{"id":13645175,"url":"https://github.com/kubewarden/adm-controller","last_synced_at":"2026-05-01T00:02:45.675Z","repository":{"id":37249935,"uuid":"318490971","full_name":"kubewarden/kubewarden-controller","owner":"kubewarden","description":"Manage admission policies in your Kubernetes cluster with ease","archived":false,"fork":false,"pushed_at":"2025-04-12T04:23:44.000Z","size":2834,"stargazers_count":207,"open_issues_count":72,"forks_count":37,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-04-12T05:27:37.109Z","etag":null,"topics":["hacktoberfest","kubernetes","kubernetes-security","policy-as-code","webassembly"],"latest_commit_sha":null,"homepage":"https://kubewarden.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kubewarden.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY-INSIGHTS.yml","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-12-04T11:08:13.000Z","updated_at":"2025-04-12T04:23:47.000Z","dependencies_parsed_at":"2023-02-17T12:30:46.433Z","dependency_job_id":"260fc5f8-c6ec-44fe-afdd-2822a7735ead","html_url":"https://github.com/kubewarden/kubewarden-controller","commit_stats":null,"previous_names":["chimera-kube/chimera-controller"],"tags_count":107,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fkubewarden-controller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fkubewarden-controller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewar
den%2Fkubewarden-controller/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fkubewarden-controller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kubewarden","download_url":"https://codeload.github.com/kubewarden/kubewarden-controller/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248641611,"owners_count":21138233,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","kubernetes","kubernetes-security","policy-as-code","webassembly"],"created_at":"2024-08-02T01:02:30.551Z","updated_at":"2026-05-01T00:02:45.643Z","avatar_url":"https://github.com/kubewarden.png","language":"Go","funding_links":[],"categories":["kubernetes","Rust","Configuration \u0026 Policy Automation","Configuration Management","Security and Supply Chain"],"sub_categories":["Streaming Operations"],"readme":"[![Kubewarden Core Repository](https://github.com/kubewarden/community/blob/main/badges/kubewarden-core.svg)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#core-scope)\n[![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)\n[![Artifact 
HUB](https://img.shields.io/badge/ArtifactHub-Helm_Charts-blue?style=flat\u0026logo=artifacthub\u0026link=https%3A%2F%2Fartifacthub.io%2Fpackages%2Fsearch%3Frepo%3Dkubewarden%26kind%3D0%26verified_publisher%3Dtrue%26official%3Dtrue%26cncf%3Dtrue%26sort%3Drelevance%26page%3D1)](https://artifacthub.io/packages/search?repo=kubewarden\u0026kind=0\u0026verified_publisher=true\u0026official=true\u0026cncf=true\u0026sort=relevance\u0026page=1)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6502/badge)](https://www.bestpractices.dev/projects/6502)\n[![FOSSA license scan](https://app.fossa.com/api/projects/custom%2B25850%2Fgithub.com%2Fkubewarden%2Fkubewarden-controller.svg?type=shield)](https://app.fossa.com/projects/custom%252B25850%252Fgithub.com%252Fkubewarden%252Fkubewarden-controller?ref=badge_shield)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/kubewarden/kubewarden-controller/badge)](https://scorecard.dev/viewer/?uri=github.com/kubewarden/kubewarden-controller)\n[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/kubewarden/badge)](https://clomonitor.io/projects/cncf/kubewarden)\n\nKubewarden is a Kubernetes Dynamic Admission Controller that uses policies written\nin WebAssembly.\n\nFor more information refer to the [official Kubewarden website](https://kubewarden.io/).\n\n# Kubewarden Admission Controller - Monorepo\n\nThis repository is a monorepo containing the source code for all the different\ncomponents of the Kubewarden Admission Controller:\n\n- **kubewarden-controller**: A Kubernetes controller that allows you to dynamically register Kubewarden admission policies and reconcile them with the Kubernetes webhooks of the cluster where it's deployed\n- **policy-server**: The runtime component that evaluates admission policies written in WebAssembly\n- **audit-scanner**: A component that scans existing resources in the cluster against registered policies\n- **kwctl**: A CLI tool 
for testing and managing Kubewarden policies\n\n## Documentation\n\nThe full and exhaustive documentation is available at [docs.kubewarden.io](https://docs.kubewarden.io).\n\nThe [`docs/`](./docs) folder contains README files for each component:\n\n- [Controller](./docs/controller)\n- [Policy Server](./docs/policy-server)\n- [Audit Scanner](./docs/audit-scanner)\n- [kwctl](./docs/kwctl)\n- [CRDs](./docs/crds)\n\n## Installation\n\nThe kubewarden-controller can be deployed using a Helm chart. For instructions,\nsee https://charts.kubewarden.io.\n\nPlease refer to our [quickstart](https://docs.kubewarden.io/quick-start) for more details.\n\n# Software bill of materials \u0026 provenance\n\nEach Kubewarden component has its software bill of materials (SBOM) and build\n[Provenance](https://slsa.dev/spec/v1.0/provenance) information published with every\nrelease. They follow the [SPDX](https://spdx.dev/) format and\n[SLSA](https://slsa.dev/provenance/v0.2#schema) provenance schema.\nBoth files are generated by [Docker\nbuildx](https://docs.docker.com/build/metadata/attestations/) during the build\nprocess and stored in the container registry together with the container image,\nas well as uploaded to the release page.\n\nYou can find them, together with the signature and certificate used to sign them,\nin the [release\nassets](https://github.com/kubewarden/kubewarden-controller/releases), and\nattached to the image as JSON-encoded documents following the [in-toto SPDX\npredicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md)\nformat. 
You can obtain them with\n[`crane`](https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md)\nor [`docker buildx imagetools\ninspect`](https://docs.docker.com/reference/cli/docker/buildx/imagetools/inspect).\n\nYou can verify the signature of a provenance file from the release assets with:\n\n```shell\ncosign verify-blob --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \\\n    --certificate-identity=\"https://github.com/kubewarden/kubewarden-controller/.github/workflows/attestation.yml@\u003cTAG TO VERIFY\u003e\" \\\n    --bundle kubewarden-controller-attestation-amd64-provenance.intoto.jsonl.bundle.sigstore \\\n    kubewarden-controller-attestation-amd64-provenance.intoto.jsonl\n```\n\nTo verify the attestation manifest and its layer signatures:\n\n```shell\ncosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \\\n    --certificate-identity=\"https://github.com/kubewarden/kubewarden-controller/.github/workflows/attestation.yml@\u003cTAG TO VERIFY\u003e\" \\\n    ghcr.io/kubewarden/kubewarden-controller@sha256:1abc0944378d9f3ee2963123fe84d045248d320d76325f4c2d4eb201304d4c4e\n```\n\n\u003e [!NOTE]\n\u003e All the commands and file locations used in this section to validate the\n\u003e controller components can be used to verify all the other Kubewarden\n\u003e components as well.\n\nThat sha256 hash is the digest of the attestation manifest or its layers.\nTherefore, you need to find this hash in the registry using the UI or tools\nlike `crane`. 
For example, the following command will show you all the\nattestation manifests of the `latest` tag:\n\n```shell\ncrane manifest  ghcr.io/kubewarden/kubewarden-controller:latest | jq '.manifests[] | select(.annotations[\"vnd.docker.reference.type\"]==\"attestation-manifest\")'\n{\n  \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n  \"digest\": \"sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8\",\n  \"size\": 1655,\n  \"annotations\": {\n    \"vnd.docker.reference.digest\": \"sha256:611d499ec9a26034463f09fa4af4efe2856086252d233b38e3fc31b0b982d369\",\n    \"vnd.docker.reference.type\": \"attestation-manifest\"\n  },\n  \"platform\": {\n    \"architecture\": \"unknown\",\n    \"os\": \"unknown\"\n  }\n}\n{\n  \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n  \"digest\": \"sha256:e0cd736c2241407114256e09a4cdeef55eb81dcd374c5785c4e5c9362a0088a2\",\n  \"size\": 1655,\n  \"annotations\": {\n    \"vnd.docker.reference.digest\": \"sha256:03e5db83a25ea2ac498cf81226ab8db8eb53a74a2c9102e4a1da922d5f68b70f\",\n    \"vnd.docker.reference.type\": \"attestation-manifest\"\n  },\n  \"platform\": {\n    \"architecture\": \"unknown\",\n    \"os\": \"unknown\"\n  }\n}\n```\n\nThen you can use the `digest` field to verify the attestation manifest and its\nlayers' signatures:\n\n```shell\ncosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \\\n    --certificate-identity=\"https://github.com/kubewarden/kubewarden-controller/.github/workflows/attestation.yml@\u003cTAG TO VERIFY\u003e\" \\\n    ghcr.io/kubewarden/kubewarden-controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8\n\ncrane manifest  ghcr.io/kubewarden/kubewarden-controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8\n{\n  \"schemaVersion\": 2,\n  \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n  \"config\": {\n    \"mediaType\": 
\"application/vnd.oci.image.config.v1+json\",\n    \"digest\": \"sha256:eda788a0e94041a443eca7286a9ef7fce40aa2832263f7d76c597186f5887f6a\",\n    \"size\": 463\n  },\n  \"layers\": [\n    {\n      \"mediaType\": \"application/vnd.in-toto+json\",\n      \"digest\": \"sha256:563689cdee407ab514d057fe2f8f693189279e10bfe4f31f277e24dee00793ea\",\n      \"size\": 94849,\n      \"annotations\": {\n        \"in-toto.io/predicate-type\": \"https://spdx.dev/Document\"\n      }\n    },\n    {\n      \"mediaType\": \"application/vnd.in-toto+json\",\n      \"digest\": \"sha256:7ce0572628290373e17ba0bbb44a9ec3c94ba36034124931d322ca3fbfb768d9\",\n      \"size\": 7363045,\n      \"annotations\": {\n        \"in-toto.io/predicate-type\": \"https://spdx.dev/Document\"\n      }\n    },\n    {\n      \"mediaType\": \"application/vnd.in-toto+json\",\n      \"digest\": \"sha256:dacf511c5ec7fd87e8692bd08c3ced2c46f4da72e7271b82f1b3720d5b0a8877\",\n      \"size\": 71331,\n      \"annotations\": {\n        \"in-toto.io/predicate-type\": \"https://spdx.dev/Document\"\n      }\n    },\n    {\n      \"mediaType\": \"application/vnd.in-toto+json\",\n      \"digest\": \"sha256:594da3e8bd8c6ee2682b0db35857933f9558fd98ec092344a6c1e31398082f4d\",\n      \"size\": 980,\n      \"annotations\": {\n        \"in-toto.io/predicate-type\": \"https://spdx.dev/Document\"\n      }\n    },\n    {\n      \"mediaType\": \"application/vnd.in-toto+json\",\n      \"digest\": \"sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca\",\n      \"size\": 13838,\n      \"annotations\": {\n        \"in-toto.io/predicate-type\": \"https://slsa.dev/provenance/v0.2\"\n      }\n    }\n  ]\n}\n\ncosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \\\n    --certificate-identity=\"https://github.com/kubewarden/kubewarden-controller/.github/workflows/attestation.yml@\u003cTAG TO VERIFY\u003e\" \\\n    
ghcr.io/kubewarden/kubewarden-controller@sha256:594da3e8bd8c6ee2682b0db35857933f9558fd98ec092344a6c1e31398082f4d\n```\n\nNote that each attestation manifest (for each architecture) has its own layers.\nEach layer is a different SBOM SPDX or provenance file generated by Docker\nBuildx during the multi-stage build process. You can also use `crane` to\ndownload the attestation file:\n\n```shell\ncrane blob ghcr.io/kubewarden/kubewarden-controller@sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca\n```\n\n## Security disclosure\n\nSee [SECURITY.md](https://github.com/kubewarden/community/blob/main/SECURITY.md) on the kubewarden/community repo.\n\n# Changelog\n\nSee [GitHub Releases content](https://github.com/kubewarden/kubewarden-controller/releases).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubewarden%2Fadm-controller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkubewarden%2Fadm-controller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubewarden%2Fadm-controller/lists"}