Build and run a Gatekeeper policy
Building and running the policy is done exactly the same way as a Rego policy targeting Open Policy Agent. The structure of our project is like:
.
├── data
│  ├── default-ns.json
│  └── other-ns.json
└── policy.rego
1 directory, 3 files
Build​
Let's build our policy by running the following opa
command:
$ opa build -t wasm -e policy/violation policy.rego
What this does is build the rego policy, with:
target
:wasm
. We want to build the policy for thewasm
target.entrypoint
:policy/violation
. The entry point is theviolation
rule inside thepolicy
package.policy.rego
: build and include thepolicy.rego
file.
The previous command generates a bundle.tar.gz
file. You can extract
the wasm module from it:
$ tar -xf bundle.tar.gz /policy.wasm
The project tree looks like the following:
.
├── bundle.tar.gz
├── data
│  ├── default-ns.json
│  └── other-ns.json
├── policy.rego
└── policy.wasm
1 directory, 5 files
We can now execute our policy!
Run​
Let's use kwctl
to run our policy as follows:
$ kwctl run -e gatekeeper --request-path data/other-ns.json policy.wasm | jq
{
"uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
"allowed": true
}
Given that this is our resource created in the namespace called
other
, this resource is accepted, as expected.
Now let's execute a request that will be rejected by the policy:
$ kwctl run -e gatekeeper --request-path data/default-ns.json policy.wasm | jq
{
"uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
"allowed": false,
"status": {
"message": "it is forbidden to use the default namespace"
}
}
As you can see, our Gatekeeper policy rejected this resource as expected.