jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

Overview


  • Lightning Fast & Secure Policy Execution - jsPolicy runs policies in Google's V8 JavaScript engine inside a pool of pre-warmed sandbox environments. Most policies take less than a millisecond to execute
  • Great Language For Policies - JavaScript was made for handling and manipulating JSON objects (JSON is short for JavaScript Object Notation), and Kubernetes speaks JSON: your YAML is converted to JSON on every API request
  • 3 Policy Types for anything you need:
    • Validating Policies - Request validation that is as easy as calling allow(), deny("This is not allowed"), or warn("We'll let this one slip, but upgrade to the new ingress controller")
    • Mutating Policies - Simple mutations of the kubectl request payload via mutate(modifiedObj)
    • Controller Policies - Run custom JavaScript controllers that react to any change to the objects in your cluster. Controller policies are reactive: they are not webhooks and do not run as part of a Kubernetes API server request, but react to events in your cluster after they have happened. With controller policies you can write resource sync mechanisms, enforce objects in namespaces, garbage collectors or fully functional CRD controllers
  • Simple yet Powerful - Create a functional webhook with a single line of JavaScript or write your own fully-blown custom StatefulSet controller in TypeScript with jsPolicy. There are no limits and the possibilities are endless
  • Easy Cluster Access - Control cluster state with built-in functions such as get("Pod", "v1", "my-namespace/my-pod"), list("Namespace", "v1"), create(limitRange), update(mySecret) or remove(configMap)
  • Focus on Policy Logic - Jump right in and focus only on writing your own policy logic, or simply reuse existing policies. Let jsPolicy do the rest: high availability, performance tuning, auditing, certificate management, webhook registration, Prometheus metrics, shared resource caches, controller boilerplate, dynamic policy management etc. are taken care of
  • Turing Complete Policy Language - Use loops, Promises, generator functions, optional chaining and the other ? operators, type-safe TypeScript practices, hot reloaders, linting, test frameworks and all other modern JS language features and development best practices for writing clean and easy to maintain policy code
  • Huge Ecosystem of Libraries - Use any CommonJS JavaScript or TypeScript library from npmjs or from your private registry
  • Easy Policy Sharing & Reuse - Share entire policies or reusable functions via npmjs or via your private registry
  • Efficient Policy Development - Use any of the dev tools available for JavaScript or TypeScript for a highly efficient workflow
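A mutating policy is the building block for a generic sidecar injector, which is also what the feature request in the comments further down this page asks for. The following is an added example and is not jsPolicy's own code: an annotation-driven injector written as a plain function that returns the object a policy would hand to mutate(), plus a small RFC 6902 JSON Patch diff that shows the change the API server would apply. The annotation name example.com/inject-log-shipper, the sidecar template and the pod specs are constructed for the example, and the diff helper is the example's own; it does not show how jsPolicy itself derives the patch from the mutated object.

```javascript
"use strict";
// Added example, not jsPolicy's own code: annotation-driven sidecar injection as
// a mutating policy for operations ["CREATE"] on resources ["pods"]. In a JsPolicy
// the body would end with mutate(pod); here injectSidecar() returns that object
// (or null to leave the request untouched) so the result can be inspected offline.

const INJECT_ANNOTATION = "example.com/inject-log-shipper"; // hypothetical name
const SIDECAR = { // constructed template; pin the image by digest in real use
  name: "log-shipper",
  image: "registry.example.com/log-shipper:1.4.2",
  securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true },
  volumeMounts: [{ name: "varlog", mountPath: "/var/log", readOnly: true }],
};
const SIDECAR_VOLUME = { name: "varlog", emptyDir: {} };

const clone = (v) => JSON.parse(JSON.stringify(v));

// Returns the mutated pod, or null when the request should pass through untouched.
function injectSidecar(request) {
  const pod = clone(request.object); // never edit the request payload in place
  const annotations = (pod.metadata && pod.metadata.annotations) || {};
  if (annotations[INJECT_ANNOTATION] !== "true") return null; // not opted in
  const containers = pod.spec.containers || [];
  if (containers.some((c) => c.name === SIDECAR.name)) return null; // already injected: idempotent
  containers.push(clone(SIDECAR));
  pod.spec.containers = containers;
  const volumes = pod.spec.volumes || [];
  if (!volumes.some((v) => v.name === SIDECAR_VOLUME.name)) volumes.push(clone(SIDECAR_VOLUME));
  pod.spec.volumes = volumes;
  return pod;
}

// Minimal RFC 6902 diff: nested objects recurse, appended array items become
// "add" ops at "/-", anything else is a replace. Renders what a mutating
// webhook response carries as its JSON Patch.
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const ptr = (k) => String(k).replace(/~/g, "~0").replace(/\//g, "~1"); // JSON Pointer escaping

function jsonPatch(before, after, path = "") {
  const ops = [];
  if (Array.isArray(before) && Array.isArray(after)) {
    const shared = Math.min(before.length, after.length);
    for (let i = 0; i < shared; i++) ops.push(...jsonPatch(before[i], after[i], `${path}/${i}`));
    for (let i = shared; i < after.length; i++) ops.push({ op: "add", path: `${path}/-`, value: after[i] });
    for (let i = before.length - 1; i >= after.length; i--) ops.push({ op: "remove", path: `${path}/${i}` });
  } else if (isObj(before) && isObj(after)) {
    for (const k of Object.keys(after)) {
      if (k in before) ops.push(...jsonPatch(before[k], after[k], `${path}/${ptr(k)}`));
      else ops.push({ op: "add", path: `${path}/${ptr(k)}`, value: after[k] });
    }
    for (const k of Object.keys(before)) {
      if (!(k in after)) ops.push({ op: "remove", path: `${path}/${ptr(k)}` });
    }
  } else if (JSON.stringify(before) !== JSON.stringify(after)) {
    ops.push({ op: "replace", path, value: after });
  }
  return ops;
}

// What the policy hands back for one admission request.
function mutateRequest(request) {
  const mutated = injectSidecar(request);
  if (mutated === null) return { patched: false, patch: [], object: request.object };
  return { patched: true, patch: jsonPatch(request.object, mutated), object: mutated };
}

// Constructed requests: one pod opted in via the annotation, one without it.
const optedInPod = { operation: "CREATE", namespace: "team-a", object: {
  apiVersion: "v1", kind: "Pod",
  metadata: { name: "web", namespace: "team-a", annotations: { [INJECT_ANNOTATION]: "true" } },
  spec: { containers: [{ name: "web", image: "registry.example.com/web:2.0.1" }] } } };
const plainPod = { operation: "CREATE", namespace: "team-a", object: {
  apiVersion: "v1", kind: "Pod", metadata: { name: "api", namespace: "team-a" },
  spec: { containers: [{ name: "api", image: "registry.example.com/api:1.0.0" }] } } };

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(mutateRequest(optedInPod).patch, null, 2));
  console.log("plain pod patched:", mutateRequest(plainPod).patched);
}
```

The injector clones the request payload before touching it and refuses to inject twice, so re-admission of an already-injected pod (for example through a controller that recreates it) yields an empty patch instead of a second sidecar.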

Learn more on www.jspolicy.com.

Join us on Slack!


Architecture

(Diagram: jsPolicy Architecture)

(Image: jsPolicy Compatibility)

Learn more in the documentation.



Quick Start

To learn more about jsPolicy, open the full getting started guide.

1. Install jsPolicy

Install jsPolicy to your Kubernetes cluster via Helm v3:

helm install jspolicy jspolicy -n jspolicy --create-namespace --repo https://charts.loft.sh

2. Create a Policy

Create the file policy.yaml:

# policy.yaml
apiVersion: policy.jspolicy.com/v1beta1
kind: JsPolicy
metadata:
  name: "deny-default-namespace.company.tld"
spec:
  operations: ["CREATE"]
  resources: ["*"]
  scope: Namespaced
  javascript: |
    if (request.namespace === "default") {
      deny("Creation of resources within the default namespace is not allowed!");
    }

3. Apply The Policy

Apply the policy in your cluster:

kubectl apply -f policy.yaml

4. See Policy In Action

Try to create a resource in the default namespace; the admission webhook rejects it with the deny() message from the policy:

kubectl create deployment nginx-deployment -n default --image=nginx
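The policy above, and the validating-policy calls listed under Overview, can be exercised without a cluster. The following is an added example, not jsPolicy's own code: a small Node.js stand-in for the sandbox that supplies request, deny(), allow(), warn() and print() to a policy's spec.javascript body, run against constructed AdmissionRequest fragments. It assumes that deny()/allow() end the policy run while warn() only records a warning, and that an uncaught exception fails closed with the error text (the behaviour the `warn` issue in the comments further down this page shows). The DELETE case is included because the API server sends the deleted object in request.oldObject and leaves request.object null, which is why reading request.namespace, as the quick start does, is the robust choice. The image-tag policy and all request objects are constructed for the example.

```javascript
"use strict";
// Added example, not jsPolicy's own code: a minimal stand-in for the sandbox in
// which a JsPolicy's spec.javascript runs. ASSUMPTION: deny()/allow() end the
// run, warn() records a warning and continues, and an uncaught exception fails
// closed with the error text (as the API server output in the warn issue shows).

class PolicyDecision extends Error {
  constructor(allowed, message) {
    super(message || "");
    this.allowed = allowed;
  }
}

// Run one policy body against one AdmissionRequest-shaped object.
// Returns { allowed, message, warnings }.
function runValidatingPolicy(policySource, request) {
  const warnings = [];
  const globals = {
    request,
    allow: () => { throw new PolicyDecision(true); },
    deny: (message) => { throw new PolicyDecision(false, message); },
    warn: (message) => { warnings.push(message); },
    print: () => {}, // log output does not affect the verdict here
  };
  const policy = new Function(...Object.keys(globals), policySource);
  try {
    policy(...Object.values(globals));
    return { allowed: true, message: "", warnings }; // no verdict given: admitted
  } catch (e) {
    if (e instanceof PolicyDecision) {
      return { allowed: e.allowed, message: e.message, warnings };
    }
    // Fail closed: a policy that crashes must not admit the request.
    return { allowed: false, message: `Uncaught ${e.name}: ${e.message}`, warnings };
  }
}

// The quick-start policy body, verbatim.
const denyDefaultNamespace = `
  if (request.namespace === "default") {
    deny("Creation of resources within the default namespace is not allowed!");
  }`;

// Same intent, but reading the namespace from the payload object instead.
const denyDefaultViaObject = `
  if (request.object.metadata.namespace === "default") {
    deny("Creation of resources within this namespace is not allowed!");
  }`;

// A warn() policy: flag unpinned image tags but still admit the request.
const warnUnpinnedImages = `
  for (const c of request.object?.spec?.containers ?? []) {
    if (!c.image.includes("@sha256:") && (!c.image.includes(":") || c.image.endsWith(":latest"))) {
      warn("container " + c.name + " uses an unpinned image: " + c.image);
    }
  }`;

// Constructed AdmissionRequest fragments (only the fields the policies read).
// On DELETE the API server puts the object in oldObject and sends object: null.
const requests = {
  createInDefault: { operation: "CREATE", namespace: "default",
    object: { kind: "Deployment", metadata: { name: "nginx-deployment", namespace: "default" } },
    oldObject: null },
  createInTeamA: { operation: "CREATE", namespace: "team-a",
    object: { kind: "Deployment", metadata: { name: "nginx-deployment", namespace: "team-a" } },
    oldObject: null },
  deleteInDefault: { operation: "DELETE", namespace: "default", object: null,
    oldObject: { kind: "Pod", metadata: { name: "web", namespace: "default" } } },
  createLatestPod: { operation: "CREATE", namespace: "team-a",
    object: { kind: "Pod", metadata: { name: "web", namespace: "team-a" },
      spec: { containers: [{ name: "web", image: "nginx:latest" }, { name: "db", image: "postgres:15.3" }] } },
    oldObject: null },
};

function evaluateAll() {
  return {
    createInDefault: runValidatingPolicy(denyDefaultNamespace, requests.createInDefault),
    createInTeamA: runValidatingPolicy(denyDefaultNamespace, requests.createInTeamA),
    // request.namespace is populated on DELETE, so the quick-start form still decides correctly...
    deleteInDefault: runValidatingPolicy(denyDefaultNamespace, requests.deleteInDefault),
    // ...while dereferencing request.object crashes, and the crash becomes a denial.
    deleteViaObject: runValidatingPolicy(denyDefaultViaObject, requests.deleteInDefault),
    warnLatest: runValidatingPolicy(warnUnpinnedImages, requests.createLatestPod),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(evaluateAll())) {
    console.log(name, r.allowed ? "ALLOWED" : "DENIED", r.message, r.warnings);
  }
}
```

The harness fails closed on exceptions deliberately: a policy that throws on an unexpected request shape (object: null on DELETE, a missing spec on a subresource) should block rather than silently admit, and the crash text then surfaces in the kubectl error where it is noticed and fixed.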


This project is open-source and licensed under Apache 2.0, so you can use it in any private or commercial projects.

Comments
  • name should be a domain with at least three segments separated by dots

    This doesn't really make sense. Why does it matter what the name format is?

    If there's no reason for this, can I make a pull to remove this restriction?

    jspolicy-testing$ cat <<EOF | kubectl apply -f -
    apiVersion: policy.jspolicy.com/v1beta1
    kind: JsPolicy
    metadata:
      name: "deny-default"
    spec:
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
      scope: Namespaced
      javascript: |
        if (request.object.metadata.namespace === "default") {
          deny("Creation of resources within this namespace is not allowed!");
        }
    EOF
    Error from server (Forbidden): error when creating "STDIN": admission webhook "jspolicy.jspolicy.com" denied the request: metadata.name: Invalid value: "deny-default": should be a domain with at least three segments separated by dots
    
    opened by protosam 4
  • AKS - `jspolicy` pod retries validating webhook update

    After applying https://github.com/loft-sh/jspolicy/issues/26#issuecomment-992213595 on an AKS cluster, the jspolicy pod is full of the logs below, repeating continuously. Functionally everything is fine; what could be the issue?

    I1213 10:27:36.595144       1 loghelper.go:34] jspolicy-controller: Update validating webhook pod-policy.example.com-jhwl8
    I1213 10:27:36.617848       1 loghelper.go:34] jspolicy-controller: Update validating webhook pod-policy.example.com-jhwl8
    I1213 10:27:36.637093       1 loghelper.go:34] jspolicy-controller: Update validating webhook pod-policy.example.com-jhwl8
    I1213 10:27:36.660114       1 loghelper.go:34] jspolicy-controller: Update validating webhook pod-policy.example.com-jhwl8
    I1213 10:27:36.694569       1 loghelper.go:34] jspolicy-controller: Update validating webhook pod-policy.example.com-jhwl8
    I1213 10:27:36.746162       1 loghelper.go:34] jspolicy-controller: Update validating webhook pod-policy.example.com-jhwl8
    I1213 10:27:36.795385       1 loghelper.go:34] jspolicy-controller: Update validating webhook pod-policy.example.com-jhwl8
    

    These are ~20 log lines per second, so it looks like that many calls are made by the jspolicy pod per second.

    EKS and GKE don't have this issue.

    Log when deleting the jspolicy object:

    
    I1213 11:05:41.866732       1 loghelper.go:34] jspolicy-controller: Update validating webhook pod-policy.example.com-dkwjx
    E1213 11:05:41.886877       1 controller.go:302] controller-runtime: manager: reconciler group policy.jspolicy.com reconciler kind JsPolicy: controller: jspolicy: name pod-policy.example.com namespace : Reconciler error Operation cannot be fulfilled on jspolicies.policy.jspolicy.com "pod-policy.example.com": StorageError: invalid object, Code: 4, Key: /registry/policy.jspolicy.com/jspolicies/pod-policy.example.com, ResourceVersion: 0, AdditionalErrorMsg: Precondition failed: UID in precondition: 818d53ac-68d4-40a4-b9c6-3496f14d2e68, UID in object meta: 
    
    opened by infa-ddeore 3
  • reduce docker image size and use non-root user

    The loftsh/jspolicy image is around 1.2G; also, the jspolicy process runs as the root user, which would flag security concerns.

    1. Can the image size be reduced?
    2. I think the root user is used to listen on ports 80 and 443, but these can be higher ports (>1024) exposed on 80/443 via a Kubernetes service, so the root user isn't required.
    enhancement 
    opened by infa-ddeore 2
  • `warn` doesn't allow namespace deletion

    I have a policy to deny everything about namespace changes; this is just for testing, not a real use case.

    apiVersion: policy.jspolicy.com/v1beta1
    kind: JsPolicy
    metadata:
      name: "pod-policy.example.com"
    spec:
      operations: ["*"]
      resources: ["namespaces"]
      javascript: |
        // print will print a message to jsPolicies pod log
        print("Incoming request for: " + request.object.metadata?.name);
        print(request.object);
        warn("forbidden-annotation is not allowed");
    

    It works fine, but deleting a namespace gives a weird error instead of forbidden; also, it doesn't allow the delete.

    $ k delete ns dd
    Error from server: admission webhook "pod-policy.example.com" denied the request: Uncaught TypeError: Cannot read property 'metadata' of null
        at pod-policy.example.com:1:1594
        at pod-policy.example.com:1:1779
    
    question 
    opened by infa-ddeore 2
  • FEATURE REQUEST - jspolicy as a generic sidecar injector

    Will it be possible to use jspolicy as a sidecar injector?

    Use case: my cluster has 3 different types of sidecar injector pods running. Instead of running all 3 of these injectors, if jspolicy can mutate the deployment based on an annotation, then I would stop all 3 injector pods and use jspolicy for admission control as well as sidecar injection.

    There may be different sets of templates that jspolicy can refer to when injecting a sidecar.

    This would reduce running multiple injector/controller pods.

    question 
    opened by infa-ddeore 2
  • build(deps): bump cross-fetch from 3.1.4 to 3.1.5 in /docs

    Bumps cross-fetch from 3.1.4 to 3.1.5.

    Release notes

    Sourced from cross-fetch's releases.

    v3.1.5

    Full Changelog: https://github.com/lquixada/cross-fetch/compare/v3.1.4...v3.1.5

    Commits
    • c6089df chore(release): 3.1.5
    • a3b3a94 chore: updated node-fetch version to 2.6.7 (#124)
    • efed703 chore: updated node-fetch version to 2.6.5
    • 694ff77 refactor: removed ora from dependencies
    • efc5956 refactor: added .vscode to .gitignore
    • da605d5 refactor: renamed test/fetch/ to test/fetch-api/ and test/module/ to test/mod...
    • 0f0d51d chore: updated minor and patch versions of dev dependencies
    • c6e34ea refactor: removed sinon.js
    • f524a52 fix: yargs was incompatible with node 10
    • 7906fcf chore: updated dev dependencies
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript 
    opened by dependabot[bot] 1
  • build(deps): bump url-parse from 1.5.3 to 1.5.7 in /docs

    Bumps url-parse from 1.5.3 to 1.5.7.

    Commits
    • 8b3f5f2 1.5.7
    • ef45a13 [fix] Readd the empty userinfo to url.href (#226)
    • 88df234 [doc] Add soft deprecation notice
    • 78e9f2f [security] Fix nits
    • e6fa434 [security] Add credits for incorrect handling of userinfo vulnerability
    • 4c9fa23 1.5.6
    • 7b0b8a6 Merge pull request #223 from unshiftio/fix/at-sign-handling-in-userinfo
    • e4a5807 1.5.5
    • 193b44b [minor] Simplify whitespace regex
    • 319851b [fix] Remove CR, HT, and LF
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 1
  • Support PolicyReport CRD from the Kubernetes Policy WG

    PolicyReport and ClusterPolicyReport are CRDs created by the Kubernetes Policy WG (https://github.com/kubernetes-sigs/wg-policy-prototypes). The goal is to create a default schema for policy-related tools like Kyverno, Falco, kube-bench and other tools like jsPolicy. This makes it possible to create general tooling for these projects, like Policy Reporter.

    This PR adds these CRDs and creates them beside the existing JsPolicyViolations CRD. It creates one PolicyReport per namespace for all JsPolicies and one ClusterPolicyReport for all cluster-scoped violations.

    This makes it possible to use jsPolicy together with Policy Reporter and adds observability capabilities like integrations with Prometheus, Grafana Loki or the standalone Policy Reporter UI.

    (Screenshots: terminal, policy-reporter-ui, prometheus-metrics, grafana-loki)

    opened by fjogeleit 1
  • build(deps): bump eventsource from 1.1.0 to 1.1.1 in /docs

    Bumps eventsource from 1.1.0 to 1.1.1.

    Changelog

    Sourced from eventsource's changelog.

    1.1.1

    • Do not include authorization and cookie headers on redirect to different origin (#273 Espen Hovlandsdal)
    Commits

    dependencies javascript 
    opened by dependabot[bot] 0
  • build(deps): bump async from 2.6.3 to 2.6.4 in /docs

    Bumps async from 2.6.3 to 2.6.4.

    Changelog

    Sourced from async's changelog.

    v2.6.4

    • Fix potential prototype pollution exploit (#1828)
    Commits
    Maintainer changes

    This version was pushed to npm by hargasinski, a new releaser for async since your current version.


    dependencies javascript 
    opened by dependabot[bot] 0
  • build(deps): bump minimist from 1.2.5 to 1.2.6 in /examples/typescript-policy

    Bumps minimist from 1.2.5 to 1.2.6.

    Commits

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump jose from 2.0.5 to 2.0.6 in /examples/typescript-policy

    Bumps jose from 2.0.5 to 2.0.6.

    Release notes

    Sourced from jose's releases.

    v2.0.6

    Fixes

    • limit default PBES2 alg's computational expense (c1512be)
    Changelog

    Sourced from jose's changelog.

    2.0.6 (2022-09-01)

    Bug Fixes

    • limit default PBES2 alg's computational expense (c1512be)
    Commits

    dependencies javascript 
    opened by dependabot[bot] 0
  • Allow to parameterize the policies

    Do you have a plan for parameterizing the policies to avoid duplicated code?

    For example when I want to deny multiple namespaces I could write generic code that gets the namespace as a parameter and then create multiple JsPolicy files that reference the same JsPolicyBundle:

    apiVersion: policy.jspolicy.com/v1beta1
    kind: JsPolicy
    metadata:
      name: "deny-default-namespace.example.com"
    spec:
      bundle: "deny-namespace.example.com"
      operations: ["CREATE"]
      resources: ["*"]
      scope: Namespaced
      parameters:
         namespace: default
    
    apiVersion: policy.jspolicy.com/v1beta1
    kind: JsPolicy
    metadata:
      name: "deny-other-namespace.example.com"
    spec:
      bundle: "deny-namespace.example.com"
      operations: ["CREATE"]
      resources: ["*"]
      scope: Namespaced
      parameters:
         namespace: other
    
    opened by as42sl 0
  • [Snyk] Fix for 14 vulnerabilities

    This PR was automatically created by Snyk using the credentials of a real user.


    Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

    Changes included in this PR

    • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
      • docs/package.json
      • docs/yarn.lock

    Vulnerabilities that will be fixed

    With an upgrade:

    Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
    :---|:---|:---|:---|:---
    high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908 | No | Proof of Concept
    medium severity | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-BROWSERSLIST-1090194 | No | Proof of Concept
    medium severity | 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-CSSWHAT-1298035 | No | No Known Exploit
    medium severity | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905 | No | Proof of Concept
    medium severity | 601/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.6) | Prototype Pollution SNYK-JS-IMMER-1540542 | No | Proof of Concept
    high severity | 589/1000 (Why? Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-NORMALIZEURL-1296539 | No | No Known Exploit
    high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032 | No | Proof of Concept
    medium severity | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1090595 | No | Proof of Concept
    medium severity | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640 | No | Proof of Concept
    medium severity | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-PROMPTS-1729737 | No | Proof of Concept
    high severity | 619/1000 (Why? Has a fix available, CVSS 8.1) | Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506 | No | No Known Exploit
    medium severity | 551/1000 (Why? Recently disclosed, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-TERSER-2806366 | No | No Known Exploit
    high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-TRIM-1017038 | No | Proof of Concept
    medium severity | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835 | No | Proof of Concept

    (*) Note that the real score may have changed since the PR was raised.

    Check the changes in this PR to ensure they won't cause issues with your project.



    opened by LukasGentele 1
  • build(deps): bump terser from 5.7.0 to 5.14.2 in /examples/typescript-policy

    Bumps terser from 5.7.0 to 5.14.2.

    Changelog

    Sourced from terser's changelog.

    v5.14.2

    • Security fix for RegExps that should not be evaluated (regexp DDOS)
    • Source maps improvements (#1211)
    • Performance improvements in long property access evaluation (#1213)

    v5.14.1

    • keep_numbers option added to TypeScript defs (#1208)
    • Fixed parsing of nested template strings (#1204)

    v5.14.0

    • Switched to @jridgewell/source-map for sourcemap generation (#1190, #1181)
    • Fixed source maps with non-terminated segments (#1106)
    • Enabled typescript types to be imported from the package (#1194)
    • Extra DOM props have been added (#1191)
    • Delete the AST while generating code, as a means to save RAM

    v5.13.1

    • Removed self-assignments (varname=varname) (closes #1081)
    • Separated inlining code (for inlining things into references, or removing IIFEs)
    • Allow multiple identifiers with the same name in var destructuring (eg var { a, a } = x) (#1176)

    v5.13.0

    • All calls to eval() were removed (#1171, #1184)
    • source-map was updated to 0.8.0-beta.0 (#1164)
    • NavigatorUAData was added to domprops to avoid property mangling (#1166)

    v5.12.1

    • Fixed an issue with function definitions inside blocks (#1155)
    • Fixed parens of new in some situations (closes #1159)

    v5.12.0

    • TERSER_DEBUG_DIR environment variable
    • @copyright comments are now preserved with the comments="some" option (#1153)

    v5.11.0

    • Unicode code point escapes (\u{abcde}) are not emitted inside RegExp literals anymore (#1147)
    • acorn is now a regular dependency

    v5.10.0

    • Massive optimization to max_line_len (#1109)
    • Basic support for import assertions
    • Marked ES2022 Object.hasOwn as a pure function
    • Fix delete optional?.property
    • New CI/CD pipeline with github actions (#1057)

    ... (truncated)

    dependencies javascript 
    opened by dependabot[bot] 0
Releases(v0.2.1)
  • v0.2.1(Jul 5, 2022)

  • v0.2.0(Dec 21, 2021)

    !!! Breaking !!!

    Make sure you reapply the jsPolicy CRDs with the following command before upgrading:

    kubectl apply -f https://raw.githubusercontent.com/loft-sh/jspolicy/5211a03e9258d2f9917da3f4511af3af77fe441a/chart/crds/crds.yaml


    Changes

    • Decreased jsPolicy image size
    • jsPolicy now runs as a non-root user
    • jsPolicy can now bundle multiple policies in parallel
    • jsPolicy now applies changes to webhook configurations rather than overwriting them
    • jsPolicy now supports PolicyReport and ClusterPolicyReport, the CRDs defined by the Kubernetes Policy WG (https://github.com/kubernetes-sigs/wg-policy-prototypes). They are created alongside the existing JsPolicyViolations CRD: jsPolicy now creates one PolicyReport per namespace for all JsPolicies and one ClusterPolicyReport for all cluster-scoped violations (thanks @fjogeleit). This makes it possible to use jsPolicy together with Policy Reporter, which adds observability integrations such as Prometheus, Grafana Loki or the standalone Policy Reporter UI.
    • New imagePullSecrets value in the jsPolicy chart to define custom image pull secrets (thanks @infa-ddeore)
    • Refactored the jsPolicy controller to use conditions
    • Fixed an issue where jsPolicy would end up in a retry loop on AKS clusters
    • Changed the health probe port from 80 to 9080
    • Updated k8s dependencies to v1.23.0
    • Updated the V8 engine to 9.6.180.12
    Source code(tar.gz)
    Source code(zip)
  • v0.2.0-beta.4(Dec 20, 2021)

    !!! Breaking !!!

    Make sure you reapply the jsPolicy CRDs with the following command before upgrading:

    kubectl apply -f https://raw.githubusercontent.com/loft-sh/jspolicy/5211a03e9258d2f9917da3f4511af3af77fe441a/chart/crds/crds.yaml


    Changes

    • Decreased jsPolicy image size
    • jsPolicy now runs as a non-root user
    • jsPolicy can now bundle multiple policies in parallel
    • jsPolicy now applies changes to webhook configurations rather than overwriting them
    • jsPolicy now supports PolicyReport and ClusterPolicyReport, the CRDs defined by the Kubernetes Policy WG (https://github.com/kubernetes-sigs/wg-policy-prototypes). They are created alongside the existing JsPolicyViolations CRD: jsPolicy now creates one PolicyReport per namespace for all JsPolicies and one ClusterPolicyReport for all cluster-scoped violations (thanks @fjogeleit). This makes it possible to use jsPolicy together with Policy Reporter, which adds observability integrations such as Prometheus, Grafana Loki or the standalone Policy Reporter UI.
    • New imagePullSecrets value in the jsPolicy chart to define custom image pull secrets (thanks @infa-ddeore)
    • Refactored the jsPolicy controller to use conditions
    • Fixed an issue where jsPolicy would end up in a retry loop on AKS clusters
    • Changed the health probe port from 80 to 9080
    • Updated k8s dependencies to v1.23.0
    • Updated the V8 engine to 9.6.180.12
    Source code(tar.gz)
    Source code(zip)
  • v0.2.0-beta.3(Dec 20, 2021)

    !!! Breaking !!!

    Make sure you reapply the jsPolicy CRDs with the following command before upgrading:

    kubectl apply -f https://raw.githubusercontent.com/loft-sh/jspolicy/5211a03e9258d2f9917da3f4511af3af77fe441a/chart/crds/crds.yaml


    Changes

    • Decreased jsPolicy image size
    • jsPolicy now runs as a non-root user
    • jsPolicy can now bundle multiple policies in parallel
    • jsPolicy now applies changes to webhook configurations rather than overwriting them
    • jsPolicy now supports PolicyReport and ClusterPolicyReport, the CRDs defined by the Kubernetes Policy WG (https://github.com/kubernetes-sigs/wg-policy-prototypes). They are created alongside the existing JsPolicyViolations CRD: jsPolicy now creates one PolicyReport per namespace for all JsPolicies and one ClusterPolicyReport for all cluster-scoped violations (thanks @fjogeleit). This makes it possible to use jsPolicy together with Policy Reporter, which adds observability integrations such as Prometheus, Grafana Loki or the standalone Policy Reporter UI.
    • New imagePullSecrets value in the jsPolicy chart to define custom image pull secrets (thanks @infa-ddeore)
    • Refactored the jsPolicy controller to use conditions
    • Fixed an issue where jsPolicy would end up in a retry loop on AKS clusters
    • Updated k8s dependencies to v1.23.0
    • Updated the V8 engine to 9.6.180.12
    Source code(tar.gz)
    Source code(zip)
  • v0.2.0-beta.1(Dec 16, 2021)

    !!! Breaking !!!

    Make sure you reapply the jsPolicy CRDs with the following command before upgrading:

    kubectl apply -f https://raw.githubusercontent.com/loft-sh/jspolicy/5211a03e9258d2f9917da3f4511af3af77fe441a/chart/crds/crds.yaml


    Changes

    • jsPolicy now supports PolicyReport and ClusterPolicyReport, the CRDs defined by the Kubernetes Policy WG (https://github.com/kubernetes-sigs/wg-policy-prototypes). They are created alongside the existing JsPolicyViolations CRD: jsPolicy now creates one PolicyReport per namespace for all JsPolicies and one ClusterPolicyReport for all cluster-scoped violations (thanks @fjogeleit). This makes it possible to use jsPolicy together with Policy Reporter, which adds observability integrations such as Prometheus, Grafana Loki or the standalone Policy Reporter UI.
    • New imagePullSecrets value in the jsPolicy chart to define custom image pull secrets (thanks @infa-ddeore)
    • Refactored the jsPolicy controller to use conditions
    • Fixed an issue where jsPolicy would end up in a retry loop on AKS clusters
    • Updated k8s dependencies to v1.23.0
    Source code(tar.gz)
    Source code(zip)
  • v0.2.0-beta.0(Dec 16, 2021)

    !!! Breaking !!!

    Make sure you reapply the jsPolicy CRDs with the following command before upgrading:

    kubectl apply -f https://raw.githubusercontent.com/loft-sh/jspolicy/5211a03e9258d2f9917da3f4511af3af77fe441a/chart/crds/crds.yaml


    Changes

    • jsPolicy now supports PolicyReport and ClusterPolicyReport, the CRDs defined by the Kubernetes Policy WG (https://github.com/kubernetes-sigs/wg-policy-prototypes). They are created alongside the existing JsPolicyViolations CRD: jsPolicy now creates one PolicyReport per namespace for all JsPolicies and one ClusterPolicyReport for all cluster-scoped violations (thanks @fjogeleit). This makes it possible to use jsPolicy together with Policy Reporter, which adds observability integrations such as Prometheus, Grafana Loki or the standalone Policy Reporter UI.
    • New imagePullSecrets value in the jsPolicy chart to define custom image pull secrets (thanks @infa-ddeore)
    • Refactored the jsPolicy controller to use conditions
    • Fixed an issue where jsPolicy would end up in a retry loop on AKS clusters
    • Updated k8s dependencies to v1.23.0
    Source code(tar.gz)
    Source code(zip)
  • v0.1.1(May 14, 2021)

    jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

    • Lightning Fast & Secure Policy Execution - jsPolicy runs policies with Google's super fast V8 JavaScript engine in a pool of pre-heated sandbox environments. Most policies do not even take a single millisecond to execute
    • Great Language For Policies - JavaScript is made for handling and manipulating JSON objects (short for: JavaScript Object Notation!) and Kubernetes uses JSON by converting your YAML to JSON during every API request
    • 3 Policy Types for anything you need:
      • Validating Policies - Request validation that is as easy as calling allow(), deny("This is not allowed"), or warn("We'll let this one slip, but upgrade to the new ingress controller")
      • Mutating Policies - Simple mutations of the kubectl request payload via mutate(modifiedObj)
      • Controller Policies - Run custom JavaScript controllers that react to any changes to the objects in your cluster (controller policies are reactive, so they are not webhooks and part of a Kubernetes API server request but instead react to Events in your cluster after they have happened). With controller policies you can write resource sync mechanisms, enforce objects in namespaces, garbage collectors or fully functional CRD controllers
    • Simple yet Powerful - Create a functional webhook with a single line of JavaScript or write your own full-blown custom StatefulSet controller in TypeScript with jsPolicy. There are no limits and the possibilities are endless
    • Easy Cluster Access - Control cluster state with built-in functions such as get("Pod", "v1", "my-namespace/my-pod"), list("Namespace", "v1"), create(limitRange), update(mySecret) or remove(configMap)
    • Focus on Policy Logic - Jump right in and focus only on writing your own policy logic, or simply reuse existing policies. Let jsPolicy do the rest and stop worrying about high availability, performance tuning, auditing, certificate management, webhook registration, Prometheus metrics, shared resource caches, controller boilerplate, dynamic policy management and so on
    • Turing Complete Policy Language - Use loops, Promises, generator functions, ? operators, TypeScript Type-Safe practices, hot reloaders, linting, test frameworks and all other modern JS language features and development best practices for writing clean and easy to maintain policy code
    • Huge Ecosystem of Libraries - Use any CommonJS JavaScript or TypeScript library from npmjs or from your private registry
    • Easy Policy Sharing & Reuse - Share entire policies or reusable functions via npmjs or via your private registry
    • Efficient Policy Development - Use any of the dev tools available in JavaScript or TypeScript for a highly efficient workflow
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0(May 6, 2021)

    jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

    • Lightning Fast & Secure Policy Execution - jsPolicy runs policies with Google's super fast V8 JavaScript engine in a pool of pre-heated sandbox environments. Most policies do not even take a single millisecond to execute
    • Great Language For Policies - JavaScript is made for handling and manipulating JSON objects (short for: JavaScript Object Notation!) and Kubernetes uses JSON by converting your YAML to JSON during every API request
    • 3 Policy Types for anything you need:
      • Validating Policies - Request validation that is as easy as calling allow(), deny("This is not allowed"), or warn("We'll let this one slip, but upgrade to the new ingress controller")
      • Mutating Policies - Simple mutations of the kubectl request payload via mutate(modifiedObj)
      • Controller Policies - Run custom JavaScript controllers that react to any changes to the objects in your cluster (controller policies are reactive, so they are not webhooks and part of a Kubernetes API server request but instead react to Events in your cluster after they have happened). With controller policies you can write resource sync mechanisms, enforce objects in namespaces, garbage collectors or fully functional CRD controllers
    • Simple yet Powerful - Create a functional webhook with a single line of JavaScript or write your own full-blown custom StatefulSet controller in TypeScript with jsPolicy. There are no limits and the possibilities are endless
    • Easy Cluster Access - Control cluster state with built-in functions such as get("Pod", "v1", "my-namespace/my-pod"), list("Namespace", "v1"), create(limitRange), update(mySecret) or remove(configMap)
    • Focus on Policy Logic - Jump right in and focus only on writing your own policy logic, or simply reuse existing policies. Let jsPolicy do the rest and stop worrying about high availability, performance tuning, auditing, certificate management, webhook registration, Prometheus metrics, shared resource caches, controller boilerplate, dynamic policy management and so on
    • Turing Complete Policy Language - Use loops, Promises, generator functions, ? operators, TypeScript Type-Safe practices, hot reloaders, linting, test frameworks and all other modern JS language features and development best practices for writing clean and easy to maintain policy code
    • Huge Ecosystem of Libraries - Use any CommonJS JavaScript or TypeScript library from npmjs or from your private registry
    • Easy Policy Sharing & Reuse - Share entire policies or reusable functions via npmjs or via your private registry
    • Efficient Policy Development - Use any of the dev tools available in JavaScript or TypeScript for a highly efficient workflow
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.0(May 6, 2021)

Owner
Loft Labs
Superpowers for your Kubernetes clusters