kubewarden-controller is a Kubernetes controller that allows you to
dynamically register Kubewarden admission policies.
The kubewarden-controller reconciles the admission policies you
have registered with the Kubernetes webhooks of the cluster where
it's deployed.
Once the kubewarden-controller is up and running, you can define Kubewarden policies
using the ClusterAdmissionPolicy resource.
The documentation of this Custom Resource can be found here or on docs.crds.dev.
Note: ClusterAdmissionPolicy resources are cluster-wide.
The following snippet defines a Kubewarden Policy based on the psp-capabilities policy:

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-capabilities
spec:
  module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: true
  settings:
    allowed_capabilities:
      - CHOWN
    required_drop_capabilities:
      - NET_ADMIN

This ClusterAdmissionPolicy evaluates all the CREATE and UPDATE operations
performed against Pods. The homepage of this policy provides more insights about
how this policy behaves.
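To make the effect of the settings above concrete, here is an added Python example (not code from the Kubewarden project, and not the policy's actual implementation) that emulates what a mutating policy with these settings would do to a Pod admission request. The semantics are assumed: a container that adds a capability outside allowed_capabilities is rejected, and every capability in required_drop_capabilities is injected into each container's drop list; the Pod manifests are constructed sample input.

```python
import copy

# Settings copied from the ClusterAdmissionPolicy manifest above.
SETTINGS = {
    "allowed_capabilities": ["CHOWN"],
    "required_drop_capabilities": ["NET_ADMIN"],
}


def evaluate_pod(pod, settings):
    """Emulate a CREATE/UPDATE admission decision for a Pod.

    Returns (accepted, patched_pod, message). The original Pod is never
    modified; the patch is the mutation that `mutating: true` permits.
    Assumed semantics, not the real psp-capabilities policy code.
    """
    allowed = set(settings.get("allowed_capabilities", []))
    required_drop = settings.get("required_drop_capabilities", [])
    patched = copy.deepcopy(pod)
    spec = patched.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for container in containers:
        sc = container.setdefault("securityContext", {})
        caps = sc.setdefault("capabilities", {})
        # Validation: any added capability outside the allow-list rejects.
        extra = [c for c in caps.get("add", []) if c not in allowed]
        if extra:
            return False, None, f"container {container['name']}: {extra} not allowed"
        # Mutation: make sure every required capability is dropped.
        drop = caps.setdefault("drop", [])
        for cap in required_drop:
            if cap not in drop:
                drop.append(cap)
    return True, patched, "accepted"


# Constructed sample Pods (not from the page).
def _pod(add_caps):
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
            "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25",
                     "securityContext": {"capabilities": {"add": add_caps, "drop": []}}}]}}


GOOD_POD = _pod(["CHOWN"])                 # only an allowed capability
BAD_POD = _pod(["CHOWN", "NET_ADMIN"])     # NET_ADMIN is not allowed

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        ok, patched, msg = evaluate_pod(pod, SETTINGS)
        print(ok, msg, patched and patched["spec"]["containers"][0]["securityContext"])
```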
Creating the resource inside Kubernetes is sufficient to enforce the policy:

kubectl apply -f https://raw.githubusercontent.com/kubewarden/kubewarden-controller/main/config/samples/policies_v1alpha2_clusteradmissionpolicy.yaml

You can delete the admission policy you just created:

kubectl delete clusteradmissionpolicy psp-capabilities
kubectl patch clusteradmissionpolicy psp-capabilities -p '{"metadata":{"finalizers":null}}' --type=merge

The documentation provides more insights about how the project works and how to use it.