Creating a policy

As an example, you create a simple validation policy that processes Pod creation requests.

The policy looks at the metadata.name attribute of the Pod and rejects pods having an invalid name. It’s list of invalid names should be configurable by end users of the policy.

The policy settings look something like:

invalid_names:
- bad_name1
- bad_name2

The policy should accept the creation of a Pod like the following one:

apiVersion: v1
kind: Pod
metadata:
// highlight-next-line
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx:latest

It should reject the creation of a Pod like:

apiVersion: v1
kind: Pod
metadata:
// highlight-next-line
  name: bad_name1
spec:
  containers:
    - name: nginx
      image: nginx:latest

Scaffolding the new policy project

You can create a new policy project by using cargo generate with the template project.

First, install cargo-generate. This requires openssl-devel.

cargo install cargo-generate

Now scaffold the project as follows:

cargo generate --git https://github.com/kubewarden/rust-policy-template \
               --branch main \
               --name demo

The command produces output like:

🔧   Creating project called `demo`...
✨   Done! New project created /<some-path-name>/demo

This creates the new policy project in the demo sub-directory.

If you plan to make use of the GitHub container registry functionality in the demo, you need to enable improved container support.

Testing

You can try:

cargo test

This tests the generated scaffolding. If everything is correctly in place you’ll see a series of compilation messages ending with output like:

running 4 tests
test settings::tests::validate_settings ... ok
test tests::accept_request_with_non_pod_resource ... ok
test tests::accept_pod_with_valid_name ... ok
test tests::reject_pod_with_invalid_name ... ok

test result: ok. 4 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s