Kubewarden

Retrieving OCI Image Manifests

Kubewarden’s latest version 1.11.0 introduces a new feature enabling policies to retrieve OCI image manifests. This function, supported in both Rust and Go SDKs, enhances the policy enforcement capabilities within Kubernetes environments. The update provides an additional layer of security inspection for containerized environments. Developers can now write policies using the updated SDKs to access OCI image manifests of container images. This access facilitates more detailed inspections and validations, aligning with security standards and organizational protocols. Read more...

Kubewarden 1.11 release

Today we’re glad to announce the release of Kubewarden 1.11. This release focuses on performance improvements, especially when running on big Kubernetes clusters. Audit Scanner: A lot of work has been done on the audit scanner. The auditing of resources is now done in parallel, which means less time is required on big clusters to scan all the available resources. We’ve also changed how we handle Policy Reports. Kubewarden is still using the Policy Report format being defined inside the Kubernetes wg-policy group. Read more...

Kubewarden 1.10 release

We have the first release of 2024, Kubewarden 1.10.0! 🎉🥳 And this one contains a nice bag of goodies, let’s have a look! Reduced memory usage and increased reliability of Policy servers: A nice graph is worth a thousand words! Note the slightly lower memory consumption, and unchanging consumption when scaling horizontally. This graph represents the memory consumption of one instance of policy-server, containing 13 policies: 4 instances of “verify-signatures”, 5 of “pod-privileged”, 2 of “go-wasi-template” (a 20MB policy, WASI being experimental), 1 Rego policy and 1 ordinary Rust policy. The policy-server was configured with one worker to start, progressing to eight. Read more...

Kubewarden 2023 Wrapped

The end of the year is around the corner. Let’s look at what the Kubewarden project achieved in 2023! Context-Aware graduation: The context-aware feature graduated to stable during this year. We did this by performing a massive overhaul of the initial iteration. Context-aware policies can access information about Kubernetes resources defined inside the cluster. At evaluation time, these policies can make decisions based on this information. Such an example is the unique ingress host policy. Read more...

Raw policies

Kubewarden 1.9.0 has introduced even more features requested by the community, and we are excited to share them with you! In this blog post, we will introduce the new Raw policy type. Kubewarden as a generic policy engine: Raw policies allow policy authors to write and execute policies that are not necessarily related to Kubernetes. This means that Kubewarden can be used as a general-purpose policy engine. For instance, you can use Kubewarden to validate any type of artifact: configurations, Terraform plans, test coverage, static analysis or even deploy Kubewarden alongside your web application to validate domain-specific requests. Read more...

Kubewarden 1.9.0 release

Not even a month after the 1.8.0 release, today we are happy to announce Kubewarden 1.9.0! 🎉🥳 This release includes two major features that have been requested by our community. Making Rego policies context-aware: Context-aware policies have been introduced with Kubewarden 1.6.0. These policies can obtain information about other Kubernetes resources at evaluation time. This allows them to make decisions based not only on the information provided by the AdmissionReview object they receive. Read more...

Introducing Kubewarden WASI policies

Kubewarden policies can be written using either a traditional programming language (like Go, Rust, C#, Swift, …) or using a domain-specific language like Rego. It is required that the programming language can generate the necessary WebAssembly module for use by Kubewarden. When using a traditional programming language, the communication between the host executing the policy and the WebAssembly guest (the actual policy) uses the waPC communication protocol. This protocol provides a bidirectional channel between the host and guest. Read more...

Kubewarden 1.8.0 release

Today we are happy to announce the release of Kubewarden 1.8.0! 🎉🥳 This is a small release, focused on OpenTelemetry. The OpenTelemetry Protocol (OTLP) got its first 1.0.0 version in July 2023; several libraries got their first 1.0.0 release, such as the Go metric SDK or the .NET Automatic Instrumentation. Still, the OpenTelemetry stack is not yet stable, and unannounced backwards-incompatible changes still happen. You can have a look at the status of each of their libraries and protocols here. Read more...

Welcoming the Audit Scanner

Fresh in the already released Kubewarden v1.7.0 stack, we welcome a new module: the Audit Scanner! Audit Scanner? Up until the release of the Audit Scanner, Kubewarden was strictly a Dynamic Admission Controller, checking requests made against the Kubernetes API server with the deployed policies. Yet policies evolve over time; new ones are deployed, and existing ones are updated. This can mean that resources that are inside the cluster are no longer compliant. Read more...

kwctl SHA support

Recently, we have focused on improving the Kubewarden developer experience. We have been implementing features requested by the community. Reference policies by their SHA: Since kwctl release v1.7.0 we support referencing policies by their SHA. Container engines such as Docker and Podman allow users to refer to images by their SHA sum. As Kubewarden policies are distributed as OCI artifacts, we thought it would be a good idea to add SHA support to kwctl, so that users have a familiar experience. Read more...
