Kubewarden Blocking External IPS

[saiben10]

Hello,

So up to now we used opa policies for Kubernetes--> blocking externalips, namespace owner label, need to replace with Kube warden is there any policies for externalips and replica count in Kube warden.
As i don't see those in antifactory hub.

Please clarify on this.

Thanks

[flavio]

You can reuse your OPA/Gatekeeper policies with kubewarden. Please take a look at this section of our documentation. You will see how you can use opa cli tool to compile a .rego policy into .wasm and then use it inside of Kubewarden

[saiben10]

So, need to write the policy from scratch as i am not aware of Rego.
Please clarify on this

[saiben10]

Hey @flavio ,
This was my previous opa templates and constraint templates.

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sexternalips
  annotations:
    description: "Restricts Services from containing externalIPs except those in a provided allowlist."
spec:
  crd:
    spec:
      names:
        kind: K8sExternalIPs
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            allowedIPs:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sexternalips
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.kind.group == ""
          allowedIPs := {ip | ip := input.parameters.allowedIPs[_]}
          externalIPs := {ip | ip := input.review.object.spec.externalIPs[_]}
          forbiddenIPs := externalIPs - allowedIPs
          count(forbiddenIPs) > 0
          msg := sprintf("service has forbidden external IPs: %v", [forbiddenIPs])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips-opa
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    excludedNamespaces : ["cattle-system","calico-system","fleet-system","cattle-fleet-system","cattle-monitoring-system","kube-node-lease","kube-public","kube-system","default","ingress-nginx","cis-operator-system","cattle-pipeline","tigera-operator","cattle-impersonation-system"]
  parameters:
    allowedIPs:
      - ""

How can i convert this and I tried to install opa cli but not working to convert and should we need to push these modules in the gcr and is there any method to use. As we have 3 more other policies to convert.

Please clarify on this.

[saiben10]

Hello, @flavio

Any inputs on this please let me know

[flavio]

You should start by using the gatekeeper-policy-template repository. Then replace the contents of policy.rego wit the Rego code you pasted above.
Running make policy will produce a .wasm file. Update the metadata.yml file inside of the repo and do make annotate. You can then push the annotated wasm file to a registry and consume it like any other Kubewarden policy.

The documentation I linked previously will guide you through each step