Gatekeeper v3.15.4

Gatekeeper v3.15.4

Gatekeeper is a validating webhook with auditing capabilities that can
enforce custom resource definition-based policies that are run with the
Open Policy Agent (OPA). Gatekeeper is supported through a Red Hat Advanced
Cluster Management for Kubernetes subscription.

Starting in v3.15, the following namespaces are exempt from admission control:

- kube-*
- multicluster-engine
- hypershift
- hive
- rhacs-operator
- open-cluster-*
- openshift-*

To disable the default exempt namespaces, set the namespaces you want on the
object.

Security fix(es):

* golang.org/x/oauth2: Unexpected memory consumption during token parsing in
 golang.org/x/oauth2 (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of
 golang.org/x/crypto/ssh (CVE-2025-22869)

Additional Release Notes:

* v3.15.0 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.0
* v3.15.1 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.1

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-22868: Improper Validation of Syntactic Correctness of Input
 (CWE-1286)
CVE-2025-22869: Allocation of Resources Without Limits or Throttling (CWE-770)