<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Blog on Kubewarden</title><link>/blog/</link><description>Recent content in Blog on Kubewarden</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Tue, 10 Mar 2026 11:31:19 +0100</lastBuildDate><atom:link href="/blog/index.xml" rel="self" type="application/rss+xml"/><item><title>SBOMscanner 0.10 Release</title><link>/blog/2026/03/sbomscanner-0.10-release/</link><pubDate>Tue, 10 Mar 2026 00:00:00 +0000</pubDate><guid>/blog/2026/03/sbomscanner-0.10-release/</guid><description>The Kubewarden ecosystem continues to expand its supply chain security capabilities! Hot on the heels of the Admission Controller 1.33 release, we are excited to announce SBOMscanner v0.10.0. This release introduces powerful new features and critical stability fixes. Let’s dive in!
Workload Scan
Until now, SBOMscanner required explicit Registry configurations to scan images. However, what usually matters most are the images actively running in your cluster.
The new Workload Scan feature automatically discovers and scans container images based on live workloads.</description></item><item><title>Admission Controller 1.33 Release</title><link>/blog/2026/03/adm-controller-1.33-release/</link><pubDate>Mon, 09 Mar 2026 00:00:00 +0000</pubDate><guid>/blog/2026/03/adm-controller-1.33-release/</guid><description>The garden is thriving and Kubewarden 1.33 is ready to bloom! Following last release&amp;rsquo;s big repotting, this one is serious about pruning, including a security issue. It&amp;rsquo;s not all housekeeping though, fresh flowers are blooming and come with nice features: BYO-PKI landing in the policy-server, field mask filtering for context-aware calls, proxy support, and a few more treats. Let&amp;rsquo;s dig in!
Security fix: Cross-namespace data access, removal of deprecated API calls
In our previous post we explained how our architecture protects namespaced policy users from privilege escalations.</description></item><item><title>Not affected by cross-ns privilege escalation via policy api call</title><link>/blog/2026/02/not-affected-by-cve-2026-22039/</link><pubDate>Mon, 16 Feb 2026 00:00:00 +0000</pubDate><guid>/blog/2026/02/not-affected-by-cve-2026-22039/</guid><description>Why Kubewarden is not affected by CVE-2026-22039
The recent vulnerability CVE-2026-22039 is doing the rounds in the Kubernetes security community, with dramatic titles such as &amp;ldquo;How an admission controller vulnerability turned Kubernetes namespaces into a security illusion&amp;rdquo;. You can read about people doubting admission controllers, claiming they have too much power, or they represent too high a value target.
In this blogpost, we reassure Kubewarden users that they aren&amp;rsquo;t affected thanks to our architecture, and explain why.</description></item><item><title>Kubewarden 1.32 Release</title><link>/blog/2026/02/kubewarden-1.32-release/</link><pubDate>Thu, 05 Feb 2026 00:00:00 +0000</pubDate><guid>/blog/2026/02/kubewarden-1.32-release/</guid><description>Another year rolls around, and Kubewarden is still growing like a well-watered houseplant! Kubewarden got a New Year’s resolution to tidy up and repot, and has gone full on with digital gardening. This release is a maintenance one, with big moves to monorepos and a refresh in release artifacts.
New Admission Controller monorepo
With the addition of SBOMscanner to the Kubewarden harvest, we saw a great opportunity for cleanup on the Admission Controller side.</description></item><item><title>The year in review: Kubewarden's progress in 2025</title><link>/blog/2026/01/end-year-2025/</link><pubDate>Wed, 07 Jan 2026 00:00:00 +0000</pubDate><guid>/blog/2026/01/end-year-2025/</guid><description>Join us in celebrating a fruitful 2025 for the Kubewarden project!
The team has spent time planting kernels and enjoying the fruit of the grown ideas. Let&amp;rsquo;s look together at what the basket brings as we say ciao to 2025. Grab anything you like for the trip!
Expanding the Scope: Introducing SBOMScanner
2025 saw Kubewarden expand beyond admission policies with the introduction of SBOMScanner, a new project donated to CNCF under the Kubewarden umbrella.</description></item><item><title>Kubewarden 1.31 Release</title><link>/blog/2025/11/kubewarden-1.31-release/</link><pubDate>Tue, 25 Nov 2025 00:00:00 +0000</pubDate><guid>/blog/2025/11/kubewarden-1.31-release/</guid><description>Preparing for season celebrations, Kubewarden grabbed its running shoes and went for a lively jog. This release is about keeping your cluster environment fit and lively: new policy, new Sigstore airgap features, backup support, and new resource limits for our Helm charts, among other things.
The running group is growing too!
New peer project: SBOMScanner
As announced some weeks ago, the Kubewarden family is growing with the addition of SBOMscanner.</description></item><item><title>Introducing the Kubewarden JavaScript/TypeScript SDK</title><link>/blog/2025/11/policy-sdk-js/</link><pubDate>Tue, 18 Nov 2025 00:00:00 +0000</pubDate><guid>/blog/2025/11/policy-sdk-js/</guid><description>Writing Kubewarden policies is now even more accessible. Today, we&amp;rsquo;re excited to announce the alpha release of the Kubewarden JavaScript/TypeScript SDK, bringing policy development to the world&amp;rsquo;s most popular programming language.
Why JavaScript for Kubernetes Policies?
Kubewarden has always been about choice, letting you write policies in the language you&amp;rsquo;re most comfortable with. The JavaScript/TypeScript SDK opens Kubewarden to an entirely new audience, the millions of developers already familiar with the JavaScript ecosystem.</description></item><item><title>Expanding Kubewarden Scope</title><link>/blog/2025/11/expanding-kubewarden-scope/</link><pubDate>Tue, 11 Nov 2025 00:00:00 +0000</pubDate><guid>/blog/2025/11/expanding-kubewarden-scope/</guid><description>The Kubewarden project was created four years ago at SUSE with the goal of redefining Policy As Code. We built a universal policy engine for Kubernetes and donated it to the CNCF.
When the project started, policies could only be written in Rust and Go. Since then, we&amp;rsquo;ve worked to increase flexibility. Today, policies can also be written in other programming languages such as C#, and even JavaScript and TypeScript (stay tuned for the upcoming announcement).</description></item><item><title>Kubewarden 1.30 Release</title><link>/blog/2025/10/kubewarden-1.30-release/</link><pubDate>Thu, 30 Oct 2025 00:00:00 +0000</pubDate><guid>/blog/2025/10/kubewarden-1.30-release/</guid><description>Today, Kubewarden 1.30 woke up, shook itself, stretched its wings and took off to a cluster near you! This release brings in its beak a bunch of policy features, and performs some future-proofing migrations.
Migration to OpenReports
So far, the Kubewarden Audit Scanner feature has been using the PolicyReports CRDs from policyreports.wgpolicyk8s.io to save its results. These CRDs came from the Kubernetes Policy Working Group and enabled standardized reporting across policy engines.</description></item><item><title>Policy Server 1.29.2 Patch Release</title><link>/blog/2025/10/policy-server-1.29.2-patch-release/</link><pubDate>Fri, 17 Oct 2025 00:00:00 +0000</pubDate><guid>/blog/2025/10/policy-server-1.29.2-patch-release/</guid><description>Earlier this week we published a patch release of Policy Server. The fix was required to avoid a crash at startup time.
The crash was caused by some changes inside the Sigstore TUF repository, specifically the introduction of a new public key for the Rekor service. The Rust library we use to interact with Sigstore could not handle this change, resulting in an error.
The patch we issued on Monday allowed Policy Server to continue operating in a degraded mode.</description></item><item><title>Kubewarden 1.29.1 Patch Release</title><link>/blog/2025/10/kubewarden-1.29.1-patch-release/</link><pubDate>Mon, 13 Oct 2025 00:00:00 +0000</pubDate><guid>/blog/2025/10/kubewarden-1.29.1-patch-release/</guid><description>Today, we released patch updates for both Policy Server and kwctl.
These releases address a startup failure affecting both components, caused by an issue initializing Sigstore&amp;rsquo;s TUF repository.
With this fix, Policy Server and kwctl will now exit with an error only if policy verification settings are enabled. Policies using image verification settings will reject all images that rely on Sigstore certificate infrastructure (like keyless signatures).
In the meantime, we are collaborating upstream to resolve the Sigstore issue.</description></item><item><title>Kubewarden 1.29 Release</title><link>/blog/2025/10/kubewarden-1.29-release/</link><pubDate>Wed, 01 Oct 2025 00:00:00 +0000</pubDate><guid>/blog/2025/10/kubewarden-1.29-release/</guid><description>Straight from the kitchen, Kubewarden 1.29 is served! This release is a poké bowl of healthy stack features, crisp policy improvements, and some fresh fixes, all seasoned with the wholesome flavour of paid-off tech debt.
Removal of Picky dependency and stringent behavior change
We have long depended on the Rust crate picky as the implementation for X.509 and PKI certificates that we use in our cryptographic host capabilities. It allowed us to overcome some limitations in the webpki crate.</description></item><item><title>Kubewarden 1.28 Release</title><link>/blog/2025/08/kubewarden-1.28-release/</link><pubDate>Wed, 27 Aug 2025 00:00:00 +0000</pubDate><guid>/blog/2025/08/kubewarden-1.28-release/</guid><description>Kubewarden 1.28 has emerged refreshed from a bath in the lake (just like my dog on the morning walk before writing this post!). This release cycle comes mainly with improvements on policies, though some stack features plus kwctl bugfixes also bubbled up.
Supporting Hauler for air-gap installs
With 1.28, our Helm chart releases now include a Hauler YAML manifest.
Hauler is an Open Source project that provides a declarative way of saving all artifacts needed for air-gap installs, along with a tool (the hauler cli) that works with it without requiring operators to adopt a specific workflow.</description></item><item><title>Kubewarden 1.27.3 Patch Release</title><link>/blog/2025/07/kubewarden-1.27.3-release/</link><pubDate>Thu, 14 Aug 2025 00:00:00 +0000</pubDate><guid>/blog/2025/07/kubewarden-1.27.3-release/</guid><description>We have just released 1.27.3, a small patch release for kwctl. This newly released kwctl version v1.27.3 fixes a bug on the kwctl run subcommand for ClusterPolicyGroups and PolicyGroups.
When evaluating policies and policy groups, both kwctl and policy-server take care of running the policies in the correct execution mode that the policies have defined via their metadata. This means that Kubewarden policies that are Wasm modules intended to run as WASI are executed as such.</description></item><item><title>Kubewarden 1.27.2 Patch Release</title><link>/blog/2025/07/kubewarden-1.27.2-release/</link><pubDate>Tue, 05 Aug 2025 00:00:00 +0000</pubDate><guid>/blog/2025/07/kubewarden-1.27.2-release/</guid><description>We have just released 1.27.2, a small patch release for kwctl. This newly released kwctl version v1.27.2 fixes 2 bugs on the kwctl scaffold admission-request subcommand.
On first run, kwctl scaffold admission-request tries to connect to a cluster (if it exists) via kubeconfig, and create a cache of available resource definitions. This allows for scaffolding AdmissionRequests for CRDs in the cluster.
Starting from 1.22, there was a bug where kwctl failed to create the internal client to connect to a running cluster.</description></item><item><title>Writing Kubewarden Policies in TypeScript/JavaScript (Google Summer of Code)</title><link>/blog/2025/07/gsoc-policy-sdk-js/</link><pubDate>Mon, 04 Aug 2025 00:00:00 +0000</pubDate><guid>/blog/2025/07/gsoc-policy-sdk-js/</guid><description>Hi, I’m Esosa Ohangbon, a software engineering student at Carleton University. This summer, I&amp;rsquo;ve had the incredible opportunity to participate in Google Summer of Code (GSoC) as a contributor to Kubewarden.
My focus has been on developing policy-sdk-js, a JavaScript SDK for writing Kubewarden policies using JavaScript or TypeScript. In this post, I’ll share what the experience has been like so far, some of the challenges I’ve faced, what I’ve learned, and what I’m looking forward to next.</description></item><item><title>Kubewarden 1.27.1 Patch Release</title><link>/blog/2025/07/kubewarden-1.27.1-release/</link><pubDate>Fri, 01 Aug 2025 00:00:00 +0000</pubDate><guid>/blog/2025/07/kubewarden-1.27.1-release/</guid><description>We have just released 1.27.1, a small patch release for kwctl.
With 1.27, kwctl CLI now performs post-policy processing validations previously only done by the policy-server. This includes checking for the policy mode, as in spec.mode being monitor or protect. This was achieved by refactoring the code in the policy-server and moving it to our library, policy-evaluator.
With this change, we introduced a regression in the command kwctl run, used to run policies.</description></item><item><title>Kubewarden 1.27 Release</title><link>/blog/2025/07/kubewarden-1.27-release/</link><pubDate>Tue, 29 Jul 2025 00:00:00 +0000</pubDate><guid>/blog/2025/07/kubewarden-1.27-release/</guid><description>Here&amp;rsquo;s a look at the key updates and improvements in the latest release.
New High-Risk Service Account Policy
In this release, we&amp;rsquo;ve introduced a new policy to improve cluster security. The High-Risk Service Account Blocker policy, as its name suggests, blocks workloads that attempt to run with a service account that has excessive permissions.
This policy leverages the Kubernetes authorization API and allows cluster operators to define a list of forbidden permissions.</description></item><item><title>Kubewarden 1.26 Release</title><link>/blog/2025/06/kubewarden-1.26-release/</link><pubDate>Wed, 25 Jun 2025 00:00:00 +0000</pubDate><guid>/blog/2025/06/kubewarden-1.26-release/</guid><description>Kubewarden 1.26 is fresh out of the oven, with a nice bunch of features.
Running policies from YAML locally with kwctl
Up until now, to run policies with kwctl run one needed to pass the policy module URL, the settings, and the context-aware settings via specific flags. For example:
$ kwctl run \
  --settings-json &amp;#39;{&amp;#34;allowPorts&amp;#34;: [80], &amp;#34;denyPorts&amp;#34;: [3000]}&amp;#39; \
  --request-path req_pod_with_allowed_capabilities_accept.json \
  registry://ghcr.io/kubewarden/policies/ingress:v0.1.8
Thanks to suggestions from our user community, kwctl can now consume a YAML file containing the Custom Resource Definition of policies, and run the request against them.</description></item><item><title>Adopting of Kubewarden</title><link>/blog/2025/05/adopting-kubewarden/</link><pubDate>Fri, 23 May 2025 00:00:00 +0000</pubDate><guid>/blog/2025/05/adopting-kubewarden/</guid><description>Call for Adopters
Kubewarden is showing significant maturity as a Kubernetes policy enforcement solution, with a growing number of organizations adopting it for policy enforcement for their clusters. This trend reflects the increasing need for robust, flexible, and auditable policy enforcement in the Kubernetes ecosystem.
Why Kubewarden?
But why use Kubewarden? Kubewarden has seen a substantial expansion of its policy library. More pre-built policies are available, covering a wider range of security and operational best practices.</description></item><item><title>Kubewarden 1.25 Release: Priority Class Support and CI Security Enhancements</title><link>/blog/2025/05/kubewarden-1.25-release/</link><pubDate>Thu, 15 May 2025 00:00:00 +0000</pubDate><guid>/blog/2025/05/kubewarden-1.25-release/</guid><description>Kubewarden 1.25 arrives with:
enhanced Kubernetes Priority Class integration across the stack
improved CI security through GitHub Actions cleanup
usability refinements in the kwctl tool.
Priority Class support
A key feature of this release is the comprehensive integration of Kubernetes Priority Classes across the entire Kubewarden stack. This allows for fine-grained control over the scheduling and resource allocation of Kubewarden components and other workloads in the cluster. The Kubewarden Helm charts now include a new value, .</description></item><item><title>Kubewarden joins OpenReports Initiative</title><link>/blog/2025/04/openreport/</link><pubDate>Mon, 12 May 2025 00:00:00 +0000</pubDate><guid>/blog/2025/04/openreport/</guid><description>Kubewarden is an open-source CNCF project actively engaged with the wider Kubernetes ecosystem. This informs the use of valuable projects like Policy Reporter. Using Policy Reporter as a default UI for Kubewarden simplifies the user experience, allowing the use of familiar reporting mechanisms. This strategic choice also lets the team concentrate on the Kubewarden core stack.
So, the Kubewarden team participates in the Kubernetes Policy Working Group. We join community meetings and seek opportunities for collaboration, focusing on the future of policy reporting and related resources.</description></item><item><title>Kubewarden 1.24 release</title><link>/blog/2025/04/kubewarden-1.24-release/</link><pubDate>Wed, 30 Apr 2025 00:00:00 +0000</pubDate><guid>/blog/2025/04/kubewarden-1.24-release/</guid><description>The wait is over, Kubewarden 1.24 has arrived! We have some Easter eggs for you in this one.
Promoting our policies to v1.0.0 In the past, we consciously picked semver 0.X.Y for policy versions as that meant that the policy API for the user (in this case, the policy spec.settings) was not considered stable.
Since the settings of our policies haven&amp;rsquo;t changed since their initial release, we decided it was time to highlight their stability by promoting them to v1.</description></item><item><title>Rego policy library relaunch</title><link>/blog/2025/04/rego-policy-library-relaunch/</link><pubDate>Tue, 22 Apr 2025 00:00:00 +0000</pubDate><guid>/blog/2025/04/rego-policy-library-relaunch/</guid><description>We are excited to announce the latest additions to our policy library!
Seventy finely crafted Rego policies are now available for you to use in your Kubernetes clusters.
Rego policy library
Kubewarden&amp;rsquo;s Rego policy library is a collection of policies written in Rego, the policy language used by Open Policy Agent (OPA). These policies are designed to help you enforce security and compliance best practices in your Kubernetes clusters.</description></item><item><title>Ingress-nginx CVE-2025-1974 - how Kubewarden can help you</title><link>/blog/2025/04/ingress-nginx-cve-2025-1974/</link><pubDate>Thu, 03 Apr 2025 00:00:00 +0000</pubDate><guid>/blog/2025/04/ingress-nginx-cve-2025-1974/</guid><description>Last week, a high severity issue CVE-2025-1974 was found affecting ingress-nginx, one of the most used ingress solutions for Kubernetes.
The issue
The issue allows an attacker to execute arbitrary code in the Pod running the controller. The attacker can then steal the Kubernetes identity of the nginx-ingress controller which, by design, has access to all the Secrets defined in the cluster.
The issue is exploited by making http requests against the validating webhook server used by the nginx-ingress controller.</description></item><item><title>Kubewarden at KubeCon EU 2025</title><link>/blog/2025/03/kubecon-eu-2025/</link><pubDate>Thu, 27 Mar 2025 00:00:00 +0000</pubDate><guid>/blog/2025/03/kubecon-eu-2025/</guid><description>For those attending KubeCon EU 2025 in London, we’re excited to announce that some of our team will be there!
Here’s where you can catch us:
Tuesday, 9:31 AM: Don’t miss our lightning talk! Learn how to leverage and extend CEL for cluster security. Details here.
Tuesday, 2:00 PM - 5:00 PM, Project Pavilion kiosk: Stop by to chat with us and learn more about Kubewarden.
We can’t wait to see you there!</description></item><item><title>Kubewarden 1.23 release</title><link>/blog/2025/03/kubewarden-1.23-release/</link><pubDate>Wed, 26 Mar 2025 00:00:00 +0000</pubDate><guid>/blog/2025/03/kubewarden-1.23-release/</guid><description>The wait is over—Kubewarden 1.23 has arrived! Packed with exciting security enhancements, smoother workflows, and important updates, this release is here to make your Kubernetes experience even better. Let&amp;rsquo;s dive into what’s new!
Hardening of the admission webhooks
Kubernetes Dynamic Admission Controllers, like Kubewarden, work by providing a webhook server that implements the validation/mutation API defined by the Kubernetes project. These webhook servers are usually deployed within the same cluster as regular Kubernetes workloads.</description></item><item><title>Watch Kubewarden in the ChatLoopBackOff Webinar</title><link>/blog/2025/03/cncf-webinar-chatloopbackoff/</link><pubDate>Tue, 18 Mar 2025 00:00:00 +0000</pubDate><guid>/blog/2025/03/cncf-webinar-chatloopbackoff/</guid><description>We are happy to highlight a recent CNCF webinar that does a first-dive into Kubewarden.
In this webinar, CNCF Ambassador Carlos Santana explores Kubewarden&amp;rsquo;s architecture, use cases, and benefits, with a smile in a relaxed environment. You&amp;rsquo;ll learn how Kubewarden policies can be applied at admission control or runtime to ensure compliance and security.
You can watch the full webinar here.
Thanks Carlos!
Getting in touch
As always, we welcome your feedback and contributions.</description></item><item><title>kwctl 1.22.1 patch release</title><link>/blog/2025/03/kwctl-1-22-1-patch-release/</link><pubDate>Tue, 04 Mar 2025 00:00:00 +0000</pubDate><guid>/blog/2025/03/kwctl-1-22-1-patch-release/</guid><description>Today we published the 1.21.1 patch release of kwctl.
This release includes a fix for a bug that, under certain circumstances, could prevent users from pushing policies to a container registry.
The 1.22.0 release introduces the ability to add policy annotations to the manifest of the OCI artifact that is pushed to the container registry. This feature is useful for adding metadata to the OCI artifact that can be utilized by other tools in the CI/CD pipeline.</description></item><item><title>Kubewarden 1.22 release</title><link>/blog/2025/02/kubewarden-1.22-release/</link><pubDate>Wed, 26 Feb 2025 00:00:00 +0000</pubDate><guid>/blog/2025/02/kubewarden-1.22-release/</guid><description>We&amp;rsquo;re excited to announce the release of Kubewarden v1.22! This release brings some improvements to kwctl and the Rust SDK, together with some internal changes to prepare for future work.
Breaking change: PolicyServer health check endpoint change
⚠️ IMPORTANT ⚠️ Breaking change: If you have created a custom instance of PolicyServer with a hard-coded .spec.image, you must update it to consume the v1.22.0 tag.
Starting from 1.22, the Policy Server health check endpoint is exposed on port 80 instead of port 443, and Policy Server Deployment objects created by the kubewarden-controller make this assumption.</description></item><item><title>Beyond Prefix Matching</title><link>/blog/2025/02/beyond-prefix-matching/</link><pubDate>Wed, 19 Feb 2025 00:00:00 +0000</pubDate><guid>/blog/2025/02/beyond-prefix-matching/</guid><description>A recent Aqua Security blog post highlighted the risks of misconfigured Kubernetes policy engines, particularly when dealing with OPA Gatekeeper. The post correctly points out the challenges of managing complex policies and the potential for bypasses due to misconfigurations. However, it also underscores a critical limitation of many policy engines: their reliance on string manipulation, especially when dealing with OCI image references. This is where Kubewarden takes a different, and significantly more robust, approach.</description></item><item><title>Kubewarden 1.21.1 patch release</title><link>/blog/2025/02/kubewarden-1-21-1-patch-release/</link><pubDate>Wed, 05 Feb 2025 00:00:00 +0000</pubDate><guid>/blog/2025/02/kubewarden-1-21-1-patch-release/</guid><description>Today we published the 1.21.1 patch releases of the kwctl and Policy Server components of the Kubewarden stack.
The release ensures all Sigstore verification capabilities work.
What happened
On Monday, February 3rd, the contents of Sigstore&amp;rsquo;s TUF repository were updated. During this process, part of the repository metadata wasn&amp;rsquo;t properly handled. Specifically, one of the KEYIDs of the repository wasn&amp;rsquo;t updated when the key contents were modified.
The breaking change wasn&amp;rsquo;t noticed by upstream maintainers as the TUF Go implementation is not performing strict verification of the KEYID.</description></item><item><title>Kubewarden 1.21 release</title><link>/blog/2025/01/kubewarden-1-21-release/</link><pubDate>Thu, 30 Jan 2025 00:00:00 +0000</pubDate><guid>/blog/2025/01/kubewarden-1-21-release/</guid><description>We&amp;rsquo;re excited to announce the release of Kubewarden v1.21, our first release of 2025!
The release addresses two security issues that the Kubewarden team has discovered. Detailed information about them is included below. While these issues do not have a critical impact, we recommend our users upgrade their Kubewarden deployments.
Alongside these security fixes, the 1.21 release includes the usual stream of dependency updates and features some improvements to our documentation.</description></item><item><title>The Year in Review: Kubewarden's Progress in 2024</title><link>/blog/2024/12/end-year-2024/</link><pubDate>Tue, 07 Jan 2025 00:00:00 +0000</pubDate><guid>/blog/2024/12/end-year-2024/</guid><description>It was an exciting year for Kubewarden policy management. We had new features, performance improvements, and have been working towards a regular release schedule.
The year has seen work in these areas:
performance and reliability
scalability improvements to reduce complexity and improve security
adding CEL policies and policy grouping using logical operators
improving community outreach
Kubewarden 1.10 had optimizations for policy server performance. Memory usage was improved, enabling constant consumption even in large deployments.</description></item><item><title>Kubewarden 1.20 release</title><link>/blog/2024/12/kubewarden-1-20-release/</link><pubDate>Thu, 19 Dec 2024 00:00:00 +0000</pubDate><guid>/blog/2024/12/kubewarden-1-20-release/</guid><description>We&amp;rsquo;re excited to announce the release of Kubewarden v1.20! This release brings a nice improvement for deploying with OpenTelemetry and some bug fixes.
Supporting more OpenTelemetry scenarios
⚠️ IMPORTANT ⚠️ The kubewarden-controller Helm chart has changed the values.yml schema for the OpenTelemetry keys, hence this update is not backwards-compatible if you have configured OpenTelemetry. Please adapt your values to the new values.yml format.
This is of course reflected with a major version bump of the chart version.</description></item><item><title>Kubewarden 1.19 release</title><link>/blog/2024/11/kubewarden-1-19-release/</link><pubDate>Mon, 02 Dec 2024 00:00:00 +0000</pubDate><guid>/blog/2024/11/kubewarden-1-19-release/</guid><description>We&amp;rsquo;re excited to announce the release of Kubewarden v1.19! This release brings a host of improvements focused on minor bug fixes, adding tests, and developer tech debt improvements.
Bug Fixes and Dependency Updates
As always, we&amp;rsquo;ve addressed bugs and updated dependencies to ensure a smooth and reliable experience. Notably, we&amp;rsquo;ve updated the dependencies for our major components. These updates contribute to the overall stability and security of the Kubewarden stack.</description></item><item><title>Kubewarden 1.18 release, SLSA level 3</title><link>/blog/2024/11/kubewarden-1-18-release-slsa-level-3/</link><pubDate>Mon, 04 Nov 2024 00:00:00 +0000</pubDate><guid>/blog/2024/11/kubewarden-1-18-release-slsa-level-3/</guid><description>We are thrilled to announce the release of Kubewarden v1.18.0. For this release we have focused on achieving level 3 of the SLSA standard, in addition to minor bug fixes, adding tests, and developer tech debt improvements.
SLSA level 3
Kubewarden has been at the forefront of Sigstore integration (being co-maintainers of the upstream sigstore-rs Rust library), and has signed its artifacts and provided SBOMs for several years.
For this cycle, we have made the necessary changes to our build pipelines to achieve level 3 of SLSA.</description></item><item><title>Policy Groups deep dive</title><link>/blog/2024/10/policy-groups/</link><pubDate>Wed, 02 Oct 2024 00:00:00 +0000</pubDate><guid>/blog/2024/10/policy-groups/</guid><description>With v1.17, we introduced a new powerful feature, Policy Groups, enabled by two new Kubernetes Custom Resources:
AdmissionPolicyGroups: Namespaced policy comprised of several policies.
ClusterAdmissionPolicyGroups: Clusterwide policy comprised of several policies.
These new Policy Groups resources define a policy comprised of several policies and their policy settings, and they perform a combined evaluation of those multiple policies using logical operators.
Why are these useful? Because they reuse existing policies, reducing the need for custom policy creation.</description></item><item><title>Kubewarden 1.17 release</title><link>/blog/2024/10/kubewarden-1-17-release/</link><pubDate>Mon, 30 Sep 2024 00:00:00 +0000</pubDate><guid>/blog/2024/10/kubewarden-1-17-release/</guid><description>We are thrilled to announce the release of Kubewarden v1.17.0. This release is packed with big features, let&amp;rsquo;s have a look!
Certificate rotation &amp;amp; removal of cert-manager dependency
Starting from this release, the Kubewarden stack takes care of creating and rotating all the needed TLS certificates and certificate authorities.
Kubewarden, by virtue of connecting to the Kubernetes API server, needs TLS certificates for both the kubewarden-controller (when creating webhooks for its policies) and for the PolicyServers (so they can report their results to the Webhook API server).</description></item><item><title>Policy Server and kwctl 1.16.1 patch releases</title><link>/blog/2024/09/policy-server-and-kwctl-1-16-1-patch-release/</link><pubDate>Wed, 04 Sep 2024 00:00:00 +0000</pubDate><guid>/blog/2024/09/policy-server-and-kwctl-1-16-1-patch-release/</guid><description>Policy Server and kwctl 1.16.1 patch releases
Today we published the 1.16.1 patch release of Policy Server and kwctl.
The release addresses a breaking change inside Sigstore&amp;rsquo;s TUF repository. The change caused errors while retrieving the contents of the TUF repository, which broke part of Kubewarden&amp;rsquo;s integration with Sigstore.
More specifically, it was no longer possible to verify the signatures of Kubewarden&amp;rsquo;s policies and to verify the signatures of the container images used inside of a Kubernetes cluster via policies like verify-image-signatures.</description></item><item><title>Kubewarden 1.16 release</title><link>/blog/2024/08/kubewarden-1-16-release/</link><pubDate>Mon, 19 Aug 2024 00:00:00 +0000</pubDate><guid>/blog/2024/08/kubewarden-1-16-release/</guid><description>Kubewarden v1.16.0 release
We are thrilled to announce the release of Kubewarden v1.16.0! Following the northern hemisphere summer, this version packs some goodies but is a bit more lightweight than usual.
kwctl scaffold for AdmissionRequests
The kwctl cli has learned a new command, kwctl scaffold admission-request, which prints a Kubernetes AdmissionRequest object from the provided Kubernetes resource definition.
This is useful when developing policies (and not only limited to Kubewarden ones).</description></item><item><title>Kubewarden 1.15 release</title><link>/blog/2024/07/kubewarden-1-15-release/</link><pubDate>Tue, 30 Jul 2024 00:00:00 +0000</pubDate><guid>/blog/2024/07/kubewarden-1-15-release/</guid><description>Kubewarden v1.15.0 release
We are thrilled to announce the release of Kubewarden v1.15.0! This version comes packed with CEL policy updates, controller enhancements, and fixes that make Kubewarden even more robust and user-friendly.
Enhanced PolicyServer CRD with Tolerations One of the standout features of Kubewarden v1.15 is the extension of the PolicyServer Custom Resource Definition (CRD) to include a list of Toleration objects to be used in the deployment created for the Policy Server.</description></item><item><title>Kubewarden 1.14 release</title><link>/blog/2024/06/kubewarden-1-14-release/</link><pubDate>Tue, 25 Jun 2024 00:00:00 +0000</pubDate><guid>/blog/2024/06/kubewarden-1-14-release/</guid><description>Kubewarden v1.14.0 release We are thrilled to announce the release of Kubewarden v1.14.0! This version comes packed with new capabilities, enhancements, and fixes that make Kubewarden even more robust and user-friendly.
New Host Capability for Container Image Configuration One of the significant updates in this release is the introduction of a new host capability that allows policies to fetch the container image configuration. This update stems from a user request to enhance the user-group-psp-policy policy by enabling it to check the user defined to run the container in the image configuration.</description></item><item><title>Introducing the CEL policy</title><link>/blog/2024/06/welcome-cel-policy/</link><pubDate>Mon, 17 Jun 2024 00:00:00 +0000</pubDate><guid>/blog/2024/06/welcome-cel-policy/</guid><description>We are pleased to announce a new policy by the Kubewarden team: cel-policy.
This new policy uses the Common Expression Language (CEL). For those new to CEL, it is a general-purpose expression language designed to be fast, portable, and safe to execute. CEL as a language is memory-safe, side-effect free, terminating (as in &amp;ldquo;programs cannot loop forever&amp;rdquo;), and strong &amp;amp; dynamically typed.
CEL is a perfect candidate for extending the Kubernetes API, as CEL expressions can be easily inlined into CRD schemas, and compiled and type-checked &amp;ldquo;ahead-of-time&amp;rdquo; (when CRDs are created and updated).</description></item><item><title>Kubewarden 1.13 release</title><link>/blog/2024/06/kubewarden-1-13-release/</link><pubDate>Thu, 06 Jun 2024 00:00:00 +0000</pubDate><guid>/blog/2024/06/kubewarden-1-13-release/</guid><description>I&amp;rsquo;m pleased to announce a new release of Kubewarden, version 1.13. This release features a series of improvements and bug fixes that contribute to better performance and stability.
Let&amp;rsquo;s go through the most significant changes.
Policy Server memory usage
A community member reported that the Kubewarden Policy Server was using a lot of memory, especially when running context-aware policies on big clusters. The number of resources being accessed by the policies was significantly high, in the order of 3200 Namespaces, 10500 Ingresses, 200 ClusterRoleBindings and 11000 RoleBindings.</description></item><item><title>Kubewarden 1.12 release</title><link>/blog/2024/04/kubewarden-1-12-release/</link><pubDate>Wed, 24 Apr 2024 00:00:00 +0000</pubDate><guid>/blog/2024/04/kubewarden-1-12-release/</guid><description>Today we&amp;rsquo;re glad to announce the release of Kubewarden 1.12.
This release focuses on optimizations and high availability, both oriented to production.
Optimizing Gatekeeper policies
The previous 1.11 release featured lots of optimizations for context-aware policies.
The 1.12 release provides a further optimization for Gatekeeper policies that access Kubernetes resources. This optimization provides an extra 55% performance boost for these policies.
The benefits of this optimization are particularly noticeable when a huge number of Kubernetes resources are accessed by a Gatekeeper policy.</description></item><item><title>Introducing Kubewarden's Community Repository</title><link>/blog/2024/04/community-repository/</link><pubDate>Tue, 09 Apr 2024 00:00:00 +0000</pubDate><guid>/blog/2024/04/community-repository/</guid><description>The Kubewarden project has recently improved how it shares information and involves others by starting a new community repository. This move was made after a suggestion from the CNCF during their last yearly review. The aim is to bring together all the documentation in one place and make it easier for both new and current contributors to get involved.
This new repository is a place for finding out about the project&amp;rsquo;s rules, security measures, project components, and what&amp;rsquo;s happening in each Kubewarden GitHub organization repository.</description></item><item><title>Retrieving OCI Image Manifests</title><link>/blog/2024/03/oci-manifest-capability/</link><pubDate>Mon, 25 Mar 2024 00:00:00 +0000</pubDate><guid>/blog/2024/03/oci-manifest-capability/</guid><description>Kubewarden&amp;rsquo;s latest version 1.11.0 introduces a new feature enabling policies to retrieve OCI image manifests. This function, supported in both Rust and Go SDKs, enhances the policy enforcement capabilities within Kubernetes environments.
The update provides an additional layer of security inspection for containerized environments. Developers can now write policies using the updated SDKs to access OCI image manifests of container images. This access facilitates more detailed inspections and validations, aligning with security standards and organizational protocols.</description></item><item><title>Kubewarden 1.11 release</title><link>/blog/2024/03/kubewarden-1-11-release/</link><pubDate>Thu, 21 Mar 2024 00:00:00 +0000</pubDate><guid>/blog/2024/03/kubewarden-1-11-release/</guid><description>Today we&amp;rsquo;re glad to announce the release of Kubewarden 1.11.
This release focuses on performance improvements, especially when running on big Kubernetes clusters.
Audit Scanner
A lot of work has been done on the audit scanner. The auditing of resources is now done in parallel, which means less time is required on big clusters to scan all the available resources.
We&amp;rsquo;ve also changed how we handle Policy Reports. Kubewarden is still using the Policy Report format being defined inside the Kubernetes wg-policy group.</description></item><item><title>Kubewarden 1.10 release</title><link>/blog/2024/01/kubewarden-1-10-release/</link><pubDate>Fri, 26 Jan 2024 00:00:00 +0000</pubDate><guid>/blog/2024/01/kubewarden-1-10-release/</guid><description>We have the first release of 2024, Kubewarden 1.10.0! 🎉🥳
And this one contains a nice bag of goodies, let&amp;rsquo;s have a look!
Reduced memory usage and increased reliability of Policy servers
A nice graph is worth a thousand words!
Note the slightly lower memory consumption, and unchanging consumption when scaling horizontally.
This graph represents the memory consumption of one instance of policy-server, containing 13 policies:
4 instances of &amp;ldquo;verify-signatures&amp;rdquo;
5 of &amp;ldquo;pod-privileged&amp;rdquo;
2 of &amp;ldquo;go-wasi-template&amp;rdquo; (a 20MB policy, WASI being experimental)
1 Rego policy
1 ordinary Rust policy
The policy-server was configured with one worker to start, progressing to eight.</description></item><item><title>Kubewarden 2023 Wrapped</title><link>/blog/2023/12/kubewarden-2023-wrapped/</link><pubDate>Wed, 20 Dec 2023 00:00:00 +0000</pubDate><guid>/blog/2023/12/kubewarden-2023-wrapped/</guid><description>The end of the year is around the corner. Let&amp;rsquo;s look at what the Kubewarden project achieved in 2023!
Context-Aware graduation
The context-aware feature graduated to stable during this year. We did this by performing a massive overhaul of the initial iteration. Context-aware policies can access information about Kubernetes resources defined inside the cluster. At evaluation time, these policies can make decisions based on this information. One example is the unique ingress host policy.</description></item><item><title>Raw policies</title><link>/blog/2023/11/raw-policies/</link><pubDate>Tue, 14 Nov 2023 00:00:00 +0000</pubDate><guid>/blog/2023/11/raw-policies/</guid><description>Kubewarden 1.9.0 has introduced even more features requested by the community, and we are excited to share them with you!
In this blog post, we will introduce the new Raw policy type.
Kubewarden as a generic policy engine
Raw policies allow policy authors to write and execute policies that are not necessarily related to Kubernetes. This means that Kubewarden can be used as a general-purpose policy engine. For instance, you can use Kubewarden to validate any type of artifact: configurations, Terraform plans, test coverage, static analysis, or even deploy Kubewarden alongside your web application to validate domain-specific requests.</description></item><item><title>Kubewarden 1.9.0 release</title><link>/blog/2023/11/kubewarden-1.9-release/</link><pubDate>Fri, 03 Nov 2023 00:00:00 +0000</pubDate><guid>/blog/2023/11/kubewarden-1.9-release/</guid><description>Not even a month after the 1.8.0 release, today we are happy to announce Kubewarden 1.9.0! 🎉🥳
This release includes two major features that have been requested by our community.
Making Rego policies context-aware
Context-aware policies were introduced in Kubewarden 1.6.0. These policies can obtain information about other Kubernetes resources at evaluation time. This allows them to make decisions based on more than just the information provided by the AdmissionReview object they receive.</description></item><item><title>Introducing Kubewarden WASI policies</title><link>/blog/2023/10/wasi-policies/</link><pubDate>Tue, 24 Oct 2023 00:00:00 +0000</pubDate><guid>/blog/2023/10/wasi-policies/</guid><description>Kubewarden policies can be written using either a traditional programming language (like Go, Rust, C#, Swift, …) or a domain-specific language like Rego. It is required that the programming language can generate the necessary WebAssembly module for use by Kubewarden.
When using a traditional programming language, the communication between the host executing the policy and the WebAssembly guest (the actual policy) uses the waPC communication protocol. This protocol provides a bidirectional channel between the host and guest.</description></item><item><title>Kubewarden 1.8.0 release</title><link>/blog/2023/10/kubewarden-1.8-release/</link><pubDate>Wed, 11 Oct 2023 00:00:00 +0000</pubDate><guid>/blog/2023/10/kubewarden-1.8-release/</guid><description>Today we are happy to announce the release of Kubewarden 1.8.0! 🎉🥳
This is a small release, focused on OpenTelemetry.
The OpenTelemetry Protocol (OTLP) got its first 1.0.0 version in July 2023; several libraries got their first 1.0.0 release, such as the Go metric SDK or the .NET Automatic Instrumentation.
Still, the OpenTelemetry stack is not yet stable, and unannounced backwards-incompatible changes still happen. You can have a look at the status of each of their libraries and protocols here.</description></item><item><title>Welcoming the Audit Scanner</title><link>/blog/2023/10/audit-scanner-feature/</link><pubDate>Wed, 11 Oct 2023 00:00:00 +0000</pubDate><guid>/blog/2023/10/audit-scanner-feature/</guid><description>Fresh in the already released Kubewarden v1.7.0 stack, we welcome a new module: the Audit Scanner!
Audit Scanner?
Up until the release of Audit Scanner, Kubewarden was strictly a Dynamic Admission Controller, checking requests made against the Kubernetes API server with the deployed policies.
Yet policies evolve over time; new ones are deployed, and existing ones are updated. This can mean that resources that are inside the cluster are no longer compliant.</description></item><item><title>kwctl SHA support</title><link>/blog/2023/09/kwctl-sha/</link><pubDate>Thu, 28 Sep 2023 00:00:00 +0000</pubDate><guid>/blog/2023/09/kwctl-sha/</guid><description>Recently, we have focused on improving the Kubewarden developer experience. We have been implementing features requested by the community.
Reference policies by their SHA
Since kwctl release v1.7.0 we support referencing policies by their SHA.
Container engines such as Docker and Podman allow users to refer to images by their SHA sum.
As Kubewarden policies are distributed as OCI artifacts, we thought it would be a good idea to add SHA support to kwctl, so that users have a familiar experience.</description></item><item><title>Kubewarden 1.7.0 release</title><link>/blog/2023/09/kubewarden-1.7-release/</link><pubDate>Thu, 21 Sep 2023 00:00:00 +0000</pubDate><guid>/blog/2023/09/kubewarden-1.7-release/</guid><description>Today we are delighted to announce the release of Kubewarden 1.7.0! 🎊 🥳 Aside from the bug and stability fixes, this release is packed with new features. This post highlights the main changes; detailed blog entries will come in the next weeks covering each feature in depth.
Audit scanner
A new component has been added to the Kubewarden stack. Its name is audit-scanner and it allows administrators to assess the compliance level of the clusters secured by Kubewarden.</description></item><item><title>My Experience in the LFX Mentorship Program with the Linux Foundation</title><link>/blog/2023/05/khaled-mentorship-xp/</link><pubDate>Tue, 30 May 2023 00:00:00 +0000</pubDate><guid>/blog/2023/05/khaled-mentorship-xp/</guid><description>This text was originally written by Khaled Emara on his blog.
Hi, I&amp;rsquo;m Khaled Emara, a software developer with a background in Go and Rust programming. In this blog post, I&amp;rsquo;m excited to share my experience in the LFX mentorship program with the Linux Foundation and my work on the Kubewarden project enhancing the Go SDK to bring it to parity with the Rust SDK.
The Kubewarden project is a security policy engine for Kubernetes, a popular container orchestration platform.</description></item><item><title>Telemetry enhancements released!</title><link>/blog/2023/05/kubewarden-telemetry-fixes-release/</link><pubDate>Tue, 09 May 2023 00:00:00 +0000</pubDate><guid>/blog/2023/05/kubewarden-telemetry-fixes-release/</guid><description>We are excited to announce a variety of updates, fixes, and enhancements for Kubewarden components!
This release primarily focuses on improvements to Kubewarden telemetry and dependency updates.
Telemetry Enhancements and Fixes
The Kubewarden controller has received several fixes and improvements in the telemetry department. These include a streamlined process for users to deploy a policy server with telemetry enabled, as well as a bug fix related to the controller&amp;rsquo;s available metrics.</description></item><item><title>Kubewarden 1.6.0 is released!</title><link>/blog/2023/04/kubewarden-.1.6.0-release/</link><pubDate>Mon, 17 Apr 2023 00:00:00 +0000</pubDate><guid>/blog/2023/04/kubewarden-.1.6.0-release/</guid><description>We are pleased to announce the availability of the Kubewarden 1.6.0 stack.
This release brings stability, performance and security improvements. All packed with a new major feature. Let&amp;rsquo;s dig into the changes!
Security Improvements
The Kubewarden controller runs using a dedicated Service Account. Prior to this release, the Service Account had access to a series of Kubernetes resources across the entire cluster.
Starting from this release, the Kubewarden controller Service Account has more limited access to the cluster.</description></item><item><title>Kubewarden UI 1.0.0 is released!</title><link>/blog/2023/02/ui-1.0.0-release/</link><pubDate>Thu, 09 Feb 2023 00:00:00 +0000</pubDate><guid>/blog/2023/02/ui-1.0.0-release/</guid><description>We are excited to announce that the Kubewarden UI 1.0.0 has been released!
The UI is an Extension for Rancher Manager; with it you can enable Kubewarden policies for your Kubernetes clusters with a streamlined user experience. You can find the latest releases of the extension Helm chart here; the release provides a GitHub Pages deployment which can be used when adding the UI as a Helm repository.</description></item><item><title>Kubewarden 1.5.0 release</title><link>/blog/2023/01/release-1_5_0/</link><pubDate>Fri, 20 Jan 2023 00:00:00 +0000</pubDate><guid>/blog/2023/01/release-1_5_0/</guid><description>Today we&amp;rsquo;re pleased to announce the availability of Kubewarden 1.5.0!
This release brings the usual amount of small bug fixes, dependency updates, and a major security enhancement. Let&amp;rsquo;s take a closer look!
Policy evaluation timeout
The Kubewarden team is constantly working to improve the security posture of the project. As part of these efforts, we&amp;rsquo;re excited to introduce the new &amp;ldquo;policy evaluation timeout&amp;rdquo; feature.
Starting from this release, Policy Server will interrupt the evaluation of admission requests after a certain amount of time has elapsed.</description></item><item><title>Kubewarden 2022 Wrapped</title><link>/blog/2022/12/kubewarden-2022-wrapped/</link><pubDate>Thu, 29 Dec 2022 00:00:00 +0000</pubDate><guid>/blog/2022/12/kubewarden-2022-wrapped/</guid><description>With 2022 almost over, it&amp;rsquo;s time to look back at what happened within the Kubewarden project during the last year.
The 1.0 release
A significant milestone for the project in 2022 was the release of Kubewarden v1.0.0 during the month of June.
With this release, the Kubewarden team committed to the stability of all the public interfaces of the project and all its Kubernetes Custom Resource Definitions.
Moreover, the project was considered ready to be used in production environments.</description></item><item><title>Community meeting is coming!</title><link>/blog/2022/12/community-meeting/</link><pubDate>Tue, 20 Dec 2022 00:00:00 +0000</pubDate><guid>/blog/2022/12/community-meeting/</guid><description>Community meetings have been a recurring demand from different sides and with the new year approaching, it&amp;rsquo;s time to make our first good resolution.
To improve community feedback, the Kubewarden project has decided to organize a monthly community meeting. The first community meeting to be held is scheduled for January 12th, 2023 at 4 PM UTC.
In addition to GitHub Discussions, GitHub issues, and the #kubewarden channel on the Kubernetes Slack, the community meeting is an additional avenue for the community to discuss Kubewarden and shape its future together.</description></item><item><title>Kubewarden 1.4.0 release</title><link>/blog/2022/12/release-1_4_0/</link><pubDate>Mon, 05 Dec 2022 00:00:00 +0000</pubDate><guid>/blog/2022/12/release-1_4_0/</guid><description>Today we&amp;rsquo;re pleased to announce the availability of Kubewarden 1.4.0.
This version brings some minor fixes to our controller and helm charts and two new interesting features.
Sigstore certificate verification
Kubewarden&amp;rsquo;s integration with Sigstore keeps growing. Starting from this release it&amp;rsquo;s possible to verify signatures that have been produced with certificates.
This can be useful to organizations that are using hardware tokens and KMS solutions to sign their container images via Sigstore.</description></item><item><title>Support for sigstore certificate signing</title><link>/blog/2022/12/sigstore-certificate-verification/</link><pubDate>Mon, 05 Dec 2022 00:00:00 +0000</pubDate><guid>/blog/2022/12/sigstore-certificate-verification/</guid><description>Secure supply chain is one of the hottest topics right now. Many organizations are implementing strategies to verify the provenance of their software starting from the development phase up to the deployment in production.
Sigstore is an open source project that makes it incredibly easy to sign and verify assets. Lots of open source projects and organizations are using it to sign and verify their container images, system packages and any kind of binary artifact.</description></item><item><title>Installing and Running Kubewarden In Air-Gapped Environments</title><link>/blog/2022/11/airgap/</link><pubDate>Tue, 29 Nov 2022 00:00:00 +0000</pubDate><guid>/blog/2022/11/airgap/</guid><description>We are glad to announce that deploying Kubewarden in air-gapped environments has been simplified and documented! For that, you will need a private OCI registry accessible by your Kubernetes cluster. Kubewarden policies are WebAssembly modules; therefore they can be stored inside an OCI-compliant registry as OCI artifacts. For an air-gapped installation you need to download all the Kubewarden container images and policies to your workstation, then move them to your private OCI registry.</description></item><item><title>Keeping track of Kubernetes deprecated resources</title><link>/blog/2022/11/deprecation-policy/</link><pubDate>Wed, 09 Nov 2022 00:00:00 +0000</pubDate><guid>/blog/2022/11/deprecation-policy/</guid><description>It&amp;rsquo;s a fact of life: as the Kubernetes API evolves, it&amp;rsquo;s periodically reorganized or upgraded. This means some Kubernetes resources can be deprecated and later removed.
We deserve to easily keep track of those deprecations and removals. For that, we have just released the deprecated-api-versions policy.
A look at the deprecated-api-versions policy
This policy detects the usage of Kubernetes resources that have been deprecated or removed from the Kubernetes API.
The policy has two settings:</description></item><item><title>Securing the usage of volumeMounts</title><link>/blog/2022/11/volumemounts-policy/</link><pubDate>Thu, 03 Nov 2022 00:00:00 +0000</pubDate><guid>/blog/2022/11/volumemounts-policy/</guid><description>We present to you the new volumeMounts Policy: It inspects containers, init containers, and ephemeral containers, and restricts their usage of volumes by checking the volume name being used in the containers&amp;rsquo; volumeMounts[*].name.
You can find it published in Artifact Hub. As usual, its artifact is signed with Sigstore in keyless mode, and if you are curious, you can peek into the policy&amp;rsquo;s implementation in Rust here.
This new policy joins the already existing volumes-psp policy, which provides an allowlist of volume types, and hostpaths-psp policy, with an allowlist of hostPath volumes.</description></item><item><title>Enforcing compliance of container's environment variables</title><link>/blog/2022/10/envvar-policy/</link><pubDate>Mon, 31 Oct 2022 00:00:00 +0000</pubDate><guid>/blog/2022/10/envvar-policy/</guid><description>We&amp;rsquo;re glad to present the new environment-variable-policy to Kubewarden users. With this policy, you will now be able to inspect init containers and ephemeral containers. You can also restrict their usage by reviewing the names and values defined under the containers&amp;rsquo; env[*] field.
As always, the policy can be found in ArtifactHub and all the artifacts, including the BOM files, are signed with Sigstore.
What is so useful about the new environment-variable policy?</description></item><item><title>Kubewarden 1.3 is out!</title><link>/blog/2022/10/kubewarden_1_3_release/</link><pubDate>Thu, 27 Oct 2022 00:00:00 +0000</pubDate><guid>/blog/2022/10/kubewarden_1_3_release/</guid><description>The Kubewarden development team is happy to announce the release of the Kubewarden 1.3 stack.
In addition to the usual amount of small fixes, this release focused on the following themes.
Improve end users&amp;rsquo; confidence
We want our users to feel confident about using Kubewarden, knowing that good development and security practices are being followed by the Kubewarden project. We think this is particularly relevant to Kubewarden, given our users trust us to keep their Kubernetes clusters secure and compliant.</description></item><item><title>Scanning secrets in environment variables</title><link>/blog/2022/10/env-var-secrets/</link><pubDate>Mon, 24 Oct 2022 00:00:00 +0000</pubDate><guid>/blog/2022/10/env-var-secrets/</guid><description>We are thrilled to announce you can now scan your environment variables for secrets with the new env-variable-secrets-scanner-policy! This policy rejects a Pod or workload resources such as Deployments, ReplicaSets, DaemonSets, ReplicationControllers, Jobs, CronJobs, etc. if a secret is found in an environment variable within a container, init container, or ephemeral container. Secrets that are leaked in plain text or in base64-encoded variables are detected.
This policy uses rusty hog, an open source secret scanner from New Relic.</description></item><item><title>v1.1.1 is out 🎉</title><link>/blog/2022/07/v1.1.1-release/</link><pubDate>Wed, 27 Jul 2022 00:00:00 +0000</pubDate><guid>/blog/2022/07/v1.1.1-release/</guid><description>We are happy to announce the first minor release of v1.0: v1.1.1 is now available!
Apart from being a nice looking number, v1.1.1 includes:
Improved the policies API for Sigstore verification by adding new backwards-compatible WaPC host callback v2/verify functions to the API. Check them out here to add support for your language of choice.
This has been used in the verify-image-signatures policy to simplify verification of GitHub Actions signatures and others.</description></item><item><title>Kubewarden policies, now on Artifact Hub!</title><link>/blog/2022/07/artifact-hub-supports-kubewarden/</link><pubDate>Fri, 22 Jul 2022 00:00:00 +0000</pubDate><guid>/blog/2022/07/artifact-hub-supports-kubewarden/</guid><description>Today we&amp;rsquo;re happy to announce that Artifact Hub now supports Kubewarden policies! 🤯 🥳
Artifact Hub is the de-facto place where Cloud Native users search for helm charts, container images, and other kinds of artifacts and configurations of different CNCF projects. That&amp;rsquo;s why we are super excited and honored to have Kubewarden policies listed on Artifact Hub.
This would not have been possible without the work done by the Artifact Hub team.</description></item><item><title>Verify image signatures with GitHub Actions and KeylessPrefix</title><link>/blog/2022/07/verify-signatures-with-gha-and-prefix/</link><pubDate>Thu, 21 Jul 2022 00:00:00 +0000</pubDate><guid>/blog/2022/07/verify-signatures-with-gha-and-prefix/</guid><description>With the latest releases of Kubewarden v1.1.0 and the verify-image-signatures policy, it&amp;rsquo;s now possible to use GithubActions or KeylessPrefix for verifying images. Read our previous blog post if you want to learn more about how to verify container images with Sigstore using Kubewarden.
Let&amp;rsquo;s see it in action! We want to verify the image ghcr.io/raulcabello/app-example which was built and signed inside a GitHub action using this GitHub Action.
Out of the box, GitHub Actions have a specially crafted environment that makes Sigstore keyless signing work in a non-interactive way.</description></item><item><title>Migrate your PSPs to Kubewarden policies!</title><link>/blog/2022/07/psp-migration-script/</link><pubDate>Wed, 13 Jul 2022 00:00:00 +0000</pubDate><guid>/blog/2022/07/psp-migration-script/</guid><description>Warning: the code snippets shown inside of this blog post have become outdated. For up-to-date information checkout this section of the Kubewarden documentation.
As announced in past blog posts, Kubewarden has 100% coverage of the deprecated, and soon to be removed, Kubernetes PSPs. If everything goes as expected the PSPs will be removed in Kubernetes v1.25 due for release on 23rd August 2022.
The Kubewarden team has written a script that leverages the migration tool written by AppVia, to migrate PSP automatically.</description></item><item><title>Kubewarden reaches 1.0.0 release 🎉</title><link>/blog/2022/06/v1-release/</link><pubDate>Wed, 22 Jun 2022 00:00:00 +0000</pubDate><guid>/blog/2022/06/v1-release/</guid><description>Kubewarden is a policy engine for Kubernetes that is part of CNCF Sandbox.
Never heard of Kubewarden before? Do you want to know what makes Kubewarden stand out among similar solutions? This is a high level overview of Kubewarden&amp;rsquo;s unique points:
Boost Policy Authors&amp;rsquo; productivity: write policies using your favorite programming language. Leverage your knowledge, skills and tools.
Policies are portable WebAssembly modules
Reuse your existing Open Policy Agent / Gatekeeper policies
Distribute policies using regular container registries
Secure supply chain: leverage Sigstore to sign and verify policies
Today, a year and a half since its conception, we&amp;rsquo;re thrilled to announce the release of Kubewarden v1.</description></item><item><title>CNCF Sandbox admission 🎊</title><link>/blog/2022/06/cncf-sandbox-inclusion/</link><pubDate>Wed, 15 Jun 2022 00:00:00 +0000</pubDate><guid>/blog/2022/06/cncf-sandbox-inclusion/</guid><description>Today the whole Kubewarden team is overjoyed because the Kubewarden project has just been accepted into the CNCF Sandbox!!! 🥳
This is a great achievement for the whole team and is the beginning of our journey into CNCF. Also, many thanks to the CNCF TOC for the feedback they provided during the project evaluation.
What&amp;rsquo;s next?
The admission happens at an interesting time since we are currently testing the 1.0.0-rc1 release of Kubewarden.</description></item><item><title>Secure Supply Chain: Verifying image signatures</title><link>/blog/2022/05/verifying-image-signatures/</link><pubDate>Fri, 20 May 2022 00:00:00 +0000</pubDate><guid>/blog/2022/05/verifying-image-signatures/</guid><description>With these latest releases, Kubewarden now supports verifying the integrity and authenticity of artifacts within Kubewarden using the Sigstore project. In this post, we shall focus on verifying container image signatures using the new verify-image-signatures policy.
To learn more about how Sigstore works, take a look at our previous post.
Verify Image Signatures Policy
This policy validates Pods by checking their container images for signatures (that is, the images of containers, init containers and ephemeral containers in the pod).</description></item><item><title>Have you migrated your Kubernetes PodSecurityPolicy?</title><link>/blog/2022/05/psp-migration-docs/</link><pubDate>Thu, 12 May 2022 00:00:00 +0000</pubDate><guid>/blog/2022/05/psp-migration-docs/</guid><description>If you use a version of Kubernetes (&amp;lt; v1.24) that supports the deprecated PodSecurityPolicy (a.k.a. PSP), you may be wondering what to do after the Kubernetes v1.25 version, when the PSP will be removed. With this in mind, the Kubewarden team wrote documentation to help users migrate away from PSPs to Kubewarden policies.
As you know, the original Pod Security Policies had many configuration knobs. The Kubewarden team created a series of policies that offer a 100% feature parity with all the soon to be dropped Pod Security Policies.</description></item><item><title>Introducing the Monitor mode</title><link>/blog/2022/05/monitor-mode/</link><pubDate>Fri, 06 May 2022 00:00:00 +0000</pubDate><guid>/blog/2022/05/monitor-mode/</guid><description>Policies are a core component of a Kubernetes cluster story that involves security, compliance and consistency.
Since this process is an iterative one, it&amp;rsquo;s common for new policies to reject operations that we might be issuing today in our production clusters.
As an example, we might have decided that it&amp;rsquo;s not possible to change certain annotations on existing resources after the fact. In this case, we don&amp;rsquo;t want to revoke UPDATE rights completely, but just to define an inalterable set of annotations after the resource has been created.</description></item><item><title>Secure Supply Chain with Kubewarden: securing Kubewarden policies</title><link>/blog/2022/04/securing-kubewarden-policies/</link><pubDate>Mon, 02 May 2022 00:00:00 +0000</pubDate><guid>/blog/2022/04/securing-kubewarden-policies/</guid><description>With recent releases, the Kubewarden stack supports verifying the integrity and authenticity of content using the Sigstore project.
In this post, we focus on Kubewarden Policies and how to create a Secure Supply Chain for them.
Sigstore? Since a full Sigstore dive is not within the scope for this post, we recommend checking out their nice docs.
In short, Sigstore provides an automatable workflow to match the distributed Open Source development model.</description></item><item><title>CRI-O CVE-2022-0811 Mitigation</title><link>/blog/2022/03/cri-o-cve-mitigation/</link><pubDate>Tue, 29 Mar 2022 00:00:00 +0000</pubDate><guid>/blog/2022/03/cri-o-cve-mitigation/</guid><description>Recently a severe CVE in the CRI-O container engine come to public. The flaw in CRI-O allows bad actors to gain root access and run arbitrary code in the host machine.
A fix for the issue is already available and you should update your cluster to avoid any headache in the future. But if you cannot do that right away, use Kubewarden to mitigate the impact of this issue. It&amp;rsquo;s possible to prevent pods with sysctl configuration from running in the cluster with the sysctl-psp policy available in the Policy Hub.</description></item><item><title>Introducing the AdmissionPolicy</title><link>/blog/2022/03/admission-policy/</link><pubDate>Wed, 16 Mar 2022 00:00:00 +0000</pubDate><guid>/blog/2022/03/admission-policy/</guid><description>Until now, the only way to define a policy in Kubewarden was to use the ClusterAdmissionPolicy resource, which is applied to cluster-wide resources across all namespaces.
That&amp;rsquo;s why we&amp;rsquo;re thrilled to announce the new AdmissionPolicy resource. This new resource is created inside a namespace, and its policies only process the requests targeting the namespace where the AdmissionPolicy is defined. Apart from being a &amp;ldquo;namespaced&amp;rdquo; resource, AdmissionPolicy works exactly the same as the ClusterAdmissionPolicy.</description></item><item><title>Multiplatform Kubewarden</title><link>/blog/2022/02/multiplatform-kubewarden/</link><pubDate>Fri, 04 Feb 2022 00:00:00 +0000</pubDate><guid>/blog/2022/02/multiplatform-kubewarden/</guid><description>The Kubewarden team is glad to announce that, in the spirit of helping Policy Authors and Cluster Administrators, the project is now officially multiplatform.
The list of supported platforms as of now is:
Policy Server, as a container image:
linux/amd64 (with the musl libc)
linux/arm64 (with the musl libc)
kwctl, as a standalone binary:
darwin (x86_64)
linux (aarch64, with the musl libc)
linux (x86_64, with the musl libc)
windows (x86_64, with MSVC)
We have prioritized the usage of the same dependencies and toolchain on platforms where we were able to do so.</description></item><item><title>Kubewarden policies cover all the Kubernetes Pod Security Policies</title><link>/blog/2022/01/mutating-policy-behave-as-validating/</link><pubDate>Mon, 31 Jan 2022 00:00:00 +0000</pubDate><guid>/blog/2022/01/mutating-policy-behave-as-validating/</guid><description>The Kubewarden team worked tirelessly to create equivalent Kubewarden policies for all the deprecated Pod Security Policies (PSP). In order to reach this very important milestone, the team wrote the policies with the same validations available in the Kubernetes PSPs, and we counted on the community&amp;rsquo;s help to map and validate the policies.
This will allow our users to replace deprecated PSPs while continuing to enforce their security rules.
The Kubewarden policies which replace all the Kubernetes PSPs are available in the Policy Hub, and you can find them by typing the keyword &amp;ldquo;PSP&amp;rdquo;.</description></item><item><title>Policy Server on aarch64</title><link>/blog/2022/01/policy-server-on-aarch64/</link><pubDate>Fri, 21 Jan 2022 00:00:00 +0000</pubDate><guid>/blog/2022/01/policy-server-on-aarch64/</guid><description>We recently got notified that the policy-server was crashing in an aarch64 environment. The moment it got a request from the API server, it crashed immediately with a SIGSEGV signal.
We figured out that this was only happening when the request was a TLS one, and that the problem was related to the OpenSSL stack and the way we were producing the final image of the policy-server with the OpenSSL stack.</description></item><item><title>First year of Kubewarden</title><link>/blog/2021/12/first-year-of-kubewarden/</link><pubDate>Wed, 22 Dec 2021 00:00:00 +0000</pubDate><guid>/blog/2021/12/first-year-of-kubewarden/</guid><description>The year 2021 is almost over. Let&amp;rsquo;s take that as a chance to look back at what has been achieved during the 1st year of life of the Kubewarden project.
Finally, I&amp;rsquo;ll also talk about what we plan to do during the next one.
2021 Highlights Project Announcement The Kubewarden project was introduced to the masses for the 1st time during KubeCon Europe 2021. During this presentation, Rafael and I explained what led us to rethink how Kubernetes policies could be written and distributed.</description></item><item><title>Deep Dive into policy logging</title><link>/blog/2021/11/deep-dive-into-policy-logging/</link><pubDate>Mon, 15 Nov 2021 00:00:00 +0000</pubDate><guid>/blog/2021/11/deep-dive-into-policy-logging/</guid><description>Policies are regular programs. As such, they often need to log information. In general, we are used to making our programs log to standard output (stdout) and standard error (stderr).
However, policies run in a confined WebAssembly environment. For this mechanism to work as usual Kubewarden would need to set up the runtime environment in a way that the policy can write to stdout and stderr file descriptors, and upon completion, Kubewarden can check them &amp;ndash; or stream log messages as they pop up.</description></item><item><title>A new architecture to ease Kubewarden administrators' lives</title><link>/blog/2021/10/new-architecture/new-architecture-to-ease-kubewarden-administrators-lives/</link><pubDate>Fri, 01 Oct 2021 00:00:00 +0000</pubDate><guid>/blog/2021/10/new-architecture/new-architecture-to-ease-kubewarden-administrators-lives/</guid><description>We are pleased to announce a new architecture for the Kubewarden stack, in line with its journey to maturity:
The introduction of a PolicyServer Custom Resource Definition (CRD) which allows users to describe a policy-server Deployment, together with binding ClusterAdmissionPolicies to a specific PolicyServer instance.
These 2 changes are accompanied by a multitude of improvements to make Kubewarden more comfortable for Kubernetes Administrators, such as validation for Kubewarden Custom Resources, improvements in Helm Charts, and Status and Conditions for ClusterAdmissionPolicies.</description></item><item><title>Towards a universal policy platform</title><link>/blog/2021/09/towards-a-universal-policy-platform/</link><pubDate>Tue, 21 Sep 2021 00:00:00 +0000</pubDate><guid>/blog/2021/09/towards-a-universal-policy-platform/</guid><description>Kubewarden is a policy framework for Kubernetes. It can be used to secure your clusters and to ensure they stay compliant with the rules your organization establishes over time.
By leveraging the power of WebAssembly, Kubewarden allows policy authors to write policies using traditional programming languages such as Rust, Go, AssemblyScript and Swift.
Kubewarden policies, once compiled into WebAssembly modules, are then distributed using regular OCI registries. This allows Operators to have a consistent way to securely distribute both container images and policies.</description></item><item><title>WebAssembly is coming to Cloud Native</title><link>/blog/2021/07/webassembly-is-coming-to-cloud-native/</link><pubDate>Fri, 16 Jul 2021 00:00:00 +0000</pubDate><guid>/blog/2021/07/webassembly-is-coming-to-cloud-native/</guid><description>Is the title of this post a pun inspired by Christmas or by Game of Thrones? I can&amp;rsquo;t decide&amp;hellip;
Are my dad jokes as bad as my daughters claim? Probably&amp;hellip;
Is WebAssembly spreading inside of the Cloud Native ecosystem? 💯 I have no doubts about that!
First of all, why am I so excited about seeing WebAssembly flourish inside of the Cloud Native ecosystem? Well, it&amp;rsquo;s no secret that I&amp;rsquo;m a huge fan of it.</description></item><item><title>Let's learn Kubewarden - Streaming Event</title><link>/blog/2021/07/learn-kubewarden-streaming-event/</link><pubDate>Tue, 13 Jul 2021 00:00:00 +0000</pubDate><guid>/blog/2021/07/learn-kubewarden-streaming-event/</guid><description>In case you missed it, CNCF Ambassador Saiyam Pathak recently hosted a live streaming event on his YouTube channel about Kubewarden. Flavio had the pleasure of joining Saiyam and giving an overview of the project.
We spoke about Kubernetes Admission Controllers, why we started the Kubewarden project and how it differentiates from other existing open source projects such as Open Policy Agent and Kyverno.
The talk also features a brief overview of WebAssembly: what it is and the benefits it provides to Kubewarden.</description></item><item><title>Introducing the PSP host namespaces policy</title><link>/blog/2021/06/introducing-the-psp-host-namespaces-policy/</link><pubDate>Fri, 11 Jun 2021 00:00:00 +0000</pubDate><guid>/blog/2021/06/introducing-the-psp-host-namespaces-policy/</guid><description>As you probably know, Kubernetes Pod Security Policies (PSPs) are being deprecated in Kubernetes 1.21 &amp;ndash; although these APIs will be served until Kubernetes 1.25, it&amp;rsquo;s a good time to start thinking about what you will use to replace them.
At Kubewarden we have an ongoing effort to replace the Pod Security Policies with small, targeted Kubewarden policies.
Up until now, we have implemented some policies that replace some Pod Security Policies:</description></item><item><title>Introducing kwctl to Kubernetes Administrators</title><link>/blog/2021/06/kwctl-intro-for-kubernetes-administrators/</link><pubDate>Wed, 09 Jun 2021 00:00:00 +0000</pubDate><guid>/blog/2021/06/kwctl-intro-for-kubernetes-administrators/</guid><description>We are pleased to announce the availability of a new tool within the Kubewarden project: kwctl.
kwctl is a command line utility designed to help both policy authors and Kubernetes administrators.
This blog post focuses on the user experience of Kubernetes administrators. Future ones will cover the policy developer side of the story.
A Real-World Example: Controlling Container Capabilities The main character of today&amp;rsquo;s story is Alice. Alice is a Kubernetes administrator who wants to keep her Kubernetes cluster secure.</description></item><item><title>Writing your first policy with Kubewarden</title><link>/blog/2021/06/writing-your-first-policy-with-kubewarden/</link><pubDate>Wed, 02 Jun 2021 00:00:00 +0000</pubDate><guid>/blog/2021/06/writing-your-first-policy-with-kubewarden/</guid><description>Kubewarden is a project focused on security and compliance. Its main goal is to allow you to write, test, distribute and run policies using the tooling that you already know and master, with a focus on controlling Kubernetes inner behaviors.
Policies are written in one of the supported languages, and the target object is a WebAssembly binary artifact. This is how Kubewarden can ensure that no matter where you built the policy, it can run on all platforms without any kind of adaptation.</description></item></channel></rss>