
kubewarden / policy-server

Licence: Apache-2.0 license
Webhook server that evaluates WebAssembly policies to validate Kubernetes requests

Programming Languages: rust, Makefile, Dockerfile

Projects that are alternatives of or similar to policy-server

intercept
INTERCEPT / Policy as Code Static Analysis Auditing / SAST
Stars: ✭ 54 (-51.35%)
Mutual labels:  policy, policy-as-code
Checkov
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
Stars: ✭ 3,572 (+3118.02%)
Mutual labels:  policy-as-code, kubernetes-security
gamechanger-data
GAMECHANGER aspires to be the Department’s trusted solution for evidence-based, data-driven decision-making across the universe of DoD requirements
Stars: ✭ 17 (-84.68%)
Mutual labels:  policy, policy-as-code
chimera-admission
A Kubernetes dynamic admission controller that uses WebAssembly policies to validate incoming requests
Stars: ✭ 25 (-77.48%)
Mutual labels:  policy, policy-as-code
gamechanger
GAMECHANGER aspires to be the Department’s trusted solution for evidence-based, data-driven decision-making across the universe of DoD requirements
Stars: ✭ 27 (-75.68%)
Mutual labels:  policy, policy-as-code
open-source-logiciel-libre
Open Source Software Requirements and Guidance (Draft) - Exigences et guides liés aux logiciels libres (Ébauche)
Stars: ✭ 31 (-72.07%)
Mutual labels:  policy, policy-as-code
opal
Policy and data administration, distribution, and real-time updates on top of Open Policy Agent
Stars: ✭ 459 (+313.51%)
Mutual labels:  policy, policy-as-code
Felix
Project Calico's per-host agent Felix, responsible for programming routes and security policy.
Stars: ✭ 871 (+684.68%)
Mutual labels:  policy
User.api
A sample CQRS-based microservice development framework integrating an API gateway, identity authentication, token authorization, microservices, .NET Core and more
Stars: ✭ 109 (-1.8%)
Mutual labels:  policy
Site Policy
Collaborative development on GitHub's site policies, procedures, and guidelines
Stars: ✭ 797 (+618.02%)
Mutual labels:  policy
Rasa chatbot cn
Building a Chinese dialogue system based on the newest version of Rasa
Stars: ✭ 723 (+551.35%)
Mutual labels:  policy
Terraform
Share Terraform best practices and custom modules with the community
Stars: ✭ 39 (-64.86%)
Mutual labels:  policy
Cape Python
Collaborate on privacy-preserving policy for data science projects in Pandas and Apache Spark
Stars: ✭ 125 (+12.61%)
Mutual labels:  policy
Tram Policy
Policy Object Pattern
Stars: ✭ 16 (-85.59%)
Mutual labels:  policy
Speedle
Speedle is an open source project for access control.
Stars: ✭ 153 (+37.84%)
Mutual labels:  policy
Azure Policy
Repository for Azure Resource Policy built-in definitions and samples
Stars: ✭ 758 (+582.88%)
Mutual labels:  policy
Opa Envoy Plugin
A plugin to enforce OPA policies with Envoy
Stars: ✭ 185 (+66.67%)
Mutual labels:  policy
App Privacy Policy Generator
A simple web app to generate a generic privacy policy for your Android/iOS apps
Stars: ✭ 2,278 (+1952.25%)
Mutual labels:  policy
Freeradius Server
FreeRADIUS - A multi-protocol policy server.
Stars: ✭ 1,379 (+1142.34%)
Mutual labels:  policy
Bc Policy Framework For Github
Policy information for BC Government employees using GitHub
Stars: ✭ 98 (-11.71%)
Mutual labels:  policy


Note well: don't forget to check out Kubewarden's documentation for more information

policy-server

policy-server is a Kubernetes dynamic admission controller that uses Kubewarden Policies to validate admission requests.

Kubewarden Policies are simple WebAssembly modules.

Deployment

We recommend relying on the kubewarden-controller and the Kubernetes Custom Resources it provides to deploy the Kubewarden stack.

Configuring policies

A single instance of policy-server can load multiple Kubewarden policies. The list of policies to load, how to expose them and their runtime settings are handled through a policies file.

By default policy-server will load the policies.yml file, unless the user provides a different value via the --policies flag.

This is an example of the policies file:

psp-apparmor:
  url: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.3
psp-capabilities:
  url: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
namespace_simple:
  url: file:///tmp/namespace-validate-policy.wasm
  settings:
    valid_namespace: kubewarden-approved

The YAML file contains a dictionary with strings as keys, and policy objects as values.

The key that identifies a policy is used by policy-server to expose the policy through its web interface. Policies are exposed under /validate/<policy id>.

For example, given the configuration file from above, the following API endpoints would be created:

  • /validate/psp-apparmor: this exposes the psp-apparmor:v0.1.3 policy. The Wasm module is downloaded from the OCI registry of GitHub.
  • /validate/psp-capabilities: this exposes the psp-capabilities:v0.1.3 policy. The Wasm module is downloaded from the OCI registry of GitHub.
  • /validate/namespace_simple: this exposes the namespace-validate-policy policy. The Wasm module is loaded from a local file located under /tmp/namespace-validate-policy.wasm.

It's common for policies to allow users to tune their behaviour via ad-hoc settings. These customization parameters are provided via the settings dictionary.

For example, given the configuration file from above, the namespace_simple policy will be invoked with the valid_namespace parameter set to kubewarden-approved.

Note well: it's possible to expose the same policy multiple times, each time with a different set of parameters.

The Wasm file providing the Kubewarden Policy can be either loaded from the local filesystem or it can be fetched from a remote location. The behaviour depends on the URL format provided by the user:

  • file:///some/local/program.wasm: load the policy from the local filesystem
  • https://some-host.com/some/remote/program.wasm: download the policy from the remote http(s) server
  • registry://localhost:5000/project/artifact:some-version: download the policy from an OCI registry. The policy must have been pushed as an OCI artifact
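As an added example (not part of the policy-server code base), the following Python script takes the parsed form of the policies file shown above and performs the checks a deployer would want before handing it to policy-server: every entry has a url, the URL uses one of the three source forms listed above (file://, https://, registry://), the policy id is usable as a path component, and settings is a mapping. It then derives the /validate/<policy id> endpoint table. The YAML-to-dict step is assumed to have happened already (so no YAML library is needed), the function and constant names are mine, and the sample configuration is the page's example embedded inline.

```python
"""Validate a policy-server policies file and derive its /validate/ endpoints.

Added illustration, not part of policy-server. Assumes the YAML has already
been parsed into a dict; function names and the source-kind labels are ours.
"""
from urllib.parse import urlparse

# The three URL forms the README lists for locating a Wasm policy.
ALLOWED_SCHEMES = {"file", "https", "registry"}

# Constructed sample: the parsed form of the policies.yml shown in the README.
SAMPLE_POLICIES = {
    "psp-apparmor": {
        "url": "registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.3",
    },
    "psp-capabilities": {
        "url": "registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3",
    },
    "namespace_simple": {
        "url": "file:///tmp/namespace-validate-policy.wasm",
        "settings": {"valid_namespace": "kubewarden-approved"},
    },
}


def classify_source(url):
    """Return (kind, location) for a policy URL, or raise ValueError.

    kind is one of "local-file", "https", "oci-registry"; location is the
    path, the full URL, or the registry reference respectively.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported policy URL scheme {parsed.scheme!r} in {url!r}")
    if parsed.scheme == "file":
        # file:///abs/path.wasm has an empty host; a host means a malformed
        # or relative path, which policy-server cannot open locally.
        if parsed.netloc or not parsed.path.startswith("/"):
            raise ValueError(f"file URL must be an absolute local path: {url!r}")
        return "local-file", parsed.path
    if not parsed.netloc:
        raise ValueError(f"{parsed.scheme} URL is missing a host: {url!r}")
    if parsed.scheme == "https":
        return "https", url
    # registry://host[:port]/repo/artifact:tag -> OCI reference without scheme
    if parsed.path in ("", "/"):
        raise ValueError(f"registry URL is missing the artifact path: {url!r}")
    return "oci-registry", parsed.netloc + parsed.path


def is_valid_source(url):
    """Boolean convenience wrapper around classify_source."""
    try:
        classify_source(url)
        return True
    except ValueError:
        return False


def policy_endpoints(policies):
    """Map each policy id to the endpoint policy-server would expose for it.

    The same Wasm module may appear under several ids, each with its own
    settings; that is allowed and simply yields several endpoints.
    """
    endpoints = {}
    for policy_id, spec in policies.items():
        if not isinstance(policy_id, str) or not policy_id or "/" in policy_id:
            raise ValueError(f"policy id {policy_id!r} is not usable as a path segment")
        if not isinstance(spec, dict) or "url" not in spec:
            raise ValueError(f"policy {policy_id!r} must be a mapping with a 'url' key")
        kind, location = classify_source(spec["url"])
        settings = spec.get("settings") or {}
        if not isinstance(settings, dict):
            raise ValueError(f"settings of policy {policy_id!r} must be a mapping")
        endpoints[f"/validate/{policy_id}"] = {
            "kind": kind,
            "location": location,
            "settings": settings,
        }
    return endpoints


if __name__ == "__main__":
    for path, info in policy_endpoints(SAMPLE_POLICIES).items():
        print(f"{path}: {info['kind']} {info['location']} settings={info['settings']}")
```

Running the script prints one line per endpoint; feeding it a policies file that uses a plain http:// URL or a relative file path fails fast with a ValueError instead of surfacing later as a policy-server startup error.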

Logging and distributed tracing

The verbosity of policy-server can be configured via the --log-level flag. The default log level used is info, but trace, debug, warn and error levels are available too.

Policy server can produce log events in different formats. The --log-fmt flag selects the format to use.

Standard output

By default, log messages are printed on the standard output using the text format. Logs can be printed as JSON objects using the json format type.

Open Telemetry Collector

The OpenTelemetry project provides a collector component that can be used to receive, process and export telemetry data in a vendor-agnostic way.

Policy server can send trace events to the Open Telemetry Collector using the --log-fmt otlp flag.

Current limitations:

  • Traces can be sent to the collector only via gRPC. The HTTP transport layer is not supported.
  • The Open Telemetry Collector must be listening on localhost. When deployed on Kubernetes, policy-server must have the Open Telemetry Collector running as a sidecar.
  • Policy server doesn't expose any configuration setting for Open Telemetry (e.g.: endpoint URL, encryption, authentication,...). All of the tuning has to be done on the collector process that runs as a sidecar.

More details about OpenTelemetry and tracing can be found inside of our official docs.

Building

You can use the container image we maintain inside of our GitHub Container Registry.

Alternatively, the policy-server binary can be built in this way:

$ make build

Software bill of materials

Policy server publishes its software bill of materials (SBOM) with every release. It follows the SPDX version 2.2 format and can be found in the release assets together with the signature and certificate used to sign it.

Security

The Kubewarden team is security conscious. You can find our threat model assessment, responsible disclosure approach and other related things under the security section of Kubewarden docs.
