Kubewarden

A new architecture to ease Kubewarden administrators' lives

We are pleased to announce a new architecture for the Kubewarden stack, in line with its journey to maturity: the introduction of a PolicyServer Custom Resource Definition (CRD), which allows users to describe a policy-server Deployment, together with binding ClusterAdmissionPolicies to a specific PolicyServer instance. These two changes are accompanied by a multitude of improvements to make Kubewarden more comfortable for Kubernetes administrators, such as validation for Kubewarden Custom Resources, improvements in Helm charts, and Status and Conditions for ClusterAdmissionPolicies. Read more...

Towards a universal policy platform

Kubewarden is a policy framework for Kubernetes. It can be used to secure your clusters and to ensure they stay compliant with the rules your organization establishes over time. By leveraging the power of WebAssembly, Kubewarden allows policy authors to write policies using traditional programming languages such as Rust, Go, AssemblyScript and Swift. Kubewarden policies, once compiled into WebAssembly modules, are then distributed using regular OCI registries. This allows Operators to have a consistent way to securely distribute both container images and policies. Read more...

WebAssembly is coming to Cloud Native

Is the title of this post a pun inspired by Christmas or by Game of Thrones? I can’t decide… Are my dad jokes as bad as my daughters claim? Probably… Is WebAssembly spreading inside of the Cloud Native ecosystem? 💯 I have no doubts about that! First of all, why am I so excited about seeing WebAssembly flourish inside of the Cloud Native ecosystem? Well, it’s no secret that I’m a huge fan of it. Read more...

Let's learn Kubewarden - Streaming Event

In case you missed it, CNCF Ambassador Saiyam Pathak recently hosted a live streaming event on his YouTube channel about Kubewarden. Flavio had the pleasure of joining Saiyam and giving an overview of the project. We spoke about Kubernetes Admission Controllers, why we started the Kubewarden project and how it differs from other existing open source projects such as Open Policy Agent and Kyverno. The talk also features a brief overview of WebAssembly: what it is and what benefits it provides to Kubewarden. Read more...

Introducing the PSP host namespaces policy

As you probably know, Kubernetes Pod Security Policies (PSPs) are being deprecated in Kubernetes 1.21 – although these APIs will be served until Kubernetes 1.25 it’s a good time to start thinking about what you will use to replace them. At Kubewarden we have an ongoing effort to replace the Pod Security Policies with small, targeted Kubewarden policies. Up until now, we have implemented some policies that replace some Pod Security Policies: Read more...

Introducing kwctl to Kubernetes Administrators

We are pleased to announce the availability of a new tool within the Kubewarden project: kwctl. kwctl is a command line utility designed to help both policy authors and Kubernetes administrators. This blog post focuses on the user experience of Kubernetes administrators. Future ones will cover the policy developer side of the story. A Real-World Example: Controlling Container Capabilities. The main character of today’s story is Alice. Alice is a Kubernetes administrator who wants to keep her Kubernetes cluster secure. Read more...

Writing your first policy with Kubewarden

Kubewarden is a project focused on security and compliance. Its main goal is to allow you to write, test, distribute and run policies using the tooling that you already know and master, with a focus on controlling Kubernetes inner behaviors. Policies are written in one of the supported languages, and the target object is a WebAssembly binary artifact. This is how Kubewarden can ensure that no matter where you built the policy, it can run on all platforms without any kind of adaptation. Read more...