Kubewarden

Kubewarden 1.14 release

Kubewarden v1.14.0 release

We are thrilled to announce the release of Kubewarden v1.14.0! This version comes packed with new capabilities, enhancements, and fixes that make Kubewarden even more robust and user-friendly.

New Host Capability for Container Image Configuration

One of the significant updates in this release is the introduction of a new host capability that allows policies to fetch the container image configuration. This update stems from a user request to enhance the user-group-psp-policy policy by enabling it to check the user defined to run the container in the image configuration. Read more...

Introducing the CEL policy

We are pleased to announce a new policy by the Kubewarden team: cel-policy. This new policy uses the Common Expression Language (CEL). For those new to CEL, it is a general-purpose expression language designed to be fast, portable, and safe to execute. CEL as a language is memory-safe, side-effect free, terminating (as in “programs cannot loop forever”), and strong & dynamically typed. CEL is a perfect candidate for extending the Kubernetes API, as CEL expressions can be easily inlined into CRD schemas, and compiled and type-checked “ahead-of-time” (when CRDs are created and updated). Read more...

Kubewarden 1.13 release

I’m pleased to announce a new release of Kubewarden, version 1.13. This release features a series of improvements and bug fixes that contribute to better performance and stability. Let’s go through the most significant changes.

Policy Server memory usage

A community member reported that the Kubewarden Policy Server was using a lot of memory, especially when running context aware policies on big clusters. The number of resources being accessed by the policies was significantly high, in the order of 3200 Namespaces, 10500 Ingresses, 200 ClusterRoleBindings and 11000 RoleBindings. Read more...

Kubewarden 1.12 release

Today we’re glad to announce the release of Kubewarden 1.12. This release focuses on optimizations and high availability, both oriented to production.

Optimizing Gatekeeper policies

The previous 1.11 release featured lots of optimizations for context aware policies. The 1.12 release provides a further optimization for Gatekeeper policies that access Kubernetes resources. This optimization provides an extra 55% performance boost for these policies. The benefits of this optimization are particularly noticeable when a huge number of Kubernetes resources are accessed by a Gatekeeper policy. Read more...

Introducing Kubewarden's Community Repository

The Kubewarden project has recently improved how it shares information and involves others by starting a new community repository. This move was made after a suggestion from the CNCF during their last yearly review. The aim is to bring together all the documentation in one place and make it easier for both new and current contributors to get involved. This new repository is a place for finding out about the project’s rules, security measures, project components, and what’s happening in each Kubewarden GitHub organization repository. Read more...

Retrieving OCI Image Manifests

Kubewarden’s latest version 1.11.0 introduces a new feature enabling policies to retrieve OCI image manifests. This function, supported in both Rust and Go SDKs, enhances the policy enforcement capabilities within Kubernetes environments. The update provides an additional layer of security inspection for containerized environments. Developers can now write policies using the updated SDKs to access OCI image manifests of container images. This access facilitates more detailed inspections and validations, aligning with security standards and organizational protocols. Read more...

Kubewarden 1.11 release

Today we’re glad to announce the release of Kubewarden 1.11. This release focuses on performance improvements, especially when running on big Kubernetes clusters.

Audit Scanner

A lot of work has been done on the audit scanner. The auditing of resources is now done in parallel, which means less time is required on big clusters to scan all the available resources. We’ve also changed how we handle Policy Reports. Kubewarden is still using the Policy Report format being defined inside the Kubernetes wg-policy group. Read more...

Kubewarden 1.10 release

We have the first release of 2024, Kubewarden 1.10.0! 🎉🥳 And this one contains a nice bag of goodies, let’s have a look!

Reduced memory usage and increased reliability of Policy servers

A nice graph is worth a thousand words! Note the slightly lower memory consumption, and unchanging consumption when scaling horizontally. This graph represents the memory consumption of one instance of policy-server, containing 13 policies:

- 4 instances of “verify-signatures”
- 5 of “pod-privileged”
- 2 of “go-wasi-template” (a 20MB policy, WASI being experimental)
- 1 Rego policy
- 1 ordinary Rust policy

The policy-server was configured with one worker to start, progressing to eight. Read more...

Kubewarden 2023 Wrapped

The end of the year is around the corner. Let’s look at what the Kubewarden project achieved in 2023!

Context-Aware graduation

The context-aware feature graduated to stable during this year. We did this by performing a massive overhaul of the initial iteration. Context-aware policies can access information about Kubernetes resources defined inside the cluster. At evaluation time, these policies can make decisions based on this information. Such an example is the unique ingress host policy. Read more...

Raw policies

Kubewarden 1.9.0 has introduced even more features requested by the community, and we are excited to share them with you! In this blog post, we will introduce the new Raw policy type.

Kubewarden as a generic policy engine

Raw policies allow policy authors to write and execute policies that are not necessarily related to Kubernetes. This means that Kubewarden can be used as a general-purpose policy engine. For instance, you can use Kubewarden to validate any type of artifact: configurations, Terraform plans, test coverage, static analysis or even deploy Kubewarden alongside your web application to validate domain-specific requests. Read more...