| | gke-policy-automation | tanka |
|---|---|---|
| Mentions | 8 | 25 |
| Stars | 508 | 2,236 |
| Growth | 0.2% | 2.1% |
| Activity | 6.9 | 8.3 |
| Last commit | 15 days ago | 4 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gke-policy-automation
-
Google Kubernetes clusters config checker tool
https://github.com/google/gke-policy-automation/blob/main/gk...
What's the point of requiring the control plane to be locked down to authorized networks (IP address ranges)? Isn't Google responsible for DDoS protection, enforcing authentication controls (i.e. logging in with a Google account in the right Google group), patching the control plane ASAP for any security vulnerabilities?
If you have a VPN, if you have heavy-duty network monitoring on your VPN endpoint, sure, limit it to the VPN. For the rest of us? Is every startup running GKE without heavy-duty VPN / network monitoring fundamentally insecure? That doesn't sound right to me. Security is supposed to be a spectrum, and it seems like black-and-white automated config checkers like these are more likely to provoke arguments internally ("but the tool said it's bad!!") than to help reach a nuanced understanding of why tradeoffs are made. No?
-
GKE Policy Automation: validate your cluster configurations
GKE Policy Automation is a tool and a policy library for validating Google Kubernetes Engine clusters against set of configuration best practices.
tanka
-
Why the fuck are we templating YAML? (2019)
I would recommend implementing a similar API to Grafana Tanka: https://tanka.dev
When you "synthesise", the returned value should be an array or an object.
1. If it's an object, check if it has an `apiVersion` and `kind` key. If it does, yield that as a kubernetes object and do not recurse.
-
What Is Wrong with TOML?
Maybe you'd like jsonnet: https://jsonnet.org/
I find it particularly useful for configurations that often have repeated boilerplate, like ansible playbooks or deploying a bunch of "similar-but" services to kubernetes (with https://tanka.dev).
Dhall is also quite interesting, with some tradeoffs: https://dhall-lang.org/
A few years ago I did a small comparison by re-implementing one of my simpler ansible playbooks: https://github.com/retzkek/ansible-dhall-jsonnet
-
Show HN: Keep – GitHub Actions for your monitoring tools
- validation is often impractical (at least identifying exactly where the error is… I'm looking at you Helm!)
Unrelated to OP, but you can leverage Tanka to extend helm charts with functionality not provided by upstream.
https://tanka.dev/
-
Alternatives to Helm?
Although jsonnet might be considered more complex, Tanka is a great alternative for k8s config management.
- Helm makes it overly complex, or is it just me?
-
The YAML Document from Hell
At Grafana Labs we're using jsonnet at scale; while it is a powerful functional language, it is also excellent for rendering JSON/YAML config. We have developed Tanka[0] to work with Kubernetes, for other purposes I can recommend this course[1] (authored by me).
[0] https://tanka.dev/
[1] https://jsonnet-libs.github.io/jsonnet-training-course/
-
Should I migrate from Kustomize to Helm?
If you're hitting the limits of Kustomize, maybe look at Tanka as well.
-
Is it possible to wrap Kustomize yaml with jinja2?
Yes, try Tanka.
-
Using Docker – Compose in Development and Production
Yes, basically. And this is a path that multiple people are trying to solve, e.g. AWS CDK8s, https://tanka.dev/, etc.
Compose would be awesome.
-
Google Kubernetes clusters config checker tool
http://tanka.dev
(Note I work for Grafana Labs who fund Tanka and use it for all production config)
What are some alternatives?
cerbos - Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.
helm-charts - Prometheus community Helm charts
OPAL - Policy and data administration, distribution, and real-time updates on top of Policy Agents (OPA, Cedar, ...)
kustomize - Customization of kubernetes YAML configurations
policy-enforcer - Represent your rego rules programmatically.
kapitan - Generic templated configuration management for Kubernetes, Terraform and other things
reposaur - Open source compliance tool for development platforms.
ytt - YAML templating tool that works on YAML structure instead of text
popeye - A Kubernetes cluster resource sanitizer
kpt - Automate Kubernetes Configuration Editing
OPA (Open Policy Agent) - Open Policy Agent (OPA) is an open source, general-purpose policy engine.
Pulumi - Pulumi - Infrastructure as Code in any programming language. Build infrastructure intuitively on any cloud using familiar languages