Kubewarden is a Kubernetes Dynamic Admission Controller that uses policies written in WebAssembly.
For more information refer to the official Kubewarden website.
kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies.
The kubewarden-controller will reconcile the admission policies you have registered against the Kubernetes webhooks of the cluster where it is deployed.
The kubewarden-controller can be deployed using a helm chart. For instructions, see https://charts.kubewarden.io.
Once the kubewarden-controller is up and running, Kubewarden policies can be defined via the ClusterAdmissionPolicy resource.
The documentation of this Custom Resource can be found here or on docs.crds.dev.
Note well: ClusterAdmissionPolicy resources are cluster-wide.
The following snippet defines a Kubewarden Policy based on the psp-capabilities policy:
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities
spec:
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
      - CHOWN
    required_drop_capabilities:
      - NET_ADMIN
This ClusterAdmissionPolicy will evaluate all the CREATE and UPDATE operations performed against Pods; the rules list is what the controller turns into the webhook configuration, so requests for other resources or operations never reach the policy.
Because psp-capabilities rewrites the Pod (it adds the required_drop_capabilities to each container's drop list), it has to be registered with mutating: true. A policy registered as non-mutating that tries to patch a request gets that request rejected by the policy server.
The homepage of this policy provides more insights about how this policy behaves.
Creating the resource inside of Kubernetes is sufficient to enforce the policy:
$ kubectl apply -f https://raw.githubusercontent.com/kubewarden/kubewarden-controller/main/config/samples/policies_v1alpha2_clusteradmissionpolicy.yaml
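To make concrete what the policy above does once it is registered, here is an added example (not Kubewarden's code and not the psp-capabilities source) that models the admission round trip offline: the API server sends an AdmissionReview for a Pod, the policy answers allowed or denied and, since the policy is mutating, may return a JSON Patch. The capability logic is a simplified re-statement of the documented settings (allowed_capabilities, required_drop_capabilities), and the sample Pods and requests are constructed, not captured from a cluster.

```python
import base64
import copy
import json

# Settings and rules copied from the ClusterAdmissionPolicy in this README.
SETTINGS = {
    "allowed_capabilities": ["CHOWN"],
    "required_drop_capabilities": ["NET_ADMIN"],
}
RULES = [{
    "apiGroups": [""], "apiVersions": ["v1"], "resources": ["pods"],
    "operations": ["CREATE", "UPDATE"],
}]


def rule_matches(request, rules=RULES):
    """Mirror the filtering the API server does with the webhook's rules:
    a request matching no rule is never sent to the policy at all."""
    res = request["resource"]
    return any(
        res["group"] in r["apiGroups"]
        and res["version"] in r["apiVersions"]
        and res["resource"] in r["resources"]
        and request["operation"] in r["operations"]
        for r in rules
    )


def evaluate_pod(pod, settings=SETTINGS):
    """Return (allowed, message, json_patch) for one Pod object.

    Simplified model (an assumption, not the real policy source): a
    container may only `add` capabilities listed in allowed_capabilities
    ("*" allows any), and every container is patched so that its `drop`
    list contains all required_drop_capabilities.
    """
    allowed = set(settings.get("allowed_capabilities", []))
    required_drop = settings.get("required_drop_capabilities", [])
    patch = []
    for field in ("initContainers", "containers"):
        for idx, container in enumerate(pod["spec"].get(field, [])):
            sc = copy.deepcopy(container.get("securityContext") or {})
            caps = sc.get("capabilities") or {}
            sc["capabilities"] = caps
            extra = set(caps.get("add") or []) - allowed
            if extra and "*" not in allowed:
                return False, (f"container {container['name']} adds capabilities "
                               f"not in allowed_capabilities: {sorted(extra)}"), []
            drop = list(caps.get("drop") or [])
            missing = [c for c in required_drop if c not in drop]
            if missing:
                caps["drop"] = drop + missing
                # JSON Patch "add" on an object member both creates and
                # replaces, so it works whether securityContext existed or not.
                patch.append({"op": "add",
                              "path": f"/spec/{field}/{idx}/securityContext",
                              "value": sc})
    return True, "", patch


def handle_admission_review(review, rules=RULES, settings=SETTINGS):
    """Build the AdmissionReview response the API server expects, or None
    when the request would not have been routed to this webhook."""
    req = review["request"]
    if not rule_matches(req, rules):
        return None
    allowed, msg, patch = evaluate_pod(req["object"], settings)
    response = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": msg}
    elif patch:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def make_review(uid, obj, operation="CREATE", group="", version="v1",
                resource="pods"):
    """Constructed sample request (not captured from a real cluster)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": operation,
                        "resource": {"group": group, "version": version,
                                     "resource": resource},
                        "object": obj}}


def pod_with(name, add=None, drop=None):
    """Constructed single-container Pod; image name is a placeholder."""
    caps = {k: v for k, v in (("add", add), ("drop", drop)) if v}
    container = {"name": "app", "image": "registry.example.com/app:1.0"}
    if caps:
        container["securityContext"] = {"capabilities": caps}
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": [container]}}


def decoded_patch(review_response):
    """Decode the base64 JSON Patch carried in an allowed, mutating response."""
    return json.loads(base64.b64decode(review_response["response"]["patch"]))


if __name__ == "__main__":
    for uid, pod in (("1", pod_with("adds-net-admin", add=["NET_ADMIN"])),
                     ("2", pod_with("adds-chown", add=["CHOWN"])),
                     ("3", pod_with("already-drops", drop=["NET_ADMIN"]))):
        print(json.dumps(handle_admission_review(make_review(uid, pod)), indent=2))
```

Running it shows the three outcomes a practitioner should expect from the registered policy: a Pod adding NET_ADMIN is denied, a Pod adding only CHOWN is admitted but patched so its drop list contains NET_ADMIN, and a Pod that already drops NET_ADMIN passes untouched. A request for a Deployment, or a DELETE of a Pod, returns None because the webhook rules never route it to the policy; on a real cluster, `kubectl apply --dry-run=server` exercises the same path without persisting the Pod.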
You can delete the admission policy you just created:
$ kubectl delete clusteradmissionpolicy psp-capabilities
The controller removes the policy's finalizer only after it has cleaned up the webhook configuration it created for the policy. If the delete hangs because the controller is no longer running, the finalizer can be cleared by hand, at the cost of possibly leaving that webhook configuration behind in the cluster:
$ kubectl patch clusteradmissionpolicy psp-capabilities -p '{"metadata":{"finalizers":null}}' --type=merge
The official documentation provides more insights about how the project works and how to use it.
The Kubewarden controller has its software bill of materials (SBOM) published with every release. It follows the SPDX version 2.2 format and can be found in the release assets together with the signature and certificate used to sign it, so it can be verified (for example with cosign verify-blob) before it is trusted.
Roadmap for the Kubewarden project.
See our governance document.
We host regular online meetings for contributors, adopters, maintainers, and anyone else interested to connect in a synchronous fashion. These meetings usually take place on the second Thursday of the month at 4PM UTC.
We're a friendly group, so please feel free to join us!
- Slack: #kubewarden and #kubewarden-dev