Manage admission policies in your Kubernetes cluster with ease.

anserhyb/kubewarden-controller

Kubewarden is a Kubernetes Dynamic Admission Controller that uses policies written in WebAssembly.

For more information refer to the official Kubewarden website.

kubewarden-controller

kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies.

The kubewarden-controller will reconcile the admission policies you have registered against the Kubernetes webhooks of the cluster where it is deployed.

Installation

The kubewarden-controller can be deployed using a helm chart:

$ helm repo add kubewarden https://charts.kubewarden.io
$ helm install --create-namespace -n kubewarden kubewarden-controller kubewarden/kubewarden-controller

This will install kubewarden-controller on the Kubernetes cluster in the default configuration.

The default configuration values should be good enough for the majority of deployments; all the options are documented here.

Usage

Once the kubewarden-controller is up and running, Kubewarden policies can be defined via the ClusterAdmissionPolicy resource.

The documentation of this Custom Resource can be found here or on docs.crds.dev.

Note well: ClusterAdmissionPolicy resources are cluster-wide.

Deploy your first admission policy

The following snippet defines a Kubewarden Policy based on the psp-capabilities policy:

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities
spec:
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
      - CREATE
      - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
    - CHOWN
    required_drop_capabilities:
    - NET_ADMIN

This ClusterAdmissionPolicy will evaluate all the CREATE and UPDATE operations performed against Pods. The homepage of this policy provides more insights about how this policy behaves.

Creating the resource inside Kubernetes is sufficient to enforce the policy:

$ kubectl apply -f https://raw.githubusercontent.com/kubewarden/kubewarden-controller/main/config/samples/policies_v1alpha2_clusteradmissionpolicy.yaml
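The manifest above is easy to get subtly wrong (a floating module tag, a rule set that never matches CREATE, settings that do not do what you expect). The following Python example is added here and is not part of the kubewarden-controller project or the psp-capabilities policy; it lints a ClusterAdmissionPolicy expressed as a Python dict and then simulates, against two constructed Pod specs, the capability checks the settings in the README configure. The simulation is a simplified model (an assumption) of how allowed_capabilities and required_drop_capabilities behave; the real policy runs as WebAssembly inside the Kubewarden policy server, and its homepage is the authority on edge cases.

```python
"""Added example, not Kubewarden's own code: lint a ClusterAdmissionPolicy
manifest and simulate the psp-capabilities capability checks it configures.

The evaluation below is a simplified model (an assumption) of the policy's
documented behaviour, useful for reasoning about settings before deploying.
"""
import copy

# Constructed Python equivalent of the ClusterAdmissionPolicy manifest shown in the README.
POLICY = {
    "apiVersion": "policies.kubewarden.io/v1alpha2",
    "kind": "ClusterAdmissionPolicy",
    "metadata": {"name": "psp-capabilities"},
    "spec": {
        "module": "registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3",
        "rules": [{
            "apiGroups": [""], "apiVersions": ["v1"], "resources": ["pods"],
            "operations": ["CREATE", "UPDATE"],
        }],
        "mutating": True,
        "settings": {
            "allowed_capabilities": ["CHOWN"],
            "required_drop_capabilities": ["NET_ADMIN"],
        },
    },
}

# Constructed sample Pods: one within policy, one adding a capability that is not allowed.
SAMPLE_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "app", "securityContext": {"capabilities": {"add": ["CHOWN"]}}}]}}
BAD_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "net", "securityContext": {"capabilities": {"add": ["CHOWN", "NET_RAW"]}}}]}}


def lint_policy(policy):
    """Return a list of findings for a ClusterAdmissionPolicy dict (empty means clean)."""
    findings = []
    if policy.get("kind") != "ClusterAdmissionPolicy":
        findings.append("kind must be ClusterAdmissionPolicy")
    spec = policy.get("spec", {})
    # A floating or missing tag means the enforced policy code can change underneath you.
    ref = spec.get("module", "").split("://", 1)[-1]
    tag = ref.rsplit(":", 1)[1] if ":" in ref else ""
    if not tag or "/" in tag or tag == "latest":
        findings.append("module should be pinned to an immutable tag, not latest")
    rules = spec.get("rules", [])
    if not rules:
        findings.append("rules is empty, so the policy is never invoked")
    ops = {op for rule in rules for op in rule.get("operations", [])}
    if "CREATE" not in ops:
        findings.append("rules do not cover CREATE; new objects are never evaluated")
    return findings


def evaluate_pod(pod, spec):
    """Simulate the policy (assumed semantics) against a Pod dict.

    Returns (accepted, reasons, pod_after). When the policy is mutating and the
    request is accepted, pod_after carries the required drops; otherwise the
    original Pod is returned unchanged.
    """
    settings = spec.get("settings", {})
    mutating = bool(spec.get("mutating", False))
    allowed = set(settings.get("allowed_capabilities", []))
    required_drop = list(settings.get("required_drop_capabilities", []))
    reasons = []
    patched = copy.deepcopy(pod)
    for c in patched["spec"].get("containers", []):
        caps = c.setdefault("securityContext", {}).setdefault("capabilities", {})
        extra = sorted(set(caps.get("add", [])) - allowed)
        if extra:
            reasons.append(f"container {c['name']} adds non-allowed capabilities {extra}")
        drops = list(caps.get("drop", []))
        missing = [d for d in required_drop if d not in drops]
        if missing:
            if mutating:
                caps["drop"] = drops + missing  # patch the request instead of rejecting
            else:
                reasons.append(f"container {c['name']} must drop {missing}")
    accepted = not reasons
    return accepted, reasons, patched if (accepted and mutating) else pod


if __name__ == "__main__":
    print("lint findings:", lint_policy(POLICY))
    for name, pod in (("SAMPLE_POD", SAMPLE_POD), ("BAD_POD", BAD_POD)):
        ok, why, after = evaluate_pod(pod, POLICY["spec"])
        print(name, "accepted" if ok else "rejected", why,
              after["spec"]["containers"][0]["securityContext"]["capabilities"])
```

Running the script lints the README manifest cleanly, shows SAMPLE_POD accepted with NET_ADMIN added to its drop list, and shows BAD_POD rejected because NET_RAW is not in allowed_capabilities. Flipping mutating to false in the spec makes the simulator reject SAMPLE_POD as well, which is a useful reminder that a mutating policy deployed in non-mutating mode turns patches into denials.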

Remove your first admission policy

You can delete the admission policy you just created:

$ kubectl delete clusteradmissionpolicy psp-capabilities

Learn more

The official documentation provides more insights about how the project works and how to use it.
