v3.23.0-beta.0

Continuous Integration

• publish fake-reader and fake-subscriber images to GHCR (#4408) #4408 (abhisheksheth28)

Chores

• bump the k8s group with 5 updates (#4412) #4412 (dependabot[bot])
• bump golang from 889885d to 100774d in /build/tooling (#4413) #4413 (dependabot[bot])
• bump golang from 889885d to 100774d in /test/image (#4414) #4414 (dependabot[bot])
• bump golang from 889885d to 100774d (#4415) #4415 (dependabot[bot])
• bump kubectl from v1.35.1 to v1.35.2 (#4416) #4416 (dependabot[bot])
• bump golang from 889885d to 100774d in /test/externaldata/dummy-provider (#4417) #4417 (dependabot[bot])
• bump golang from 889885d to 100774d in /test/export/fake-subscriber (#4418) #4418 (dependabot[bot])
• bump golang from 889885d to 100774d in /test/export/fake-reader (#4419) #4419 (dependabot[bot])
• bump the all group with 5 updates (#4420) #4420 (dependabot[bot])
• bumping trivy to 0.69.3 (#4424) #4424 (Jaydip Gabani)
• bump svgo from 2.8.0 to 2.8.2 in /website (#4425) #4425 (dependabot[bot])
• bump sigs.k8s.io/controller-runtime from 0.23.1 to 0.23.3 in the k8s group (#4427) #4427 (dependabot[bot])
• bump go.yaml.in/yaml/v2 from 2.4.3 to 2.4.4 (#4428) #4428 (dependabot[bot])
• bump golang from 100774d to ab8c494 (#4429) #4429 (dependabot[bot])
• bump golang from 100774d to ab8c494 in /test/externaldata/dummy-provider (#4430) #4430 (dependabot[bot])
• bump golang from 100774d to ab8c494 in /test/image (#4431) #4431 (dependabot[bot])
• bump golang from 100774d to ab8c494 in /build/tooling (#4432) #4432 (dependabot[bot])
• bump the all group with 5 updates (#4433) #4433 (dependabot[bot])
• bump golang from 100774d to ab8c494 in /test/export/fake-subscriber (#4434) #4434 (dependabot[bot])
• bump golang from 100774d to ab8c494 in /test/export/fake-reader (#4435) #4435 (dependabot[bot])
• Prepare v3.23.0-beta.0 release (#4439) #4439 (github-actions[bot])

v3.22.0

🚀 Notable Changes

• ✅ sync-vap-enforcement-scope now enabled by default: The flag for syncing ValidatingAdmissionPolicy enforcement scope is now true by default, ensuring VAP resources reflect constraint enforcement actions out of the box (#4332).
• 🏷️ Namespace support for CEL and Rego engines: CEL expressions can now access namespaceObject and Rego policies can access input.namespace for namespace-scoped policy decisions during both admission and audit (#4285)
• ⚡ gator bench — policy performance benchmarking: New CLI command to benchmark Rego and CEL engines with latency percentiles, throughput metrics, memory profiling, concurrent load testing, and baseline comparison for CI/CD regression detection (#4287)
• 📋 gator policy — brew-inspired policy management: New CLI for discovering, installing, upgrading, and uninstalling policies from the gatekeeper-library with support for bundles (e.g., pod-security-baseline), enforcement overrides, and dry-run previews (#4331)
• 🔇 Disable audit sidecar support: Users who have their own log monitoring (e.g., OTel collector) can now disable the forced fake-reader sidecar when audit file-based logging is enabled (#4280)
• 🌐 Out-of-cluster / remote cluster support: New --enable-remote-cluster flag allows Gatekeeper to run outside the target cluster (e.g., nested/hosted control planes), fixing a crash when the Gatekeeper pod doesn't exist in the managed cluster (#4368)
• ⏱️ External data provider timeout enforcement: Mutation-path requests to external data providers now enforce the provider's configured timeout (default 5s), preventing unbounded requests that could outlive the webhook timeout and cause resource exhaustion (#4351)

Features

• Support disabling audit sidecar (#4280) #4280 (Jorge Turrado Ferrero)
• add namespace support for CEL and Rego engines (#4285) #4285 (Jaydip Gabani)
• Support metrics backend configuration options to helm chart (#4282) #4282 (Jorge Turrado Ferrero)
• set sync-vap-enforcement-scope flag to true (#4332) #4332 (abhisheksheth28)
• support print statement in gator (#2949) (#3872) #3872 (Julian)
• add gator bench command for policy performance benchmarking (#4287) #4287 (Sertaç Özercan)
• gator policy (#4331) #4331 (Sertaç Özercan)

Bug Fixes

• Refactor retries for disk driver failed connection removal to be exponential. (#4257) #4257 (devivasudevan)
• remove deprecated spec.preserveUnknownFields (#4276) #4276 (Mohamed Meskine)
• updating expansion templates to add owner ref in expanded resources (#4262) #4262 (Jaydip Gabani)
• chart: Merge namespace exemption labels to fix GKE recommendation (#4348) #4348 (Oliver Karstoft)
• enforce timeout on external data provider requests (#4351) #4351 (Jaydip Gabani)
• run gatekeeper out of bounds (#4368) #4368 (abhisheksheth28)
• thread webhook context through external data mutation requests (#4378) #4378 (Edvin N)
• add missing flags as helm values (#4385) #4385 (abhisheksheth28)

Documentation

• add field precedence documentation for ConstraintTemplate (#4246) #4246 (Copilot)
• adding jfrog provide to external data (#4357) #4357 (carmit hershman)

Continuous Integration

• add Slack meeting reminder workflow for OPA Gatekeeper weekly meetings (#4277) #4277 (Copilot)

Chores

• bumping kubectl to resolve CVEs (#4248) #4248 (Jaydip Gabani)
• bump go.uber.org/zap from 1.27.0 to 1.27.1 (#4263) #4263 (dependabot[bot])
• bump golang from 728cbef to a02d35e in /test/export/fake-reader (#4264) #4264 (dependabot[bot])
• bump golang from 728cbef to a02d35e in /test/externaldata/dummy-provider (#4265) #4265 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e in /test/image (#4266) #4266 (dependabot[bot])
• bump the all group with 4 updates (#4269) #4269 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e (#4270) #4270 (dependabot[bot])
• bump node-forge from 1.3.1 to 1.3.2 in /website (#4274) #4274 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e in /test/export/fake-subscriber (#4267) #4267 (dependabot[bot])
• bump the all group with 2 updates (#4275) #4275 (dependabot[bot])
• migrate from deprecated stale bot app to GitHub Actions stale action (#4245) #4245 (Copilot)
• bump express from 4.21.0 to 4.22.1 in /website (#4278) #4278 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e in /build/tooling (#4268) #4268 (dependabot[bot])
• bump golang from a02d35e to 4f9d98e in ...

v3.22.0-rc.0

🚀 Notable Changes

• ✅ sync-vap-enforcement-scope now enabled by default: The flag for syncing ValidatingAdmissionPolicy enforcement scope is now true by default, ensuring VAP resources reflect constraint enforcement actions out of the box (#4332).
• 🏷️ Namespace support for CEL and Rego engines: CEL expressions can now access namespaceObject and Rego policies can access input.namespace for namespace-scoped policy decisions during both admission and audit (#4285)
• ⚡ gator bench — policy performance benchmarking: New CLI command to benchmark Rego and CEL engines with latency percentiles, throughput metrics, memory profiling, concurrent load testing, and baseline comparison for CI/CD regression detection (#4287)
• 📋 gator policy — brew-inspired policy management: New CLI for discovering, installing, upgrading, and uninstalling policies from the gatekeeper-library with support for bundles (e.g., pod-security-baseline), enforcement overrides, and dry-run previews (#4331)
• 🔇 Disable audit sidecar support: Users who have their own log monitoring (e.g., OTel collector) can now disable the forced fake-reader sidecar when audit file-based logging is enabled (#4280)
• 🌐 Out-of-cluster / remote cluster support: New --enable-remote-cluster flag allows Gatekeeper to run outside the target cluster (e.g., nested/hosted control planes), fixing a crash when the Gatekeeper pod doesn't exist in the managed cluster (#4368)
• ⏱️ External data provider timeout enforcement: Mutation-path requests to external data providers now enforce the provider's configured timeout (default 5s), preventing unbounded requests that could outlive the webhook timeout and cause resource exhaustion (#4351)

Features

• Support disabling audit sidecar (#4280) #4280 (Jorge Turrado Ferrero)
• add namespace support for CEL and Rego engines (#4285) #4285 (Jaydip Gabani)
• Support metrics backend configuration options to helm chart (#4282) #4282 (Jorge Turrado Ferrero)
• set sync-vap-enforcement-scope flag to true (#4332) #4332 (abhisheksheth28)
• support print statement in gator (#2949) (#3872) #3872 (Julian)
• add gator bench command for policy performance benchmarking (#4287) #4287 (Sertaç Özercan)
• gator policy (#4331) #4331 (Sertaç Özercan)

Bug Fixes

• Refactor retries for disk driver failed connection removal to be exponential. (#4257) #4257 (devivasudevan)
• remove deprecated spec.preserveUnknownFields (#4276) #4276 (Mohamed Meskine)
• updating expansion templates to add owner ref in expanded resources (#4262) #4262 (Jaydip Gabani)
• chart: Merge namespace exemption labels to fix GKE recommendation (#4348) #4348 (Oliver Karstoft)
• enforce timeout on external data provider requests (#4351) #4351 (Jaydip Gabani)
• run gatekeeper out of bounds (#4368) #4368 (abhisheksheth28)
• thread webhook context through external data mutation requests (#4378) #4378 (Edvin N)
• add missing flags as helm values (#4385) #4385 (abhisheksheth28)

Documentation

• add field precedence documentation for ConstraintTemplate (#4246) #4246 (Copilot)
• adding jfrog provide to external data (#4357) #4357 (carmit hershman)

Continuous Integration

• add Slack meeting reminder workflow for OPA Gatekeeper weekly meetings (#4277) #4277 (Copilot)

Chores

• bumping kubectl to resolve CVEs (#4248) #4248 (Jaydip Gabani)
• bump go.uber.org/zap from 1.27.0 to 1.27.1 (#4263) #4263 (dependabot[bot])
• bump golang from 728cbef to a02d35e in /test/export/fake-reader (#4264) #4264 (dependabot[bot])
• bump golang from 728cbef to a02d35e in /test/externaldata/dummy-provider (#4265) #4265 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e in /test/image (#4266) #4266 (dependabot[bot])
• bump the all group with 4 updates (#4269) #4269 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e (#4270) #4270 (dependabot[bot])
• bump node-forge from 1.3.1 to 1.3.2 in /website (#4274) #4274 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e in /test/export/fake-subscriber (#4267) #4267 (dependabot[bot])
• bump the all group with 2 updates (#4275) #4275 (dependabot[bot])
• migrate from deprecated stale bot app to GitHub Actions stale action (#4245) #4245 (Copilot)
• bump express from 4.21.0 to 4.22.1 in /website (#4278) #4278 (dependabot[bot])
• bump golang from 27e1c92 to a02d35e in /build/tooling (#4268) #4268 (dependabot[bot])
• bump golang from a02d35e to 4f9d98e in ...

v3.21.1

Bug Fixes

• enforce timeout on external data provider requests cherry-pick (#4351) (#4359) #4359 (Jaydip Gabani)

Chores

• bump github.com/containerd/containerd from 1.7.28 to 1.7.29 cp #4223 (#4360) #4360 (Jaydip Gabani)
• bump golang.org/x/crypto from 0.43.0 to 0.45.0 CP(#4254) (#4364) #4364 (Jaydip Gabani)
• bump golang from 7534a62 to 04741b0 CP(#4341) (#4365) #4365 (Jaydip Gabani)
• bumping kubectl to resolve CVE CP(#4248) (#4366) #4366 (Jaydip Gabani)
• Prepare v3.21.1 release (#4367) #4367 (github-actions[bot])

v3.22.0-beta.0

Bug Fixes

• bumping frameworks (#4221) #4221 (Jaydip Gabani)

Documentation

• clarify message assertion expects regular expression (#4240) #4240 (Tommy Brunn)

Chores

• bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#4223) #4223 (dependabot[bot])
• bump golang from 7534a62 to 27e1c92 in /test/image (#4228) #4228 (dependabot[bot])
• bump golang from 7534a62 to 27e1c92 in /build/tooling (#4229) #4229 (dependabot[bot])
• bump golang from 7534a62 to 27e1c92 in /test/export/fake-subscriber (#4236) #4236 (dependabot[bot])
• bump golang from 7534a62 to 27e1c92 (#4231) #4231 (dependabot[bot])
• bump the k8s group across 1 directory with 6 updates (#4242) #4242 (dependabot[bot])
• bump the all group across 1 directory with 5 updates (#4244) #4244 (dependabot[bot])
• bump golang from 7534a62 to 27e1c92 in /test/export/fake-reader (#4235) #4235 (dependabot[bot])
• bump golang from 7534a62 to 27e1c92 in /test/externaldata/dummy-provider (#4234) #4234 (dependabot[bot])
• Prepare v3.22.0-beta.0 release (#4249) #4249 (github-actions[bot])

v3.21.0

🚀 Notable Changes

• 🛠️ New flag: sync-vap-enforcement-scope has been introduced to unify the ValidatingAdmissionPolicy(VAP) enforcement surface with the ConstraintTemplate enforcement surface. This syncs VAP resource scope with Gatekeeper's ValidatingWebhookConfigurations, Config resource exclusions, and exempt-namespace–based exemptions. This improves enforcement consistency across all policy mechanisms.
• 🧩 Granular Operation-Level Controls for ConstraintTemplates: ConstraintTemplates now support defining operations on which a template should be enforced (e.g., CREATE, UPDATE, DELETE).
• 📈 Enhanced Metrics & Status for External Data (Provider API): Added new metrics and status reporting for the External Data / Provider API feature, improving observability and overall user experience when integrating external data sources into policy evaluation.

Call to action

Beginning in v3.22 (February 18, 2026), the sync-vap-enforcement-scope flag will default to true and will be removed in a future release. When this flag is removed, Gatekeeper will always generate Validating Admission Policy (VAP) resources by combining enforcement inputs from the admission webhook configuration, Gatekeeper’s configuration resource, and namespace-exemption settings. All applicable enforcement criteria will be merged into the resulting VAP resource.

Impact:
If you have explicitly set this flag to false, the enforcement scope of Gatekeeper-managed VAP resources will change, which may cause unexpected behavior in your environment. If you have concerns about removing this flag and would prefer it to remain, please add your feedback in #4302.

Features

• Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
• gator verify - support multiple expansions for per test case (#3981) #3981 (Halvdan Hoem Grelland)
• Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
• External data status metrics (#4115) #4115 (Jaydip Gabani)
• Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
• support DELETE operation type when generate VAP (#4030) #4030 (DahuK)

Bug Fixes

• spelling errors in deprecated documentation (#4138) #4138 (Copilot)
• updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
• Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
• Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
• load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)

Documentation

• update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
• add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
• adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)

Continuous Integration

• adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)

Chores

• Prepare v3.21.0 release (#4247) #4247 (github-actions[bot])
• bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
• bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
• updating k8s version and dep verions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
• bump golang from ef8c5c7 to 2679c15 in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
• bump frameworks (#4104) #4104 (Noah Reisch)
• updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
• bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
• bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])
• bump the all group across 1 directory with 8 updates (#4127) #4127 (dependabot[bot])
• bump github.com/onsi/gomega from 1.38.0 to 1.38.1 (#4126) #4126 (dependabot[bot])
• bump the k8s group with 5 updates (#4111) #4111 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-reader (#4091) #4091 (dependabot[bot])
• bump kubectl from v1.33.3 to v1.33.4 (#4107) #4107 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 (#4096) #4096 (dependabot[bot])
• bump ...

v3.21.0-rc.1

Bug Fixes

• bumping frameworks (#4221) (#4224) #4224 (Jaydip Gabani)

Chores

• Prepare v3.21.0-rc.1 release (#4226) #4226 (github-actions[bot])

v3.21.0-rc.0

Features

• Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
• gator verify - support multiple expansions for per test case (#3981) #3981 (Halvdan Hoem Grelland)
• Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
• External data status metrics (#4115) #4115 (Jaydip Gabani)
• Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
• support DELETE operation type when generate VAP (#4030) #4030 (DahuK)

Bug Fixes

• spelling errors in deprecated documentation (#4138) #4138 (Copilot)
• updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
• Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
• Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
• load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)

Documentation

• update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
• add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
• adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)

Continuous Integration

• adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)

Chores

• bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
• bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
• updating k8s version and dep verions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
• bump golang from ef8c5c7 to 2679c15 in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
• bump frameworks (#4104) #4104 (Noah Reisch)
• updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
• bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
• bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])
• bump the all group across 1 directory with 8 updates (#4127) #4127 (dependabot[bot])
• bump github.com/onsi/gomega from 1.38.0 to 1.38.1 (#4126) #4126 (dependabot[bot])
• bump the k8s group with 5 updates (#4111) #4111 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-reader (#4091) #4091 (dependabot[bot])
• bump kubectl from v1.33.3 to v1.33.4 (#4107) #4107 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 (#4096) #4096 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm (#4108) #4108 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-reader (#4114) #4114 (dependabot[bot])
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/export/fake-subscriber (#4093) #4093 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/export/fake-subscriber (#4112) #4112 (dependabot[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/externaldata/dummy-provider (#4113) #4113 (dependabot[bot])
• Patch docs for 3.20.1 release (#4134) #4134 (github-actions[bot])
• bump golang from 1.24-bookworm to 1.25-bookworm in /test/image (#4110) #4110 (dependabot[bot])
• bump golang from 81dc45d to 6ad9415 in /test/export/fake-subscriber (#4146) [#4146](https://github.com/open-poli...

v3.20.1

Bug Fixes

• bumping kubectl and golang through cherry-picks (#4132) #4132 (Jaydip Gabani)

Chores

• bump frameworks v0.18.1 (#4117) #4117 (Noah Reisch)
• Prepare v3.20.1 release (#4133) #4133 (github-actions[bot])

v3.21.0-beta.0

Bug Fixes

• increase webhook latency buckets up to 10 seconds (#4037) #4037 (David Blum)
• removing readinessprobe for webhook at start of the pod (#4059) #4059 (Jaydip Gabani)

Chores

• bump golang from ee7ff13 to 10f549d in /test/export/fake-reader (#4046) #4046 (dependabot[bot])
• bump the all group with 2 updates (#4044) #4044 (dependabot[bot])
• bump golang from ee7ff13 to 10f549d in /test/export/fake-subscriber (#4045) #4045 (dependabot[bot])
• bump golang from 10f549d to 69adc37 in /test/export/fake-subscriber (#4053) #4053 (dependabot[bot])
• bump golang from 10f549d to 69adc37 in /test/export/fake-reader (#4052) #4052 (dependabot[bot])
• Patch docs for 3.19.3 release (#4056) #4056 (github-actions[bot])
• bump the all group across 1 directory with 2 updates (#4066) #4066 (dependabot[bot])
• bump kubectl from v1.33.2 to v1.33.3 (#4063) #4063 (dependabot[bot])
• bump the k8s group with 5 updates (#4062) #4062 (dependabot[bot])
• Prepare v3.21.0-beta.0 release (#4068) #4068 (github-actions[bot])