Top 23 Policy Open-Source Projects
A popular Policy-as-Code tool for Terraform is OPA, everyone's favorite versatile open-source policy engine that enforces security and compliance policies across your cloud-native stack, making it easier to manage and maintain consistent policy enforcement in complex, multi-service environments.
datree
Prevent Kubernetes misconfigurations from reaching production (again 😤)! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io
Project mention: Show HN: Datree (YC W20) – End-to-End Policy Management for Kubernetes | news.ycombinator.com | 2023-04-04
Hi HN, I’m Shimon, the co-founder of Datree: A policy management solution for Kubernetes. We help DevOps engineers prevent misconfigurations in their Kubernetes by enforcing an organizational policy on their clusters. Engineers can define a custom policy or use one of Datree’s built-in policies, such as NIST/NSA Hardening Guide, EKS Security Best Practices, CIS Benchmark, and more.
Our website is at https://datree.io and our GitHub is here: https://github.com/datreeio/datree
This is not the first time I have shown Datree to the HN community: A little over a year ago, I posted here an earlier version of Datree (https://news.ycombinator.com/item?id=28918850). At that time, Datree consisted of a CLI tool to detect Kubernetes misconfigurations during the development process (locally or in the CI/CD), unlike the version I present today in which the enforcement happens in production.
We built the CLI tool because we detected a big problem among Kubernetes operators: Misconfigurations. Kubernetes is extremely complex and flexible, which makes it very easy to poorly configure it in ways that are not secure. And indeed, we talked to dozens of Kubernetes operators who suffered from various problems, starting with failed audits, all the way to downtime in production, all because of misconfigurations.
Our solution was simple: Give the developers the means to shift-left security testing during the development process with a CLI tool that can be integrated into the CI/CD. We thought this was the best way to approach the problem: It is easiest to fix misconfigurations in the development process before they are deployed to production, it prevents context-switching and relieves resources from the DevOps team.
While the CLI tool was very popular among the open-source community (it got over 6000 stars on GitHub), we soon realized that CI/CD enforcement is not enough. As we talked with Datree’s users, we realized we had made a fundamental mistake: We thought of misconfiguration prevention in technical terms rather than organizational terms.
Indeed, from a technical point of view, it makes sense to shift-left Kubernetes security. But when considering the organizational structure in which it takes place, it simply isn’t enough. DevOps engineers told us that they love the shift-left concept, but they simply cannot rely on the goodwill of the engineers to run a CLI tool locally or to monitor all the pipelines leading to production. They need governance, something to help them stay in control of the state of their clusters.
Moreover, we realized that many companies who use Kubernetes are heavily regulated, and cannot take any chances with their security. Sure, these companies want the engineers to fix misconfigurations during development, but they also want something to make sure that no matter what, their clusters remain misconfiguration-free.
Based on this understanding, we developed a new version of Datree that sits on the cluster itself (rather than in the CI/CD) and protects the production environment by blocking misconfigured resources with an admission webhook. It has a centralized policy management solution to enable governance, and native monitoring to get real-time insights into the state of your Kubernetes.
I look forward to hearing your feedback and answering any questions you may have.
Every time I see Shellcheck coming up, I have to mention shellharden[0] written by a colleague of mine. It is basically shellcheck but it applies the suggested changes automatically.
app-privacy-policy-generator
Generate a customized Privacy Policy and Terms of Use document for your mobile apps
Project mention: Shrink to Secure: Kubernetes and Secure Compact Containers | news.ycombinator.com | 2023-07-02
cerbos
Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.
OPAL
Policy and data administration, distribution, and real-time updates on top of Policy Agents (OPA, Cedar, ...) (by permitio)
Another tool that can help you deploy a Policy as Code-based solution in 2024 is OPAL, the Open Policy Administration Layer. OPAL is an open-source project that provides a comprehensive policy-based service for applications. With one click, you can deploy a full architecture of a Git-based centralized policy store with decentralized policy engines running as a sidecar with your applications. OPAL also provides a unified architecture to sync all the data you need with the policy engines.
balanced-employee-ip-agreement
GitHub's employee intellectual property agreement, open sourced and reusable
Project mention: GitHub's employee intellectual property agreement, open sourced and reusable | /r/CKsTechNews | 2023-04-05
Project mention: My collection of Ansible roles for self-hosting everything with Rocky Linux and FreeIPA | /r/selfhosted | 2023-06-02
FreeRADIUS WiFi authentication server
Certified-Kubernetes-Security-Specialist
Curated resources to help you prepare for the CNCF/Linux Foundation CKS 2021 "Kubernetes Certified Security Specialist" Certification exam. Please provide feedback or requests by raising issues or making a pull request. All feedback for improvements is welcome. Thank you.
Project mention: Why should you care about the "security.txt" file on your website? | news.ycombinator.com | 2024-01-22
A very, very long article to say "you should have a security.txt file, find an example at https://securitytxt.org/".
KubeArmor
Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
KCL: A declarative configuration and policy programming language implemented in Rust. It improves the writing of large numbers of complex configurations by applying mature programming language technology and practice, and aims to provide better modularity, scalability and stability around configuration, simpler logic writing, fast automation and good ecosystem extensibility.
felix
Project Calico's per-host agent Felix, responsible for programming routes and security policy.
OpenAM
OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
Here is a library of rules for the Open Policy Agent.
gke-policy-automation
Tool and policy library for reviewing Google Kubernetes Engine clusters against best practices
Pike is a tool that analyzes Terraform managed resources and automatically generates the necessary IAM permissions, improving security by ensuring that only the minimum necessary permissions are granted.
Policy related posts
- Why should you care about the "security.txt" file on your website?
- Build and Push to GAR and Deploy to GKE - End-to-End CI/CD Pipeline
- 🖌️⚙️ Innovate Like Da Vinci: Blending Art and Science in Software Development
- Who's actually using network policies in their clusters? Why/why not?
- Get started with Cerbos Hub
- Cerbos v0.32 released!
www.influxdata.com | 29 Mar 2024
Index
What are some of the best open-source Policy projects? This list will help you:
| # | Project | Stars |
|---|---|---|
| 1 | OPA (Open Policy Agent) | 9,024 |
| 2 | datree | 6,402 |
| 3 | shellharden | 4,530 |
| 4 | app-privacy-policy-generator | 3,700 |
| 5 | gatekeeper | 3,422 |
| 6 | cerbos | 2,417 |
| 7 | OPAL | 2,252 |
| 8 | balanced-employee-ip-agreement | 2,114 |
| 9 | FreeRADIUS | 1,999 |
| 10 | Certified-Kubernetes-Security-Specialist | 1,910 |
| 11 | security-txt | 1,738 |
| 12 | site-policy | 1,645 |
| 13 | azure-policy | 1,421 |
| 14 | KubeArmor | 1,246 |
| 15 | kcl | 1,203 |
| 16 | felix | 922 |
| 17 | FreeIPA | 911 |
| 18 | covid-policy-tracker | 759 |
| 19 | OpenAM | 705 |
| 20 | policy-bot | 700 |
| 21 | gatekeeper-library | 599 |
| 22 | gke-policy-automation | 507 |
| 23 | pike | 458 |