Kubewarden

Kubewarden 1.27.3 Patch Release

We have just released 1.27.3, a small patch release for kwctl. This newly released kwctl version v1.27.3 fixes a bug on the kwctl run subcommand for ClusterPolicyGroups and PolicyGroups. When evaluating policies and policy groups, both kwctl and policy-server take care of running the policies in the correct execution mode that the policies have defined via their metadata. This means that Kubewarden policies that are Wasm modules intended to run as WASI are executed as such. Read more...

Kubewarden 1.27.2 Patch Release

We have just released 1.27.2, a small patch release for kwctl. This newly released kwctl version v1.27.2 fixes 2 bugs on the kwctl scaffold admission-request subcommand. On first run, kwctl scaffold admission-request tries to connect to a cluster (if it exists) via kubeconfig, and create a cache of available resource definitions. This allows for scaffolding AdmissionRequests for CRDs in the cluster. Starting from 1.22, there was a bug where kwctl failed to create the internal client to connect to a running cluster. Read more...

Writing Kubewarden Policies in TypeScript/JavaScript (Google Summer of Code)

Hi, I’m Esosa Ohangbon, a software engineering student at Carleton University. This summer, I’ve had the incredible opportunity to participate in Google Summer of Code (GSoC) as a contributor to Kubewarden. My focus has been on developing policy-sdk-js, a JavaScript SDK for writing Kubewarden policies using JavaScript or TypeScript. In this post, I’ll share what the experience has been like so far, some of the challenges I’ve faced, what I’ve learned, and what I’m looking forward to next. Read more...

Kubewarden 1.27.1 Patch Release

We have just released 1.27.1, a small patch release for kwctl. With 1.27, kwctl CLI now performs post-policy processing validations previously only done by the policy-server. This includes checking for the policy mode, as in spec.mode being monitor or protect. This was achieved by refactoring the code in the policy-server and moving it to our library, policy-evaluator. With this change, we introduced a regression in the command kwctl run, used to run policies. Read more...

Kubewarden 1.27 Release

Here’s a look at the key updates and improvements in the latest release. New High-Risk Service Account Policy: In this release, we’ve introduced a new policy to improve cluster security. The High-Risk Service Account Blocker policy, as its name suggests, blocks workloads that attempt to run with a service account that has excessive permissions. This policy leverages the Kubernetes authorization API and allows cluster operators to define a list of forbidden permissions. Read more...

Kubewarden 1.26 Release

Kubewarden 1.26 is fresh out of the oven, with a nice bunch of features. Running policies from YAML locally with kwctl: Up until now, to run policies with kwctl run one needed to pass the policy module URL, the settings, and the context-aware settings via specific flags. For example:

    $ kwctl run \
        --settings-json '{"allowPorts": [80], "denyPorts": [3000]}' \
        --request-path req_pod_with_allowed_capabilities_accept.json \
        registry://ghcr.io/kubewarden/policies/ingress:v0.1.8

Thanks to suggestions from our user community, kwctl now can consume a YAML file containing the Custom Resource Definition of policies, and run the request against them. Read more...

Adopting of Kubewarden

Call for Adopters: Kubewarden is showing significant maturity as a Kubernetes policy enforcement solution, with a growing number of organizations adopting it for policy enforcement for their clusters. This trend reflects the increasing need for robust, flexible, and auditable policy enforcement in the Kubernetes ecosystem. Why Kubewarden? But why use Kubewarden? Kubewarden has seen a substantial expansion of its policy library. More pre-built policies are available, covering a wider range of security and operational best practices. Read more...

Kubewarden 1.25 Release: Priority Class Support and CI Security Enhancements

Kubewarden 1.25 arrives with: enhanced Kubernetes Priority Class integration across the stack; improved CI security through GitHub Actions cleanup; usability refinements in the kwctl tool. Priority Class support: A key feature of this release is the comprehensive integration of Kubernetes Priority Classes across the entire Kubewarden stack. This allows for fine-grained control over the scheduling and resource allocation of Kubewarden components and other workloads in the cluster. The Kubewarden Helm charts now include a new value, . Read more...

Kubewarden joins OpenReports Initiative

Kubewarden is an open-source CNCF project actively engaged with the wider Kubernetes ecosystem. This informs the use of valuable projects like Policy Reporter. Using Policy Reporter as a default UI for Kubewarden simplifies the user experience, allowing the use of familiar reporting mechanisms. This strategic choice also lets the team concentrate on the Kubewarden core stack. So, the Kubewarden team participates in the Kubernetes Policy Working Group. We join community meetings and seek opportunities for collaboration, focusing on the future of policy reporting and related resources. Read more...

Kubewarden 1.24 release

The wait is over, Kubewarden 1.24 has arrived! We have some Easter eggs for you in this one. Promoting our policies to v1.0.0: In the past, we consciously picked semver 0.X.Y for policy versions as that meant that the policy API for the user (in this case, the policy spec.settings) was not considered stable. Since the settings of our policies haven’t changed since their initial release, we decided it was time to highlight their stability by promoting them to v1. Read more...
