RATATOSKRATATOSK
ログイン

Kyverno

v1.18.1Security
2026年5月18日

Kyverno v1.18.1 is a targeted patch fixing two regressions in generate and mutate-existing policies introduced in v1.18.0.

  • breakingUpgrade immediately if you use generate policies on cluster-scoped resources

    If you upgraded to v1.18.0 and have GeneratingPolicy rules targeting cluster-scoped resources (ClusterRoles, Namespaces, CRDs, etc.), generation was silently broken. v1.18.1 restores correct behavior. Validate that expected resources were actually generated after upgrading — anything that should have been generated during the v1.18.0 window may need manual remediation or a policy re-trigger.

  • breakingMutate-existing policies on v1.18.0 may have produced incorrect results

    The AdmissionRequest context was not being forwarded to UpdateRequests in mutate-existing policies. This means any rule relying on request context (user info, object, oldObject) for conditional logic or patches would have behaved incorrectly. Audit mutations applied while running v1.18.0 and verify affected resources are in the expected state after upgrading to v1.18.1.

  • enhancementTreat v1.18.0 as effectively broken for generate and mutate-existing users

    Both fixes were cherry-picked from main, meaning v1.18.0 should be skipped entirely if you rely on either feature. Skip straight to v1.18.1. If you are still on v1.17.x and evaluating the v1.18 line, start your testing against v1.18.1 instead.

主な変更 (3)

  • Fixed cluster-scoped resource generation in GeneratingPolicy, which was broken in v1.18.0
  • Fixed AdmissionRequest not being passed to UpdateRequests for mutate-existing policies, causing incorrect or missing mutations
  • No new features or API changes — pure bug fixes only