v1.35.0

🔒 Security & 🚀 features

This release fixes GHSA-wqcw-g35j-j578.
Please have a look at the accompanying blogpost: https://kubewarden.io/blog/2026/04/adm-controller-1.35-release

• feat: Add host-capabilities whitelist (#1693)

🐛 Bug Fixes

• fix(deps): update rust crate wasmparser to 0.247 (#1676)
• fix(deps): update go dependencies to v0.35.4 (#1675)
• fix(ci): install kwctl version from Github Action. (#1662)
• fix(ci): fix breaking input name changes from kubewarden/github-actions (#1660)

🧰 Maintenance

• deps(ci): Bump syft-installer to v5.1.1 (#1697)
• fix: allow usage of Go WASI policies built by go 1.26 (#1683)
• ci: Don't bump container FROM tags with updatecli anymore (#1681)
• fix: shorten cluster name to fit into 32 chars limit (#1669)
• chore(ci): Actually use opa checksum for v1.12.2 (#1668)
• chore: Declare rancher 2.15 compatibility (#1664)
• Revert "fix(ci): install kwctl version from Github Action." (#1667)
• fix(ci): Set opa checksum, fixes burrego e2e tests (#1661)
• build: v1.35.0 release (#1695)
• build(deps): lock file maintenance (#1692)
• chore(deps): update rust dependencies (#1686)
• chore(deps): update golang:1.26.2 docker digest to b54cbf5 (#1685)
• chore(deps): update rust crate rustls-webpki to v0.103.13 [security] (#1684)
• deps(rust): update Rust toolchain to 1.95.0 (#1680)
• fix(deps): update rust crate wasmparser to 0.247 (#1676)
• chore(deps): update otel/opentelemetry-collector docker tag to v0.150.1 (#1677)
• chore(deps): update golang:1.26.2 docker digest to 5f3787b (#1672)
• chore(deps): update alpine docker tag to v3.23.4 (#1673)
• chore(deps): update github actions (#1674)
• fix(deps): update go dependencies to v0.35.4 (#1675)
• build(deps): lock file maintenance (#1678)
• chore(deps): update rust crate rustls-webpki to v0.103.12 [security] (#1671)
• chore(deps): update github actions (#1666)
• chore(deps): update golang:1.26.2 docker digest to fcdb3e4 (#1654)
• build(deps): lock file maintenance (#1655)
• chore(deps): update github actions (major) (#1653)
• chore(deps): update rust dependencies (#1652)
• chore(deps): update github actions (#1651)

v1.34.2

• chore(deps): update wasmtime-provider (#1648)

🧰 Maintenance

• build: v1.34.2 release (#1650)

v1.34.1

• chore(deps): update wasmtime (#1642)
• chore: update go lang used in Dockerfile to v1.26.2 (#1643)

🧰 Maintenance

• build: v1.34.1 release (#1647)
• chore(deps): update rust dependencies (#1645)

v1.34.0

• chore: Port app-readme.md from helm-charts repo (#1632)
• ci: Check all autogenerated code (#1627)
• ci(release): Add contents read for build-kwctl step call (#1628)
• fix: pin versions and add checksum verifications (#1623)
• fix(ci): skip autolabeler in PR from forks (#1612)
• fix(ci): move permissions to job level (#1609)
• fix(ci): missing autolabeler permissions (#1608)
• fix(kwctl): normalize registry:// URIs to include explicit tag (#1595)
• feat(ci): Zizmor CI (#1596)
• chore: Remove unused GH workflows attestation.yml (#1606)
• feat: add workflow to inherit milestone from parent issue (#1573)

🐛 Bug Fixes

• fix(deps): update rust dependencies (#1636)
• fix(deps): update go dependencies (#1633)
• fix(deps): update rust dependencies (#1616)
• fix(deps): update rust dependencies (#1585)
• fix(deps): update go dependencies (#1600)

🧰 Maintenance

• build: v1.34.0 release (#1641)
• chore(deps): update github actions (#1634)
• build(deps): lock file maintenance (#1637)
• fix(deps): update rust dependencies (#1636)
• chore(deps): update otel/opentelemetry-collector docker tag to v0.149.0 (#1635)
• fix(deps): update go dependencies (#1633)
• build: v1.34.0-rc2 release (#1630)
• build: v1.34.0-rc1 release (#1625)
• chore(deps): update github actions (#1624)
• fix(deps): update rust dependencies (#1616)
• build(deps): lock file maintenance (#1622)
• chore(deps): update github actions (#1620)
• refactor(charts): Change generation of RBAC templates (#1520)
• chore(deps): update github actions (major) (#1617)
• deps(rust): update Rust toolchain to 1.94.1 (#1619)
• build(deps): lock file maintenance (#1618)
• chore(deps): update github actions (major) (#1527)
• fix(deps): update rust dependencies (#1585)
• fix(deps): update go dependencies (#1600)
• chore(deps): update github actions (#1599)
• chore(deps): update otel/opentelemetry-collector docker tag to v0.148.0 (#1601)
• build(deps): lock file maintenance (#1604)
• deps(rust): update Rust toolchain to 1.94.0 (#1605)

v1.34.0-rc2

• ci(release): Add contents read for build-kwctl step call (#1628)
• fix: pin versions and add checksum verifications (#1623)
• fix(ci): skip autolabeler in PR from forks (#1612)
• fix(ci): move permissions to job level (#1609)
• fix(ci): missing autolabeler permissions (#1608)
• fix(kwctl): normalize registry:// URIs to include explicit tag (#1595)
• feat(ci): Zizmor CI (#1596)
• chore: Remove unused GH workflows attestation.yml (#1606)
• feat: add workflow to inherit milestone from parent issue (#1573)

🐛 Bug Fixes

• fix(deps): update rust dependencies (#1616)
• fix(deps): update rust dependencies (#1585)
• fix(deps): update go dependencies (#1600)

🧰 Maintenance

• build: v1.34.0-rc2 release (#1630)
• build: v1.34.0-rc1 release (#1625)
• chore(deps): update github actions (#1624)
• fix(deps): update rust dependencies (#1616)
• build(deps): lock file maintenance (#1622)
• chore(deps): update github actions (#1620)
• chore(charts): controller-gen output file into charts. (#1520)
• chore(deps): update github actions (major) (#1617)
• deps(rust): update Rust toolchain to 1.94.1 (#1619)
• build(deps): lock file maintenance (#1618)
• chore(deps): update github actions (major) (#1527)
• fix(deps): update rust dependencies (#1585)
• fix(deps): update go dependencies (#1600)
• chore(deps): update github actions (#1599)
• chore(deps): update otel/opentelemetry-collector docker tag to v0.148.0 (#1601)
• build(deps): lock file maintenance (#1604)
• deps(rust): update Rust toolchain to 1.94.0 (#1605)

v1.33.1

• fix: Use correct chart versions for 1.33.1 (#1594)
• test: Consume mirrored kalaksi:tinyproxy image (#1593)
• ci(release): Bump attestation GHA to 4.6.0 (#1592)
• fix(ci): fix broken release, address issue during attestation step (#1589)
• deps: Consume testcontainers tinyproxy image from gitlab registry (#1588)
• feat: foward image pull secrets (#1583)

🐛 Bug Fixes

• fix(deps): update rust crate cached to 0.58 (#1565)
• fix(deps): update go dependencies (#1568)

🧰 Maintenance

• chore(deps): Bump google.golang.org/grpc from 1.79.2 to 1.79.3 (#1590)
• build: v1.33.1 release (#1587)
• build(deps): lock file maintenance (#1584)
• chore(deps): Update Helm chart dependencies (#1582)
• chore(deps): update module github.com/opencontainers/runc to v1.4.1 (#1578)
• build(deps): lock file maintenance (#1581)
• chore(deps): update rust dependencies (#1579)
• chore(deps): update github actions (#1577)
• fix(deps): update rust crate cached to 0.58 (#1565)
• fix(deps): update go dependencies (#1568)
• chore(deps): Update Helm chart dependencies (#1570)
• chore(deps): update golang docker tag to v1.26.1 (#1562)
• build(deps): lock file maintenance (#1569)
• chore(deps): update github actions (#1566)
• chore(deps): update otel/opentelemetry-collector docker tag to v0.147.0 (#1567)

v1.33.0

• Remove Cargo.lock from policy-server crate directory (#1560)
• deps(policy-fetcher): Consume oci-client 0.16.1 (#1551)
• docs: Update CRDs generated docs (#1549)
• docs(chart): Mark .Values.installPolicyReportCRDs as deprecated (#1536)
• test(policy-evaluator,policy-server): Fix flaky tests (#1522)
• refactor(test): Pass proxy config in Sources instead of env vars (#1518)
• ci: Add coverage for rust code (#1497)
• ci: add automated spelling check to CI (#1492)
• CI: Add CI step to check kwctl doc build (#1481)
• CI: Restore cross-platform cargo checks for kwctl (#1484)
• ci: add Cargo.toml version check to release workflow (#1482)
• ci(open-release-pr): Obtain desired version from workflow dispatch (#1455)

⚠️ Breaking changes

• chore!: Don't install wgpolicyk8s reports by default (#1548)
• chore(policy-evaluator)!: removes deprecated "kubernetes" wapc bindind. (#1519)
• feat!: Switch chart default to openreports (#1510)

🚀 Features

• feat(scripts): add test-sigstore-e2e.sh e2e test script (#1559)

• feat(controller): flag to allow policies in kubewarden namespace (#1513)
  

• feat(kwctl,policy-server): Support reading proxies config from sources.yaml (#1516)
• feat(kwctl,policy-server): Honor proxy configuration for context aware calls (#1515)
• feat!: Switch chart default to openreports (#1510)
• feat: audit-scanner deletes old wgpolicyk8s reports when migrating to openreports (#1512)
• feat(kwctl,policy-server): Honour proxy env vars (#1487)
• feat(policy-evaluator): support field masks when querying k8s (#1503)
• feat(ci): update rust toolchain updatecli script. (#1508)
• feat: Version the format of policy-server cert Secrets via annot (#1501)
• feat(policy-server): add support for custom Sigstore trust roots. (#1485)

🐛 Bug Fixes

• fix(policy-server): initialize crypto provider. (#1556)
• fix(charts): allow evaluations in controller namespace. (#1542)
• fix(policy-server): Fix race condition on policy rehydration (#1529)
• fix(e2e-test): fix premature abort in wait.For on transient errors (#1523)
• fix(deps): update go dependencies to v0.35.2 (#1525)
• fix(deps): update go dependencies (#1489)
• fix: correct PEM header for ECDSA private keys (#1498)
• fix(deps): update rust dependencies (#1490)
• fix(deps): lock file maintenance rust dependencies (#1464)
• fix(deps): update go dependencies to v1.40.0 (#1463)

🧰 Maintenance

• build: v1.33.0 release (#1571)
• build(deps): lock file maintenance (#1558)
• chore(ci): remove pull_request_target trigger from CI. (#1557)
• build: v1.33.0-rc3 release (#1553)
• chore(deps): update aws-lc-sys (#1555)
• build: v1.33.0-rc2 release (#1546)
• chore!: Don't install wgpolicyk8s reports by default (#1548)
• chore: rename allowInsideKubewardenNamespace spec field. (#1544)
• build(deps): lock file maintenance (#1507)
• build: v1.33.0-rc1 release (#1531)
• chore(deps): update rust dependencies (#1505)
• fix(deps): update go dependencies to v0.35.2 (#1525)
• chore(deps): update github actions (#1526)
• chore(policy-evaluator)!: removes deprecated "kubernetes" wapc bindind. (#1519)
• chore(deps): update wasmtime (#1514)
• chore(deps): update github actions (#1504)
• chore(deps): update otel/opentelemetry-collector docker tag to v0.146.1 (#1506)
• chore: refactor documentation and remove files (#1502)
• chore(deps): Update go to 1.26 (#1491)
• fix(deps): update go dependencies (#1489)
• chore(deps): Update Helm chart dependencies (#1496)
• build(deps): lock file maintenance (#1494)
• fix(deps): update rust dependencies (#1490)
• chore(ci): migrate kwctl sigstore e2e tests to monorepo CI (#1475)
• chore: remove .github directories from crates (#1473)
• chore: Add all GH issue templates from org (#1472)
• fix(deps): lock file maintenance rust dependencies (#1464)
• chore: Add GH issue template for release (#1471)
• fix(deps): update go dependencies to v1.40.0 (#1463)

v1.33.0-rc3

• deps(policy-fetcher): Consume oci-client 0.16.1 (#1551)
• docs: Update CRDs generated docs (#1549)
• docs(chart): Mark .Values.installPolicyReportCRDs as deprecated (#1536)
• test(policy-evaluator,policy-server): Fix flaky tests (#1522)
• refactor(test): Pass proxy config in Sources instead of env vars (#1518)
• ci: Add coverage for rust code (#1497)
• ci: add automated spelling check to CI (#1492)
• CI: Add CI step to check kwctl doc build (#1481)
• CI: Restore cross-platform cargo checks for kwctl (#1484)
• ci: add Cargo.toml version check to release workflow (#1482)
• ci(open-release-pr): Obtain desired version from workflow dispatch (#1455)

⚠️ Breaking changes

• chore!: Don't install wgpolicyk8s reports by default (#1548)
• chore(policy-evaluator)!: removes deprecated "kubernetes" wapc bindind. (#1519)
• feat!: Switch chart default to openreports (#1510)

🚀 Features

• feat(controller): flag to allow policies in kubewarden namespace (#1513)
  

• feat(kwctl,policy-server): Support reading proxies config from sources.yaml (#1516)
• feat(kwctl,policy-server): Honor proxy configuration for context aware calls (#1515)
• feat!: Switch chart default to openreports (#1510)
• feat: audit-scanner deletes old wgpolicyk8s reports when migrating to openreports (#1512)
• feat(kwctl,policy-server): Honour proxy env vars (#1487)
• feat(policy-evaluator): support field masks when querying k8s (#1503)
• feat(ci): update rust toolchain updatecli script. (#1508)
• feat: Version the format of policy-server cert Secrets via annot (#1501)
• feat(policy-server): add support for custom Sigstore trust roots. (#1485)

🐛 Bug Fixes

• fix(policy-server): initialize crypto provider. (#1556)
• fix(charts): allow evaluations in controller namespace. (#1542)
• fix(policy-server): Fix race condition on policy rehydration (#1529)
• fix(e2e-test): fix premature abort in wait.For on transient errors (#1523)
• fix(deps): update go dependencies to v0.35.2 (#1525)
• fix(deps): update go dependencies (#1489)
• fix: correct PEM header for ECDSA private keys (#1498)
• fix(deps): update rust dependencies (#1490)
• fix(deps): lock file maintenance rust dependencies (#1464)
• fix(deps): update go dependencies to v1.40.0 (#1463)

🧰 Maintenance

• build: v1.33.0-rc3 release (#1553)
• chore(deps): update aws-lc-sys (#1555)
• build: v1.33.0-rc2 release (#1546)
• chore!: Don't install wgpolicyk8s reports by default (#1548)
• chore: rename allowInsideKubewardenNamespace spec field. (#1544)
• build(deps): lock file maintenance (#1507)
• build: v1.33.0-rc1 release (#1531)
• chore(deps): update rust dependencies (#1505)
• fix(deps): update go dependencies to v0.35.2 (#1525)
• chore(deps): update github actions (#1526)
• chore(policy-evaluator)!: removes deprecated "kubernetes" wapc bindind. (#1519)
• chore(deps): update wasmtime (#1514)
• chore(deps): update github actions (#1504)
• chore(deps): update otel/opentelemetry-collector docker tag to v0.146.1 (#1506)
• chore: refactor documentation and remove files (#1502)
• chore(deps): Update go to 1.26 (#1491)
• fix(deps): update go dependencies (#1489)
• chore(deps): Update Helm chart dependencies (#1496)
• build(deps): lock file maintenance (#1494)
• fix(deps): update rust dependencies (#1490)
• chore(ci): migrate kwctl sigstore e2e tests to monorepo CI (#1475)
• chore: remove .github directories from crates (#1473)
• chore: Add all GH issue templates from org (#1472)
• fix(deps): lock file maintenance rust dependencies (#1464)
• chore: Add GH issue template for release (#1471)
• fix(deps): update go dependencies to v1.40.0 (#1463)

v1.33.0-rc2

• docs(chart): Mark .Values.installPolicyReportCRDs as deprecated (#1536)
• test(policy-evaluator,policy-server): Fix flaky tests (#1522)
• refactor(test): Pass proxy config in Sources instead of env vars (#1518)
• ci: Add coverage for rust code (#1497)
• ci: add automated spelling check to CI (#1492)
• CI: Add CI step to check kwctl doc build (#1481)
• CI: Restore cross-platform cargo checks for kwctl (#1484)
• ci: add Cargo.toml version check to release workflow (#1482)
• ci(open-release-pr): Obtain desired version from workflow dispatch (#1455)

⚠️ Breaking changes

• chore!: Don't install wgpolicyk8s reports by default (#1548)
• feat!: Switch chart default to openreports (#1510)
• chore(policy-evaluator)!: removes deprecated "kubernetes" wapc bindind. (#1519)

🚀 Features

• feat(controller): flag to allow policies in kubewarden namespace (#1513)
• feat(kwctl,policy-server): Support reading proxies config from sources.yaml (#1516)
• feat(kwctl,policy-server): Honor proxy configuration for context aware calls (#1515)
• feat!: Switch chart default to openreports (#1510)
• feat: audit-scanner deletes old wgpolicyk8s reports when migrating to openreports (#1512)
• feat(kwctl,policy-server): Honour proxy env vars (#1487)
• feat(policy-evaluator): support field masks when querying k8s (#1503)
• feat(ci): update rust toolchain updatecli script. (#1508)
• feat: Version the format of policy-server cert Secrets via annot (#1501)
• feat(policy-server): add support for custom Sigstore trust roots. (#1485)

🐛 Bug Fixes

• fix(charts): allow evaluations in controller namespace. (#1542)
• fix(policy-server): Fix race condition on policy rehydration (#1529)
• fix(e2e-test): fix premature abort in wait.For on transient errors (#1523)
• fix(deps): update go dependencies to v0.35.2 (#1525)
• fix(deps): update go dependencies (#1489)
• fix: correct PEM header for ECDSA private keys (#1498)
• fix(deps): update rust dependencies (#1490)
• fix(deps): lock file maintenance rust dependencies (#1464)
• fix(deps): update go dependencies to v1.40.0 (#1463)

🧰 Maintenance

• build: v1.33.0-rc2 release (#1546)
• chore!: Don't install wgpolicyk8s reports by default (#1548)
• chore: rename allowInsideKubewardenNamespace spec field. (#1544)
• build(deps): lock file maintenance (#1507)
• build: v1.33.0-rc1 release (#1531)
• chore(deps): update rust dependencies (#1505)
• fix(deps): update go dependencies to v0.35.2 (#1525)
• chore(deps): update github actions (#1526)
• chore(policy-evaluator)!: removes deprecated "kubernetes" wapc bindind. (#1519)
• chore(deps): update wasmtime (#1514)
• chore(deps): update github actions (#1504)
• chore(deps): update otel/opentelemetry-collector docker tag to v0.146.1 (#1506)
• chore: refactor documentation and remove files (#1502)
• chore(deps): Update go to 1.26 (#1491)
• fix(deps): update go dependencies (#1489)
• chore(deps): Update Helm chart dependencies (#1496)
• build(deps): lock file maintenance (#1494)
• fix(deps): update rust dependencies (#1490)
• chore(ci): migrate kwctl sigstore e2e tests to monorepo CI (#1475)
• chore: remove .github directories from crates (#1473)
• chore: Add all GH issue templates from org (#1472)
• fix(deps): lock file maintenance rust dependencies (#1464)
• chore: Add GH issue template for release (#1471)
• fix(deps): update go dependencies to v1.40.0 (#1463)

v1.33.0-rc1

• test(policy-evaluator,policy-server): Fix flaky tests (#1522)
• refactor(test): Pass proxy config in Sources instead of env vars (#1518)
• ci: Add coverage for rust code (#1497)
• ci: add automated spelling check to CI (#1492)
• CI: Add CI step to check kwctl doc build (#1481)
• CI: Restore cross-platform cargo checks for kwctl (#1484)
• ci: add Cargo.toml version check to release workflow (#1482)
• ci(open-release-pr): Obtain desired version from workflow dispatch (#1455)

⚠️ Breaking changes

• chore(policy-evaluator)!: removes deprecated "kubernetes" wapc bindind. (#1519)
• feat!: Switch chart default to openreports (#1510)

🚀 Features

• feat(controller): flag to allow policies in kubewarden namespace (#1513)
• feat(kwctl,policy-server): Support reading proxies config from sources.yaml (#1516)
• feat(kwctl,policy-server): Honor proxy configuration for context aware calls (#1515)
• feat: audit-scanner deletes old wgpolicyk8s reports when migrating to openreports (#1512)
• feat(kwctl,policy-server): Honour proxy env vars (#1487)
• feat(policy-evaluator): support field masks when querying k8s (#1503)
• feat(ci): update rust toolchain updatecli script. (#1508)
• feat: Version the format of policy-server cert Secrets via annot (#1501)
• feat(policy-server): add support for custom Sigstore trust roots. (#1485)

🐛 Bug Fixes

• fix(policy-server): Fix race condition on policy rehydration (#1529)
• fix(e2e-test): fix premature abort in wait.For on transient errors (#1523)
• fix(deps): update go dependencies to v0.35.2 (#1525)
• fix(deps): update go dependencies (#1489)
• fix: correct PEM header for ECDSA private keys (#1498)
• fix(deps): update rust dependencies (#1490)
• fix(deps): lock file maintenance rust dependencies (#1464)
• fix(deps): update go dependencies to v1.40.0 (#1463)

🧰 Maintenance

• build: v1.33.0-rc1 release (#1531)
• chore(deps): update rust dependencies (#1505)
• fix(deps): update go dependencies to v0.35.2 (#1525)
• chore(deps): update github actions (#1526)
• chore(policy-evaluator)!: removes deprecated "kubernetes" wapc bindind. (#1519)
• chore(deps): update wasmtime (#1514)
• chore(deps): update github actions (#1504)
• chore(deps): update otel/opentelemetry-collector docker tag to v0.146.1 (#1506)
• chore: refactor documentation and remove files (#1502)
• chore(deps): Update go to 1.26 (#1491)
• fix(deps): update go dependencies (#1489)
• chore(deps): Update Helm chart dependencies (#1496)
• build(deps): lock file maintenance (#1494)
• fix(deps): update rust dependencies (#1490)
• chore(ci): migrate kwctl sigstore e2e tests to monorepo CI (#1475)
• chore: remove .github directories from crates (#1473)
• chore: Add all GH issue templates from org (#1472)
• fix(deps): lock file maintenance rust dependencies (#1464)
• chore: Add GH issue template for release (#1471)
• fix(deps): update go dependencies to v1.40.0 (#1463)