies services. If users want to match on services/status, they must specify services/status in the policy.
• Flag autogenInternals was removed, policy mutation has been removed.
• Flag leaderElectionRetryPeriod was added to control leader election renewal frequency (default value is 2s).
• Support upper case Audit and Enforce in .spec.validationFailureAction of the Kyverno policy, failure actions audit and enforce are deprecated and will be removed in v1.11.0.
• Flag profileAddress was added to configure address of profiling server (default value is "").

... (truncated)

Commits

• a96b1a4 release 1.13.2 (#11736)
• e7e25c9 release 1.13.2-rc.1 (#11713)
• ab23718 fix: properly verify precondition in old object validation (#11644) (#11705)
• a61058b fix: add metrics-server Helm repo (#11717) (#11718)
• 05488bb add allowExistingViolations option in policy chart (#11656) (#11720)
• 96421c3 fix(readme): add changelog for spec.validate[*].allowExistingViolations field...
• ab79afe feat: Show textual diff when generate test fails (#11674) (#11704)
• fee0fad fix: api call chainsaw tests (#11682) (#11696)
• 8e354a3 fix: check the patchedResources in kyverno-test (#11686) (#11695)
• 75a6e8b Print generate output cli (#11634) (#11678)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)