intents-operator
network-mapper
intents-operator | network-mapper | |
---|---|---|
10 | 10 | |
278 | 570 | |
1.8% | 0.5% | |
9.3 | 8.7 | |
4 days ago | 3 days ago | |
Go | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
intents-operator
-
Otterize launches open-source, declarative IAM permissions for workloads on AWS EKS clusters
No more! The open-source intents-operator and credentials-operator enable you to achieve the same, except without all that work: do it all from Kubernetes, declaratively, and just-in-time, through the magic of IBAC (intent-based access control).
-
Alternative to Network Policys
As you've mentioned, it is not possible to define deny rules using the native NetworkPolicy resource. Instead, you could use your CNI’s implementation for network policies. If you use Calico as your CNI you can use Calico's network policies to create deny rules. You can also take a look at Otterize OSS, an open-source solution my team and I are working on recently. It simplifies network policies by defining them from the client’s perspective in a ClientIntents resource. You can use the network mapper to auto-generate those ClientIntents from the traffic in your cluster, and then deploy them and let the intents-operator manage the network policies for you.
-
Did I miss something here, regarding network policies and helm templates? (Slightly ranty)
However, if you want to control pod-to-pod communication, you might be better suited with managing network policies using ClientIntents, which let you specify which pods should communicate with which, from the client's point of view, and without requiring labels beforehand. It's open source, have a look at the intents operator here: https://github.com/otterize/intents-operator
-
Can I create a NetworkPolicy with podSelector that matches a pod name instead of its labels?
You can try it out by installing an open source, standalone Kubernetes operator that implements them using network policies - https://github.com/otterize/intents-operator
-
Monthly 'Shameless Self Promotion' thread - 2022/12
Hi! I'm Tomer, the CEO of Otterize - a cloud-native open-source tool that makes secure access transparent for developers with a declarative approach to service-to-service authorization. Otterize allows you to automate the creation of network policies and Kafka ACLs in a Kubernetes cluster using a human-readable format. Just declare which services your code intends to call using a Kubernetes custom resource, and access will be granted automatically while blocking anything else. Give it a try! It's free and takes 5 min to get started. https://github.com/otterize/intents-operator
-
Creating network policies for pods with services
You can use https://github.com/otterize/intents-operator to easily configure network policies using only pod names by specifying logical connections (a->b, c->b), and the operator configures network policies and labels for cluster resources automatically.
- otterize/intents-operator: Manage network policies and Kafka ACLs in a Kubernetes cluster with ease.
- Show HN: Intents Operator, turns dev intent into K8s netpolicies and Kafka ACLs
-
What's your take on Zero Trust for Kubernetes?
I'm very passionate about this as I think cybersecurity and ops people lean too far into control -- controlling people, that is, not just programs, and they end up shooting themselves in the foot. Instead, I think you should make it easy for devs in your team to create the right access controls, and that this is the only way to achieve zero trust. Zero-trust inherently relies on all access being intentional and authorized, so if other engineers don't declare which access their code needs, it's impossible to achieve. There's an open source Kubernetes operator that aims to get this concept right with network policies and Kafka ACLs - make it easy for one person to declare which access is intentional and start rolling out zero trust using network policies, and have the access control policy live alongside the client code. Check it out at https://github.com/otterize/intents-operator. Full disclosure - I'm one of the contributors, so I'm a bit biased ;) I'm there on the Slack, so feel free to hit me up (Ori).
-
Manage network policies and Kafka ACLs in a Kubernetes cluster with ease
Hi all, I’m Tomer @Otterize. We just launched an open-source tool to easily automate the creation of network policies and Kafka ACLs in a Kubernetes cluster using a human-readable format, via a custom resource. Check it out - https://github.com/otterize/intents-operator
network-mapper
- Network Mapper – low privileges, no-eBPF network observability tool for K8s
-
Otterize launches open-source, declarative IAM permissions for workloads on AWS EKS clusters
Yep! When you deploy Otterize, you get a map of your cluster’s traffic, with zero-configuration, through the open-source network-mapper.
-
Kubernetes traffic discovery
After multiple iterations, research sessions and some trial & error, we could produce an exportable list of network connections in any Kubernetes cluster. You might recall that our larger goal was to get to a logical (functional) map of pod-to-pod traffic, and that will be covered in a future posting. After adding that capability, here’s an example output from our project, now called network-mapper, when pointed at one of the clusters in our “lab” environment:
- Show HN: Visualize Kubernetes Clusters
-
Visualizing Kubernetes traffic, the non-invasive way
It'll require some changes but you can go for it if that's something up your alley, as after all, it's all open source - https://github.com/otterize/network-mapper
- GitHub - otterize/network-mapper: Map Kubernetes in-cluster traffic and export as text, intents, or an image
-
Open-source Kubernetes traffic visualizer - Otterize network mapper
We received some great feedback from the community regarding our tool, and one of the most commonly requested features was visualization. So we embedded this functionality into the tool, and now you can easily map and visualize your cluster with a single CLI command.
-
Alternative to Network Policys
As you've mentioned, it is not possible to define deny rules using the native NetworkPolicy resource. Instead, you could use your CNI’s implementation for network policies. If you use Calico as your CNI you can use Calico's network policies to create deny rules. You can also take a look at Otterize OSS, an open-source solution my team and I are working on recently. It simplifies network policies by defining them from the client’s perspective in a ClientIntents resource. You can use the network mapper to auto-generate those ClientIntents from the traffic in your cluster, and then deploy them and let the intents-operator manage the network policies for you.
- Otterize network mapper - map Kubernetes in-cluster traffic with zero-config
What are some alternatives?
kubelet-csr-approver - Kubernetes controller to enable automatic kubelet CSR validation after a series of (configurable) security checks
echopod - The minimal HTTP server that provides info about container/pod.
certify - :lock: Create private CA and Issue Certificates without hassle
tic-tac-toe - 🎮 Tic Tac Toe implementation over network 🌐
argocd-example-apps - Example Apps to Demonstrate Argo CD
grafana-operator - An operator for Grafana that installs and manages Grafana instances, Dashboards and Datasources through Kubernetes/OpenShift CRs
ziti - The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
kubeshark - The API traffic analyzer for Kubernetes providing real-time K8s protocol-level visibility, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. Inspired by Wireshark, purposely built for Kubernetes
Lux - Lux is a command-line interface for controlling and monitoring Govee lighting, built in Go.
kubetunnel - Develop microservices locally while being connected to your Kubernetes environment
pcreds - save ~20 seconds when copy/pasting to your aws credentials file from Control Tower
CoreDNS - CoreDNS is a DNS server that chains plugins