Kubewarden is a Kubernetes Dynamic Admission Controller that uses policies written
in WebAssembly.
For more information refer to the official Kubewarden website.
kubewarden-controller
kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies.
The kubewarden-controller reconciles the admission policies you have registered with the Kubernetes webhooks of the cluster where it's deployed.
Installation
The kubewarden-controller can be deployed using a Helm chart. For instructions,
see https://charts.kubewarden.io.
Usage
Once the kubewarden-controller is up and running, you can define Kubewarden policies using the ClusterAdmissionPolicy resource.
The documentation of this Custom Resource can be found here or on docs.crds.dev.
Note: ClusterAdmissionPolicy resources are cluster-wide.
Deploy your first admission policy
The following snippet defines a Kubewarden Policy based on the psp-capabilities policy:

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities
spec:
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
      - CHOWN
    required_drop_capabilities:
      - NET_ADMIN

This ClusterAdmissionPolicy evaluates all the CREATE and UPDATE operations performed against Pods.
The homepage of this policy provides more insights about how this policy behaves.
Creating the resource inside Kubernetes is sufficient to enforce the policy:
kubectl apply -f https://raw.githubusercontent.com/kubewarden/kubewarden-controller/main/config/samples/policies_v1alpha2_clusteradmissionpolicy.yaml
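
To make the two settings in the snippet above concrete, the following added example (not code from the Kubewarden project) models them against constructed Pod manifests. It assumes that a container may only add capabilities listed in allowed_capabilities, must not add any listed in required_drop_capabilities, and that the mutating policy appends the required drops; the policy's homepage remains the authority on its exact behaviour. The names review_pod and _pod are hypothetical.

```python
# Added illustration: a simplified model of the two settings used above.
# Assumption: a container may only *add* capabilities listed in
# allowed_capabilities, must not add any listed in required_drop_capabilities,
# and (because the policy is mutating) gets the required drops appended.
# This is not the policy's own WebAssembly code.
import copy

SETTINGS = {
    "allowed_capabilities": ["CHOWN"],
    "required_drop_capabilities": ["NET_ADMIN"],
}


def review_pod(pod, settings=SETTINGS):
    """Return (accepted, reasons, resulting_pod) for a Pod manifest dict."""
    allowed = set(settings.get("allowed_capabilities", []))
    must_drop = list(settings.get("required_drop_capabilities", []))
    reasons = []
    mutated = copy.deepcopy(pod)  # never modify the caller's object
    spec = mutated.get("spec", {})
    # Init containers are admitted with the Pod, so they are checked too.
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            caps = c.setdefault("securityContext", {}).setdefault("capabilities", {})
            for cap in caps.get("add", []):
                if cap in must_drop:
                    reasons.append(f"{c['name']}: adds {cap}, which must be dropped")
                elif "*" not in allowed and cap not in allowed:
                    reasons.append(f"{c['name']}: adds {cap}, which is not allowed")
            # Mutation step: make sure every required drop is present.
            drop = caps.setdefault("drop", [])
            drop.extend(cap for cap in must_drop if cap not in drop)
    if reasons:
        return False, reasons, pod
    return True, [], mutated


def _pod(add=None):
    """Constructed sample Pod with a single container."""
    c = {"name": "app", "image": "registry.example/app:1.0"}
    if add is not None:
        c["securityContext"] = {"capabilities": {"add": add}}
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "demo"}, "spec": {"containers": [c]}}
```
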
Remove your first admission policy
You can delete the admission policy you just created:
kubectl delete clusteradmissionpolicy psp-capabilities
kubectl patch clusteradmissionpolicy psp-capabilities -p '{"metadata":{"finalizers":null}}' --type=merge
Learn more
The documentation provides more insights
about how the project works and how to use it.
Software bill of materials
Kubewarden controller has its software bill of materials (SBOM) published with every
release. It follows the SPDX version 2.2 format, and you can
find it, together with the signature and certificate used to sign it, in the
release assets.
Roadmap
Roadmap for the Kubewarden project.
Governance
See the governance document.
We host regular online meetings for contributors, adopters, maintainers, and
anyone else interested. These meetings usually take place on the second Thursday
of the month at 4 PM UTC.
We're a friendly group, so please feel free to join us!