Quick start
The SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) stack comprises:
- Some ClusterAdmissionPolicy resources: this is how policies are defined for Kubernetes clusters.
- Some PolicyServer resources: each represents a deployment of a SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) PolicyServer. Your administrator's policies are loaded and evaluated by the SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) PolicyServer.
- Some AdmissionPolicy resources: policies for a defined namespace.
- A deployment of a kubewarden-controller: this controller monitors the ClusterAdmissionPolicy resources and interacts with the SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) PolicyServer components.
The Kubernetes Custom Resource Definitions (CRDs) defined by SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) are described here.
Installation
Authentication
SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) policies can be retrieved from the GitHub container registry at https://ghcr.io. To use that registry with the SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) CLI you need to authenticate with a GitHub personal access token (PAT). GitHub's documentation guides you through creating one if you haven't already done so. Then you authenticate with a command like:
Deploy the SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) stack using helm charts as follows:

```shell
helm repo add kubewarden https://charts.kubewarden.io
helm repo update kubewarden
```
Install the following Helm charts inside the kubewarden namespace in your Kubernetes cluster:
- kubewarden-crds, which registers the ClusterAdmissionPolicy, AdmissionPolicy and PolicyServer Custom Resource Definitions, as well as the PolicyReport Custom Resource Definitions used by the audit scanner.
- kubewarden-controller, which installs the SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) controller and the audit scanner. If you need to disable the audit scanner component, check the audit scanner installation documentation page.
- kubewarden-defaults, which creates a PolicyServer resource named default. It can also install a set of recommended policies to secure your cluster by enforcing some well-known best practices.

```shell
helm install --wait -n kubewarden --create-namespace kubewarden-crds kubewarden/kubewarden-crds
helm install --wait -n kubewarden kubewarden-controller kubewarden/kubewarden-controller
helm install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults
```
The default configuration values are sufficient for most deployments. All options are documented here.
Main components
SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) has three main components which you will interact with:
- The PolicyServer
- The ClusterAdmissionPolicy
- The AdmissionPolicy
PolicyServer
A SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) PolicyServer is managed by the kubewarden-controller. Multiple PolicyServers can be deployed in the same Kubernetes cluster.
A PolicyServer validates incoming requests by executing SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) policies against them.
This is the default PolicyServer configuration:
```yaml
apiVersion: policies.kubewarden.io/v1
kind: PolicyServer
metadata:
  name: reserved-instance-for-tenant-a
spec:
  image: ghcr.io/kubewarden/policy-server:v1.3.0
  replicas: 2
  serviceAccountName: ~
  env:
    - name: KUBEWARDEN_LOG_LEVEL
      value: debug
```

Check the latest released
Overview of the attributes of the PolicyServer resource (the placeholders are the spec keys shown in the manifest above):

Required | Placeholder | Description
---|---|---
Y | image | The name of the container image
Y | replicas | The number of desired instances
N | serviceAccountName | The name of the
N | env | The list of environment variables
N | annotations | The list of annotations
Changing any of these attributes causes the PolicyServer Deployment to be rolled out with the new configuration.
ClusterAdmissionPolicy
The ClusterAdmissionPolicy resource is the core of the SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) stack. It defines how policies evaluate requests.
Enforcing policies is the most common operation which a Kubernetes administrator performs.
You can declare as many policies as you want; each targets one or more Kubernetes resources (that is, pods, Custom Resources and others).
You also specify the type of operations applied to the targeted resources. The operations available are CREATE, UPDATE, DELETE and CONNECT.
Default ClusterAdmissionPolicy configuration:
```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities
spec:
  policyServer: reserved-instance-for-tenant-a
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.9
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
      - CHOWN
    required_drop_capabilities:
      - NET_ADMIN
```
Overview of the attributes of the ClusterAdmissionPolicy resource (the placeholders are the spec keys shown in the manifest above):

Required | Placeholder | Description
---|---|---
N | policyServer | Identifies an existing
Y | module | The location of the SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) policy. The following schemes are allowed:
Y | resources | The Kubernetes resources evaluated by the policy
Y | operations | What operations for the previously given types should be forwarded to this admission policy by the API server for evaluation
Y | mutating | A boolean value that must be set to
N | settings | A free-form object that contains the policy configuration values
N | failurePolicy | The action to take if the request evaluated by a policy results in an error. The following options are allowed:

The ClusterAdmissionPolicy resources are registered with a
AdmissionPolicy
AdmissionPolicy is a namespace-wide resource. The policy processes only the requests that are targeting the Namespace where the AdmissionPolicy is defined. Other than that, there are no functional differences between the AdmissionPolicy and ClusterAdmissionPolicy resources.
AdmissionPolicy requires Kubernetes 1.21.0 or greater. This is because we're using the
The complete documentation of these Custom Resources can be found here or on docs.crds.dev.
Example: Enforce your first policy
We will use the pod-privileged policy.
We want to prevent the creation of privileged containers inside our Kubernetes cluster by enforcing this policy.
Let's define a ClusterAdmissionPolicy to do that:
```shell
kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: privileged-pods
spec:
  module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.2.2
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: false
EOF
```

This produces the following output:

```
clusteradmissionpolicy.policies.kubewarden.io/privileged-pods created
```
When a ClusterAdmissionPolicy is defined, its status is set to pending, and it forces a rollout of the targeted PolicyServer.
In our example, it's the PolicyServer named default. You can monitor the rollout by running the following command:

```shell
kubectl get clusteradmissionpolicy.policies.kubewarden.io/privileged-pods
```

You should see the following output:

```
NAME              POLICY SERVER   MUTATING   STATUS
privileged-pods   default         false      pending
```
Once the new policy is ready to be served, the kubewarden-controller will register a ValidatingWebhookConfiguration object.
The ClusterAdmissionPolicy status will be set to active once the Deployment is done for every PolicyServer instance.
Show ValidatingWebhookConfigurations with the following command:

```shell
kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io -l kubewarden
```

You should see the following output:

```
NAME                          WEBHOOKS   AGE
clusterwide-privileged-pods   1          9s
```
Once the ClusterAdmissionPolicy is active and the ValidatingWebhookConfiguration is registered, you can test the policy.
First, let's create a Pod with a Container not in privileged mode:

```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: unprivileged-pod
spec:
  containers:
    - name: nginx
      image: nginx:latest
EOF
```

This produces the following output:

```
pod/unprivileged-pod created
```

The Pod is successfully created.
Now, let's create a Pod with at least one Container that sets the privileged flag:

```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name: nginx
      image: nginx:latest
      securityContext:
        privileged: true
EOF
```

The creation of the Pod is denied by the policy and you should see the following message:

```
Error from server: error when creating "STDIN": admission webhook "clusterwide-privileged-pods.kubewarden.admission" denied the request: Privileged container is not allowed
```
Both examples didn't define a
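To make the two policy configurations on this page concrete (the psp-capabilities settings shown in the ClusterAdmissionPolicy section and the privileged-pods policy enforced above), here is an added Python example that re-implements locally an approximation of what each policy decides for a Pod manifest. It is not the policies' own code (those are WebAssembly modules run by the PolicyServer), and the Pod manifests and the capabilities message are constructed for illustration; only the "Privileged container is not allowed" denial comes from the page.

```python
# Added, constructed example: a local approximation of what the two policies on this
# page decide, so the outcome can be studied without a cluster. It is NOT the policies'
# own code (those are WebAssembly modules run by the PolicyServer); inputs are constructed.
import copy

def _all_containers(pod):
    """Yield every container of a Pod spec, including init and ephemeral containers."""
    spec = pod.get("spec") or {}
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field) or []

def validate_pod_privileged(pod):
    """Like the privileged-pods ClusterAdmissionPolicy (mutating: false):
    returns (allowed, message); the message is the denial shown on this page."""
    for c in _all_containers(pod):
        if (c.get("securityContext") or {}).get("privileged") is True:
            return False, "Privileged container is not allowed"
    return True, ""

def mutate_psp_capabilities(pod, settings):
    """Approximates psp-capabilities (mutating: true): reject capabilities added
    outside allowed_capabilities, and add required_drop_capabilities to each
    container's drop list. Returns (allowed, message, resulting_pod)."""
    allowed = set(settings.get("allowed_capabilities", []))
    required_drop = set(settings.get("required_drop_capabilities", []))
    patched = copy.deepcopy(pod)  # never mutate the caller's object
    for c in _all_containers(patched):
        sc = c["securityContext"] = c.get("securityContext") or {}
        caps = sc["capabilities"] = sc.get("capabilities") or {}
        disallowed = set(caps.get("add") or []) - allowed
        if disallowed:
            return False, f"capabilities not allowed: {sorted(disallowed)}", pod
        caps["drop"] = sorted(set(caps.get("drop") or []) | required_drop)
    return True, "", patched

# Constructed inputs mirroring the manifests on this page.
SETTINGS = {"allowed_capabilities": ["CHOWN"], "required_drop_capabilities": ["NET_ADMIN"]}
UNPRIVILEGED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "unprivileged-pod"},
                    "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]}}
PRIVILEGED_POD = copy.deepcopy(UNPRIVILEGED_POD)
PRIVILEGED_POD["metadata"]["name"] = "privileged-pod"
PRIVILEGED_POD["spec"]["containers"][0]["securityContext"] = {"privileged": True}
CAPS_POD = copy.deepcopy(UNPRIVILEGED_POD)
CAPS_POD["spec"]["containers"][0]["securityContext"] = {"capabilities": {"add": ["CHOWN", "SYS_ADMIN"]}}

if __name__ == "__main__":
    print(validate_pod_privileged(UNPRIVILEGED_POD))        # (True, '')
    print(validate_pod_privileged(PRIVILEGED_POD))          # (False, 'Privileged container is not allowed')
    print(mutate_psp_capabilities(CAPS_POD, SETTINGS)[:2])  # (False, "capabilities not allowed: ['SYS_ADMIN']")
```

Running the mutating function on the unprivileged Pod shows what a mutating policy returns to the API server: the same Pod with NET_ADMIN appended to the container's drop list, while the original object is left untouched.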
Uninstall
You can remove the resources created by uninstalling the helm charts as follows:

```shell
helm uninstall --namespace kubewarden kubewarden-defaults
helm uninstall --namespace kubewarden kubewarden-controller
helm uninstall --namespace kubewarden kubewarden-crds
```
Once the helm charts have been uninstalled, remove the Kubernetes namespace that was used to deploy the SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) stack:

```shell
kubectl delete namespace kubewarden
```
SUSE® Rancher Prime: Admission Policy Manager (Kubewarden) contains a helm pre-delete hook that removes all
The ValidatingWebhookConfigurations and MutatingWebhookConfigurations created by kubewarden should have been deleted; verify this with:

```shell
kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io -l "kubewarden"
kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io -l "kubewarden"
```

If these resources were not removed automatically, remove them manually with the following commands:

```shell
kubectl delete -l "kubewarden" validatingwebhookconfigurations.admissionregistration.k8s.io
kubectl delete -l "kubewarden" mutatingwebhookconfigurations.admissionregistration.k8s.io
```
Wrapping up
ClusterAdmissionPolicy is the core resource that a cluster operator has to manage. The kubewarden-controller module automatically takes care of the configuration for the rest of the resources needed to run the policies.
What’s next?
Now, you are ready to deploy SUSE® Rancher Prime: Admission Policy Manager (Kubewarden)! Have a look at the policies on artifacthub.io, on GitHub, or reuse existing Rego policies as shown in the following chapters.