{"id":22930717,"url":"https://github.com/kubewarden/gatekeeper-policy-template","last_synced_at":"2025-08-12T15:31:50.311Z","repository":{"id":38313139,"uuid":"409226967","full_name":"kubewarden/gatekeeper-policy-template","owner":"kubewarden","description":"A template repository to quickly port a Gatekeeper policy to Kubewarden","archived":false,"fork":false,"pushed_at":"2025-08-11T10:28:44.000Z","size":120,"stargazers_count":1,"open_issues_count":1,"forks_count":1,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-08-11T12:24:47.286Z","etag":null,"topics":["gatekeeper","gatekeeper-policies","gatekeeper-v2","hacktoberfest","kubernetes","kubernetes-security","kubewarden-policy-template","policy-as-code","rego","webassembly"],"latest_commit_sha":null,"homepage":"https://kubewarden.io","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kubewarden.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-09-22T14:01:27.000Z","updated_at":"2025-08-11T10:28:22.000Z","dependencies_parsed_at":"2023-10-16T18:38:01.939Z","dependency_job_id":"953de1b2-9a01-4b1e-b741-10d6b8f17cdb","html_url":"https://github.com/kubewarden/gatekeeper-policy-template","commit_stats":null,"previous_names":[],"tags_count":1,"template":true,"template_full_name":null,"purl":"pkg:github/kubewarden/gatekeeper-policy-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fgatekeeper-policy-template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kub
ewarden%2Fgatekeeper-policy-template/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fgatekeeper-policy-template/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fgatekeeper-policy-template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kubewarden","download_url":"https://codeload.github.com/kubewarden/gatekeeper-policy-template/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fgatekeeper-policy-template/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270086717,"owners_count":24524625,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-12T02:00:09.011Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gatekeeper","gatekeeper-policies","gatekeeper-v2","hacktoberfest","kubernetes","kubernetes-security","kubewarden-policy-template","policy-as-code","rego","webassembly"],"created_at":"2024-12-14T10:29:28.117Z","updated_at":"2025-08-12T15:31:50.292Z","avatar_url":"https://github.com/kubewarden.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)\n\n# 
gatekeeper-policy-template\n\nThis is a template repository that can be used to easily convert an existing\nRego policy targeting the Gatekeeper framework into a Kubewarden policy.\n\nDon't forget to check out Kubewarden's [official documentation](https://docs.kubewarden.io)\nfor more information about writing policies.\n\n## Requirements\n\nTo fully use this template, you'll need the following tools:\n\n- [opa](https://github.com/open-policy-agent/opa/releases): tool\n  to build the code into WebAssembly. The expected version is `v1.0.0` or later\n- [kwctl](https://github.com/kubewarden/kwctl/releases): tool you use to\n  prepare and run Kubewarden WebAssembly modules\n- [bats](https://github.com/bats-core/bats-core): tool used to run end-to-end\n  tests, if you decide to write this kind of test\n\n## Introduction\n\n**Note well:** the existing Rego code should not need to be rewritten.\n\nThese are the only requirements you have to fulfill:\n\n1. The policy evaluation must return a `violation` response object. This\n   is already a requirement for all the Gatekeeper policies.\n1. The policy must be compiled into a WebAssembly module using the `opa` CLI tool.\n1. The policy must be annotated via `kwctl annotate`.\n\nThis template repository contains an example policy that can be used as a foundation\nfor your policies, plus all the automation needed to implement the 2nd and 3rd points.\n\n## Implementation details\n\nThe actual policy is defined inside of the `policy.rego` file. This file defines\na `violation` object.\n\n## Rego Policy code and OPA v1.0.0 compatibility\n\nWith the release of OPA (Open Policy Agent)\n[v1.0.0](https://github.com/open-policy-agent/opa/releases/tag/v1.0.0) in\nDecember 2024, a breaking change was introduced regarding Rego policy syntax.\n\nPreviously, `if` for all rule definitions and `contains` for multi-value rules\nwere optional; now, they're mandatory. 
This change affects most older policies.\n\nHere's a summary of what you need to know:\n\n- OPA v1.0.0 Syntax: OPA v1.0.0 mandates the use of `if` for all rule\n  definitions and `contains` for multi-value rules. Policies not adhering to this\n  syntax will break.\n- Backward Compatibility: If you need to build older policies that don't use\n  the new v1.0.0 syntax, you must provide the `--v0-compatible` flag to the\n  `opa build` command.\n- Gatekeeper integration: Gatekeeper updated its OPA dependency to v1.0.0 in\n  its [v3.19.0\n  release](https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.19.0).\n- Rego version in Gatekeeper templates: Gatekeeper assumes `v0` syntax is used\n  unless the template explicitly specifies `version: \"v1\"` within the `source`\n  field under `code.engine: Rego`.\n\nCheck out [this\nsection](https://open-policy-agent.github.io/gatekeeper/website/docs/constrainttemplates/#enable-opa-rego-v1-syntax-in-constrainttemplates)\nof Gatekeeper's docs for more details about how `v0` and `v1` versions of Rego\nare handled.\n\nWhat this means for you:\n\n- If the Gatekeeper CR doesn't specify a Rego version, it implies `v0` is going\n  to be used. You must build the policy using the `OPA_V0_COMPATIBLE=true make`\n  command.\n- If the Gatekeeper CR explicitly specifies `version: \"v1\"`, you must build the\n  policy without any environment variable set.\n\n## Testing\n\nThe policy has some unit tests written in Rego; they can be found inside of\nthe file `policy_test.rego`. The unit tests can be executed via the following\ncommand:\n\n```shell\nmake test\n```\n\nThe repository also provides a way to run end-to-end tests against the WebAssembly\nmodule produced by the compilation. These tests execute the policy using the\nWebAssembly runtime of Kubewarden.\n\nThe e2e tests are implemented using [bats](https://github.com/bats-core/bats-core):\nthe Bash Automated Testing System. 
The WebAssembly runtime is provided by the\n[kwctl](https://github.com/kubewarden/kwctl) CLI tool.\n\nThe end-to-end tests are defined inside of the `e2e.bats` file and can\nbe run via this command:\n\n```shell\nmake e2e-tests\n```\n\n## Automation\n\nThis project contains [GitHub Actions](https://docs.github.com/en/actions)\nworkflows.\n\nThey take care of the following automations:\n\n- Execute the Rego test suite\n- Build the Rego files into a single WebAssembly module\n- Annotate the WebAssembly module with Kubewarden's metadata\n- Execute end-to-end tests\n- Push events on the `main` branch lead to:\n  - Push the annotated WebAssembly module to the GitHub Container Registry using the\n    `:latest` tag.\n- The creation of git tags leads to:\n  - Creation of the GitHub Release, holding the annotated WebAssembly module\n  - Push the annotated WebAssembly module to the GitHub Container Registry using the\n    `:\u003cgit tag\u003e` tag.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubewarden%2Fgatekeeper-policy-template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkubewarden%2Fgatekeeper-policy-template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubewarden%2Fgatekeeper-policy-template/lists"}