Bump github.com/open-policy-agent/gatekeeper/v3 from 3.21.1 to 3.22.0 by dependabot[bot] · Pull Request #721 · Azure/draft

dependabot · 2026-03-16T12:54:15Z

Bumps github.com/open-policy-agent/gatekeeper/v3 from 3.21.1 to 3.22.0.

Release notes

Sourced from github.com/open-policy-agent/gatekeeper/v3's releases.

v3.22.0

🚀 Notable Changes

✅ sync-vap-enforcement-scope now enabled by default: The flag for syncing ValidatingAdmissionPolicy enforcement scope is now true by default, ensuring VAP resources reflect constraint enforcement actions out of the box (#4332).

🏷️ Namespace support for CEL and Rego engines: CEL expressions can now access namespaceObject and Rego policies can access input.namespace for namespace-scoped policy decisions during both admission and audit (#4285)

⚡ gator bench — policy performance benchmarking: New CLI command to benchmark Rego and CEL engines with latency percentiles, throughput metrics, memory profiling, concurrent load testing, and baseline comparison for CI/CD regression detection (#4287)

📋 gator policy — brew-inspired policy management: New CLI for discovering, installing, upgrading, and uninstalling policies from the gatekeeper-library with support for bundles (e.g., pod-security-baseline), enforcement overrides, and dry-run previews (#4331)

🔇 Disable audit sidecar support: Users who have their own log monitoring (e.g., OTel collector) can now disable the forced fake-reader sidecar when audit file-based logging is enabled (#4280)

🌐 Out-of-cluster / remote cluster support: New --enable-remote-cluster flag allows Gatekeeper to run outside the target cluster (e.g., nested/hosted control planes), fixing a crash when the Gatekeeper pod doesn't exist in the managed cluster (#4368)

⏱️ External data provider timeout enforcement: Mutation-path requests to external data providers now enforce the provider's configured timeout (default 5s), preventing unbounded requests that could outlive the webhook timeout and cause resource exhaustion (#4351)

Features

Support disabling audit sidecar (#4280) #4280 (Jorge Turrado Ferrero)

add namespace support for CEL and Rego engines (#4285) #4285 (Jaydip Gabani)

Support metrics backend configuration options to helm chart (#4282) #4282 (Jorge Turrado Ferrero)

set sync-vap-enforcement-scope flag to true (#4332) #4332 (abhisheksheth28)

support print statement in gator (#2949) (#3872) #3872 (Julian)

add gator bench command for policy performance benchmarking (#4287) #4287 (Sertaç Özercan)

gator policy (#4331) #4331 (Sertaç Özercan)

Bug Fixes

Refactor retries for disk driver failed connection removal to be exponential. (#4257) #4257 (devivasudevan)

remove deprecated spec.preserveUnknownFields (#4276) #4276 (Mohamed Meskine)

updating expansion templates to add owner ref in expanded resources (#4262) #4262 (Jaydip Gabani)

chart: Merge namespace exemption labels to fix GKE recommendation (#4348) #4348 (Oliver Karstoft)

enforce timeout on external data provider requests (#4351) #4351 (Jaydip Gabani)

run gatekeeper out of bounds (#4368) #4368 (abhisheksheth28)

thread webhook context through external data mutation requests (#4378) #4378 (Edvin N)

add missing flags as helm values (#4385) #4385 (abhisheksheth28)

Documentation

add field precedence documentation for ConstraintTemplate (#4246) #4246 (Copilot)

adding jfrog provide to external data (#4357) #4357 (carmit hershman)

Continuous Integration

add Slack meeting reminder workflow for OPA Gatekeeper weekly meetings (#4277) #4277 (Copilot)

Chores

bumping kubectl to resolve CVEs (#4248) #4248 (Jaydip Gabani)

bump go.uber.org/zap from 1.27.0 to 1.27.1 (#4263) #4263 (dependabot[bot])

bump golang from 728cbef to a02d35e in /test/export/fake-reader (#4264) #4264 (dependabot[bot])

bump golang from 728cbef to a02d35e in /test/externaldata/dummy-provider (#4265) #4265 (dependabot[bot])

bump golang from 27e1c92 to a02d35e in /test/image (#4266) #4266 (dependabot[bot])

bump the all group with 4 updates (#4269) #4269 (dependabot[bot])

bump golang from 27e1c92 to a02d35e (#4270) #4270 (dependabot[bot])

bump node-forge from 1.3.1 to 1.3.2 in /website (#4274) #4274 (dependabot[bot])

bump golang from 27e1c92 to a02d35e in /test/export/fake-subscriber (#4267) #4267 (dependabot[bot])

bump the all group with 2 updates (#4275) #4275 (dependabot[bot])

migrate from deprecated stale bot app to GitHub Actions stale action (#4245) #4245 (Copilot)

bump express from 4.21.0 to 4.22.1 in /website (#4278) #4278 (dependabot[bot])

... (truncated)

Commits

b417e91 chore: Prepare v3.22.0 release (#4438)
a6fc13a chore: bump golang from 100774d to ab8c494 (#4429) CP (#4436)
7a56f7a chore: cherry-pick trivy bump to 0.69.3 for release-3.22 (#4437)
06a5842 chore: Prepare v3.22.0-rc.0 release (#4407)
48d8b78 chore: bumping-cert-controller to latest (#4405)
c1fca88 chore: bumping opa to 1.13.2 and frameworks to latest (#4406)
348c98d chore: bump the all group with 6 updates (#4403)
9b237be chore: bumping otel to 1.40 to fix GO-2026-4394 (#4404)
730ecb9 fix: add missing flags as helm values (#4385)
e73f30f chore: parallelize unit-test CI into coverage, race, and bench jobs, update G...
Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [github.com/open-policy-agent/gatekeeper/v3](https://github.com/open-policy-agent/gatekeeper) from 3.21.1 to 3.22.0. - [Release notes](https://github.com/open-policy-agent/gatekeeper/releases) - [Changelog](https://github.com/open-policy-agent/gatekeeper/blob/master/docs/RELEASE.md) - [Commits](open-policy-agent/gatekeeper@v3.21.1...v3.22.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/gatekeeper/v3 dependency-version: 3.22.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Dependency Updates: - helm.sh/helm/v3 3.19.5 → 3.20.2 - google.golang.org/grpc 1.77.0 → 1.79.3 - github.com/open-policy-agent/gatekeeper/v3 3.21.1 → 3.22.0 - github.com/docker/cli 28.5.1 → 29.2.0 - sigs.k8s.io/kustomize/api 0.21.0 → 0.21.1 - sigs.k8s.io/kustomize/kyaml 0.21.0 → 0.21.1 - dawidd6/action-download-artifact 20 → 21 - github/codeql-action 4.32.6 → 4.35.4 - Azure/k8s-deploy 5 → 6 - azure/k8s-bake 3.0.4 → 4.0.0 - softprops/action-gh-release 2 → 3 - actions/download-artifact 8.0.0 → 8.0.1 Dependabot config: - Add 7-day cooldown on all entries - Group all updates per ecosystem/directory into single PRs - Replace duplicate directory: / with targeted /.github/actions Supersedes Azure#753 Azure#752 Azure#751 Azure#750 Azure#747 Azure#746 Azure#744 Azure#743 Azure#740 Azure#728 Azure#726 Azure#724 Azure#721 Azure#718 Azure#700 Azure#699

Dependency Updates: - helm.sh/helm/v3 3.19.5 → 3.20.2 - google.golang.org/grpc 1.77.0 → 1.79.3 - github.com/open-policy-agent/gatekeeper/v3 3.21.1 → 3.22.0 - sigs.k8s.io/kustomize/api 0.21.0 → 0.21.1 - sigs.k8s.io/kustomize/kyaml 0.21.0 → 0.21.1 - dawidd6/action-download-artifact 20 → 21 - github/codeql-action 4.32.6 → 4.35.4 - Azure/k8s-deploy 5 → 6 - azure/k8s-bake 3.0.4 → 4.0.0 - softprops/action-gh-release 2 → 3 - actions/download-artifact 8.0.0 → 8.0.1 Skipped: - github.com/docker/cli v29 (breaks oras-go v1 used by gatekeeper) Dependabot config: - Add 7-day cooldown on all entries - Group all updates per ecosystem/directory into single PRs - Replace duplicate directory: / with targeted /.github/actions Supersedes Azure#753 Azure#752 Azure#751 Azure#750 Azure#747 Azure#746 Azure#744 Azure#743 Azure#740 Azure#728 Azure#726 Azure#724 Azure#721 Azure#718 Azure#700 Azure#699

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 16, 2026

davidgamero mentioned this pull request May 18, 2026

chore: combine all dependabot updates + configure batching & cooldown #754

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump github.com/open-policy-agent/gatekeeper/v3 from 3.21.1 to 3.22.0#721

Bump github.com/open-policy-agent/gatekeeper/v3 from 3.21.1 to 3.22.0#721
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/open-policy-agent/gatekeeper/v3-3.22.0

dependabot Bot commented on behalf of github Mar 16, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Mar 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v3.22.0

🚀 Notable Changes

Features

Bug Fixes

Documentation

Continuous Integration

Chores

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Mar 16, 2026 •

edited

Loading