Closed brunorene closed 11 months ago
We definitely see the value in implementing this feature. We haven't added that yet because we are prioritizing the work on Rego based on community feedback.
Right now we're busy with the release process of Kubewarden 1.7.0; we will come back to evaluate this request once the release is done.
Thanks!
Linked issues that belong to this EPIC:
Implemented, this is part of Kubewarden 1.9.0 which has just been released
Is your feature request related to a problem?
I am thinking about using Kubewarden to create security policies on our Kubernetes policies. I used Gatekeeper before and I found Kubewarden has enough better features (1 webhook per policy, multi-language support for policies, metrics, ...) to justify the move. My only issue is the lack of context-awareness support on Rego policies. I wanted to move our Gatekeeper policies from Gatekeeper into Kubewarden directly, but some policies need to be rewritten into Go. It is not a huge effort, but in the long term, if I want to support more policies, I will always need to plan some time to rewrite policies that need context-awareness. It would make Kubewarden much more attractive for other people that like using Rego to write policies. Also, I feel that there is a little bit of movement on some corporations to make Rego the go-to language to write policies. I much prefer Go for that, but again, having complete support of Rego policies would make Kubewarden even more attractive to that community.
Solution you'd like
Just support context awareness the same way Gatekeeper does, by adding resource information into the data.inventory structure. The configuration of the resources available on the context awareness can be exactly the same as other policies, through the contextAwareResources field on the Admission Policies.
Alternatives you've considered
Well, the only alternative is rewriting the policies... which can have varying degrees of effort, depending on how complex a policy is.
Anything else?
There are tech and security companies betting on Rego as the go-to policy language. Having full support for Rego would put Kubewarden on a level playing field with those other companies. Even if the main goal is to write policies in Go or Rust. It would make migrations into Kubewarden extremely easy to sell and easy to do.
Some companies I found:
Again, I find your decision to recommend Go and Rust as languages to write policies is great, but like I said before, Kubewarden would be a much easier sell if it had full Rego support. Thanks!
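An added example, not code from the issue or from the Kubewarden project: a Gatekeeper-style Rego rule of the kind this request is about, which cannot be evaluated from the admission request alone because it compares the Ingress under review with Ingresses already in the cluster through data.inventory. It assumes the engine fills data.inventory in Gatekeeper's layout and that Ingress is among the resources made available to the policy; the package name and message text are illustrative.

```rego
package example.uniqueingresshost

# Gatekeeper inventory layout (assumed to be provided by the engine):
#   namespaced:     data.inventory.namespace[<namespace>][<groupVersion>][<kind>][<name>]
#   cluster-scoped: data.inventory.cluster[<groupVersion>][<kind>][<name>]

# Reject an Ingress whose host is already claimed by a different Ingress
# anywhere in the cluster.
violation[{"msg": msg}] {
    input.review.kind.kind == "Ingress"

    # Every host declared by the object under review.
    host := input.review.object.spec.rules[_].host

    # Every Ingress known to the inventory, in any namespace and API version.
    other := data.inventory.namespace[other_ns][_]["Ingress"][other_name]
    other.spec.rules[_].host == host

    # An update of the same object must not conflict with itself.
    not same_object(other_ns, other_name)

    msg := sprintf(
        "ingress host %v is already used by %v/%v",
        [host, other_ns, other_name],
    )
}

# True when the inventory entry is the object being admitted.
same_object(ns, name) {
    ns == input.review.object.metadata.namespace
    name == input.review.object.metadata.name
}
```

Without the inventory data the rule body never matches, so the policy silently allows every request; a policy ported from Gatekeeper should therefore be checked against a cluster that already holds a conflicting object.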