Is OPA Gatekeeper the best solution for writing policies for k8s clusters?

This page summarizes the projects mentioned and recommended in the original post on /r/kubernetes

Our great sponsors
  • InfluxDB - Collect and Analyze Billions of Data Points in Real Time
  • SonarLint - Clean code begins in your IDE with SonarLint
  • Mergify - Updating dependencies is time-consuming.
  • checkov

    Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

    We’ve been using for terraform and will be using this for yaml and helm. Lots of policies out of the box.

  • trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

  • InfluxDB

    Collect and Analyze Billions of Data Points in Real Time. Manage all types of time series data in a single, purpose-built database. Run at any scale in any environment in the cloud, on-premises, or at the edge.

  • Kyverno

    Kubernetes Native Policy Management

  • datree

    Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs:

  • polaris

    Validation of best practices in your Kubernetes clusters (by FairwindsOps)

  • gatekeeper

    🐊 Gatekeeper - Policy Controller for Kubernetes

  • Kubewarden

    Kubewarden is a policy engine for Kubernetes. It helps with keeping your Kubernetes clusters secure and compliant. Kubewarden policies can be written using regular programming languages or Domain Specific Languages (DSL) sugh as Rego. Policies are compiled into WebAssembly modules that are then distributed using traditional container registries.

    I'm one of the developers of kubewarden, a CNCF sandbox project that operates in the same space as OPA/Gatekeeper and Kyverno.

  • SonarLint

    Clean code begins in your IDE with SonarLint. Up your coding game and discover issues early. SonarLint is a free plugin that helps you find & fix bugs and security issues from the moment you start writing code. Install from your favorite IDE marketplace today.

  • kubeval

    Validate your Kubernetes configuration files, supports multiple Kubernetes versions

  • k-rail

    Kubernetes security tool for policy enforcement

  • konstraint

    A policy management tool for interacting with Gatekeeper

  • bridgekeeper

    Kubernetes policy enforcement using python

  • jspolicy

    jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

  • neuvector-helm

    HELM chart to install NeuVector container cluster

    You can test and have this up-and-running in less than 30 minutes... 1. deploy NeuVector into your cluster and login (~10 minutes via helm?) 2. login & change admin password - (2 minutes?) 3. Policy > Admission Control 4. click Add - select "Image Registry", "is one of", add your registries, click add - (2 minutes?) 5. click Add - select "Resource Limit Configuration (RLC) - set appropriate values, click add - (4 minutes?) 6. Click Status to "Enabled" & confirm Mode is set to "Monitor" so you can collect violation data without pissing someone off. (the Protect mode will block scheduling of image by kubernetes) - 2 minutes

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts