feat: add Kubernetes v1.30-v1.32 support to Pod Security Standard
Extend the PodSecurity Version field enum to include v1.30, v1.31, and v1.32 to support recent Kubernetes releases.
Explanation
This PR adds support for Kubernetes versions v1.30, v1.31, and v1.32 to the PodSecurity validation enum. This allows users running recent Kubernetes releases to specify these versions when configuring Pod Security Standards in their Kyverno policies. The change is additive only - it extends the list of allowed versions without modifying existing behavior.
Related issue
N/A - Maintenance update to support recent Kubernetes releases.
Milestone of this PR
Documentation (required for features)
- My PR contains new or altered behavior to Kyverno.
  - I have sent the draft PR to add or update the documentation and the link is:
What type of PR is this
/kind feature
Proposed Changes
Updated the PodSecurity struct's Version field in api/kyverno/v1/common_types.go to include Kubernetes versions v1.30, v1.31, and v1.32 in the validation enum.
Background: The forked pod-security-admission library (referenced in go.mod) already supports these versions, as confirmed by checking its testdata. This PR simply exposes that support in Kyverno's API validation.
Changes:
- Modified kubebuilder validation enum marker to include v1.30, v1.31, v1.32
- Ran make codegen-all to regenerate CRD manifests and documentation
- Updated CRD documentation automatically reflects the new allowed values
Proof Manifests
This is a validation-only change that extends the allowed enum values. The existing Pod Security Standard functionality remains unchanged. Users can now specify these versions in their policies:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-security-example
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: restricted-pss
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: restricted
          version: v1.32 # Now supported
No CLI test changes needed as this is purely an API validation extension.
Checklist
- I have read the contributing guidelines.
- I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
- This is a bug fix and I have added unit tests that prove my fix is effective.
- This is a feature and I have added CLI tests that are applicable.
- My PR needs to be cherry picked to a specific release branch which is .
- My PR contains new or altered behavior to Kyverno and
  - CLI support should be added and my PR doesn't contain that functionality.
Further Comments
This is a straightforward maintenance change that adds three new Kubernetes version values to an existing enum. The underlying pod-security-admission library already supports these versions. No behavioral changes to existing policies or functionality.
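
A pre-rollout check for the CRD change described above, added here as an example and not part of this PR or of Kyverno's code: it walks the JSON of an installed ClusterPolicy CRD and reports which served versions would still reject the new podSecurity.version values. The sample CRD (including its `v1.29` value and the stale `v2beta1` entry), the trimmed schema shape, and all function names are constructed for illustration.

```python
import json
import sys

def pod_security_version_enums(node, path="$"):
    """Yield (path, enum) for every podSecurity.version enum in a CRD schema."""
    if isinstance(node, dict):
        for key, child in node.items():
            here = f"{path}.{key}"
            if key == "podSecurity" and isinstance(child, dict):
                enum = child.get("properties", {}).get("version", {}).get("enum")
                if enum is not None:
                    yield here, enum
            yield from pod_security_version_enums(child, here)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from pod_security_version_enums(child, f"{path}[{i}]")

def missing_versions(crd, wanted):
    """Map each CRD version to the wanted values its schema would reject."""
    report = {}
    for ver in crd["spec"]["versions"]:
        enums = [e for _, e in pod_security_version_enums(ver.get("schema", {}))]
        if not enums:  # no enum found in this schema: treat every value as unverified
            report[ver["name"]] = sorted(wanted)
            continue
        # A value counts as missing if any occurrence of the field lacks it.
        report[ver["name"]] = sorted(w for w in wanted if any(w not in e for e in enums))
    return report

def rule_schema(enum):
    # Constructed, heavily trimmed path down to podSecurity.version.
    version = {"type": "string", "enum": enum}
    pod_security = {"properties": {"version": version, "level": {"type": "string"}}}
    validate = {"properties": {"podSecurity": pod_security}}
    rules = {"items": {"properties": {"validate": validate}}}
    return {"openAPIV3Schema": {"properties": {"spec": {"properties": {"rules": rules}}}}}

# Constructed sample: one version regenerated with the new values, one left stale.
SAMPLE_CRD = {"spec": {"versions": [
    {"name": "v1", "schema": rule_schema(["v1.29", "v1.30", "v1.31", "v1.32"])},
    {"name": "v2beta1", "schema": rule_schema(["v1.29"])},
]}}

if __name__ == "__main__":
    # Usage: kubectl get crd clusterpolicies.kyverno.io -o json | python check.py
    crd = SAMPLE_CRD if sys.stdin.isatty() else json.load(sys.stdin)
    report = missing_versions(crd, ["v1.30", "v1.31", "v1.32"])
    print(json.dumps(report, indent=2))
    sys.exit(1 if any(report.values()) else 0)
```

A non-zero exit means at least one CRD version on the cluster predates the regenerated manifests, so a policy pinning one of the new versions would fail API validation there.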