Kubewarden Blog

The garden has a new nameplate! Kubewarden 1.36 renames the repository and its container images, changes how PolicyServer deletion works, adds host network support, and ships the docs on a new platform. Breaking changes Repository and container image rename We renamed the kubewarden-controller repository to adm-controller. The old name stopped making sense once the project grew beyond a single admission controller. The container images moved too: kubewarden-controller is now just controller All images live under ghcr.

We are happy to announce SBOMscanner v0.11.0. This release introduces an MCP server for AI assistants, a new way to target a subset of a registry from a ScanJob, supply chain hardening with zizmor, and several fixes for race conditions in the storage controller watches. MCP server SBOMscanner now ships an MCP server that puts everything the controller knows in front of your AI assistant of choice. Instead of crafting kubectl queries across CRDs and joining the results in your head, you can ask Claude, Claude Code, GitHub Copilot, or any other MCP client questions like “which workloads in cluster prod are running an image with a critical CVE?

This Admission Controller 1.35 release is one that builds the nest properly: load-bearing branches first, then careful weaving. A moderate security vulnerability has been fixed, and rather than a quick twig stuffed in a gap, the team reinforced the whole structure. This release brings also a new policy, an expansion on our threat model, and a JavaScrypt/TypeScrypt SDK relocation. Security fix: RBAC reconnaissance and host capability calls Kubewarden makes the following security promise:

After the big blooms of 1.33, this release turns its attention to the garden fence: making sure our CI pipelines are sturdy, our supply chain is trustworthy, and a nagging bug in kwctl gets pulled out by the roots. Nothing flashy, but the kind of care that keeps the garden healthy for the long haul. Let’s take a look at what’s new! Fix for kwctl scaffold command When using kwctl command scaffold manifest with a policy URI that omits an explicit tag (e.

The Kubewarden ecosystem continues to expand its supply chain security capabilities! Hot on the heels of the Admission Controller 1.33 release, we are excited to announce SBOMscanner v0.10.0. This release introduces powerful new features and critical stability fixes. Let’s dive in! Workload Scan Until now, SBOMscanner required explicit Registry configurations to scan images. However, what usually matters most are the images actively running in your cluster. The new Workload Scan feature automatically discovers and scans container images based on live workloads.

The garden is thriving and Kubewarden 1.33 is ready to bloom! Following last release’s big repotting, this one is serious about pruning, including a security issue. It’s not all housekeeping though, fresh flowers are blooming and come with nice features: BYO-PKI landing in the policy-server, field mask filtering for context-aware calls, proxy support, and a few more treats. Let’s dig in! Security fix: Cross-namespace data access, removal of deprecated API calls In our previous post we explained how our architecture protects namespaced policy users from privilege escalations.