Update CLI Reference Docs#491
Closed
github-actions[bot] wants to merge 8 commits into
Closed
Conversation
github-actions
Bot
changed the title
✅ Deploy Preview for docs-kubewarden-io ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Member
|
@jvanz: what was the trick to make the DCO check pass for bot's contributions? 🤔 |
flavio
approved these changes
Jan 20, 2025
Comment on lines
+2
to
+5
| sidebar_label: Kwctl CLI Reference | ||
| sidebar_position: 120 | ||
| title: Kwctl CLI | ||
| description: Kwctl CLI reference documentation |
Member
There was a problem hiding this comment.
nitpicking: can we do lowercase kwctl instead of Kwctl?
jhkrug
reviewed
Jan 20, 2025
Contributor
jhkrug
left a comment
jhkrug
left a comment
There was a problem hiding this comment.
looks ok. Is that right angled down pointing arrow useful/necessary?
Also, can asciidoc be generated (in due course). Sorry, should have asked that earlier.
github-actions
Bot
changed the title
github-actions
Bot
changed the title
added 2 commits
January 20, 2025 15:04
Made with ❤️️ by updatecli
Made with ❤️️ by updatecli
github-actions
Bot
force-pushed
the
updatecli_main_cli-ref-docs
branch
from
2e65106 to
cd403b9
Compare
github-actions
Bot
changed the title
github-actions
Bot
changed the title
added 2 commits
January 20, 2025 16:04
Made with ❤️️ by updatecli
Made with ❤️️ by updatecli
github-actions
Bot
changed the title
github-actions
Bot
changed the title
added 2 commits
January 20, 2025 17:04
Made with ❤️️ by updatecli
Made with ❤️️ by updatecli
github-actions
Bot
changed the title
github-actions
Bot
changed the title
added 2 commits
January 20, 2025 18:05
Made with ❤️️ by updatecli
Made with ❤️️ by updatecli
github-actions
Bot
changed the title
github-actions
Bot
changed the title
Member
This is from the library we are using to generate the docs. I'm not sure if we can change that.
I'm afraid that requires more changes. The library we use generates markdown only. I'll open an issue for this request. |
Member
|
I'm closing this because it will superseded by a future PR created after merging the #492 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Update all the CLI reference documentation
Copy files [cli-docs.md] from kubewarden/kwctl
Updates docs/reference/kwctl-cli.md file
1 file(s) updated with "# Command-Line Help for `kwctl`\n\nThis document contains the help content for the `kwctl` command-line program.\n\n**Command Overview:**\n\n* [`kwctl`↴](#kwctl)\n* [`kwctl annotate`↴](#kwctl-annotate)\n* [`kwctl bench`↴](#kwctl-bench)\n* [`kwctl completions`↴](#kwctl-completions)\n* [`kwctl digest`↴](#kwctl-digest)\n* [`kwctl docs`↴](#kwctl-docs)\n* [`kwctl info`↴](#kwctl-info)\n* [`kwctl inspect`↴](#kwctl-inspect)\n* [`kwctl load`↴](#kwctl-load)\n* [`kwctl policies`↴](#kwctl-policies)\n* [`kwctl pull`↴](#kwctl-pull)\n* [`kwctl push`↴](#kwctl-push)\n* [`kwctl rm`↴](#kwctl-rm)\n* [`kwctl run`↴](#kwctl-run)\n* [`kwctl save`↴](#kwctl-save)\n* [`kwctl scaffold`↴](#kwctl-scaffold)\n* [`kwctl scaffold admission-request`↴](#kwctl-scaffold-admission-request)\n* [`kwctl scaffold artifacthub`↴](#kwctl-scaffold-artifacthub)\n* [`kwctl scaffold manifest`↴](#kwctl-scaffold-manifest)\n* [`kwctl scaffold vap`↴](#kwctl-scaffold-vap)\n* [`kwctl scaffold verification-config`↴](#kwctl-scaffold-verification-config)\n* [`kwctl verify`↴](#kwctl-verify)\n\n## `kwctl`\n\nTool to manage Kubewarden policies\n\n**Usage:** `kwctl [OPTIONS] <COMMAND>`\n\n###### **Subcommands:**\n\n* `annotate` — Add Kubewarden metadata to a WebAssembly module\n* `bench` — Benchmarks a Kubewarden policy\n* `completions` — Generate shell completions\n* `digest` — Fetch digest from the OCI manifest of a policy\n* `docs` — Generates the markdown documentation for kwctl commands\n* `info` — Display system information\n* `inspect` — Inspect Kubewarden policy\n* `load` — load policies from a tar.gz file\n* `policies` — Lists all downloaded policies\n* `pull` — Pulls a Kubewarden policy from a given URI\n* `push` — Pushes a Kubewarden policy to an OCI registry\n* `rm` — Removes a Kubewarden policy from the store\n* `run` — Runs a Kubewarden policy from a given URI\n* `save` — save policies to a tar.gz file\n* `scaffold` — Scaffold a Kubernetes resource or configuration file\n* `verify` — Verify a Kubewarden policy from a given URI using Sigstore\n\n###### **Options:**\n\n* `-v`, `--verbose <VERBOSE>` — Increase verbosity\n* `--no-color <NO-COLOR>` — Disable colorful output\n\n\n\n## `kwctl annotate`\n\nAdd Kubewarden metadata to a WebAssembly module\n\n**Usage:** `kwctl annotate [OPTIONS] --metadata-path <PATH> --output-path <PATH> <wasm-path>`\n\n###### **Arguments:**\n\n* `<WASM-PATH>` — Path to WebAssembly module to be annotated\n\n###### **Options:**\n\n* `-m`, `--metadata-path <PATH>` — File containing the metadata\n* `-o`, `--output-path <PATH>` — Output file\n* `-u`, `--usage-path <PATH>` — File containing the usage information of the policy\n\n\n\n## `kwctl bench`\n\nBenchmarks a Kubewarden policy\n\n**Usage:** `kwctl bench [OPTIONS] --request-path <PATH> <uri_or_sha_prefix>`\n\n###### **Arguments:**\n\n* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.\n\n###### **Options:**\n\n* `--allow-context-aware <ALLOW-CONTEXT-AWARE>` — Grant access to the Kubernetes resources defined inside of the policy's `contextAwareResources` section. Warning: review the list of resources carefully to avoid abuses. Disabled by default\n* `--cert-email <VALUE>` — Expected email in Fulcio certificate\n* `--cert-oidc-issuer <VALUE>` — Expected OIDC issuer in Fulcio certificates\n* `--disable-wasmtime-cache <DISABLE-WASMTIME-CACHE>` — Turn off usage of wasmtime cache\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `--dump-results-to-disk <DUMP_RESULTS_TO_DISK>` — Puts results in target/tiny-bench/label/.. if target can be found. used for comparing previous runs\n* `-e`, `--execution-mode <MODE>` — The runtime to use to execute this policy\n\n Possible values: `opa`, `gatekeeper`, `kubewarden`, `wasi`\n\n* `--fulcio-cert-path <PATH>` — Path to the Fulcio certificate. Can be repeated multiple times\n* `--github-owner <VALUE>` — GitHub owner expected in the certificates generated in CD pipelines\n* `--github-repo <VALUE>` — GitHub repository expected in the certificates generated in CD pipelines\n* `--measurement-time <SECONDS>` — How long the bench ‘should’ run, num_samples is prioritized so benching will take longer to be able to collect num_samples if the code to be benched is slower than this time limit allowed\n* `--num-resamples <NUM>` — How many resamples should be done\n* `--num-samples <NUM>` — How many resamples should be done. Recommended at least 50, above 100 doesn’t seem to yield a significantly different result\n* `--raw <RAW>` — Validate a raw request\n\n Default value: `false`\n* `--record-host-capabilities-interactions <FILE>` — Record all the policy and host capabilities\n communications to the given file.\n Useful to be combined later with '--replay-host-capabilities-interactions' flag\n* `--rekor-public-key-path <PATH>` — Path to the Rekor public key\n* `--replay-host-capabilities-interactions <FILE>` — During policy and host capabilities exchanges\n the host replays back the answers found inside of the provided file.\n This is useful to test policies in a reproducible way, given no external\n interactions with OCI registries, DNS, Kubernetes are performed.\n* `-r`, `--request-path <PATH>` — File containing the Kubernetes admission request object in JSON format\n* `--settings-json <VALUE>` — JSON string containing the settings for this policy\n* `-s`, `--settings-path <PATH>` — File containing the settings for this policy\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n* `-a`, `--verification-annotation <KEY=VALUE>` — Annotation in key=value format. Can be repeated multiple times\n* `--verification-config-path <PATH>` — YAML file holding verification config information (signatures, public keys...)\n* `-k`, `--verification-key <PATH>` — Path to key used to verify the policy. Can be repeated multiple times\n* `--warm-up-time <SECONDS>` — How long the bench should warm up\n\n\n\n## `kwctl completions`\n\nGenerate shell completions\n\n**Usage:** `kwctl completions --shell <VALUE>`\n\n###### **Options:**\n\n* `-s`, `--shell <VALUE>` — Shell type\n\n Possible values: `bash`, `elvish`, `fish`, `powershell`, `zsh`\n\n\n\n\n## `kwctl digest`\n\nFetch digest from the OCI manifest of a policy\n\n**Usage:** `kwctl digest [OPTIONS] <uri>`\n\n###### **Arguments:**\n\n* `<URI>` — Policy URI\n\n###### **Options:**\n\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n\n\n\n## `kwctl docs`\n\nGenerates the markdown documentation for kwctl commands\n\n**Usage:** `kwctl docs --output <FILE>`\n\n###### **Options:**\n\n* `-o`, `--output <FILE>` — path where the documentation file will be stored\n\n\n\n## `kwctl info`\n\nDisplay system information\n\n**Usage:** `kwctl info`\n\n\n\n## `kwctl inspect`\n\nInspect Kubewarden policy\n\n**Usage:** `kwctl inspect [OPTIONS] <uri_or_sha_prefix>`\n\n###### **Arguments:**\n\n* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.\n\n###### **Options:**\n\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `-o`, `--output <FORMAT>` — Output format\n\n Possible values: `yaml`\n\n* `--show-signatures <SHOW-SIGNATURES>` — Show sigstore signatures\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n\n\n\n## `kwctl load`\n\nload policies from a tar.gz file\n\n**Usage:** `kwctl load --input <input>`\n\n###### **Options:**\n\n* `--input <INPUT>` — load policies from tarball\n\n\n\n## `kwctl policies`\n\nLists all downloaded policies\n\n**Usage:** `kwctl policies`\n\n\n\n## `kwctl pull`\n\nPulls a Kubewarden policy from a given URI\n\n**Usage:** `kwctl pull [OPTIONS] <uri>`\n\n###### **Arguments:**\n\n* `<URI>` — Policy URI. Supported schemes: registry://, https://, file://\n\n###### **Options:**\n\n* `--cert-email <VALUE>` — Expected email in Fulcio certificate\n* `--cert-oidc-issuer <VALUE>` — Expected OIDC issuer in Fulcio certificates\n* `--docker-config-json-path <DOCKER_CONFIG>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `--fulcio-cert-path <PATH>` — Path to the Fulcio certificate. Can be repeated multiple times\n* `--github-owner <VALUE>` — GitHub owner expected in the certificates generated in CD pipelines\n* `--github-repo <VALUE>` — GitHub repository expected in the certificates generated in CD pipelines\n* `-o`, `--output-path <PATH>` — Output file. If not provided will be downloaded to the Kubewarden store\n* `--rekor-public-key-path <PATH>` — Path to the Rekor public key. Can be repeated multiple times\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n* `-a`, `--verification-annotation <KEY=VALUE>` — Annotation in key=value format. Can be repeated multiple times\n* `--verification-config-path <PATH>` — YAML file holding verification config information (signatures, public keys...)\n* `-k`, `--verification-key <PATH>` — Path to key used to verify the policy. Can be repeated multiple times\n\n\n\n## `kwctl push`\n\nPushes a Kubewarden policy to an OCI registry\n\n**Usage:** `kwctl push [OPTIONS] <policy> <uri>`\n\n###### **Arguments:**\n\n* `<POLICY>` — Policy to push. Can be the path to a local file, a policy URI or the SHA prefix of a policy in the store.\n* `<URI>` — Policy URI. Supported schemes: registry://\n\n###### **Options:**\n\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `-f`, `--force <FORCE>` — Push also a policy that is not annotated\n* `-o`, `--output <PATH>` — Output format\n\n Default value: `text`\n\n Possible values: `text`, `json`\n\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n\n\n\n## `kwctl rm`\n\nRemoves a Kubewarden policy from the store\n\n**Usage:** `kwctl rm <uri_or_sha_prefix>`\n\n###### **Arguments:**\n\n* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix\n\n\n\n## `kwctl run`\n\nRuns a Kubewarden policy from a given URI\n\n**Usage:** `kwctl run [OPTIONS] --request-path <PATH> <uri_or_sha_prefix>`\n\n###### **Arguments:**\n\n* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.\n\n###### **Options:**\n\n* `--allow-context-aware <ALLOW-CONTEXT-AWARE>` — Grant access to the Kubernetes resources defined inside of the policy's `contextAwareResources` section. Warning: review the list of resources carefully to avoid abuses. Disabled by default\n* `--cert-email <VALUE>` — Expected email in Fulcio certificate\n* `--cert-oidc-issuer <VALUE>` — Expected OIDC issuer in Fulcio certificates\n* `--disable-wasmtime-cache <DISABLE-WASMTIME-CACHE>` — Turn off usage of wasmtime cache\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `-e`, `--execution-mode <MODE>` — The runtime to use to execute this policy\n\n Possible values: `opa`, `gatekeeper`, `kubewarden`, `wasi`\n\n* `--fulcio-cert-path <PATH>` — Path to the Fulcio certificate. Can be repeated multiple times\n* `--github-owner <VALUE>` — GitHub owner expected in the certificates generated in CD pipelines\n* `--github-repo <VALUE>` — GitHub repository expected in the certificates generated in CD pipelines\n* `--raw <RAW>` — Validate a raw request\n\n Default value: `false`\n* `--record-host-capabilities-interactions <FILE>` — Record all the policy and host capabilities\n communications to the given file.\n Useful to be combined later with '--replay-host-capabilities-interactions' flag\n* `--rekor-public-key-path <PATH>` — Path to the Rekor public key\n* `--replay-host-capabilities-interactions <FILE>` — During policy and host capabilities exchanges\n the host replays back the answers found inside of the provided file.\n This is useful to test policies in a reproducible way, given no external\n interactions with OCI registries, DNS, Kubernetes are performed.\n* `-r`, `--request-path <PATH>` — File containing the Kubernetes admission request object in JSON format\n* `--settings-json <VALUE>` — JSON string containing the settings for this policy\n* `-s`, `--settings-path <PATH>` — File containing the settings for this policy\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n* `-a`, `--verification-annotation <KEY=VALUE>` — Annotation in key=value format. Can be repeated multiple times\n* `--verification-config-path <PATH>` — YAML file holding verification config information (signatures, public keys...)\n* `-k`, `--verification-key <PATH>` — Path to key used to verify the policy. Can be repeated multiple times\n\n\n\n## `kwctl save`\n\nsave policies to a tar.gz file\n\n**Usage:** `kwctl save --output <FILE> <policies>...`\n\n###### **Arguments:**\n\n* `<POLICIES>` — list of policies to save\n\n###### **Options:**\n\n* `-o`, `--output <FILE>` — path where the file will be stored\n\n\n\n## `kwctl scaffold`\n\nScaffold a Kubernetes resource or configuration file\n\n**Usage:** `kwctl scaffold <COMMAND>`\n\n###### **Subcommands:**\n\n* `admission-request` — Scaffold an AdmissionRequest object\n* `artifacthub` — Output an artifacthub-pkg.yml file from a metadata.yml file\n* `manifest` — Output a Kubernetes resource manifest\n* `vap` — Convert a Kubernetes `ValidatingAdmissionPolicy` into a Kubewarden `ClusterAdmissionPolicy`\n* `verification-config` — Output a default Sigstore verification configuration file\n\n\n\n## `kwctl scaffold admission-request`\n\nScaffold an AdmissionRequest object\n\n**Usage:** `kwctl scaffold admission-request [OPTIONS] --operation <TYPE>`\n\n###### **Options:**\n\n* `--object <PATH>` — The file containing the new object being admitted\n* `--old-object <PATH>` — The file containing the existing object\n* `-o`, `--operation <TYPE>` — Kubewarden Custom Resource type\n\n Possible values: `CREATE`\n\n\n\n\n## `kwctl scaffold artifacthub`\n\nOutput an artifacthub-pkg.yml file from a metadata.yml file\n\n**Usage:** `kwctl scaffold artifacthub [OPTIONS] --metadata-path <PATH> --version <VALUE>`\n\n###### **Options:**\n\n* `-m`, `--metadata-path <PATH>` — File containing the metadata of the policy\n* `-o`, `--output <FILE>` — Path where the artifact-pkg.yml file will be stored\n* `-q`, `--questions-path <PATH>` — File containing the questions-ui content of the policy\n* `-v`, `--version <VALUE>` — Semver version of the policy\n\n\n\n## `kwctl scaffold manifest`\n\nOutput a Kubernetes resource manifest\n\n**Usage:** `kwctl scaffold manifest [OPTIONS] --type <VALUE> <uri_or_sha_prefix>`\n\n###### **Arguments:**\n\n* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.\n\n###### **Options:**\n\n* `--allow-context-aware <ALLOW-CONTEXT-AWARE>` — Uses the policy metadata to define which Kubernetes resources can be accessed by the policy. Warning: review the list of resources carefully to avoid abuses. Disabled by default\n* `--cert-email <VALUE>` — Expected email in Fulcio certificate\n* `--cert-oidc-issuer <VALUE>` — Expected OIDC issuer in Fulcio certificates\n* `--docker-config-json-path <DOCKER_CONFIG>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `--fulcio-cert-path <PATH>` — Path to the Fulcio certificate. Can be repeated multiple times\n* `--github-owner <VALUE>` — GitHub owner expected in the certificates generated in CD pipelines\n* `--github-repo <VALUE>` — GitHub repository expected in the certificates generated in CD pipelines\n* `--rekor-public-key-path <PATH>` — Path to the Rekor public key. Can be repeated multiple times\n* `--settings-json <VALUE>` — JSON string containing the settings for this policy\n* `-s`, `--settings-path <PATH>` — File containing the settings for this policy\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n* `--title <VALUE>` — Policy title\n* `-t`, `--type <VALUE>` — Kubewarden Custom Resource type\n\n Possible values: `ClusterAdmissionPolicy`, `AdmissionPolicy`\n\n* `-a`, `--verification-annotation <KEY=VALUE>` — Annotation in key=value format. Can be repeated multiple times\n* `--verification-config-path <PATH>` — YAML file holding verification config information (signatures, public keys...)\n* `-k`, `--verification-key <PATH>` — Path to key used to verify the policy. Can be repeated multiple times\n\n\n\n## `kwctl scaffold vap`\n\nConvert a Kubernetes `ValidatingAdmissionPolicy` into a Kubewarden `ClusterAdmissionPolicy`\n\n**Usage:** `kwctl scaffold vap [OPTIONS] --binding <VALIDATING-ADMISSION-POLICY-BINDING.yaml> --policy <VALIDATING-ADMISSION-POLICY.yaml>`\n\n###### **Options:**\n\n* `-b`, `--binding <VALIDATING-ADMISSION-POLICY-BINDING.yaml>` — The file containining the ValidatingAdmissionPolicyBinding definition\n* `--cel-policy <URI>` — The CEL policy module to use\n\n Default value: `ghcr.io/kubewarden/policies/cel-policy:latest`\n* `-p`, `--policy <VALIDATING-ADMISSION-POLICY.yaml>` — The file containining the ValidatingAdmissionPolicy definition\n\n\n\n## `kwctl scaffold verification-config`\n\nOutput a default Sigstore verification configuration file\n\n**Usage:** `kwctl scaffold verification-config`\n\n\n\n## `kwctl verify`\n\nVerify a Kubewarden policy from a given URI using Sigstore\n\n**Usage:** `kwctl verify [OPTIONS] <uri>`\n\n###### **Arguments:**\n\n* `<URI>` — Policy URI. Supported schemes: registry://\n\n###### **Options:**\n\n* `--cert-email <VALUE>` — Expected email in Fulcio certificate\n* `--cert-oidc-issuer <VALUE>` — Expected OIDC issuer in Fulcio certificates\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `--fulcio-cert-path <PATH>` — Path to the Fulcio certificate. Can be repeated multiple times\n* `--github-owner <VALUE>` — GitHub owner expected in the certificates generated in CD pipelines\n* `--github-repo <VALUE>` — GitHub repository expected in the certificates generated in CD pipelines\n* `--rekor-public-key-path <PATH>` — Path to the Rekor public key\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n* `-a`, `--verification-annotation <KEY=VALUE>` — Annotation in key=value format. Can be repeated multiple times\n* `--verification-config-path <PATH>` — YAML file holding verification config information (signatures, public keys...)\n* `-k`, `--verification-key <PATH>` — Path to key used to verify the policy. Can be repeated multiple times\n\n\n\n<hr/>\n\n<small><i>\n This document was generated automatically by\n <a href=\"https://crates.io/crates/clap-markdown\"><code>clap-markdown</code></a>.\n</i></small>\n": * docs/reference/kwctl-cli.md
Add header to the CLI reference documentation
Add header to the docs/reference/kwctl-cli.md file
1 file(s) updated with "---\nsidebar_label: Kwctl CLI Reference\nsidebar_position: 120\ntitle: Kwctl CLI\ndescription: Kwctl CLI reference documentation\nkeywords: [cli, reference, kwctl]\ndoc-persona: [kubewarden-operator]\ndoc-type: [reference]\ndoc-topic: [operator-manual]\n---\n# Command-Line Help for `kwctl`\n\nThis document contains the help content for the `kwctl` command-line program.\n\n**Command Overview:**\n\n* [`kwctl`↴](#kwctl)\n* [`kwctl annotate`↴](#kwctl-annotate)\n* [`kwctl bench`↴](#kwctl-bench)\n* [`kwctl completions`↴](#kwctl-completions)\n* [`kwctl digest`↴](#kwctl-digest)\n* [`kwctl docs`↴](#kwctl-docs)\n* [`kwctl info`↴](#kwctl-info)\n* [`kwctl inspect`↴](#kwctl-inspect)\n* [`kwctl load`↴](#kwctl-load)\n* [`kwctl policies`↴](#kwctl-policies)\n* [`kwctl pull`↴](#kwctl-pull)\n* [`kwctl push`↴](#kwctl-push)\n* [`kwctl rm`↴](#kwctl-rm)\n* [`kwctl run`↴](#kwctl-run)\n* [`kwctl save`↴](#kwctl-save)\n* [`kwctl scaffold`↴](#kwctl-scaffold)\n* [`kwctl scaffold admission-request`↴](#kwctl-scaffold-admission-request)\n* [`kwctl scaffold artifacthub`↴](#kwctl-scaffold-artifacthub)\n* [`kwctl scaffold manifest`↴](#kwctl-scaffold-manifest)\n* [`kwctl scaffold vap`↴](#kwctl-scaffold-vap)\n* [`kwctl scaffold verification-config`↴](#kwctl-scaffold-verification-config)\n* [`kwctl verify`↴](#kwctl-verify)\n\n## `kwctl`\n\nTool to manage Kubewarden policies\n\n**Usage:** `kwctl [OPTIONS] <COMMAND>`\n\n###### **Subcommands:**\n\n* `annotate` — Add Kubewarden metadata to a WebAssembly module\n* `bench` — Benchmarks a Kubewarden policy\n* `completions` — Generate shell completions\n* `digest` — Fetch digest from the OCI manifest of a policy\n* `docs` — Generates the markdown documentation for kwctl commands\n* `info` — Display system information\n* `inspect` — Inspect Kubewarden policy\n* `load` — load policies from a tar.gz file\n* `policies` — Lists all downloaded policies\n* `pull` — Pulls a Kubewarden policy from a given URI\n* `push` — Pushes a Kubewarden policy to an OCI registry\n* `rm` — Removes a Kubewarden policy from the store\n* `run` — Runs a Kubewarden policy from a given URI\n* `save` — save policies to a tar.gz file\n* `scaffold` — Scaffold a Kubernetes resource or configuration file\n* `verify` — Verify a Kubewarden policy from a given URI using Sigstore\n\n###### **Options:**\n\n* `-v`, `--verbose <VERBOSE>` — Increase verbosity\n* `--no-color <NO-COLOR>` — Disable colorful output\n\n\n\n## `kwctl annotate`\n\nAdd Kubewarden metadata to a WebAssembly module\n\n**Usage:** `kwctl annotate [OPTIONS] --metadata-path <PATH> --output-path <PATH> <wasm-path>`\n\n###### **Arguments:**\n\n* `<WASM-PATH>` — Path to WebAssembly module to be annotated\n\n###### **Options:**\n\n* `-m`, `--metadata-path <PATH>` — File containing the metadata\n* `-o`, `--output-path <PATH>` — Output file\n* `-u`, `--usage-path <PATH>` — File containing the usage information of the policy\n\n\n\n## `kwctl bench`\n\nBenchmarks a Kubewarden policy\n\n**Usage:** `kwctl bench [OPTIONS] --request-path <PATH> <uri_or_sha_prefix>`\n\n###### **Arguments:**\n\n* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.\n\n###### **Options:**\n\n* `--allow-context-aware <ALLOW-CONTEXT-AWARE>` — Grant access to the Kubernetes resources defined inside of the policy's `contextAwareResources` section. Warning: review the list of resources carefully to avoid abuses. Disabled by default\n* `--cert-email <VALUE>` — Expected email in Fulcio certificate\n* `--cert-oidc-issuer <VALUE>` — Expected OIDC issuer in Fulcio certificates\n* `--disable-wasmtime-cache <DISABLE-WASMTIME-CACHE>` — Turn off usage of wasmtime cache\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `--dump-results-to-disk <DUMP_RESULTS_TO_DISK>` — Puts results in target/tiny-bench/label/.. if target can be found. used for comparing previous runs\n* `-e`, `--execution-mode <MODE>` — The runtime to use to execute this policy\n\n Possible values: `opa`, `gatekeeper`, `kubewarden`, `wasi`\n\n* `--fulcio-cert-path <PATH>` — Path to the Fulcio certificate. Can be repeated multiple times\n* `--github-owner <VALUE>` — GitHub owner expected in the certificates generated in CD pipelines\n* `--github-repo <VALUE>` — GitHub repository expected in the certificates generated in CD pipelines\n* `--measurement-time <SECONDS>` — How long the bench ‘should’ run, num_samples is prioritized so benching will take longer to be able to collect num_samples if the code to be benched is slower than this time limit allowed\n* `--num-resamples <NUM>` — How many resamples should be done\n* `--num-samples <NUM>` — How many resamples should be done. Recommended at least 50, above 100 doesn’t seem to yield a significantly different result\n* `--raw <RAW>` — Validate a raw request\n\n Default value: `false`\n* `--record-host-capabilities-interactions <FILE>` — Record all the policy and host capabilities\n communications to the given file.\n Useful to be combined later with '--replay-host-capabilities-interactions' flag\n* `--rekor-public-key-path <PATH>` — Path to the Rekor public key\n* `--replay-host-capabilities-interactions <FILE>` — During policy and host capabilities exchanges\n the host replays back the answers found inside of the provided file.\n This is useful to test policies in a reproducible way, given no external\n interactions with OCI registries, DNS, Kubernetes are performed.\n* `-r`, `--request-path <PATH>` — File containing the Kubernetes admission request object in JSON format\n* `--settings-json <VALUE>` — JSON string containing the settings for this policy\n* `-s`, `--settings-path <PATH>` — File containing the settings for this policy\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n* `-a`, `--verification-annotation <KEY=VALUE>` — Annotation in key=value format. Can be repeated multiple times\n* `--verification-config-path <PATH>` — YAML file holding verification config information (signatures, public keys...)\n* `-k`, `--verification-key <PATH>` — Path to key used to verify the policy. Can be repeated multiple times\n* `--warm-up-time <SECONDS>` — How long the bench should warm up\n\n\n\n## `kwctl completions`\n\nGenerate shell completions\n\n**Usage:** `kwctl completions --shell <VALUE>`\n\n###### **Options:**\n\n* `-s`, `--shell <VALUE>` — Shell type\n\n Possible values: `bash`, `elvish`, `fish`, `powershell`, `zsh`\n\n\n\n\n## `kwctl digest`\n\nFetch digest from the OCI manifest of a policy\n\n**Usage:** `kwctl digest [OPTIONS] <uri>`\n\n###### **Arguments:**\n\n* `<URI>` — Policy URI\n\n###### **Options:**\n\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n\n\n\n## `kwctl docs`\n\nGenerates the markdown documentation for kwctl commands\n\n**Usage:** `kwctl docs --output <FILE>`\n\n###### **Options:**\n\n* `-o`, `--output <FILE>` — path where the documentation file will be stored\n\n\n\n## `kwctl info`\n\nDisplay system information\n\n**Usage:** `kwctl info`\n\n\n\n## `kwctl inspect`\n\nInspect Kubewarden policy\n\n**Usage:** `kwctl inspect [OPTIONS] <uri_or_sha_prefix>`\n\n###### **Arguments:**\n\n* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.\n\n###### **Options:**\n\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `-o`, `--output <FORMAT>` — Output format\n\n Possible values: `yaml`\n\n* `--show-signatures <SHOW-SIGNATURES>` — Show sigstore signatures\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n\n\n\n## `kwctl load`\n\nload policies from a tar.gz file\n\n**Usage:** `kwctl load --input <input>`\n\n###### **Options:**\n\n* `--input <INPUT>` — load policies from tarball\n\n\n\n## `kwctl policies`\n\nLists all downloaded policies\n\n**Usage:** `kwctl policies`\n\n\n\n## `kwctl pull`\n\nPulls a Kubewarden policy from a given URI\n\n**Usage:** `kwctl pull [OPTIONS] <uri>`\n\n###### **Arguments:**\n\n* `<URI>` — Policy URI. Supported schemes: registry://, https://, file://\n\n###### **Options:**\n\n* `--cert-email <VALUE>` — Expected email in Fulcio certificate\n* `--cert-oidc-issuer <VALUE>` — Expected OIDC issuer in Fulcio certificates\n* `--docker-config-json-path <DOCKER_CONFIG>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `--fulcio-cert-path <PATH>` — Path to the Fulcio certificate. Can be repeated multiple times\n* `--github-owner <VALUE>` — GitHub owner expected in the certificates generated in CD pipelines\n* `--github-repo <VALUE>` — GitHub repository expected in the certificates generated in CD pipelines\n* `-o`, `--output-path <PATH>` — Output file. If not provided will be downloaded to the Kubewarden store\n* `--rekor-public-key-path <PATH>` — Path to the Rekor public key. Can be repeated multiple times\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n* `-a`, `--verification-annotation <KEY=VALUE>` — Annotation in key=value format. Can be repeated multiple times\n* `--verification-config-path <PATH>` — YAML file holding verification config information (signatures, public keys...)\n* `-k`, `--verification-key <PATH>` — Path to key used to verify the policy. Can be repeated multiple times\n\n\n\n## `kwctl push`\n\nPushes a Kubewarden policy to an OCI registry\n\n**Usage:** `kwctl push [OPTIONS] <policy> <uri>`\n\n###### **Arguments:**\n\n* `<POLICY>` — Policy to push. Can be the path to a local file, a policy URI or the SHA prefix of a policy in the store.\n* `<URI>` — Policy URI. Supported schemes: registry://\n\n###### **Options:**\n\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `-f`, `--force <FORCE>` — Push also a policy that is not annotated\n* `-o`, `--output <PATH>` — Output format\n\n Default value: `text`\n\n Possible values: `text`, `json`\n\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n\n\n\n## `kwctl rm`\n\nRemoves a Kubewarden policy from the store\n\n**Usage:** `kwctl rm <uri_or_sha_prefix>`\n\n###### **Arguments:**\n\n* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix\n\n\n\n## `kwctl run`\n\nRuns a Kubewarden policy from a given URI\n\n**Usage:** `kwctl run [OPTIONS] --request-path <PATH> <uri_or_sha_prefix>`\n\n###### **Arguments:**\n\n* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.\n\n###### **Options:**\n\n* `--allow-context-aware <ALLOW-CONTEXT-AWARE>` — Grant access to the Kubernetes resources defined inside of the policy's `contextAwareResources` section. Warning: review the list of resources carefully to avoid abuses. Disabled by default\n* `--cert-email <VALUE>` — Expected email in Fulcio certificate\n* `--cert-oidc-issuer <VALUE>` — Expected OIDC issuer in Fulcio certificates\n* `--disable-wasmtime-cache <DISABLE-WASMTIME-CACHE>` — Turn off usage of wasmtime cache\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `-e`, `--execution-mode <MODE>` — The runtime to use to execute this policy\n\n Possible values: `opa`, `gatekeeper`, `kubewarden`, `wasi`\n\n* `--fulcio-cert-path <PATH>` — Path to the Fulcio certificate. Can be repeated multiple times\n* `--github-owner <VALUE>` — GitHub owner expected in the certificates generated in CD pipelines\n* `--github-repo <VALUE>` — GitHub repository expected in the certificates generated in CD pipelines\n* `--raw <RAW>` — Validate a raw request\n\n Default value: `false`\n* `--record-host-capabilities-interactions <FILE>` — Record all the policy and host capabilities\n communications to the given file.\n Useful to be combined later with '--replay-host-capabilities-interactions' flag\n* `--rekor-public-key-path <PATH>` — Path to the Rekor public key\n* `--replay-host-capabilities-interactions <FILE>` — During policy and host capabilities exchanges\n the host replays back the answers found inside of the provided file.\n This is useful to test policies in a reproducible way, given no external\n interactions with OCI registries, DNS, Kubernetes are performed.\n* `-r`, `--request-path <PATH>` — File containing the Kubernetes admission request object in JSON format\n* `--settings-json <VALUE>` — JSON string containing the settings for this policy\n* `-s`, `--settings-path <PATH>` — File containing the settings for this policy\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n* `-a`, `--verification-annotation <KEY=VALUE>` — Annotation in key=value format. Can be repeated multiple times\n* `--verification-config-path <PATH>` — YAML file holding verification config information (signatures, public keys...)\n* `-k`, `--verification-key <PATH>` — Path to key used to verify the policy. Can be repeated multiple times\n\n\n\n## `kwctl save`\n\nsave policies to a tar.gz file\n\n**Usage:** `kwctl save --output <FILE> <policies>...`\n\n###### **Arguments:**\n\n* `<POLICIES>` — list of policies to save\n\n###### **Options:**\n\n* `-o`, `--output <FILE>` — path where the file will be stored\n\n\n\n## `kwctl scaffold`\n\nScaffold a Kubernetes resource or configuration file\n\n**Usage:** `kwctl scaffold <COMMAND>`\n\n###### **Subcommands:**\n\n* `admission-request` — Scaffold an AdmissionRequest object\n* `artifacthub` — Output an artifacthub-pkg.yml file from a metadata.yml file\n* `manifest` — Output a Kubernetes resource manifest\n* `vap` — Convert a Kubernetes `ValidatingAdmissionPolicy` into a Kubewarden `ClusterAdmissionPolicy`\n* `verification-config` — Output a default Sigstore verification configuration file\n\n\n\n## `kwctl scaffold admission-request`\n\nScaffold an AdmissionRequest object\n\n**Usage:** `kwctl scaffold admission-request [OPTIONS] --operation <TYPE>`\n\n###### **Options:**\n\n* `--object <PATH>` — The file containing the new object being admitted\n* `--old-object <PATH>` — The file containing the existing object\n* `-o`, `--operation <TYPE>` — Kubewarden Custom Resource type\n\n Possible values: `CREATE`\n\n\n\n\n## `kwctl scaffold artifacthub`\n\nOutput an artifacthub-pkg.yml file from a metadata.yml file\n\n**Usage:** `kwctl scaffold artifacthub [OPTIONS] --metadata-path <PATH> --version <VALUE>`\n\n###### **Options:**\n\n* `-m`, `--metadata-path <PATH>` — File containing the metadata of the policy\n* `-o`, `--output <FILE>` — Path where the artifact-pkg.yml file will be stored\n* `-q`, `--questions-path <PATH>` — File containing the questions-ui content of the policy\n* `-v`, `--version <VALUE>` — Semver version of the policy\n\n\n\n## `kwctl scaffold manifest`\n\nOutput a Kubernetes resource manifest\n\n**Usage:** `kwctl scaffold manifest [OPTIONS] --type <VALUE> <uri_or_sha_prefix>`\n\n###### **Arguments:**\n\n* `<URI_OR_SHA_PREFIX>` — Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory.\n\n###### **Options:**\n\n* `--allow-context-aware <ALLOW-CONTEXT-AWARE>` — Uses the policy metadata to define which Kubernetes resources can be accessed by the policy. Warning: review the list of resources carefully to avoid abuses. Disabled by default\n* `--cert-email <VALUE>` — Expected email in Fulcio certificate\n* `--cert-oidc-issuer <VALUE>` — Expected OIDC issuer in Fulcio certificates\n* `--docker-config-json-path <DOCKER_CONFIG>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `--fulcio-cert-path <PATH>` — Path to the Fulcio certificate. Can be repeated multiple times\n* `--github-owner <VALUE>` — GitHub owner expected in the certificates generated in CD pipelines\n* `--github-repo <VALUE>` — GitHub repository expected in the certificates generated in CD pipelines\n* `--rekor-public-key-path <PATH>` — Path to the Rekor public key. Can be repeated multiple times\n* `--settings-json <VALUE>` — JSON string containing the settings for this policy\n* `-s`, `--settings-path <PATH>` — File containing the settings for this policy\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n* `--title <VALUE>` — Policy title\n* `-t`, `--type <VALUE>` — Kubewarden Custom Resource type\n\n Possible values: `ClusterAdmissionPolicy`, `AdmissionPolicy`\n\n* `-a`, `--verification-annotation <KEY=VALUE>` — Annotation in key=value format. Can be repeated multiple times\n* `--verification-config-path <PATH>` — YAML file holding verification config information (signatures, public keys...)\n* `-k`, `--verification-key <PATH>` — Path to key used to verify the policy. Can be repeated multiple times\n\n\n\n## `kwctl scaffold vap`\n\nConvert a Kubernetes `ValidatingAdmissionPolicy` into a Kubewarden `ClusterAdmissionPolicy`\n\n**Usage:** `kwctl scaffold vap [OPTIONS] --binding <VALIDATING-ADMISSION-POLICY-BINDING.yaml> --policy <VALIDATING-ADMISSION-POLICY.yaml>`\n\n###### **Options:**\n\n* `-b`, `--binding <VALIDATING-ADMISSION-POLICY-BINDING.yaml>` — The file containining the ValidatingAdmissionPolicyBinding definition\n* `--cel-policy <URI>` — The CEL policy module to use\n\n Default value: `ghcr.io/kubewarden/policies/cel-policy:latest`\n* `-p`, `--policy <VALIDATING-ADMISSION-POLICY.yaml>` — The file containining the ValidatingAdmissionPolicy definition\n\n\n\n## `kwctl scaffold verification-config`\n\nOutput a default Sigstore verification configuration file\n\n**Usage:** `kwctl scaffold verification-config`\n\n\n\n## `kwctl verify`\n\nVerify a Kubewarden policy from a given URI using Sigstore\n\n**Usage:** `kwctl verify [OPTIONS] <uri>`\n\n###### **Arguments:**\n\n* `<URI>` — Policy URI. Supported schemes: registry://\n\n###### **Options:**\n\n* `--cert-email <VALUE>` — Expected email in Fulcio certificate\n* `--cert-oidc-issuer <VALUE>` — Expected OIDC issuer in Fulcio certificates\n* `--docker-config-json-path <PATH>` — Path to a directory containing the Docker 'config.json' file. Can be used to indicate registry authentication details\n* `--fulcio-cert-path <PATH>` — Path to the Fulcio certificate. Can be repeated multiple times\n* `--github-owner <VALUE>` — GitHub owner expected in the certificates generated in CD pipelines\n* `--github-repo <VALUE>` — GitHub repository expected in the certificates generated in CD pipelines\n* `--rekor-public-key-path <PATH>` — Path to the Rekor public key\n* `--sources-path <PATH>` — YAML file holding source information (https, registry insecure hosts, custom CA's...)\n* `-a`, `--verification-annotation <KEY=VALUE>` — Annotation in key=value format. Can be repeated multiple times\n* `--verification-config-path <PATH>` — YAML file holding verification config information (signatures, public keys...)\n* `-k`, `--verification-key <PATH>` — Path to key used to verify the policy. Can be repeated multiple times\n\n\n\n<hr/>\n\n<small><i>\n This document was generated automatically by\n <a href=\"https://crates.io/crates/clap-markdown\"><code>clap-markdown</code></a>.\n</i></small>\n": * docs/reference/kwctl-cli.md
Created automatically by Updatecli
Options:
Most of Updatecli configuration is done via its manifest(s).
Feel free to report any issues at github.com/updatecli/updatecli.
If you find this tool useful, do not hesitate to star our GitHub repository as a sign of appreciation, and/or to tell us directly on our chat!