Web Assembly
Kubewarden 1.31 Release
Preparing for season celebrations, Kubewarden grabbed its running shoes and went for a lively jog. This release is about keeping your cluster environment fit and lively: new policy, new Sigstore airgap features, backup support, and new resource limits for our Helm charts, among other things.
The running group is growing too!
New peer project: SBOMScanner
As announced some weeks ago, the Kubewarden family is growing with the addition of SBOMscanner.
Categories: Web Assembly
A Function Inliner for Wasmtime and Cranelift
Function inlining is one of the most important compiler optimizations, not because of its direct effects, but because of the follow-up optimizations it unlocks. It may reveal, for example, that an otherwise-unknown function parameter value is bound to a constant argument, which makes a conditional branch unconditional, which in turn exposes that the function will always return the same value. Inlining is the catalyst of modern compiler optimization.
Categories: Web Assembly
Introducing the Kubewarden JavaScript/TypeScript SDK
Writing Kubewarden policies is now even more accessible. Today, we’re excited to announce the alpha release of the Kubewarden JavaScript/TypeScript SDK, bringing policy development to the world’s most popular programming language.
Why JavaScript for Kubernetes Policies?
Kubewarden has always been about choice, letting you write policies in the language you’re most comfortable with. The JavaScript/TypeScript SDK opens Kubewarden to an entirely new audience, the millions of developers already familiar with the JavaScript ecosystem.
Categories: Web Assembly
Expanding Kubewarden Scope
The Kubewarden project was created four years ago at SUSE with the goal of redefining Policy As Code. We built a universal policy engine for Kubernetes and donated it to the CNCF.
When the project started, policies could only be written in Rust and Go. Since then, we’ve worked to increase flexibility. Today, policies can also be written in other programming languages such as C#, and even JavaScript and TypeScript (stay tuned for the upcoming announcement).
Categories: Web Assembly
Exceptions in Cranelift and Wasmtime
This is a blog post outlining the odyssey I recently took to implement the Wasm exception-handling proposal in Wasmtime, the open-source WebAssembly engine for which I’m a core team member/maintainer, and its Cranelift compiler backend.
Categories: Web Assembly
Kubewarden 1.30 Release
Today, Kubewarden 1.30 woke up, shook itself, stretched its wings and took off to a cluster near you! This release brings in its beak a bunch of policy features, and performs some future-proofing migrations.
Migration to OpenReports
So far, the Kubewarden Audit Scanner feature has been using the PolicyReports CRDs from policyreports.wgpolicyk8s.io to save its results. These CRDs came from the Kubernetes Policy Working Group and enabled standardized reporting across policy engines.
Categories: Web Assembly
Policy Server 1.29.2 Patch Release
Earlier this week we published a patch release of Policy Server. The fix was required to avoid a crash at startup time.
The crash was caused by some changes inside the Sigstore TUF repository, specifically the introduction of a new public key for the Rekor service. The Rust library we use to interact with Sigstore could not handle this change, resulting in an error.
The patch we issued on Monday allowed Policy Server to continue operating in a degraded mode.
Categories: Web Assembly
Kubewarden 1.29.1 Patch Release
Today, we released patch updates for both Policy Server and kwctl.
These releases address a startup failure affecting both components, caused by an issue initializing Sigstore’s TUF repository.
With this fix, Policy Server and kwctl will now exit with an error only if policy verification settings are enabled. Policies using image verification settings will reject all images that rely on Sigstore certificate infrastructure (like keyless signatures).
In the meantime, we are collaborating upstream to resolve the Sigstore issue.
Categories: Web Assembly
Kubewarden 1.29 Release
Straight from the kitchen, Kubewarden 1.29 is served! This release is a poké bowl of healthy stack features, crisp policy improvements, and some fresh fixes, all seasoned with the wholesome flavour of paid-off tech debt.
Removal of Picky dependency and stringent behavior change
We have long depended on the Rust crate picky as the implementation for X.509 and PKI certificates that we use in our cryptographic host capabilities. It allowed us to overcome some limitations in the webpki crate.
Categories: Web Assembly
Kubewarden 1.28 Release
Kubewarden 1.28 has emerged refreshed from a bath in the lake (just like my dog on the morning walk before writing this post!). This release cycle comes mainly with improvements on policies, though some stack features plus kwctl bugfixes also bubbled up.
Supporting Hauler for air-gap installs
With 1.28, our Helm chart releases now include a Hauler YAML manifest.
Hauler is an Open Source project that provides a declarative way of saving all artifacts needed for air-gap installs, along with a tool (the hauler cli) that works with it without requiring operators to adopt a specific workflow.
Categories: Web Assembly