Last week, a high severity issue CVE-2025-1974 was found affecting ingress-nginx, one of the most used ingress solutions for Kubernetes.
The issue The issue allows an attacker to execute arbitrary code in the Pod running the controller. The attacker can then steal the Kubernetes identity of the nginx-ingress controller which, by design, has access to all the Secrets defined in the cluster.
The issue is exploited by making http requests against the validating webhook server used by the nginx-ingress controller.
Read more...
For those attending KubeCon EU 2025 in London, we’re excited to announce that some of our team will be there!
Here’s where you can catch us:
Tuesday, 9:31 AM: Don’t miss our lightning talk! Learn how to leverage and extend CEL for cluster security. Details here. Tuesday, 2:00 PM - 5:00 PM, Project Pavillion kiosk: Stop by to chat with us and learn more about Kubewarden. We can’t wait to see you there!
Read more...
The wait is over—Kubewarden 1.23 has arrived! Packed with exciting security enhancements, smoother workflows, and important updates, this release is here to make your Kubernetes experience even better. Let’s dive into what’s new!
Hardening of the admission webhooks Kubernetes Dynamic Admission Controllers, like Kubewarden, work by providing a webhook server that implements the validation/mutation API defined by the Kubernetes project. These webhook servers are usually deployed within the same cluster as regular Kubernetes workloads.
Read more...
We are happy to highlight a recent CNCF webinar that does a first-dive into Kubewarden.
In this webinar, CNCF Ambassador Carlos Santana explores Kubewarden’s architecture, use cases, and benefits, with a smile in a relaxed enviroment. You’ll learn how Kubewarden policies can be applied at admission control or runtime to ensure compliance and security.
You can watch the full webinar here.
Thanks Carlos!
Getting in touch As always, we welcome your feedback and contributions.
Read more...
Today we published the 1.21.1 patch release of kwctl.
This release includes a fix for a bug that, under certain circumstances, could prevent users from pushing policies to a container registry.
The 1.22.0 release introduces the ability to add policy annotations to the manifest of the OCI artifact that is pushed to the container registry. This feature is useful for adding metadata to the OCI artifact that can be utilized by other tools in the CI/CD pipeline.
Read more...
We’re excited to announce the release of Kubewarden v1.22! This release brings some improvements to kwctl and the Rust SDK, together with some internal changes to prepare for future work.
Breaking change: PolicyServer health check endpoint change ⚠️ IMPORTANT⚠️ Breaking change: If you have created a custom instance of PolicyServer with a hard-coded .spec.image, you must update it to consume the v1.22.0 tag.
Starting from 1.22, the Policy Server health check endpoint is exposed on port 80 instead of port 443, and Policy Server Deployment objects created by the kubewarden-controller make this assumption.
Read more...
A recent Aqua Security blog post highlighted the risks of misconfigured Kubernetes policy engines, particularly when dealing with OPA Gatekeeper. The post correctly points out the challenges of managing complex policies and the potential for bypasses due to misconfigurations. However, it also underscores a critical limitation of many policy engines: their reliance on string manipulation, especially when dealing with OCI image references. This is where Kubewarden takes a different, and significantly more robust, approach.
Read more...
Today we published the 1.21.1 patch releases of the kwctl and Policy Server components of the Kubewarden stack.
The release ensures all Sigstore verification capabilities work.
What happened On Monday, February 3rd, the contents of Sigstore’s TUF repository were updated. During this process, part of the repository metadata wasn’t properly handled. Specifically, one of the KEYIDs of the repository wasn’t updated when the key contents were modified.
The breaking change wasn’t noticed by upstream maintainers as the TUF Go implementation is not performing strict verification of the KEYID.
Read more...
We’re excited to announce the release of Kubewarden v1.21, our first release of 2025!
The release addresses two security issues that the Kubewarden team has discovered. Detailed information about them is included below. While these issues do not have a critical impact, we recommend our users upgrade their Kubewarden deployments.
Alongside these security fixes, the 1.21 release includes the usual stream of dependency updates and features some improvements to our documentation.
Read more...
It was an exciting year for Kubewarden policy management. We had new features, performance improvements, and have been working towards a regular release schedule.
The year has seen work in these areas:
performance and reliability scalability improvements to reduce complexity and improve security adding CEL policies and policy grouping using logical operators improving community outreach Kubewarden 1.10 had optimizations for policy server performance. Memory usage was improved, enabling constant consumption even in large deployments.
Read more...
