Build and run
Building and running the policy is done exactly the same way as a Rego policy targeting Open Policy Agent. The structure of our project is like:
.
├── data
│   ├── default-ns.json
│   └── other-ns.json
└── policy.rego
1 directory, 3 files
Build​
Let's build our policy by running the following opa command:
$ opa build -t wasm -e policy/violation policy.rego
What this does is build the rego policy, with:
- target:- wasm. We want to build the policy for the- wasmtarget.
- entrypoint:- policy/violation. The entry point is the- violationrule inside the- policypackage.
- policy.rego: build and include the- policy.regofile.
The previous command generates a bundle.tar.gz file. You can extract
the wasm module from it:
$ tar -xf bundle.tar.gz /policy.wasm
The project tree looks like the following:
.
├── bundle.tar.gz
├── data
│   ├── default-ns.json
│   └── other-ns.json
├── policy.rego
└── policy.wasm
1 directory, 5 files
We can now execute our policy!
Run​
Let's use kwctl to run our policy as follows:
$ kwctl run -e gatekeeper --request-path data/other-ns.json policy.wasm | jq
{
  "uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
  "allowed": true
}
Given that this is our resource created in the namespace called
other, this resource is accepted, as expected.
Now let's execute a request that will be rejected by the policy:
$ kwctl run -e gatekeeper --request-path data/default-ns.json policy.wasm | jq
{
  "uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
  "allowed": false,
  "status": {
    "message": "it is forbidden to use the default namespace"
  }
}
As you can see, our Gatekeeper policy rejected this resource as expected.