credentials-operator
network-mapper
credentials-operator | network-mapper | |
---|---|---|
6 | 10 | |
54 | 574 | |
- | 1.2% | |
8.5 | 8.7 | |
about 17 hours ago | 6 days ago | |
Go | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
credentials-operator
-
Otterize launches open-source, declarative IAM permissions for workloads on AWS EKS clusters
No more! The open-source intents-operator and credentials-operator enable you to achieve the same, except without all that work: do it all from Kubernetes, declaratively, and just-in-time, through the magic of IBAC (intent-based access control).
-
How to have SSL certificates for all my home lab Kubernetes apps?
Otterize Credential Operator ( https://github.com/otterize/credentials-operator ) helps you automatically provision credentials as Kubernetes secrets (using a self-hosted SPIRE or a free SaaS solution). You can use pod annotations to determine the certificate's domain names (as well as many other properties). I think it is a straightforward approach to managing trust, especially for a relatively small cluster where you manage everything. (Full disclosure: I am one of the contributors to this project)
-
Ask r/kubernetes: What are you working on this week?
Have you taken a look at using SPIRE to create the TLS certificates and attesting about the workload identity? You could couple SPIRE server with the Otterize SPIRE integration operator to declaratively generate TLS certificates. This could be easier to deploy than a service mesh and sidecars, depending on your use case - what the clients are and what the servers are.
-
How to authenticate microservices?
You could create JWT or mTLS-based identities, and then verify those in your middleware. If you are on Kubernetes, you might try using SPIRE together with the SPIRE integration operator to automatically issue identities as Kubernetes secrets, which you could then use to connect between services.
-
Who defines secret management / certificate management in your company
In practice, the technical part is implemented by the DevOps/platform team. The way in which you declare and get access to these secrets varies, but can be one of the cloud provider secret managers (e.g. AWS Secret Manager), Hashicorp Vault, or if you're on Kubernetes, could be something like cert-manager, Hashicorp Vault sidecars, or SPIRE coupled with the Otterize SPIRE integration.
-
How to automate certificate renewal with Azure Key vault?
If this seems a bit complicated, you could use SPIRE server to issue certificates and Otterize SPIRE integration operator to renew them in Kubernetes and update Secrets.
network-mapper
- Network Mapper – low privileges, no-eBPF network observability tool for K8s
-
Otterize launches open-source, declarative IAM permissions for workloads on AWS EKS clusters
Yep! When you deploy Otterize, you get a map of your cluster’s traffic, with zero-configuration, through the open-source network-mapper.
-
Kubernetes traffic discovery
After multiple iterations, research sessions and some trial & error, we could produce an exportable list of network connections in any Kubernetes cluster. You might recall that our larger goal was to get to a logical (functional) map of pod-to-pod traffic, and that will be covered in a future posting. After adding that capability, here’s an example output from our project, now called network-mapper, when pointed at one of the clusters in our “lab” environment:
- Show HN: Visualize Kubernetes Clusters
-
Visualizing Kubernetes traffic, the non-invasive way
It'll require some changes but you can go for it if that's something up your alley, as after all, it's all open source - https://github.com/otterize/network-mapper
- GitHub - otterize/network-mapper: Map Kubernetes in-cluster traffic and export as text, intents, or an image
-
Open-source Kubernetes traffic visualizer - Otterize network mapper
We received some great feedback from the community regarding our tool, and one of the most commonly requested features was visualization. So we embedded this functionality into the tool, and now you can easily map and visualize your cluster with a single CLI command.
-
Alternative to Network Policys
As you've mentioned, it is not possible to define deny rules using the native NetworkPolicy resource. Instead, you could use your CNI’s implementation for network policies. If you use Calico as your CNI you can use Calico's network policies to create deny rules. You can also take a look at Otterize OSS, an open-source solution my team and I are working on recently. It simplifies network policies by defining them from the client’s perspective in a ClientIntents resource. You can use the network mapper to auto-generate those ClientIntents from the traffic in your cluster, and then deploy them and let the intents-operator manage the network policies for you.
- Otterize network mapper - map Kubernetes in-cluster traffic with zero-config
What are some alternatives?
bouncer - JWT-based authentication and authorization service
echopod - The minimal HTTP server that provides info about container/pod.
tic-tac-toe - 🎮 Tic Tac Toe implementation over network 🌐
intents-operator - Manage network policies, AWS, GCP & Azure IAM policies, Istio Authorization Policies, and Kafka ACLs in a Kubernetes cluster with ease.
grafana-operator - An operator for Grafana that installs and manages Grafana instances, Dashboards and Datasources through Kubernetes/OpenShift CRs
kubeshark - The API traffic analyzer for Kubernetes providing real-time K8s protocol-level visibility, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. Inspired by Wireshark, purposely built for Kubernetes
kubetunnel - Develop microservices locally while being connected to your Kubernetes environment
CoreDNS - CoreDNS is a DNS server that chains plugins
cni - Container Network Interface - networking for Linux containers