Kyverno
v1.17.2Securityv1.17.2 is a security-heavy patch release addressing multiple CVEs and fixing critical bugs in MutatingPolicy, ValidatingPolicy, webhook reconciliation, and namespaced policy handling.
securityUpgrade immediately — 6+ CVEs fixed in this release
This release patches at least six CVEs across dependencies and Go stdlib, plus CVE-2026-4789 which disables HTTP in namespaced policies by default. If you run namespaced policies that rely on HTTP-based external data sources or webhooks, audit those configurations before upgrading — they will stop working silently. Upgrade path: update your Helm chart or manifests to v1.17.2 and validate policy behavior in a staging environment first.
breakingNamespaced policies: HTTP disabled and ConfigMap access restricted
Two separate hardening changes affect namespaced policies. HTTP is now disabled by default (CVE-2026-4789), and ConfigMap access has been scoped down. If your namespaced policies fetch context from HTTP endpoints or read ConfigMaps outside their namespace, those policies will fail silently or error post-upgrade. Run a dry-run or audit scan against your namespaced policies before deploying to production.
enhancementWebhook reconciliation loop fix — reduces controller churn in large clusters
Inconsistent webhook rule ordering was causing repeated reconciliation loops, which generates excess API server load and noisy controller logs. This is fixed. If you've been seeing constant webhook object churn in your audit logs or elevated kyverno-controller CPU, this release resolves it. No action needed post-upgrade, but worth monitoring controller metrics after rollout to confirm stabilization.
Key changes (5)
- Multiple CVEs patched: CVE-2026-24051, CVE-2026-15558, CVE-2026-1229, CVE-2026-33186, CVE-2026-34986, CVE-2026-4789 — plus Go stdlib CVE bumps
- HTTP disabled by default in namespaced policies (CVE-2026-4789) — behavioral change for existing namespaced policy configurations
- ConfigMap access restricted for namespaced policies — scope reduction to limit blast radius
- Webhook reconciliation loop fixed: webhooks and webhook rules now maintain consistent ordering to prevent endless reconciliation cycles
- forEach mutation engine panic prevented, wrong lister for NamespacedGeneratingPolicy on UPDATE fixed, and user info handling added to MutatingPolicy/ValidatingPolicy