https://github.com/kubewarden/adm-controller
Manage admission policies in your Kubernetes cluster with ease
- Host: GitHub
- URL: https://github.com/kubewarden/adm-controller
- Owner: kubewarden
- License: apache-2.0
- Created: 2020-12-04T11:08:13.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2025-04-12T04:23:44.000Z (about 1 year ago)
- Last Synced: 2025-04-12T05:27:37.109Z (about 1 year ago)
- Topics: hacktoberfest, kubernetes, kubernetes-security, policy-as-code, webassembly
- Language: Go
- Homepage: https://kubewarden.io
- Size: 2.7 MB
- Stars: 207
- Watchers: 8
- Forks: 37
- Open Issues: 72
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: CODEOWNERS
- Security: SECURITY-INSIGHTS.yml
Awesome Lists containing this project
- awesome-cloud-native - kubewarden - Policy as code for Kubernetes powered by WebAssembly modules. (Configuration & Policy Automation)
- awesome-kubernetes-configuration-management - Kubewarden
- awesome-x-ops - Kubewarden - as-code governance. (Security and Supply Chain / Streaming Operations)
README
Project badges:
- [Kubewarden core scope](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#core-scope)
- [Stable](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)
- [Artifact Hub](https://artifacthub.io/packages/search?repo=kubewarden&kind=0&verified_publisher=true&official=true&cncf=true&sort=relevance&page=1)
- [OpenSSF Best Practices](https://www.bestpractices.dev/projects/6502)
- [FOSSA](https://app.fossa.com/projects/custom%252B25850%252Fgithub.com%252Fkubewarden%252Fkubewarden-controller?ref=badge_shield)
- [OpenSSF Scorecard](https://scorecard.dev/viewer/?uri=github.com/kubewarden/kubewarden-controller)
- [CLOMonitor](https://clomonitor.io/projects/cncf/kubewarden)
Kubewarden is a Kubernetes Dynamic Admission Controller that uses policies written
in WebAssembly.
For more information refer to the [official Kubewarden website](https://kubewarden.io/).
# Kubewarden Admission Controller - Monorepo
This repository is a monorepo containing the source code for all the different
components of the Kubewarden Admission Controller:
- **kubewarden-controller**: A Kubernetes controller that allows you to dynamically register Kubewarden admission policies and reconcile them with the Kubernetes webhooks of the cluster where it's deployed
- **policy-server**: The runtime component that evaluates admission policies written in WebAssembly
- **audit-scanner**: A component that scans existing resources in the cluster against registered policies
- **kwctl**: A CLI tool for testing and managing Kubewarden policies
## Documentation
The full and exhaustive documentation is available at [docs.kubewarden.io](https://docs.kubewarden.io).
The [`docs/`](./docs) folder contains README files for each component:
- [Controller](./docs/controller)
- [Policy Server](./docs/policy-server)
- [Audit Scanner](./docs/audit-scanner)
- [kwctl](./docs/kwctl)
- [CRDs](./docs/crds)
## Installation
The kubewarden-controller can be deployed using a Helm chart. For instructions,
see https://charts.kubewarden.io.
Please refer to our [quickstart](https://docs.kubewarden.io/quick-start) for more details.
# Software bill of materials & provenance
Every Kubewarden component publishes a software bill of materials (SBOM) and build
[provenance](https://slsa.dev/spec/v1.0/provenance) with each release. The SBOM
uses the [SPDX](https://spdx.dev/) format and the provenance follows the
[SLSA](https://slsa.dev/provenance/v0.2#schema) provenance v0.2 schema.
Both files are generated by [Docker
buildx](https://docs.docker.com/build/metadata/attestations/) during the build
process. They are stored in the container registry alongside the container image
and are also uploaded to the release page.
You can find them, together with the signature and certificate used to sign
them, in the [release
assets](https://github.com/kubewarden/kubewarden-controller/releases). They are
also attached to the image as JSON-encoded in-toto statements, the SBOMs using
the [in-toto SPDX
predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md)
and the provenance using the SLSA provenance predicate. You can fetch them with
[`crane`](https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md)
or [`docker buildx imagetools
inspect`](https://docs.docker.com/reference/cli/docker/buildx/imagetools/inspect).
You can verify a release asset, here the amd64 provenance attestation together
with its Sigstore bundle downloaded from the release page, with `cosign
verify-blob`. The `--certificate-identity` value has to match the
SubjectAlternativeName of the signing certificate exactly; for a GitHub Actions
workflow that is the workflow path followed by `@` and the git ref the run used.
The command below stops at the `@`, so append the ref of the release you are
checking, or use `--certificate-identity-regexp` to match on the workflow path
alone. This issuer and identity pair is what ties the artifact to this
repository's release workflow rather than to any Sigstore signer:
```shell
cosign verify-blob --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity="https://github.com/kubewarden/kubewarden-controller/.github/workflows/attestation.yml@" \
--bundle kubewarden-controller-attestation-amd64-provenance.intoto.jsonl.bundle.sigstore \
kubewarden-controller-attestation-amd64-provenance.intoto.jsonl
```
To verify the attestation manifest and its layer signatures:
```shell
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity="https://github.com/kubewarden/kubewarden-controller/.github/workflows/attestation.yml@" \
ghcr.io/kubewarden/kubewarden-controller@sha256:1abc0944378d9f3ee2963123fe84d045248d320d76325f4c2d4eb201304d4c4e
```
> [!NOTE]
> The commands and file locations used in this section to validate the
> controller component apply to all the other Kubewarden components as well.
The sha256 digest passed to `cosign verify` is the digest of an attestation
manifest, or of one of its layers, not the digest of the platform image itself,
so you first have to look it up in the registry, using the registry UI or a tool
like `crane`. For example, the following command lists all the attestation
manifests referenced by the `latest` tag; the `vnd.docker.reference.digest`
annotation on each one names the platform image manifest it attests:
```shell
crane manifest ghcr.io/kubewarden/kubewarden-controller:latest | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest")'
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8",
"size": 1655,
"annotations": {
"vnd.docker.reference.digest": "sha256:611d499ec9a26034463f09fa4af4efe2856086252d233b38e3fc31b0b982d369",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform": {
"architecture": "unknown",
"os": "unknown"
}
}
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:e0cd736c2241407114256e09a4cdeef55eb81dcd374c5785c4e5c9362a0088a2",
"size": 1655,
"annotations": {
"vnd.docker.reference.digest": "sha256:03e5db83a25ea2ac498cf81226ab8db8eb53a74a2c9102e4a1da922d5f68b70f",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform": {
"architecture": "unknown",
"os": "unknown"
}
}
```
Then use the `digest` field to verify the attestation manifest with `cosign`, and
inspect that manifest with `crane` to list its layers; each layer is an in-toto
statement whose digest can be passed to `cosign verify` in the same way.
```shell
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity="https://github.com/kubewarden/kubewarden-controller/.github/workflows/attestation.yml@" \
ghcr.io/kubewarden/kubewarden-controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8
crane manifest ghcr.io/kubewarden/kubewarden-controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:eda788a0e94041a443eca7286a9ef7fce40aa2832263f7d76c597186f5887f6a",
"size": 463
},
"layers": [
{
"mediaType": "application/vnd.in-toto+json",
"digest": "sha256:563689cdee407ab514d057fe2f8f693189279e10bfe4f31f277e24dee00793ea",
"size": 94849,
"annotations": {
"in-toto.io/predicate-type": "https://spdx.dev/Document"
}
},
{
"mediaType": "application/vnd.in-toto+json",
"digest": "sha256:7ce0572628290373e17ba0bbb44a9ec3c94ba36034124931d322ca3fbfb768d9",
"size": 7363045,
"annotations": {
"in-toto.io/predicate-type": "https://spdx.dev/Document"
}
},
{
"mediaType": "application/vnd.in-toto+json",
"digest": "sha256:dacf511c5ec7fd87e8692bd08c3ced2c46f4da72e7271b82f1b3720d5b0a8877",
"size": 71331,
"annotations": {
"in-toto.io/predicate-type": "https://spdx.dev/Document"
}
},
{
"mediaType": "application/vnd.in-toto+json",
"digest": "sha256:594da3e8bd8c6ee2682b0db35857933f9558fd98ec092344a6c1e31398082f4d",
"size": 980,
"annotations": {
"in-toto.io/predicate-type": "https://spdx.dev/Document"
}
},
{
"mediaType": "application/vnd.in-toto+json",
"digest": "sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca",
"size": 13838,
"annotations": {
"in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"
}
}
]
}
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity="https://github.com/kubewarden/kubewarden-controller/.github/workflows/attestation.yml@" \
ghcr.io/kubewarden/kubewarden-controller@sha256:594da3e8bd8c6ee2682b0db35857933f9558fd98ec092344a6c1e31398082f4d
```
Note that each attestation manifest (one per architecture) has its own layers.
Each layer is a separate SBOM (SPDX) or provenance statement produced by Docker
Buildx during the multi-stage build, which is why the manifest above carries
several SPDX layers and a single SLSA provenance layer; the
`in-toto.io/predicate-type` annotation tells you which is which. You can also
use `crane` to download an attestation layer, which yields the JSON-encoded
in-toto statement:
```shell
crane blob ghcr.io/kubewarden/kubewarden-controller@sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca
```
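To make the chain of digests explicit, here is an added Go example (not code from the Kubewarden project) that does offline what the `crane` and `jq` commands above do by hand: it selects the attestation manifests from an image index and maps each to the platform image it attests, picks the provenance layer out of an attestation manifest, and checks that the in-toto statement you would download with `crane blob` names the image digest you intend to deploy as its subject. The index and manifest samples are trimmed from the crane output above; the statement is a constructed sample, and the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const slsaV02 = "https://slsa.dev/provenance/v0.2"

// descriptor is the subset of an OCI descriptor this example needs.
type descriptor struct {
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations"`
}

// statement is the in-toto Statement envelope stored in each attestation layer.
type statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

// AttestationManifests maps each platform image digest to the digest of the
// attestation manifest that refers to it (the jq select above, done in Go).
func AttestationManifests(indexJSON []byte) (map[string]string, error) {
	var idx struct{ Manifests []descriptor `json:"manifests"` }
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, d := range idx.Manifests {
		if d.Annotations["vnd.docker.reference.type"] != "attestation-manifest" {
			continue
		}
		subject := d.Annotations["vnd.docker.reference.digest"]
		if subject == "" {
			return nil, fmt.Errorf("attestation manifest %s has no reference digest", d.Digest)
		}
		out[subject] = d.Digest
	}
	return out, nil
}

// ProvenanceLayer returns the digest of the layer carrying the SLSA v0.2 provenance.
func ProvenanceLayer(manifestJSON []byte) (string, error) {
	var m struct{ Layers []descriptor `json:"layers"` }
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return "", err
	}
	for _, l := range m.Layers {
		if l.Annotations["in-toto.io/predicate-type"] == slsaV02 {
			return l.Digest, nil
		}
	}
	return "", fmt.Errorf("no layer with predicate type %s", slsaV02)
}

// CheckSubject checks that the statement fetched with `crane blob` names the image
// digest you intend to deploy as its subject: cosign proves who signed the
// attestation, this binding proves it is the attestation for this image.
func CheckSubject(statementJSON []byte, imageDigest string) error {
	var st statement
	if err := json.Unmarshal(statementJSON, &st); err != nil {
		return err
	}
	if st.PredicateType != slsaV02 {
		return fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	for _, s := range st.Subject {
		if "sha256:"+s.Digest["sha256"] == imageDigest {
			return nil
		}
	}
	return fmt.Errorf("no subject of the statement matches %s", imageDigest)
}

// Constructed samples: index and manifest are trimmed from the crane output above;
// the statement is made up for this example (subject set to the platform manifest
// digest), not a blob downloaded from ghcr.io.
const SampleIndex = `{"schemaVersion":2,"manifests":[
{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:611d499ec9a26034463f09fa4af4efe2856086252d233b38e3fc31b0b982d369","platform":{"architecture":"amd64","os":"linux"}},
{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8","annotations":{"vnd.docker.reference.digest":"sha256:611d499ec9a26034463f09fa4af4efe2856086252d233b38e3fc31b0b982d369","vnd.docker.reference.type":"attestation-manifest"}}]}`
const SampleManifest = `{"schemaVersion":2,"layers":[
{"mediaType":"application/vnd.in-toto+json","digest":"sha256:563689cdee407ab514d057fe2f8f693189279e10bfe4f31f277e24dee00793ea","annotations":{"in-toto.io/predicate-type":"https://spdx.dev/Document"}},
{"mediaType":"application/vnd.in-toto+json","digest":"sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca","annotations":{"in-toto.io/predicate-type":"https://slsa.dev/provenance/v0.2"}}]}`
const SampleStatement = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2",
"subject":[{"name":"pkg:docker/ghcr.io/kubewarden/kubewarden-controller","digest":{"sha256":"611d499ec9a26034463f09fa4af4efe2856086252d233b38e3fc31b0b982d369"}}],"predicate":{}}`

func main() {
	image := "sha256:611d499ec9a26034463f09fa4af4efe2856086252d233b38e3fc31b0b982d369"
	attestations, err := AttestationManifests([]byte(SampleIndex))
	layer, err2 := ProvenanceLayer([]byte(SampleManifest))
	if err3 := CheckSubject([]byte(SampleStatement), image); err != nil || err2 != nil || err3 != nil {
		panic(fmt.Sprintf("%v %v %v", err, err2, err3))
	}
	fmt.Printf("image %s\n  attestation manifest %s\n  provenance layer %s\n  subject bound to image\n", image, attestations[image], layer)
}
```

Run it with `go run`. The subject check is the step the cosign commands above do not perform for you: `cosign verify` on the attestation manifest digest proves the GitHub Actions workflow signed it, but only comparing the statement's `subject` digest (and the `vnd.docker.reference.digest` annotation) against the platform image digest you actually deploy ties that signature to this image rather than to some other validly signed build.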
## Security disclosure
See [SECURITY.md](https://github.com/kubewarden/community/blob/main/SECURITY.md) on the kubewarden/community repo.
# Changelog
See [GitHub Releases content](https://github.com/kubewarden/kubewarden-controller/releases).