Kubewarden

Beyond Prefix Matching

A recent Aqua Security blog post highlighted the risks of misconfigured Kubernetes policy engines, particularly when dealing with OPA Gatekeeper. The post correctly points out the challenges of managing complex policies and the potential for bypasses due to misconfigurations. However, it also underscores a critical limitation of many policy engines: their reliance on string manipulation, especially when dealing with OCI image references. This is where Kubewarden takes a different, and significantly more robust, approach. Read more...
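As an added illustration of the string-matching point above (example code written for this page, not Kubewarden's or Gatekeeper's implementation; the image references in it are constructed), the following Go program parses an OCI reference into registry, repository, tag and digest the way a container runtime resolves it, then compares a raw prefix test with a component-wise check. With a plain prefix such as ghcr.io/myorg, a reference under ghcr.io/myorg-fork is accepted and the short form nginx:1.25 is rejected even though it resolves to docker.io/library/nginx:1.25; the parsed check gets both cases right.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef is an OCI image reference split into the parts a policy should compare.
type ImageRef struct {
	Registry   string // host[:port], e.g. "ghcr.io" or "docker.io"
	Repository string // path, e.g. "library/nginx"
	Tag        string // "" when the reference carries no tag
	Digest     string // "" when the reference carries no digest
}

// ParseImageRef normalizes a reference the way a container runtime resolves it:
// no registry means docker.io, "index.docker.io" folds into docker.io, a bare
// name on docker.io lives under "library/", and no tag or digest means "latest".
func ParseImageRef(ref string) (ImageRef, error) {
	var r ImageRef
	rest := ref
	if i := strings.Index(rest, "@"); i >= 0 {
		r.Digest, rest = rest[i+1:], rest[:i]
		if !strings.HasPrefix(r.Digest, "sha256:") || len(r.Digest) != len("sha256:")+64 {
			return ImageRef{}, fmt.Errorf("malformed digest in %q", ref)
		}
	}
	// The first path component is a registry only if it looks like a host.
	first, path, hasSlash := strings.Cut(rest, "/")
	if hasSlash && (strings.ContainsAny(first, ".:") || first == "localhost") {
		r.Registry, rest = first, path
	} else {
		r.Registry = "docker.io"
	}
	if r.Registry == "index.docker.io" {
		r.Registry = "docker.io"
	}
	// The registry is already stripped, so any remaining ':' introduces the tag.
	if i := strings.LastIndex(rest, ":"); i >= 0 {
		r.Tag, rest = rest[i+1:], rest[:i]
	}
	if rest == "" || strings.HasPrefix(rest, "/") || strings.HasSuffix(rest, "/") {
		return ImageRef{}, fmt.Errorf("malformed repository in %q", ref)
	}
	if r.Registry == "docker.io" && !strings.Contains(rest, "/") {
		rest = "library/" + rest
	}
	r.Repository = rest
	if r.Tag == "" && r.Digest == "" {
		r.Tag = "latest"
	}
	return r, nil
}

// AllowedByPrefix is the naive check: a string prefix test on the raw reference.
func AllowedByPrefix(ref, prefix string) bool {
	return strings.HasPrefix(ref, prefix)
}

// AllowedByRegistry parses first, then compares the registry exactly and the
// repository namespace component-wise, so "myorg" never matches "myorg-fork".
func AllowedByRegistry(ref, registry, namespace string) (bool, error) {
	r, err := ParseImageRef(ref)
	if err != nil {
		return false, err
	}
	if r.Registry != registry {
		return false, nil
	}
	return namespace == "" || r.Repository == namespace ||
		strings.HasPrefix(r.Repository, namespace+"/"), nil
}

func main() {
	// Constructed references for illustration; none refer to real images.
	refs := []string{
		"ghcr.io/myorg/app:1.0",
		"ghcr.io/myorg-fork/app:1.0",
		"nginx:1.25",
		"index.docker.io/library/nginx",
	}
	for _, ref := range refs {
		parsed, err := ParseImageRef(ref)
		if err != nil {
			fmt.Println(ref, "->", err)
			continue
		}
		okParsed, _ := AllowedByRegistry(ref, "ghcr.io", "myorg")
		fmt.Printf("%-32s prefix(ghcr.io/myorg)=%-5v parsed(ghcr.io, myorg)=%-5v normalized=%s/%s\n",
			ref, AllowedByPrefix(ref, "ghcr.io/myorg"), okParsed, parsed.Registry, parsed.Repository)
	}
}
```

The practical takeaway is that a policy should compare the normalized registry and repository components (and, where it matters, pin a digest), never the raw string the user typed in the Pod spec.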

Kubewarden 1.21.1 patch release

Today we published the 1.21.1 patch releases of the kwctl and Policy Server components of the Kubewarden stack. The release ensures all Sigstore verification capabilities work. What happened: on Monday, February 3rd, the contents of Sigstore’s TUF repository were updated. During this process, part of the repository metadata wasn’t properly handled: one of the KEYIDs of the repository wasn’t updated when the key contents were modified. The breaking change wasn’t noticed by upstream maintainers because the TUF Go implementation does not perform strict verification of the KEYID. Read more...
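To make the KEYID problem concrete, here is an added Go example (written for this page, not the Kubewarden or TUF client code; the key material in it is constructed and is not Sigstore's root key). It recomputes a TUF KEYID as the hex SHA-256 of the key's Canonical JSON and checks each entry of a root's keys map against it. A strict verifier rejects an entry whose contents changed while its KEYID did not, which is exactly the condition a client that trusts the map key as-is would miss.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// canonical renders a value as Canonical JSON, the form the TUF specification
// hashes to derive a KEYID: object keys sorted, no whitespace, and strings
// escaped only for '"' and '\'. Key objects contain only strings and
// string-keyed objects, so nothing else is supported here.
func canonical(v any) string {
	switch x := v.(type) {
	case string:
		return `"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(x) + `"`
	case map[string]any:
		keys := make([]string, 0, len(x))
		for k := range x {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		parts := make([]string, 0, len(keys))
		for _, k := range keys {
			parts = append(parts, canonical(k)+":"+canonical(x[k]))
		}
		return "{" + strings.Join(parts, ",") + "}"
	default:
		panic(fmt.Sprintf("canonical: unsupported type %T", v))
	}
}

// NewKey builds a TUF key object with the fields that feed the KEYID.
func NewKey(keytype, scheme, public string) map[string]any {
	return map[string]any{
		"keytype": keytype,
		"scheme":  scheme,
		"keyval":  map[string]any{"public": public},
	}
}

// KeyID is hex(SHA-256(canonical JSON of the key)), per the TUF specification.
func KeyID(key map[string]any) string {
	sum := sha256.Sum256([]byte(canonical(key)))
	return hex.EncodeToString(sum[:])
}

// VerifyKeyIDs is the strict check: every entry in a root's "keys" map must be
// filed under the KEYID recomputed from its contents. A lenient client that
// trusts the map key as-is cannot tell that a key was swapped underneath it.
func VerifyKeyIDs(keys map[string]map[string]any) error {
	for id, key := range keys {
		if got := KeyID(key); got != id {
			return fmt.Errorf("keyid %s does not match its key contents (computed %s)", id, got)
		}
	}
	return nil
}

func main() {
	// Constructed key material; these are not Sigstore's real root keys.
	oldKey := NewKey("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp256",
		"-----BEGIN PUBLIC KEY-----\nOLDKEYBYTES\n-----END PUBLIC KEY-----\n")
	newKey := NewKey("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp256",
		"-----BEGIN PUBLIC KEY-----\nNEWKEYBYTES\n-----END PUBLIC KEY-----\n")

	consistent := map[string]map[string]any{KeyID(oldKey): oldKey}
	// The failure mode: key contents replaced, but the entry kept the old KEYID.
	stale := map[string]map[string]any{KeyID(oldKey): newKey}

	fmt.Println("consistent:", VerifyKeyIDs(consistent))
	fmt.Println("stale:     ", VerifyKeyIDs(stale))
}
```

Which fields end up in the hash depends on the key object as published in the metadata; the example hashes keytype, scheme and keyval, which is what the specification describes, so a client checking real metadata must hash the key object exactly as it appears there.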

Kubewarden 1.21 release

We’re excited to announce the release of Kubewarden v1.21, our first release of 2025! The release addresses two security issues that the Kubewarden team has discovered. Detailed information about them is included below. While these issues do not have a critical impact, we recommend our users upgrade their Kubewarden deployments. Alongside these security fixes, the 1.21 release includes the usual stream of dependency updates and features some improvements to our documentation. Read more...

The Year in Review: Kubewarden's Progress in 2024

It was an exciting year for Kubewarden policy management. We had new features, performance improvements, and have been working towards a regular release schedule. The year has seen work in these areas: performance and reliability; scalability improvements to reduce complexity and improve security; adding CEL policies and policy grouping using logical operators; improving community outreach. Kubewarden 1.10 had optimizations for policy server performance. Memory usage was improved, enabling constant consumption even in large deployments. Read more...

Kubewarden 1.20 release

We’re excited to announce the release of Kubewarden v1.20! This release brings a nice improvement for deploying with OpenTelemetry and some bug fixes. Supporting more OpenTelemetry scenarios: ⚠️ IMPORTANT ⚠️ The kubewarden-controller Helm chart has changed the values.yml schema for the OpenTelemetry keys, hence this update is not backwards-compatible if you have configured OpenTelemetry. Please adapt your values to the new values.yml format. This is of course reflected with a major version bump of the chart version. Read more...

Kubewarden 1.19 release

We’re excited to announce the release of Kubewarden v1.19! This release brings a host of improvements focused on minor bug fixes, adding tests, and developer tech debt improvements. Bug Fixes and Dependency Updates As always, we’ve addressed bugs and updated dependencies to ensure a smooth and reliable experience. Notably, we’ve updated the dependencies for our major components. These updates contribute to the overall stability and security of the Kubewarden stack. Read more...

Kubewarden 1.18 release, SLSA level 3

We are thrilled to announce the release of Kubewarden v1.18.0. For this release we have focused on achieving level 3 of the SLSA standard, in addition to minor bug fixes, adding tests, and developer tech debt improvements. SLSA level 3: Kubewarden has been at the forefront of Sigstore integration (the team co-maintains the upstream sigstore-rs Rust library), and has signed its artifacts and provided SBOMs for several years. For this cycle, we have made the necessary changes to our build pipelines to achieve level 3 of SLSA. Read more...

Policy Groups deep dive

With v1.17, we introduced a new powerful feature, Policy Groups, enabled by two new Kubernetes Custom Resources: AdmissionPolicyGroups (a namespaced policy comprised of several policies) and ClusterAdmissionPolicyGroups (a cluster-wide policy comprised of several policies). These new Policy Groups resources define a policy comprised of several policies and their policy settings, and they perform a combined evaluation of those multiple policies using logical operators. Why are these useful? Because they reuse existing policies, reducing the need for custom policy creation. Read more...

Kubewarden 1.17 release

We are thrilled to announce the release of Kubewarden v1.17.0. This release is packed with big features, let’s have a look! Certificate rotation & removal of cert-manager dependency: starting from this release, the Kubewarden stack takes care of creating and rotating all the needed TLS certificates and certificate authorities. Because the Kubernetes API server calls admission webhooks over TLS, Kubewarden needs serving certificates that the API server trusts, both for the kubewarden-controller (which registers the webhooks for its policies and serves webhooks of its own) and for the PolicyServers (so they can return admission results to the API server). Read more...

Policy Server and kwctl 1.16.1 patch releases

Today we published the 1.16.1 patch release of Policy Server and kwctl. The release addresses a breaking change inside Sigstore’s TUF repository. The change caused errors while retrieving the contents of the TUF repository, which broke part of Kubewarden’s integration with Sigstore. More specifically, it was no longer possible to verify the signatures of Kubewarden’s policies and to verify the signatures of the container images used inside of a Kubernetes cluster via policies like verify-image-signatures. Read more...
