argocd-example-apps VS intents-operator

I have not yet had the opportunity to test flux extensively. Regarding Argo examples, the Argo team themself maintain such a repo: https://github.com/argoproj/argocd-example-apps

Second, when dealing with OCI helm charts, look up the umbrella chart model https://github.com/argoproj/argocd-example-apps/blob/master/helm-dependency/README.md. This basically lets you create a helm chat that doesn’t do anything but call your next helm chart as a dependency. I use this with OCI stores helm charts all over the place. Also, in the next ArgoCD release, you should be able to get multiple sources for a sync, but we’ll see when that comes out

argocd app create helm-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path helm-guestbook --dest-server https://kubernetes.default.svc --dest-namespace default

Let’s Fork a sample repo, for example, like this one found here: https://github.com/argoproj/argocd-example-apps

apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: guestbook namespace: argocd spec: project: default source: repoURL: https://github.com/argoproj/argocd-example-apps.git targetRevision: HEAD path: guestbook destination: server: https://kubernetes.default.svc namespace: guestbook

For example if I point to https://github.com/argoproj/argocd-example-apps, from the UI, I can see a new repository but no applications

extraObjects: - apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: my-app namespace: argocd spec: project: default source: repoURL: 'https://github.com/argoproj/argocd-example-apps' path: guestbook targetRevision: HEAD destination: server: 'https://kubernetes.default.svc' namespace: test syncPolicy: automated: {} syncOptions: - CreateNamespace=true EOF

❯ cd ~/git ❯ gh repo fork https://github.com/argoproj/argocd-example-apps.git --clone ✓ Created fork e-minguez/argocd-example-apps Cloning into 'argocd-example-apps'... ... From github.com:argoproj/argocd-example-apps * [new branch] master -> upstream/master ✓ Cloned fork

No more! The open-source intents-operator and credentials-operator enable you to achieve the same, except without all that work: do it all from Kubernetes, declaratively, and just-in-time, through the magic of IBAC (intent-based access control).

As you've mentioned, it is not possible to define deny rules using the native NetworkPolicy resource. Instead, you could use your CNI’s implementation for network policies. If you use Calico as your CNI you can use Calico's network policies to create deny rules. You can also take a look at Otterize OSS, an open-source solution my team and I are working on recently. It simplifies network policies by defining them from the client’s perspective in a ClientIntents resource. You can use the network mapper to auto-generate those ClientIntents from the traffic in your cluster, and then deploy them and let the intents-operator manage the network policies for you.

However, if you want to control pod-to-pod communication, you might be better suited with managing network policies using ClientIntents, which let you specify which pods should communicate with which, from the client's point of view, and without requiring labels beforehand. It's open source, have a look at the intents operator here: https://github.com/otterize/intents-operator

You can try it out by installing an open source, standalone Kubernetes operator that implements them using network policies - https://github.com/otterize/intents-operator

Hi! I'm Tomer, the CEO of Otterize - a cloud-native open-source tool that makes secure access transparent for developers with a declarative approach to service-to-service authorization. Otterize allows you to automate the creation of network policies and Kafka ACLs in a Kubernetes cluster using a human-readable format. Just declare which services your code intends to call using a Kubernetes custom resource, and access will be granted automatically while blocking anything else. Give it a try! It's free and takes 5 min to get started. https://github.com/otterize/intents-operator

You can use https://github.com/otterize/intents-operator to easily configure network policies using only pod names by specifying logical connections (a->b, c->b), and the operator configures network policies and labels for cluster resources automatically.

I'm very passionate about this as I think cybersecurity and ops people lean too far into control -- controlling people, that is, not just programs, and they end up shooting themselves in the foot. Instead, I think you should make it easy for devs in your team to create the right access controls, and that this is the only way to achieve zero trust. Zero-trust inherently relies on all access being intentional and authorized, so if other engineers don't declare which access their code needs, it's impossible to achieve. There's an open source Kubernetes operator that aims to get this concept right with network policies and Kafka ACLs - make it easy for one person to declare which access is intentional and start rolling out zero trust using network policies, and have the access control policy live alongside the client code. Check it out at https://github.com/otterize/intents-operator. Full disclosure - I'm one of the contributors, so I'm a bit biased ;) I'm there on the Slack, so feel free to hit me up (Ori).

Hi all, I’m Tomer @Otterize. We just launched an open-source tool to easily automate the creation of network policies and Kafka ACLs in a Kubernetes cluster using a human-readable format, via a custom resource. Check it out - https://github.com/otterize/intents-operator