Build and run a Gatekeeper policy
You can build and run the policy in exactly the same way as a Rego policy targeting Open Policy Agent. The structure of your project is:
.
├── data
│  ├── default-ns.json
│  └── other-ns.json
└── policy.rego
1 directory, 3 files
Build​
Build the policy by running the opa
command:
$ opa build -t wasm -e policy/violation policy.rego
This builds the rego policy, with:
target
:wasm
. We want to build the policy for thewasm
target.entrypoint
:policy/violation
. The entry point is theviolation
rule inside thepolicy
package.policy.rego
: build and include thepolicy.rego
file.
The earlier command generates a bundle.tar.gz
file.
You can extract the Wasm module from it:
$ tar -xf bundle.tar.gz /policy.wasm
The project tree looks like the following:
.
├── bundle.tar.gz
├── data
│  ├── default-ns.json
│  └── other-ns.json
├── policy.rego
└── policy.wasm
1 directory, 5 files
You can now execute your policy.
Run​
Use kwctl
to run your policy as follows:
$ kwctl run -e gatekeeper --request-path data/other-ns.json policy.wasm | jq
{
"uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
"allowed": true
}
This is your resource created in the namespace called other
, it's accepted, as expected.
Now you can run a request that is rejected by the policy:
$ kwctl run -e gatekeeper --request-path data/default-ns.json policy.wasm | jq
{
"uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
"allowed": false,
"status": {
"message": "it is forbidden to use the default namespace"
}
}
You can see your Gatekeeper policy rejected this resource.