Custom certificate authorities
With both kwctl and policy-server you can pull policies from Open Container Initiative (OCI) registries and HTTP servers. You can only push policies to OCI registries. By default, HTTPS is used with host TLS verification for this. The system's certificate authority (CA) store is used to validate the trusted chain of certificates from the OCI registry. In a standard Kubewarden installation, the policy-server uses the CA store shipped with its Linux container. On the client side, kwctl uses your operating system's CA store. If you are using the Kubewarden Controller, you can configure the PolicyServer via its spec fields.

The default behavior of kwctl and policy-server enforces HTTPS with trusted certificates matching the system CA store. You can interact with registries using untrusted certificates, or even without TLS, by using the insecure_sources setting. This is clearly not for production environments.
The sources.yaml file
You can tune the push-pull behavior of kwctl and policy-server using the sources.yaml file. For reference details, check the sources.yaml reference.
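As an added illustration (not a file from this page or from the Kubewarden project), the following sources.yaml places the weak insecure_sources setting described above next to the setting you would actually want in production: keeping TLS verification on and trusting the private CA that issued the registry's certificate. The hostnames and file paths are placeholders; the source_authorities key and its Path/Data entry types are taken from my reading of the kwctl sources.yaml reference rather than from this page, so check that reference for the exact schema.

```yaml
# Added example of a sources.yaml; not taken from this page.
# Hostnames and file paths are placeholders.

# Weak setting, for development only: these registries are reached over
# plain HTTP or over HTTPS without certificate verification, so a policy
# could be replaced in transit and neither kwctl nor policy-server would
# notice.
insecure_sources:
  - "registry-dev.example.com"
  - "registry-dev2.example.com:5000"

# Preferred setting: verification stays on and the registry's private CA is
# added as an extra trust anchor for that host only. The key name and the
# Path/Data entry types follow the kwctl sources.yaml reference (an
# assumption of this example, not something stated on this page).
source_authorities:
  "registry-internal.example.com":
    - type: Path
      path: /etc/kubewarden/ca/registry-internal.example.com.pem
    - type: Data
      data: |
        -----BEGIN CERTIFICATE-----
        ...PEM body of the CA certificate (placeholder)...
        -----END CERTIFICATE-----
```

Keep the two sections disjoint: a host listed under insecure_sources is contacted without verification whatever trust anchors you add for it, so a registry should move out of insecure_sources as soon as its CA is available. The sources.yaml reference linked above documents where kwctl and policy-server read this file from.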