Kubewarden

Kubewarden policies cover all the Kubernetes Pod Security Policies

The Kubewarden team worked tirelessly to create equivalent Kubewarden policies for all the deprecated Pod Security Policies (PSP). In order to reach this very important milestone, the team wrote the policies with the same validations available in the Kubernetes PSPs, and we counted on the community's help to map and validate the policies. This will allow our users to replace deprecated PSPs while continuing to enforce their security rules. The Kubewarden policies which replace all the Kubernetes PSPs are available in the Policy Hub, and you can find them by typing the keyword “PSP”. Read more...

Policy Server on aarch64

We recently got notified that the policy-server was crashing in an aarch64 environment. The moment in which it got a request from the API server, it crashed immediately with a SIGSEGV signal. We figured out that this was only happening when the request was a TLS one, and that the problem was related to the OpenSSL stack and the way we were producing the final image of the policy-server with the OpenSSL stack. Read more...

First year of Kubewarden

Year 2021 is almost over. Let’s take that as a chance to look back at what has been achieved during the 1st year of life of the Kubewarden project. Finally, I’ll also talk about what we plan to do during the next one. 2021 Highlights Project Announcement The Kubewarden project has been introduced to the masses for the 1st time during KubeCon Europe 2021. During this presentation, Rafael and I explained what led us to rethink how Kubernetes policies could be written and distributed. Read more...

Deep Dive into policy logging

Policies are regular programs. As such, they often have the need to log information. In general, we are used to making our programs log to standard output (stdout) and standard error (stderr). However, policies run in a confined WebAssembly environment. For this mechanism to work as usual, Kubewarden would need to set up the runtime environment in a way that the policy can write to the stdout and stderr file descriptors, and upon completion, Kubewarden can check them – or stream log messages as they pop up. Read more...

A new architecture to ease Kubewarden administrators' lives

We are pleased to announce a new architecture for the Kubewarden stack, in line with its journey to maturity: the introduction of a PolicyServer Custom Resource Definition (CRD) which allows users to describe a policy-server Deployment, together with binding ClusterAdmissionPolicies to a specific PolicyServer instance. These 2 changes are accompanied by a multitude of improvements to make Kubewarden more comfortable for Kubernetes Administrators, such as validation for Kubewarden Custom Resources, improvements in Helm Charts, and Status and Conditions for ClusterAdmissionPolicies. Read more...

Towards a universal policy platform

Kubewarden is a policy framework for Kubernetes. It can be used to secure your clusters and to ensure they stay compliant with the rules your organization establishes over time. By leveraging the power of WebAssembly, Kubewarden allows policy authors to write policies using traditional programming languages such as Rust, Go, AssemblyScript and Swift. Kubewarden policies, once compiled into WebAssembly modules, are then distributed using regular OCI registries. This allows Operators to have a consistent way to securely distribute both container images and policies. Read more...

WebAssembly is coming to Cloud Native

Is the title of this post a pun inspired by Christmas or by Game of Thrones? I can’t decide… Are my dad jokes as bad as my daughters claim? Probably… Is WebAssembly spreading inside of the Cloud Native ecosystem? 💯 I have no doubts about that! First of all, why am I so excited about seeing WebAssembly flourish inside of the Cloud Native ecosystem? Well, it’s no secret that I’m a huge fan of it. Read more...

Let's learn Kubewarden - Streaming Event

In case you missed it, CNCF Ambassador Saiyam Pathak recently hosted a live streaming event on his YouTube channel about Kubewarden. Flavio had the pleasure to join Saiyam and give an overview of the project. We spoke about Kubernetes Admission Controllers, why we started the Kubewarden project and how it differentiates from other existing open source projects such as Open Policy Agent and Kyverno. The talk also features a brief overview of WebAssembly, what it is and what benefits it provides to Kubewarden. Read more...

Introducing the PSP host namespaces policy

As you probably know, Kubernetes Pod Security Policies (PSPs) are being deprecated in Kubernetes 1.21 – although these APIs will be served until Kubernetes 1.25 it’s a good time to start thinking about what you will use to replace them. At Kubewarden we have an ongoing effort to replace the Pod Security Policies with small, targeted Kubewarden policies. Up until now, we have implemented some policies that replace some Pod Security Policies: Read more...

Introducing kwctl to Kubernetes Administrators

We are pleased to announce the availability of a new tool within the Kubewarden project: kwctl. kwctl is a command line utility designed to help both policy authors and Kubernetes administrators. This blog post focuses on the user experience of Kubernetes administrators. Future ones will cover the policy developer side of the story. A Real-World Example: Controlling Container Capabilities The main character of today’s story is Alice. Alice is a Kubernetes administrator who wants to keep her Kubernetes cluster secure. Read more...
