What is SUSE® Rancher Prime: Admission Policy Manager (Kubewarden)?
SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) is a Kubernetes Policy Engine. It aims to be the Universal Policy Engine for Kubernetes.
-
You can reuse policies from other policy engines without having to rewrite them.
-
You can write your own policies in any programming language that generates WebAssembly binaries, reusing your language tooling and libraries.
-
You can run policies both outside the cluster and as part of your CI/CD processes.
SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) also provides an audit scanner to actively and continuously check policy enforcement over time.
SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) is derived from a CNCF Sandbox project, called Kubewarden, originally created by SUSE Rancher. The name Kubewarden refers to the open-source community project. The name Kubewarden may also be used throughout this documentation in place of SUSE® Rancher Prime: Admission Policy Manager (Kubewarden).
How does Kubewarden help?
Kubewarden offers flexibility for policy admission and enforcement in a Kubernetes environment.
Benefits and value
-
Use any programming language that generates WebAssembly binaries to write your policies.
-
WebAssembly enables policy compatibility across processors and operating systems.
-
Reuse of policies from other policy engines without the need for rewriting them.
-
Distribute policies using standard and secure mechanisms such as OCI compliant registries.
-
Policy enforcement at admission ensures only compliant workloads run.
-
The Kubewarden audit scanner actively and continuously checks policy enforcement over time.
-
Verify policies using SLSA (Supply Chain Levels for Software Artifacts) tools and practices.
-
Kubewarden provides a comprehensive approach to admission policy management.
-
CNCF membership and a growing open source community and ecosystem help Kubewarden with transparency, collaboration and improvement.
Use cases
-
Security hardening. For example, enforce policies restricting container privileges, enforce network policies, or block insecure image registries.
-
Compliance auditing. Ensure workloads comply with organizational or regulatory standards and best practices.
-
Resource optimization. Enforce resource limits and quotas.
New to Kubewarden?
If new to the Kubewarden project start with the Quick start guide and the architecture page. Then it depends where your interests take you. For policy developers there are language specific sections in the tutorials. For integrators and administrators there is a 'howtos' section. The explanations section contains useful background material. There is also a glossary.
What is WebAssembly?
As stated on WebAssembly’s official website:
WebAssembly (abbreviated Wasm) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications.
Wasm was originally conceived as a browser "extension". However, efforts are being made by the WebAssembly community to allow the execution of Wasm code outside browsers.
Why use WebAssembly?
Users can write Kubernetes policies using their favorite programming language, provided its toolchain can generate Wasm binaries.
Wasm modules are portable, once built they can run on any kind of processor architecture and operating system. For example, a policy developed and built on Apple Silicon can run on AMD64/Intel64 Linux without conversion.
Policy authors can reuse their skills, tools and best practices. Policies are "traditional" programs that can have reusable blocks (regular libraries), can be linted and tested, and be plugged into current CI and CD workflows.
Policy distribution
SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) policies can be served by a regular web server or, better, be published from an OCI compliant registry.
SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) policies can be stored inside an OCI compliant registry as OCI artifacts.