The title is quite a bold statement, isn’t it? Yet we, the Kubewarden team, are serious about it. Let’s see how we are building a universal policy platform!
The CNCF’s annual survey of 2022 highlighted that the biggest issues are knowledge gaps from lack of training and security concerns. It also points out the rise of observability tools, which give better insights and automate system behavior. The 2023 survey also mentions that containers are the new normal and WebAssembly is the future: 37% of users have some experience with WebAssembly.
This points to the benefits of having a Policy Platform for Kubernetes, one that defines, deploys, and enforces policies, ensuring the security and smooth functioning of a Kubernetes cluster. In today’s world policies need to be treated as code, enabling earlier integration, an improved security posture, and scalability.
Yet in which language to write those “policies as code”?
The choice is vast; there’s no one-size-fits-all. From Domain Specific Languages (DSLs) to powerful general-purpose ones, each language is a tool fit for a specific purpose, with its own tradeoffs and personal preferences.
Enter Kubewarden: a production-ready CNCF Sandbox project which aims to be the Universal Policy Engine.
How?
Kubewarden policies are WebAssembly binary modules: WebAssembly is a minimal target architecture, run by a WebAssembly interpreter (a small, secure, containerized VM). Programming languages can target the Wasm architecture and compile to WebAssembly (even DSLs). The most used languages already include Wasm as a target architecture, and the support keeps growing.
Consuming policies as Wasm binary modules allows Kubewarden to simplify the life of all possible personas involved with a Policy Engine, since a universal one really needs to be for everybody:
- Policy consumer: Consume any policy regardless of the language it is written in (DSL or not). Easily configure, test, and iterate on the policies, as they can be run out of cluster.
- Policy developer: Use your preferred language that compiles to Wasm, and with it its libraries and testing methodology, CI/CD, Git, training, org culture, etc.
- Policy distributor: Wasm binary modules are first-class OCI artifacts. Store the policies in your OCI registry just like you do with container images or Helm charts. Use industry standards such as Software Bills of Materials (SBOMs) and signatures for them.
- Engine operator: Deploy policies using CRDs, and the Kubewarden stack via Helm charts. Make use of default policies, OpenTelemetry, etc. Separate policies per tenant or project. Review fine-grained permissions per policy if needed.
- Engine developer/integrator: Reuse parts of the Kubewarden stack as you see fit. White-label them and incorporate them into your solutions. Iterate and develop on Kubewarden’s modular architecture.
The WebAssembly approach informs a modular architecture for Kubewarden: from OCI registries (to store the policies), policy-servers (to evaluate the policies), a Kubernetes controller (to schedule them in cluster), to the kwctl CLI (to run, test, and scaffold policies out of cluster) and the audit-scanner (to provide periodic reports on the cluster).
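What the engine operator persona looks like in practice, as an added example that is not part of the original post: a ClusterAdmissionPolicy manifest that binds an OCI-hosted Wasm policy to pod admission requests, rolled out in monitor mode before it is switched to protect. The module path and settings keys are those of the documented Kubewarden psp-capabilities policy; the version tag is a placeholder, and the PolicyServer and namespace names are assumptions.

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: restrict-capabilities
spec:
  # The Policy Server that loads and evaluates this Wasm module
  # (the one shipped by the Helm chart; a tenant can get a dedicated one).
  policyServer: default
  # The policy is an OCI artifact: same registry, pull and signing flow as images.
  # <VERSION> is a placeholder: pin a real tag and verify its signature before use.
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:<VERSION>
  # Which admission requests are routed to the policy.
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE", "UPDATE"]
  # Keep control-plane namespaces out of scope (assumed namespace names).
  namespaceSelector:
    matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: NotIn
        values: ["kube-system", "kubewarden"]
  # Settings are handed to the Wasm module as JSON; the keys are defined by the policy.
  settings:
    allowed_capabilities: ["CHOWN"]
    required_drop_capabilities: ["NET_ADMIN", "SYS_ADMIN"]
  # This policy can mutate the pod to add the required drops itself.
  mutating: true
  # Roll out in monitor mode first: violations are logged and traced but not blocked.
  # Flip to protect once the OpenTelemetry data shows no unexpected rejections.
  mode: monitor
  # Also evaluate already-running resources in the audit-scanner's periodic reports.
  backgroundAudit: true
  # If the Policy Server cannot be reached, reject rather than silently allow.
  failurePolicy: Fail
```

The same manifest can be generated out of cluster with kwctl and tested against a saved admission request before it is applied.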
The Kubewarden team provides some SDKs for several languages to simplify policy creation.
We have SDKs for Go, Rust, C#, Swift, and TypeScript.
In addition, one can write policies in Rego (both the OPA flavour and the Gatekeeper one).
WebAssembly also opens the door to compiling more complex policies to WASI, which Kubewarden also supports. As an example, see the kyverno-dsl-policy, an experimental Kubewarden policy built from the Kyverno codebase compiled to WASI. Or the cel-policy, an upcoming policy using Kubernetes’ upstream libraries that lets you write and reuse policies in the CEL language.
And of course, one can publish new policies or reuse the ones by the Kubewarden team at https://artifacthub.io.
From the Kubewarden team, we are curious about which features you would like to see, and how you are enjoying Kubewarden. Reach out to us on Slack or join our monthly community meeting to talk more about Kubewarden!