rancher / kubewarden-ui

Kubewarden's User Interface
Apache License 2.0

Add support for policies groups #848

Open jvanz opened 1 month ago

jvanz commented 1 month ago

We are in the process of adding new policy kinds, ClusterAdmissionPolicyGroup and AdmissionPolicyGroup. These new kinds allow users to group policies together and act as a single policy. More info about them can be found in the RFC. In a recent change, we added the new CRDs in the Kubewarden controller and we should update the UI to support them as well.

This is an example of a YAML file to deploy all the policy types together:

apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicyGroup
metadata:
  name: cluster-policy-group-hd83ybjz
spec:
  policyServer: default
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  backgroundAudit: true
  policies:
    - name: pod-privileged
      url: ghcr.io/kubewarden/policies/pod-privileged:v0.3.1
      settings: {}
      contextAwareResources:
        - apiVersion: "v1"
          kind: "Pod"

  expression: "pod-privileged()"
  message: "The policy group is rejected."
---
apiVersion: policies.kubewarden.io/v1
kind: AdmissionPolicyGroup
metadata:
  name: namespace-policy-group-hd83ybjz
  namespace: default
spec:
  policyServer: "default"
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  backgroundAudit: true
  policies:
    - name: pod-privileged
      url: ghcr.io/kubewarden/policies/pod-privileged:v0.3.1
      settings: {}
      contextAwareResources:
        - apiVersion: "v1"
          kind: "Pod"

  expression: "pod-privileged()"
  message: "The policy group is rejected."
---
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: pod-privileged
  namespace: kubewarden
spec:
  module: "registry://ghcr.io/kubewarden/policies/pod-privileged:v0.2.7"
  policyServer: default
  settings: {}
  mode: monitor
  rules:
    - apiGroups: ["apps"]
      apiVersions: ["v1"]
      resources: ["deployment"]
      operations:
        - CREATE
        - UPDATE
  mutating: false
---
apiVersion: policies.kubewarden.io/v1
kind: AdmissionPolicy
metadata:
  name: pod-privileged
  namespace: kubewarden
spec:
  module: "registry://ghcr.io/kubewarden/policies/pod-privileged:v0.2.7"
  settings: {}
  mode: monitor
  policyServer: default
  rules:
    - apiGroups: ["apps"]
      apiVersions: ["v1"]
      resources: ["deployment"]
      operations:
        - CREATE
        - UPDATE
  mutating: false

Acceptance criteria
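Added example (not kubewarden-ui code and not part of the issue): the kind of consistency checks a UI form for the new group kinds could run before submitting the object, written against the group manifest shape shown above. It assumes that member policies are referenced in `expression` as `name()` calls, as in the issue's `pod-privileged()`.

```typescript
// Added example, not kubewarden-ui code: consistency checks a UI form could run
// on a policy-group object before it is submitted to the API server.
// Assumption: members are referenced in `expression` as `name()` calls.
interface GroupMember { name: string; url: string; settings?: object; }
interface PolicyGroup {
  kind: string;
  metadata: { name: string; namespace?: string };
  spec: { policyServer?: string; policies?: GroupMember[]; expression?: string; message?: string };
}
const GROUP_KINDS = ["ClusterAdmissionPolicyGroup", "AdmissionPolicyGroup"];
const DNS_LABEL = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;
// Every identifier followed by "(" in the expression, e.g. ["pod-privileged"].
function referencedPolicies(expression: string): string[] {
  const re = /([A-Za-z0-9_-]+)\s*\(/g;
  const names: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(expression)) !== null) names.push(m[1]);
  return names;
}
// Returns human-readable problems; an empty list means the group is consistent.
function validatePolicyGroup(pg: PolicyGroup): string[] {
  const errors: string[] = [];
  if (GROUP_KINDS.indexOf(pg.kind) === -1) errors.push(`unsupported kind: ${pg.kind}`);
  if (pg.kind === "AdmissionPolicyGroup" && !pg.metadata.namespace) {
    errors.push("AdmissionPolicyGroup is namespaced: metadata.namespace is required");
  }
  const members = pg.spec.policies ?? [];
  if (members.length === 0) errors.push("spec.policies must list at least one policy");
  const names = members.map((m) => m.name);
  members.forEach((m, i) => {
    if (!DNS_LABEL.test(m.name)) errors.push(`invalid member name: ${m.name}`);
    if (names.indexOf(m.name) !== i) errors.push(`duplicate member name: ${m.name}`);
    if (!m.url) errors.push(`member ${m.name} has no url`);
  });
  const expr = pg.spec.expression ?? "";
  if (expr.trim() === "") errors.push("spec.expression is required");
  const refs = referencedPolicies(expr);
  refs.forEach((r) => { if (names.indexOf(r) === -1) errors.push(`expression references unknown policy: ${r}`); });
  names.forEach((n) => { if (refs.indexOf(n) === -1) errors.push(`policy ${n} is never used in expression`); });
  return errors;
}
// Constructed from the issue's first manifest (not a real cluster object).
const sampleGroup: PolicyGroup = {
  kind: "ClusterAdmissionPolicyGroup", metadata: { name: "cluster-policy-group-hd83ybjz" },
  spec: { policyServer: "default", expression: "pod-privileged()", message: "The policy group is rejected.",
    policies: [{ name: "pod-privileged", url: "ghcr.io/kubewarden/policies/pod-privileged:v0.3.1" }] },
};
```

Running `validatePolicyGroup(sampleGroup)` returns an empty list; a group whose expression calls a policy that is not in `spec.policies` gets a problem entry naming it.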