The policy-server repository is a Kubernetes dynamic admission controller written in Rust that evaluates WebAssembly policies to validate admission requests. It functions as a webhook server that integrates with Kubernetes' extensible admission controller framework, allowing organizations to enforce custom policies written as WebAssembly modules. The project is part of the broader Kubewarden ecosystem, which provides a policy-as-code approach to Kubernetes security and compliance.
As of release 1.32.0, this repository has been archived and merged into the kubewarden-controller repository, which now serves as a monorepo for continued development. The policy-server codebase represents a significant shift toward consolidating the Kubewarden stack into a single repository for easier maintenance and coordination.
The core functionality of policy-server centers on loading and executing multiple Kubewarden policies simultaneously. Policies are configured through a YAML file that specifies which WebAssembly modules to load, how to expose them via HTTP endpoints, and their runtime settings. Each policy is exposed under a `/validate/<policy id>` endpoint. The system supports flexible policy sourcing, allowing WebAssembly modules to be loaded from local filesystems, remote HTTPS servers, or OCI registries. This flexibility enables organizations to manage policies from various sources within a single policy-server instance.
A notable feature is the policy group functionality, which allows multiple policies to be combined using boolean expressions. This capability enables users to create complex validation logic by composing simpler policies without requiring custom WebAssembly development. Policy groups reduce code duplication and cognitive overhead by leveraging existing policies in new combinations, supporting a more modular approach to policy management.
The repository demonstrates active development and maintenance patterns. GitGenius tracking shows 106 issues and pull requests with a median response latency of approximately 10,063 hours and a mean of 14,372.6 hours. The most active issue categories are enhancements with 39 tracked items, bugs with 30 items, and technical debt with 11 items. The primary contributors tracked by GitGenius are flavio with 201 events, jvanz with 61 events, and viccuad with 52 events, indicating a core team driving the project forward.
Policy-server provides comprehensive logging and distributed tracing capabilities. Log output can be formatted as plain text or JSON, with configurable verbosity levels including trace, debug, info, warn, and error. The system supports integration with OpenTelemetry Collector for sending trace events via gRPC, enabling observability in distributed environments. However, current OpenTelemetry support has limitations, requiring the collector to run as a sidecar and only supporting gRPC transport.
The project emphasizes security and supply chain integrity. Release artifacts include software bill of materials in SPDX format and provenance files generated during the build process. Container images and attestations are signed using cosign, allowing users to verify the authenticity and integrity of releases. The Kubewarden team maintains documented threat model assessments and responsible disclosure policies.
The repository is built using Rust and distributed as container images through the GitHub Container Registry. The project is classified across multiple security and policy domains including admission control, compliance, regulatory compliance, network policies, and container isolation, reflecting its broad applicability to Kubernetes security governance.