Kubewarden 1.34 Release
After the big blooms of 1.33, this release turns its attention to the garden
fence: making sure our CI pipelines are sturdy, our supply chain is
trustworthy, and a nagging bug in kwctl gets pulled out by the roots. Nothing
flashy, but the kind of care that keeps the garden healthy for the long haul.
Let’s take a look at what’s new!
Fix for kwctl scaffold command
When using the kwctl scaffold manifest command with a policy URI that omits
an explicit tag (e.g. registry://ghcr.io/kubewarden/policies/pod-privileged),
users would hit an unexpected error: “Cannot find policy with uri”.
The root cause was a mismatch between how the pull step stores the policy
(appending :latest to the path) and how subsequent commands looked it up
(using the bare URI without the tag). These commands now normalize
registry:// URIs to include :latest when no tag is given, making the lookup
key consistent with the stored path.
For example, the following now works as expected:
$ kwctl scaffold manifest -t ClusterAdmissionPolicy \
    registry://ghcr.io/kubewarden/policies/pod-privileged
---
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: pod-privileged-policy
spec:
  module: registry://ghcr.io/kubewarden/policies/pod-privileged:latest
...
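The normalization described above, as an added illustration that is not kwctl's own code: a policy store that always records pulled policies under a `:latest`-suffixed key, a bare lookup that reproduces the old failure, and a normalizing lookup that matches the stored path. The function and type names (`normalize_registry_uri`, `PolicyStore`) are made up for this example, and it also handles tagless references with a registry port and digest-pinned references, which the post does not discuss.

```rust
use std::collections::HashMap;

// Added example, not kwctl's own code: models the 1.34 fix. The pull step
// stores a policy with `:latest` appended when no tag is given, so later
// commands must derive the same key from the bare URI or the lookup fails
// with "Cannot find policy with uri". Names here are made up for illustration.
const REGISTRY_SCHEME: &str = "registry://";

/// Appends `:latest` to a `registry://` reference that carries neither a tag
/// nor a digest; other schemes and pinned references are returned unchanged.
pub fn normalize_registry_uri(uri: &str) -> String {
    let reference = match uri.strip_prefix(REGISTRY_SCHEME) {
        Some(r) => r,
        None => return uri.to_string(),
    };
    // `name@sha256:<hex>` is pinned by digest; appending a tag would be wrong.
    if reference.contains('@') {
        return uri.to_string();
    }
    // Only the final path component may hold a tag; a colon earlier in the
    // reference is a registry port (e.g. `localhost:5000/org/policy`).
    let last_segment = reference.rsplit('/').next().unwrap_or(reference);
    if last_segment.contains(':') {
        return uri.to_string();
    }
    format!("{uri}:latest")
}

/// Simulated local policy store keyed by normalized URI, mirroring the pull
/// step that appends `:latest` to the stored path.
#[derive(Default)]
pub struct PolicyStore {
    entries: HashMap<String, String>, // normalized URI -> on-disk path
}

impl PolicyStore {
    pub fn pull(&mut self, uri: &str) {
        let key = normalize_registry_uri(uri);
        let path = format!("/store/{}", key.replace("://", "/"));
        self.entries.insert(key, path);
    }
    /// Pre-1.34 behaviour: look up by the bare URI exactly as typed.
    pub fn lookup_bare(&self, uri: &str) -> Option<&String> {
        self.entries.get(uri)
    }
    /// Fixed behaviour: normalize the URI before looking it up.
    pub fn lookup(&self, uri: &str) -> Option<&String> {
        self.entries.get(&normalize_registry_uri(uri))
    }
}
```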
RBAC templates refactoring in Helm charts
The RBAC manifests in the kubewarden-controller Helm chart are now fully
generated by controller-gen via kubebuilder markers, replacing the previous
mix of generated and manually-maintained role files. This is an internal
change with no user-visible impact, but it eliminates permission drift and
makes the chart easier to maintain going forward.
CI security hardening
Recent supply chain security incidents in the open source ecosystem prompted us to perform a thorough review of all our CI workflows to spot any potential exposure. We found no critical issues, but the audit gave us a great opportunity to raise the bar and tighten things up. Therefore, this release brings several improvements to the security of our CI pipelines, covering the Kubewarden controller monorepo as well as many repositories across the Kubewarden organization.
Zizmor: GitHub Actions security linting
We have integrated Zizmor, a static analysis tool for GitHub Actions workflows, into our CI. Zizmor audits workflows for common security pitfalls such as script injection, overly broad permissions, and unsafe use of untrusted input.
Pinning GitHub Actions to immutable references
Most of our CI was already pinning GitHub Actions steps to specific versions, but the audit uncovered a handful of places where floating tags were still in use. Pinning prevents a workflow from silently running different code if an action’s tag is updated by its maintainer, giving us reproducible and auditable builds. Those remaining gaps have now been closed.
Checksum verification for CI-downloaded artifacts
Every place in our codebase that downloads a binary — CI workflow files,
Dockerfiles, and shell scripts — now verifies the download against a known
checksum before using it. For example, our Dockerfiles now fetch the
rustup-init script instead of the previously-used rustup.sh precisely
because it allows checksum verification. Base images and tool versions are
also pinned, making our build inputs fully deterministic.
Wildcard support in trusted-repos-policy v2.1.0
The trusted-repos-policy now supports wildcard patterns (* and ?) when
matching image registries, names, and tags. Any value containing a * or ?
character is automatically treated as a glob pattern, so you can write rules
like ghcr.io/myorg/* or *-rc without any extra configuration.
This feature was contributed by community member @mokhahmed92 — thank you!
Dependency updates
This release includes the usual round of dependency updates: Go and Rust
dependencies have been bumped to their latest versions, and the Rust toolchain
has been updated to 1.94.1.
Breaking changes in Kubewarden GitHub Actions
Policy authors using the Kubewarden GitHub Actions in their policy
repositories should be aware of breaking changes in this release: all action
inputs have been renamed to lowercase kebab-case. For example, GITHUB_TOKEN
is now github-token, VERSION becomes version, and digest_artifact_prefix
becomes digest-artifact-prefix.
If your policy workflows use any Kubewarden-provided actions, please update your input names accordingly after upgrading.
Getting in touch
Join the conversation on Slack or GitHub discussions and let us know how you’re finding Kubewarden 1.34!