Warning: This is a demo policy that demonstrates the possibility of writing Kubewarden policies using TypeScript.
The policy is experimental, and the codebase needs to be cleaned to separate the TypeScript SDK from the actual policy.
The policy is written using TypeScript, which is then transpiled to JavaScript, which is finally compiled to WebAssembly.
The JavaScript to WebAssembly compilation is done using the Javy project from the Bytecode Alliance.
The Kubewarden policy is built targeting the Kubewarden WASI policy type.
The policy demonstrates that it's possible to perform validation and make use of Kubewarden's host capabilities during policy evaluation.
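The following is an added example, not the policy's own source and not the TypeScript SDK: a sketch of the validation step such a policy could perform. It assumes the policy rejects privileged containers (inferred only from the test data file name `no_privileged_containers.json`) and that the payload and response follow Kubewarden's `{ request, settings }` and `{ accepted, message }` shapes; `allContainers`, `validate` and the sample Pod are hypothetical names and constructed data.

```javascript
// Added example: hypothetical names, constructed sample data.
// Assumed input:  { request: <AdmissionRequest>, settings: {...} }
// Assumed output: { accepted: boolean, message?: string }

// A Pod spec can declare containers in three lists; checking only
// `containers` would let a privileged init or ephemeral container through.
function allContainers(podSpec) {
  return ["containers", "initContainers", "ephemeralContainers"].flatMap(
    (field) => (podSpec[field] || []).map((container) => ({ field, container }))
  );
}

function validate(payload) {
  const obj = payload && payload.request && payload.request.object;
  // DELETE requests carry no object, and non-Pod kinds are out of scope here.
  if (!obj || obj.kind !== "Pod" || !obj.spec) {
    return { accepted: true };
  }
  const offenders = allContainers(obj.spec)
    // A missing securityContext means "not privileged"; only an explicit true is rejected.
    .filter(({ container }) => container.securityContext?.privileged === true)
    .map(({ field, container }) => `${field}/${container.name}`);
  if (offenders.length === 0) {
    return { accepted: true };
  }
  return {
    accepted: false,
    message: `privileged containers are not allowed: ${offenders.join(", ")}`,
  };
}

// Constructed sample request: the main container is fine, the init container is not.
const samplePayload = {
  settings: {},
  request: {
    operation: "CREATE",
    object: {
      kind: "Pod",
      metadata: { name: "demo" },
      spec: {
        containers: [{ name: "app", image: "nginx" }],
        initContainers: [{ name: "setup", image: "busybox", securityContext: { privileged: true } }],
      },
    },
  },
};

console.log(JSON.stringify(validate(samplePayload)));
```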
The policy requires the following tools to be installed on the host machine:
- Rust: The Rust compiler is required to build the Kubewarden Javy plugin. The wasm32-wasip1 target must be added. It's recommended to use rustup.
- TypeScript Compiler (tsc): Required to compile the TypeScript files into JavaScript.
- npm: Required to install the project dependencies.
- Javy: The compiler that transforms the JavaScript code into a WebAssembly module.
- kwctl: Required to run the final policy.
- bats: Required to run the end-to-end tests.
While inside the js directory, run the following command:
make annotated-policy.wasm
This will produce a Kubewarden policy that can then be run with:
kwctl run annotated-policy.wasm -r test_data/no_privileged_containers.json
The end-to-end tests can be run with:
make e2e-tests