datree
Grafana
Our great sponsors
datree | Grafana | |
---|---|---|
34 | 379 | |
6,403 | 60,279 | |
0.1% | 1.5% | |
7.2 | 10.0 | |
6 months ago | 3 days ago | |
Go | TypeScript | |
Apache License 2.0 | GNU Affero General Public License v3.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
datree
-
Show HN: Datree (YC W20) ā End-to-End Policy Management for Kubernetes
Hi HN, Iām Shimon, the co-founder of Datree: A policy management solution for Kubernetes. We help DevOps engineers prevent misconfigurations in their Kubernetes by enforcing an organizational policy on their clusters. Engineers can define a custom policy or use one of Datreeās built-in policies, such as NIST/NSA Hardening Guide, EKS Security Best Practices, CIS Benchmark, and more.
Our website is at https://datree.io and our GitHub is here: https://github.com/datreeio/datree
This is not the first time I have shown Datree to the HN community: A little over a year ago, I posted here an earlier version of Datree (https://news.ycombinator.com/item?id=28918850). At that time, Datree consisted of a CLI tool to detect Kubernetes misconfigurations during the development process (locally or in the CI/CD), unlike the version I present today in which the enforcement happens in production.
We built the CLI tool because we detected a big problem among Kubernetes operators: Misconfigurations. Kubernetes is extremely complex and flexible, which makes it very easy to poorly configure it in ways that are not secure. And indeed, we talked to dozens of Kubernetes operators who suffered from various problems, starting with failed audits, all the way to downtime in production, all because of misconfigurations.
Our solution was simple: Give the developers the means to shift-left security testing during the development process with a CLI tool that can be integrated into the CI/CD. We thought this was the best way to approach the problem: It is easiest to fix misconfigurations in the development process before they are deployed to production, it prevents context-switching and relieves resources from the DevOps team.
While the CLI tool was very popular among the open-source community (it got over 6000 stars on GitHub), we soon realized that CI/CD enforcement is not enough. As we talked with Datreeās users, we realized we had made a fundamental mistake: We thought of misconfiguration prevention in technical terms rather than organizational terms.
Indeed, from a technical point of view, it makes sense to shift-left Kubernetes security. But when considering the organizational structure in which it takes place, it simply isnāt enough. DevOps engineers told us that they love the shift-left concept, but they simply cannot rely on the goodwill of the engineers to run a CLI tool locally or to monitor all the pipelines leading to production. They need governance, something to help them stay in control of the state of their clusters.
Moreover, we realized that many companies who use Kubernetes are heavily regulated, and cannot take any chances with their security. Sure, these companies want the engineers to fix misconfigurations during development, but they also want something to make sure that no matter what, their clusters remain misconfiguration-free.
Based on this understanding, we developed a new version of Datree that sits on the cluster itself (rather than in the CI/CD) and protects the production environment by blocking misconfigured resources with an admission webhook. It has a centralized policy management solution to enable governance, and native monitoring to get real-time insights into the state of your Kubernetes.
I look forward to hearing your feedback and answering any questions you may have.
- Is OPA Gatekeeper the best solution for writing policies for k8s clusters?
- datreeio/datree: Prevent Kubernetes misconfigurations from reaching production (again š¤ )! Datree is a CLI tool to ensure K8s configs follow stability & security best practices as well as your organizationās policies. See our docs: https://hub.datree.io
- Question for the Argo-Verse
-
How to create a react app with Go support using WebAssembly in under 60 seconds
Go is a statically typed, compiled programming language designed at Google, it is syntactically similar to C, but with memory safety, garbage collection, structural typing, and CSP-style concurrency. In my case, I needed to run Go for JSON schema validations, in other cases, you might want to perform a CPU-intensive task or use a CLI tool written in Go.
- Techworld with Nana: Enforce K8s Best Practices with Datree
-
Gatekeeper vs Kyverno
I worked with both of them and from my experience Gatekeeper is more solid and accountable, I even wrote an article about Gatekeeper. Both Gatekeeper and Kyverno require a lot of heavy lifting work. On the one hand, Gatekeeper will probably require more configuration work however the community and the tool itself are more stable than Kyverno. On the other hand, Kyverno policy-as-code capabilities are much easier to use/understand. This way or another, for me using Kyvernoās policy language or Rego for my policies, wasnāt such a pleasant experience. I personally believe in GitOps and shifting left so if youāre looking for tools I would highly recommend you to review Datree, which is an open-source CLI (Disclaimer: Iām one of the developers at Datree). Datree is a more centralized policy management solution rather than a policy engine. Unlike Kyverno/Gatekeeper Datree was built to help DevOps teams to shift left and practice GitOps by delegating more responsibilities to the developers more efficiently. In practice, Datree already comes with built-in rules and policies along with YAML and schema validation for K8s resources and CRDs such as Argo CRDs. Datreeās policies are written in JSONScheme which is a common solid policy language supported by the community for many years. Additionally, Datreeās CLI also comes with a dashboard app where you can monitor the policies in your organization. You can modify and update your policies, review which policies are being used in practice, and control who can create/delete/update your policies. The major difference is that at the moment, unlike Kyverno/Gatekeeper Datree doesnāt provide native policy enforcement in the Kubernetes cluster at the moment but we expect to release this support very soon. At the moment, we provide a way to scan the cluster using a kubectl plugin. Feel free to check it out :)
-
Working with Datreeās Helm Plugin
$ helm plugin install https://github.com/datreeio/helm-datree Installing helm-datree... https://github.com/datreeio/datree/releases/download/1.0.6/datree-cli_1.0.6_Darwin_x86_64.zip % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 673 100 673 0 0 1439 0 --:--:-- --:--:-- --:--:-- 1469 100 6901k 100 6901k 0 0 1852k 0 0:00:03 0:00:03 --:--:-- 2865k helm-datree is installed. See https://hub.datree.io for help getting started. Installed plugin: datree
-
Adding custom rules in Datree
GitHub
- Learn from Nana, AWS Hero & CNCF Ambassador, how to enforce K8s best practices with Datree.
Grafana
-
Docker Log Observability: Analyzing Container Logs in HashiCorp Nomad with Vector, Loki, and Grafana
Monitoring application logs is a crucial aspect of the software development and deployment lifecycle. In this post, we'll delve into the process of observing logs generated by Docker container applications operating within HashiCorp Nomad. With the aid of Grafana, Vector, and Loki, we'll explore effective strategies for log analysis and visualization, enhancing visibility and troubleshooting capabilities within your Nomad environment.
-
Golang: out-of-box backpressure handling with gRPC, proven by a Grafana dashboard
To help us visualize these scenarios, we'll build a Grafana Dashboard so we can follow along.
-
Monitoring, Observability, and Telemetry Explained
Visualization and Analysis: Choose a tool with intuitive and customizable dashboards, charts, and visualizations. A question to ask is, "Are the visualization features of this tool user-friendly and adaptable to our team's specific needs?" Tools like Grafana and Kibana provide powerful visualization capabilities.
-
4 facets of API monitoring you should implement
Prometheus: Open-source monitoring system. Often used together with Grafana.
- Grafana: Open and composable observability and data visualization platform
-
The Mechanics of Silicon Valley Pump and Dump Schemes
Grafana
-
Reverse engineering the Grafana API to get the data from a dashboard
Yes I'm aware that Grafana is open source but the method I used to find the API endpoints is far quicker than digging through hundreds of files in a codebase I'm not familiar with.
-
Building an Observability Stack with Docker
So, you will add one last container to allow us to visualize this data: Grafana, an open-source analytics and visualization platform that allows us to see traces and metrics simply. You can set Grafana to read data from both Tempo and Prometheus by setting them as datastores with the following grafana.datasource.yaml config file:
-
How to collect metrics from node.js applications in PM2 with exporting to Prometheus
In example above, we use 2 additional parameters: code (HTTP response code) and page (page identifier), which provide detailed statistics. For example, you can build such graphs in Grafana:
-
Root Cause Chronicles: Quivering Queue
Robin switched to the Grafana dashboard tab, and sure enough, the 5xx volume on web service was rising. It had not hit the critical alert thresholds yet, but customers had already started noticing.
What are some alternatives?
KubeArmor - Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
Thingsboard - Open-source IoT Platform - Device management, data collection, processing and visualization.
polaris - Validation of best practices in your Kubernetes clusters
Apache Superset - Apache Superset is a Data Visualization and Data Exploration Platform [Moved to: https://github.com/apache/superset]
kube-score - Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
Heimdall - An Application dashboard and launcher
polaris - Shopifyās design system to help us work together to build a great experience for all of our merchants.
Wazuh - Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
reviewdog - š¶ Automated code review tool integrated with any code analysis tools regardless of programming language
Thingspeak - ThingSpeak is an open source āInternet of Thingsā application and API to store and retrieve data from things using HTTP over the Internet or via a Local Area Network. With ThingSpeak, you can create sensor logging applications, location tracking applications, and a social network of things with status updates.
Kyverno - Kubernetes Native Policy Management
uptime-kuma - A fancy self-hosted monitoring tool