Kubewarden

Securing the usage of volumeMounts

We present to you the new volumeMounts Policy: It inspects containers, init containers, and ephemeral containers, and restricts their usage of volumes by checking the volume name being used in the containers' volumeMounts[*].name. You can find it published in Artifact Hub. As usual, its artifact is signed with Sigstore in keyless mode, and if you are curious, you can peek into the policy’s implementation in Rust here. This new policy joins the already existing volumes-psp policy, which provides an allowlist of volume types, and hostpaths-psp policy, with an allowlist of hostPath volumes. Read more...

Enforcing compliance of container's environment variables

We’re glad to present the new environment-variable-policy to Kubewarden users. With this policy, you will now be able to inspect init containers and ephemeral containers. You can also restrict their usage by reviewing the names and values defined under the containers' env[*] field. As always, the policy can be found in ArtifactHub and all the artifacts, including the BOM files, are signed with Sigstore. What is so useful about the new environment-variable policy? Read more...

Kubewarden 1.3 is out!

The Kubewarden development team is happy to announce the release of the Kubewarden 1.3 stack. In addition to the usual amount of small fixes, this release focused on the following themes. Improve end users confidence We want our users to feel confident about using Kubewarden, knowing that good development and security practices are being followed by the Kubewarden project. We think this is particularly relevant to Kubewarden, given our users trust us to keep their Kubernetes clusters secure and compliant. Read more...

Scanning secrets in environment variables

We are thrilled to announce you can now scan your environment variables for secrets with the new env-variable-secrets-scanner-policy! This policy rejects a Pod or workload resources such as Deployments, ReplicaSets, DaemonSets , ReplicationControllers, Jobs, CronJobs etc. if a secret is found in the environment variable within a container, init container, or ephemeral container. Secrets that are leaked in plain text or in base64 encoded variables are detected. This policy uses rusty hog, an open source secret scanner from New Relic. Read more...

v1.1.1 is out 🎉

We are happy to announce the first minor release of v1.0: v1.1.1 is now available! Apart from being a nice looking number, v1.1.1 includes: Improved the policies API for Sigstore verification by adding new backwards-compatible WaPC host callback v2/verify functions to the API. Check them out here to add support for your language of choice. This has been used in the verify-image-signatures policy to simplify verification of GitHub Actions signatures and others. Read more...

Kubewarden policies, now on Artifact Hub!

Today we’re happy to announce that Artifact Hub now supports Kubewarden policies! 🤯 🥳 Artifact Hub is the de-facto place where Cloud Native users search for helm charts, container images, and other kinds of artifacts and configurations of different CNCF projects. That’s why we are super excited and honored to have Kubewarden policies listed on Artifact Hub. This would not have been possible without the work done by the Artifact Hub team. Read more...

Verify image signatures with GitHub Actions and KeylessPrefix

With the latest releases of Kubewarden v1.1.0 and the verify-image-signatures policy, it’s now possible to use GithubActions or KeylessPrefix for verifying images. Read our previous blog post if you want to learn more about how to verify container images with Sigstore using Kubewarden. Let’s see it in action! We want to verify the image ghcr.io/raulcabello/app-example which was built and signed inside a GitHub action using this GitHub Action. Out of the box, GitHub Actions have a specially crafted environment that makes Sigstore keyless signing work in a non-interactive way. Read more...

Migrate your PSPs to Kubewarden policies!

Warning: the code snippets shown inside of this blog post have become outdated. For up-to-date information checkout this section of the Kubewarden documentation. As announced in past blog posts, Kubewarden has 100% coverage of the deprecated, and soon to be removed, Kubernetes PSPs. If everything goes as expected the PSPs will be removed in Kubernetes v1.25 due for release on 23rd August 2022. The Kubewarden team has written a script that leverages the migration tool written by AppVia, to migrate PSP automatically. Read more...

Kubewarden reaches 1.0.0 release 🎉

Kubewarden is a policy engine for Kubernetes that is part of CNCF Sandbox. Never heard of Kubewarden before? Do you want to know what makes Kubewarden stand out among similar solutions? This is a high level overview of Kubewarden’s unique points: Boost Policy Authors' productivity: write policies using your favorite programming language. Leverage your knowledge, skills and tools. Policies are portable WebAssembly modules Reuse your existing Open Policy Agent / Gatekeeper policies Distribute policies using regular container registries Secure supply chain, leverage Sigstore to sign and verify policies Today, a year and a half since its conception, we’re thrilled to announce the release of Kubewarden v1. Read more...

CNCF Sandbox admission 🎊

Today the whole Kubewarden team is overjoyed because the Kubewarden project has just been accepted into the CNCF Sandbox!!! 🥳 This is a great achievement for the whole team and is the beginning of our journey into CNCF. Also, many thanks to the CNCF TOC for the feedback they provided during the project evaluation. What’s next? The admission happens at an interesting time since we are currently testing the 1.0.0-rc1 release of Kubewarden. Read more...

More