Release Notes - 3.21.0
Please see our documentation page for more information on how to consume and deploy Big Bang.
This release was primarily tested on Kubernetes 1.34.4 (EKS).
BBTOC
Big Bang will be hosting a BBTOC on 7 April @ 0900 CT and would appreciate more community involvement, please join us! (https://www.zoomgov.com/j/16109495076 Passcode: BigBang1)
Upgrade Notices
BigBang - MR
Alloy Metrics Scraping: Big Bang now supports using alloy-metrics as an alternative metrics scraper to Prometheus. Alloy autodiscovers ServiceMonitors/PodMonitors and forwards metrics via remote write to Prometheus and/or Mimir.
To enable alloy-metrics and disable Prometheus scraping (recommended to avoid duplicate metrics):
```yaml
monitoring:
  enabled: true
  prometheusMetrics:
    enabled: false
alloy:
  enabled: true
  alloyMetrics:
    enabled: true
```
NOTE: When prometheusMetrics.enabled=false, the Prometheus Targets UI will show no active scrape targets. PromQL queries still work as Prometheus receives metrics from Alloy via remote write.
WARNING: Enabling both alloy.alloyMetrics.enabled=true and monitoring.prometheusMetrics.enabled=true simultaneously will result in duplicate metrics collection.
BigBang - MR
Ztunnel Package Added
The ztunnel package has been added to Big Bang (disabled by default) to support Istio ambient mesh functionality.
Important: This package is not recommended for general use at this time. It is disabled by default and is being included strictly for internal development and testing of ambient mesh support.
Users should not enable this package unless they are specifically working on ambient mesh testing and development.
Anchore Enterprise - MR
When sso.saml.metadata is set in the umbrella values, the Anchore configure-sso job will use the provided XML directly for IdP metadata configuration instead of fetching it from the IdP metadata URL. If sso.saml.metadata is not set, the existing behavior of fetching metadata from the URL at deploy time is unchanged.
Kyverno Policies - MR
The default enabled and validationFailureAction settings for most policies have been updated to match those set in the bigbang umbrella chart. This change has no impact on those using the chart with bigbang, and only impacts those who may be using the chart independently.
- `disallow-image-tags` is now enabled and enforced by default.
- `disallow-namespaces` is now enabled and enforced by default.
- `disallow-nodeport-services` is now enforced by default.
- `restrict-image-signature` is now disabled and not enforced by default.
- `restrict-host-path-mount` is now enforced by default.
- `restrict-host-path-mount-pv` is now enforced by default.
- `restrict-host-path-write` is now enforced by default.
- `restrict-image-registries` is now enforced by default.
Kyverno Policies - MR
Simplified the way to pass exceptions via values.yaml. Default namespace kyverno is added and kind no longer needs to be passed. An example is in the comments of values.yaml:
```yaml
additionalPolicyExceptions:
  # -- Name of the policy. Additional policy exceptions can be added by adding a key.
  samplepolicyexception:
    # -- Which namespace to target. The namespace must already exist.
    namespace:
    # -- Policy annotations to add
    annotations:
      # -- Human readable name of policyException
      policies.kyverno.io/title: Sample PolicyException
      # -- Category of policy. Arbitrary.
      policies.kyverno.io/category: Examples
      # -- Type of resource PolicyException applies to (e.g. Pod, Service, Namespace)
      policies.kyverno.io/subject: Pod
      # -- Description of why the PolicyException is necessary and what items are allowed or unallowed.
      policies.kyverno.io/description: >-
        This sample PolicyException allows pods from deploying busybox for debugging.
    spec:
      exceptions:
```
Monitoring - MR
Fixes a 3.19.0 to 3.20.0 Monitoring upgrade regression where Grafana could no longer query Prometheus when SSO/authservice was enabled without Istio hardened authorization policies.
Velero - MR
The Velero ServiceAccount name is no longer overridden with velero; Velero’s default name for this ServiceAccount, velero-server, is now used. No changes should be needed unless you specifically reference this ServiceAccount name in any of your installations.
Known Issues
- bbctl Dashboards
  - CRON job output longer than 16kb will be split into multiple log entries when using the dockerd CRI causing invalid JSON structures to be imported into Loki. Use containerd as the CRI to ensure long log lines are parsed correctly
  - bbctl-violations-dashboard / bbctl-all-logs-dashboard (Violations Logs)
    - These items will not populate if you have too large of a kubernetes cluster with too many violations. There is a limit to the amount of data that can be processed. If you hit this limit and need the information, you can still use the `bbctl violations` command to obtain the data.
- Headlamp
  - Attempting to login using OIDC will create a login ‘loop’. See upstream issue for further information.
- Loki/Elasticsearch-kibana
  - If loki and EK are both enabled, drift detection will continually trigger as they share a peer authentication: `default-peer-auth` in the logging namespace. Issue
- Prometheus
  - Target scraping for Fluentbit targets may encounter 503 Service Unavailable errors even though the pods are functioning as expected
  - Target scraping for Kube Operator may encounter errors. Issue
- `.Values.packages` using `kustomize: true` can fail if `passBigBangValues` is enabled (which it is by default). Set `passBigBangValues: false` for the affected package until the fix is available in your deployed Big Bang version (3.22.x).
Upgrades from previous releases
If coming from a version pre-3.20.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-3.20.0.
Packages
| Package | Type | Package Version | BB Version |
| ------- | ---- | --------------- | ---------- |
Changes in 3.21.0
Big Bang MRs
- !7535 Resolve “Add Fluxing the Flux documentation”
- !7519 keep serviceAccount.server.name for now until the package MR is ready
- !7513 cleanup unneeded duplicates in velero test values
- !7511 Resolve “Allow overrides of helmRelease dependencies”
- !7502 Resolve “Bug: failing link check - Job Failed #55933816”
- !7498 Adds bb-common platform configmap values
- !7495 feat: Add Alloy metrics scraping and related configurations
- !7493 Add ztunnel package
- !7489 fix alloyMetrics comment in values.yaml
- !7487 Add istio-cni as conditional dependency for all istio-dependent HelmReleases
- !7476 remove invalid ingress_gateway_namespace field from kiali cr spec
- !7475 docs: Updating package offboarding
Alloy
- !7540: alloy update to 3.8.4-bb.1
# Changelog Updates
## [3.8.4-bb.1] (2026-03-30)
### Fixed
- Updated `bigbang.dev/applicationVersions` annotation from `v1.10.0` to `v1.14.0` to correctly reflect the IronBank alloy image version in use
- Updated `alloy-singleton` image tag from `v1.12.2` to `v1.14.0` to match all other alloy collector instances
- Fixed Renovate `bigbang.dev/applicationVersions` regex that was erroneously matching with single quotes and not detecting the current value
- Fixed Renovate not updating `prometheus-config-reloader` and other image tags in `values.yaml` by adding custom regex managers for split `registry/repository/tag` format
- Removed `helm-values` from Renovate `enabledManagers` to prevent erroneous cross-image tag assignments (e.g., `alloy-operator` version being applied to `alloy` image tag)
- Updated `docs/DEVELOPMENT_MAINTENANCE.md` `Chart.yaml` template to include `alloy-operator` and `helm-chart-toolbox-kubectl` images that were missing from the reference
### Changed
- Updated `prometheus-config-reloader` tag to correct tag from `Chart.yaml`
Anchore Enterprise
# Changelog Updates
## [3.21.3-bb.1] (2026-03-27)
### Changed
- Added `sso.idpMetadataXml` value to allow providing IdP metadata XML directly instead of fetching it from `sso.idpMetadataUrl` at deploy time.
## [3.21.3-bb.0] (2026-03-18)
### Changed
- enterprise 3.21.1 -> 3.21.3
- postgresql 18.5.6 -> 18.5.7
- registry1.dso.mil/ironbank/anchore/enterprise/enterprise 5.25.0 -> 5.25.1
Gitlab
# Changelog Updates
## [9.10.1-bb.0] (2026-03-31)
### Changed
- Updated gitlab `9.10.0` -> `9.10.1`
- Updated ironbank/gitlab/gitlab/gitlab-webservice 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/certificates 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/kas 18.10.0 -> 18.10.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 18.10.0 -> 18.10.1
## [9.10.0-bb.0] (2026-03-23)
### Changed
- Updated gitlab `9.9.3` -> `9.10.0`
- Updated ironbank/gitlab/gitlab/certificates 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitaly 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitlab-base 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitlab-container-registry 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitlab-exporter 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitlab-mailroom 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitlab-pages 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitlab-shell 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitlab-sidekiq 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitlab-toolbox 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitlab-webservice 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/gitlab-workhorse 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/kas 18.9.2 -> 18.10.0
- Updated ironbank/gitlab/gitlab/kubectl 18.9.2 -> 18.10.0
Gitlab Runner
- !7529: gitlabRunner update to 0.86.0-bb.0
# Changelog Updates
## [0.86.0-bb.0] (2026-03-25)
### Changed
- Updated bb-common `0.14.0` -> `0.14.1`
- Updated [gitlab-runner](https://gitlab.com/gitlab-org/charts/gitlab-runner) `0.85.0` -> `0.86.0`
- Updated gluon `0.9.7` -> `0.9.8`
- Updated [ironbank/gitlab/gitlab-runner/gitlab-runner](https://about.gitlab.com/) ([source](https://repo1.dso.mil/dsop/gitlab/gitlab-runner/gitlab-runner)) `v18.8.0` -> `v18.9.0`
- Updated [ironbank/gitlab/gitlab-runner/gitlab-runner-helper](https://about.gitlab.com/) ([source](https://repo1.dso.mil/dsop/gitlab/gitlab-runner/gitlab-runner-helper)) `v18.8.0` -> `v18.9.0`
- Updated [registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner](https://about.gitlab.com/) ([source](https://repo1.dso.mil/dsop/gitlab/gitlab-runner/gitlab-runner)) `v18.8.0` -> `v18.9.0`
- Updated [registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper](https://about.gitlab.com/) ([source](https://repo1.dso.mil/dsop/gitlab/gitlab-runner/gitlab-runner-helper)) `v18.8.0` -> `v18.9.0`
## [0.85.0-bb.1] (2026-02-06)
Grafana
- !7516: grafana update to 10.5.15-bb.2
# Changelog Updates
## [10.5.15-bb.2] (2026-03-23)
### Changed
- registry1.dso.mil/ironbank/big-bang/grafana/grafana-plugins updated from 12.4.0 -> 12.4.1
- registry1.dso.mil/ironbank/opensource/grafana/grafana-image-renderer updated from v5.6.0 -> v5.7.2
Keycloak
- !7522: keycloak update to 7.1.9-bb.0
# Changelog Updates
## [7.1.9-bb.0] (2026-03-21)
### Changed
- keycloakx 7.1.8 -> 7.1.9
- postgresql 18.5.5 -> 18.5.11
- registry1.dso.mil/ironbank/opensource/keycloak/keycloak 26.5.5 -> 26.5.6
Kiali
- !7455: kiali update to 2.23.0-bb.0
# Changelog Updates
## [2.23.0-bb.0] (2026-03-10)
### Changed
- bb-common 0.14.0 -> 0.14.1
- kiali-operator 2.22.0 -> 2.23.0
- registry1.dso.mil/ironbank/opensource/kiali/kiali v2.22.0 -> v2.23.0
- registry1.dso.mil/ironbank/opensource/kiali/kiali-operator v2.22.0 -> v2.23.0
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.4 -> v1.34.5
- Fixed Kiali distributed tracing external URL to point to Grafana and resolved service entry name conflict when tracing and Grafana share the same hostname.
Kyverno Policies
# Changelog Updates
## [3.3.4-bb.24] (2026-03-26)
### Changed
- Changed the default `enabled` and `validatingFailureAction` values for the `disallow-image-tags`, `disallow-namespaces`, `disallow-nodeport-services`, `require-image-signature`, `restrict-host-path-mount`, `restrict-host-path-mount-pv`, `restrict-host-path-write`, and `restrict-image-registries` to match those specified in the bigbang umbrella chart.
## [3.3.4-bb.23] (2026-03-23)
### Added
- CEL-based ValidatingPolicy: `require-cpu-limit-cel`, gated behind `celPoliciesBeta.require-cpu-limit-cel.enabled` (disabled by default). Validates that all containers define CPU limits. Optional `maxCPU` parameter adds an upper-bound check via CEL `quantity()`. The CPol `parameters.require` JMESPath range-check syntax is not supported; `maxCPU` covers the common upper-bound case. Part of [Epic 578](https://repo1.dso.mil/groups/big-bang/-/epics/578).
## [3.3.4-bb.22] (2026-03-20)
### Changed
- Made changes to the `addtionalPolicyExceptions.yaml` template to simplify passing exceptions from the umbrella bigbang chart.
## [3.3.4-bb.21] (2026-03-16)
### Changed
- Renamed VPol to `disallow-privileged-containers-cel` so it can coexist with the CPol of the same name
- Added gluon bbtest scripts for VPols: `kyverno test` (offline CEL) and `chainsaw test` (live admission)
- Added `docs/dev-overrides.yaml` for local helm installs without the BB umbrella
- Test image changed from `kubectl:v1.34` to `devops-tester:1.1` (adds `kyverno`, `chainsaw`, `jq`)
- Renamed `ENABLED_POLICIES` env var to `ENABLED_CPOLS`, added `CPOL_ACTIONS`
## [3.3.4-bb.20] (2026-03-12)
### Added
- First CEL-based ValidatingPolicy (VPol): `disallow-privileged-containers`, gated behind `celPoliciesBeta.disallow-privileged-containers.enabled` (disabled by default). No VPol is rendered unless you explicitly opt in. To enable: set `celPoliciesBeta.disallow-privileged-containers.enabled: true` in your values. This is the first of ~50 planned ClusterPolicy-to-CEL migrations tracked in [Epic 578](https://repo1.dso.mil/groups/big-bang/-/epics/578). The `celPoliciesBeta` values key signals that this schema may change before GA.
Kyverno Reporter
- !7530: kyvernoReporter update to 3.7.3-bb.1
# Changelog Updates
## [3.7.3-bb.1] (2026-03-20)
### Changed
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.5 -> v1.34.6
- registry1.dso.mil/ironbank/opensource/kyverno/policy-reporter/kyverno-plugin 0.5.3 -> 0.6.0
Mattermost
- !7497: mattermost update to 11.5.1-bb.0
# Changelog Updates
## [11.5.1-bb.0] (2026-03-17)
### Changed
- Updated registry1.dso.mil/ironbank/opensource/mattermost/mattermost (source) 11.4.2 -> 11.5.1
Minio Operator
- !7490: minioOperator update to 7.1.1-bb.5
# Changelog Updates
## [7.1.1-bb.5] (2026-03-13)
### Fixed
- Updated `gluon` dependency to `0.9.8`
- Added explicit `bbtests.cypress` defaults so helm test resources still render with the updated Gluon Cypress runner
- Updated Renovate configuration to detect and update the `gluon` chart dependency
Monitoring
- !7528: monitoring update to 82.14.1-bb.0
- !7523: monitoring update to 82.13.2-bb.1
- !7515: monitoring update to 82.13.2-bb.0
# Changelog Updates
## [82.14.1-bb.0] (2026-03-26)
### Changed
- kube-prometheus-stack 82.13.2 -> 82.14.1
- prometheus-blackbox-exporter 11.9.0 -> 11.9.1
- prometheus-snmp-exporter 9.13.0 -> 9.13.1
- registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator v0.89.0 -> v0.90.0
## [82.13.2-bb.1] (2026-03-24)
### Fixed
- Restored a minimal Prometheus AuthorizationPolicy fallback for SSO-enabled, non-hardened monitoring deployments so Grafana can query Prometheus
## [82.13.2-bb.0] (2026-03-23)
### Changed
- kube-prometheus-stack 82.10.4 -> 82.13.2
- prometheus-blackbox-exporter 11.8.0 -> 11.9.0
- prometheus-snmp-exporter 9.12.1 -> 9.13.0
- registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen v1.6.8 -> v1.6.9
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.5 -> v1.34.6
- registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader v0.89.0 -> v0.90.0
Neuvector
- !7521: neuvector update to 2.8.12-bb.0
# Changelog Updates
## [2.8.12-bb.0] (2026-03-20)
### Changed
- bb-common 0.14.0 -> 0.14.1
- core 2.8.11 -> 2.8.12
- crd 2.8.11 -> 2.8.12
- monitor 2.8.11 -> 2.8.12
- registry1.dso.mil/ironbank/neuvector/neuvector/controller 5.4.9 -> 5.5.0
- registry1.dso.mil/ironbank/neuvector/neuvector/enforcer 5.4.9 -> 5.5.0
- registry1.dso.mil/ironbank/neuvector/neuvector/manager 5.4.9 -> 5.5.0
- registry1.dso.mil/ironbank/opensource/neuvector/registry-adapter v0.2.3 -> v0.2.4
Prometheus Operator Crds
- !7514: prometheusOperatorCRDs update to 28.0.0-bb.0
# Changelog Updates
## [28.0.0-bb.0] (2026-03-20)
### Changed
- prometheus-operator-crds updated from 27.0.0 to 28.0.0
Twistlock
- !7508: twistlock update to 0.25.0-bb.0
# Changelog Updates
## [0.25.0-bb.0] (2026-03-19)
### Changed
- bb-common 0.14.0 -> 0.14.1
- registry1.dso.mil/ironbank/twistlock/console/console 34.03.138 -> 34.04.145
- registry1.dso.mil/ironbank/twistlock/defender/defender 34.03.138 -> 34.04.145
Velero
# Changelog Updates
## [12.0.0-bb.0] - 2026-03-25
### Changed
- Updated upstream velero chart 11.3.2 -> 12.0.0 (major)
- Updated velero appVersion v1.17.2 -> v1.18.0
- Updated gluon 0.9.7 -> 0.9.8
- Updated registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws v1.13.2 -> v1.14.0
- Updated registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-microsoft-azure v1.13.2 -> v1.14.0
- Updated registry1.dso.mil/ironbank/opensource/velero/velero v1.17.2 -> v1.18.0
- Updated registry1.dso.mil/ironbank/big-bang/devops-tester 1.0 -> 1.1
- Updated registry1.dso.mil/ironbank/opensource/nginx/nginx 1.29.5 -> 1.29.6
- Removed `upstream.resources.upgradeJob` in favor of `upstream.upgradeJobResources` (fixes bigbang#3196)
- Removed default `configuration.backupStorageLocation` and `configuration.volumeSnapshotLocation` overrides
- Reduced default resource requests for velero container and nodeAgent
- Changed `imagePullPolicy` from `IfNotPresent` to `Always`
- Bumped `kubeVersion` constraint from >=1.16.0-0 to >=1.18.0-0
- Added passthrough annotations (`bigbang.dev/passthrough`, `bigbang.dev/passthrough-toplevel-key`)
### Removed
- Removed `chart/values.schema.json`, `chart/OWNERS`, `chart/README.md`, `velero_sbom.json`
- Removed `docs/istioHardened.md`, `docs/dev-overrides/minimal.yaml`
### Fixed
- Cleanup values and test-values overrides
- Cleanup and update docs
- Reorganized `docs/Backup-and-restore/` to `docs/backup/`
## [11.3.2-bb.3] - 2026-03-23
### Updated
- bb-common 0.14.0 -> 0.14.1
- Updated network policies for tempo and kube api egress
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Mattermost channel
- Join our Slack
- Check out the documentation for guidance on how to get started
Future
Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.