Distributing an OPA policy with Kubewarden
We have written, built and run our Rego policy. Now it's time to distribute it.
Policies have to be annotated before they can be executed by the policy-server, the component that runs the policies inside a Kubernetes cluster.
Annotating the policy
Annotating a policy enriches the policy metadata with relevant information such as authorship, license and source code location, together with other important metadata such as the rules, which describe what kind of resources this policy can understand and evaluate.
In order to annotate our policy let's write a simple metadata.yaml file:
```yaml
rules:
- apiGroups: [""]
  apiVersions: ["*"]
  resources: ["*"]
  operations: ["CREATE"]
mutating: false
contextAware: false
executionMode: opa
annotations:
  io.kubewarden.policy.title: no-default-namespace
  io.kubewarden.policy.description: This policy will reject any resource created inside the default namespace
  io.kubewarden.policy.author: The Kubewarden Authors
  io.kubewarden.policy.url: https://github.com/kubewarden/some-policy
  io.kubewarden.policy.source: https://github.com/kubewarden/some-policy
  io.kubewarden.policy.license: Apache-2.0
  io.kubewarden.policy.usage: |
    This policy is just an example.
    You can write interesting descriptions about the policy here.
```
In this case, you can see several details:
- Rules: what resources this policy is targeting.
- Mutating: whether this policy mutates requests. In this case it only validates.
- Context aware: whether this policy requires context from the cluster in order to evaluate the request.
- Execution mode: since this is a Rego policy, it is mandatory to specify which execution mode it expects: opa or gatekeeper. This policy is written in the opa style, returning a whole AdmissionReview object.
- Annotations: metadata stored in the policy itself.
Let's go ahead and annotate our policy:
```console
$ kwctl annotate policy.wasm --metadata-path metadata.yaml --output-path annotated-policy.wasm
```
You can now inspect the annotated policy, if you wish, by running kwctl inspect annotated-policy.wasm.
Pushing the policy
Now that the policy is annotated we can push it to an OCI registry. Let's do that:
```console
$ kwctl push annotated-policy.wasm registry.my-company.com/kubewarden/no-default-namespace:v0.0.1
Policy successfully pushed
```
Now our Rego policy targeting the OPA framework has everything it needs to be deployed in production by creating a ClusterAdmissionPolicy. Let's prepare that too. First, we have to pull the policy into the kwctl local store:
```console
$ kwctl pull registry://registry.my-company.com/kubewarden/no-default-namespace:v0.0.1
pulling policy...
```
Let's create a ClusterAdmissionPolicy out of it. This operation takes into account the metadata kwctl has about the policy:
```console
$ kwctl manifest registry://registry.my-company.com/kubewarden/no-default-namespace:v0.0.1 --type ClusterAdmissionPolicy
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: generated-policy
spec:
  module: "registry://registry.my-company.com/kubewarden/no-default-namespace:v0.0.1"
  settings: {}
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - "*"
    resources:
    - "*"
    operations:
    - CREATE
  mutating: false
```
You can now use this ClusterAdmissionPolicy as a base to narrow the rules down to the resources you want, or deploy it to Kubernetes as is with kubectl apply. Note that the rules above, taken from the metadata, match every CREATE of any resource in the core API group, so the policy will be invoked for every such request once deployed.
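The two steps above, writing metadata.yaml and letting kwctl turn it into a ClusterAdmissionPolicy, can be checked offline before anything is pushed. The following is an added example, not kwctl's code or part of the Kubewarden project: it lints the metadata the way a reviewer would (non-empty rules, known admission operations, boolean flags, a valid executionMode for a Rego policy, the title and description annotations present) and then builds a ClusterAdmissionPolicy shaped like the kwctl manifest output shown above, so the two can be diffed. The sample metadata is a constructed copy of the page's metadata.yaml already parsed into a dict, so the script does not assume PyYAML is installed; the apiVersion is the one the page shows.

```python
"""Offline pre-flight check for a Kubewarden metadata.yaml and the
ClusterAdmissionPolicy it will produce (added example, not kwctl's code)."""
import json

EXECUTION_MODES = {"opa", "gatekeeper"}          # the two Rego modes named on the page
ADMISSION_OPERATIONS = {"CREATE", "UPDATE", "DELETE", "CONNECT"}  # Kubernetes admission ops
RULE_LIST_FIELDS = ("apiGroups", "apiVersions", "resources", "operations")

# Constructed sample: the page's metadata.yaml as a Python dict.
SAMPLE_METADATA = {
    "rules": [{"apiGroups": [""], "apiVersions": ["*"],
               "resources": ["*"], "operations": ["CREATE"]}],
    "mutating": False,
    "contextAware": False,
    "executionMode": "opa",
    "annotations": {
        "io.kubewarden.policy.title": "no-default-namespace",
        "io.kubewarden.policy.description":
            "This policy will reject any resource created inside the default namespace",
        "io.kubewarden.policy.author": "The Kubewarden Authors",
        "io.kubewarden.policy.url": "https://github.com/kubewarden/some-policy",
        "io.kubewarden.policy.source": "https://github.com/kubewarden/some-policy",
        "io.kubewarden.policy.license": "Apache-2.0",
    },
}


def lint_metadata(meta, rego=True):
    """Return a list of problems; an empty list means the metadata looks deployable."""
    problems = []
    rules = meta.get("rules")
    if not isinstance(rules, list) or not rules:
        problems.append("rules: must be a non-empty list, or the policy is never invoked")
        rules = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append(f"rules[{i}]: must be a mapping")
            continue
        for field in RULE_LIST_FIELDS:
            value = rule.get(field)
            if not isinstance(value, list) or not value:
                problems.append(f"rules[{i}].{field}: must be a non-empty list")
        bad_ops = set(rule.get("operations") or []) - ADMISSION_OPERATIONS
        if bad_ops:
            problems.append(f"rules[{i}].operations: unknown operation(s) {sorted(bad_ops)}")
    for flag in ("mutating", "contextAware"):
        if not isinstance(meta.get(flag), bool):
            problems.append(f"{flag}: must be true or false")
    mode = meta.get("executionMode")
    if rego and mode not in EXECUTION_MODES:
        problems.append(f"executionMode: a Rego policy must declare one of "
                        f"{sorted(EXECUTION_MODES)}, got {mode!r}")
    ann = meta.get("annotations") or {}
    for key in ("io.kubewarden.policy.title", "io.kubewarden.policy.description"):
        if not ann.get(key):
            problems.append(f"annotations.{key}: missing (shown by kwctl inspect)")
    return problems


def cluster_admission_policy(meta, module, name="generated-policy", settings=None):
    """Build a ClusterAdmissionPolicy dict shaped like the page's `kwctl manifest` output.

    Raises ValueError with every lint problem if the metadata is not deployable."""
    problems = lint_metadata(meta)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": "policies.kubewarden.io/v1alpha2",   # apiVersion used on the page
        "kind": "ClusterAdmissionPolicy",
        "metadata": {"name": name},
        "spec": {
            "module": module,
            "settings": settings or {},
            "rules": [dict(rule) for rule in meta["rules"]],  # copied from the metadata
            "mutating": meta["mutating"],
        },
    }


if __name__ == "__main__":
    policy = cluster_admission_policy(
        SAMPLE_METADATA,
        "registry://registry.my-company.com/kubewarden/no-default-namespace:v0.0.1",
    )
    # JSON is valid YAML, so this can be diffed against the kwctl manifest output
    print(json.dumps(policy, indent=2))
```

Run it before kwctl annotate: a metadata file that fails lint_metadata would still be accepted by the tooling in some cases (for instance an empty rules list), but the resulting ClusterAdmissionPolicy would silently never match a request, which is the failure mode you least want in an admission control policy.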