Introduction

Kubewarden is a Kubernetes Dynamic Admission Controller that validates incoming requests against WebAssembly policies. The policies can be developed in any programming language that generates WebAssembly binaries.

Kubewarden is a CNCF Sandbox project, initially created by Rancher.

What is WebAssembly?

As stated on WebAssembly's official website:

WebAssembly (abbreviated Wasm) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications.

Wasm was originally conceived as a browser "extension". However, efforts are being made by the WebAssembly community to allow the execution of Wasm code outside browsers.

Why use WebAssembly?

Users can write Kubernetes policies using their favorite programming language, provided its toolchain can generate Wasm binaries.

Wasm modules are portable, once built they can run on any kind of processor architecture and operating system. For example, a policy developed and built on Apple Silicon can run on AMD64/Intel64 Linux without conversion.

Policy authors can reuse their skills, tools and best practices. Policies are "traditional" programs that can have reusable blocks (regular libraries), can be linted and tested, and be plugged into current CI and CD workflows.

Policy distribution

Kubewarden policies can be served by a regular web server or, better, be published from an OCI compliant registry.

Kubewarden policies can be stored inside an OCI compliant registry as OCI artifacts.