Skip to main content
Version: 1.10

Context aware policies

The policy-server has capabilities to expose cluster information to policies, so that they can take decisions based on other existing resources, and not only based on the details provided by the admission request.

The retrieval of Kubernetes resources is performed by the Policy Server hosting the policy. Access to Kubernetes is regulated by RBAC rules applied to the Service Account used by the Policy Server.

The default Policy Server deployed by Kubewarden helm charts has access to the following Kubernetes resources:

  • Namespaces
  • Services
  • Ingresses
caution

The policy server performs caching of the results obtained from the Kubernetes API server to reduce the amount of load on this core part of Kubernetes. That means some information might be stale or missing.

Support Matrix​

Policy typeSupportNotes
Traditional programming languages✅-
Rego✅Since Kubewarden 1.9 release
WASI✅Since Kubewarden 1.10.0 release, only for Go SDK

ClusterAdmissionPolicies​

ClusterAdmissionPolicies have the field spec.contextAwareResources. This field provides a list a GroupVersionKind resources that the policy needs to access. This allows policy writers to ship the "permissions" that the policy needs together with the policy. Moreover, this allows policy operators to review the "permissions" needed by the policy at deployment time.

Testing context aware policies locally​

Apart from running policies in cluster for end-to-end tests, one can use our kwctl CLI utility to run policies and mock requests against the cluster.

For that, kwctl run can first record all the interactions with the cluster into a file:

kwctl run \
--allow-context-aware \
-r request.json \
--record-host-capabilities-interactions replay-session.yml \
annotated-policy.wasm

which creates the following replay-session.yml file:

# replay-session.yml
---
- type: Exchange
request: |
!KubernetesGetResource
api_version: /v1
kind: Pod
name: p-testing
namespace: local
disable_cache: true
response:
type: Success
payload: '{"apiVersion":"","kind":"Pod", <snipped> }'

With the replay session, one can now mock the cluster interactions without the need of a cluster, perfect for CI and end-to-end tests:

kwctl run \
--allow-context-aware \
-r request.json \
--replay-host-capabilities-interactions replay-session.yml \
annotated-policy.wasm

Language SDKs​

Language SDK's that support cluster context at this time will expose functions that allow policies to retrieve the current state of the cluster.

tip

If you want more information about the waPC function used by the SDKs, check the Kubernetes capabilities reference documentation.

Rust​

See the functions exposing this functionality at the Rust SDK reference docs.

Go​

See the functions exposing this functionality at the Go SDK reference docs.

Rego policies​

Gatekeeper​

The context aware information is exposed under the data.inventory key, like Gatekeeper does.

The inventory is populated with the resources the policy has been granted access to via the spec.contextAwareResources field.

Open Policy Agent​

The context aware information is exposed under the data.kubernetes key, like kube-mgmt does by default.

The inventory is populated with the resources the policy has been granted access to via the spec.contextAwareResources field.