This repository aims to document the evolution process of The Kubewarden Project.
It provides a space for the community to work together, discuss ideas, and document processes. It is also a place to make decisions that regard the whole Kubewarden organization and define rules and structures that span beyond the extent of a single repository.
Table of Contents
We follow the CNCF Code of Conduct.
To report an issue, please contact [email protected] or any of the individual members of the CNCF Code of Conduct Committee to submit your report. For more detailed instructions on how to submit a report, including how to submit a report anonymously, please see our Incident Resolution Procedures. You can expect a response within three business days.
You can find the list of current maintainers in the MAINTAINERS.md file.
We track our roadmap in GitHub. You can see the milestone roadmap here.
Get in contact with us:
- Slack: #kubewarden and #kubewarden-dev.
- GitHub discussions in this repository.
- Maintainers mailing list:
cncf-kubewarden-maintainers, followed by@, followed bylists.cncf.io
We host regular online meetings for contributors, adopters, maintainers, and anyone else interested. These meetings usually take place on the second Thursday of the month at 4 PM UTC.
We're a friendly group, so please feel free to join us!
See the contributing guide and the code of conduct.
See the security policy for more information about how to report any security issues.
The Kubewarden Project applies a straightforward adoption model for its repositories. Each repository is given a scope, which outlines its purpose, and a status that indicates its maturity level.
For more detailed information, please refer to the REPOSITORIES.md file.
In the sections that follow, we present the repositories, grouped by their scope.
Furthermore, some of the roles of the components listed below are described in the components.md file.
Core repositories, are critically important as they are essential for building, installing, running and using Kubewarden.
| NAME | STATUS | DESCRIPTION |
|---|---|---|
| kubewarden/kubewarden-controller |  |
Manage admission policies in your Kubernetes cluster with ease |
| kubewarden/policy-server | |
Webhook server that evaluates WebAssembly policies to validate Kubernetes requests |
| kubewarden/audit-scanner | |
Reports evaluation of existing Kubernetes resources with your already deployed Kubewarden policies |
| kubewarden/kwctl | |
Go-to CLI tool for Kubewarden users |
| kubewarden/helm-charts | |
Helm charts for the Kubewarden project |
| kubewarden/policy-evaluator | |
Rust library used by Kubewarden to evaluate policies with a given input, request to evaluate and settings. |
| kubewarden/policy-fetcher | |
Rust library used by Kubewarden to pull policies from OCI registries and HTTP servers. |
| NAME | STATUS | DESCRIPTION |
|---|---|---|
| kubewarden/automation | |
Automation scripts for the management of the Kubewarden organization on GitHub |
| kubewarden/load-testing | |
HTTP load to stress policy-server |
| kubewarden/rancher-kubectl-builder | |
Workflow to rebuild and sign rancher/kubectl image |
| kubewarden/github-actions | |
GitHub actions used by the Kubewarden project |
| kubewarden/kubewarden-end-to-end-tests | |
Files used to run Kubewarden end-to-end tests |
| NAME | STATUS | DESCRIPTION |
|---|---|---|
| kubewarden/allow-privilege-escalation-psp-policy | |
A Kubewarden Pod Security Policy that controls usage of allowPrivilegeEscalation |
| kubewarden/allowed-fsgroups-psp-policy | |
Replacement for the Kubernetes Pod Security Policy that controls the usage of fsGroup in the pod security context |
| kubewarden/allowed-proc-mount-types-psp-policy | |
Replacement for the Kubernetes Pod Security Policy that controls the usage of /proc mount types |
| kubewarden/apparmor-psp-policy | |
A Kubewarden Pod Security Policy that controls usage of AppArmor profiles |
| kubewarden/capabilities-psp-policy | |
A Pod Security Policy that controls Container Capabilities |
| kubewarden/cel-policy |  |
A policy that can run CEL expressions |
| kubewarden/container-resources-policy | |
Policy is designed to enforce constraints on the resource requirements of Kubernetes containers |
| kubewarden/context-aware-demo | |
A demo policy showing how to access Kubernetes resources at policy evaluation time |
| kubewarden/deprecated-api-versions-policy | |
A Kubewarden Policy that detects usage of deprecated and dropped Kubernetes resources |
| kubewarden/disallow-service-loadbalancer-policy | |
A policy that prevents the creation of Service resources with type LoadBalancer |
| kubewarden/disallow-service-nodeport-policy | |
A policy that prevents the creation of Service resources with type NodePort |
| kubewarden/echo | |
A Kubewarden Policy that echoes Kubernetes' AdmissionReview objects |
| kubewarden/env-variable-secrets-scanner-policy | |
A Kubewarden Policy that detects secrets (ssh private keys, API tokens, etc) leaked via environment variables |
| kubewarden/environment-variable-policy | |
A Kubewarden Policy that controls the usage of environment variables |
| kubewarden/flexvolume-drivers-psp-policy | |
Replacement for the Kubernetes Pod Security Policy that controls the allowed `flexVolume` drivers |
| kubewarden/go-wasi-context-aware-test-policy | |
A test context-aware policy written using Go Wasi |
| kubewarden/host-namespaces-psp-policy | |
Replacement for the Kubernetes Pod Security Policy that controls the usage of host namespaces |
| kubewarden/hostpaths-psp-policy | |
Replacement for the Kubernetes Pod Security Policy that controls the usage of hostpaths |
| kubewarden/ingress-policy | |
Policy to enforce requirements on Kubernetes Ingress resources. |
| kubewarden/namespace-label-propagator-policy | |
Kubewarden policy designed to automatically propagate labels defined in a Kubernetes namespace to the associated resources within that namespace |
| kubewarden/persistentvolumeclaim-storageclass-policy | |
Policy that validates and adjusts the usage of StorageClasses in PersistentVolumeClaims |
| kubewarden/pod-privileged-policy | |
A Kubewarden Policy that limits the ability to create privileged containers |
| kubewarden/pod-runtime-class-policy | |
A Kubewarden Policy that controls the usage of Pod runtimeClass |
| kubewarden/psa-label-enforcer-policy | |
Kubewarden policy that ensures that namespaces have the required PSA labels |
| kubewarden/rancher-project-quotas-namespace-validator | |
Prevent the creation of Namespace under a Rancher Project that doesn't have any resource quota left |
| kubewarden/raw-mutation-policy | |
Demo policy showing how to write a raw mutating policy |
| kubewarden/raw-mutation-wasi-policy | |
Demo policy showing how to write a raw WASI mutation policy |
| kubewarden/raw-validation-opa-policy | |
Demo policy showing how to write a raw OPA validating policy |
| kubewarden/raw-validation-policy | |
Demo policy showing how to write a raw validating policy |
| kubewarden/raw-validation-wasi-policy | |
Demo policy showing how to write a raw WASI validating policy |
| kubewarden/readonly-root-filesystem-psp-policy | |
A Kubewarden policy that enforces root filesystem to be readonly |
| kubewarden/safe-annotations-policy | |
Kubewarden policy that validates Kubernetes' resource annotations |
| kubewarden/safe-labels-policy | |
Kubewarden policy that validates Kubernetes' resource labels |
| kubewarden/seccomp-psp-policy | |
A Kubewarden Pod Security Policy that controls usage of Seccomp profiles |
| kubewarden/selinux-psp-policy | |
Replacement for the Kubernetes Pod Security Policy that controls the usage of SELinux |
| kubewarden/share-pid-namespace-policy | |
Policy validates pods sharing processes PID namespace |
| kubewarden/sleeping-policy | |
A test policy that simulates long running policy evaluations |
| kubewarden/sysctl-psp-policy | |
A Kubewarden policy that controls usage of sysctls |
| kubewarden/trusted-repos-policy | |
A Kubewarden policy that restricts what registries, tags and images can pods on your cluster refer to |
| kubewarden/unique-ingress-policy | |
Prevent the creation of Ingress resources with duplicated hosts |
| kubewarden/unique-service-selector-policy | |
Policy validates that there are no services with the same set of selectors |
| kubewarden/user-group-psp-policy | |
This Kubewarden Policy is a replacement for the Kubernetes Pod Security Policy that controls containers user and groups |
| kubewarden/verify-image-signatures | |
A Kubewarden Policy that verifies all the signatures of the container images referenced by a Pod |
| kubewarden/volumeMounts-policy | |
A Kubewarden Policy that controls the usage of `volumeMounts` |
| kubewarden/volumes-psp-policy | |
Replacement for the Kubernetes Pod Security Policy that controls the usage of volumes |
The following repositories are the template the policy authors can use to write their own policies. Checkout the Kubewarden documentation for more information about how to write policies.
| NAME | STATUS | DESCRIPTION |
|---|---|---|
| kubewarden/dotnet-policy-template | |
A template repository to quickly scaffold a Kubewarden policy written with C# |
| kubewarden/gatekeeper-policy-template | ||
| kubewarden/go-policy-template | |
A template repository to quickly scaffold a Kubewarden policy written with Go language |
| kubewarden/go-wasi-policy-template | |
Template of a plain WASI policy written using Go |
| kubewarden/opa-policy-template | |
A template repository to quickly port a Open Policy Agent policy to Kubewarden |
| kubewarden/rust-policy-template | |
A Kubewarden rust policy template to be used with cargo-generate |
| kubewarden/swift-policy-template |  |
A template repository to quickly scaffold a Kubewarden policy written with Swift language |
The following repositories are the SDKs the policy authors can use to write their own policies. Checkout the Kubewarden documentation
| NAME | STATUS | DESCRIPTION |
|---|---|---|
| kubewarden/policy-sdk-dotnet | |
Kubewarden Policy SDK for the .NET platform |
| kubewarden/policy-sdk-go | |
Kubewarden Policy SDK for the Go programming language |
| kubewarden/policy-sdk-rust | |
Kubewarden Policy SDK for the Rust programming language |
| kubewarden/policy-sdk-swift | |
Kubewarden Policy SDK for the Swift programming language |
Finally, some repositories have a special meaning and do not fit the above scopes. They serve a particular purpose or function in the Kubewarden organization and are curated by maintainers.
See REPOSITORIES.md for more information.
| NAME | STATUS | DESCRIPTION |
|---|---|---|
| kubewarden/fleet-example | |
Example of Rancher Fleet bundle for Kubewarden |
| kubewarden/docs | |
Kubewarden's documentation |
| kubewarden/rfc | |
Kubewarden's RFCs |
| kubewarden/.github | |
Special GitHub repository |
| kubewarden/kubewarden.io | |
Kubewarden website |
| kubewarden/gostubpkg | |
gostubpkg is a tool for generating stubs of Go packages |
| kubewarden/k8s-objects-generator | |
CLI tool that generates Kubernetes Go types that can be used with TinyGo starting from the official OpenAPI spec |
| kubewarden/strfmt | |
A stripped down version of go-openapi/strfrm that works with TinyGo |
| kubewarden/k8s-objects | |
Experimental: Kubernetes Go types that can be used with TinyGo |
| kubewarden/utils | |
Utils scripts used by the Kubewarden team and users. |
| kubewarden/gtmpl-rust | |
golang text/template for rust |
In general, a repository can be archived at the discretion of Kubewarden community. Usually, maintainers can decide to archive a project that has not been maintained for a long time or does not fit the guidelines for the projects under the Kubewarden GitHub's organization anymore. In other cases, a repository is archived to reserve its name for future use.
The list of archived repositories can be found here.