safe-naming-policy

Kubewarden policy which validates the PodName in order to allow and disallow the Pod Deployment into the Kubernetes cluster

Requirements

In order to deploy this policy in K8s, you just need a K8s cluster + Kubewarden. Then you can go to assets/deployment folder and execute:

kubectl apply -f ClusterAdmissionPolicy-sample.yaml

And if you want to test if it's working, you can use the testing sample pods in the same folder:

kubectl apply -f invalidPod.yaml: Will fail at deployment because of it's blacklisted
kubectl apply -f validPod.yaml: Will success at deployment because it's whitelisted
kubectl apply -f notListedPod.yaml: Will fail at deployment because it's not whitelisted

Note: You could change the settings field on the ClusterAdmissionPolicy-sample.yaml file in order to fit your needs.

make types_easyjson.go

make policy.wasm

annotated-policy.wasm: Annotates the policy.wasm generated with the assets/metadata.yml details

make annotated-policy.wasm

You could perform all those actions using make build

e2e-tests: Uses Bats framework to execute the E2E tests located in assets/e2e.bats
test: Executes the Go tests
clean: Typical go clean + deletion of the WASM files generated policy.wasm annotated-policy.wasm

To enable the deployment on these processors we will need to do 2 things:

Tinygo build: We cannot execute the build on a docker environment without make our own Tinygo container image, because they only support amd64 and Apple Silicon ones are based on aach64
Kwctl Binary: For now we need to recompile the kwctl binary by hand because they are not publishing images based on aarch64 (PR On going). To do this we need to execute these commands (remember, to perform the compilation you will need Rust):
```
git clone https://github.com/kubewarden/kwctl.git && cd kwctl
rustup target add aarch64-apple-darwin
cargo build --target=aarch64-apple-darwin --release
```
UPDATE: PR it's now merged, so in the next release from v1.1.1 we will have Apple Silicon binaries 🎉🎉🎉