Skip to main content
Version: Next 🚧

Custom certificate authorities

With both of kwctl and policy-server you can pull policies from Open Container Initiative (OCI) registries and HTTP servers. You can only push policies to OCI registries. By default, HTTPS is used with host TLS verification for this.

The system's certificate authority (CA) store is used to validate the trusted chain of certificates from the OCI registry. In a standard Kubewarden installation, the policy-server uses the CA store shipped with its Linux container. On the client side, kwctl uses your operating system CA store.

If you are using the Kubewarden Controller, you can configure the PolicyServer via its spec fields.


The default behavior of kwctl and policy-server enforces HTTPS with trusted certificates matching the system CA store. You can interact with registries using untrusted certificates or even without TLS, by using the insecure_sources setting. Clearly, it's not for production environments.

The sources.yaml file

You can tune the push-pull behavior of kwctl and policy-server using the sources.yaml file.

For reference details, check the sources.yaml reference.