Kyverno
v1.16.4Securityv1.16.4 is a security-focused patch release addressing 15+ CVEs across Kyverno's dependency chain, plus a critical behavioral change that disables HTTP in namespaced policies by default.
securityUpgrade immediately — 15+ CVEs patched, including supply chain components
This release patches CVEs across sigstore/rekor, go-tuf, docker/cli, Go stdlib, and Kyverno's own code. Several of these touch the image verification and policy fetch paths. If you're running any image signing workflows with Kyverno, the rekor and go-tuf bumps are directly relevant. Plan an upgrade in your next maintenance window — do not wait for the next major cycle.
breakingHTTP disabled by default in namespaced policies (CVE-2026-4789) — test before upgrading
Namespaced policies that fetch external data over plain HTTP will silently stop working after this upgrade. If you use URL context sources or external data fetches in namespaced ClusterPolicy or Policy resources, audit them for HTTP (non-HTTPS) endpoints before upgrading. This is a security hardening change, but it will break existing policies that relied on insecure endpoints. Switch those endpoints to HTTPS or migrate to HTTPS-capable data sources first.
breakingRestricted ConfigMap access for namespaced policies — RBAC may need review
Namespaced policies now have reduced ConfigMap access scope. If your policies rely on reading ConfigMaps outside their namespace for context or configuration, those reads will fail post-upgrade. Review your policy definitions for cross-namespace ConfigMap references and adjust either the policy logic or the access grants accordingly before rolling out this version.
Key changes (5)
- CVE-2026-4789: HTTP disabled by default in namespaced policies — this is a behavioral change, not just a dep bump
- Namespaced policies now have restricted ConfigMap access, tightening the blast radius of compromised policy controllers
- Scoped token used for request authorization, replacing broader token usage in policy evaluation
- forEach mutation panic fixed — previously could crash the engine on certain mutate rule configurations
- Dependency CVEs resolved: docker/cli, sigstore/rekor, go-tuf/v2, stdlib, and others updated