--- title: "Nirmata Enterprise for Kyverno" description: "Contains release notes for Nirmata Enterprise for Kyverno releases" diataxis: reference applies_to: product: "nirmata-control-hub" audience: ["platform-engineer"] last_updated: 2026-03-25 url: https://docs.nirmata.io/docs/release-notes/n4k/ --- This section contains the major feature improvements and bug fixes for each release of Enterprise Kyverno. --- ## v1.17 The latest version of the 1.17 release of Enterprise Kyverno is **v1.17.0-n4k.nirmata.1**. For a complete list of changes, refer to the upstream Changelog. - [v1.17.0](https://github.com/kyverno/kyverno/releases/tag/v1.17.0) ## v1.17.0-n4k.nirmata.1 ### Kubernetes Compatibility - Added support for Kubernetes 1.35. --- ## v1.16 The latest version of the 1.16 release of Enterprise Kyverno is **v1.16.1-n4k.nirmata.4**. For a complete list of changes, refer to the upstream Changelog. - [v1.16.0](https://github.com/kyverno/kyverno/releases/tag/v1.16.0) - [v1.16.1](https://github.com/kyverno/kyverno/releases/tag/v1.16.1) ## v1.16.0-n4k.nirmata.5 ### Major Additions - Introduced namespaced policy types: **NamespacedValidatingPolicy**, **NamespacedImageValidatingPolicy**, and **NamespacedDeletingPolicy** for namespace-scoped policy enforcement. - Added `v1beta1` API versions for all CEL policy types (Validating, Mutating, Generating, Deleting, ImageValidating). - Support for fine-grained CEL exceptions, enabling precise and flexible policy exception handling. - Added new support for CEL performance metrics, CLI shell completion, and expanded policy reporting options. ### Fixes - Fixed CLI reporting issues and addressed multiple policy engine edge cases (including resource matching and panic handling). - Resolved reporting and queue handling issues in background scans for new policy types. - Patched bugs with namespace selector matching and improved log clarity. ### Other Improvements - Enhanced match logic by allowing CEL libraries to be used within `matchConditions`. - Added compatibility for Kubernetes v1.30–v1.32 podSecurity admission subrules. - Helm chart improvements, including CRDs and templating refinements. ## v1.16.1-n4k.nirmata.4 ### Fixes & Improvements - Fixed nil namespace initialization for cluster-wide param resources to avoid unexpected issues. - Fixed registration of HTTP request types to prevent unintended behavior. - Enhanced namespace matching including wildcards and namespaceSelector handling. - Various controller and admission fixes (duplicate error handling, cleanup logic, and MatchConstraints handling). - Fixed issue to ensure GVK (GroupVersionKind) information is set when recording metrics. - Fixed missing execution of metrics for some controllers. ### Features - Added support to generate and copy CRDs to CLI for NamespacedValidatingPolicy and NamespacedDeletingPolicy. --- ## v1.15 The latest version of the 1.15 release of Enterprise Kyverno is **v1.15.2-n4k.nirmata.1**. For a complete list of changes, refer to the upstream Changelog. - [v1.15.0](https://github.com/kyverno/kyverno/releases/tag/v1.15.0) - [v1.15.1](https://github.com/kyverno/kyverno/releases/tag/v1.15.1) - [v1.15.2](https://github.com/kyverno/kyverno/releases/tag/v1.15.2) ## v1.15.2-n4k.nirmata.1 **Bug Fixes** - Backport a bug fix for custom messages in pod controllers ([PR #13952](https://github.com/kyverno/kyverno/pull/13952)). ## v1.15.1-n4k.nirmata.1 **New Policy Types** - MutatingAdmissionPolicy (MPOL) with admission flow integration, background reporting, mutate existing resources, and CLI support - GeneratingPolicy (GPOL) with admission flow integration, background reporting, generate existing resources, and CLI support - DeletingPolicy (DPOL) with in-cluster and off-cluster cleanup capabilities via CLI operations **OpenReports Integration (Alpha)** - Switched policy reports to OpenReports implementation **CLI Enhancements** - Multiple output formats (JSON, YAML, Markdown, JUnit) for test command - Added `--cluster-wide-resources` flag to apply command - Added `skipColor` flag for CLI output - Support for cloning from private repositories in apply command - Fixed YAML separator support in LoadTest with proper error handling ### Changes - ValidatingAdmissionPolicy generation enabled by default - Renamed CEL operator `image()` to `parseImageReference` - Removed deprecated CLI APIs - Improved ValidatingAdmissionPolicy performance ### Bug Fixes - Fixed CVE-2025-47907 security vulnerability - Fixed JSON logging format issues - Fixed panic when resolving kinds fails for CEL-based policies - Fixed GlobalContextEntry refresh interval updates - Fixed reports controller wildcard resource matching - Fixed shallow variable escaping during validation - Updated OpenReports module references ### Helm Chart Updates - Added MutatingAdmissionPolicy and ValidatingAdmissionPolicy CRDs - Enhanced ServiceMonitor annotations support - Added PodDisruptionBudget configuration options - Service account token automount configuration - Support for Kubernetes 1.31+ traffic distribution ### Dependencies - Bumped Kubernetes dependencies to v1.33 - Updated security and tooling dependencies --- ## v1.14 The latest version of the 1.14 release of Enterprise Kyverno is **v1.14.4-n4k.nirmata.1**. The latest container images can be inferred from the `appVersion` of the Helm chart (https://github.com/nirmata/kyverno-charts/blob/release-1.14-n4k/charts/nirmata/Chart.yaml) For a complete list of changes, refer to the upstream Changelog. - [v1.14.0](https://github.com/kyverno/kyverno/releases/tag/v1.14.0) - [v1.14.1](https://github.com/kyverno/kyverno/releases/tag/v1.14.1) - [v1.14.2](https://github.com/kyverno/kyverno/releases/tag/v1.14.2) - [v1.14.3](https://github.com/kyverno/kyverno/releases/tag/v1.14.3) - [v1.14.4](https://github.com/kyverno/kyverno/releases/tag/v1.14.4) **Reports Server Updates:** ([Kubernetes Issue #122668](https://github.com/kubernetes/kubernetes/issues/122668#issuecomment-2577138150)) where multiple components serving the same CustomResourceDefinitions (CRDs) via an APIService can lead to OpenAPI handler failures during cluster startup. Reports Server serves the same report-related CRDs that Kyverno uses. When these CRDs are present both via the APIService (Reports Server) and within Kyverno’s installation, the Kubernetes apiserver may detect duplicate API paths, resulting in temporary failures, including potential crash loops of Kyverno pods until the APIService becomes fully available. To mitigate this, native reports server installation with n4k(Recommended): * **Nirmata Enterprise for Kyverno** chart can install reports server natively, init containers for Nirmata Enterprise for Kyverno controllers will wait till it's APIService registers the report CRDs. separate chart: * Install **Reports Server first**, allowing its APIService to register the report CRDs. * Once the Reports Server is fully up and its APIService is ready, install **Nirmata Enterprise for Kyverno** separately, so that Kyverno can detect the existing CRDs without attempting to install them again. This installation sequence avoids CRD conflicts and ensures stable operation. * [Nirmata Enterprise for Kyverno with Reports Server](/docs/controllers/n4k/reports-server/#installation) * [Nirmata Enterprise for Kyverno without Reports Server](/docs/controllers/n4k/getting-started-with-n4k/) ## v1.14.4-n4k-nirmata.1 * Contains the backport fix for `lastRefreshInterval` of `GlobalContextEntry` [(**PR #13700**)](https://github.com/kyverno/kyverno/pull/13700). ## v1.14.3-n4k.nirmata.4 ### Bug Fixes **Controller Report Breaker Enhancement ([PR #13641](https://github.com/kyverno/kyverno/pull/13641))** Fixed a critical issue where controller initialization would fail completely if ephemeral reports list+watch operations encountered errors. This problem particularly affected clusters that depend on the reports server, where server unavailability could block the admission flow and cause serious cluster failures. The fix implements: - Centralized access to the reports creation entity (reports breaker) - Mock entity replacement when initialization fails - Background retry mechanism to continuously attempt watch establishment - Improved resilience during controller startup **Important Note:** This fix addresses initialization-time failures only. Runtime issues are already handled by the existing circuit breaker functionality, which allows the admission workflow to continue normally when reports become unavailable during operation. **Misc** - Additional security vulnerability patches - Fixed FIPS image workflow ## v1.14.3-n4k.nirmata.2 ### Major Changes * Reports server is now disabled by default. If you are using Nirmata Enterprise for Kyverno, and want to install the reports-server chart, set the following values in the `values.yaml` file. ```sh helm install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set crds.reportsServer.enabled=true ```text Starting this release, the default value of `crds.reportsServer.enabled` has changed from `true` to `false`. **Reports Server Updates:** * Added support for etcd compaction (auto compaction enabled by default). Use the `config.etcd.autoCompaction.mode` and `config.etcd.autoCompaction.retention` fields to override the default values. * Optionally configure HPA for reports-server. Autoscaling is disabled by default. Use the `autoscaling.enabled` field to turn it on and also specify the HPA behavior. * Added default resource requests and limits for reports-server pod. However, it is recommended to monitor for these values in production and adjust accordingly. ## v1.14.3-n4k.nirmata.1 ### Known Issues **Report Server Installation Advisory** In Nirmata Enterprise for Kyverno versions 1.13.6 and 1.14, we have removed the built-in Reports Server dependency from the Nirmata Enterprise for Kyverno Helm chart to avoid installation conflicts. This change was driven by an upstream Kubernetes issue where multiple components serving the same CustomResourceDefinitions (CRDs) via an APIService can lead to OpenAPI handler failures during cluster startup. In our case, the Reports Server serves the same report-related CRDs that Kyverno uses. When these CRDs are present both via the APIService (Reports Server) and within Kyverno’s installation, the Kubernetes apiserver may detect duplicate API paths, resulting in temporary failures, including potential crash loops of Kyverno pods until the APIService becomes fully available. To mitigate this: * Install **Reports Server first**, allowing its APIService to register the report CRDs. * Once the Reports Server is fully up and its APIService is ready, install **Nirmata Enterprise for Kyverno** separately, so that Kyverno can detect the existing CRDs without attempting to install them again. This installation sequence avoids CRD conflicts and ensures stable operation. We **strongly recommend** keeping Reports Server and Enterprise Kyverno as separate Helm deployments until we deliver a patch that supports a consolidated Helm chart. Refer to the following guides for separate deployments: * [Nirmata Enterprise for Kyverno with Reports Server](/docs/controllers/n4k/reports-server/#installation) * [Nirmata Enterprise for Kyverno without Reports Server](/docs/controllers/n4k/getting-started-with-n4k/) --- ## v1.13 The latest version of the 1.13 release of Enterprise Kyverno is **v1.13.6-n4k.nirmata.2**. For a complete list of changes, refer to the upstream Changelog. - [v1.13.0](https://github.com/kyverno/kyverno/releases/tag/v1.13.0) - [v1.13.1](https://github.com/kyverno/kyverno/releases/tag/v1.13.1) - [v1.13.2](https://github.com/kyverno/kyverno/releases/tag/v1.13.2) - [v1.13.4](https://github.com/kyverno/kyverno/releases/tag/v1.13.4) - [v1.13.5](https://github.com/kyverno/kyverno/releases/tag/v1.13.5) - [v1.13.6](https://github.com/kyverno/kyverno/releases/tag/v1.13.6) **Report Server Installation Advisory** ([Kubernetes Issue #122668](https://github.com/kubernetes/kubernetes/issues/122668#issuecomment-2577138150)) where multiple components serving the same CustomResourceDefinitions (CRDs) via an APIService can lead to OpenAPI handler failures during cluster startup. Reports Server serves the same report-related CRDs that Kyverno uses. When these CRDs are present both via the APIService (Reports Server) and within Kyverno’s installation, the Kubernetes apiserver may detect duplicate API paths, resulting in temporary failures, including potential crash loops of Kyverno pods until the APIService becomes fully available. To mitigate this, native reports server installation with n4k(Recommended): * **Nirmata Enterprise for Kyverno** chart can install reports server natively, init containers for Nirmata Enterprise for Kyverno controllers will wait till it's APIService registers the report CRDs. separate chart: * Install **Reports Server first**, allowing its APIService to register the report CRDs. * Once the Reports Server is fully up and its APIService is ready, install **Nirmata Enterprise for Kyverno** separately, so that Kyverno can detect the existing CRDs without attempting to install them again. This installation sequence avoids CRD conflicts and ensures stable operation. * [Nirmata Enterprise for Kyverno with Reports Server](/docs/controllers/n4k/reports-server/#installation) * [Nirmata Enterprise for Kyverno without Reports Server](/docs/controllers/n4k/getting-started-with-n4k/) ## v1.13.6-n4k.nirmata.10 **Targeted Report Reconciliation on Policy Changes ([PR #13664](https://github.com/kyverno/kyverno/pull/13664))** Previously, the reports controller would reprocess all reports whenever any policy changed, leading to significant performance issues in large clusters. This update introduces: - A cache mapping report UUIDs to the policies that affect them - Replacement of `enqueueAll()` with a targeted `enqueueReportsForPolicy()` method - Reconciliation now only processes reports actually impacted by a given policy change - A background cleanup routine to prevent memory leaks in the cache **Impact:** This change dramatically reduces CPU usage and reconciliation latency by ensuring that only relevant reports are processed when policies change, rather than all reports in the cluster. **Dynamic Watcher Resource Hash Optimization ([PR #13693](https://github.com/kyverno/kyverno/pull/13693))** Switched to a lazy loading model for updating dynamic watcher resource hashes, eliminating the need for expensive list calls on every update. Improvements include: - Resource hashes are now updated only when required, rather than proactively on every event - Avoids unnecessary list calls, reducing API server load and improving scalability ### Security Fixes - [GHSA-fv92-fjc5-jj9h](https://github.com/advisories/GHSA-fv92-fjc5-jj9h) - [CVE-2025-47907](https://nvd.nist.gov/vuln/detail/CVE-2025-47907) ## v1.13.6-n4k.nirmata.7 ### Bug Fixes **Controller Report Breaker Enhancement ([PR #13641](https://github.com/kyverno/kyverno/pull/13641))** Fixed a critical issue where controller initialization would fail completely if ephemeral reports list+watch operations encountered errors. This problem particularly affected clusters that depend on the reports server, where server unavailability could block the admission flow and cause serious cluster failures. The fix implements: - Centralized access to the reports creation entity (reports breaker) - Mock entity replacement when initialization fails - Background retry mechanism to continuously attempt watch establishment - Improved resilience during controller startup **Important Note:** This fix addresses initialization-time failures only. Runtime issues are already handled by the existing circuit breaker functionality, which allows the admission workflow to continue normally when reports become unavailable during operation. **JMESPath Expression Safety ([PR #13138](https://github.com/kyverno/kyverno/pull/13138))** Resolved panic conditions in the `getValueAsStringMap` function when processing malformed JMESPath expressions. The function would previously crash when encountering nil or non-string values in map structures, particularly when using the `{{@}}` variable with non-existent functions. Improvements include: - Added proper nil checking before type assertions - Implemented safe type switching for non-string values - Comprehensive test coverage (increased from 16% to 70%) - Enhanced error handling for malformed expressions **Misc** - Additional security vulnerability patches - Fixed FIPS image workflow ## v1.13.6-n4k.nirmata.2 ### Breaking Changes **Default exception settings:** the Helm chart values of the prior versions enabled exceptions by default for all namespaces. This creates a potential security issue. See [CVE-2024-48921](https://github.com/kyverno/kyverno/security/advisories/GHSA-qjvc-p88j-j9rm) for more details. This change will impact users who were relying on policy exceptions to be enabled in all namespaces. If you do not want to use Policy Exceptions, you can continue to use the default installation settings. If you were not using Policy Exceptions previously and want to use it from 1.13 onwards, it is advised to set `features.policyExceptions.enabled` to `true` in the `values.yaml` file and store exceptions in a dedicated namespace by setting `features.policyExceptions.namespace` to `nirmata-exceptions`. If you were using Policy Exceptions previously, when upgrading to this new version, set `features.policyExceptions.enabled` to `true` in the `values.yaml` file, and set the exception namespace value to the namespace that you used for storing exceptions. For example, if exceptions were stored in the `kyverno` namespace, then set `features.policyExceptions.namespace` to `kyverno`. Since it was possible to create exceptions in any namespace before, in order to maintain backwards compatibility, you can also set `features.policyExceptions.namespace` to `*`. > NOTE: Limiting exceptions to a specific namespace is recommended. **disableAutoWebhookGeneration flag:** The disableAutoWebhookGeneration flag in Kyverno is a configuration option that allows users to prevent Kyverno from automatically generating webhooks for policies during or after installation. By default, Kyverno manages webhooks to ensure its policies are applied to Kubernetes resources, but in certain cases, users may want to control or manage webhooks manually. When this flag is set to true, Kyverno will not automatically create or modify the webhooks that connect its policies to the Kubernetes API server. This can be useful in scenarios where: - Manual control over webhook management is desired. - Custom webhook configurations are needed for specific use cases, such as integrating with third-party systems or configuring webhooks differently. - A user wants to avoid webhook generation on clusters where webhooks are already in place or managed separately. You can enable the `disableAutoWebhookGeneration` flag by setting the `config.disableAutoWebhookGeneration.enable` to `true` and specifying name of the webhooks to disable by adding values to `config.disableAutoWebhookGeneration.webhooks` in `values.yaml` file. Or You can directly enable the flag and specify the webhook names to disable while installing n4k charts. Example: ```bash helm install kyverno nirmata/kyverno -n kyverno --create-namespace --set config.disableAutoWebhookGeneration.enable=true --set "config.disableAutoWebhookGeneration.webhooks={ kyverno-policy-validating-webhook-cfg,kyverno-exception-validating-webhook-cfg}" ``` This setting can be especially helpful when integrating Kyverno in environments where other tools or manual processes already manage webhook configurations, ensuring that Kyverno does not interfere with or overwrite those setups. ### Major Changes * Reports server is now disabled by default. If you are using Nirmata Enterprise for Kyverno, and want to install the reports-server chart, set the following values in the `values.yaml` file. ```sh helm install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set crds.reportsServer.enabled=true ```text Starting this release, the default value of `crds.reportsServer.enabled` has changed from `true` to `false`. **Reports Server Updates:** * Added support for etcd compaction (auto compaction enabled by default). Use the `config.etcd.autoCompaction.mode` and `config.etcd.autoCompaction.retention` fields to override the default values. * Optionally configure HPA for reports-server. Autoscaling is disabled by default. Use the `autoscaling.enabled` field to turn it on and also specify the HPA behavior. * Added default resource requests and limits for reports-server pod. However, it is recommended to monitor for these values in production and adjust accordingly. ### CVE Fixes * Fixed High CVEs (2025-22874 , 2025-26569) * Fixed Medium CVEs (2025-0913, 2025-4673) --- ## v1.12 The latest version of the 1.12 release of Enterprise Kyverno is **v1.12.6-n4k.nirmata.1**. ## v1.12.6-n4k.nirmata.5 ### CVE Fixes * Fixed High CVEs (2025-22874 , 2025-26569) * Fixed Medium CVEs (2025-0913, 2025-4673) ## v1.12.6-n4k.nirmata.1 ### Nirmata Enterprise for Kyverno-only Improvements * [Feature] Remove cleanup cronjobs for updateRequests and ephemeralReports [#10694](https://github.com/kyverno/kyverno/issues/10694) * [Feature] Remove wildcard permissions in Kyverno [#10785](https://github.com/kyverno/kyverno/pull/10785) The updates below can also be found on the Kyverno [GitHub release page](https://github.com/kyverno/kyverno/releases/tag/v1.12.6). ### Fixed * Change: Disable updaterequest cleanup cronjob ([#10678](https://github.com/kyverno/kyverno/pull/10678)) * Fix(helm): Remove namespace from RoleBinding/roleRef field ([#10685](https://github.com/kyverno/kyverno/pull/10685)) * Fix: Properly use useCache field in image verification policies ([#10709](https://github.com/kyverno/kyverno/pull/10709)) * Fix: Check for the client being nil before applying a mutation ([#10726](https://github.com/kyverno/kyverno/pull/10726)) * Fix: Resource namespace checks for Kyverno CLI ([#10738](https://github.com/kyverno/kyverno/pull/10738)) * Fix: Range through all resources to build webhook ([#10748](https://github.com/kyverno/kyverno/pull/10748)) * Fix: Get namespace labels before creating a policy context ([#10773](https://github.com/kyverno/kyverno/pull/10773)) * Fix: Wrong evaluation of pod security standard version ([#10924](https://github.com/kyverno/kyverno/pull/10924)) * Fix: Frequent API GET/UPDATE requests regarding webhooks reconciliation when no policies ([#11203](https://github.com/kyverno/kyverno/pull/11203), [#11225](https://github.com/kyverno/kyverno/pull/11225), [#11230](https://github.com/kyverno/kyverno/pull/11230), [#11233](https://github.com/kyverno/kyverno/pull/11233)) ### Others * Fix: Bump docker in release 1.12 ([#11088](https://github.com/kyverno/kyverno/pull/11088)) * Fix: Updated Go version to v1.22.7 to address [CVE-2024-34156](https://github.com/advisories/GHSA-crqm-pwhx-j97f) ([#11142](https://github.com/kyverno/kyverno/pull/11142)) * Chore: Bump chainsaw ([#10687](https://github.com/kyverno/kyverno/pull/10687)) * Chore: Bump github.com/docker/docker from 26.1.3+incompatible to 26.1.4+incompatible ([#10750](https://github.com/kyverno/kyverno/pull/10750)) ## v1.12.3-n4k.nirmata.2 The major improvements of the above version are mentioned below. For a complete list of all the changes made in Kyverno v1.12.0, refer to its [GitHub release page](https://github.com/kyverno/kyverno/releases/tag/v1.12.0). - Starting from v1.12, the Nirmata Enterprise for Kyverno repository is now private. - Availability of Reports Server from Nirmata Enterprise for Kyverno v1.12. Learn more about Reports Server from the [official Nirmata documentation](https://docs.nirmata.io/docs/n4k/getting-started-with-n4k/reports-server/). - Fixed [issue 10556](https://github.com/kyverno/kyverno/issues/10556) in v1.12. --- ## EOL Releases ## v1.12.6-n4k.nirmata.5 Enterprise Kyverno 1.12 reached End of Support on January 24, 2026. ### CVE Fixes * Fixed High CVEs (2025-22874 , 2025-26569) * Fixed Medium CVEs (2025-0913, 2025-4673) ### Nirmata Enterprise for Kyverno-only Improvements (v1.12.6-n4k.nirmata.1) * [Feature] Remove cleanup cronjobs for updateRequests and ephemeralReports [#10694](https://github.com/kyverno/kyverno/issues/10694) * [Feature] Remove wildcard permissions in Kyverno [#10785](https://github.com/kyverno/kyverno/pull/10785) For a complete list of all the changes, refer to the [GitHub release page](https://github.com/kyverno/kyverno/releases/tag/v1.12.6). ## v1.11.4-n4k.nirmata.6 The major improvements in this version are listed below. For a complete list of all changes made in Kyverno v1.11.0, refer to its [GitHub release page](https://github.com/kyverno/kyverno/releases/tag/v1.11.0). - Optimization of JSON context using in-memory map ([#79](https://github.com/nirmata/kyverno/pull/79/commits/0517776e52444fb42ac1d5ec86bb5cebcee12458)) - Interpreter once created can be reused across searches ([#79](https://github.com/nirmata/kyverno/pull/79/commits/7d96e3b18d197d34566d03407bb729af47318e52)) - Configured operations in webhooks dynamically based on policy rules - Allows disabling of automatic webhook generation ## v1.10.7-n4k.nirmata.11 The major improvements in this version are listed below. For a complete list of all changes made in Kyverno v1.10.0, refer to its [GitHub release page](https://github.com/kyverno/kyverno/releases/tag/v1.10.0). - Skipping of other checks if there is a mismatch in operations ([#23](https://github.com/nirmata/kyverno/pull/23)) - Interpreter added for reuse of JMESPath ([#24](https://github.com/nirmata/kyverno/pull/24)) - Optimization of JSON context using in-memory map ([#25](https://github.com/nirmata/kyverno/pull/25)) - Configured operations in webhooks dynamically based on policy rules - Admission reports can have labels beyond 63 characters - Provides the option to selectively install components - Allows disabling of automatic webhook generation - SBOM generation is made optional