Open flavio opened 2 weeks ago
Weaveworks uses the Docker image `weaveworks/polctl` to automate generating, testing, documenting and releasing the policies (repo here). The repo uses `openpolicyagent/opa` to test the policies. Since we already use `opa` to build as a wasm target, I find it a good compromise to keep that workflow.
Weavework policies are marked with `spec.standards`. The list of available standards is in `./standards` (example), and the policies have `spec.standards`. For now, transform these into `metadata.annotations`.
The policies are Rego gatekeeper policies.
The end result is a forked monorepo with the following format:

```
$ tree
.
├── LICENSE
├── artifacthub-repo.yml
├── policy1/
│   └── 0.1.0/
│       ├── README.md
│       ├── tests/
│       │   └── deployment.yaml
│       ├── policy.rego
│       ├── Makefile
│       ├── metadata.yml
│       └── artifacthub-pkg.yml
└── policy2/
...
```
Example for one policy in https://github.com/viccuad/rego-policies.

For that:

- [ ] Per policy in `examples/`, `policies/`, do a 1-time conversion:
  - `Makefile` from disallow-service-loadbalander-policy. Should be adapted to run rego tests with `opa` from `./tests`. Not all policies have a `./tests/policy_test.rego`.
  - `README.md` from `policy.yaml`, by reusing the following fields in a template: `metadata.name` with the `weave.policies` prefix removed, `spec.name`, `description`, `how_to_solve`, `tags`.
  - `metadata.yml` from `policy.yaml`, by reusing the following fields from the Weaveworks policy:
    - `spec.id`, without the prefix `weave.policies`, as annotations `io.kubewarden.policy.title`, `io.kubewarden.policy.ociUrl: ghcr.io/kubewarden/policies/<id>`, `io.kubewarden.policy.url: https://github.com/kubewarden/<id>`.
    - `io.kubewarden.policy.url` and `io.kubewarden.policy.source` hardcoded to the Rego monorepo for these policies (e.g. https://github.com/kubewarden/rego-policies).
    - `spec.category` as annotation `io.kubewarden.policy.category`, without the prefix `weave.category`.
    - `spec.severity` as annotation `io.kubewarden.policy.severity`.
    - `spec.standards` as annotation `io.kubewarden.policy.standards`, where each element in the `controls` array is a new annotation, and it is commented out until we evaluate further. The list of available standards is in `./standards` (example).
    - `spec.description` as annotation `io.kubewarden.policy.description`.
    - `spec.targets` into `rules` and the annotation `io.artifacthub.resources`, by computing the list of resources. This translation is not trivial.
  - `policy.rego`: `package` for all rego files, including tests (e.g. `package policy`).
  - `./tests/`, which will get run by `make tests`.
  - `artifacthub-pkg.yml` following artifacthub docs. Generated by our Makefile.

Weavework policies are marked with `spec.standards`. The list of available standards is in `./standards` (example).
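As an added example (not code from the issue or from the rego-policies repo), the metadata.yml annotation mapping listed above written as a script: the `weave.policies` and `weave.category` prefixes are stripped, `url` and `source` are hardcoded to the monorepo, and the standards controls come out as commented-out annotations. The sample policy is constructed, the per-control annotation key shape is an assumption the issue leaves open, and `spec.targets` -> `rules` is left out because the issue calls it non-trivial.

```python
import json

# Added example, not code from the issue: the one-time mapping of Weaveworks policy.yaml
# fields to io.kubewarden.* annotations in metadata.yml. spec.targets -> rules is left out.
WEAVE_POLICY_PREFIX = "weave.policies."
WEAVE_CATEGORY_PREFIX = "weave.category."
REGO_MONOREPO_URL = "https://github.com/kubewarden/rego-policies"  # url and source are hardcoded

# Constructed sample shaped like a parsed Weaveworks policy.yaml (not a real policy).
SAMPLE_POLICY = {
    "spec": {
        "id": "weave.policies.containers-running-as-root",
        "category": "weave.category.pod-security",
        "severity": "high",
        "description": "Containers must not run as root.",
        "standards": [{"id": "weave.standards.pci-dss", "controls": ["weave.controls.pci-dss.2.2.4"]}],
    },
}

def strip_prefix(value, prefix):
    # Only strip when the prefix is really present, so an id without it is kept intact.
    return value[len(prefix):] if value.startswith(prefix) else value

def kubewarden_annotations(policy):
    """Return (annotations dict, commented-out standards lines) for metadata.yml."""
    spec = policy["spec"]
    policy_id = strip_prefix(spec["id"], WEAVE_POLICY_PREFIX)
    annotations = {
        "io.kubewarden.policy.title": policy_id,
        "io.kubewarden.policy.ociUrl": f"ghcr.io/kubewarden/policies/{policy_id}",
        "io.kubewarden.policy.url": REGO_MONOREPO_URL,
        "io.kubewarden.policy.source": REGO_MONOREPO_URL,
        "io.kubewarden.policy.category": strip_prefix(spec["category"], WEAVE_CATEGORY_PREFIX),
        "io.kubewarden.policy.severity": spec["severity"],
        "io.kubewarden.policy.description": spec["description"],
    }
    commented = []  # standards stay commented out until they are evaluated further
    for standard in spec.get("standards", []):
        commented.append(f"# io.kubewarden.policy.standards: {standard['id']}")
        # Assumed key shape: each control becomes its own annotation, keyed by the control id.
        commented += [f'# {control}: "true"' for control in standard.get("controls", [])]
    return annotations, commented

def render_metadata_annotations(policy):
    """Render the annotations block of metadata.yml; values are JSON-quoted, which is valid YAML."""
    annotations, commented = kubewarden_annotations(policy)
    lines = ["annotations:"] + [f"  {k}: {json.dumps(v)}" for k, v in annotations.items()]
    lines += [f"  {line}" for line in commented]
    return "\n".join(lines) + "\n"
```

Run `print(render_metadata_annotations(SAMPLE_POLICY))` to see the block that would land in a converted policy's metadata.yml.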
Manually mark the converted policies with annotation `io.kubewarden.policy.category: Best practices RBAC` for those policies listed in `./goodpractices`.

CI & CD: I found no way to programmatically create jobs. Hence the jobs will go through all repos when they are called. To release, for each policy folder, if no git tag matching the policy id and version, build and push the annotated-policy.wasm as usual.

`spec.standards`. For these to be valid, the data structure of the k8s deployment needs to match the expected layout (e.g. expecting users to deploy things segregated by namespaces, and in a specific way).
Spike: about how to convert all these policies to Kubewarden
Define: