Allow to annotate policies with a specific runtime

kubewarden / kwctl

Go-to CLI tool for Kubewarden users

https://kubewarden.io

Apache License 2.0

73 stars 15 forks source link

Allow to annotate policies with a specific runtime #57

Closed ereslibre closed 3 years ago

ereslibre commented 3 years ago

Depends on: https://github.com/kubewarden/policy-evaluator/issues/21

Allow to annotate policies with a specific execution model, of the three:

Kubewarden + waPC
OPA
OPA Gatekeeper

This information has to be provided as part of the metadata in the --metadata-path argument.

flavio commented 3 years ago

I would also add that annotate should do a quick heuristic against the policy to understand whether this is a Rego vs Kubewarden policy. If the user tries to annotate a Kubewarden policy as OPA/Gatekepper, the annotate command should exit with an error.

The heuristic can leverage these facts:

Rego based policies have the OPA ABI constants defined
Kubewarden policies must implement the policy protocol guest call

flavio commented 3 years ago

Implemented via https://github.com/kubewarden/kwctl/pull/60