kubewarden
diff --git a/‎Cargo.lock‎
Lines changed: 589 additions & 609 deletions b/‎Cargo.lock‎
Lines changed: 589 additions & 609 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 3 additions & 2 deletions b/‎Cargo.toml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 34 additions & 3 deletions b/‎README.md‎
Lines changed: 34 additions & 3 deletions
diff --git a/‎cli-docs.md‎
Lines changed: 54 additions & 6 deletions b/‎cli-docs.md‎
Lines changed: 54 additions & 6 deletions
diff --git a/‎src/backend.rs‎
Lines changed: 1 addition & 0 deletions b/‎src/backend.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/bench.rs‎
Lines changed: 0 additions & 67 deletions b/‎src/bench.rs‎
Lines changed: 0 additions & 67 deletions
diff --git a/‎src/callback_handler/mod.rs‎
Lines changed: 20 additions & 17 deletions b/‎src/callback_handler/mod.rs‎
Lines changed: 20 additions & 17 deletions
@@ -12,6 +12,7 @@ anyhow = "1.0"
 clap = { version = "4.5", features = ["cargo", "env"] }
 clap-markdown = "0.1.4"
 clap_complete = "4.5"
+color-print = "0.3"
 directories = "6.0.0"
 flate2 = "1.1"
 humansize = "2.1"
@@ -23,7 +24,7 @@ k8s-openapi = { version = "0.25.0", default-features = false, features = [
 ] }
 lazy_static = "1.4.0"
 pem = "3"
-policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.25.2" }
+policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.26.0" }
 prettytable-rs = "^0.10"
 regex = "1"
 rustls-pki-types = { version = "1", features = ["alloc"] }
@@ -41,7 +42,7 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["fmt"] }
 url = "2.5.0"
 walrus = "0.23.0"
-wasmparser = "0.233"
+wasmparser = "0.235"
 
 hostname-validator = "1.1.1"
 # This is required to have reqwest built using the `rustls-tls-native-roots`
 
@@ -104,14 +104,19 @@ This value can be obtained using a tool like [crane](https://github.com/google/g
 crane digest ghcr.io/kubewarden/policies/psp-capabilities:v0.1.6
 ```
 
-### Run a policy locally
+### Run
 
 `kwctl` can be used to run a policy locally, outside of Kubernetes. This can be used
 to quickly evaluate a policy and find the right settings for it.
 
 The evaluation is done against a pre-recorded [`AdmissionReview`](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#request).
 
-Running a policy locally:
+> **Note:** it's possible to scaffodl an `AdmissionReview` object from a Kubernetes resource.
+> Take a look at [this section](#scaffold-kubernetes-custom-resources) for more details.
+
+#### Run a local policy
+
+To run a local `.wasm` file containing a policy:
 
 ```console
 kwctl run \
@@ -123,7 +128,33 @@ kwctl run \
 Policy configuration can be passed on the CLI via the `--settings-json` flag
 or can be loaded from the disk via the `--settings-path` flag.
 
-#### Scaffold AdmissionReview from a Kubernetes resource
+#### Run a policy defined by a Kubewarden Custom Resource
+
+To run a local YAML file containing the definition of any of the Kubewarden Custom
+Resources:
+
+```console
+kwctl run \
+  -r test_data/ingress.json \
+  policy.yaml
+```
+
+The YAML file can contain any of the Kubewarden CRDs, including policy groups.
+
+**Warning:** kwctl considers only these attributes of the CRD:
+
+- policy module to be evaluated
+- policy settings
+- context aware resources
+
+All the other fields are ignored. For example, `rules`, `matchConditions`, `objectSelector`,
+`namespaceSelector` and other fields are not taken into account.
+
+Moreover, the YAML file could contain multiple declarations of Kubewarden Custom Resources. In this case
+kwctl will evaluate each policy found inside of the YAML file. However, the same request is going to be used
+during each evaluation.
+
+### [Scaffold AdmissionReview from a Kubernetes resource](#scaffold-admissionreview-from-a-kubernetes-resource)
 
 It's possible to scaffold an `AdmissionReview` object from a Kubernetes resource:
 
 
@@ -79,13 +79,37 @@ Add Kubewarden metadata to a WebAssembly module
 
 ## `kwctl bench`
 
-Benchmarks a Kubewarden policy
+Benchmarks a Kubewarden policy.
 
-**Usage:** `kwctl bench [OPTIONS] --request-path <PATH> <uri_or_sha_prefix>`
+The policy can be specified in the following ways:
+- URI: e.g., `registry://ghcr.io/kubewarden/policies/psp-policy:latest` or `https://example.com/kubewarden/policies/main/psp-policy/psp-policy.wasm`
+- SHA prefix: e.g., `c3b80a10f9c3` (requires the policy to be already pulled)
+- Local WASM file: e.g., `file://home/tux/new-policy/psp-policy.wasm`
+- Local YAML file: e.g., `file://home/tux/cluster-admission-policy.yaml` (contains declarations of Kubewarden Custom Resources like `ClusterAdmissionPolicy`, `AdmissionPolicy`, etc.)
+
+Default Behavior:
+If the schema is omitted, `file://` is assumed, rooted in the current directory.
+
+Notes on Kubewarden Custom Resources:
+- Flags `--request-path`, `--settings-path`, and `--settings-json` are ignored; settings are read from the Custom Resource definition.
+- The `--execution-mode` flag applies to all policies in the YAML file.
+- The `--raw` flag cannot be used, as Kubewarden's Custom Resources do not support `raw` policies.
+
+Only the following attributes of the Custom Resource Definition (CRD) are evaluated:
+- Policy module
+- Policy settings
+- Context-aware resources the policy can access
+
+Other fields, such as `rules`, `matchConditions`, `objectSelector`, and `namespaceSelector`, are ignored.
+
+A YAML file may contain multiple Custom Resource declarations. In this case, `kwctl` evaluates each policy in the file using the same request during each evaluation.
+
+
+**Usage:** `kwctl bench [OPTIONS] --request-path <PATH> <uri_or_sha_prefix_or_yaml_file>`
 
 ###### **Arguments:**
 
-* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.
+* `<URI_OR_SHA_PREFIX_OR_YAML_FILE>` — Policy URI, SHA prefix or YAML file containing Kubewarden policy resources. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.
 
 ###### **Options:**
 
@@ -292,13 +316,37 @@ Removes a Kubewarden policy from the store
 
 ## `kwctl run`
 
-Runs a Kubewarden policy from a given URI
+Run one or more Kubewarden policies locally.
 
-**Usage:** `kwctl run [OPTIONS] --request-path <PATH> <uri_or_sha_prefix>`
+The policy can be specified in the following ways:
+- URI: e.g., `registry://ghcr.io/kubewarden/policies/psp-policy:latest` or `https://example.com/kubewarden/policies/main/psp-policy/psp-policy.wasm`
+- SHA prefix: e.g., `c3b80a10f9c3` (requires the policy to be already pulled)
+- Local WASM file: e.g., `file://home/tux/new-policy/psp-policy.wasm`
+- Local YAML file: e.g., `file://home/tux/cluster-admission-policy.yaml` (contains declarations of Kubewarden Custom Resources like `ClusterAdmissionPolicy`, `AdmissionPolicy`, etc.)
+
+Default Behavior:
+If the schema is omitted, `file://` is assumed, rooted in the current directory.
+
+Notes on Kubewarden Custom Resources:
+- Flags `--request-path`, `--settings-path`, and `--settings-json` are ignored; settings are read from the Custom Resource definition.
+- The `--execution-mode` flag applies to all policies in the YAML file.
+- The `--raw` flag cannot be used, as Kubewarden's Custom Resources do not support `raw` policies.
+
+Only the following attributes of the Custom Resource Definition (CRD) are evaluated:
+- Policy module
+- Policy settings
+- Context-aware resources the policy can access
+
+Other fields, such as `rules`, `matchConditions`, `objectSelector`, and `namespaceSelector`, are ignored.
+
+A YAML file may contain multiple Custom Resource declarations. In this case, `kwctl` evaluates each policy in the file using the same request during each evaluation.
+
+
+**Usage:** `kwctl run [OPTIONS] --request-path <PATH> <uri_or_sha_prefix_or_yaml_file>`
 
 ###### **Arguments:**
 
-* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.
+* `<URI_OR_SHA_PREFIX_OR_YAML_FILE>` — Policy URI, SHA prefix or YAML file containing Kubewarden policy resources. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.
 
 ###### **Options:**
 
 
@@ -133,6 +133,7 @@ impl BackendDetector {
 
 /// Check if policy server version is compatible with  minimum kubewarden
 /// version required by the policy
+/// TODO: this should not take an Option
 pub fn has_minimum_kubewarden_version(opt_metadata: Option<&Metadata>) -> Result<()> {
     if let Some(metadata) = opt_metadata {
         if let Some(minimum_kubewarden_version) = &metadata.minimum_kubewarden_version {
 
@@ -1,13 +1,16 @@
-use crate::run::{HostCapabilitiesMode, PullAndRunSettings};
+use std::path::PathBuf;
+
 use anyhow::Result;
 use policy_evaluator::{callback_requests::CallbackRequest, kube};
-use std::path::PathBuf;
 use tokio::sync::{mpsc, oneshot};
 
-use self::proxy::CallbackHandlerProxy;
-
 mod proxy;
 
+use crate::{
+    callback_handler::proxy::CallbackHandlerProxy,
+    config::{pull_and_run::PullAndRunSettings, HostCapabilitiesMode},
+};
+
 #[derive(Clone)]
 pub(crate) enum ProxyMode {
     Record { destination: PathBuf },
@@ -27,29 +30,29 @@ impl CallbackHandler {
     pub async fn new(
         cfg: &PullAndRunSettings,
         kube_client: Option<kube::Client>,
-        shutdown_channel: oneshot::Receiver<()>,
+        shutdown_channel_rx: oneshot::Receiver<()>,
     ) -> Result<CallbackHandler> {
         match &cfg.host_capabilities_mode {
             HostCapabilitiesMode::Proxy(proxy_mode) => {
-                new_proxy(proxy_mode, cfg, kube_client, shutdown_channel).await
+                new_proxy(proxy_mode, cfg, kube_client, shutdown_channel_rx).await
             }
             HostCapabilitiesMode::Direct => {
-                new_transparent(cfg, kube_client, shutdown_channel).await
+                new_transparent(cfg, kube_client, shutdown_channel_rx).await
             }
         }
     }
 
-    pub async fn loop_eval(&mut self) {
+    pub fn sender_channel(&self) -> mpsc::Sender<CallbackRequest> {
         match self {
-            CallbackHandler::Direct(direct) => direct.loop_eval().await,
-            CallbackHandler::Proxy(proxy) => proxy.loop_eval().await,
+            CallbackHandler::Direct(handler) => handler.sender_channel(),
+            CallbackHandler::Proxy(handler) => handler.sender_channel(),
         }
     }
 
-    pub fn sender_channel(&self) -> mpsc::Sender<CallbackRequest> {
+    pub async fn loop_eval(self) {
         match self {
-            CallbackHandler::Direct(direct) => direct.sender_channel(),
-            CallbackHandler::Proxy(proxy) => proxy.sender_channel(),
+            CallbackHandler::Direct(mut handler) => handler.loop_eval().await,
+            CallbackHandler::Proxy(mut handler) => handler.loop_eval().await,
         }
     }
 }
@@ -58,11 +61,11 @@ async fn new_proxy(
     mode: &ProxyMode,
     cfg: &PullAndRunSettings,
     kube_client: Option<kube::Client>,
-    shutdown_channel: oneshot::Receiver<()>,
+    shutdown_channel_rx: oneshot::Receiver<()>,
 ) -> Result<CallbackHandler> {
     let proxy = CallbackHandlerProxy::new(
         mode,
-        shutdown_channel,
+        shutdown_channel_rx,
         cfg.sources.clone(),
         cfg.sigstore_trust_root.clone(),
         kube_client,
@@ -75,10 +78,10 @@ async fn new_proxy(
 async fn new_transparent(
     cfg: &PullAndRunSettings,
     kube_client: Option<kube::Client>,
-    shutdown_channel: oneshot::Receiver<()>,
+    shutdown_channel_rx: oneshot::Receiver<()>,
 ) -> Result<CallbackHandler> {
     let mut callback_handler_builder =
-        policy_evaluator::callback_handler::CallbackHandlerBuilder::new(shutdown_channel)
+        policy_evaluator::callback_handler::CallbackHandlerBuilder::new(shutdown_channel_rx)
             .registry_config(cfg.sources.clone())
             .trust_root(cfg.sigstore_trust_root.clone());
     if let Some(kc) = kube_client {