### Run Tilt for Development Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Start the Kubewarden controller development environment using Tilt. This command sets up the namespace, installs Helm charts, injects development images, and enables hot reloading. ```console tilt up ``` -------------------------------- ### Tilt Settings Example Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Example configuration for tilt-settings.yaml, specifying container registry and image names. ```yaml registry: ghcr.io audit-scanner: your-github-username/kubewarden/audit-scanner controller: your-github-username/kubewarden/controller policy-server: your-github-username/kubewarden/policy-server ``` -------------------------------- ### Install Kubewarden with Helm Chart Source: https://github.com/kubewarden/kubewarden-controller/wiki/Test-Plan Installs Kubewarden and its CRDs using Helm charts. Ensure cert-manager is installed and available before running. ```bash kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml kubectl wait --for=condition=Available deployment --timeout=2m -n cert-manager --all helm repo add kubewarden https://charts.kubewarden.io helm install --create-namespace -n kubewarden kubewarden-crds kubewarden/kubewarden-crds helm install --wait -n kubewarden kubewarden-controller kubewarden/kubewarden-controller ``` -------------------------------- ### Install Recommended Policies with Custom Settings Source: https://github.com/kubewarden/kubewarden-controller/blob/main/charts/kubewarden-defaults/README.md This command installs the kubewarden-defaults chart, enabling recommended policies, adding the 'devel' namespace to the list of ignored namespaces, and setting the default policy mode to 'protect'. ```bash helm install \ --set recommendedPolicies.enabled=True \ --set recommendedPolicies.skipAdditionalNamespaces={devel} \ --set recommendedPolicies.defaultPolicyMode=protect \ kubewarden-defaults kubewarden/kubewarden-defaults ``` -------------------------------- ### Basic Helm Chart Installation Source: https://github.com/kubewarden/kubewarden-controller/blob/main/charts/kubewarden-defaults/README.md This command adds the Kubewarden Helm repository and installs the kubewarden-defaults chart into a new namespace named 'kubewarden'. ```bash helm repo add kubewarden https://charts.kubewarden.io helm install --create-namespace -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults ``` -------------------------------- ### Install Bash Shell Completions for All Sessions (Linux) Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/kwctl/README.md Install Kubewarden CLI (kwctl) bash completion scripts for all new sessions on Linux by redirecting the output of `kwctl completions -s bash` to a file in `/etc/bash_completion.d/`. ```console $ kwctl completions -s bash > /etc/bash_completion.d/kwctl ``` -------------------------------- ### Install Bash Shell Completions for All Sessions (MacOS) Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/kwctl/README.md Install Kubewarden CLI (kwctl) bash completion scripts for all new sessions on MacOS by redirecting the output of `kwctl completions -s bash` to a file in `/usr/local/etc/bash_completion.d/`. ```console $ kwctl completions -s bash > /usr/local/etc/bash_completion.d/kwctl ``` -------------------------------- ### Kubernetes Namespace Selector Example Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/crds/CRD-docs-for-docs-repo.adoc This example demonstrates how to configure a `namespaceSelector` to target specific namespaces based on labels. It uses `matchExpressions` to select namespaces with the label 'environment' set to either 'prod' or 'staging'. Refer to Kubernetes documentation for more label selector examples. ```yaml "namespaceSelector": "matchExpressions": "key": "environment", "operator": "In", "values": "prod", "staging" ``` -------------------------------- ### ClusterAdmissionPolicySpec NamespaceSelector Example (In) Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/crds/CRD-docs-for-docs-repo.adoc Provides an example of how to configure the namespaceSelector within a ClusterAdmissionPolicySpec to filter which namespaces the policy applies to. This example uses 'In' to include specific environments. ```json "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } ``` -------------------------------- ### Run Policy Server Locally Source: https://github.com/kubewarden/kubewarden-controller/blob/main/crates/policy-server/DEVELOPMENT.md Starts the Policy Server in release mode with specified configurations for policies, workers, logging, and metrics. Ensure a 'policies.yml' file is present. ```bash cargo run --release -- \ --policies policies.yml \ --workers 2 \ --log-fmt otlp \ --log-level debug \ --enable-metrics \ --ignore-kubernetes-connection-failure ``` -------------------------------- ### Analyze CPU Profile Source: https://github.com/kubewarden/kubewarden-controller/blob/main/crates/policy-server/PROFILING.md Use the pprof tool to analyze the downloaded CPU profile. This command starts an HTTP server for interactive analysis. ```sh pprof -http=:8080 cpu_profile.prof ``` -------------------------------- ### Install Kubewarden CRDs Source: https://github.com/kubewarden/kubewarden-controller/blob/main/charts/kubewarden-crds/README.md Installs the kubewarden-crds Helm chart. Ensure the Helm repository is added first. ```bash helm repo add kubewarden https://charts.kubewarden.io helm install --create-namespace -n kubewarden kubewarden-crds kubewarden/kubewarden-crds ``` -------------------------------- ### Start Development Docker Compose Source: https://github.com/kubewarden/kubewarden-controller/blob/main/crates/policy-server/DEVELOPMENT.md Initiates the local development environment using Docker Compose. This command should be run from the 'hack' directory. ```bash cd hack && docker-compose up -d ``` -------------------------------- ### ClusterAdmissionPolicyGroupSpec NamespaceSelector Example (In) Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/crds/CRD-docs-for-docs-repo.md Provides an alternative namespaceSelector configuration for ClusterAdmissionPolicyGroupSpec, this example shows how to include namespaces with specific 'environment' labels. ```yaml "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } ``` -------------------------------- ### ClusterAdmissionPolicySpec NamespaceSelector Example Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/crds/CRD-docs-for-docs-repo.adoc Provides an example of how to configure the namespaceSelector within a ClusterAdmissionPolicySpec to filter which namespaces the policy applies to. This example uses 'NotIn' to exclude specific runlevels. ```json "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } ``` -------------------------------- ### ClusterAdmissionPolicyGroupSpec NamespaceSelector Example Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/crds/CRD-docs-for-docs-repo.md Demonstrates how to configure a namespaceSelector for a ClusterAdmissionPolicyGroupSpec. This example shows how to exclude namespaces with specific 'runlevel' labels. ```yaml "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } ``` -------------------------------- ### Kubernetes Pod Definition Example Source: https://github.com/kubewarden/kubewarden-controller/blob/main/crates/policy-server/DEVELOPMENT.md This is an example of a Kubernetes Pod definition, showing various configurations including volume mounts, security contexts, and tolerations. It is part of a larger Kubernetes object definition. ```yaml { "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "example-pod", "namespace": "default" }, "spec": { "containers": [ { "name": "main-container", "image": "kubewarden/policy-init", "args": [ "--port", "9090" ], "ports": [ { "containerPort": 9090 } ], "volumeMounts": [ { "name": "serviceaccount-volume", "readOnly": true, "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount" } ], "imagePullPolicy": "IfNotPresent" }, { "name": "nginx", "image": "nginx", "resources": {}, "volumeMounts": [ { "name": "default-token-pvpz7", "readOnly": true, "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount" } ], "securityContext": { "privileged": true }, "terminationMessagePath": "/dev/termination-log", "terminationMessagePolicy": "File", "imagePullPolicy": "IfNotPresent" } ], "restartPolicy": "Always", "terminationGracePeriodSeconds": 30, "dnsPolicy": "ClusterFirst", "serviceAccountName": "default", "serviceAccount": "default", "securityContext": {}, "schedulerName": "default-scheduler", "tolerations": [ { "key": "node.kubernetes.io/not-ready", "operator": "Exists", "effect": "NoExecute", "tolerationSeconds": 300 }, { "key": "node.kubernetes.io/unreachable", "operator": "Exists", "effect": "NoExecute", "tolerationSeconds": 300 }, { "key": "dedicated", "operator": "Equal", "value": "tenantA", "effect": "NoSchedule" } ], "priority": 0, "enableServiceLinks": true, "preemptionPolicy": "PreemptLowerPriority" }, "status": { "phase": "Pending", "qosClass": "BestEffort" } }, "oldObject": null, "dryRun": false, "options": { "kind": "CreateOptions", "apiVersion": "meta.k8s.io/v1" } } ``` -------------------------------- ### Run Sigstore E2E Tests Script Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Execute the script for end-to-end testing of Kubewarden with a private Sigstore instance. This script orchestrates setup, signing, and deployment stages. ```console ./scripts/test-sigstore-e2e.sh ``` -------------------------------- ### Attach Strace to Policy Server Process Source: https://github.com/kubewarden/kubewarden-controller/blob/main/crates/policy-server/DEVELOPMENT.md Install `strace` in the debugging container and run it as the same user as the policy-server process to attach to the process and monitor its system calls. ```bash # apk add strace ``` ```bash # su - kw $ strace -p ``` -------------------------------- ### Install a Mutating Policy with Kubewarden Source: https://github.com/kubewarden/kubewarden-controller/wiki/Test-Plan Apply a ClusterAdmissionPolicy to install a mutating policy. Ensure the policyServer, module, rules, and settings are correctly configured for the desired mutation. ```yaml apiVersion: policies.kubewarden.io/v1alpha2 kind: ClusterAdmissionPolicy metadata: name: psp-user-group spec: policyServer: default module: registry://ghcr.io/kubewarden/policies/psp-user-group:latest rules: - apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] operations: - CREATE - UPDATE mutating: true settings: run_as_user: rule: "MustRunAs" ranges: - min: 1000 max: 2000 - min: 3000 max: 4000 run_as_group: rule: "RunAsAny" supplemental_groups: rule: "RunAsAny" ``` -------------------------------- ### Run Sigstore E2E Tests with Skipped Stages Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Run the Sigstore end-to-end tests while skipping specific stages like setup or signing. This is useful for iterative development or when parts of the environment are already prepared. ```console ./scripts/test-sigstore-e2e.sh --skip-setup ``` ```console ./scripts/test-sigstore-e2e.sh --skip-sign ``` ```console ./scripts/test-sigstore-e2e.sh --skip-kubewarden ``` -------------------------------- ### Check Kubewarden Controller Pod Status Source: https://github.com/kubewarden/kubewarden-controller/wiki/Test-Plan Verifies that the Kubewarden controller pods are running after installation. ```bash kubectl get pods ``` -------------------------------- ### Example Policy Group Configuration Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/policy-server/README.md Defines a policy group named 'pod-image-signatures' that combines signature verification and tag rejection policies. The expression 'sigstore_pgp() || (sigstore_gh_action() && reject_latest_tag())' dictates the evaluation logic. ```yaml pod-image-signatures: # policy group policies: - name: sigstore_pgp module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8 settings: signatures: - image: "*" pubKeys: - "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----" - "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----" - name: sigstore_gh_action module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8 settings: signatures: - image: "*" githubActions: owner: "kubewarden" - name: reject_latest_tag module: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12 settings: tags: reject: - latest expression: "sigstore_pgp() || (sigstore_gh_action() && reject_latest_tag())" message: "The group policy is rejected." ``` -------------------------------- ### Migrate ClusterAdmissionPolicy from v1alpha1 to v1alpha2 Source: https://github.com/kubewarden/kubewarden-controller/blob/main/RELEASE_NOTES/RELEASE_NOTES_v0.2.0.md Example demonstrating the structural changes required when migrating a ClusterAdmissionPolicy from v1alpha1 to v1alpha2. Note the 'rules' attribute replacing top-level 'resources', 'operations', etc. ```yaml apiVersion: policies.kubewarden.io/v1alpha1 kind: ClusterAdmissionPolicy metadata: name: psp-capabilities spec: module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3 resources: - pods operations: - CREATE - UPDATE mutating: true settings: allowed_capabilities: - CHOWN required_drop_capabilities: - NET_ADMIN ``` ```yaml apiVersion: policies.kubewarden.io/v1alpha2 kind: ClusterAdmissionPolicy metadata: name: psp-capabilities spec: module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3 rules: - apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] operations: - CREATE - UPDATE mutating: true settings: allowed_capabilities: - CHOWN required_drop_capabilities: - NET_ADMIN ``` -------------------------------- ### Check ClusterAdmissionPolicy CRD Installation Source: https://github.com/kubewarden/kubewarden-controller/wiki/Test-Plan Confirms that the ClusterAdmissionPolicy custom resource definition has been successfully installed. ```bash kubectl get crds ``` -------------------------------- ### Build All Components Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Build all project components including controller, audit-scanner, policy-server, and kwctl. ```console make all ``` -------------------------------- ### Conventional Commit Subject Example Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Example of a commit message following the conventional commits standard, including type and an optional component. ```text feat(resolver): this adds a new solver strategy ``` -------------------------------- ### Build Container Images Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Build Docker images for each component. ```console make controller-image ``` ```console make audit-scanner-image ``` ```console make policy-server-image ``` -------------------------------- ### Build Container Image with Custom Registry/Repo/Tag Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Customize the registry, repository, and tag when building a controller Docker image. ```console make controller-image REGISTRY=ghcr.io REPO=your-username TAG=dev ``` -------------------------------- ### Conventional Commit Type Examples Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Examples of commit messages using different types defined by the conventional commits standard, such as 'feat', 'fix', and 'refactor'. ```text feat: this is a new feature ``` ```text fix: this is fixing a reported bug ``` ```text perf: this is improving performance ``` ```text refactor: this is doing some code refactoring ``` -------------------------------- ### Build Individual Go Components Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Build only the Go components: controller and audit-scanner. ```console make controller ``` ```console make audit-scanner ``` -------------------------------- ### Recreate and Push Image for Testing Source: https://github.com/kubewarden/kubewarden-controller/blob/main/crates/kwctl/tests/data/sigstore/README.md Obtain the image under test and push it to a new registry location for signing and verification purposes. ```console kwctl pull registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.9 kwctl push \ ~/.cache/kubewarden/store/registry/ghcr.io/kubewarden/policies/pod-privileged:v0.1.9 \ ghcr.io/kubewarden/tests/pod-privileged:v0.1.9 ``` -------------------------------- ### Access Policy Server Filesystem Source: https://github.com/kubewarden/kubewarden-controller/blob/main/crates/policy-server/DEVELOPMENT.md After creating a debug pod and finding the policy-server PID, create a user with the same UID as the policy-server process to access its filesystem. The filesystem is read-only. ```bash # cd /proc// # ls root ls: root: Permission denied ``` ```bash # adduser -G nogroup -u -D kw # su - kw $ cd /proc//root ``` ```bash $ export PS1="\h: $ " $ ls -l config dev etc pki policy-server proc sys tmp var ``` -------------------------------- ### Build Audit Scanner Binary Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/audit-scanner/README.md Execute this command to build the audit-scanner binary locally. ```shell make build ``` -------------------------------- ### List Local Policies with kwctl Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/kwctl/README.md Use this command to view all policies that have been downloaded to your local machine. ```bash kwctl policies ``` -------------------------------- ### Define a ClusterAdmissionPolicy Source: https://github.com/kubewarden/kubewarden-controller/wiki/Test-Plan Use this command to apply a new ClusterAdmissionPolicy to your Kubernetes cluster. Ensure Kubewarden is installed. ```bash kubectl apply -f - < - name: self-signed2.registry.com certificateFrom: configMapKeyRef: name: name-of-the-configmap key: ca_key_name env: - name: KUBEWARDEN_LOG_LEVEL value: debug - name: KUBEWARDEN_LOG_FMT value: jaeger annotations: sidecar.jaegertracing.io/inject: default EOF ``` -------------------------------- ### Format Go Code Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Use this command to format Go code according to project standards. ```console make fmt-go ``` -------------------------------- ### Define a ClusterAdmissionPolicy Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/controller/README.md Defines a Kubewarden Policy using the ClusterAdmissionPolicy resource. This example configures the psp-capabilities policy to evaluate Pod CREATE and UPDATE operations. ```yaml apiVersion: policies.kubewarden.io/v1alpha2 kind: ClusterAdmissionPolicy metadata: name: psp-capabilities spec: module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3 rules: - apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] operations: - CREATE - UPDATE mutating: true settings: allowed_capabilities: - CHOWN required_drop_capabilities: - NET_ADMIN ``` -------------------------------- ### Build Individual Rust Components Source: https://github.com/kubewarden/kubewarden-controller/blob/main/CONTRIBUTING.md Build only the Rust components: policy-server and kwctl. ```console make policy-server ``` ```console make kwctl ``` -------------------------------- ### Deploy a Pod for Policy Mutation Testing Source: https://github.com/kubewarden/kubewarden-controller/wiki/Test-Plan Deploy a Kubernetes Pod to test the effects of a mutating policy. This pod will be subject to the rules defined in the installed policy. ```yaml apiVersion: v1 kind: Pod metadata: name: pause-user-group spec: containers: - name: pause image: k8s.gcr.io/pause ``` -------------------------------- ### Generated ClusterAdmissionPolicy Manifest Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/kwctl/README.md Example of a generated `ClusterAdmissionPolicy` manifest. This YAML defines a policy to be enforced within a Kubernetes cluster, including its module, settings, and rules. ```yaml --- apiVersion: policies.kubewarden.io/v1 kind: ClusterAdmissionPolicy metadata: name: generated-policy spec: module: "registry://ghcr.io/kubewarden/policies/safe-labels:v0.1.5" settings: constrained_labels: owner: ".*" rules: - apiGroups: - "*" apiVersions: - "*" resources: - "*" operations: - CREATE - UPDATE mutating: false ``` -------------------------------- ### Get OCI Artifact Digest with Crane Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/kwctl/README.md Use the `crane digest` command to obtain the SHA256 digest of an OCI artifact, which is necessary for pulling policies by immutable reference. ```bash crane digest ghcr.io/kubewarden/policies/psp-capabilities:v0.1.6 ``` -------------------------------- ### Oh My Zsh User Completions Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/kwctl/README.md Specific steps for Oh My Zsh users to set up kwctl completions, including creating a completions directory and regenerating the zcompdump file. ```bash $ print -l $fpath | grep '.oh-my-zsh/completions' ``` ```bash $ mkdir ~/.oh-my-zsh/completions ``` ```bash $ kwctl completions -s zsh > ~/.oh-my-zsh/completions/_kwctl ``` ```bash rm ~/.zcompdump* ``` -------------------------------- ### Run Release PR Pipeline Locally Source: https://github.com/kubewarden/kubewarden-controller/blob/main/updatecli/DEVELOPING.md Execute the release PR pipeline from your local machine. Ensure GitHub token and owner are exported as environment variables. ```bash $ cd adm-controller/ $ export UPDATECLI_GITHUB_TOKEN= $ export UPDATECLI_GITHUB_OWNER=kubewarden $ updatecli compose apply --file updatecli/open-release-pr.yaml ``` -------------------------------- ### Test updatecli Manifests Locally Source: https://github.com/kubewarden/kubewarden-controller/blob/main/crates/kwctl/updatecli/DEVELOP.md Set your GitHub token and owner, then run updatecli diff to test manifest changes against your local configuration. ```console export UPDATECLI_GITHUB_TOKEN= UPDATECLI_GITHUB_OWNER= updatecli diff --config updatecli/updatecli.d/update-rust-toolchain.yaml --values updatecli/values.yaml ``` -------------------------------- ### Deploy an Unprivileged Pod (Expected to Succeed) Source: https://github.com/kubewarden/kubewarden-controller/wiki/Test-Plan Attempts to create a Pod without the 'privileged: true' security context. This should be allowed by the 'privileged-pods' ClusterAdmissionPolicy. ```yaml apiVersion: v1 kind: Pod metadata: name: unprivileged-pod spec: containers: - name: nginx image: nginx:latest ``` -------------------------------- ### Load Bash Shell Completions for Current Session Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/kwctl/README.md Load Kubewarden CLI (kwctl) shell completions for the bash shell into the current session using the `source` command with process substitution. ```console $ source <(kwctl completions -s bash) ``` -------------------------------- ### Fish Shell Completions Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/kwctl/README.md Load Fish shell completions for the current session or for every new session by saving the output to a file. ```bash $ kwctl completions -s fish | source ``` ```bash $ kwctl completions -s fish > ~/.config/fish/completions/kwctl.fish ``` -------------------------------- ### Verify Container Image Attestation Manifest Source: https://github.com/kubewarden/kubewarden-controller/blob/main/charts/kubewarden-controller/README.md This command verifies the attestation manifest and its layer signatures for a specific container image digest. Replace `` with the appropriate release tag. ```shell cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@" ghcr.io/kubewarden/adm-controller/controller@sha256:1abc0944378d9f3ee2963123fe84d045248d320d76325f4c2d4eb201304d4c4e ``` -------------------------------- ### List Namespace Reports Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/audit-scanner/README.md Use this command to list all cluster-wide policy reports. ```bash $ kubectl get cpolr -o wide ``` -------------------------------- ### Download Policy from OCI Registry by Tag Source: https://github.com/kubewarden/kubewarden-controller/blob/main/docs/kwctl/README.md Download a policy from an OCI registry using its tag. Ensure the policy name is formatted as a URL with the `registry://` protocol. ```bash kwctl pull registry://ghcr.io/kubewarden/policies/psp-capabilities:latest ``` -------------------------------- ### Download CPU Profile Source: https://github.com/kubewarden/kubewarden-controller/blob/main/crates/policy-server/PROFILING.md Fetch the CPU profile data from the policy-server using curl. This profile can then be analyzed with the pprof tool. ```sh curl --insecure https://localhost:8443/debug/pprof/cpu -o cpu_profile.prof ``` -------------------------------- ### Deploy a Privileged Pod (Expected to Fail) Source: https://github.com/kubewarden/kubewarden-controller/wiki/Test-Plan Attempts to create a Pod with the 'privileged: true' security context. This should be blocked by the 'privileged-pods' ClusterAdmissionPolicy. ```yaml apiVersion: v1 kind: Pod metadata: name: privileged-pod spec: containers: - name: nginx image: nginx:latest securityContext: privileged: true ```