kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

Feature Request: Support context-awareness on policies written in Rego #513

Closed brunorene closed 11 months ago

brunorene commented 1 year ago

Is your feature request related to a problem?

I am thinking about using Kubewarden to create security policies on our Kubernetes policies. I used Gatekeeper before and I found Kubewarden has enough better features (1 webhook per policy, multi-language support for policies, metrics, ...) to justify the move. My only issue is the lack of context-awareness support on Rego policies. I wanted to move our Gatekeeper policies from Gatekeeper into Kubewarden directly, but some policies need to be rewritten into Go. It is not a huge effort, but in the long term, if I want to support more policies, I will always need to plan some time to rewrite policies that need context-awareness. It would make Kubewarden much more attractive for other people that like using Rego to write policies. Also, I feel that there is a little bit of movement in some corporations to make Rego the go-to language to write policies. I much prefer Go for that, but again, having complete support of Rego policies would make Kubewarden even more attractive to that community.

Solution you'd like

Just support context awareness the same way Gatekeeper does, by adding resource information into the `data.inventory` structure. The configuration of the resources available on the context awareness can be exactly the same as other policies, through the `contextAwareResources` field on the Admission Policies.

Alternatives you've considered

Well, the only alternative is rewriting the policies... which can have varying degrees of effort, depending on how complex a policy is.

Anything else?

There are tech and security companies betting on Rego as the go-to policy language. Having full support for Rego would put Kubewarden on a level playing field with those other companies. Even if the main goal is to write policies in Go or Rust. It would make migrations into Kubewarden extremely easy to sell and easy to do.

Some companies I found:

Again, I find your decision to recommend Go and Rust as languages to write policies is great, but like I said before, Kubewarden would be a much easier sell if it had full Rego support. Thanks!

flavio commented 1 year ago

We definitely see the value in implementing this feature. We haven't added that yet because we are prioritizing the work on Rego based on community feedback.

Right now we're busy with the release process of Kubewarden 1.7.0, we will come back to evaluate this request once the release is done.

Thanks!

flavio commented 1 year ago

Linked issues that belong to this EPIC:

flavio commented 11 months ago

Implemented, this is part of Kubewarden 1.9.0, which has just been released.