Kubernetes capabilities
Kubewarden context-aware policies require access to resources from the Kubernetes cluster they run in. For that, the Kubewarden SDKs expose functions that use the waPC communication protocol to ask the host system for data about the cluster.
waPC protocol contract
Under the hood, the SDKs rely on these functions exposed by the policy host environment:
- list_resources_by_namespace: given a resource type and a namespace, list all the resources of that type that are defined inside of it. This cannot be used to list cluster-wide resources, like Namespace.
- list_resources_all: given a resource type, list all the resources of that type that are defined inside the whole cluster. This can be used to list cluster-wide resources, like Namespace.
- get_resource: find the exact resource identified by the given resource type, name and an optional namespace identifier.
This guest-host intercommunication is performed using the regular waPC host calling mechanism, so any guest implementing the waPC intercommunication mechanism is able to request this information from the host.
waPC has the following function arguments when performing a call from the guest to the host:
- Binding
- Namespace
- Operation
- Payload
By contract, or convention, policies can retrieve the Kubernetes cluster information by calling the host in the following ways:
Binding | Namespace | Operation | Input payload | Output payload (JSON format) |
---|---|---|---|---|
kubewarden | kubernetes | list_resources_all | resource type | Return a Kubernetes List object. Use this API function to fetch cluster-wide resources (e.g. namespaces). |
kubewarden | kubernetes | list_resources_by_namespace | resource type and namespace | Return a Kubernetes List object. Caution: this API function returns an error when used to fetch cluster-wide resources (e.g. namespaces). Please use the list_resources_all function instead. |
kubewarden | kubernetes | get_resource | resource type, name and an optional namespace | Result of GET /apis/$api_version/namespaces/$namespace/$kind/$name |
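The following Go program is an added illustration of the host side of that contract; it is not code from the Kubewarden project or from this page. It routes the binding/namespace/operation triple to a fake in-memory cluster (constructed sample data) and reproduces the table's behaviour, including the error list_resources_by_namespace returns for a cluster-wide kind. The JSON payload field names (kind, namespace, name) and the List-shaped response are this example's assumptions, since the page does not show the input payload.

```go
package main
import "encoding/json"
import "fmt"
// Request is the payload shape assumed here; the page shows no input payload, so these field names are an assumption.
type Request struct {
	Kind      string `json:"kind"`
	Namespace string `json:"namespace,omitempty"`
	Name      string `json:"name,omitempty"`
}
// Object stands in for a Kubernetes resource in the constructed fake cluster below.
type Object struct{ Kind, Namespace, Name string }
var fakeCluster = []Object{ // constructed sample data, not a real cluster
	{"Namespace", "", "default"}, {"Namespace", "", "kube-system"},
	{"Pod", "default", "web"}, {"Pod", "kube-system", "dns"},
}
// HostCall plays the host side of the contract: the guest passes binding, namespace
// and operation strings plus a JSON payload and receives JSON (or an error) back.
func HostCall(binding, namespace, operation string, payload []byte) ([]byte, error) {
	if binding != "kubewarden" || namespace != "kubernetes" {
		return nil, fmt.Errorf("unsupported binding/namespace %s/%s", binding, namespace)
	}
	var req Request
	if err := json.Unmarshal(payload, &req); err != nil {
		return nil, err
	}
	switch operation {
	case "list_resources_by_namespace":
		if req.Kind == "Namespace" { // the caution from the table: Namespace is cluster-wide
			return nil, fmt.Errorf("%s is cluster-wide, use list_resources_all", req.Kind)
		}
	case "list_resources_all":
		req.Namespace = "" // a cluster-wide listing ignores any namespace in the payload
	case "get_resource": // the single object GET /apis/.../$kind/$name would return
		for _, o := range fakeCluster {
			if o == (Object{req.Kind, req.Namespace, req.Name}) {
				return json.Marshal(o)
			}
		}
		return nil, fmt.Errorf("%s %s/%s not found", req.Kind, req.Namespace, req.Name)
	default:
		return nil, fmt.Errorf("unknown operation %q", operation)
	}
	items := []Object{} // both list operations answer with a List of the matches
	for _, o := range fakeCluster {
		if o.Kind == req.Kind && (req.Namespace == "" || o.Namespace == req.Namespace) {
			items = append(items, o)
		}
	}
	return json.Marshal(map[string]interface{}{"kind": "List", "items": items})
}
```

A policy SDK would wrap HostCall with typed helpers; the point here is that the host, not the guest, decides which operation is valid for a given resource scope.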