Upgrading Kyverno

Kyverno supports the same upgrade methods as those supported for installation. The sections below cover both the Helm chart and the YAML manifest. Because new versions of Kyverno often change a number of supporting resources, including CRDs, an upgrade cannot be done simply by bumping an image tag.

Kyverno 1.10 introduced breaking changes, so upgrades to 1.10 or any later version are limited in nature. Always read the complete release notes for a version before upgrading to it. If you skip a minor version, read the release notes for each minor version in between as well.

Upgrade Kyverno with YAML

Direct upgrades from previous versions are not supported when using the YAML manifest approach. To uninstall, use the release manifest from the same tagged release that was used to install. Once Kyverno is removed, follow the installation instructions to install the new version.

Upgrade Kyverno with Helm

An upgrade via Helm from a version prior to Kyverno 1.10 to 1.10 or higher requires manual intervention and cannot be performed as a direct upgrade. See the Helm chart v2 to v3 migration guide for more complete information.

Upgrading to Kyverno v1.13

Breaking Changes

Kyverno version 1.13 contains the following breaking configuration changes:

  1. Removal of wildcard permissions: prior versions contained wildcard view permissions, which allowed the Kyverno controllers to view all resources, including Secrets and other sensitive information. In 1.13 the wildcard view permission was removed and a role binding to the default view role was added. See the documentation section on Role Based Access Controls for more details. This change does not affect policies during admission control, but it may affect reports, and it may affect users with mutate and generate policies on custom resources, because the controller may no longer be able to view those custom resources.

To upgrade to 1.13 and continue to allow wildcard view permissions for all Kyverno controllers, use a Helm values file that grants these permissions as shown below:

```yaml
admissionController:
  clusterRole:
    extraResources:
      - apiGroups:
          - '*'
        resources:
          - '*'
        verbs:
          - get
          - list
          - watch
backgroundController:
  clusterRole:
    extraResources:
      - apiGroups:
          - '*'
        resources:
          - '*'
        verbs:
          - get
          - list
          - watch
reportsController:
  clusterRole:
    extraResources:
      - apiGroups:
          - '*'
        resources:
          - '*'
        verbs:
          - get
          - list
          - watch
```

NOTE: using wildcard permissions is not recommended. Use explicit permissions instead.

  2. Default exception settings: the Helm chart values of prior versions enabled exceptions by default for all namespaces, which creates a potential security issue; see CVE-2024-48921 for details. This change affects users who were relying on policy exceptions being enabled in all namespaces.

To maintain backwards compatibility, you can configure the Helm chart values to match the prior version's behaviour. To upgrade to 1.13 and continue to allow exceptions in all namespaces, set the Helm value features.policyExceptions.namespace to *:

```shell
helm upgrade kyverno kyverno/kyverno -n kyverno --set features.policyExceptions.enabled=true --set features.policyExceptions.namespace="*"
```

NOTE: limiting exceptions to a specific namespace is recommended.
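As an added example (not part of the Kyverno documentation or chart), the following Helm values file applies both recommendations above at once: instead of the wildcard grants it gives only the background and reports controllers read access to a hypothetical custom resource (the API group `example.com` and resource `widgets` are assumed placeholders), and it confines policy exceptions to a single dedicated namespace, `kyverno-exceptions` (also an assumed name), instead of `*`.

```yaml
# Added example, not from the Kyverno docs: explicit permissions instead of
# wildcards, and exceptions confined to one namespace.
# "example.com" / "widgets" are assumed placeholders; replace them with the
# custom resources that your mutate and generate policies actually touch.
backgroundController:
  clusterRole:
    extraResources:
      - apiGroups:
          - example.com
        resources:
          - widgets
        verbs:
          - get
          - list
          - watch
        # A generate rule that creates widgets would additionally need
        # create, update and delete on this resource.

reportsController:
  clusterRole:
    extraResources:
      - apiGroups:
          - example.com
        resources:
          - widgets
        verbs:
          - get
          - list
          - watch

# The admission controller is deliberately not listed: admission-time
# validation does not depend on the removed wildcard view permission.

features:
  policyExceptions:
    enabled: true
    # One dedicated namespace instead of "*" (assumed name).
    namespace: kyverno-exceptions
```

Apply it with `helm upgrade kyverno kyverno/kyverno -n kyverno -f values.yaml`. Confining exceptions to one namespace means that the ability to exempt a workload from policy reduces to the ability to create PolicyException objects in that namespace, which can be restricted with ordinary RBAC. The narrowed ClusterRole can be verified after the upgrade with `kubectl auth can-i get secrets --as=system:serviceaccount:kyverno:kyverno-background-controller` (the service account name assumes the default release name), which should now answer no.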

Dropped API versions

Kyverno 1.13 drops deprecated API versions of its managed CustomResourceDefinitions. When upgrading with Helm, the migration of existing objects to the current storage version is handled automatically by a Helm hook. To upgrade Kyverno without Helm, or without the Helm hook, migrate the existing resources with kube-storage-version-migrator.

The affected CRDs are:

- cleanuppolicies.kyverno.io
- clustercleanuppolicies.kyverno.io
- clusterpolicies.kyverno.io
- globalcontextentries.kyverno.io
- policies.kyverno.io
- policyexceptions.kyverno.io
- updaterequests.kyverno.io
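As an added example, not taken from the Kyverno documentation, the following manifest asks kube-storage-version-migrator (which must already be installed in the cluster) to rewrite every stored object of one of the CRDs listed above in its current storage version. The `version` field must name the version that the 1.13 CRD marks as `storage: true`; `v1` for `clusterpolicies` is an assumed value here, so check the CRD's `spec.versions[].storage` field before applying.

```yaml
# Added example, not from the Kyverno docs. One StorageVersionMigration per
# affected resource; the migrator reads and re-writes each stored object so
# that the API server no longer needs the dropped versions to decode them.
apiVersion: migration.k8s.io/v1alpha1
kind: StorageVersionMigration
metadata:
  name: clusterpolicies-kyverno-io
spec:
  resource:
    group: kyverno.io
    resource: clusterpolicies
    # Assumed value: must match the version marked storage: true in the
    # clusterpolicies.kyverno.io CRD shipped with Kyverno 1.13.
    version: v1
```

Create one such object for each CRD in the list, then wait until its status reports a `Succeeded` condition. Only after the migration has finished should the dropped version be removed from the CRD's `status.storedVersions`; the API server rejects a CRD update that drops a version still recorded there, and clearing it is the step the Helm hook performs on your behalf.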