Build and run an OPA policy for Kubewarden
In the previous section we wrote our Rego policy. The directory structure looks like the following:
.
├── data
│  ├── default-ns.json
│  └── other-ns.json
├── policy.rego
└── request.rego
1 directory, 4 files
Build
We have our policy; now let's go ahead and build it:
$ opa build -t wasm -e policy/main policy.rego request.rego
What this does is build the Rego policy, with:
- target: wasm. We want to build the policy for the wasm target.
- entrypoint: policy/main. The entry point is the main rule inside the policy package.
- policy.rego: build and include the policy.rego file.
- request.rego: build and include the request.rego file.
After the build is complete, opa build will have generated a bundle.tar.gz file. You can extract the policy module from it:
$ tar -xf bundle.tar.gz /policy.wasm
Now the tree looks like the following:
.
├── bundle.tar.gz
├── data
│  ├── default-ns.json
│  └── other-ns.json
├── policy.rego
├── policy.wasm
└── request.rego
1 directory, 6 files
We have our precious policy.wasm file:
$ file policy.wasm
policy.wasm: WebAssembly (wasm) binary module version 0x1 (MVP)
Now it's time to execute it! Let's go on.
Run
We are going to use kwctl in order to run the policy:
$ kwctl run -e opa --request-path data/other-ns.json policy.wasm | jq
{
"uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
"allowed": true
}
This request is accepted by the policy, since it is the request pointing to the other namespace. The flags used are:
- execution-mode: opa. Rego policies can target Open Policy Agent or Gatekeeper, so we must tell kwctl what kind of policy we are running.
- request-path: the location of the recorded request that kwctl will send to the policy for evaluation.
Now let's try to evaluate the request that creates the pod inside the default namespace:
$ kwctl run -e opa --request-path data/default-ns.json policy.wasm | jq
{
"uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
"allowed": false,
"status": {
"message": "it is forbidden to use the default namespace"
}
}
In this case, the policy rejects the request and returns a reason to the API server, which passes it back to the user or API consumer.
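The build and the two kwctl runs above are exactly the steps a policy author repeats after every change to the Rego, so it is worth turning them into a repeatable check. The script below is an added example, not part of the Kubewarden documentation or of kwctl: it assumes the directory layout shown on this page (policy.rego, request.rego and the two recorded requests under data/), that opa and kwctl are on PATH, and that the expected verdicts are the ones shown above (other-ns accepted, default-ns rejected with the "forbidden to use the default namespace" message). The verdict parsing is deliberately plain POSIX sh so it does not depend on jq.

```shell
#!/bin/sh
# Regression check for the Kubewarden OPA policy built on this page.
# Assumed layout (from the page): ./policy.rego ./request.rego ./data/*.json
# Assumed tools: opa and kwctl on PATH. Invoke as: sh check-policy.sh run
set -eu

# Build the wasm module and extract policy.wasm from the OPA bundle.
build_policy() {
  opa build -t wasm -e policy/main policy.rego request.rego
  tar -xf bundle.tar.gz /policy.wasm
}

# Read a kwctl JSON response on stdin and print allowed / denied / unknown.
# Works on both raw kwctl output ("allowed":true) and jq-formatted output.
decision_of() {
  resp=$(cat)
  if printf '%s\n' "$resp" | grep -Eq '"allowed": *true'; then
    echo allowed
  elif printf '%s\n' "$resp" | grep -Eq '"allowed": *false'; then
    echo denied
  else
    echo unknown
  fi
}

# Run one recorded request through the policy and compare the verdict.
# $1: request file, $2: wanted verdict, $3 (optional): substring that must
# appear in the response, e.g. the rejection message.
expect() {
  req=$1; want=$2; wantmsg=${3:-}
  resp=$(kwctl run -e opa --request-path "$req" policy.wasm)
  got=$(printf '%s\n' "$resp" | decision_of)
  if [ "$got" != "$want" ]; then
    echo "FAIL $req -> $got (wanted $want)" >&2
    return 1
  fi
  if [ -n "$wantmsg" ] && ! printf '%s\n' "$resp" | grep -Fq "$wantmsg"; then
    echo "FAIL $req -> missing message: $wantmsg" >&2
    return 1
  fi
  echo "ok   $req -> $got"
}

main() {
  build_policy
  # Expected verdicts taken from the kwctl runs shown on this page.
  expect data/other-ns.json allowed
  expect data/default-ns.json denied "it is forbidden to use the default namespace"
}

# Only execute the full build-and-run cycle when explicitly asked to.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Running the script with the `run` argument rebuilds policy.wasm and fails fast (non-zero exit) if either fixture no longer produces the verdict recorded on this page, which makes it suitable as a pre-commit or CI step for the policy repository. Checking the rejection message as well as the boolean catches a policy that still denies but has lost the human-readable reason the API server forwards to the user.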