Kubewarden is a new open-source policy engine aiming to simplify the adoption of policy-as-code. It provides a set of Kubernetes Custom Resources that makes the enforcement of policies in a cluster easier.
According to Flavio Castelli, distinguished engineer at SUSE and contributor to the project, policies can be written in any programming language because Kubewarden uses WebAssembly. The policies are also portable binary artifacts, which means that a policy could be built on a macOS host and then deployed to a Kubernetes cluster made of x86_64 Linux nodes.
It is also secure by default because of WebAssembly. All policies live in their own sandbox with no access to the host environment. The policy server receives requests coming from Kubernetes and then evaluates them based on relevant policies,” Castelli explained in a blog post.
Policies can be pushed or pulled to and from container registries as OCI artifacts. This helps increase flexibility of the registries because they can store other types of artifacts other than regular container images. Other companies like Amazon, Microsoft, Google, and GitHub already offer this capability in their registries, according to Castelli.
“As I learned, the biggest obstacle for a policy author is the steep learning curve needed to write policies. It takes time to become comfortable with the coding paradigms that existing solutions impose — especially because these paradigms are different from what developers are used to. Wouldn’t it be great to be able to reuse existing knowledge? If only there was a way to write policy as code using a programming language of your choice. If that was possible, suddenly teams who want to write policies as code would be able to tap into their existing skills and significantly reduce the barrier to entry. These and more are the questions that lead to the creation of the Kubewarden project,” Castelli wrote in a post.