Build and run a OPA policy for Kubewarden
In the previous section you wrote your Rego policy. The structure looks like:
.
├── data
│ ├── default-ns.json
│ └── other-ns.json
├── policy.rego
└── request.rego
1 directory, 4 files
Build
To build:
$ opa build -t wasm -e policy/main policy.rego request.rego
This builds the rego policy, with:
-
target
:wasm
. You want to build the policy for thewasm
target. -
entrypoint
:policy/main
. The entry point is themain
rule inside thepolicy
package. -
policy.rego
: Build and include thepolicy.rego
file. -
request.rego
: Build and include therequest.rego
file.
After the build completes, opa build
has generated a bundle.tar.gz
file.
You can extract it:
$ tar -xf bundle.tar.gz /policy.wasm
Now the tree looks like the following:
.
├── bundle.tar.gz
├── data
│ ├── default-ns.json
│ └── other-ns.json
├── policy.rego
├── policy.wasm
└── request.rego
1 directory, 6 file
You have your policy.wasm
file:
$ file policy.wasm
policy.wasm: WebAssembly (wasm) binary module version 0x1 (MVP)
Now you run it.
Run
Use kwctl
to run the policy:
$ kwctl run -e opa --request-path data/other-ns.json policy.wasm | jq
{
"uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
"allowed": true
}
This request is accepted by the policy,
since this is the request pointing to the other
namespace.
-
execution-mode
:opa
. Rego policies can be targeting Open Policy Agent or Gatekeeper. You must tellkwctl
what kind of policy you’re running. -
request-path
: The location of the recorded request thatkwctl
sends the policy to for evaluation.
Now try to evaluate the request that creates the pod inside the default
namespace:
$ kwctl run -e opa --request-path data/default-ns.json policy.wasm | jq
{
"uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
"allowed": false,
"status": {
"message": "it is forbidden to use the default namespace"
}
}
The policy is rejecting the request, giving a reason back to the API server that’s returned to the user or API consumer.