Community meetings have been a recurring demand from different sides and with the new year approaching, it’s time to make our first good resolution.
To improve community feedback, the Kubewarden project has decided to organize a monthly community meeting. The first community meeting to be held is scheduled for January 12th, 2023 at 4 PM UTC.
In addition to GitHub Discussions, GitHub issues, and the #kubewarden channel on the Kubernetes Slack, the community meeting is an additional avenue for the community to discuss Kubewarden and shape its future together.
Read more...
Today we’re pleased to announce the availability of Kubewarden 1.4.0.
This version brings some minor fixes to our controller and helm charts and two new interesting features.
Sigstore certificate verification Kubewarden integration with Sigstore keeps growing. Starting from this release it’s possible to verify signatures that have been produced with certificates.
This can be useful to organizations that are using hardware tokens and KMS solutions to sign their container images via Sigstore.
Read more...
Secure supply chain is one of the hottest topics right now. Many organizations are implementing strategies to verify the provenance of their software starting from the development phase up to the deployment in production.
Sigstore is an open source project that makes incredibly easy to sign and verify assets. Lots of open source projects and organizations are using it to sign and verify their container images, system packages and any kind of binary artifact.
Read more...
We are glad to announce that deploying Kubewarden in air gap environments has been simplified and documented! For that, you will need a private OCI registry accessible by your Kubernetes cluster. Kubewarden policies are WebAssembly modules; therefore they can be stored inside an OCI-compliant registry as OCI artifacts. For an air gap installation you need to download all the Kubewarden container images and policies in your workstation, then move them to your private OCI registry.
Read more...
It’s fact of life: as the Kubernetes API evolves, it’s periodically reorganized or upgraded. This means some Kubernetes resources can be deprecated and later removed.
We deserve to easily keep track of those deprecations and removals. For that, we have just released the deprecated-api-versions policy.
A look at the deprecated-api-versions policy This policy detects the usage of Kubernetes resources that have been deprecated or removed from the Kubernetes API.
The policy has two settings:
Read more...
We present to you the new volumeMounts Policy: It inspects containers, init containers, and ephemeral containers, and restricts their usage of volumes by checking the volume name being used in the containers' volumeMounts[*].name.
You can find it published in Artifact Hub. As usual, its artifact is signed with Sigstore in keyless mode, and if you are curious, you can peek into the policy’s implementation in Rust here.
This new policy joins the already existing volumes-psp policy, which provides an allowlist of volume types, and hostpaths-psp policy, with an allowlist of hostPath volumes.
Read more...
We’re glad to present the new environment-variable-policy to Kubewarden users. With this policy, you will now be able to inspect init containers and ephemeral containers. You can also restrict their usage by reviewing the names and values defined under the containers' env[*] field.
As always, the policy can be found in ArtifactHub and all the artifacts, including the BOM files, are signed with Sigstore.
What is so useful about the new environment-variable policy?
Read more...
The Kubewarden development team is happy to announce the release of the Kubewarden 1.3 stack.
In addition to the usual amount of small fixes, this release focused on the following themes.
Improve end users confidence We want our users to feel confident about using Kubewarden, knowing that good development and security practices are being followed by the Kubewarden project. We think this is particularly relevant to Kubewarden, given our users trust us to keep their Kubernetes clusters secure and compliant.
Read more...
We are thrilled to announce you can now scan your environment variables for secrets with the new env-variable-secrets-scanner-policy! This policy rejects a Pod or workload resources such as Deployments, ReplicaSets, DaemonSets , ReplicationControllers, Jobs, CronJobs etc. if a secret is found in the environment variable within a container, init container, or ephemeral container. Secrets that are leaked in plain text or in base64 encoded variables are detected.
This policy uses rusty hog, an open source secret scanner from New Relic.
Read more...
We are happy to announce the first minor release of v1.0: v1.1.1 is now available!
Apart from being a nice looking number, v1.1.1 includes:
Improved the policies API for Sigstore verification by adding new backwards-compatible WaPC host callback v2/verify functions to the API. Check them out here to add support for your language of choice.
This has been used in the verify-image-signatures policy to simplify verification of GitHub Actions signatures and others.
Read more...