We are thrilled to announce the release of Kubewarden v1.18.0. For this release we have focused on achieving level 3 of the SLSA standard, in addition to minor bug fixes, adding tests, and developer tech debt improvements.
SLSA level 3 Kubewarden has been at the forefront of Sigstore integration (being co-maintainers of the upstream sigstore-rs Rust library), and have signed our artifacts and provided SBOMs for several years.
For this cycle, we have made the necessary changes to our build pipelines to achieve level 3 of SLSA.
Read more...
With v1.17, we introduced a new powerful feature, Policy Groups, enabled by two new Kubernetes Custom Resources:
AdmissionPolicyGroups: Namespaced policy comprised of several policies. ClusterAdmissionPolicyGroups: Clusterwide policy comprised of several policies. These new Policy Groups resources define a policy comprised of several policies and their policy settings, and they perform a combined evaluation of those multiple policies using logical operators.
Why are these useful? Because they reuse existing policies, reducing the need for custom policy creation.
Read more...
We are thrilled to announce the release of Kubewarden v1.17.0. This release is packed with big features, let’s have a look!
Certificate rotation & removal of cert-manager dependency Starting from this release, the Kubewarden stack takes care of creating and rotating all the needed TLS certificates and certificate authorities.
Kubewarden, by virtue of connecting to the Kubernetes API server, needs TLS certificates for both the kubewarden-controller (when creating webhooks for its policies) and for the PolicyServers (so they can report their results to the Webhook API server).
Read more...
Policy Server and kwctl 1.16.1 patch releases Today we published the 1.16.1 patch release of Policy Server and kwctl.
The release addresses a breaking change inside Sigstore’s TUF repository. The change caused errors while retrieving the contents of the TUF repository, which broke part of Kubewarden’s integration with Sigstore.
More specifically, it was no longer possible to verify the signatures of Kubewarden’s policies and to verify the signatures of the container images used inside of a Kubernetes cluster via policies like verify-image-signatures.
Read more...
Kubewarden v1.16.0 release We are thrilled to announce the release of Kubewarden v1.16.0! Following the northern hemisphere summer, this version packs some goodies but is a bit more lightweight than usual.
kwctl scaffold for AdmissionRequests The kwctl cli has learned a new command, kwctl scaffold admission-request, which prints a Kubernetes AdmissionRequest object from the provided Kubernetes resource definition.
This is useful when developing policies (and not only limited to Kubewarden ones).
Read more...
Kubewarden v1.15.0 release We are thrilled to announce the release of Kubewarden v1.15.0! This version comes packed with CEL policy updates, controller enhancements, and fixes that make Kubewarden even more robust and user-friendly.
Enhanced PolicyServer CRD with Tolerations One of the standout features of Kubewarden v1.15 is the extension of the PolicyServer Custom Resource Definition (CRD) to include a list of Toleration objects to be used in the deployment created for the Policy Server.
Read more...
Kubewarden v1.14.0 release We are thrilled to announce the release of Kubewarden v1.14.0! This version comes packed with new capabilities, enhancements, and fixes that make Kubewarden even more robust and user-friendly.
New Host Capability for Container Image Configuration One of the significant updates in this release is the introduction of a new host capability that allows policies to fetch the container image configuration. This update stems from a user request to enhance the user-group-psp-policy policy by enabling it to check the user defined to run the container in the image configuration.
Read more...
We are pleased to announce a new policy by the Kubewarden team: cel-policy.
This new policy uses the Common Expression Language (CEL). For those new to CEL, it is a general-purpose expression language designed to be fast, portable, and safe to execute. CEL as a language is memory-safe, side-effect free, terminating (as in “programs cannot loop forever”), and strong & dynamically typed.
CEL is a perfect candidate for extending the Kubernetes API, as CEL expressions can be easily inlined into CRD schemas, and compiled and type-checked “ahead-of-time” (when CRDs are created and updated).
Read more...
I’m pleased to announce a new release of Kubewarden, version 1.13. This release features a series of improvements and bug fixes that contribute to better performance and stability.
Let’s go through the most significant changes.
Policy Server memory usage A community member reported that the Kubewarden Policy Server was using a lot of memory, especially when running context aware policies on big clusters. The number of resources being accessed by the policies was significantly high, in the order of 3200 Namespaces, 10500 Ingresses, 200 ClusterRoleBindings and 11000 RoleBindings.
Read more...
Today we’re glad to announce the release of Kubewarden 1.12.
This release focuses on optimizations and high availability, both oriented to production.
Optimizing Gatekeeper policies The previous 1.11 release featured lots of optimizations for context aware policies.
The 1.12 release provides a further optimization for Gatekeeper policies that access Kubernetes resources. This optimization provides an extra 55% performance boost for these policies.
The benefits of this optimization are particularly noticeable when a huge number of Kubernetes resources are accessed by a Gatekeeper policy.
Read more...
