Skip to content

Instantly share code, notes, and snippets.

@vfarcic

vfarcic/kubewarden.sh

Created January 9, 2024 15:05
Show Gist options
  • Save vfarcic/515192a43c7e29f793525288b754c8c2 to your computer and use it in GitHub Desktop.
Save vfarcic/515192a43c7e29f793525288b754c8c2 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
kubewarden.sh
####################################################################
# Govern Kubernetes with Kubewarden and WASM Admission Controllers #
####################################################################
# Additional Info:
# - Kubewarden: https://kubewarden.io
# - Kubernetes Validating Admission Policy Changes The Game: https://youtu.be/EsZcDUaSUss
# - GitHub CLI (gh) - How to manage repositories more efficiently: https://youtu.be/BII6ZY2Rnlc
#########
# Setup #
#########
git clone https://github.com/vfarcic/kubewarden-demo
cd kubewarden-demo
helm upgrade --install crossplane crossplane \
--repo https://charts.crossplane.io/stable \
--namespace crossplane-system --create-namespace --wait
kubectl apply --filename crossplane-config-sql.yaml
helm upgrade --install cert-manager cert-manager \
--repo https://charts.jetstack.io \
--namespace cert-manager --create-namespace \
--set installCRDs=true --wait
helm upgrade --install kubewarden-crds kubewarden-crds \
--repo https://charts.kubewarden.io \
--namespace kubewarden --create-namespace --wait
helm upgrade --install \
kubewarden-controller kubewarden-controller \
--repo https://charts.kubewarden.io \
--namespace kubewarden --create-namespace --wait
helm upgrade --install kubewarden-defaults kubewarden-defaults \
--repo https://charts.kubewarden.io \
--namespace kubewarden --create-namespace --wait
kubectl wait --for=condition=healthy provider.pkg.crossplane.io \
--all --timeout=600s
kubectl create namespace a-team
kubectl create namespace production
#############################################
# Apply Predefined Policies with Kubewarden #
#############################################
cat cluster-admission-policy.yaml
kubectl apply --filename cluster-admission-policy.yaml
kubectl get clusteradmissionpolicies
kubectl get validatingwebhookconfigurations
cat pods.yaml
kubectl --namespace a-team apply --filename pods.yaml
##############################################
# Find and Inspect Kubewarden Policy Modules #
##############################################
# Open https://artifacthub.io in a browser.
kwctl pull ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
kwctl policies
kwctl scaffold manifest --type AdmissionPolicy \
registry://ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8 \
| tee signature-policy.yaml
kwctl inspect \
registry://ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
##############################################
# Use Custom Kubewarden Modules and Policies #
##############################################
cat sql-policy.yaml
kubectl apply --filename sql-policy.yaml
kubectl get clusteradmissionpolicies
kubectl --namespace kubewarden get pods
cat sql-ultra.yaml
kubectl --namespace a-team apply --filename sql-ultra.yaml
kubectl describe clusteradmissionpolicies sql-policy
kubectl --namespace kubewarden logs \
--selector app=kubewarden-policy-server-default
cat sql-small.yaml
kubectl --namespace a-team apply --filename sql-small.yaml
kubectl --namespace production apply --filename sql-small.yaml
cat sql-policy.yaml
##################################################
# Develop Custom Kubewarden Modules and Policies #
##################################################
gh repo view vfarcic/kubewarden-crossplane-sql --web
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment