Enterprise Kyverno Images
Container images for N4K v1.14.3-n4k.nirmata.2
The latest version of the 1.13 release of Enterprise Kyverno is v1.14.3-n4k.nirmata.2.
For a complete list of changes, refer to the upstream Changelog.
Reports Server Updates:
(Kubernetes Issue #122668) where multiple components serving the same CustomResourceDefinitions (CRDs) via an APIService can lead to OpenAPI handler failures during cluster startup.
Reports Server serves the same report-related CRDs that Kyverno uses. When these CRDs are present both via the APIService (Reports Server) and within Kyverno’s installation, the Kubernetes apiserver may detect duplicate API paths, resulting in temporary failures, including potential crash loops of Kyverno pods until the APIService becomes fully available.
To mitigate this, native reports server installation with n4k:
separate chart:
This installation sequence avoids CRD conflicts and ensures stable operation.
Controller Report Breaker Enhancement (PR #13641)
Fixed a critical issue where controller initialization would fail completely if ephemeral reports list+watch operations encountered errors. This problem particularly affected clusters that depend on the reports server, where server unavailability could block the admission flow and cause serious cluster failures.
The fix implements:
Important Note: This fix addresses initialization-time failures only. Runtime issues are already handled by the existing circuit breaker functionality, which allows the admission workflow to continue normally when reports become unavailable during operation.
Misc
values.yaml
file.helm install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set crds.reportsServer.enabled=true
Starting this release, the default value of crds.reportsServer.enabled
has changed from true
to false
.
Reports Server Updates:
config.etcd.autoCompaction.mode
and config.etcd.autoCompaction.retention
fields to override the default values.autoscaling.enabled
field to turn it on and also specify the HPA behavior.Report Server Installation Advisory
In N4K versions 1.13.6 and 1.14, we have removed the built-in Reports Server dependency from the N4K Helm chart to avoid installation conflicts. This change was driven by an upstream Kubernetes issue where multiple components serving the same CustomResourceDefinitions (CRDs) via an APIService can lead to OpenAPI handler failures during cluster startup.
In our case, the Reports Server serves the same report-related CRDs that Kyverno uses. When these CRDs are present both via the APIService (Reports Server) and within Kyverno’s installation, the Kubernetes apiserver may detect duplicate API paths, resulting in temporary failures, including potential crash loops of Kyverno pods until the APIService becomes fully available.
To mitigate this:
This installation sequence avoids CRD conflicts and ensures stable operation.
We strongly recommend keeping Reports Server and Enterprise Kyverno as separate Helm deployments until we deliver a patch that supports a consolidated Helm chart.
Refer to the following guides for separate deployments:
Container images for N4K v1.14.3-n4k.nirmata.2