Kubewarden is a Kubernetes Dynamic Admission Controller that uses policies written in WebAssembly.
You can combine all values from all charts on a single values.yaml
file.
Note: kubewarden-crds
is the Helm chart that installs the Custom Resources Definition required by the Kubewarden stack. It should be installed before installing kubewarden-controller
and kubewarden-defaults
charts.
For more information refer to the official Kubewarden website.
kubewarden-controller
is a Kubernetes controller that allows you to
dynamically register Kubewarden admission policies.
The kubewarden-controller
will reconcile the admission policies you
have registered against the Kubernetes webhooks of the cluster where
it is deployed.
The kubewarden-controller can be deployed using a helm chart.
If you want to enable telemetry, you also need to install OpenTelemetry Operator.
For example:
$ helm repo add kubewarden https://charts.kubewarden.io
$ helm install --create-namespace -n kubewarden kubewarden-crds kubewarden/kubewarden-crds
$ helm install --wait -n kubewarden kubewarden-controller kubewarden/kubewarden-controller
$ helm install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults
This will install kubewarden-crds, kubewarden-controller, and a default PolicyServer on the Kubernetes cluster in the default configuration (which includes self-signed TLS certs).
The default configuration values should be good enough for the majority of deployments. All the options are documented in the configuration section.
Please refer to the release notes of each version of the helm charts. These can be found here.
To uninstall/delete kubewarden-controller and kubewarden-crds use the following command:
$ helm uninstall -n kubewarden kubewarden-defaults
$ helm uninstall -n kubewarden kubewarden-controller
$ helm uninstall -n kubewarden kubewarden-crds
The commands remove all the Kubernetes components associated with the chart, all policy servers and their policies, and deletes the release along with the release history.
If you want to keep the history use --keep-history
flag.
See the values.yaml
file of the chart for the configuration values.
For the default PolicyServer configuration, Check the kubewarden-defaults
chart and its documentation.
Once the kubewarden-controller is up and running, Kubewarden policies can be
defined via the ClusterAdmissionPolicy
resource.
The documentation of this Custom Resource can be found here or on docs.crds.dev.
Note well: ClusterAdmissionPolicy
resources are cluster-wide.
The following snippet defines a Kubewarden Policy based on the pod-privileged policy:
kubectl apply -f - <<EOF
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
name: privileged-pods
spec:
policyServer: default
module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.9
rules:
- apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
operations:
- CREATE
- UPDATE
mutating: false
EOF
Note well: The ClusterAdmissionPolicy
is deployed in the default
PolicyServer.
Which is installed in the kubewarden-defaults
chart. If you do not install
the chart, you should deploy a PolicyServer first. Check out the
documentation for more details
Let’s try to create a Pod with no privileged containers:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: unprivileged-pod
spec:
containers:
- name: nginx
image: nginx:latest
EOF
This will produce the following output, which means the Pod was successfully created:
pod/unprivileged-pod created
Now, let’s try to create a pod with at least one privileged container:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: privileged-pod
spec:
containers:
- name: nginx
image: nginx:latest
securityContext:
privileged: true
EOF
This time the creation of the Pod will be blocked, with the following message:
Error from server: error when creating "STDIN": admission webhook "privileged-pods.kubewarden.admission" denied the request: User 'minikube-user' cannot schedule privileged containers
You can delete the admission policy you just created:
$ kubectl delete clusteradmissionpolicy privileged-pods
kubewarden-defaults
is the Helm chart that installs a default PolicyServer
required by the Kubewarden to run ClusterAdmissionPolicy
and AdmissionPolicy
. It should be installed
before installing any policies.
The chart allows the user to install some recommended policies to enforce some best practice security checks. By the default, the policies are disabled and the user must enable this feature. The recommended policies are:
allow-privilege-escalation-psp
policy: prevents process to gain more privileges.host-namespaces-psp
policy: blocks pods trying to share host’s IPC, networks and PID namespacespod-privileged
policy: does not allow pod running in privileged modeuser-group-psp
policy: prevents pod running with root userhostpaths-psp
policy: prevents containers from accessing host paths when hosthPath volumes are definedcapabilities-psp
policy: prevents containers from adding Linux capabilitiesAll the policies are installed cluster wide. But they are configured to ignore
namespaces important to run the control plane and Rancher components, like
kube-system
and rancher-operator-system
namespaces. This list of default
ignored namespaces is in the chart values under recommendedPolicies.skipNamespaces
,
additional namespaces can be excluded using recommendedPolicies.skipAdditionalNamespaces
.
Furthermore, all the policies are installed in “monitor” mode by default. This means that the policies will not block requests. They will report the requests which violates the policies rules. To change the default policy mode to “protect” mode, the user can change the default policy mode using the Helm chart value.
For example, if the user wants to install the policies in “protect” mode and ignore the resources from the “devel” namespaces, the following command can be used:
helm install \
--set recommendedPolicies.enabled=True \
--set recommendedPolicies.skipAdditionalNamespaces=\{devel\} \
--set recommendedPolicies.defaultPolicyMode=protect \
kubewarden-defaults kubewarden/kubewarden-defaults
WARNING
Enforcing the policies to the kube-system
namespace could break your cluster.
Be aware that some pods could need break this rules. Therefore, the user must be
sure which namespaces the policies will be applied. Remember that when you define the --set
command line flag the default values are overwritten. So, the
user must define the kube-system
namespace manually.
Check out the configuration section to see all the configuration options. The user can also change the policies mode after the installation. See the Kubewarden documentation to learn more.
For example:
$ helm repo add kubewarden https://charts.kubewarden.io
$ helm install --create-namespace -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults
For a more comprehensive documentation about how to install the whole Kubewarden
stack, check the kubewarden-controller
chart documentation out.
Please refer to the release notes of each version of the helm charts. These can be found here.
To uninstall/delete kubewarden-crds use the following command:
$ helm uninstall -n kubewarden kubewarden-defaults
The commands remove all the Kubernetes components associated with the chart.
WARNING! Keep in mind that the removal of the chart will remove all the
policies running on the default
Policy Server.
If you want to keep the history use --keep-history
flag.
See the values.yaml
file of the chart for the configuration values.
kubewarden-crds
is the Helm chart that installs the Custom Resources Definition
required by the Kubewarden stack. It should be installed before installing
kubewarden-controller
and kubewarden-defaults
charts.
This chart installs Kubewarden CRDs:
admissionpolicies.policies.kubewarden.io
clusteradmissionpolicies.policies.kubewarden.io
policyservers.policies.kubewarden.io
It also installs PolicyReports CRDs:
policyreports.wgpolicyk8s.io
clusterpolicyreports.wgpolicyk8s.io
To skip installing these (maybe because for example they are already installed
and owned by a different Helm Release), set the value policyReports.enable
to
false
.
For example:
$ helm repo add kubewarden https://charts.kubewarden.io
$ helm install --create-namespace -n kubewarden kubewarden-crds kubewarden/kubewarden-crds
For a more comprehensive documentation about how to install the whole Kubewarden
stack, check the kubewarden-controller
chart documentation out.
Please refer to the release notes of each version of the helm charts. These can be found here.
To uninstall/delete kubewarden-crds use the following command:
$ helm uninstall -n kubewarden kubewarden-crds
The commands remove all the Kubernetes components associated with the chart.
Keep in mind that the chart is required by the kubewarden-controller
chart.
If you want to keep the history use --keep-history
flag.