Version: 1.13

Distributing an OPA policy with Kubewarden

You have written, built and run your Rego policy. Now it's time to distribute it.

Policies have to be annotated so they can run in the policy-server, the Kubewarden component that executes policies inside a Kubernetes cluster.

Annotating the policy

Annotating a policy enriches it with metadata: authorship, license, source code location, and the rules that describe what kind of resources the policy understands and evaluates.

To annotate your policy you need to write a metadata.yaml file:

rules:
- apiGroups: [""]
  apiVersions: ["*"]
  resources: ["*"]
  operations: ["CREATE"]
mutating: false
contextAware: false
executionMode: opa
annotations:
  io.kubewarden.policy.title: no-default-namespace
  io.kubewarden.policy.description: This policy will reject any resource created inside the default namespace
  io.kubewarden.policy.author: The Kubewarden Authors
  io.kubewarden.policy.license: Apache-2.0
  io.kubewarden.policy.usage: |
    This policy is just an example.

    You can write interesting descriptions about the policy here.

You can see several details:

  • Rules: What resources this policy is targeting.
  • Mutating: Whether this policy is mutating. In this case, it is just validating.
  • Context aware: Whether this policy requires context from the cluster to evaluate the request.
  • Execution mode: Since this is a Rego policy, it is mandatory to specify which execution mode it expects, opa or gatekeeper. This policy is written in the opa style and returns a whole AdmissionReview object.
  • Annotations: Metadata stored in the policy itself.
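Before running kwctl annotate it is worth checking that metadata.yaml is well formed and that its rules are scoped deliberately, since a rule with wildcarded resources binds the policy to every kind in the listed API groups. The following script is an added example, not code from the Kubewarden project or from kwctl: it validates the fields described above against a constructed, already-parsed copy of the metadata shown on this page (SAMPLE_METADATA), treats the annotation keys used here as recommended rather than as kwctl's required set, and assumes PyYAML is installed only when you point it at a real file.

```python
"""Pre-flight checks for a Kubewarden metadata.yaml before running kwctl annotate.

Added example; not part of the Kubewarden docs or of kwctl itself. It checks the
structure that the metadata file on this page uses and flags rules whose resource
scope is wildcarded. SAMPLE_METADATA is a constructed mirror of that file.
"""

VALID_EXECUTION_MODES = {"opa", "gatekeeper"}  # the two Rego modes named on the page
VALID_OPERATIONS = {"CREATE", "UPDATE", "DELETE", "CONNECT", "*"}
RULE_KEYS = ("apiGroups", "apiVersions", "resources", "operations")
# Annotation keys used on this page. Assumption: kwctl may require a different set,
# so missing ones are reported as warnings rather than errors.
PAGE_ANNOTATIONS = (
    "io.kubewarden.policy.title",
    "io.kubewarden.policy.description",
    "io.kubewarden.policy.author",
    "io.kubewarden.policy.license",
    "io.kubewarden.policy.usage",
)

# Constructed sample: the page's metadata.yaml as yaml.safe_load would return it.
SAMPLE_METADATA = {
    "rules": [
        {"apiGroups": [""], "apiVersions": ["*"], "resources": ["*"], "operations": ["CREATE"]},
    ],
    "mutating": False,
    "contextAware": False,
    "executionMode": "opa",
    "annotations": {
        "io.kubewarden.policy.title": "no-default-namespace",
        "io.kubewarden.policy.description": "This policy will reject any resource created inside the default namespace",
        "io.kubewarden.policy.author": "The Kubewarden Authors",
        "io.kubewarden.policy.license": "Apache-2.0",
        "io.kubewarden.policy.usage": "This policy is just an example.\n",
    },
}


def validate_metadata(meta):
    """Return (errors, warnings) for a parsed metadata mapping.

    errors: the file does not describe a usable policy.
    warnings: things an operator should look at before pushing to a registry.
    """
    errors, warnings = [], []

    mode = meta.get("executionMode")
    if mode not in VALID_EXECUTION_MODES:
        errors.append(f"executionMode must be one of {sorted(VALID_EXECUTION_MODES)}, got {mode!r}")

    for flag in ("mutating", "contextAware"):
        if not isinstance(meta.get(flag), bool):
            errors.append(f"{flag} must be a boolean, got {meta.get(flag)!r}")

    rules = meta.get("rules")
    if not isinstance(rules, list) or not rules:
        errors.append("rules must be a non-empty list")
        rules = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            errors.append(f"rules[{i}] must be a mapping")
            continue
        for key in RULE_KEYS:
            if not isinstance(rule.get(key), list) or not rule[key]:
                errors.append(f"rules[{i}].{key} must be a non-empty list")
        unknown = set(rule.get("operations") or []) - VALID_OPERATIONS
        if unknown:
            errors.append(f"rules[{i}].operations contains unknown entries {sorted(unknown)}")
        # A wildcarded resource list sends every kind in those API groups to the
        # policy-server for evaluation; make that blast radius a conscious decision.
        if "*" in (rule.get("resources") or []):
            warnings.append(
                f"rules[{i}] uses resources ['*'] for apiGroups {rule.get('apiGroups')}; "
                "narrow it in the ClusterAdmissionPolicy unless that scope is intended"
            )

    ann = meta.get("annotations")
    if not isinstance(ann, dict):
        errors.append("annotations must be a mapping")
    else:
        for key, value in ann.items():
            if not isinstance(value, str):
                errors.append(f"annotation {key} must be a string, got {type(value).__name__}")
        for key in PAGE_ANNOTATIONS:
            if key not in ann:
                warnings.append(f"annotation {key} is missing")

    return errors, warnings


def load_metadata(path):
    """Parse a metadata.yaml from disk. Assumes PyYAML is installed."""
    import yaml  # imported here so validate_metadata runs without PyYAML
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


if __name__ == "__main__":
    import sys
    meta = load_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    errs, warns = validate_metadata(meta)
    for line in errs:
        print("error:", line)
    for line in warns:
        print("warning:", line)
    sys.exit(1 if errs else 0)
```

Run it as `python3 check_metadata.py metadata.yaml` in the same shell session you use for kwctl; a non-zero exit means the file needs fixing before `kwctl annotate`, while the warning about `resources: ["*"]` on the page's own metadata is expected and is the reminder to narrow the rules when you create the ClusterAdmissionPolicy later.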

Go ahead and annotate your policy:

$ kwctl annotate policy.wasm --metadata-path metadata.yaml --output-path annotated-policy.wasm

Now you can inspect the policy by running kwctl inspect annotated-policy.wasm.

Pushing the policy

Now that the policy is annotated you can push it to an OCI registry.

$ kwctl push annotated-policy.wasm
Policy successfully pushed

Your Rego policy, targeting the OPA framework, now has everything it needs to be deployed in production by creating a ClusterAdmissionPolicy. You can prepare that as well. First, pull the policy into the kwctl local store:

$ kwctl pull registry://
pulling policy...

Create a ClusterAdmissionPolicy from it. This operation uses the metadata stored in the policy to fill in the rules and the mutating flag:

$ kwctl manifest registry:// --type ClusterAdmissionPolicy
---
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: generated-policy
spec:
  module: "registry://"
  settings: {}
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - "*"
    resources:
    - "*"
    operations:
    - CREATE
  mutating: false

You can now use this ClusterAdmissionPolicy as a base and narrow its rules to the resources you actually want to evaluate, or deploy it to Kubernetes as is.