enhancements VS conftest

Compare enhancements vs conftest and see what are their differences.

conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language (by open-policy-agent)
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured
enhancements conftest
63 10
3,457 2,880
0.7% 0.4%
9.8 8.5
7 days ago about 9 hours ago
Go Go
Apache License 2.0 GNU General Public License v3.0 or later
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

enhancements

Posts with mentions or reviews of enhancements. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-07-28.
  • A skeptic's first contact with Kubernetes
    8 projects | news.ycombinator.com | 28 Jul 2024
    The motivation is more the latter, but it's not at all clear the proposed removal of the embedded kustomize will proceed, given the compatibility implications. See discussion at https://github.com/kubernetes/enhancements/issues/4706#issue... and following.
  • Debugging Distroless Images with kubectl and cdebug
    2 projects | dev.to | 31 May 2024
    (I do see there are some proposed enhancements related to profiles that might help here)
  • Design Docs at Google
    3 projects | news.ycombinator.com | 7 May 2024
    Thanks for these links!

    I picked out one at random just to check if my skeptical reaction is fair: https://github.com/kubernetes/enhancements/tree/master/keps/...

    - OK, this is actually a really good and useful doc!

    - However, it's not an up-front design doc, it has clearly been written after the bulk of the work has been done, to explain and justify rolling out a big change. (See the "implementation history" timeline: https://github.com/kubernetes/enhancements/tree/master/keps/...)

    - It looks like the template wasn't very useful; most of the required sections are marked "N/A", and there are comments like The best test for work like this is, more or less, "did it work?"

  • IBM to buy HashiCorp in $6.4B deal
    1 project | news.ycombinator.com | 25 Apr 2024
    > was always told early on that although they supported vault on kubernetes via a helm chart, they did not recommend using it on anything but EC2 instances (because of "security" which never really made sense their reasoning).

    The reasoning is basically that there are some security and isolation guarantees you don't get in Kubernetes that you do get on bare metal or (to a somewhat lesser extent) in VMs.

    In particular for Kubernetes, Vault wants to run as a non-root user and set the IPC_LOCK capability when it starts to prevent its memory from being swapped to disk. While in Docker you can directly enable this by adding capabilities when you launch the container, Kubernetes has an issue because of the way it handles non-root container users specified in a pod manifest, detailed in a (long-dormant) KEP: https://github.com/kubernetes/enhancements/blob/master/keps/... (tl;dr: Kubernetes runs the container process as root, with the specified capabilities added, but then switches it to the non-root UID, which causes the explicitly-added capabilities to be dropped).

    You can work around this by rebuilding the container and setting the capability directly on the binary, but the upstream build of the binary and the one in the container image don't come with that set (because the user should set it at runtime if running the container image directly, and the systemd unit sets it via systemd if running as a systemd service, so there's no need to do that except for working around Kubernetes' ambient-capability issue).

    > It always surprised me how these conversations went. "Well we don't really recommend kubernetes so we won't support (feature)."

  • Exploring cgroups v2 and MemoryQoS With EKS and Bottlerocket
    7 projects | dev.to | 19 Feb 2024
    0 is not the request we've defined. And that makes sense. Memory QoS has been in alpha since Kubernetes 1.22 (August 2021) and according to the KEP data was still in alpha as of 1.27.
  • Jenkins Agents On Kubernetes
    7 projects | dev.to | 4 Sep 2023
    Note: There's actually a Structured Authentication Config established via KEP-3331. It's in v1.28 as a feature flag gated option and removes the limitation of only having one OIDC provider. I may look into doing an article on it, but for now I'll deal with the issue in a manner that should work even with a bit older versions versions of Kubernetes.
  • Isint release cycle becoming a bit crazy with monthly releases and deprecations ?
    2 projects | /r/kubernetes | 11 Jul 2023
    Kubernetes supports a skew policy of n+2 between API server and kubelet. This means if your CP and DP are both on 1.20, you could upgrade your control plane twice (1.20 -> 1.21 -> 1.22) before you need to upgrade your data plane. And when it comes time to upgrade your data plane you can jump from 1.20 to 1.22 to minimize update churn. In the future, this skew will be opened to n+3 https://github.com/kubernetes/enhancements/tree/master/keps/sig-architecture/3935-oldest-node-newest-control-plane
  • Kubernetes SidecarContainers feature is merged
    7 projects | news.ycombinator.com | 10 Jul 2023
    The KEP (Kubernetes Enhancement Proposal) is linked to in the PR [1]. From the summary:

    > Sidecar containers are a new type of containers that start among the Init containers, run through the lifecycle of the Pod and don’t block pod termination. Kubelet makes a best effort to keep them alive and running while other containers are running.

    [1] https://github.com/kubernetes/enhancements/tree/master/keps/...

  • What's there in K8s 1.27
    1 project | dev.to | 4 Jun 2023
    This is where the new feature of mutable scheduling directives for jobs comes into play. This feature enables the updating of a job's scheduling directives before it begins. Essentially, it allows custom queue controllers to influence pod placement without needing to directly handle the assignment of pods to nodes themselves. To learn more about this check out the Kubernetes Enhancement Proposal 2926.
  • Dependencies between Services
    1 project | /r/kubernetes | 6 Apr 2023
    What your asking is a (vanilla) Kubernetes non-goal, others have mentioned fluxcd and other add ons that provide primitives for dependency aware deployments. The problem space is so large, that it's unreasonable to to address these concerns in Kubernetes itself, instead, make it extensible... Look at this KEP for example: https://github.com/kubernetes/enhancements/issues/753 Sidecar containers have existed, and been named as such since WAY before that KEP's inception, defining what these things should and shouldn't do is largely arbitrary. Aka: your use-case is niche, if you don't like the behavior, use flux or argo, or write something yourself.

conftest

Posts with mentions or reviews of conftest. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-06-24.
  • Show HN: Qq: like jq, but can transcode between many formats
    6 projects | news.ycombinator.com | 24 Jun 2024
    6 - https://github.com/open-policy-agent/conftest
  • Validation on list(object) variables
    1 project | /r/Terraform | 8 May 2023
    I wrote following conftest.dev (OPA), sample policy
  • The default.go file meaning
    1 project | /r/golang | 22 Apr 2023
  • Introducing Conftest and setting up CI with Github Actions to automate reviewing of Terraform code
    3 projects | dev.to | 28 Dec 2021
    name: tf-plan-apply on: pull_request: branches: [ main ] env: TF_VERSION: 1.0.0 CONFTEST_VERSION: 0.28.3 WORKING_DIR: ./ jobs: terraform: name: aws-eureka-pairs-etc-s3 runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Install conftest run: | wget -O - 'https://github.com/open-policy-agent/conftest/releases/download/v${{ env.CONFTEST_VERSION }}/conftest_${{ env.CONFTEST_VERSION }}_Linux_x86_64.tar.gz' | tar zxvf - ./conftest --version //❶ - name: Setup Terraform uses: hashicorp/setup-terraform@v1 with: terraform_wrapper: false //❷ terraform_version: ${{ env.TF_VERSION }} cli_config_credentials_token: ${{ secrets.YOUR_CRED_NAME}} - name: Terraform Init ${{ env.WORKING_DIR }} working-directory: ${{ env.WORKING_DIR }} run: terraform init - name: Terraform Plan ${{ env.WORKING_DIR }} if: github.event_name == 'pull_request' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} working-directory: ${{ env.WORKING_DIR }} id: plan run: terraform plan -out=tfplan -no-color -lock=false -parallelism=50 - name: Convert terraform plan result to json formmat if: github.event_name == 'pull_request' id: convert working-directory: ${{ env.WORKING_DIR }} run: terraform show -json tfplan > tfplan.json - name: conftest test if: github.event_name == 'pull_request' id: conftest run: ./conftest test --no-color ${{ env.WORKING_DIR }}/tfplan.json //❸
  • Kubernetes Security Checklist 2021
    28 projects | dev.to | 18 Oct 2021
    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)
  • Don't let your Terraform go rogue with Conftest and the Open Policy Agent
    2 projects | dev.to | 25 Jun 2021
    Insert Conftest! As they state in their GitHub description, Conftest tests against structured configuration data using the Open Policy Agent Rego query language. In the case of Terraform, this means we're actually running unit tests against sample JSON and actual tests against the Terraform state JSON.
  • Using Open Policy Agent and Conftest to Validate Your Openshift 4 IPI Configuration
    1 project | dev.to | 25 Jun 2021
    While Rego is the policy language we use to assemble our policies, we still need something to run those policies with. If you have a cluster and you want to actively evaluate policies, you can end up running an instance of Open Policy Agent and it's associated tooling. However in our case, we just want to check things at runtime (or just on some recurring basis such as when changes get checked in or a pull request is submitted). In the latter instance, we are able to use another tool from the Open Policy Agent project called ConfTest. What ConfTest allows us to do is to specify a file or directory of files that we want to inspect along with the set of policies we want to inspect them with. It then takes all of that and dumps out the associated outputs from those policies and tell us the results (i.e. the messages, how many policies were checked and the results of those policies). This tool is much better suited for our use case, so this is what we will proceed with. To grab the latest version of ConfTest, you can grab the latest release from here.
  • !!!*IMP: Conftest Integration with AWS or Other*!!!!
    1 project | /r/devopsish | 18 Jun 2021
    OR HOW TO RUN https://github.com/open-policy-agent/conftest AS CI/CD in Circle CI to apply policies?
  • Terraforming in 2021 – new features, testing and compliance
    12 projects | dev.to | 2 May 2021
    If you like terraform-compliance, Conftest might also be worth having a look. It has its own DSL to write policies, and allows you to test multiple frameworks. We found this blog post from Lennard Eijsackers very informative, and would thus rather recommend you to check it out.
  • Mental models for understanding Kubernetes Pod Security Policy PSP
    4 projects | /r/kubernetes | 16 Jan 2021
    Can Gatekeeper and Conftest single-source the same set of rules? I'm looking at https://github.com/open-policy-agent/conftest/issues/54#issuecomment-528988831 and not seeing how.

What are some alternatives?

When comparing enhancements and conftest you can also consider the following projects:

kubeconform - A FAST Kubernetes manifests validator, with support for Custom Resources!

checkov - Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

spark-operator - Kubernetes operator for managing the lifecycle of Apache Spark applications on Kubernetes.

terratest - Terratest is a Go library that makes it easier to write automated tests for your infrastructure code.

kubernetes-json-schema - Schemas for every version of every object in every version of Kubernetes

tfsec - Security scanner for your Terraform code [Moved to: https://github.com/aquasecurity/tfsec]

klipper-lb - Embedded service load balancer in Klipper

tflint - A Pluggable Terraform Linter

pixie - Instant Kubernetes-Native Application Observability

inspec - InSpec: Auditing and Testing Framework

connaisseur - An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster

gatekeeper-library - 📚 The OPA Gatekeeper policy library

SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured

Did you konow that Go is
the 4th most popular programming language
based on number of metions?