DEV Community

Cover image for Kubernetes policy management: IV - jsPolicy
Ashok Nagaraj
Ashok Nagaraj

Posted on • Edited on

Kubernetes policy management: IV - jsPolicy

#kubernetes #policy #loft #jspolicy

This is the final post of the series.

Other parts:
I - Introduction
II - OPA Gatekeeper
III - Kyverno

jsPolicy offers a simple alternative to OPA. You can use it to write policy logic in JavaScript or TypeScript, and it offers Turing completeness, easy cluster access, and a huge ecosystem of libraries. Other features include validating, mutating, or changing policies, and defining controller policies. It uses Chrome V8 engine underneath, so performance and stability are battle tested

Installation

❯ helm install jspolicy jspolicy -n jspolicy --create-namespace --repo https://charts.loft.sh NAME: jspolicy LAST DEPLOYED: Tue Mar 8 20:46:34 2022 NAMESPACE: jspolicy STATUS: deployed ... ❯ kubectl get crds | grep jspolicy jspolicies.policy.jspolicy.com 2022-03-08T15:16:28Z jspolicybundles.policy.jspolicy.com 2022-03-08T15:16:28Z jspolicyviolations.policy.jspolicy.com 2022-03-08T15:16:28Z
Enter fullscreen mode Exit fullscreen mode

Architecture
jsPolicy architecture from loft labs

Creating and instantiating policies
Validating policy to disallow workload creation under namespaces default and restricted

❯ cat /tmp/policy.yaml # policy.yaml apiVersion: policy.jspolicy.com/v1beta1 kind: JsPolicy metadata: name: "deny-default-namespace.example.com" spec: operations: ["CREATE"] resources: ["*"] scope: Namespaced javascript: | var namespacesToDeny = ["default", "restricted"]; if (namespacesToDeny.includes(request.namespace)) { deny("Creation of resources is not allowed in the following namespaces: " + namespacesToDeny.toString()); } ❯ kubectl create -f /tmp/policy.yaml jspolicy.policy.jspolicy.com/deny-default-namespace created
Enter fullscreen mode Exit fullscreen mode

Mutating policy to add a foo=bar label to pods

❯ cat /tmp/mutate.yaml apiVersion: policy.jspolicy.com/v1beta1 kind: JsPolicy metadata: name: "create-foo-bar-label.example.com" spec: type: Mutating operations: ["CREATE", "UPDATE"] resources: ["pods"] javascript: | if (request.object.metadata.labels?.["foo"] !== "bar") { request.object.metadata.labels = {...request.object.metadata.labels, 'foo': 'bar'}; // tell jspolicy to calc the patch and exit mutate(request.object); } ❯ kubectl create -f /tmp/mutate.yaml jspolicy.policy.jspolicy.com/create-foo-bar-label.example.com created ❯ kubectl run test-pod --image=nginx -n test-ns pod/test-pod created ❯ kubectl get pod -n test-ns --show-labels NAME READY STATUS RESTARTS AGE LABELS test-pod 1/1 Running 0 14s foo=bar,run=test-pod
Enter fullscreen mode Exit fullscreen mode

Testing

❯ kubectl run test-pod --image=nginx --restart=Never Error from server (Forbidden): admission webhook "deny-default-namespace.example.com" denied the request: Creation of resources is not allowed in the following namespaces: default,restricted
Enter fullscreen mode Exit fullscreen mode

Extra tools
Policies created for jsPolicy are regular javascript files =>

  • You can develop policies with your favorite editor
  • You can test(unit, functional, scale) with any javascript test frameworks like Jest, Mocha ..
  • You can write policies as external JavaScript files and load them as a dependency This is a programming library so it can be scaled, evolved and maintained with relative ease over time.

More info
jsPolicy configuration
jsPolicy custom javascript functions
Comparison with OPA

I love the rationale(improve understandability) behind JSPolicy

Top comments (0)