v2.14.0

ACM 2.14.0 was released August 1, 2025.

Caution

Known Issue: When you use both the objectSelector and the namespaceSelector fields in a ConfigurationPolicy resource, the objects that the objectSelector return get applied to all the namespaces that the namespaceSelector return. The ConfigurationPolicy incorrectly processes the results. To workaround this issue, apply the object-templates-raw field to iterate over the objects.

✨ Changes:

• Use lowercase APIMapping by @dhaiducek in ocm-io/346 via #1250
• Make spec required by @dhaiducek in ocm-io/349 via #1261
• Upgrade addon-framework to v0.12.0 by @yiraeChristineKim in ocm-io/353 for ACM-19001 via #1297
• Enable skipObject arguments by @dhaiducek in ocm-io/354 for ACM-19753 via #1302
• Refactor skipObject to report arg types by @dhaiducek in ocm-io/355 via #1307
• Adjust --no-colors behaviors by @dhaiducek in ocm-io/359 via #1322
• Refactor tests to walk embed.FS directly by @dhaiducek in ocm-io/360 via #1323
• Add Object context variable by @dhaiducek in ocm-io/361 for ACM-15970 via #1335
• Remove dryrun dev preview marker by @dhaiducek in ocm-io/364 for ACM-20097 via #1337
• Allow multiple versions in one entry by @JustinKuli in ocm-io/367 for ACM-20804 via #1360
• Add helpful errors for unwatchable resources by @JustinKuli in ocm-io/370 for ACM-19965 via #1371

♻️ CI changes:

• Upgrade golangci-lint to v1.64.8 by @yiraeChristineKim in ocm-io/347 for ACM-8341 via #1264
• Disable gomod updates by @dhaiducek in #1295
• Add multiarch build to konflux pipeline by @JustinKuli in #1354
• Update CEL to release-2.14 by @dhaiducek in #1398
• Update OWNERS by @dhaiducek in #1402

🛠️ Bug Fixes:

• Support policy resources in dryrun by @yiraeChristineKim in ocm-io/344 for ACM-18135 via #1245
• Fix Issue with Mapping File Not Working by @yiraeChristineKim in ocm-io/345 for ACM-18134 via #1248
• Watch correct openshift templates by @JustinKuli in ocm-io/350 for ACM-18827 via #1272
• Colored diffs are displayed as output. by @yiraeChristineKim in ocm-io/357 for ACM-18908 via #1309
• Add a flag to show the complete diff during dry run by @yiraeChristineKim in ocm-io/358 for ACM-18907 via #1315
• fix: address .Object bugs by @dhaiducek in ocm-io/368 for ACM-20863 via #1367
• fix: Record the diff for enforce by @dhaiducek in ocm-io/369 for ACM-19111 via #1368
• Use JSON instead of YAML for hub templates by @JustinKuli in ocm-io/371 for ACM-21394 via #1378
• Do a server-side dry-run check to know if resource updates are necessary by @JustinKuli in ocm-io/366 for ACM-19156 via #1380

⚠️ Vulnerability Fixes:

• Address oauth2 vuln by @dhaiducek for CVE-2025-22868 in ocm-io/351 via #1267
• Fix the crypto cve by @gparvin for CVE-2025-22869 in ocm-io/352 via #1276

Full Changelog: v2.13.0...v2.14.0

(Compiled partially automatically, then adjusted by @JustinKuli - apologies for any omissions or errors)

v2.13.3

ACM 2.13.3 was released June 4, 2025.

Changes:

• Add shell and unicode sast pipeline tasks by @dhaiducek in #1306
• Enable skipObject arguments by @dhaiducek for ACM-19753 in #1308

Full Changelog: v2.13.2...v2.13.3

(Compiled manually by @JustinKuli - apologies for any omissions or errors)

v2.13.2

ACM 2.13.2 was released April 9, 2025.

Changes:

• Use lowercase APIMapping by @dhaiducek in ocm-io/346 via #1251
• Support policy resources in dryrun by @yiraeChristineKim in ocm-io/344 for ACM-18135 via #1273

Bug Fixes:

• Fix Issue with Mapping File Not Working by @yiraeChristineKim in ocm-io/345 for ACM-18134 via #1251
• Watch correct openshift templates by @JustinKuli in ocm-io/350 for ACM-18827 via #1273

Vulnerability Fixes:

• Address oauth2 vuln by @dhaiducek for CVE-2025-22868 in #1266
• Address crypto vuln by @dhaiducek for CVE-2025-22869 in #1274

Full Changelog: v2.13.0...v2.13.2

(Compiled manually by @JustinKuli - apologies for any omissions or errors)

v2.13.0

ACM 2.13.0 released March 19, 2025.

Changes:

• Use YAML to decode mappings files in dryrun tool by @mprahl in ocm-io/310 via #1068
• Set UnknownCompliancy to an empty string by @dhaiducek in ocm-io/309 via #1073
• Use LabelSelector directly in namespaceSelector by @dhaiducek in ocm-io/311 via #1078
• Remove the tech preview compliance history API integration by @mprahl in ocm-io/313 for ACM-15291 via #1082
• Clean up 2.12 Konflux pipelines by @dhaiducek in #1087
• Provide the ObjectNamespace template variable by @mprahl in ocm-io/314 for ACM-15392 via #1090
• Add templating to OperatorPolicy spec.versions by @mprahl in ocm-io/315 for ACM-15383 via #1091
• Add an objectSelector to ConfigurationPolicy by @dhaiducek in ocm-io/317 for ACM-15389 via #1107
• Add .ObjectName template context variable by @dhaiducek in ocm-io/319 for ACM-15809 via #1108
• Add the skipObject template function by @mprahl in ocm-io/320 for ACM-15937 via #1110
• Update OWNERS by @dhaiducek in ocm-io/322 via #1116
• Fix when context variable isn't used for metadata by @dhaiducek in ocm-io/321 via #1127
• Consolidate compliance messages by @yiraeChristineKim in ocm-io/323 for ACM-15773 via #1127
• Update OperatorPolicy operatorGroup description by @dhaiducek in ocm-io/324 via #1134
• Update net and crypto pkgs by @dhaiducek in ocm-io/326 via #1141
• Enable hermetic builds by @dhaiducek in #1155
• Add deprecation status in operatorpolicy by @yiraeChristineKim in ocm-io/327 for ACM-16120 via #1168
• Make inform default for remediationAction by @dhaiducek in ocm-io/330 via #1175
• Add status metric by @dhaiducek in ocm-io/331 for ACM-17519 via #1177
• Add DryCLI status comparison by @yiraeChristineKim in ocm-io/329 for ACM-17517 via #1184
• Implement standalone-hub-templating by @JustinKuli in ocm-io/332 for ACM-16091 via #1186
• Utilize dryrun CLI in configuration-policy-controller tests by @yiraeChristineKim in ocm-io/333 for ACM-17518 via #1187
• Fix: Cluster-scoped obj context variables by @dhaiducek in ocm-io/336 via #1203
• Consolidate status metric by @dhaiducek in ocm-io/337 for ACM-17519 via #1206
• Populate context on a non-empty basis by @dhaiducek in ocm-io/338 via #1208
• Trim dryrun status checking output by @JustinKuli in ocm-io/339 via #1209
• Add API group/version to mapping errors by @dhaiducek in ocm-io/341 via #1224

Bug Fixes:

• Send operator policy event if status is reset by @JustinKuli in ocm-io/306 for ACM-15049 via #1064
• Add logs to debug possible lock issue by @JustinKuli in ocm-io/308 for ACM-14617 via #1066
• Approve package dependencies if the top-level CSV is approved by @mprahl in ocm-io/307 for ACM-14540 via #1074
• Adopt existing sub when packagemanifest not found by @JustinKuli in ocm-io/312 for ACM-14617 via #1078
• Report other sub failures more consistently by @JustinKuli in ocm-io/316 for ACM-15394 via #1095
• Fix alreadyEvaluated check for dryrun by @JustinKuli in ocm-io/318 for ACM-15899 via #1098
• Fix objectSelector polling by @dhaiducek in ocm-io/325 for ACM-15952 via #1135
• Account for nil annotations in uninstall by @JustinKuli in ocm-io/328 for ACM-17562 via #1169
• Fix bug where deprecationsPresent config changes were not reflected by @yiraeChristineKim in ocm-io/334 for ACM-17661 via #1201
• Fix: Context vars only available with selector by @dhaiducek in ocm-io/335 for ACM-17933 via #1201
• Fix dryrun default namespaceSelector issue by @yiraeChristineKim in ocm-io/342 for ACM-18064 via #1225
• Fix resourceVersion error for create request in dryrun by @yiraeChristineKim in [ocm-io/343](https://github.com/open-clust...

v2.12.0

ACM 2.12.0 released November 6, 2024.

Changes:

• Update quay version in test by @JustinKuli in ocm-io/268 via #909
• Update the recreateOption documentation based on feedback by @mprahl in ocm-io/270 via #916
• Update kubernetes-dependency-watches to v0.8.1 by @mprahl in ocm-io/271 via #934
• Add renovate configuration by @dhaiducek in #942
• Make ConfigurationPolicy event driven by default by @mprahl in ocm-io/274 for ACM-11666 via #957
• Retry evaluating the policy if a mapping error occurs by @mprahl in ocm-io/275 via #959
• Refactor to split up handleObjectTemplates and help understandability by @JustinKuli in ocm-io/276 via #961
• Use controller-runtime to protect metrics endpoint by @zyjjay in ocm-io/261 for ACM-8346 via #963
• Address comments from #276 by @mprahl in ocm-io/278 via #964
• Modify metrics options to account for deprecation of kube-rbac-proxy by @zyjjay in ocm-io/281 for ACM-8346 via #968
• Add observedGeneration to OperatorPolicy status by @JustinKuli in ocm-io/282 for ACM-12804 via #970
• Add user-defined compliance messages by @JustinKuli in ocm-io/280 for ACM-12423 via #972
• E2E Tweaks/Fixes by @dhaiducek in ocm-io/279 via #974
• Fix a bug when no namespace selector is specified by @mprahl in ocm-io/283 via #974
• Split kind.yaml workflow into parallel jobs by @JustinKuli in #988
• Update go-template-utils to v6.1.1 by @mprahl in ocm-io/288 via #989
• Use --server-side for null test by @dhaiducek in ocm-io/289 via #997
• Update to Go v1.22 by @dhaiducek in #1016
• Add sprig functions to customMessage templating by @JustinKuli in ocm-io/293 via #1023
• Add ocm-polices namespace by @yiraeChristineKim in ocm-io/294 for ACM-13609 via #1028
• Clean policies in ocm namespace after test by @yiraeChristineKim in ocm-io/295 via #1035
• Update go-template-utils to v6.3.0 by @mprahl in ocm-io/297 via #1037
• Sync common Makefile by @dhaiducek in ocm-io/299 via #1039
• Add a DryRun CLI by @JustinKuli in ocm-io/298 for ACM-14161 via #1041
• Small dryrun improvements by @JustinKuli in ocm-io/300 via #1044
• More dryrun improvements by @JustinKuli in ocm-io/302 via #1048
• Uninstall scenario improvements by @JustinKuli in ocm-io/303 via #1056

Bug Fixes:

• Restrict reported overlaps to enforced policies by @JustinKuli in ocm-io/269 for ACM-12207 via #912
• Fix help messages in compliance messages getting removed on next eval by @mprahl in ocm-io/273 for ACM-12631 via #947
• Ignore imagePullSecrets and secrets on ServiceAccounts by @JeffeyL in ocm-io/272 for ACM-12270 via #950
• Use the controller-runtime cache to get the decryption key by @mprahl in ocm-io/284 for ACM-11497 via #978
• Ensure pod restart when target kubeconfig changes by @zyjjay in ocm-io/285 for ACM-12933 via #982
• BUG: event-driven mode not requeueing some enforcement errors by @JustinKuli in ocm-io/290 via #1015
• Guard against nil pointer value in status error by @mprahl in ocm-io/296 for ACM-14422 via #1036
• Correct details list when templates are removed by @JustinKuli in ocm-io/301 for ACM-14550 via #1044
• Handle SCC annotations in namespaces by @JustinKuli in ocm-io/305 for ACM-12507 via #1060

Full Changelog: v2.11.0...v2.12.0

(Compiled partially automatically, then adjusted by @JustinKuli - apologies for any omissions or errors)

v2.11.0

ACM 2.11.0 was released July 18, 2024.

Changes:

• Upgrade controller-gen by @dhaiducek in ocm-io/206 via #733
• Reduce debug logs for operatorpolicy test by @JustinKuli in ocm-io/209 via #739
• Sync common Makefile by @dhaiducek in ocm-io/224 via #780
• MustNotHave mode for OperatorPolicy by @JustinKuli in ocm-io/222 for ACM-9287 via #793
• Validate the subscription name by @mprahl in ocm-io/225 via #794
• Fix handling of undefined fields for mustonlyhave by @dhaiducek in ocm-io/223 via #797
• Skip checking the operator group namespace existence when it's invalid by @mprahl in ocm-io/226 via #797
• Handle stuck deletes better in OperatorPolicy by @JustinKuli in ocm-io/227 for ACM-9287 via #806
• Set default subscription values when not specified by @mprahl in ocm-io/228 for ACM-10561 via #807
• Add a launch.json for local development by @mprahl in ocm-io/229 for ACM-10885 via #810
• Update the operator policy messages by @mprahl in ocm-io/231 via #824
• Update controller-runtime to 0.17.3 by @JeffeyL in ocm-io/232 for ACM-10835 via #829
• Make the capitalization consistent of operator policy messages by @mprahl in ocm-io/234 via #830
• Create missing namespaces for operator policy by @mprahl in ocm-io/237 for ACM-11403 via #840
• OperatorPolicy Templates by @JustinKuli in ocm-io/235 for ACM-10858 via #845
• Stop modifying spec.versions directly in musthaveInstallPlan by @mprahl in ocm-io/238 via #845
• Fix status reporting inconsistency in mustnothave mode by @zyjjay in ocm-io/240 via #853
• Hosted mode Testing for OperatorPolicy by @yiraeChristineKim in ocm-io/242 for ACM-11255 via #866
• Reduce number of related InstallPlans by @JustinKuli in ocm-io/239 for ACM-11025 via #866
• Add support for recording the diff in the ConfigurationPolicy status by @mprahl in ocm-io/246 for ACM-11421 via #870
• Small improvements to recordDiff by @mprahl in ocm-io/248 via #875
• Update kubernetes-dependency-watches to v0.7.0 by @mprahl in ocm-io/250 via #875
• Delete the hosting test namespace before the hosted test namespace by @mprahl in ocm-io/251 via #875
• Add upgradeApproval field to OperatorPolicy by @JustinKuli in ocm-io/249 for ACM-11268 via #875
• Upgrade addon-framework to 0.9.3 by @xuezhaojun in ocm-io/254 via #875
• Update to UBI 9 to match downstream by @mprahl in ocm-io/255 via #878
• Add the recreateOption to the object template by @mprahl in ocm-io/253 for ACM-11846 via #878
• Update Go packages by @dhaiducek in ocm-io/257 for ACM-11664 via #881
• Implement new ComplianceConfig field by @zyjjay in ocm-io/252 for ACM-11023 via #889
• Update CRD descriptions by @dhaiducek in ocm-io/218 for ACM-8992 via #893
• ACM-11453 Fix flaky subscription constraints not satisfiable condition by @JustinKuli in ocm-io/258 via #895
• Make the watch namespace on OperatorPolicy conditional by @mprahl in ocm-io/263 via #899
• Use suggested namespaces of packages by @JustinKuli in ocm-io/266 for ACM-12057 via #901
• Update quay version in test by @JustinKuli in ocm-io/268 via #911
• Update the recreateOption documentation based on feedback by @mprahl in ocm-io/270 via #917
• Update kubernetes-dependency-watches to v0.8.1 by @mprahl in ocm-io/271 via #935

Bug Fixes:

• Adjust polarity of condition when CSV not found by @JustinKuli in ocm-io/210 for ACM-10190 via #742
• Change undetermined OperatorPolicy names to '-' by @JustinKuli in ocm-io/211 for ACM-10202 via #743
• Change unnamed related object from * to - by @yiraeChristineKim in ocm-io/212 for ACM-8782 ACM-8782 via https://github.com/stolostron/conf...

v2.10.1

ACM 2.10.1 was released on April 11, 2024

Bug Fixes:

• Change unnamed related object from * to - by @yiraeChristineKim in ocm-io/212 for ACM-8782 via #763

Full Changelog: v2.10.0...v2.10.1

(Compiled partially automatically, then adjusted by @JustinKuli - apologies for any omissions or errors)

v2.10.0

ACM 2.10.0 was released March 20, 2024

Changes:

• Allow OperatorPolicy to create OLM subscriptions by @zyjjay in ocm-io/162 for ACM-6597 via #577
• Update to go-template-utils v4.0.0 by @mprahl in ocm-io/167 for ACM-7652 ACM-7398 via #603
• Require objectDefinition and remediationAction by @dhaiducek in ocm-io/183 via #667
• Add diff logging by @dhaiducek in ocm-io/191 for ACM-9072 via #694
• Handle preexisting operator in ocm-io/192 for ACM-9283 via #701
• Return a subscription from handleSubscription by @JustinKuli in ocm-io/198 via #706
• Implement OperatorPolicy health checks for CSV by @JeffeyL in ocm-io/196 via #710
• Enable status reporting for CatalogSource in OperatorPolicy by @zyjjay in ocm-io/195 for ACM-9285 via #716
• Handle InstallPlan approval based on spec.versions by @JustinKuli in ocm-io/199 for ACM-9286 via #716
• Include the compliance history database IDs in compliance events by @mprahl in ocm-io/200 for ACM-6889 via #716
• Allow configuring a default namespace for operators by @JustinKuli in ocm-io/204 via #724
• Add more validation to the OperatorPolicy by @JustinKuli in ocm-io/207 for ACM-9993 via #726
• Emit fewer OperatorPolicy events by @JustinKuli in ocm-io/208 via #727

Bug Fixes:

• Fix compliance when created resource has a status by @JustinKuli in ocm-io/161 for ACM-7020 via #575
• Add an error when apiVersion is missing by @JustinKuli in ocm-io/163 for ACM-7127 via #580
• Check all items in lists by @JustinKuli in ocm-io/164 for ACM-7889 via #593
• Don't attempt to merge mustonlyhave list by @dhaiducek in ocm-io/165 for ACM-7799 via #595
• Fix items in nested lists not always being matched by @JustinKuli in ocm-io/168 via #608
• Handle values omitted from the API server in arrays of objects by @mprahl in ocm-io/172 for ACM-8391 via #622
• Verify with the API server if an empty map is equal to nil by @mprahl in ocm-io/171 for ACM-7810 via #627
• Fix a bug related to unnamed objects by @mprahl in ocm-io/178 for ACM-8731 via #646
• ACM-8739: ACM Policy that applies stringdata in a secret regression with templates by @JeffeyL in ocm-io/179 for ACM-8739 via #648
• Stop the NS controller manager during hosted mode uninstalls by @mprahl in ocm-io/180 for ACM-8826 via #656
• Fix checking the controller installation state at startup by @mprahl in ocm-io/181 for ACM-8826 via #661
• Stop getting the K8s version of target cluster in uninstall mode by @mprahl in ocm-io/184 for ACM-8826 via #671
• Stop refreshing the discovery when in uninstall mode by @mprahl in ocm-io/185 for ACM-8826 via #674
• Adjust polarity of condition when CSV not found by @JustinKuli in ocm-io/210 for ACM-10190 via #744
• Change undetermined OperatorPolicy names to '-' by @JustinKuli in ocm-io/211 for ACM-10202 via #745
• Filter out unrelated subscription resolution failures by @mprahl in ocm-io/214 for ACM-10195 via #749

Full Changelog: v2.9.0...v2.10.0

(Compiled partially automatically, then adjusted by @JustinKuli - apologies for any omissions or errors)