diff --git a/.github/actions/push-artifacthub/action.yaml b/.github/actions/push-artifacthub/action.yaml
new file mode 100644
index 0000000..2842080
--- /dev/null
+++ b/.github/actions/push-artifacthub/action.yaml
@@ -0,0 +1,50 @@
+name: "kubewarden-check-artifacthub"
+description: "Push artifacthub files to artifacthub branch"
+branding:
+ icon: "package"
+ color: "blue"
+inputs:
+ policy-working-dir:
+ description: "working directory of the policy. Useful for repos with policies in folders"
+ required: true
+ version:
+ description: "The version of the policy"
+ required: true
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ fetch-depth: 0 # fetch all history for all branches and tags
+ - name: generate artifacthub-pkg.yml
+ shell: bash
+ working-directory: ${{ inputs.policy-working-dir }}
+ run: |
+ kwctl scaffold artifacthub --output ${{ runner.temp }}/artifacthub-pkg.yml
+ - name: Push up-to-date artifacthub-pkg.yml
+ shell: bash
+ run: |
+ set -x
+ git config user.name "Update artifacthub branch"
+ git config user.email github-actions@github.com
+
+ git checkout -b main --track origin/main
+ git checkout -b artifacthub --track origin/artifacthub || git checkout --orphan artifacthub
+ git reset HEAD -- .
+
+ export POLICY_DIRECTORY="${{ inputs.policy-working-dir }}/${{ inputs.version }}"
+
+ # Create or update files
+ git checkout ${{ github.ref_name }} -- artifacthub-repo.yml
+ mkdir -p $POLICY_DIRECTORY
+ mv ${{ runner.temp }}/artifacthub-pkg.yml $POLICY_DIRECTORY/artifacthub-pkg.yml
+ git show ${{ github.ref_name }}:${{ inputs.policy-working-dir }}/README.md > $POLICY_DIRECTORY/README.md
+
+ # Add changes to Git
+ git add artifacthub-repo.yml
+ git add $POLICY_DIRECTORY/artifacthub-pkg.yml
+ git add $POLICY_DIRECTORY/README.md
+
+ git commit -m "Bump ArtifactHub files for ${{ inputs.policy-working-dir }}, version ${{ inputs.version }}"
+ git push origin artifacthub
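Review bot: The `run:` script expands `${{ inputs.policy-working-dir }}`, `${{ inputs.version }}` and `${{ github.ref_name }}` straight into shell text (the `export`, the `git checkout`/`git show` lines and the commit message), so any shell metacharacters in a tag name or in the values derived from it become shell syntax; the usual fix is to hand them to the step via `env:` and reference them as quoted variables. The script also enables only `set -x`, so if `git show … > $POLICY_DIRECTORY/README.md` fails the README is left empty and the commit and push still happen; `set -euxo pipefail` makes every step fatal. `$POLICY_DIRECTORY` is also unquoted throughout, which matters once the inputs come through an environment variable. A smaller nit: the action is named `kubewarden-check-artifacthub` while its description and body push, not check.

```yaml
- name: Push up-to-date artifacthub-pkg.yml
  shell: bash
  env:
    POLICY_WORKING_DIR: ${{ inputs.policy-working-dir }}
    POLICY_VERSION: ${{ inputs.version }}
    REF_NAME: ${{ github.ref_name }}
  run: |
    set -euxo pipefail
    # … unchanged: git config and branch checkout …
    POLICY_DIRECTORY="${POLICY_WORKING_DIR}/${POLICY_VERSION}"
    git checkout "$REF_NAME" -- artifacthub-repo.yml
    mkdir -p "$POLICY_DIRECTORY"
    mv "${RUNNER_TEMP}/artifacthub-pkg.yml" "$POLICY_DIRECTORY/artifacthub-pkg.yml"
    git show "${REF_NAME}:${POLICY_WORKING_DIR}/README.md" > "$POLICY_DIRECTORY/README.md"
    # … unchanged: git add …
    git commit -m "Bump ArtifactHub files for ${POLICY_WORKING_DIR}, version ${POLICY_VERSION}"
    git push origin artifacthub
```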
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..0f2e75c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,30 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "cargo"
+ directories:
+ - "/policies/istio-gateway"
+ schedule:
+ interval: "weekly"
+ labels:
+ - "area/dependencies"
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: "weekly"
+ labels:
+ - "area/dependencies"
+ - package-ecosystem: gomod
+ directories:
+ - "/policies/harvester-pci-devices"
+ - "/policies/harvester-restricted-network"
+ - "/policies/harvester-restricted-network-vm"
+ - "/policies/pod-mig-partitions"
+ schedule:
+ interval: "weekly"
+ labels:
+ - "area/dependencies"
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
index aefd559..90200a0 100644
--- a/.github/release-drafter.yml
+++ b/.github/release-drafter.yml
@@ -33,12 +33,6 @@ autolabeler:
# Tag any PR with "!" in the subject as major update. In other words, breaking change
- label: "kind/breaking-change"
title: "/.*!:.*/"
- - label: "area/dependencies"
- title: "chore(deps)"
- - label: "area/dependencies"
- title: "fix(deps)"
- - label: "area/dependencies"
- title: "build(deps)"
- label: "kind/feature"
title: "feat"
- label: "kind/bug"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5776769..b8f4828 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -199,3 +199,9 @@ jobs:
prerelease: isPreRelease,
make_latest: !isPreRelease
});
+
+ - name: Publish to ArtifactHub
+ uses: ./.github/actions/push-artifacthub
+ with:
+ policy-working-dir: "${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }}"
+ version: "${{ needs.calculate-policy-from-tag.outputs.policy-version }}"
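Review bot: The new step pushes a commit to the `artifacthub` branch using the token that `actions/checkout` persists, so this job needs `permissions: contents: write`; the job header is outside the hunk, so confirm it grants that and no broader write scope. The step also runs unconditionally, including for the prereleases the preceding script distinguishes via `isPreRelease`, so every rc tag will be published to ArtifactHub; if that is not intended, gate the step on the same prerelease check rather than on nothing. Consider `continue-on-error` deliberately left unset here: a failure in the ArtifactHub push after the GitHub release has already been created will mark the release job failed without undoing the release, which is worth a comment.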
diff --git a/.gitignore b/.gitignore
index 323de64..8365952 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,10 +22,6 @@ bin
debug/
target/
-# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
-# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
-Cargo.lock
-
# These are backup files generated by rustfmt
**/*.rs.bk
@@ -38,6 +34,7 @@ Cargo.lock
# and can be added to the global gitignore or merged into this file. For a more nuclear
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/
+
### JetBrains template
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d5dd329
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [2026] [SUSE Software Solutions Germany GmbH]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..18571cf
--- /dev/null
+++ b/README.md
@@ -0,0 +1,11 @@
+# OpenPlatform Kubewarden Policies
+
+This is a collection of Kubewarden policies that SUSE's ITPE Core Platform team manages for its Kubernetes environments.
+
+## Policies
+
+* [harvester-pci-devices](policies/harvester-pci-devices)
+* [harvester-restricted-network](policies/harvester-restricted-network)
+* [harvester-restricted-network-vm](policies/harvester-restricted-network-vm)
+* [istio-gateway](policies/istio-gateway)
+* [pod-mig-partitions](policies/pod-mig-partitions)
diff --git a/artifacthub-repo.yml b/artifacthub-repo.yml
new file mode 100644
index 0000000..f967430
--- /dev/null
+++ b/artifacthub-repo.yml
@@ -0,0 +1,5 @@
+---
+repositoryID: 9e1c3fdf-3a6e-474d-8f44-6690a48ef967
+owners:
+ - name: SUSE ITPE
+ email: itpe-core-maintenance@suse.com
diff --git a/policies/harvester-pci-devices/README.md b/policies/harvester-pci-devices/README.md
index 5a94eb1..43d594b 100644
--- a/policies/harvester-pci-devices/README.md
+++ b/policies/harvester-pci-devices/README.md
@@ -1,10 +1,32 @@
-# policy-pci-devices
+[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)
+[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)
+
+# harvester-pci-devices
This policy guards against VMs attaching PCI Devices (e.g., GPUs) without permission.
-**Example policy:**
+## Settings
-```
+| Field | Description |
+|--------------------------------------------------------------------------------------------|-----------------------------------------|
+| namespaceDeviceindings
map[string, [NamespaceDeviceBinding](#namespaceDeviceBinding)] | A map of Harvester PCI Device bindings. |
+
+### NamespaceDeviceBinding
+
+| Field | Description |
+|------------------------|---------------------------|
+| namespace
string | The namespace. |
+| device
string | The ID of the PCI device. |
+
+
+## Specifications
+
+1. You should be able to create a VM without a PCI Device
+2. You should not be able to bind a VM to a PCI Device not allocated to its namespace.
+
+## Example
+
+```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
@@ -26,14 +48,9 @@ spec:
policyServer: default
```
-**Specifications:**
-
-1. You should be able to create a VM without a PCI Device
-2. You should not be able to bind a VM to a PCI Device not allocated to its namespace.
-
-**Examples:**
+Here would be the result of the above policy.
-| Namespace | Device | Result |
+| Namespace | PCI Device ID | Result |
|------------------|---------------------|--------|
| test-ns-1 | tekton27a-000001010 | ALLOW |
| test-ns-2 | tekton27b-000001010 | ALLOW |
diff --git a/policies/harvester-pci-devices/metadata.yml b/policies/harvester-pci-devices/metadata.yml
index 3cdb733..c8571a7 100644
--- a/policies/harvester-pci-devices/metadata.yml
+++ b/policies/harvester-pci-devices/metadata.yml
@@ -12,15 +12,18 @@ executionMode: kubewarden-wapc
# skip this policy and not generate false positives.
backgroundAudit: true
annotations:
+ # artifacthub specific
+ io.artifacthub.displayName: Harvester PCI Devices
+ io.artifacthub.resources: VirtualMachine
+ io.artifacthub.keywords: harvester, virtualmachine, pci
# kubewarden specific:
- io.kubewarden.policy.version: 0.1.0
io.kubewarden.policy.title: harvester-pci-devices
+ io.kubewarden.policy.version: 0.1.0-rc1
io.kubewarden.policy.description: Prevents libvirt from binding pci devices in the wrong namespaces.
- io.kubewarden.policy.author: "ITPE Core Team "
- io.kubewarden.policy.url: https://github.github.com/SUSE/openplatform-kubewarden-policies
- io.kubewarden.policy.source: https://github.github.com/SUSE/openplatform-kubewarden-policies
- # The next two annotations are used in the policy report generated by the
- # Audit scanner. Severity indicates policy check result criticality and
- # Category indicates policy category. See more here at docs.kubewarden.io
- io.kubewarden.policy.severity: critical # one of info, low, medium, high, critical. See docs.
+ io.kubewarden.policy.author: "ITPE CORE Team "
+ io.kubewarden.policy.url: https://github.com/SUSE/openplatform-kubewarden-policies
+ io.kubewarden.policy.source: https://github.com/SUSE/openplatform-kubewarden-policies/tree/main/policies/harvester-pci-devices
+ io.kubewarden.policy.ociUrl: ghcr.io/suse/openplatform-kubewarden-policies/harvester-pci-devices
+ io.kubewarden.policy.license: Apache-2.0
+ io.kubewarden.policy.severity: critical
io.kubewarden.policy.category: Resource validation
diff --git a/policies/harvester-restricted-network-vm/README.md b/policies/harvester-restricted-network-vm/README.md
index 9613b0f..2fd9a22 100644
--- a/policies/harvester-restricted-network-vm/README.md
+++ b/policies/harvester-restricted-network-vm/README.md
@@ -1,23 +1,45 @@
+[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)
+[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)
+
# harvester-restricted-network-vm
-This policy guards against VMs being deployed into protected network segments.
+This policy protects Harvester VM networks, by specifying which namespaces are allowed.
-**Example policy:**
+## Settings
-```
+| Field | Description |
+|------------------------------------------------------------------------------------------------|--------------------------------------|
+| namespaceNetworkBindings
map[string, [NamespaceNetworkBinding](#namespaceNetworkBinding)] | A map of namespace network bindings. |
+
+### NamespaceNetworkBinding
+
+| Field | Description |
+|------------------------|------------------------------------------------------------------|
+| namespace
string | The namespace. |
+| network
string | The Harvester VM Network in the format `namespace/network-name`. |
+
+## Specifications
+
+1. You should be able to create a VM with any of the specified combinations of namespace and network.
+2. You should not be able to create a VM from any namespace or network that is in the settings, but the exact combination is not in the settings.
+3. Any namespace or network that is not on the settings is not restricted
+
+## Example
+
+```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
name: restricted-network-vm-policy-1
spec:
- module: harvester-restricted-network-vm:20
+ module: registry://ghcr.io/suse/openplatform-kubewarden-policies/harvester-restricted-network-vm:latest
rules:
- apiGroups: ["kubevirt.io"]
apiVersions: ["v1"]
resources: ["virtualmachines"]
operations: ["CREATE", "UPDATE"]
settings:
- namespaceNetworkBindings:
+ namespaceNetworkBindings:
- namespace: test-restricted-1-network-1
network: test-restricted-1-network-1/network-1
- namespace: test-restricted-2-network-1
@@ -28,15 +50,9 @@ spec:
policyServer: default
```
-**Specifications:**
-
-1. You should be able to create a VM with any of the specific combinations there
-2. You should not be able to create a VM from any namespace or network that is in that list, but the exact combination is not in the list.
-3. Any namespace or network that is not on the list is not restricted
-
-**Examples:**
+Here would be the result of the above policy.
-| namespace | network | Result |
+| Namespace | Network | Result |
|-----------------------------|---------------------------------------|--------|
| test-restricted-1-network-1 | test-restricted-1-network-1/network-1 | ALLOW |
| test-restricted-2-network-1 | test-restricted-1-network-1/network-1 | ALLOW |
diff --git a/policies/harvester-restricted-network-vm/metadata.yml b/policies/harvester-restricted-network-vm/metadata.yml
index 0e08411..6186803 100644
--- a/policies/harvester-restricted-network-vm/metadata.yml
+++ b/policies/harvester-restricted-network-vm/metadata.yml
@@ -12,15 +12,18 @@ executionMode: kubewarden-wapc
# skip this policy and not generate false positives.
backgroundAudit: true
annotations:
+ # artifacthub specific
+ io.artifacthub.displayName: Harvester Restricted Network VM
+ io.artifacthub.resources: VirtualMachine
+ io.artifacthub.keywords: harvester, network, virtualmachine
# kubewarden specific:
- io.kubewarden.policy.version: 0.1.0
io.kubewarden.policy.title: harvester-restricted-network-vm
+ io.kubewarden.policy.version: 0.1.0-rc1
io.kubewarden.policy.description: Ensures harvester only creates a VM with a specified network within a restricted namespace.
- io.kubewarden.policy.author: "ITPE Core Team "
- io.kubewarden.policy.url: https://github.github.com/SUSE/openplatform-kubewarden-policies
- io.kubewarden.policy.source: https://github.github.com/SUSE/openplatform-kubewarden-policies
- # The next two annotations are used in the policy report generated by the
- # Audit scanner. Severity indicates policy check result criticality and
- # Category indicates policy category. See more here at docs.kubewarden.io
- io.kubewarden.policy.severity: critical # one of info, low, medium, high, critical. See docs.
+ io.kubewarden.policy.author: "ITPE CORE Team "
+ io.kubewarden.policy.url: https://github.com/SUSE/openplatform-kubewarden-policies
+ io.kubewarden.policy.source: https://github.com/SUSE/openplatform-kubewarden-policies/tree/main/policies/harvester-restricted-network-vm
+ io.kubewarden.policy.ociUrl: ghcr.io/suse/openplatform-kubewarden-policies/harvester-restricted-network
+ io.kubewarden.policy.license: Apache-2.0
+ io.kubewarden.policy.severity: critical
io.kubewarden.policy.category: Resource validation
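Review bot: The added `io.kubewarden.policy.ociUrl` points at `.../harvester-restricted-network`, but this file is the metadata for `harvester-restricted-network-vm` (the title, source and description lines in the same hunk all say so), and the sibling `harvester-restricted-network/metadata.yml` in this commit carries the `-vm` URL — the two ociUrls appear to be swapped. Anyone installing from the ArtifactHub listing would pull the other policy, which validates a different resource, and the intended network restriction would not be enforced. Change the line to `io.kubewarden.policy.ociUrl: ghcr.io/suse/openplatform-kubewarden-policies/harvester-restricted-network-vm`.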
diff --git a/policies/harvester-restricted-network/README.md b/policies/harvester-restricted-network/README.md
index b334fa1..34e5279 100644
--- a/policies/harvester-restricted-network/README.md
+++ b/policies/harvester-restricted-network/README.md
@@ -1,49 +1,64 @@
-# harvester-restricted-netwok
+[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)
+[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)
+
+# harvester-restricted-network
This policy guards against harvester creating a network for a restricted VLAN in unauthorized namespaces.
-**Example policy:**
+## Settings
-```
+| Field | Description |
+|---------------------------------------------------------------------------------------|-----------------------------------|
+| namespaceVLANBindings
map[string, [NamespaceVLANBinding](#namespaceVLANBinding)] | A map of namespace VLAN bindings. |
+
+### NamespaceVLANBinding
+
+| Field | Description |
+|------------------------|----------------------------------------|
+| namespace
string | The namespace. |
+| vlan
int | The VLAN for the Harvester VM Network. |
+
+
+## Specifications
+
+1. All bound namespaces must use their respective bound VLANs.
+2. All bound VLANs must use their respective bound namespaces.
+3. Any namespace or VLAN that isn't bound, is unrestricted.
+
+## Example
+
+```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
- name: restricted-vlan-policy-1
+ name: restricted-network-policy-1
spec:
- module: harvester-restricted-network:0.1.0
+ module: registry://ghcr.io/suse/openplatform-kubewarden-policies/harvester-restricted-network:latest
rules:
- - apiGroups: ["k8s.cni.cncf.io"]
+ - apiGroups: ["kubevirt.io"]
apiVersions: ["v1"]
- resources: ["network-attachment-definitions"]
+ resources: ["virtualmachines"]
operations: ["CREATE", "UPDATE"]
settings:
namespaceVLANBindings:
- - namespace: test-restricted-1-network-1
+ - namespace: test-restricted-1
vlan: 42
- - namespace: test-restricted-2-network-1
+ - namespace: test-restricted-2
vlan: 1337
- mutating: false # or true if your policy mutates resources
+ mutating: false
policyServer: default
```
-**Specifications:**
-
-1. All bound namespaces must use their respective bound VLANs.
-2. All bound VLANs must use their respective bound namespaces.
-3. Any namespace or VLAN that isn't bound, is unrestricted.
-
-**Examples:**
-
The following examples are with the example policy above, with a random non-restricted VLAN being 100.
-| namespace | network | Result |
-|-----------------------------|---------|--------|
-| test-restricted-1-network-1 | 42 | ALLOW |
-| test-restricted-2-network-1 | 1337 | ALLOW |
-| random-namespace | 100 | ALLOW |
-| test-restricted-1-network-1 | 1337 | REJECT |
-| test-restricted-2-network-2 | 42 | REJECT |
-| random-namespace | 42 | REJECT |
-| random-namespace | 1337 | REJECT |
-| test-restricted-1-network-1 | 100 | REJECT |
-| test-restricted-2-network-2 | 100 | REJECT |
+| Namespace | VLAN ID | Result |
+|-------------------|---------|--------|
+| test-restricted-1 | 42 | ALLOW |
+| test-restricted-2 | 1337 | ALLOW |
+| random-namespace | 100 | ALLOW |
+| test-restricted-1 | 1337 | REJECT |
+| test-restricted-2 | 42 | REJECT |
+| random-namespace | 42 | REJECT |
+| random-namespace | 1337 | REJECT |
+| test-restricted-1 | 100 | REJECT |
+| test-restricted-2 | 100 | REJECT |
diff --git a/policies/harvester-restricted-network/metadata.yml b/policies/harvester-restricted-network/metadata.yml
index 065512a..7b1031f 100644
--- a/policies/harvester-restricted-network/metadata.yml
+++ b/policies/harvester-restricted-network/metadata.yml
@@ -12,15 +12,18 @@ executionMode: kubewarden-wapc
# skip this policy and not generate false positives.
backgroundAudit: true
annotations:
+ # artifacthub specific
+ io.artifacthub.displayName: Harvester Restricted Network
+ io.artifacthub.resources: NetworkAttachmentDefinition
+ io.artifacthub.keywords: harvester, network
# kubewarden specific:
- io.kubewarden.policy.version: 0.1.0
io.kubewarden.policy.title: harvester-restricted-network
+ io.kubewarden.policy.version: 0.1.0-rc1
io.kubewarden.policy.description: Prevents harvester from creating a network for a restricted VLAN in unauthorized namespaces.
- io.kubewarden.policy.author: "ITPE Core Team "
- io.kubewarden.policy.url: https://github.github.com/SUSE/openplatform-kubewarden-policies
- io.kubewarden.policy.source: https://github.github.com/SUSE/openplatform-kubewarden-policies
- # The next two annotations are used in the policy report generated by the
- # Audit scanner. Severity indicates policy check result criticality and
- # Category indicates policy category. See more here at docs.kubewarden.io
- io.kubewarden.policy.severity: critical # one of info, low, medium, high, critical. See docs.
+ io.kubewarden.policy.author: "ITPE CORE Team "
+ io.kubewarden.policy.url: https://github.com/SUSE/openplatform-kubewarden-policies
+ io.kubewarden.policy.source: https://github.com/SUSE/openplatform-kubewarden-policies/tree/main/policies/harvester-restricted-network
+ io.kubewarden.policy.ociUrl: ghcr.io/suse/openplatform-kubewarden-policies/harvester-restricted-network-vm
+ io.kubewarden.policy.license: Apache-2.0
+ io.kubewarden.policy.severity: critical
io.kubewarden.policy.category: Resource validation
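Review bot: The added `io.kubewarden.policy.ociUrl` names `.../harvester-restricted-network-vm`, while this metadata, its title and its source line belong to `harvester-restricted-network`; the `-vm` policy's metadata in this commit has the reverse URL, so the two look swapped and the ArtifactHub listing would hand users the wrong policy. Change the line to `io.kubewarden.policy.ociUrl: ghcr.io/suse/openplatform-kubewarden-policies/harvester-restricted-network`. Separately, `io.artifacthub.resources: NetworkAttachmentDefinition` and the description say this policy guards network creation, but the README example for this policy in the same commit was changed to match on `kubevirt.io` `virtualmachines`; with those rules the policy server would never be consulted for NetworkAttachmentDefinition creates and the VLAN restriction would silently not apply, so confirm which resource the policy validates and align the example with it.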
diff --git a/policies/istio-gateway/Cargo.lock b/policies/istio-gateway/Cargo.lock
new file mode 100644
index 0000000..ba65f67
--- /dev/null
+++ b/policies/istio-gateway/Cargo.lock
@@ -0,0 +1,1162 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "aho-corasick"
+version = "1.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "anyhow"
+version = "1.0.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
+
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
+[[package]]
+name = "bitflags"
+version = "2.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2261d10cca569e4643e526d8dc2e62e433cc8aba21ab764233731f8d369bf394"
+
+[[package]]
+name = "bytes"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
+
+[[package]]
+name = "cfg-if"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2fd1289c04a9ea8cb22300a459a72a385d7c73d3259e2ed7dcb2af674838cfa9"
+
+[[package]]
+name = "chrono"
+version = "0.4.42"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "145052bdd345b87320e369255277e3fb5152762ad123a901ef5c262dd38fe8d2"
+dependencies = [
+ "num-traits",
+ "serde",
+]
+
+[[package]]
+name = "const_format"
+version = "0.2.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7faa7469a93a566e9ccc1c73fe783b4a65c274c5ace346038dca9c39fe0030ad"
+dependencies = [
+ "const_format_proc_macros",
+]
+
+[[package]]
+name = "const_format_proc_macros"
+version = "0.2.34"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d57c2eccfb16dbac1f4e61e206105db5820c9d26c3c472bc17c774259ef7744"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-xid",
+]
+
+[[package]]
+name = "darling"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
+dependencies = [
+ "darling_core 0.20.11",
+ "darling_macro 0.20.11",
+]
+
+[[package]]
+name = "darling"
+version = "0.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9cdf337090841a411e2a7f3deb9187445851f91b309c0c0a29e05f74a00a48c0"
+dependencies = [
+ "darling_core 0.21.3",
+ "darling_macro 0.21.3",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1247195ecd7e3c85f83c8d2a366e4210d588e802133e1e355180a9870b517ea4"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
+dependencies = [
+ "darling_core 0.20.11",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d38308df82d1080de0afee5d069fa14b0326a88c14f15c5ccda35b4a6c414c81"
+dependencies = [
+ "darling_core 0.21.3",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "derive_builder"
+version = "0.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "507dfb09ea8b7fa618fcf76e953f4f5e192547945816d5358edffe39f6f94947"
+dependencies = [
+ "derive_builder_macro",
+]
+
+[[package]]
+name = "derive_builder_core"
+version = "0.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2d5bcf7b024d6835cfb3d473887cd966994907effbe9227e8c8219824d06c4e8"
+dependencies = [
+ "darling 0.20.11",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "derive_builder_macro"
+version = "0.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ab63b0e2bf4d5928aff72e83a7dace85d7bba5fe12dcc3c5a572d78caffd3f3c"
+dependencies = [
+ "derive_builder_core",
+ "syn",
+]
+
+[[package]]
+name = "derive_more"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "093242cf7570c207c83073cf82f79706fe7b8317e98620a47d5be7c3d8497678"
+dependencies = [
+ "derive_more-impl",
+]
+
+[[package]]
+name = "derive_more-impl"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bda628edc44c4bb645fbe0f758797143e4e07926f7ebf4e9bdfbd3d2ce621df3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "displaydoc"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "dyn-clone"
+version = "1.0.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555"
+
+[[package]]
+name = "equivalent"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "erased-serde"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c138974f9d5e7fe373eb04df7cae98833802ae4b11c24ac7039a21d5af4b26c"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf"
+dependencies = [
+ "percent-encoding",
+]
+
+[[package]]
+name = "getset"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9cf0fc11e47561d47397154977bc219f4cf809b2974facc3ccb3b89e2436f912"
+dependencies = [
+ "proc-macro-error2",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+
+[[package]]
+name = "http"
+version = "1.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f4a85d31aea989eead29a3aaf9e1115a180df8282431156e533de47660892565"
+dependencies = [
+ "bytes",
+ "fnv",
+ "itoa",
+]
+
+[[package]]
+name = "icu_collections"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
+dependencies = [
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locale_core"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
+dependencies = [
+ "displaydoc",
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
+
+[[package]]
+name = "icu_properties"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
+dependencies = [
+ "displaydoc",
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "potential_utf",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
+
+[[package]]
+name = "icu_provider"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
+dependencies = [
+ "displaydoc",
+ "icu_locale_core",
+ "stable_deref_trait",
+ "tinystr",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
+[[package]]
+name = "idna"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
+[[package]]
+name = "indexmap"
+version = "2.11.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5"
+dependencies = [
+ "equivalent",
+ "hashbrown",
+]
+
+[[package]]
+name = "istio-gateway"
+version = "0.1.0"
+dependencies = [
+ "k8s-openapi",
+ "kcr_networking_istio_io",
+ "kubewarden-policy-sdk",
+ "lazy_static",
+ "serde",
+ "serde_json",
+ "slog",
+ "thiserror",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
+
+[[package]]
+name = "k8s-openapi"
+version = "0.26.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d13f06d5326a915becaffabdfab75051b8cdc260c2a5c06c0e90226ede89a692"
+dependencies = [
+ "base64",
+ "chrono",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "kcr_networking_istio_io"
+version = "2.20251019.30658"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "45cb3afb4ef77204d7a96fc4fc3fd9e60fe83dbfb1fc42ef46dc27e88e8ac84b"
+dependencies = [
+ "k8s-openapi",
+ "kube",
+ "schemars",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "kube"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48e7bb0b6a46502cc20e4575b6ff401af45cfea150b34ba272a3410b78aa014e"
+dependencies = [
+ "k8s-openapi",
+ "kube-core",
+ "kube-derive",
+]
+
+[[package]]
+name = "kube-core"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "914bbb770e7bb721a06e3538c0edd2babed46447d128f7c21caa68747060ee73"
+dependencies = [
+ "chrono",
+ "derive_more",
+ "form_urlencoded",
+ "http",
+ "k8s-openapi",
+ "schemars",
+ "serde",
+ "serde-value",
+ "serde_json",
+ "thiserror",
+]
+
+[[package]]
+name = "kube-derive"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03dee8252be137772a6ab3508b81cd797dee62ee771112a2453bc85cbbe150d2"
+dependencies = [
+ "darling 0.21.3",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_json",
+ "syn",
+]
+
+[[package]]
+name = "kubewarden-policy-sdk"
+version = "0.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3fe5786acb75fb7744b3b57ee517f72a4e614a0b62a15bb6a44765cb8a8f9163"
+dependencies = [
+ "anyhow",
+ "cfg-if",
+ "chrono",
+ "hex",
+ "k8s-openapi",
+ "num",
+ "num-derive",
+ "num-traits",
+ "oci-spec",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "slog",
+ "url",
+ "wapc-guest",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+
+[[package]]
+name = "libc"
+version = "0.2.177"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976"
+
+[[package]]
+name = "litemap"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
+
+[[package]]
+name = "lock_api"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
+dependencies = [
+ "scopeguard",
+]
+
+[[package]]
+name = "memchr"
+version = "2.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273"
+
+[[package]]
+name = "num"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23"
+dependencies = [
+ "num-bigint",
+ "num-complex",
+ "num-integer",
+ "num-iter",
+ "num-rational",
+ "num-traits",
+]
+
+[[package]]
+name = "num-bigint"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+dependencies = [
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-complex"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "num-derive"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "num-integer"
+version = "0.1.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "num-iter"
+version = "0.1.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf"
+dependencies = [
+ "autocfg",
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-rational"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824"
+dependencies = [
+ "num-bigint",
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "oci-spec"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2eb4684653aeaba48dea019caa17b2773e1212e281d50b6fa759f36fe032239d"
+dependencies = [
+ "const_format",
+ "derive_builder",
+ "getset",
+ "regex",
+ "serde",
+ "serde_json",
+ "strum",
+ "strum_macros",
+ "thiserror",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
+
+[[package]]
+name = "ordered-float"
+version = "2.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "parking_lot"
+version = "0.12.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall",
+ "smallvec",
+ "windows-link",
+]
+
+[[package]]
+name = "percent-encoding"
+version = "2.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
+
+[[package]]
+name = "potential_utf"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "84df19adbe5b5a0782edcab45899906947ab039ccf4573713735ee7de1e6b08a"
+dependencies = [
+ "zerovec",
+]
+
+[[package]]
+name = "proc-macro-error-attr2"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+]
+
+[[package]]
+name = "proc-macro-error2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802"
+dependencies = [
+ "proc-macro-error-attr2",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.101"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89ae43fd86e4158d6db51ad8e2b80f313af9cc74f5c0e03ccb87de09998732de"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.41"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "ref-cast"
+version = "1.0.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f354300ae66f76f1c85c5f84693f0ce81d747e2c3f21a45fef496d89c960bf7d"
+dependencies = [
+ "ref-cast-impl",
+]
+
+[[package]]
+name = "ref-cast-impl"
+version = "1.0.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "regex"
+version = "1.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a52d8d02cacdb176ef4678de6c052efb4b3da14b78e4db683a4252762be5433"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "722166aa0d7438abbaa4d5cc2c649dac844e8c56d82fb3d33e9c34b5cd268fc6"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3160422bbd54dd5ecfdca71e5fd59b7b8fe2b1697ab2baf64f6d05dcc66d298"
+
+[[package]]
+name = "rustversion"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+
+[[package]]
+name = "ryu"
+version = "1.0.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f"
+
+[[package]]
+name = "schemars"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9558e172d4e8533736ba97870c4b2cd63f84b382a3d6eb063da41b91cce17289"
+dependencies = [
+ "dyn-clone",
+ "ref-cast",
+ "schemars_derive",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars_derive"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "301858a4023d78debd2353c7426dc486001bddc91ae31a76fb1f55132f7e2633"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde_derive_internals",
+ "syn",
+]
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
+[[package]]
+name = "serde"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
+dependencies = [
+ "serde_core",
+ "serde_derive",
+]
+
+[[package]]
+name = "serde-value"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c"
+dependencies = [
+ "ordered-float",
+ "serde",
+]
+
+[[package]]
+name = "serde_core"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_derive_internals"
+version = "0.29.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.145"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
+dependencies = [
+ "itoa",
+ "memchr",
+ "ryu",
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "serde_yaml"
+version = "0.9.34+deprecated"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
+dependencies = [
+ "indexmap",
+ "itoa",
+ "ryu",
+ "serde",
+ "unsafe-libyaml",
+]
+
+[[package]]
+name = "slog"
+version = "2.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b3b8565691b22d2bdfc066426ed48f837fc0c5f2c8cad8d9718f7f99d6995c1"
+dependencies = [
+ "anyhow",
+ "erased-serde",
+ "rustversion",
+ "serde_core",
+]
+
+[[package]]
+name = "smallvec"
+version = "1.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
+
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
+
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
+[[package]]
+name = "strum"
+version = "0.27.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "af23d6f6c1a224baef9d3f61e287d2761385a5b88fdab4eb4c6f11aeb54c4bcf"
+
+[[package]]
+name = "strum_macros"
+version = "0.27.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7695ce3845ea4b33927c055a39dc438a45b059f7c1b3d91d38d10355fb8cbca7"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ede7c438028d4436d71104916910f5bb611972c5cfd7f89b8300a8186e6fada6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "synstructure"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "tinystr"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b"
+dependencies = [
+ "displaydoc",
+ "zerovec",
+]
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f63a545481291138910575129486daeaf8ac54aee4387fe7906919f7830c7d9d"
+
+[[package]]
+name = "unicode-xid"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
+
+[[package]]
+name = "unsafe-libyaml"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
+
+[[package]]
+name = "url"
+version = "2.5.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08bc136a29a3d1758e07a9cca267be308aeebf5cfd5a10f3f67ab2097683ef5b"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+ "serde",
+]
+
+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+
+[[package]]
+name = "wapc-guest"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "680cefee82217e1c312bdbc21789a33a168038b64f715621cdb780cf7946c82d"
+dependencies = [
+ "once_cell",
+ "parking_lot",
+]
+
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
+[[package]]
+name = "writeable"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
+
+[[package]]
+name = "yoke"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc"
+dependencies = [
+ "serde",
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "zerotrie"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.11.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7aa2bd55086f1ab526693ecbe444205da57e25f4489879da80635a46d90e73b"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
diff --git a/policies/istio-gateway/README.md b/policies/istio-gateway/README.md
index 5ec51fa..5444f6d 100644
--- a/policies/istio-gateway/README.md
+++ b/policies/istio-gateway/README.md
@@ -1,10 +1,41 @@
-# Kubewarden policy
+[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)
+[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)
-## Description
+# istio-gateway
-This policy will restrict the usage of the `Gateway` object configured on top of a dedicated instance of istio proxy only to `VirtualService` object coming from a set of namespaces.
+> [!NOTE]
+> This policy is meant to work with link:https://istio.io/[Istio], but not does not protect resources from its [Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) implementation.
-**Example policy:**
+This policy protects shared Istio Gateway resources by watching changes to VirtualService resources.
+For configured Gateway resources, it will ensure that VirtualService resources are correctly configured.
+
+## Settings
+
+| Field | Description |
+|---------------------------------------------------------------------------------|----------------------------------------------|
+| gatewayRestirctions
map[string, [gatewayRestriction](#gatewayRestriction) | A list of Istio Gateway objects to restrict. |
+
+### GatewayRestriction
+
+| Field | Description |
+|------------------------------------------------------|-----------------------------|
+| namespaces
map[string, [namespace](#namespace)] | A map of namespace objects. |
+
+### Namespace
+
+| Field | Description |
+|----------------------------------|----------------------------------------------------------------------------------|
+| hostnames
string[] | A list of hostnames for the VirtualService. |
+| port
int | The port for the VirtualService. The default value 0 means any. |
+| protocol
string | The protocol for the VirtualService. The default value (empty string) means any. |
+| destination_hosts
string[] | The destination hosts for the VirtualService. |
+
+## Specifications
+
+1. You should be able to create a Gateway only on specific namespaces for specific hosts and destination_hosts if defined, otherwise the `*` wildcard will allow `all`.
+2. You should not be able to create a Gateway without specifying a valid namespace.
+
+## Example
```yaml
apiVersion: policies.kubewarden.io/v1
@@ -12,7 +43,7 @@ kind: ClusterAdmissionPolicy
metadata:
name: istio-gw-policy-1
spec:
- module: harbor.op-prg2-0-dev-ingress.op.suse.org/policy-istio-gateway/policy-istio-gateway:0.1.0
+ module: registry://ghcr.io/suse/openplatform-kubewarden-policies/istio-gateway:latest
rules:
- apiGroups: ["networking.istio.io"]
apiVersions: ["v1"]
@@ -42,53 +73,3 @@ spec:
mutating: false
policyServer: default
```
-
-**Specifications:**
-
-1. You should be able to create a Gateway only on specific namespaces for specific hosts and destination_hosts if defined, otherwise the `*` wildcard will allow `all`.
-2. You should not be able to create a Gateway without specifying a valid namespace.
-
-**Examples:**
-
-```json
-{
- "gatewayRestrictions": {
- "gateway-01": {
- "ns-01": [
- {
- "hostnames": ["*"],
- "destination_hosts": ["*"],
- "port": 443,
- "protocol": "https"
- }
- ]
- },
- "gateway-02": {
- "ns-02": [
- {
- "hostnames": ["hostname a"],
- "destination_hosts": ["servicename a", "servicename b"],
- "port": 80,
- "protocol": "http"
- },
- {
- "hostnames": ["hostname b"],
- "destination_hosts": ["servicename a", "servicename c"],
- "port": 443,
- "protocol": "https"
- }
- ]
- },
- "gateway-03": {
- "ns-03": [
- {
- "hostnames": ["hostname a"],
- "destination_hosts": ["*"],
- "port": 443,
- "protocol": "https"
- }
- ]
- }
- }
-}
-```
diff --git a/policies/istio-gateway/metadata.yml b/policies/istio-gateway/metadata.yml
index 3fd1bfe..24dc5df 100644
--- a/policies/istio-gateway/metadata.yml
+++ b/policies/istio-gateway/metadata.yml
@@ -14,15 +14,18 @@ executionMode: kubewarden-wapc
# skip this policy and not generate false positives.
backgroundAudit: true
annotations:
+ # artifacthub specific
+ io.artifacthub.displayName: Istio Gateway
+ io.artifacthub.resources: VirtualService
+ io.artifacthub.keywords: virtualservice
# kubewarden specific:
- io.kubewarden.policy.version: 0.1.0
- io.kubewarden.policy.title: policy-istio-gateway
+ io.kubewarden.policy.title: istio-gateway
+ io.kubewarden.policy.version: 0.1.0-rc1
io.kubewarden.policy.description: Restrict the usage of the `Gateway` object configured on top of a dedicated instance of istio proxy only to `VirtualService` object coming from a set of namespaces.
- io.kubewarden.policy.author: "ITPE Core Team "
- io.kubewarden.policy.url: https://github.github.com/SUSE/openplatform-kubewarden-policies
- io.kubewarden.policy.source: https://github.github.com/SUSE/openplatform-kubewarden-policies
- # The next two annotations are used in the policy report generated by the
- # Audit scanner. Severity indicates policy check result criticality and
- # Category indicates policy category. See more here at docs.kubewarden.io
+ io.kubewarden.policy.author: "ITPE CORE Team "
+ io.kubewarden.policy.url: https://github.com/SUSE/openplatform-kubewarden-policies
+ io.kubewarden.policy.source: https://github.com/SUSE/openplatform-kubewarden-policies/tree/main/policies/istio-gateway
+ io.kubewarden.policy.ociUrl: ghcr.io/suse/openplatform-kubewarden-policies/istio-gateway
+ io.kubewarden.policy.license: Apache-2.0
io.kubewarden.policy.severity: critical
io.kubewarden.policy.category: Resource validation
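Review bot: The rewritten annotation block drops the comment that explained what `io.kubewarden.policy.severity` and `io.kubewarden.policy.category` are for (the removed lines ending in "See more here at docs.kubewarden.io"), and none of the added lines replaces it. The removed text is the only place in the file that said severity feeds the Audit scanner's policy report and takes one of a fixed set of values, so a maintainer editing `critical` later has no hint of the allowed values; keep a one-line hint above the `io.kubewarden.policy.severity: critical` line, e.g. `# severity (one of info, low, medium, high, critical) and category are used in the Audit scanner policy report; see docs.kubewarden.io`. The same comment is removed in the policies/pod-mig-partitions/metadata.yml hunk, where the inline `# one of info, low, medium, high, critical. See docs.` on the severity line is also gone.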
diff --git a/policies/pod-mig-partitions/README.md b/policies/pod-mig-partitions/README.md
index 96a4209..a1d3b3e 100644
--- a/policies/pod-mig-partitions/README.md
+++ b/policies/pod-mig-partitions/README.md
@@ -1,22 +1,70 @@
-# policy-pod-mig-partitions
+[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)
+[](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)
-This policy guards against Pods attaching MIG Partitions without a ResourceQuota.
+# pod-mig-partitions
-**Example policy:**
+> [!NOTE]
+> This project is meant to work with [NVIDIA GPU Operator](https://github.com/NVIDIA/gpu-operator).
-```
+With the NVIDIA GPU Operator, pods request MIG partitions with resource requests.
+This policy ensures that a pod can only request a MIG partition within a namespace's [ResourceQuota](https://kubernetes.io/docs/concepts/policy/resource-quotas/).
+
+## Example
+
+The policy doesn't require any configuration, so you just need to add it to a Kubewarden policy server.
+
+```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
name: pod-mig-partitions
spec:
- module: harbor.op-prg2-0-dev-ingress.op.suse.org/policy-pod-mig-partitions/policy-pod-mig-partitions:0.1.0
+ module: registry://ghcr.io/suse/openplatform-kubewarden-policies/pod-mig-partitions:latest
rules:
- apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
operations: ["CREATE", "UPDATE"]
settings:
- mutating: false # or true if your policy mutates resources
+ mutating: false
policyServer: default
```
+
+With the policy active, if a pod tried to create or update a pod, adding a MIG partition, this policy should deny the change.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: ollama
+spec:
+ containers:
+ - image: dp.apps.rancher.io/containers/ollama:latest
+ name: ollama
+ resources:
+ limits:
+ cpu: '8'
+ memory: 32Gi
+ nvidia.com/mig-1g.12gb: '1'
+ requests:
+ cpu: '8'
+ memory: 32Gi
+ nvidia.com/mig-1g.12gb: '1'
+```
+
+To get the pod to deploy, would need to add a ResourceQuota with the requested resource.
+
+```yaml
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: gpu-quota
+spec:
+ hard:
+ requests.nvidia.com/mig-1g.12gb: '1
+```
+
+Now, if the above pod requests the same MIG partition, it should be allowed. The pod-mig-partitions policy will see that `nvidia.com/mig-1g.12gb` is in the namespace's ResourceQuota and allow the change.
+If the pod instead requests `requests.nvidia.com/mig-2g.24gb`, the policy would deny the change because that MIG partition is not in the ResourceQuota.
+However, the policy doesn't concern itself with how many MIG partitions are in the request, instead,
+Kubernetes ensures that the Pod doesn't exceed the namespace's ResourceQuotas.
diff --git a/policies/pod-mig-partitions/metadata.yml b/policies/pod-mig-partitions/metadata.yml
index ecf10fe..0edb440 100644
--- a/policies/pod-mig-partitions/metadata.yml
+++ b/policies/pod-mig-partitions/metadata.yml
@@ -14,15 +14,18 @@ executionMode: wasi
# skip this policy and not generate false positives.
backgroundAudit: true
annotations:
+ # artifacthub specific
+ io.artifacthub.displayName: Pod MIG Partitions
+ io.artifacthub.resources: Pod
+ io.artifacthub.keywords: pod
# kubewarden specific:
- io.kubewarden.policy.version: 0.1.0
- io.kubewarden.policy.title: policy-pod-mig-partitions
+ io.kubewarden.policy.title: pod-mig-partitions
+ io.kubewarden.policy.version: 0.1.0-rc1
io.kubewarden.policy.description: Prevents assigning mig partitions without a ResourceQuota for them.
- io.kubewarden.policy.author: "ITPE Core Team "
+ io.kubewarden.policy.author: "ITPE CORE Team "
io.kubewarden.policy.url: https://github.com/SUSE/openplatform-kubewarden-policies
- io.kubewarden.policy.source: https://github.com/SUSE/openplatform-kubewarden-policies
- # The next two annotations are used in the policy report generated by the
- # Audit scanner. Severity indicates policy check result criticality and
- # Category indicates policy category. See more here at docs.kubewarden.io
- io.kubewarden.policy.severity: critical # one of info, low, medium, high, critical. See docs.
+ io.kubewarden.policy.source: https://github.com/SUSE/openplatform-kubewarden-policies/tree/main/policies/pod-mig-partitions
+ io.kubewarden.policy.ociUrl: ghcr.io/suse/openplatform-kubewarden-policies/rke2-mig-partitions
+ io.kubewarden.policy.license: Apache-2.0
+ io.kubewarden.policy.severity: critical
io.kubewarden.policy.category: Resource validation
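Review bot: The added `io.kubewarden.policy.ociUrl` points at `ghcr.io/suse/openplatform-kubewarden-policies/rke2-mig-partitions`, while the title in the same hunk is `pod-mig-partitions`, the new `io.kubewarden.policy.source` ends in `policies/pod-mig-partitions`, and the README example in this commit pulls `registry://ghcr.io/suse/openplatform-kubewarden-policies/pod-mig-partitions:latest`. Unless the image really is published under the `rke2-` name, the ArtifactHub listing generated from this metadata would send users to a different (or nonexistent) artifact than the one the README installs, which is exactly the kind of mismatch that lets a wrong image get pulled without anyone noticing. The line should read `io.kubewarden.policy.ociUrl: ghcr.io/suse/openplatform-kubewarden-policies/pod-mig-partitions`; if the `rke2-` name is intentional, the README example and this value should be made to agree so users and the ArtifactHub package resolve the same image.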