Skip to main content
Version: 1.10

Distributing an OPA policy with Kubewarden

We have written, built and run our Rego policy. Now it's time to distribute the policy.

Policies have to be annotated in order for them to be executed in the policy-server, the component that executes the policies when running in a Kubernetes cluster.

Annotating the policy​

Annotating a policy is a process that enriches the policy metadata with relevant information like authorship, license, source code location and other important metadata such as rules, that describes what kind of resources this policy can understand and evaluate.

In order to annotate our policy let's write a simple metadata.yaml file:

rules:
- apiGroups: [""]
apiVersions: ["*"]
resources: ["*"]
operations: ["CREATE"]
mutating: false
contextAware: false
executionMode: opa
annotations:
io.kubewarden.policy.title: no-default-namespace
io.kubewarden.policy.description: This policy will reject any resource created inside the default namespace
io.kubewarden.policy.author: The Kubewarden Authors
io.kubewarden.policy.url: https://github.com/kubewarden/some-policy
io.kubewarden.policy.source: https://github.com/kubewarden/some-policy
io.kubewarden.policy.license: Apache-2.0
io.kubewarden.policy.usage: |
This policy is just an example.

You can write interesting descriptions about the policy here.

In this case, you can see several details:

  • Rules: what resources this policy is targeting
  • Mutating: whether this policy is mutating. In this case, is just validating.
  • Context aware: whether this policy requires context from the cluster in order to evaluate the request.
  • Execution mode: since this is a Rego policy it is mandatory to specify what execution mode it expects: opa or gatekeeper. This policy is written in the opa style: returning a whole AdmissionReview object.
  • Annotations: metadata stored into the policy itself.

Let's go ahead and annotate our policy:

$ kwctl annotate policy.wasm --metadata-path metadata.yaml --output-path annotated-policy.wasm

Now you can inspect the policy if you will by running kwctl inspect annotated-policy.wasm.

Pushing the policy​

Now that the policy is annotated we can push it to an OCI registry. Let's do that:

$ kwctl push annotated-policy.wasm registry.my-company.com/kubewarden/no-default-namespace:v0.0.1
Policy successfully pushed

Now our Rego policy targeting the OPA framework has everything it needs to be deployed in production by creating a ClusterAdmissionPolicy. Let's prepare that too. First, we have to pull the policy into the kwctl local store:

$ kwctl pull registry://registry.my-company.com/kubewarden/no-default-namespace:v0.0.1
pulling policy...

Let's create a ClusterAdmissionPolicy out of it. This operation will take into account the metadata it has about the policy:

$ kwctl manifest registry://registry.my-company.com/kubewarden/no-default-namespace:v0.0.1 --type ClusterAdmissionPolicy
---
apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
name: generated-policy
spec:
module: "registry://registry.my-company.com/kubewarden/no-default-namespace:v0.0.1"
settings: {}
rules:
- apiGroups:
- ""
apiVersions:
- "*"
resources:
- "*"
operations:
- CREATE
mutating: false

You can now use this ClusterAdmissionPolicy as a base to target the resources that you want, or deploy to Kubernetes as is.