Simplest Kubewarden policy written using Go.
To be compiled with TinyGo:
tinygo build -o policy.wasm -target=wasi -no-debug .For more details: https://github.com/kubewarden/go-policy-template
Flavio Castelli flavio
flavio
/ wasmtime-one-module-smap.txt
Created
September 20, 2023 14:52
Output produced by `smap` when looking at a process running wasmtime. Only one module loaded
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 28789: target/release/wasmtime-provider-memory | |
| Address Perm Offset Device Inode Size Rss Pss Referenced Anonymous LazyFree ShmemPmdMapped FilePmdMapped Shared_Hugetlb Private_Hugetlb Swap SwapPss Locked THPeligible Mapping | |
| 5654b4238000 r-xp 00000000 fe:02 584900893 9532 6048 6048 6048 0 0 0 0 0 0 0 0 0 0 /home/flavio/hacking/wasm/wapc/wasmtime-provider-memory/target/release/wasmtime-provider-memory | |
| 5654b4b87000 r--p 0094f000 fe:02 584900893 280 280 280 280 280 0 0 0 0 0 0 0 0 0 /home/flavio/hacking/wasm/wapc/wasmtime-provider-memory/target/release/wasmtime-provider-memory | |
| 5654b4bcd000 rw-p 00995000 fe:02 584900893 8 8 8 8 8 0 0 0 0 0 0 0 0 0 /home/flavio/ha |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *.wasm |
This is a set of files that can be used to reproduce an issue I'm facing with rustls.
This is the current setup:
- A self signed root CA
- A wildcard certificate issued by this CA. One of the SAN is
*.suse(yeah this is bad from a security POV)
I've a simple program that uses reqwest to perform a GET request against a HTTPS server that uses this certificate.
The server FQDN is registry01.suse.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module github.com/flavio/container-image-name | |
| go 1.16 | |
| require ( | |
| github.com/docker/distribution v2.7.1+incompatible | |
| github.com/opencontainers/go-digest v1.0.0 // indirect | |
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use oci_distribution::{ParseError, Reference}; | |
| use std::str::FromStr; | |
| use url::Url; | |
| fn build_oci_reference(url: Url) -> Result<Reference, ParseError> { | |
| Reference::from_str( | |
| url.as_ref() | |
| .strip_prefix("registry://") | |
| .unwrap_or_else(|| url.as_ref()), | |
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Running `target/release/kwctl -v run --settings-json '{"allowed_capabilities": ["CHOWN"]}' -r ../psp-capabilities/test_data/req_pod_with_container_with_capabilities_added.json ../psp-capabilities/target/wasm32-unknown-unknown/release/psp_capabilities.wasm` | |
| Jun 27 15:06:21.457 INFO validate{self=PolicyEvaluator { settings: Some({"allowed_capabilities": Array([String("CHOWN")])}) } request="{\"uid\":\"1299d386-525b-4032-98ae-1949f69f9cfc\",\"kind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"resource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"requestKind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"requestResource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"name\":\"nginx\",\"namespace\":\"default\",\"operation\":\"CREATE\",\"userInfo\":{\"username\":\"kubernetes-admin\",\"groups\":[\"system:masters\",\"system:authenticated\"]},\"object\":{\"kind\":\"Pod\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"nginx\",\"namespace\":\"default\",\"uid\":\"04dc7 |
The v0.2.0 release of kubewarden-controller introduces a new version of the ClusterAdmissionPolicy custom resource.
Starting from this release, only ClusterAdmissionPolicy of version v1alpha2 are going to be reconciled by the controller.
This section describes how to migrate a kubewarden deployment from v0.1.4 to
v0.2.0.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| provider "libvirt" { │··························· | |
| uri = "qemu:///system" │··························· | |
| } │··························· | |
| │··························· | |
| resource "libvirt_cloudinit" "disk" { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "github.com/imdario/mergo" | |
| "gopkg.in/yaml.v2" | |
| ) | |
| type UserData struct { |
NewerOlder