Kubewarden is a Kubernetes Dynamic Admission Controller that validates incoming requests against WebAssembly policies. The policies can be developed in any programming language that generates WebAssembly binaries.
The Kubewarden devstats page and dashboard are found here
- 54 contributors in the last year
- 875 PRs in the last year
- 548 issues in the last year
Maintainer | GitHub ID | Affiliation |
---|---|---|
Flavio Castelli | @flavio | SUSE |
Victor Cuadrado Juan | @viccuad | SUSE |
José Guilherme Vanz | @jvanz | SUSE |
Rafael Fernández Lópaz | @ereslibre | VMware |
Fabrizio Sestito | @fabriziosestito | SUSE |
Since the Kubewarden project joined the CNCF as a sandbox project, we have not heard of any company publicly using Kubewarden. However, the project has been approached multiple times by teams evaluating Kubewarden.
Since the approval of the Kubewarden project as a sandbox project, we have released some important features and fixes. Some of them are:
- Migrate all Kubewarden policies to ArtifactHub
- New policy to scan for secrets defined in a container's environment variables
- New policy to enforce rules on the names and values of a container's environment variables
- New policy to restrict `volumeMount` usage within a container
- New policy to prevent the usage of deprecated/removed Kubernetes resources
- New policy to allow users to verify container image signatures using Sigstore
- CLI tool can benchmark policy execution times
- New feature allowing users to define a timeout for policy execution
- CLI tool imports the CAs defined on the host machine, simplifying interactions with registries
- Context-aware policies: policies that can access Kubernetes resources during their execution
- Audit scanner: a new component used to perform audit checks on resources already deployed in the cluster
- A number of fixes improving the integration with OpenTelemetry, a security fix reported by the community, and CI enhancements
In addition to the features added to the Kubewarden stack, we have started to host monthly community calls.
The next defined goals are to address feature requests from the community. Among them are:
- Make the cert-manager dependency optional
- Allow context-aware policies written in Rego
- Allow Kubewarden to validate other documents beyond Kubernetes Admission requests.
The project Roadmap board shows the upcoming goals over time.
The Kubewarden project does not yet meet the criteria for the incubation stage. However, we would like to apply in the future, and we will do so once all the requirements are addressed.
Expected annual review content: