This repository contains the helm charts used to deploy the Kubewarden stack.
kubewarden / helm-charts Goto Github PK
View Code? Open in Web Editor NEWHelm charts for the Kubewarden project
License: Apache License 2.0
Helm charts for the Kubewarden project
License: Apache License 2.0
The helm chart is currently creating the ClusterAdmissionPolicy
custom resource definition. It should now create:
ClusterAdmissionPolicy
described in kubewarden/kubewarden-controller#49: v1alpha3
.PolicyServer
.Currently users have to manually delete clusteradmissionpolices before deleting the helm chart or resources will not be removed https://docs.kubewarden.io/quick-start.html#uninstall
Add a helm pre-delete hook that deletes all PolicyServer resources. Then the controller will remove all policy server deployments, services, configmaps, secrets and all the clusteradmissionpolicies bounded to this PolicyServer.
We adding a new Helm chart to install a default Policy Server, see more in #52 . We could take this opportunity to install some default policies in the cluster as well. Thus, let's look in the NeuVector documentation which PSPs they install in the customer cluster when the users enable the "best practices PSPs" feature. Once we have this information, let's decide if we should add this policies in the chart or not.
Helm charts can have annotations and there are some specific ones for Artifact Hub. Some of these could be useful to customize the display.
For example, artifacthub.io/links
can hold a list of links. A link to the docs site could be added.
When attempting to install the latest kubewarden-controller
chart from the UI with a Rancher version v2.7.0
, the latest versions of the chart do not appear. This is causing the installation to fail as the kubewarden-crds
chart is not being auto-installed along with the controller.
I believe this annotation needs to be updated to include 2.7.0 versions of Rancher, or rewritten to >= 2.7.0-0 <= 2.7.100-0
as v2.7.0
is the first with the extensions support.
All of the latest versions should appear and should include the crd auto-install.
v2.7.0
attempt to install Kubewarden from the UI guided stepsIn order to increase the security of the cluster running the recommended policies, we should add the capabilities-psp-policy
in the policies installed in the cluster. This will help the mitigation of the threat #8 of the threat model.
The policy should block the NEW_RAW
capability in the pods launched in the namespaces besides ones defined in the skip list
NOTE: This is an issue created from RFC discussing the admission control threat model. It's created to allow the Kubewarden team discuss the proposed mitigation further and start to work on each actionable item when possible
Helm charts can include schema files. The schemas are useful as Helm will validate them and they can be used for other purposes, such as generating forms (here's a react example).
There's a Helm plugin that can stub out a schema. Once you have the stub there is still information to be filled it. It provides the structure. It can't fill in things like a description.
Extract registry to a separate field in the helm charts values.yaml
After recent changes in the release CI to add files with list of policies and images a release ended having two versions of the same file.
The release should have one file for the policy list and another one for the image list
No response
- OS:
- Architecture:
No response
Install the latest kubewarden and create a policy file as follows:
apiVersion: policies.kubewarden.io/v1alpha2 kind: ClusterAdmissionPolicy metadata: name: privileged-pods spec: policyServer: default module: file:///test/policy.wasm rules: - apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] operations: - CREATE - UPDATE mutating: false
The wasm policy file has been downloaded and placed on the host.
Policy successfully created
No response
- OS:Linux
- Architecture:x86
Is there something wrong with the way I use it? Who can tell me?
The securityContext
in controller deployment is hard-coded and cannot be configured like "fsGroup" or "MustRunAs".
The pre-deletion job has no securityContext and can not be configured. Also the policy server deployment has no securityContext and I have no idea how to configure.
Full feature set securityContext
in Helm Chart.
Install Charts with default settings. Try to set securityContext without any affect
- OS: Linux
- Architecture: amd64
thx
Release a new helm chart with the new policy-server and kuberwarden-controller:
Acceptance criteria
We should write release notes for the helm chart version that introduces the new architecture.
The goals are:
From #70 (comment), a future problem arises: values from the different charts may be tightly coupled. Example:
policyServer.default.name
, which sets the default PolicyServer name that the controller will give to policies when the policies don't specify their spec.policyServer
.policyServer.name
, which sets the name of the CR that will be created.Craft the values.yml of the 3 charts in a way that they can all be merged into 1 values.yml. Effectively having just 1 values.yml for the 3 charts. The charts are tightly coupled, I believe it's fine if the values.yml are tightly coupled as well.
A. This could mean namespacing each of the values of each chart under a key with their chart name:
kubewarden-controller:
policyServer.default.name: foo
...
kubewarden-defaults:
policyServer.name: foo
...
B. Or we could merge all the keys from all the charts to form 1 kubewarden-values.yml, linting so there aren't any conflicts. We could also use templating to reduce repetiton (e.g: foo
in example of (a)), or better, merge those 2 keys into 1 that both charts would use.
No response
No response
Updates the CI/CD pipeline to run the E2E tests when the charts are changed. The E2E tests should validate if the chart does not have issues
To ensure that the Kubewarden users are using the right software versions and binaries from the Kubewarden team, we should sign the Helm charts using Sigtore infrastructure.
See more at threat kubewarden threat #1
NOTE: This is an issue created from RFC discussing the admission control threat model. It's created to allow the Kubewarden team discuss the proposed mitigation further and start to work on each actionable item when possible
Each release should have a SBOM file that allows to track the origin of all the dependencies.
It looks like this project can do it: https://github.com/defenseunicorns/sbom-cli
Acceptance criteria:
It should be possible for the user to provide a list of their own custom certificate authorities that can be used along with the system ones. This can be useful when some or all policies are in an OCI registry or HTTPS server served with a chain of trust that requires custom PKI.
Depends on kubewarden/kubewarden-controller#41
Add kubewarden-images.txt to releases. Add a text file with the images with the right version in the release. See rancher releases
When deploying KW UI, and deploying kubewarden-defaults
, I didn't find a button to enable the default policies, and did it by changing the yaml instead.
This is not easily discoverable for new users.
Relates to rancher/kubewarden-ui#68
kubewarden-controller
& kubewarden-defaults
have the most used values exposed through questions.yaml.
After installing the Kubewarden stack it is not possible to change configuration values with the helm upgrade
command
$ cat k3d-default.yaml
---
apiVersion: k3d.io/v1alpha3
kind: Simple
name: k3s-default
servers: 1
agents: 0
image: docker.io/rancher/k3s:v1.22.4-k3s1
$ k3d cluster create $(PROFILE) --config k3d-default.yaml -v /dev/mapper:/dev/mapper
$ kubectl wait --for=condition=Ready nodes --all
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml
$ kubectl wait --for=condition=Available deployment --timeout=3m -n cert-manager --
$ cat kubewarden-controller-values.yaml
telemetry:
enabled: false
policyServer:
image:
repository: ghcr.io/kubewarden/policy-server
tag: "v0.2.5"
replicaCount: 1
telemetry:
metrics:
port: 8080
env:
- name: KUBEWARDEN_LOG_LEVEL
value: debug
annotations: {}
$ helm repo add --force-update kubewarden https://charts.kubewarden.io
$ helm upgrade --install --wait --namespace kubewarden --create-namespace kubewarden-crds kubewarden/kubewarden-crds
$ helm upgrade --install --wait --namespace kubewarden --values kubewarden-controller-values.yaml kubewarden-controller kubewarden/kubewarden-controller
$ cat values.yaml
policyServer:
replicaCount: 2
image:
tag: "v0.2.4"
$ helm upgrade --namespace kubewarden --values values.yaml kubewarden-controller kubewarden/kubewarden-controller
$ kubectl get policyservers default -o=jsonpath="{['.spec.image', '.spec.replicas']}"
ghcr.io/kubewarden/policy-server:v0.2.5 1%
Update the CI/CD pipelines to allow the major/minor updates of all charts. This means that when a component (kubewarden-controller, kubewarden-crds or policy-server) has a major/minor version release, the CI/CD pipeline in the helm-chart repository should release all Helm charts to keep all the components in sync
The Kubewarden helm charts should be discoverable via artifacthub.io
Hi
Could you please make the resource allocation configurable here: https://github.com/kubewarden/helm-charts/blob/main/charts/kubewarden-controller/templates/deployment.yaml#L58
It's a fairly common configuration point.
Many Thanks
The policy-server
today is fetching a list of well known (and static) resources, being:
Until we make this configurable and extendable with custom resources, the policy-server
needs to have enough rights in the Kubernetes cluster to list this resources, so context-aware policies can use this information to take contextual decisions (or perform contextual-aware mutations).
Acceptance criteria
policy-server
deployed through the controller started by the helm chart is able to list namespaces, services and ingresses in all namespaces.The artifact hub has the ability to have verified and official repos and charts. The docs are at https://artifacthub.io/docs/topics/repositories/#verified-publisher
When using the helm chart, a default
PolicyServer
will be created, forwarding the attributes exposed on the values.yaml
that we currently have:
replicaCount
image
serviceAccountName
: policy-server
The policy-server
service account is created with the same rights as today, and is defaulted in the helm chart if not provided. Nothing has to change in this regard.
Update the CI/CD pipeline to allow other repositories trigger chart releases.
When adding https://chimera-kube.github.io/helm-charts
to the "Apps & Marketplace" charts in Rancher, there's no detailed information shown for the helm chart.
Instead
This chart doesn't have a Rancher-specific README. Review the Helm README to learn more about the available configuration options and their usage.
is displayed
Just did a standard deployment with 50Mi using kubewarden-controller 1.2.4 helm chart (v1.3.0) and got OOM in the kubewarden-controller.
Deployment has been done on RKE2 1.24.4 in a 3 node Rancher cluster.
Seems we need to change / increase the default here:
From Grafana:
I assume we should start with 200Mi...
With the new architecture the controller provides a mutation and validation Webhook endpoint. The Webhook must be secured via a certificate in order to be used by Kubernetes.
As a result of that, CertManager is going to become a dependency of Kubewarden. This is going to be used to create and renew this certificate.
The helm chart should take care of installing CertManager.
values.yaml
file has a new boolean flag that enable/disable the installation of CertManagervalues.yaml
has new flags for enabling cert-manager annotations, and creating a self signed cert with cert-manager. If desired, the user can set these flags to false, to opt out of 1 or both. Automatic creation of a self signed certificate without cert-manager will be discussed in a different card (either to be done by a job, or implemented as a controller option).Running container images with a read-only filesystem is considered a good security practice. I think we can achieve that both for policy-server and for kubewarden-controller.
For policy-server we will need to declare an emptyDir
volume to store the policies that are being downloaded.
Configuring a PolicyServer to enable verification is already done, see https://github.com/kubewarden/kubewarden-controller/blob/6013ca6919c3711d4e1ebbc8afec0c2e5b38dc59/config/crd/bases/policies.kubewarden.io_policyservers.yaml#L181.
The ConfigMap gets already mounted by the controller. But, chart users need to expose that.
Come up with a good UX for helm chart users for enabling verification. We can't enable verification by default as we don't know the source of their policies/images.
Examples:
Accept configmap content as chart value (this poses problems with ugprade. Who owns the ConfigMap?)
No response
This is related with kubewarden/kubewarden-controller#42
We need to offer the following scenarios via our helm chart:
values.yml
-> The helm chart writes the name of the Secret inside of the policy-server
ConfigMapvalues.yml
file -> the helm chart creates a Secret and then adds a reference to it inside of the policy-server
ConfigMapBecause of a small mistake in our automation pipeline (see #174) some of our helm charts had duplicates inside of their name.
Next time a new helm chart is going to be released, the fix from the previous PR will create new helm charts with proper name. Once that's done, we have to manually remove the charts with the ugly names.
Update the CI/CD pipelines to allow the patch update of the individual chart releases. This means that when a component (kubewarden-controller
, kubewarden-crds
or policy-server
) has a patch version release, the CI/CD pipeline in the helm-chart repository should release only the related Helm charts.
The Rancher manifest allows charts to ask questions to the users, which is a really convenient way to provide chart values.
Right now our manifest doesn't ask any question.
Ensure our Rancher manifest asks the following questions
#176 adds some recommended labels to resources created from kubewarden-controller chart, and allows the user to set their own, useful for node selection, load, etc.
It would be nice to expand on this.
Add the missing labels from the recommended labels list to kubewarden-controller
, kubewarden-defaults
, kubewarden-crds
chart.
app.kubernetes.io/part-of: kubewarden
app.kubernetes.io/name: kubewarden-controller
app.kubernetes.io/instance: kubewarden-controller-abcxzy
(with correct string generation, maybe matching the helm one?)
Add a new .Values.additionalLabels
, that gets honored, to those charts too.
create a v1.0.1 release with the verification fix from sigstore-rs
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Warning
Renovate failed to look up the following dependencies: Failed to look up docker package kubewarden/kubewarden-controller
, Failed to look up docker package kubewarden/kubectl
, Failed to look up docker package kubewarden/audit-scanner
, Failed to look up docker package kubewarden/policy-server
.
Files affected: charts/kubewarden-controller/values.yaml
, charts/kubewarden-defaults/values.yaml
This repository currently has no open or pending branches.
.github/workflows/ci.yaml
actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29
.github/workflows/e2e-tests.yml
actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29
kubewarden/kubewarden-end-to-end-tests main
.github/workflows/helm-chart-release.yml
actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29
azure/setup-helm v3.5@5119fcb9089d432beecbf79bb2c7915207344b78
sigstore/cosign-installer v3.5.0@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
helm/chart-releaser-action v1.6.0@a917fd15b20e8b64b94d9158ad54cd6345335584
peaceiris/actions-gh-pages v4.0.0@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e
docker/login-action v3.1.0@e92390c5fb421da1463c202d546fed0ec5c39f20
.github/workflows/update-charts.yml
actions/github-script v7.0.1@60a0d83039c74a4aee543508d2ffcb1c3799cdea
actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29
actions/github-script v7.0.1@60a0d83039c74a4aee543508d2ffcb1c3799cdea
actions/github-script v7.0.1@60a0d83039c74a4aee543508d2ffcb1c3799cdea
updatecli/updatecli-action v2.58.0@fa41baa922561b436c449de1a0bd1f5bd768248c
actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29
actions/github-script v7.0.1@60a0d83039c74a4aee543508d2ffcb1c3799cdea
actions/github-script v7.0.1@60a0d83039c74a4aee543508d2ffcb1c3799cdea
actions/github-script v7.0.1@60a0d83039c74a4aee543508d2ffcb1c3799cdea
updatecli/updatecli-action v2.58.0@fa41baa922561b436c449de1a0bd1f5bd768248c
.github/workflows/update-dependencies.yaml
actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29
updatecli/updatecli-action v2.58.0@fa41baa922561b436c449de1a0bd1f5bd768248c
charts/kubewarden-controller/values.yaml
kubewarden/kubewarden-controller v1.13.0-rc1
kubewarden/kubectl v1.27.14
kubewarden/audit-scanner v1.13.0-rc1
ghcr.io/kyverno/policy-reporter 2.19.0
ghcr.io/kyverno/policy-reporter-ui 1.9.2
charts/kubewarden-defaults/values.yaml
kubewarden/policy-server v1.13.0-rc1
charts/kubewarden-controller/Chart.yaml
policy-reporter 2.23.1
Helm has a feature to sign and verify charts so that the provenance and integrity can be checked. Given that kubewarden is around security, this could be useful to use.
There is a plugin to make this easier with GPG.
On Artifact Hub there is a badge to show the provenance file. Here's an example. The badge shows up in search, too.
The new architecture relies on some controller Webhook to mutate/validate Kubewarden's resources. We have to ensure the helm chart creates the right RBAC permissions to allow the controller to work.
The kubewarden-defaults
helm charts takes care of deploying the default
instance of Policy Server. The helm chart however, doesn't expose all the parameters supported by the PolicyServer
CRD.
This is a problem when, for example, the Policy Server image being used is being pulled from a private registry that has authentication. In this case, the definition of the Policy Server Deployment
needs to have a imagePullSecret
configured.
The helm chart exposes the values of the PolicyServer
CRD via its values.yaml
file:
imagePullSecret
insecureSources
sourceAuthorities
No response
No response
No response
On Artifact Hub, neither the kubewarden-controller nor the kubewarden-crds charts have a README.
CRDs defined in the /crd folder cannot be upgraded, may overlap with already defined CRDs in the cluster from a different user and silently substitute them, cannot be safely removed when several charts depend on them, and other dangerous and destroying behaviours. In addition, they can't be templated either.
We should consider using a separate chart for CRDs in the future.
More info:
https://helm.sh/docs/chart_best_practices/custom_resource_definitions/
https://github.com/helm/community/blob/f9e06c16d89ccea1bea77c01a6a96ae3b309f823/architecture/crds.md
When deploying cert-manager we create a CA and a ClusterIssuer and want to use the ClusterIssuer also for Kubewarden.
Unfortunately the helm chart does not allow to specify the usage of a ClusterIssuer. Seems there is just support for an "Issuer".
ClusterIssuer should be able to be used.
- OS: Linux / SLES 15 SP4
- Architecture: x86_64
No response
Always defining all rancher namespaces in my fleet configuration seems unnecessarily and redundant.
Create two arrays instead:
rancherNamespaces: []
skipNamespaces: []
and use them in the helper:
{{- with .Values.recommendedPolicies.rancherNamespaces }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.recommendedPolicies.skipNamespaces }}
{{- toYaml . | nindent 6 }}
{{- end }}
No response
No response
In order to increase the security of the cluster running the recommended policies, we should add the hostpaths-psp-policy
in the policies installed in the cluster. This will help the mitigation of the threat #16 of the threat model. The policy should allow hostPath volume in some directories. These directories can be define in the values of the chart.
NOTE: This is an issue created from RFC discussing the admission control threat model. It's created to allow the Kubewarden team discuss the proposed mitigation further and start to work on each actionable item when possible
Update the chart to deploy kubewarden-controller v0.2.0.
Note well, this kubewarden-controller release introduces quite some significant changes:
These changes caused quite some of the deployment yaml file to change.
Controller should have permission to patch and watch webhooks
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.