This is unreleased documentation for Policy Manager 1.28-next.

Policy settings

Policy behavior isn’t rigid, you can configure it by providing configuration details to the policy at runtime. The policy author has the freedom to define the structure of policy settings.

Kubewarden takes care of serializing the policy settings into JSON and provides them to the policy each time it’s invoked.

Settings validation

Policies should validate the settings a user provides to check correctness.

Each policy registers a waPC function called validate_settings that validates the policy settings.

The validate_settings function receives as input a JSON representation of the settings provided by the user. This function validates them and returns as a response a SettingsValidationResponse object.

The structure of the SettingsValidationResponse object is:

{
  # mandatory
  "valid": <boolean>,

  # optional, ignored if accepted - recommended for rejections
  "message": <string>,
}

If the user provided settings are valid, validate_settings ignores the message contents. Otherwise, validate_settings displays the message contents.

Kubewarden’s policy-server validates all the policy settings provided by users at start time. The policy-server exits immediately with an error if at least one of its policies received wrong configuration parameters.

Example

As an example, consider the psp-capabilities policy which has the following configuration format:

allowed_capabilities:
- CHOWN

required_drop_capabilities:
- NET_ADMIN

default_add_capabilities:
- KILL

The validate_settings function receives as input the following JSON document:

{
  "allowed_capabilities": [
    "CHOWN"
  ],
  "required_drop_capabilities": [
    "NET_ADMIN"
  ],
  "default_add_capabilities": [
    "KILL"
  ]
}

Recap

Each policy must register a waPC function, validate_settings.