Kubewarden

Kubewarden 1.23 release

Author: Flavio Castelli

Published:

Updated:

The wait is over—Kubewarden 1.23 has arrived! Packed with exciting security enhancements, smoother workflows, and important updates, this release is here to make your Kubernetes experience even better. Let’s dive into what’s new!

Hardening of the admission webhooks

Kubernetes Dynamic Admission Controllers, like Kubewarden, work by providing a webhook server that implements the validation/mutation API defined by the Kubernetes project. These webhook servers are usually deployed within the same cluster as regular Kubernetes workloads. They are exposed internally using Kubernetes' Service resources.

The majority of the time, the only legitimate consumer of these webhooks is the Kubernetes API Server. However, due to Kubernetes' network model, any Pod running in the cluster can make requests against them.

This attack surface can be reduced by limiting who can actually interact with these webhook servers.

One way to reduce this attack surface is by deploying network policies, but an even stronger approach is using mutual TLS (mTLS). With mTLS, both the client and server verify each other’s identity using certificates, ensuring secure and encrypted communication while blocking unauthorized access.

Starting from this release, all the Kubewarden webhooks can be protected using mTLS. This can be done using a configuration option in our helm charts. Unfortunately this cannot be turned on by default, since some manual operations are required by the administrator of the Kubernetes cluster. This howto explains how to enable mTLS when deploying Kubewarden on k3s.

Finally, take a look at this reference documentation to learn more about how to perform security hardening of Kubewarden webhooks. This includes information both about mTLS and reference network policies that can be used to improve the security posture of your deployment.

Support of PSA restricted profile

Kubernetes Pod Security Admission (PSA) is a stable feature since the Kubernetes 1.25 release. It provides a way to validate the workloads created in a Namespace using different set of rules. These rules are hard-coded in Kubernetes and are grouped into three different profiles, ranging from relaxed to strict.

Starting from this release, the restricted profile of the Pod Security Admission is now fully supported out of the box. This means you can enforce stricter security policies against the Kubewarden stack, ensuring its workloads adhere to Kubernetes' best practices without hassle. Prior to this release, the default values of our helm chart required some small tuning to be compliant with the restricted profile.

The only action required to the administrator of the cluster is to add a label to the Namespace where the Kubewarden stack is being deployed.

To enforce the strict profile create a Namespace like the following one:

apiVersion: v1
kind: Namespace
metadata:
  name: kubewarden
  labels:
    pod-security.kubernetes.io/enforce: restricted

For more details, consult the official Kubernetes documentation.

Bug fixes, dependency updates and small improvements

As always, we’ve addressed bugs and updated dependencies to ensure a smooth experience.

kubectl

Starting from this release, a spinner is now shown when pulling images. Thanks to Kiraat for their contribution!

The scaffold artifacthub command has been simplified. Some of its mandatory flags, like the policy version, are now read from the io.kubewarden.policy.version annotation from the metadata.yml file.

Finally, the libraries used to render the output of the inspect command have been replaced with more actively maintained ones. This lead to a slightly different output compared to before in terms of colors and styling.

Different components of the Kubewarden stack (Deployment, Pods, Services) now use the Kubernetes recommended labels. By following these best practices, writing selectors for Kubewarden components is now simpler and more intuitive.

Google Summer of Code

We’re proud to announce that Kubewarden has two projects available under CNCF’s Google Summer of Code. You can find all the details here.

Getting in touch

Join the conversation on Slack or GitHub discussions. and let us know how you’re using Kubewarden 1.23!