We have written, built and run our Rego policy. Now it's time to distribute the policy.
Policies have to be annotated in order for them to be executed in the
policy-server, the component that executes the policies when running
in a Kubernetes cluster.
Annotating the policy
Annotating a policy is a process that enriches the policy metadata with relevant information like authorship, license, source code location and other important metadata such as rules, that describes what kind of resources this policy can understand and evaluate.
In order to annotate our policy let's write a simple
- apiGroups: [""]
io.kubewarden.policy.description: This policy will reject any resource created inside the default namespace
io.kubewarden.policy.author: The Kubewarden Authors
This policy is just an example.
You can write interesting descriptions about the policy here.
In this case, you can see several details:
- Rules: what resources this policy is targeting
- Mutating: whether this policy is mutating. In this case, is just validating.
- Context aware: whether this policy requires context from the cluster in order to evaluate the request.
- Execution mode: since this is a Rego policy it is mandatory to
specify what execution mode it expects:
gatekeeper. This policy is written in the
opastyle: returning a whole
- Annotations: metadata stored into the policy itself.
Let's go ahead and annotate our policy:
$ kwctl annotate policy.wasm --metadata-path metadata.yaml --output-path annotated-policy.wasm
Now you can
inspect the policy if you will by running
kwctl inspect annotated-policy.wasm.
Pushing the policy
Now that the policy is annotated we can push it to an OCI registry. Let's do that:
$ kwctl push annotated-policy.wasm registry.my-company.com/kubewarden/no-default-namespace:v0.0.1
Policy successfully pushed
Now our Rego policy targeting the OPA framework has everything it
needs to be deployed in production by creating a
ClusterAdmissionPolicy. Let's prepare that too. First, we have to
pull the policy into the
kwctl local store:
$ kwctl pull registry://registry.my-company.com/kubewarden/no-default-namespace:v0.0.1
Let's create a
ClusterAdmissionPolicy out of it. This operation will
take into account the metadata it has about the policy:
$ kwctl manifest registry://registry.my-company.com/kubewarden/no-default-namespace:v0.0.1 --type ClusterAdmissionPolicy
You can now use this
ClusterAdmissionPolicy as a base to target the
resources that you want, or deploy to Kubernetes as is.