We recently got notified that the policy-server was crashing in an aarch64 environment. The moment it received a request from the API server, it crashed immediately with a SIGSEGV signal.
We figured out that this was only happening when the request was a TLS one, and that the problem was related to the OpenSSL stack and to the way we were building the final policy-server image against it.
Read more...
Year 2021 is almost over. Let’s take that as a chance to look back at what has been achieved during the 1st year of life of the Kubewarden project.
Finally, I’ll also talk about what we plan to do during the next one.
2021 Highlights
Project Announcement
The Kubewarden project has been introduced to the masses for the 1st time during KubeCon Europe 2021. During this presentation, Rafael and I explained what led us to rethink how Kubernetes policies could be written and distributed.
Read more...
Policies are regular programs. As such, they often need to log information. In general, we are used to making our programs log to the standard output (stdout) and standard error (stderr) streams.
However, policies run in a confined WebAssembly environment. For this mechanism to work as usual, Kubewarden would need to set up the runtime environment so that the policy can write to the stdout and stderr file descriptors, and then, upon completion, Kubewarden could check them – or stream log messages as they pop up.
Read more...
We are pleased to announce a new architecture for the Kubewarden stack, in line with its journey to maturity:
The introduction of a PolicyServer Custom Resource Definition (CRD) which allows users to describe a policy-server Deployment, together with binding ClusterAdmissionPolicies to a specific PolicyServer instance.
These 2 changes are accompanied by a multitude of improvements that make Kubewarden more comfortable for Kubernetes administrators, such as validation for Kubewarden Custom Resources, improvements in the Helm Charts, and Status and Conditions for ClusterAdmissionPolicies.
Read more...
Kubewarden is a policy framework for Kubernetes. It can be used to secure your clusters and to ensure they stay compliant with the rules your organization establishes over time.
By leveraging the power of WebAssembly, Kubewarden allows policy authors to write policies using traditional programming languages such as Rust, Go, AssemblyScript and Swift.
Kubewarden policies, once compiled into WebAssembly modules, are then distributed using regular OCI registries. This allows Operators to have a consistent way to securely distribute both container images and policies.
Read more...
Is the title of this post a pun inspired by Christmas or by Game of Thrones? I can’t decide…
Are my dad jokes as bad as my daughters claim? Probably…
Is WebAssembly spreading inside of the Cloud Native ecosystem? 💯 I have no doubts about that!
First of all, why am I so excited about seeing WebAssembly flourish inside of the Cloud Native ecosystem? Well, it’s no secret that I’m a huge fan of it.
Read more...
In case you missed it, CNCF Ambassador Saiyam Pathak recently hosted a live streaming event on his YouTube channel about Kubewarden. Flavio had the pleasure to join Saiyam and give an overview of the project.
We spoke about Kubernetes Admission Controllers, why we started the Kubewarden project and how it differs from other existing open source projects such as Open Policy Agent and Kyverno.
The talk also features a brief overview of WebAssembly: what it is and what benefits it provides to Kubewarden.
Read more...
As you probably know, Kubernetes Pod Security Policies (PSPs) are deprecated as of Kubernetes 1.21 – although these APIs will still be served until Kubernetes 1.25, it’s a good time to start thinking about what you will use to replace them.
At Kubewarden we have an ongoing effort to replace the Pod Security Policies with small, targeted Kubewarden policies.
Up until now, we have implemented some policies that replace some Pod Security Policies:
Read more...
We are pleased to announce the availability of a new tool within the Kubewarden project: kwctl.
kwctl is a command line utility designed to help both policy authors and Kubernetes administrators.
This blog post focuses on the user experience of Kubernetes administrators. Future ones will cover the policy developer side of the story.
A Real-World Example: Controlling Container Capabilities
The main character of today’s story is Alice. Alice is a Kubernetes administrator who wants to keep her Kubernetes cluster secure.
Read more...
Kubewarden is a project focused on security and compliance. Its main goal is to allow you to write, test, distribute and run policies using the tooling that you already know and master, with a focus on controlling the inner behaviors of Kubernetes.
Policies are written in one of the supported languages, and the compilation target is a WebAssembly binary artifact. This is how Kubewarden can ensure that, no matter where you built the policy, it can run on all platforms without any kind of adaptation.
Read more...