Skip to main content
Version: 1.23

What is Kubewarden?

Kubewarden is a Kubernetes Policy Engine. It aims to be the Universal Policy Engine for Kubernetes.

Kubewarden is a vendor neutral, CNCF Sandbox project, originally created by SUSE Rancher.

How does Kubewarden help?​

Kubewarden offers flexibility for policy admission and enforcement in a Kubernetes environment.

Benefits and value​

  • Use any programming language that generates WebAssembly binaries to write your policies.
  • WebAssembly enables policy compatibility across processors and operating systems.
  • Reuse of policies from other policy engines without the need for rewriting them.
  • Distribute policies using standard and secure mechanisms such as OCI compliant registries.
  • Policy enforcement at admission ensures only compliant workloads run.
  • The Kubewarden audit scanner actively and continuously checks policy enforcement over time.
  • Verify policies using SLSA (Supply Chain Levels for Software Artifacts) tools and practices.
  • Kubewarden provides a comprehensive approach to admission policy management.
  • CNCF membership and a growing open source community and ecosystem help Kubewarden with transparency, collaboration and improvement.

Use cases​

  • Security hardening. For example, enforce policies restricting container privileges, enforce network policies, or block insecure image registries.
  • Compliance auditing. Ensure workloads comply with organizational or regulatory standards and best practices.
  • Resource optimization. Enforce resource limits and quotas.

New to Kubewarden?​

If new to the Kubewarden project start with the Quick start guide and the architecture page. Then it depends where your interests take you. For policy developers there are language specific sections in the tutorials. For integrators and administrators there is a 'howtos' section. The explanations section contains useful background material. There is also a glossary.

What is WebAssembly?​

As stated on WebAssembly's official website:

WebAssembly (abbreviated Wasm) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications.

Wasm was originally conceived as a browser "extension". However, the WebAssembly community is engaged in efforts to allow the execution of Wasm code outside browsers.

Why use WebAssembly?​

Users can write Kubernetes policies using their favorite programming language, provided its toolchain can generate Wasm binaries.

Wasm modules are portable, once built they can run on any kind of processor architecture and operating system. For example, a policy developed and built on Apple Silicon can run on AMD64/Intel64 Linux without conversion.

Policy authors can reuse their skills, tools and best practices. Policies are "traditional" programs that can have reusable blocks (regular libraries). You can lint and test them and you can plug them into current CI and CD workflows.

Policy distribution​

You can serve Kubewarden policies using a standard web server or, better, you can be publish them in an OCI compliant registry as OCI artifacts.

Vendor neutrality​

Kubewarden is a vendor neutral project as defined by the CNCF.