konstraint
neuvector-helm
konstraint | neuvector-helm | |
---|---|---|
3 | 2 | |
373 | 108 | |
-0.8% | 3.7% | |
8.1 | 8.9 | |
7 days ago | 10 days ago | |
Go | Go | |
MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
konstraint
- Is OPA Gatekeeper the best solution for writing policies for k8s clusters?
- OPA Rego is ridiculously confusing - best way to learn it?
-
How would you write policies in .rego file and use them in OPA-Gatekeeper?
The konstraint tool is quite popular for this use case: https://github.com/plexsystems/konstraint
neuvector-helm
- stopping namespaces to talk with each other
-
Is OPA Gatekeeper the best solution for writing policies for k8s clusters?
You can test and have this up-and-running in less than 30 minutes... 1. deploy NeuVector into your cluster and login (~10 minutes via helm?) 2. login & change admin password - (2 minutes?) 3. Policy > Admission Control 4. click Add - select "Image Registry", "is one of", add your registries, click add - (2 minutes?) 5. click Add - select "Resource Limit Configuration (RLC) - set appropriate values, click add - (4 minutes?) 6. Click Status to "Enabled" & confirm Mode is set to "Monitor" so you can collect violation data without pissing someone off. (the Protect mode will block scheduling of image by kubernetes) - 2 minutes
What are some alternatives?
k-rail - Kubernetes security tool for policy enforcement
Kubewarden - Kubewarden is a policy engine for Kubernetes. It helps with keeping your Kubernetes clusters secure and compliant. Kubewarden policies can be written using regular programming languages or Domain Specific Languages (DSL) sugh as Rego. Policies are compiled into WebAssembly modules that are then distributed using traditional container registries.
jspolicy - jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript
Kyverno - Kubernetes Native Policy Management
bridgekeeper - Kubernetes policy enforcement using python
docker-security-checker - Dockerfile Security Checker using OPA Rego policies with Conftest
policy-as-code-war - OPA Gatekeeper vs Kyverno
datree - Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io
regal - Regal is a linter for Rego, with the goal of making your Rego magnificent!
checkov - Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.