Writing Policies
What is a Kubewarden policy
In this section we will explain what Kubewarden policies are by using some traditional computing analogies.
A Kubewarden policy can be seen as a regular program that does one job: it receives input data, performs some computation on it, and finally returns a response.
The input data are Kubernetes admission requests, and the result of the computation is a validation response, which tells Kubernetes whether to accept, reject or mutate the original input data.
All these operations are performed by a component of Kubewarden that is called policy-server.
The policy server doesn't bundle any data processing capability. All these capabilities are added at runtime via add-ons: the Kubewarden policies.
As a consequence, a Kubewarden policy can be seen as a traditional plug-in of the "policy server" program.
To recap:
- Kubewarden policies are plug-ins that expose a set of well-defined functionalities (validate a Kubernetes request object, validate policy settings provided by the user, ...) using a well-defined API
- Policy server is the "main" program that loads the plug-ins (aka policies) and leverages their exposed functionalities to validate or mutate Kubernetes requests
Writing Kubewarden policies consists of writing the validation business logic and then exposing it through a well-defined API.
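The following Go sketch shows only the "validation business logic" half of a policy: a pure function that takes the serialized input and returns a serialized verdict. It is an added example, not code from the Kubewarden project; the JSON field names of the input and response and the `exempt_namespaces` setting are assumptions made for illustration, and the wiring that exposes the function to the policy server is left out because it depends on the SDK of the chosen language.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed input shape: the admission request plus the user's settings.
type payload struct {
	Request struct {
		Namespace string `json:"namespace"`
		Object    struct {
			Spec struct {
				Containers []struct {
					Name            string `json:"name"`
					SecurityContext struct {
						Privileged bool `json:"privileged"`
					} `json:"securityContext"`
				} `json:"containers"`
			} `json:"spec"`
		} `json:"object"`
	} `json:"request"`
	Settings struct {
		Exempt []string `json:"exempt_namespaces"` // hypothetical setting
	} `json:"settings"`
}
// verdict builds the assumed response shape: accept/reject plus a reason.
func verdict(ok bool, msg string) []byte {
	out, _ := json.Marshal(map[string]interface{}{"accepted": ok, "message": msg})
	return out
}

// Validate is the policy's business logic: bytes in, bytes out, no I/O.
func Validate(in []byte) []byte {
	var p payload
	if json.Unmarshal(in, &p) != nil {
		return verdict(false, "malformed request") // fail closed
	}
	exempt := false
	for _, ns := range p.Settings.Exempt {
		exempt = exempt || ns == p.Request.Namespace
	}
	for _, c := range p.Request.Object.Spec.Containers {
		if c.SecurityContext.Privileged && !exempt {
			return verdict(false, fmt.Sprintf("container %q is privileged", c.Name))
		}
	}
	return verdict(true, "")
}
func main() { fmt.Println(string(Validate([]byte(`{"request":{"namespace":"dev"}}`)))) } // constructed input
```

Because the function does no I/O and rejects input it cannot parse, it can be unit-tested with constructed requests before it is ever compiled to WebAssembly.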
Programming language requirements
Kubewarden policies are delivered as WebAssembly binaries.
Policy authors can write policies using any programming language that supports WebAssembly as a compilation target. The list of supported languages is constantly evolving; this page provides a nice overview of the WebAssembly landscape.
Currently, WebAssembly doesn't have an official way to share complex data types between the host and a WebAssembly guest. To overcome this limitation, Kubewarden policies leverage the waPC project, which provides a bi-directional communication channel.
Because of that, your programming language of choice must provide a waPC guest SDK. If that's not the case, feel free to reach out. We can help you overcome this limitation.