Version: 1.7

Policy metadata

The Kubewarden metadata file, metadata.yaml, is the configuration file that carries the information and settings a policy needs to run inside Kubewarden. This page gives an overview of the purpose and usage of the metadata file.

The policy metadata.yaml file contains defaults for the policy, in addition to metadata such as author and description, set by the policy author. The file is used by the kwctl annotate command to, as the name suggests, annotate the .wasm file containing the policy, so that all the information required to run the policy travels with the module. More information about how to annotate the policy can be found in the Distributing Policies guide.

When policy users want to use a policy, they generate a YAML manifest using kwctl scaffold. This command reads the policy metadata embedded in the shipped Wasm module, performs sanity checks, and returns a YAML manifest that they can use as-is or adapt to their needs.

As a policy author, you can adapt the metadata.yaml file provided during the scaffolding of your policy.

See the following example of a metadata.yaml:

```yaml
rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations: ["CREATE"]
mutating: false
contextAwareResources: []
executionMode: kubewarden-wapc
backgroundAudit: true
annotations:
  # artifacthub specific:
  io.artifacthub.displayName: Policy Name
  io.artifacthub.resources: Pod
  io.artifacthub.keywords: pod, cool policy, kubewarden
  io.kubewarden.policy.ociUrl: ghcr.io/myorg/my-policy
  # kubewarden specific:
  io.kubewarden.policy.title: My policy
  io.kubewarden.policy.description: Short description
  io.kubewarden.policy.author: myself
  io.kubewarden.policy.url: https://github.com/yourorg/my-policy
  io.kubewarden.policy.source: https://github.com/yourorg/my-policy
  io.kubewarden.policy.license: Apache-2.0
  # The next two annotations are used in the policy report generated by the
  # Audit scanner. Severity indicates policy check result criticality and
  # Category indicates policy category. See more here at docs.kubewarden.io
  io.kubewarden.policy.severity: medium
  io.kubewarden.policy.category: Resource validation
```

1. Enabling Background Audit Checks:

The metadata file includes a flag, backgroundAudit, that enables the background audit checks for a specific policy. By default, this flag is set to true.

There are some policies that, due to the way they work or to the type of events they are interested in, should have this field set to false. More information can be found in the audit scanner documentation.

2. Defining Kubernetes Resources policies can access:

Within the metadata file, using the contextAwareResources field, users can define which Kubernetes resources the policy is allowed to access. For example, if the policy needs access to the Namespace resource, the policy author can define contextAwareResources as:

```yaml
[...]
contextAwareResources:
  - apiVersion: v1
    kind: Namespace
[...]
```

3. Specifying Policy Type: Mutating or Non-Mutating:

The metadata file contains a flag, mutating, that allows users to designate a policy as either mutating or non-mutating. A mutating policy modifies the incoming requests or the resources being managed. A non-mutating one observes and enforces restrictions without making any changes. This distinction is crucial in determining how policies interact with the Kubernetes resources and their impact on the cluster.

4. Defining Resource Type Targets:

The metadata file lets users define, in the rules field, the resource types to which the policy applies. This gives precise control over policy enforcement: a policy is applied only to the resource types its rules name, so it is targeted accurately and is never evaluated against unrelated resource types.