Bump github.com/open-policy-agent/gatekeeper/v3 from 3.16.3 to 3.21.0

[dependabot]

Bumps github.com/open-policy-agent/gatekeeper/v3 from 3.16.3 to 3.21.0.

Release notes

Sourced from github.com/open-policy-agent/gatekeeper/v3's releases.

v3.21.0

🚀 Notable Changes

• 🛠️ New flag: sync-vap-enforcement-scope has been introduced to unify the ValidatingAdmissionPolicy(VAP) enforcement surface with the ConstraintTemplate enforcement surface. This syncs VAP resource scope with Gatekeeper's ValidatingWebhookConfigurations, Config resource exclusions, and exempt-namespace–based exemptions. This improves enforcement consistency across all policy mechanisms.
• 🧩 Granular Operation-Level Controls for ConstraintTemplates: ConstraintTemplates now support defining operations on which a template should be enforced (e.g., CREATE, UPDATE, DELETE).
• 📈 Enhanced Metrics & Status for External Data (Provider API): Added new metrics and status reporting for the External Data / Provider API feature, improving observability and overall user experience when integrating external data sources into policy evaluation.

Call to action

Beginning in v3.22 (February 18, 2026), the sync-vap-enforcement-scope flag will default to true and will be removed in a future release. When this flag is removed, Gatekeeper will always generate Validating Admission Policy (VAP) resources by combining enforcement inputs from the admission webhook configuration, Gatekeeper’s configuration resource, and namespace-exemption settings. All applicable enforcement criteria will be merged into the resulting VAP resource.

Impact: If you have explicitly set this flag to false, the enforcement scope of Gatekeeper-managed VAP resources will change, which may cause unexpected behavior in your environment. If you have concerns about removing this flag and would prefer it to remain, please add your feedback in open-policy-agent/gatekeeper#4302.

Features

• Added support for dual-stack for webhook service (#4043) #4043 (Fredrik Liv)
• gator verify - support multiple expansions for per test case (#3981) #3981 (Halvdan Hoem Grelland)
• Make automount service account token and deployment annotations configurable, add extra volumes and volumeMounts (#4124) #4124 (yivan-atl)
• External data status metrics (#4115) #4115 (Jaydip Gabani)
• Add extraEnvs support to helm chart (#4185) #4185 (Kristian Grønås)
• support DELETE operation type when generate VAP (#4030) #4030 (DahuK)

Bug Fixes

• spelling errors in deprecated documentation (#4138) #4138 (Copilot)
• updating to golang-1.25:trixie (#4165) #4165 (Jaydip Gabani)
• Add VAP/VAPB watches for immediate reconciliation when Gatekeeper-owned resources are deleted (#4119) #4119 (Copilot)
• Match scope vap to webhook config, config resource and exempt-ns flag (#4174) #4174 (Jaydip Gabani)
• load kubeconfig consistently with main controller for VAP check (#4194) #4194 (believening)

Documentation

• update link to install ORAS CLI (#4070) #4070 (Mayur Dave)
• add GitHub artifact attestations OPA provider to community providers list (#4061) #4061 (Copilot)
• adding post release checklist for cutting dep releases (#4212) #4212 (Jaydip Gabani)

Continuous Integration

• adding co-pilot instructions (#4081) #4081 (Jaydip Gabani)

Chores

• Prepare v3.21.0 release (#4247) #4247 (github-actions[bot])
• bump github/codeql-action from 3.29.3 to 3.29.4 in the all group (#4073) #4073 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-reader (#4072) #4072 (dependabot[bot])
• bump golang from 69adc37 to ef8c5c7 in /test/export/fake-subscriber (#4074) #4074 (dependabot[bot])
• bump github/codeql-action from 3.29.4 to 3.29.5 in the all group (#4079) #4079 (dependabot[bot])
• updating k8s version and dep verions in CI and Makefile (#4075) #4075 (Jaydip Gabani)
• bump distroless/static-debian12 from b7b9a69 to 2e114d2 in /test/externaldata/dummy-provider (#4098) #4098 (dependabot[bot])
• bump golang from ef8c5c7 to 2679c15 in /test/export/fake-reader (#4097) #4097 (dependabot[bot])
• bump frameworks (#4104) #4104 (Noah Reisch)
• updating AGENTS.md (#4086) #4086 (Jaydip Gabani)
• bumping docker indirect dep to fix CVE (#4128) #4128 (Jaydip Gabani)
• bump google.golang.org/protobuf from 1.36.6 to 1.36.8 (#4125) #4125 (dependabot[bot])

... (truncated)

Commits

• a50c1a2 chore: Prepare v3.21.0 release (#4247)
• dedfccc chore: Prepare v3.21.0-rc.1 release (#4226)
• 53cae28 fix: bumping frameworks (#4221) (#4224)
• db9de90 chore: Prepare v3.21.0-rc.0 release (#4214)
• 6f5c549 chore: bumping cert-controller (#4213)
• edb1fa4 docs: adding post release checklist for cutting dep releases (#4212)
• 912d5fb chore: bumping frameworks (#4208)
• 16c3467 chore: bump the all group with 2 updates (#4209)
• 97165ed chore: bump golang from 61226c6 to 7534a62 in /build/tooling (#4210)
• a941cea chore: bump golang from c8c8d55 to 61226c6 in /test/export/fake-reader (#...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Looks like github.com/open-policy-agent/gatekeeper/v3 is up-to-date now, so this is no longer needed.