Security hardening

Operators can obtain a secure deployment by installing all the Kubewarden Helm charts. It’s recommended to install the kubewarden-defaults Helm chart and enable its recommended policies with:

This provides a default PolicyServer and default policies, in protect mode, to ensure the Kubewarden stack is safe from other workloads.

Refer to the Verifying Kubewarden tutorial.

Kubewarden describes RBAC configurations in different Explanations sections. Users can fine-tune the needed permissions for the Audit Scanner feature, as well as per Policy Server Service Account for the context-aware feature.

To view all Roles:

For context-aware policies, operators specify fine-grained permissions per policy under its spec.contextAwareResources, and those work in conjunction with the Service Account configured for the Policy Server where the policy runs.

By default, Kubewarden excludes specific Namespaces from Kubewarden coverage. This is done to simplify first-time use and interoperability with other workloads.

Security-conscious operators can tune these Namespaces list via the .global.skipNamespaces value for both the kubewarden-controller and kubewarden-defaults Helm charts.

Starting from 1.23, Kubewarden’s stack is able to run in a Namespace where the restricted Pod Security Standards are enforced, with current Pod hardening best practices.

The kubewarden-controller Helm chart configures the SecurityContexts and exposes them in its values.yaml.

The kubewarden-defaults Helm chart allows for configuring the default Policy Server .spec.securityContexts under .Values.policyServer.securityContexts.

For Policy Servers managed by operators, you can configure them via their spec.securityContexts.