Warning: The SDK and demo policy are experimental and under active development.
This repository contains the TypeScript SDK for writing Kubewarden policies, along with a demo policy that demonstrates its usage.
The policy is written using TypeScript, which is then transpiled to JavaScript, which is finally compiled to WebAssembly.
The Javascript to WebAssembly compilation is done using the Javy project from the Bytecode Alliance.
The Kubewarden policy is built targeting the Kubewarden WASI policy type.
The policy demonstrates that it's possible to perform validation and make use of Kubewarden's host capabilities during policy evaluation.
The project is organized into the following components:
js/: The core TypeScript SDK.demo-policy/: A sample policy demonstrating the SDKs capabilities.javy-plugin-kubewarden/: Custom Javy plugin for JavaScript to WebAssembly compilation
The policy requires the following tools to be installed on the host machine:
- Rust: The Rust compiler is required to build the Kubewarden Javy plugin.
The
wasm32-wasip1target must be added. It's recommended to use rustup. - TypeScript Compiler (
tsc): Required to compile the TypeScript files into JavaScript. - npm: Required to install the project dependencies.
- Javy: The compiler that transforms the JavaScript code into a WebAssembly module.
clang: required to build the quickjs related Rust crates.- kwctl: Required to run the final policy.
bats: Required to run the end-to-end tests. Install bats locally using the official installation instructionsjest: Required to run unit tests.
While inside the js directory, run the following command:
make annotated-policy.wasmThis will produce a Kubewarden policy that can then be run with:
kwctl run annotated-policy.wasm -r demo_policy/test_data/no_privileged_containers.jsonThe end to end tests can be run with:
make e2e-tests