Kubewarden is a Kubernetes Dynamic Admission Controller that uses policies written in WebAssembly.

For more information refer to the official Kubewarden website.

kubewarden-controller

kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies.

The kubewarden-controller reconciles the admission policies you have registered with the Kubernetes webhooks of the cluster where it's deployed.

Installation

The kubewarden-controller can be deployed using a Helm chart. For instructions, see https://charts.kubewarden.io.

Usage

Once the kubewarden-controller is up and running, you can define Kubewarden policies using the ClusterAdmissionPolicy resource.

The documentation of this Custom Resource can be found here or on docs.crds.dev.

Note: ClusterAdmissionPolicy resources are cluster-wide.

Deploy your first admission policy

The following snippet defines a Kubewarden Policy based on the psp-capabilities policy:

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities
spec:
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
      - CHOWN
    required_drop_capabilities:
      - NET_ADMIN

This ClusterAdmissionPolicy evaluates all the CREATE and UPDATE operations performed against Pods. The homepage of this policy provides more insights about how this policy behaves.

Creating the resource inside Kubernetes is sufficient to enforce the policy:

kubectl apply -f https://raw.githubusercontent.com/kubewarden/kubewarden-controller/main/config/samples/policies_v1alpha2_clusteradmissionpolicy.yaml

Remove your first admission policy

You can delete the admission policy you just created:

kubectl delete clusteradmissionpolicy psp-capabilities
kubectl patch clusteradmissionpolicy psp-capabilities -p '{"metadata":{"finalizers":null}}' --type=merge

Learn more

The documentation provides more insights about how the project works and how to use it.

Software bill of materials

Kubewarden controller has its software bill of materials (SBOM) published every release. It follows the SPDX version 2.2 format and you can find it together with the signature and certificate used to sign it in the release assets

Roadmap

Roadmap for the Kubewarden project.

Governance

See the governance document.

Community meeting

We host regular online meetings for contributors, adopters, maintainers, and anyone else interested. These meetings usually take place on the second Thursday of the month at 4 PM UTC.

• Zoom link
• Minutes from earlier meetings

We're a friendly group, so please feel free to join us!

Community

• Slack: #kubewarden and #kubewarden-dev