@jvanz
Last active September 20, 2023 19:02
TOC 2023 annual review

Kubewarden 2023 Annual Review

Kubewarden is a Kubernetes Dynamic Admission Controller that validates incoming requests against WebAssembly policies. The policies can be developed in any programming language that generates WebAssembly binaries.

DevStats

The Kubewarden devstats page and dashboard are found here

Maintainers

| Maintainer | GitHub ID | Affiliation |
| --- | --- | --- |
| Flavio Castelli | @flavio | SUSE |
| Victor Cuadrado Juan | @viccuad | SUSE |
| José Guilherme Vanz | @jvanz | SUSE |
| Rafael Fernández Lópaz | @ereslibre | VMware |
| Fabrizio Sestito | @fabriziosestito | SUSE |

Adoption

Since the Kubewarden project joined the CNCF as a sandbox project, we have not heard of any company publicly using Kubewarden. However, the project has been approached multiple times by teams evaluating the usage of Kubewarden.

Project performance

Since the approval of the Kubewarden project as a sandbox project, we have released some important features and fixes. Some of them are:

  • Migrate all Kubewarden policies to ArtifactHub
  • New policy to scan for secrets defined in a container's environment variables
  • New policy to enforce rules on the names and values of a container's environment variables
  • New policy to restrict volumeMount usage within a container
  • New policy to prevent the usage of deprecated/removed Kubernetes resources
  • New policy to allow users to verify container image signatures using Sigstore
  • The CLI tool can benchmark policy execution times
  • New feature allowing users to define a timeout for policy execution
  • The CLI tool imports the CAs defined on the host machine, simplifying interactions with registries
  • Context-aware policies: policies that can access Kubernetes resources during their execution
  • Audit scanner: a new component used to perform audit checks on resources already deployed in the cluster
  • A number of fixes improving the integration with OpenTelemetry, a security fix reported by the community, and CI enhancements

In addition to the features added to the Kubewarden stack, we have started to host monthly community calls.

Goals

The next defined goals are to address feature requests from the community. Among them are:

  • Make the cert-manager dependency optional
  • Allow context-aware policies written in Rego
  • Allow Kubewarden to validate other documents beyond Kubernetes Admission requests.

The project Roadmap board shows the upcoming goals over time.

Incubation readiness

The Kubewarden project does not yet meet the criteria for the incubation stage. However, we would like to apply in the future, and we will do so once all the requirements are addressed.

jvanz commented Sep 20, 2023

Expected annual review content:

Annual review contents

Your annual review should answer the following questions:
  - Include a link to your project’s devstats page. We will be looking for signs of consistent or increasing contribution activity. Please feel free to add commentary to add colour to the numbers and graphs we will see on devstats.
  - How many maintainers do you have, and which organisations are they from? (Feel free to link to an existing MAINTAINERS file if appropriate.)
  - What do you know about adoption, and how has this changed since your last review / since you joined Sandbox? If you can list companies that are adopters of your project, please do so. (Feel free to link to an existing ADOPTERS file if appropriate. Refer to the [FAQs](https://github.com/cncf/toc/blob/main/FAQ.md#what-is-the-definition-of-an-adopter) for more information on adopters.)
  - How has the project performed against its goals since the last review? (We won't penalize you if your goals changed for good reasons.)
  - What are the current goals of the project? For example, are you working on major new features? Or are you concentrating on adoption or documentation?
  - How can the CNCF help you achieve your upcoming goals?
  - Do you think that your project meets the [criteria for incubation](https://github.com/cncf/toc/blob/main/process/graduation_criteria.md#incubating-stage)?
