Kubewarden

Verify image signatures with GitHub Actions and KeylessPrefix

With the latest releases of Kubewarden v1.1.0 and the verify-image-signatures policy, it’s now possible to use GithubActions or KeylessPrefix for verifying images. Read our previous blog post if you want to learn more about how to verify container images with Sigstore using Kubewarden. Let’s see it in action! We want to verify the image ghcr.io/raulcabello/app-example which was built and signed inside a GitHub action using this GitHub Action. Out of the box, GitHub Actions have a specially crafted environment that makes Sigstore keyless signing work in a non-interactive way. Read more...

Migrate your PSPs to Kubewarden policies!

As announced in past blog posts, Kubewarden has 100% coverage of the deprecated, and soon to be removed, Kubernetes PSPs. If everything goes as expected the PSPs will be removed in Kubernetes v1.25 due for release on 23rd August 2022. The Kubewarden team has written a script that leverages the migration tool written by AppVia, to migrate PSP automatically. The tool is capable of reading PSPs YAML and can generate the equivalent policies in many different policy engines. Read more...

Kubewarden reaches 1.0.0 release 🎉

Kubewarden is a policy engine for Kubernetes that is part of CNCF Sandbox. Never heard of Kubewarden before? Do you want to know what makes Kubewarden stand out among similar solutions? This is a high level overview of Kubewarden’s unique points: Boost Policy Authors' productivity: write policies using your favorite programming language. Leverage your knowledge, skills and tools. Policies are portable WebAssembly modules Reuse your existing Open Policy Agent / Gatekeeper policies Distribute policies using regular container registries Secure supply chain, leverage Sigstore to sign and verify policies Today, a year and a half since its conception, we’re thrilled to announce the release of Kubewarden v1. Read more...

CNCF Sandbox admission 🎊

Today the whole Kubewarden team is overjoyed because the Kubewarden project has just been accepted into the CNCF Sandbox!!! 🥳 This is a great achievement for the whole team and is the beginning of our journey into CNCF. Also, many thanks to the CNCF TOC for the feedback they provided during the project evaluation. What’s next? The admission happens at an interesting time since we are currently testing the 1.0.0-rc1 release of Kubewarden. Read more...

Secure Supply Chain: Verifying image signatures

After these last releases Kubewarden now has support for verifying the integrity and authenticity of artifacts within Kubewarden using the Sigstore project. In this post, we shall focus on verifying container image signatures using the new verify-image-signatures policy. To learn more about how Sigstore works, take a look at our previous post Verify Image Signatures Policy This policy validates Pods by checking their container images for signatures (that is, containers, init containers and ephemeral containers in the pod) Read more...

Have you migrated your Kubernetes PodSecurityPolicy?

If you use a version of Kubernetes (< v1.24) that supports the deprecated PodSecurityPolicy (a.k.a PSP), you would be wondering what to do after the Kubernetes v1.25 version when the PSP will be removed. With this in mind, the Kuberwarden team wrote a documentation to help users migrate away from PSPs to Kuberwarden policies. As you know, the original Pod Security Policies had many configuration knobs. The Kubewarden team created a series of policies that offer a 100% feature parity with all the soon to be dropped Pod Security Policies. Read more...

Introducing the Monitor mode

Policies are a core component of a Kubernetes cluster story that involves security, compliance and consistency. Being this process an iterative one, it’s common for new policies to potentially reject operations that we might be issuing today in our production clusters. As an example, we might have decided that it’s not possible to change certain annotations on existing resources after the fact. In this case, we don’t want to revoke UPDATE rights completely, but just to define an inalterable set of annotations after the resource has been created. Read more...

Secure Supply Chain with Kubewarden: securing Kubewarden policies

With recent releases, the Kubewarden stack supports verifying the integrity and authenticity of content using the Sigstore project. In this post, we focus on Kubewarden Policies and how to create a Secure Supply Chain for them. Sigstore? Since a full Sigstore dive is not within the scope for this post, we recommend checking out their nice docs. In short, Sigstore provides an automatable workflow to match the distributed Open Source development model. Read more...

CRI-O CVE-2022-0811 Mitigation

Recently a severe CVE in the CRI-O container engine come to public. The flaw in CRI-O allows bad actors to gain root access and run arbitrary code in the host machine. A fix for the issue is already available and you should update your cluster to avoid any headache in the future. But if you cannot do that right away, use Kubewarden to mitigate the impact of this issue. It’s possible to prevent pods with sysctl configuration to run in the cluster with the policy sysctl-psp available in the Policy Hub. Read more...

Introducing the AdmissionPolicy

Up till now, the only way to define a policy in Kubewarden was to use the ClusterAdmissionPolicy resource that would be applied to cluster-wide resources across all namespaces. That’s why we’re thrilled to announce the new AdmissionPolicy resource. This new resource is created inside a namespace and the policies will only process the requests that are targeting the namespace where the AdmissionPolicy is defined. Except from being a “namespaced” resource, AdmissionPolicy works exactly the same as the ClusterAdmissionPolicy. Read more...

More