Skip to main content
Version: Next 🚧

Testing for policy authors

Kubewarden policies are regular programs compiled as WebAssembly (Wasm). As with any kind of program, good test coverage is important.

Policy authors can use their favorite development environments. You can use familiar tools, and testing frameworks to verify development.

These Kubewarden policies are examples written in Rust and Go:

They have test suites using standard testing for their development environments.

The policies use GitHub Actions for their CI pipelines.

End-to-end tests

You can also write tests that execute against the Wasm binary containing your policy. To do this without having to deploy a Kubernetes cluster you can use these tools:

  • bats: is to write tests and automate their execution.
  • kwctl: Kubewarden's default CLI tool that helps you with policy-related operations; pull, inspect, annotate, push, and run.

To use kwctl run you need the following:

  1. The Wasm binary file reference of the policy to run. The Kubewarden policy can be loaded from:
    • the local filesystem (file://)
    • a HTTP(s) server (https://
    • an OCI registry (registry://).
  2. The admission request object to test. You give it via the --request-path argument, or on stdin by setting --request-path to -.
  3. The policy settings for runtime as an inline JSON via --settings-json flag. Or a JSON, or a YAML file, loaded from the file system via --settings-path.

After the test kwctl, prints the ValidationResponse object to standard output.

This is how you use kwctl to test the Wasm binary of the ingress-policy mentioned previously:

$ curl 2> /dev/null | \
kwctl run \
--settings-json '{"allowPorts": [80], "denyPorts": [3000]}' \
--request-path - \
registry:// | jq

You can download pre-built binaries of kwctl here.

Using bats you can write a test that runs this command and looks for the expected outputs:

A bats test
@test "all is good" {
run kwctl run \
--request-path test_data/ingress-wildcard.json \
--settings-json '{"allowPorts": [80], "denyPorts": [3000]}' \

# this prints the output when one the checks below fails
echo "output = ${output}"

# settings validation passed
[[ "$output" == *"valid: true"* ]]

# request accepted
[[ "$output" == *"allowed: true"* ]]

You can put the code in a file, e2e.bats, for example, and then invoke bats by:

$ bats e2e.bats
✓ all is good

1 tests, 0 failures

This section of the documentation has more about writing end-to-end tests of your policies.