Skip to content

A template repository to quickly port a Open Policy Agent policy to Kubewarden

License

Notifications You must be signed in to change notification settings

kubewarden/opa-policy-template

Repository files navigation

Stable

opa-policy-template

This is a template repository that can be used to easily convert an existing Rego policy targeting the Open Policy Agent framework into a Kubewarden policy.

Don't forget to checkout Kubewarden's official documentation for more information about writing policies.

Introduction

Note well: the existing Rego code should not need to be rewritten.

These are the only requirements you have to fulfill:

  1. The policy evaluation must return a AdmissionReview response object. This is already a requirement for all the Open Policy Agent policies that are meant to be used with Kubernetes.
  2. The policy must be compiled into a WebAssembly module using the opa cli tool.
  3. The policy must be annotated via kwctl annotate.

This template repository contains an example policy that can be used as foundation for your policies, plus all the automation needed to implement the 2nd and 3rd points.

Implementation details

The actual policy is defined inside of the policy.rego file. This file defines a deny object that is later embedded into an AdmissionReview response.

The AdmissionReview object is defined inside of the utility/policy.rego file. You probably won't need to change this file.

Testing

The policy has some unit tests written using Rego, they can be found inside of the file policy_test.rego. The unit tests can be executed via the following command:

make test

The repository provides also a way to run end-to-end tests against the WebAssembly module produced by the compilation. These tests execute the policy using the WebAssembly runtime of Kubewarden.

The e2e tests are implemented using bats: the Bash Automated Testing System. The WebAssembly runtime is provided by the kwctl cli tool.

The end-to-end tests are defined inside of the e2e.bats file and can be run via this command:

make e2e-tests

Automation

This project contains GitHub Actions workflows.

They take care of the following automations:

  • Execute the Rego test suite
  • Build the Rego files into a single WebAssembly module
  • Annotate the WebAssembly module with Kubewarden's metadata
  • Execute end-to-end tests
  • Push events on the main branch lead the:
    • Push the annotated WebAssembly module to the GitHub Container Registry using the :latest tag.
  • The creation of git tags lead to:
    • Creation of the GitHub Release, holding the annotated WebAssembly module
    • Push the annotated WebAssembly module to the GitHub Container Registry using the :<git tag> tag.