Skip to main content
Version: 1.10

Distributing a Gatekeeper policy with Kubewarden

Policies have to be annotated for them to be pushed, and eventually executed by the Kubewarden policy-server in a Kubernetes cluster.

Annotating and distributing our Gatekeeper policy is very similar to distributing an Open Policy Agent one. Let's go through it.

Annotating the policy​

We are going to write a metadata.yaml file in our policy directory with contents:

rules:
- apiGroups: [""]
apiVersions: ["*"]
resources: ["*"]
operations: ["CREATE"]
mutating: false
contextAware: false
executionMode: gatekeeper
annotations:
io.kubewarden.policy.title: no-default-namespace
io.kubewarden.policy.description: This policy will reject any resource created inside the default namespace
io.kubewarden.policy.author: The Kubewarden Authors
io.kubewarden.policy.url: https://github.com/kubewarden/some-policy
io.kubewarden.policy.source: https://github.com/kubewarden/some-policy
io.kubewarden.policy.license: Apache-2.0
io.kubewarden.policy.usage: |
This policy is just an example.

You can write interesting descriptions about the policy here.

As you can see, everything is the same as the Open Policy Agent version metadata, except for the executionMode: gatekeeper bit.

Let's go ahead and annotate the policy:

$ kwctl annotate policy.wasm --metadata-path metadata.yaml --output-path annotated-policy.wasm

Pushing the policy​

Let's push our policy to an OCI registry:

$ kwctl push annotated-policy.wasm registry.my-company.com/kubewarden/no-default-namespace-gatekeeper:v0.0.1
Policy successfully pushed

Deploying on Kubernetes​

We have to pull our policy to our kwctl local store first:

$ kwctl pull registry://registry.my-company.com/kubewarden/no-default-namespace-gatekeeper:v0.0.1
pulling policy...

We can now create a scaffold ClusterAdmissionPolicy resource:

$ kwctl scaffold manifest registry://registry.my-company.com/kubewarden/no-default-namespace-gatekeeper:v0.0.1 --type ClusterAdmissionPolicy
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
name: generated-policy
spec:
module: "registry://registry.my-company.com/kubewarden/no-default-namespace-gatekeeper:v0.0.1"
settings: {}
rules:
- apiGroups:
- ""
apiVersions:
- "*"
resources:
- "*"
operations:
- CREATE
mutating: false

We could now use this ClusterAdmissionPolicy resource to deploy our policy to a Kubernetes cluster.