Kyverno
v1.18.0SecurityKyverno 1.18 hardens HTTP context security with blocklist enforcement and scoped tokens, fixes multiple image verification bugs including a silent bypass, and expands CLI policy testing coverage.
securityAudit HTTP context policies before upgrading — blocklist is now enforced
Any policy using HTTP context loading will now be subject to a configurable blocklist. Calls that previously succeeded might be blocked after upgrade. Before rolling out 1.18, inventory all policies with HTTP context entries, verify their target URLs are not on the default blocklist, and configure FLAG_HTTP_BLOCKLIST overrides where needed. Also check that scoped token authorization doesn't break policies relying on broader token access. Test in a non-production cluster first.
securityImage verification silent bypass is patched — verify your policies are actually enforcing
A bug in processResourceWithPatches caused it to return nil on patch failure, which silently skipped image verification. If you've been running image verification policies and assumed they were enforcing, run a retroactive compliance scan after upgrading to confirm enforcement was working as expected. Also check the CVE fixes: CVE-2026-32280 (intermediate cert limiting) and CVE-2026-32283 (Go toolchain upgrade) are included in this release and warrant upgrading promptly.
enhancementUse successEventActions to reduce event spam in large clusters
High-traffic clusters with broad Kyverno policies generate enormous volumes of success events, which can overwhelm etcd and make event streams useless. The new successEventActions ConfigMap parameter lets you filter exactly which success events get emitted. Add this to your Kyverno ConfigMap after upgrading and tune it based on which policy actions actually need visibility. Pairs well with the existing omitEvents setting — watch out for the new warning if you configure conflicting values.
Key changes (5)
- HTTP context calls now enforce a configurable blocklist and use scoped tokens — policies making external HTTP calls need review against new security constraints
- imageRegistryCredentials can now reference namespaced secrets and pod-level imagePullSecrets, removing a long-standing limitation for multi-tenant image verification setups
- Silent image verification bypass fixed: processResourceWithPatches was returning nil on patch failure, allowing images to slip through unverified
- successEventActions ConfigMap parameter lets you filter which success events Kyverno emits, useful for high-volume clusters drowning in event noise
- CLI now supports cleanup policies, HTTP/Envoy authz policies, and mutateExisting in kyverno apply and kyverno test — CI pipelines can finally test these policy types offline