Kubewarden

Kubewarden 1.27.3 Patch Release

Author: Víctor Cuadrado Juan

We have just released 1.27.3, a small patch release for kwctl. The newly released kwctl v1.27.3 fixes a bug in the kwctl run subcommand for ClusterPolicyGroups and PolicyGroups.

When evaluating policies and policy groups, both kwctl and policy-server take care of running the policies in the correct execution mode that the policies have defined via their metadata. This means that Kubewarden policies that are Wasm modules intended to run as WASI are executed as such. The same applies, for example, to Rust policies compiled for WAPC or to OPA policies.

Up until kwctl 1.27.2, when doing kwctl run of a ClusterPolicyGroup or PolicyGroup, kwctl wasn’t extracting the execution mode from the metadata of the policies that are part of the group; it used the default execution mode instead. This meant that a group mixing policies with different execution modes would fail, for example, with:

$ kwctl run policy-group.yml --request-path adm-req.yml
  Successfully pulled policy from registry://ghcr.io/kubewarden/policies/pod-privileged:v1.0.3
  Successfully pulled policy from registry://ghcr.io/kubewarden/policies/container-running-as-user:v1.0.4
Error: error when building wapc precompiled stack: cannot build Wasmtime engine: unknown import: `env::opa_builtin0` has not been defined

Caused by:
    0: cannot build Wasmtime engine: unknown import: `env::opa_builtin0` has not been defined
    1: unknown import: `env::opa_builtin0` has not been defined

With kwctl v1.27.3, kwctl run evaluates (Cluster)PolicyGroups correctly.
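The failure mode described above, as a simplified model added here (not kwctl's own code): a group member is linked against the host functions of an execution mode, and an import the host does not define aborts the run. The member names, the abridged import lists and the choice of waPC as the default mode (suggested by the error message) are assumptions of this sketch.

```rust
// Simplified model (added example, not kwctl code).
#[derive(Clone, Copy, Debug, PartialEq)]
enum Mode { Wapc, Opa }

struct Policy {
    name: &'static str,
    metadata_mode: Mode, // execution mode declared in the policy metadata
    imports: &'static [(&'static str, &'static str)], // (module, function) imported by the Wasm module
}

// Functions each host runtime defines for the guest (abridged, assumed lists).
fn host_exports(mode: Mode) -> &'static [(&'static str, &'static str)] {
    match mode {
        Mode::Wapc => &[("wapc", "__host_call"), ("wapc", "__guest_request")],
        Mode::Opa => &[("env", "opa_abort"), ("env", "opa_builtin0")],
    }
}

// Link one module for `mode`; fail on the first import the host does not define.
fn link(policy: &Policy, mode: Mode) -> Result<(), String> {
    let exports = host_exports(mode);
    for imp in policy.imports {
        if !exports.contains(imp) {
            return Err(format!("unknown import: `{}::{}` has not been defined", imp.0, imp.1));
        }
    }
    Ok(())
}

// use_metadata = false models the old group behaviour: default mode for every member.
fn run_group(members: &[Policy], use_metadata: bool) -> Result<(), String> {
    for p in members {
        let mode = if use_metadata { p.metadata_mode } else { Mode::Wapc };
        link(p, mode).map_err(|e| format!("{}: {}", p.name, e))?;
    }
    Ok(())
}

// Constructed sample group mixing a waPC policy and an OPA policy.
fn sample_group() -> Vec<Policy> {
    vec![
        Policy { name: "member-a", metadata_mode: Mode::Wapc, imports: &[("wapc", "__host_call")] },
        Policy { name: "member-b", metadata_mode: Mode::Opa, imports: &[("env", "opa_builtin0")] },
    ]
}

fn main() {
    println!("default mode:  {:?}", run_group(&sample_group(), false));
    println!("metadata mode: {:?}", run_group(&sample_group(), true));
}
```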

Getting in touch

Join the conversation on Slack or GitHub discussions and let us know how you’re using Kubewarden!