Writing Kubewarden policies is now even more accessible. Today, we’re excited to announce the alpha release of the Kubewarden JavaScript/TypeScript SDK, bringing policy development to the world’s most popular programming language.
Why JavaScript for Kubernetes Policies?
Kubewarden has always been about choice, letting you write policies in the language you’re most comfortable with. The JavaScript/TypeScript SDK opens Kubewarden to an entirely new audience, the millions of developers already familiar with the JavaScript ecosystem.
The Kubewarden project was created four years ago at SUSE with the goal of redefining Policy As Code. We built a universal policy engine for Kubernetes and donated it to the CNCF.
When the project started, policies could only be written in Rust and Go. Since then, we’ve worked to increase flexibility. Today, policies can also be written in other programming languages such as C#, and even JavaScript and TypeScript (stay tuned for the upcoming announcement).
Today, Kubewarden 1.30 woke up, shook itself, stretched its wings and took off to a cluster near you! This release brings in its beak a bunch of policy features, and performs some future-proofing migrations.
Migration to OpenReports
So far, the Kubewarden Audit Scanner feature has been using the PolicyReports CRDs from policyreports.wgpolicyk8s.io to save its results. These CRDs came from the Kubernetes Policy Working Group and enabled standardized reporting across policy engines.
Earlier this week we published a patch release of Policy Server. The fix was required to avoid a crash at startup time.
The crash was caused by some changes inside the Sigstore TUF repository, specifically the introduction of a new public key for the Rekor service. The Rust library we use to interact with Sigstore could not handle this change, resulting in an error.
The patch we issued on Monday allowed Policy Server to continue operating in a degraded mode.
Today, we released patch updates for both Policy Server and kwctl.
These releases address a startup failure affecting both components, caused by an issue initializing Sigstore’s TUF repository.
With this fix, Policy Server and kwctl will now exit with an error only if policy verification settings are enabled. Policies using image verification settings will reject all images that rely on Sigstore certificate infrastructure (like keyless signatures).
In the meantime, we are collaborating upstream to resolve the Sigstore issue.
Straight from the kitchen, Kubewarden 1.29 is served! This release is a poké bowl of healthy stack features, crisp policy improvements, and some fresh fixes, all seasoned with the wholesome flavour of paid-off tech debt.
Removal of Picky dependency and stringent behavior change
We have long depended on the Rust crate picky as the implementation for X.509 and PKI certificates that we use in our cryptographic host capabilities. It allowed us to overcome some limitations in the webpki crate.
Kubewarden 1.28 has emerged refreshed from a bath in the lake (just like my dog on the morning walk before writing this post!). This release cycle comes mainly with improvements on policies, though some stack features plus kwctl bugfixes also bubbled up.
Supporting Hauler for air-gap installs
With 1.28, our Helm chart releases now include a Hauler YAML manifest.
Hauler is an Open Source project that provides a declarative way of saving all artifacts needed for air-gap installs, along with a tool (the hauler cli) that works with it without requiring operators to adopt a specific workflow.
We have just released 1.27.3, a small patch release for kwctl. This newly released kwctl version v1.27.3 fixes a bug in the kwctl run subcommand for ClusterPolicyGroups and PolicyGroups.
When evaluating policies and policy groups, both kwctl and policy-server take care of running the policies in the correct execution mode that the policies have defined via their metadata. This means that Kubewarden policies that are Wasm modules intended to run as WASI are executed as such.
We have just released 1.27.2, a small patch release for kwctl. This newly released kwctl version v1.27.2 fixes two bugs in the kwctl scaffold admission-request subcommand.
On first run, kwctl scaffold admission-request tries to connect to a cluster (if it exists) via kubeconfig, and create a cache of available resource definitions. This allows for scaffolding AdmissionRequests for CRDs in the cluster.
Starting from 1.22, there was a bug where kwctl failed to create the internal client to connect to a running cluster.
Hi, I’m Esosa Ohangbon, a software engineering student at Carleton University. This summer, I’ve had the incredible opportunity to participate in Google Summer of Code (GSoC) as a contributor to Kubewarden.
My focus has been on developing policy-sdk-js, a JavaScript SDK for writing Kubewarden policies using JavaScript or TypeScript. In this post, I’ll share what the experience has been like so far, some of the challenges I’ve faced, what I’ve learned, and what I’m looking forward to next.