kubewarden / rust-policy-template

A Kubewarden rust policy template to be used with cargo-generate
https://kubewarden.io
Apache License 2.0

Add metadata.yml file to the template #8

Closed flavio closed 3 years ago

flavio commented 3 years ago

The project should be created with a metadata.yml file that looks like:

```yaml
rules:
- apiGroups: [""]
  apiVersions: ["v1"]
  resources: ["pods"]
  operations: ["CREATE", "UPDATE"]
mutating: false
labels:
  production: false
annotations:
  name.castelli.hello: world
  io.kubewarden.policy.title: psp-apparmor
  io.kubewarden.policy.description: Replacement for the Kubernetes Pod Security Policy that controls the usage of AppArmor profiles
  io.kubewarden.policy.author: Flavio Castelli
  io.kubewarden.policy.url: https://github.com/kubewarden/psp-apparmor
  io.kubewarden.policy.source: https://github.com/kubewarden/psp-apparmor
  io.kubewarden.policy.license: Apache-2.0
  io.kubewarden.policy.usage: |
    This policy works by defining a whitelist of allowed AppArmor profiles. Pods are then inspected at creation and update time, to ensure only approved profiles are used.

    When no AppArmor profile is defined, Kubernetes will leave the final choice to the underlying container runtime. This will result in using the default AppArmor profile provided by Container Runtime. Because of that, the default behaviour of this policy is to accept workloads that do not have an AppArmor profile specified.

    The policy can be configured with the following data structure:
    ```yaml
    # list of allowed profiles
    allowed_profiles:
    - runtime/default
    - localhost/my-special-workload
    ```
```

Parts of the file can be templated, based on the name of the project.

flavio commented 3 years ago

Implemented via 7e1f3d6107156ae34c7f6fa74e24f01311b867f3