policy-server
by
kubewarden

Description: Webhook server that evaluates WebAssembly policies to validate Kubernetes requests

View on GitHub ↗

Summary Information

Updated 1 hour ago
Added to GitGenius on June 30th, 2023
Created on December 15th, 2020
Open Issues & Pull Requests: 1 (+0)
Number of forks: 20
Total Stargazers: 151 (+0)
Total Subscribers: 5 (+0)

Issue Activity (beta)

Open issues: 0
New in 7 days: 0
Closed in 7 days: 0
Avg open age: N/A days
Stale 30+ days: 0
Stale 90+ days: 0

Recent activity

Opened in 7 days: 0
Closed in 7 days: 0
Comments in 7 days: 0
Events in 7 days: 0

Top labels

  • kind/enhancement (39)
  • kind/bug (30)
  • area/observability (18)
  • kind/tech-debt (11)
  • kind/epic (10)
  • kind/good first issue (9)
  • area/ci (7)
  • area/sigstore (5)

Most active issues this week

No issue events were indexed in the last 7 days.

Repository Insights (GitGenius)

Median issue/PR response: 419.3 days
Mean response time: 598.9 days
90th percentile: 1595.3 days
Tracked items: 106

Most active contributors

Detailed Description

The policy-server repository is a Kubernetes dynamic admission controller written in Rust that evaluates WebAssembly policies to validate admission requests. It functions as a webhook server that integrates with Kubernetes' extensible admission controller framework, allowing organizations to enforce custom policies written as WebAssembly modules. The project is part of the broader Kubewarden ecosystem, which provides a policy-as-code approach to Kubernetes security and compliance.

As of release 1.32.0, this repository has been archived and merged into the kubewarden-controller repository, which now serves as a monorepo for continued development. The policy-server codebase represents a significant shift toward consolidating the Kubewarden stack into a single repository for easier maintenance and coordination.

The core functionality of policy-server centers on loading and executing multiple Kubewarden policies simultaneously. Policies are configured through a YAML file that specifies which WebAssembly modules to load, how to expose them via HTTP endpoints, and their runtime settings. Each policy is exposed under a `/validate/<policy id>` endpoint. The system supports flexible policy sourcing, allowing WebAssembly modules to be loaded from local filesystems, remote HTTPS servers, or OCI registries. This flexibility enables organizations to manage policies from various sources within a single policy-server instance.

A notable feature is the policy group functionality, which allows multiple policies to be combined using boolean expressions. This capability enables users to create complex validation logic by composing simpler policies without requiring custom WebAssembly development. Policy groups reduce code duplication and cognitive overhead by leveraging existing policies in new combinations, supporting a more modular approach to policy management.

The repository demonstrates active development and maintenance patterns. GitGenius tracking shows 106 issues and pull requests with a median response latency of approximately 10,063 hours and a mean of 14,372.6 hours. The most active issue categories are enhancements with 39 tracked items, bugs with 30 items, and technical debt with 11 items. The primary contributors tracked by GitGenius are flavio with 201 events, jvanz with 61 events, and viccuad with 52 events, indicating a core team driving the project forward.

Policy-server provides comprehensive logging and distributed tracing capabilities. Log output can be formatted as plain text or JSON, with configurable verbosity levels including trace, debug, info, warn, and error. The system supports integration with OpenTelemetry Collector for sending trace events via gRPC, enabling observability in distributed environments. However, current OpenTelemetry support has limitations, requiring the collector to run as a sidecar and only supporting gRPC transport.

The project emphasizes security and supply chain integrity. Release artifacts include software bill of materials in SPDX format and provenance files generated during the build process. Container images and attestations are signed using cosign, allowing users to verify the authenticity and integrity of releases. The Kubewarden team maintains documented threat model assessments and responsible disclosure policies.

The repository is built using Rust and distributed as container images through the GitHub Container Registry. The project is classified across multiple security and policy domains including admission control, compliance, regulatory compliance, network policies, and container isolation, reflecting its broad applicability to Kubernetes security governance.

policy-server
by
kubewardenkubewarden/policy-server

Repository Details

Fetching additional details & charts...