Update README
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
ritazh committed Sep 27, 2022
1 parent 19a98d0 commit b3b0853
Showing 1 changed file with 19 additions and 10 deletions.
29 changes: 19 additions & 10 deletions README.md
@@ -1,39 +1,48 @@
# wasm-policies

## To test allowed repos or required labels (policies written in Go):
Wouldn't it be great if you could write cloud native policies as code in your favorite programming language? Let's create flexible, secure, and portable policies with WebAssembly!

To run these policies with Gatekeeper, please refer to the experimental Gatekeeper (Kubernetes admission webhook) with Wasm support:
https://github.com/ritazh/gatekeeper/tree/wasm

## To test policies written in Go (allowed repos or required labels):

### Required Labels
Allow k8s pod creation if owner label prefix is admin

```console
$ cd <policy folder name such as allowedrepos or requiredlabels>
$ tinygo build -o policy.wasm -scheduler=none -target=wasi policy.go
# build the policy
$ cd requiredlabels
$ tinygo build -o policy.wasm -scheduler=none -target=wasi -no-debug policy.go

# if owner label prefix is admin, decision is true
# test from host, if owner label prefix is admin, decision is true
$ go run host.go '{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"owner":"admin.agilebank.com"},"name":"test-pod1"},"spec":{"containers":[{"image":"tomcat","name":"tomcat"}]}}' param

wasm guest objectToTest >> {"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"owner":"admin.agilebank.com"},"name":"test-pod1"},"spec":{"containers":[{"image":"tomcat","name":"tomcat"}]}}, parameters >> param, value >> admin.agilebank.com

host getting data from guest stdout: true

# if owner label prefix is NOT admin, decision is false
$ go run host.go '{"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"owner":"admin.agilebank.com"},"name":"test-pod1"},"spec":{"containers":[{"image":"tomcat","name":"tomcat"}]}}' param

wasm guest objectToTest >> {"apiVersion":"v1","kind":"Pod","metadata":{"labels":{"owner":"user.agilebank.com"},"name":"test-pod1"},"spec":{"containers":[{"image":"tomcat","name":"tomcat"}]}}, parameters >> param, value >> admin.agilebank.com

host getting data from guest stdout: false
```

## To test privileged (policy written in Rust):
## To test policy written in Rust (privileged):

### Privileged
Allow k8s pod creation if pod is not privileged

```console
# build the policy
$ cd privileged
$ make
...
Finished release [optimized] target(s) in 18.67s
cp target/wasm32-wasi/release/*.wasm policy.wasm

# testing
# testing from host, if securityContext of container is privileged, decision is false
$ make run
go get github.com/tetratelabs/wazero
go run host.go '{"apiVersion":"v1","kind":"Pod","metadata":{"name":"nginx","labels":{"app":"nginx"}},"spec":{"containers":[{"name":"nginx","image":"nginx","securityContext":{"privileged":true}}]}}' ''

host getting data from guest stdout: false
```
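Review bot: in the required-labels console block, the second `go run host.go` command (under `# if owner label prefix is NOT admin, decision is false`) still passes `"owner":"admin.agilebank.com"`, while the `wasm guest objectToTest >>` line printed right below it shows `"owner":"user.agilebank.com"`; the command and its captured output disagree, so anyone pasting the command as written will get `true` rather than the documented `false`. Suggest changing that command's label to `"owner":"user.agilebank.com"` so it matches the printed guest output. Separately, both commands pass the literal argument `param` and the guest echoes `parameters >> param, value >> admin.agilebank.com`, but nothing in the README says what that second argument is or where the `admin` prefix being checked comes from; a one-line note on the expected parameter format would save readers from guessing.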
