Building a policy for the wasm target is only half of the problem; it also needs to be executed.
The Open Policy Agent team has a dedicated page you can check in order to find out the built-in support level.
When building a Rego policy into a WebAssembly module, some of these built-in functions are implemented inside the Wasm file itself, regardless of the runtime (the built-ins marked with a green check in the previously linked table), while others have to be provided at execution time by the WebAssembly runtime evaluating the module.
The built-ins marked as SDK-dependent are the ones that the host (in this case, Kubewarden) has to implement. Open Policy Agent and Gatekeeper may use them depending on the needs of the policy. In any case, these built-ins are exposed to the policy, and any new or existing policy could depend on them.
There are still some built-ins that we do not provide yet. However, based on the policies we have seen in the open, the ones we already support should be enough for the majority of Kubernetes users.
This GitHub issue keeps track of the Rego built-ins we still have to implement. Feel free to comment over there to prioritize our work.
Executing policies with missing built-ins
When a policy is instantiated with
kwctl or with
the list of built-ins used by the policy will be inspected, and if any
of the used built-ins is missing, the program will abort execution,
logging a fatal error that reports which built-ins are missing.
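
A sketch of that load-time check, added here as an illustration and not taken from Kubewarden's code base. It assumes the OPA Wasm ABI, in which a compiled module reports the built-ins it needs as a JSON object of names to numeric ids through its `builtins` export and then calls the host by id; the host registry, function names and sample policies are constructed for the example.

```python
import json
import time


class MissingBuiltins(Exception):
    """Raised at load time when the host cannot satisfy the policy."""

    def __init__(self, names):
        self.names = sorted(names)
        super().__init__("missing built-ins: " + ", ".join(self.names))


# Hypothetical host registry (constructed, not Kubewarden's real list):
# built-in name -> host implementation. The bodies are simple stand-ins.
HOST_BUILTINS = {
    "sprintf": lambda fmt, args: fmt % tuple(args),
    "time.now_ns": lambda: time.time_ns(),
}


def resolve_builtins(required_json, host=HOST_BUILTINS):
    """Map each numeric id the module declares to a host function.

    Every missing name is collected so the error lists all of them, and no
    table is returned unless the whole set resolves. The policy is rejected
    before it can evaluate a single request (fail closed).
    """
    required = json.loads(required_json)
    missing = [name for name in required if name not in host]
    if missing:
        raise MissingBuiltins(missing)
    return {builtin_id: host[name] for name, builtin_id in required.items()}


def call_builtin(table, builtin_id, *args):
    """Dispatch by id, as the host side of opa_builtin0..opa_builtin4 does."""
    return table[builtin_id](*args)


# Constructed samples of what a module's `builtins` export could report.
OK_POLICY = '{"sprintf": 0, "time.now_ns": 1}'
BAD_POLICY = '{"sprintf": 0, "http.send": 1, "net.lookup_ip_addr": 2}'

if __name__ == "__main__":
    table = resolve_builtins(OK_POLICY)
    print(call_builtin(table, 0, "%s/%s", ["ns", "pod"]))
    try:
        resolve_builtins(BAD_POLICY)
    except MissingBuiltins as err:
        raise SystemExit(f"fatal: {err}")
```

Resolving the whole set at instantiation means an unsupported built-in surfaces as a startup error rather than as a failed evaluation in the middle of an admission request.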