jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

Related tags

jspolicy
Overview

WebsiteGetting Started GuideDocumentationBlogTwitterSlack

Latest Release License: Apache-2.0

jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

  • Lightning Fast & Secure Policy Execution - jsPolicy runs policies with Google's super fast V8 JavaScript engine in a pool of pre-heated sandbox environments. Most policies do not even take a single millisecond to execute
  • Great Language For Policies - JavaScript is made for handling and manipulating JSON objects (short for: JavaScript Object Notation!) and Kubernetes uses JSON by converting your YAML to JSON during every API request
  • 3 Policy Types for anything you need:
    • Validating Policies - Request validation that is as easy as calling allow(), deny("This is not allowed"), or warn("We'll let this one slip, but upgrade to the new ingress controller")
    • Mutating Policies - Simple mutations of the kubectl request payload via mutate(modifiedObj)
    • Controller Policies - Run custom JavaScript controllers that react to any changes to the objects in your cluster (controller policies are reactive, so they are not webhooks and part of a Kubernetes API server request but instead react to Events in your cluster after they have happened). With controller policies you can write resource sync mechanisms, enforce objects in namespaces, garbage collectors or fully functional CRD controllers
  • Simple yet Powerful - Create a functional webhook with a single line of JavaScript or write your own fully blown custom StatefulSet controller in TypeScript with jsPolicy. There are no limits and the possibilities are endless
  • Easy Cluster Access - Control cluster state with built-in functions such as get("Pod", "v1", "my-namespace/my-pod"), list("Namespace", "v1"), create(limitRange), update(mySecret) or remove(configMap)
  • Focus on Policy Logic - Jump right in and only focus on writing your own policy logic or simply reuse existing policies. Let jsPolicy do the rest and don't worry about high-availability, performance tuning, auditing, certificate management, webhook registration, prometheus metrics, shared resource caches, controller boilerplate, dynamic policy management etc. anymore
  • Turing Complete Policy Language - Use loops, Promises, generator functions, ? operators, TypeScript Type-Safe practices, hot reloaders, linting, test frameworks and all other modern JS language features and development best practices for writing clean and easy to maintain policy code
  • Huge Ecosystem of Libraries - Use any CommonJS JavaScript or TypeScript library from npmjs or from your private registry
  • Easy Policy Sharing & Reuse - Share entire policies or reusable functions via npmjs or via your private registry
  • Efficient Policy Development - Use any of the dev tools available in JavaScript or TypeScript for a highly efficient workflow

Learn more on www.jspolicy.com.

Join us on Slack!


Architecture

jsPolicy Architecture

jsPolicy Compatibility

Learn more in the documentation.


⭐️ Do you like jsPolicy? Support the project with a star ⭐️


Quick Start

To learn more about jspolicy, open the full getting started guide.

1. Install jsPolicy

Install jsPolicy to your Kubernetes cluster via Helm v3:

helm install jspolicy jspolicy -n jspolicy --create-namespace --repo https://charts.loft.sh

2. Create a Policy

Create the file policy.yaml:

# policy.yaml
apiVersion: policy.jspolicy.com/v1beta1
kind: JsPolicy
metadata:
  name: "deny-default-namespace.company.tld"
spec:
  operations: ["CREATE"]
  resources: ["*"]
  scope: Namespaced
  javascript: |
    if (request.namespace === "default") {
      deny("Creation of resources within the default namespace is not allowed!");
    }

3. Apply The Policy

Apply the policy in your cluster:

kubectl apply -f policy.yaml

4. See Policy In Action

kubectl create deployment nginx-deployment -n default --image=nginx


This project is open-source and licensed under Apache 2.0, so you can use it in any private or commercial projects.

Issues
  • name should be a domain with at least three segments separated by dots

    name should be a domain with at least three segments separated by dots

    This doesn't really make sense. Why does it matter what the name format is?

    If there's no reason for this, can I make a pull to remove this restriction?

    jspolicy-testing$ cat <<EOF | kubectl apply -f -
    apiVersion: policy.jspolicy.com/v1beta1
    kind: JsPolicy
    metadata:
      name: "deny-default"
    spec:
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
      scope: Namespaced
      javascript: |
        if (request.object.metadata.namespace === "default") {
          deny("Creation of resources within this namespace is not allowed!");
        }
    EOF
    Error from server (Forbidden): error when creating "STDIN": admission webhook "jspolicy.jspolicy.com" denied the request: metadata.name: Invalid value: "deny-default": should be a domain with at least three segments separated by dots
    
    opened by protosam 4
  • added policies to the helm chart so they are created on deploy

    added policies to the helm chart so they are created on deploy

    It would be nice if the chart created policies for us as well. Added policies.yaml to the chart templates do just that.

    opened by oliverisaac 1
  • Support PolicyReport CRD from the Kubernetes Policy WG

    Support PolicyReport CRD from the Kubernetes Policy WG

    PolicyReport and ClusterPolicyReport are CRDs created by the Kubernetes Policy WG (https://github.com/kubernetes-sigs/wg-policy-prototypes). The goal is to create a default Schema for Policy related tools like Kyverno, Falco, Kube Bench and other tools like JsPolicy. This makes it possible to create generell Tooling for this Projects like Policy Reporter.

    This PR adds this CRDs and create them besides the existing JsPolicyViolations CRD. It creates one PolicyReport per Namespace for all JsPolices and one ClusterPolicyReport for all Cluster scoped violations.

    This makes it possible to use JsPolicy together with Policy Reporter and creates observability capabilities like integrations in Prometheus, Grafana Loki or the standalone Policy Reporter UI

    terminal

    policy-reporter-ui

    prometheus-metrics

    grafana-loki

    opened by fjogeleit 1
  • build(deps): bump ws from 6.2.1 to 6.2.2 in /docs

    build(deps): bump ws from 6.2.1 to 6.2.2 in /docs

    Bumps ws from 6.2.1 to 6.2.2.

    Release notes

    Sourced from ws's releases.

    6.2.2

    Bug fixes

    • Backported 00c425ec to the 6.x release line (78c676d2).
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • [Snyk] Security upgrade ubuntu from trusty to trusty-20190425

    [Snyk] Security upgrade ubuntu from trusty to trusty-20190425

    Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

    Changes included in this PR

    • vendor/golang.org/x/net/http2/Dockerfile

    We recommend upgrading to ubuntu:trusty-20190425, as this image has only 136 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

    Some of the most important vulnerabilities in your base image include:

    | Severity | Priority Score / 1000 | Issue | Exploit Maturity | | :------: | :-------------------- | :---- | :--------------- | | high severity | 614 | NULL Pointer Dereference
    SNYK-UBUNTU1404-OPENSSL-1049144 | No Known Exploit | | high severity | 811 | Off-by-one Error
    SNYK-UBUNTU1404-SUDO-1065770 | Mature | | medium severity | 514 | Arbitrary Command Injection
    SNYK-UBUNTU1404-SUDO-406981 | No Known Exploit | | medium severity | 686 | Improper Handling of Exceptional Conditions
    SNYK-UBUNTU1404-SUDO-473059 | Mature | | low severity | 536 | Out-of-bounds Write
    SNYK-UBUNTU1404-SUDO-546522 | Mature |


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings

    opened by snyk-bot 0
  • build(deps): bump prismjs from 1.24.1 to 1.25.0 in /docs

    build(deps): bump prismjs from 1.24.1 to 1.25.0 in /docs

    Bumps prismjs from 1.24.1 to 1.25.0.

    Release notes

    Sourced from prismjs's releases.

    v1.25.0

    Release 1.25.0

    Changelog

    Sourced from prismjs's changelog.

    1.25.0 (2021-09-16)

    New components

    Updated components

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump axios from 0.21.1 to 0.21.4 in /docs

    build(deps): bump axios from 0.21.1 to 0.21.4 in /docs

    Bumps axios from 0.21.1 to 0.21.4.

    Release notes

    Sourced from axios's releases.

    v0.21.4

    0.21.4 (September 6, 2021)

    Fixes and Functionality:

    • Fixing JSON transform when data is stringified. Providing backward compatibility and complying to the JSON RFC standard (#4020)

    Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

    v0.21.3

    0.21.3 (September 4, 2021)

    Fixes and Functionality:

    • Fixing response interceptor not being called when request interceptor is attached (#4013)

    Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

    v0.21.2

    0.21.2 (September 4, 2021)

    Fixes and Functionality:

    • Updating axios requests to be delayed by pre-emptive promise creation (#2702)
    • Adding "synchronous" and "runWhen" options to interceptors api (#2702)
    • Updating of transformResponse (#3377)
    • Adding ability to omit User-Agent header (#3703)
    • Adding multiple JSON improvements (#3688, #3763)
    • Fixing quadratic runtime and extra memory usage when setting a maxContentLength (#3738)
    • Adding parseInt to config.timeout (#3781)
    • Adding custom return type support to interceptor (#3783)
    • Adding security fix for ReDoS vulnerability (#3980)

    Internal and Tests:

    • Updating build dev dependancies (#3401)
    • Fixing builds running on Travis CI (#3538)
    • Updating follow rediect version (#3694, #3771)
    • Updating karma sauce launcher to fix failing sauce tests (#3712, #3717)
    • Updating content-type header for application/json to not contain charset field, according do RFC 8259 (#2154)
    • Fixing tests by bumping karma-sauce-launcher version (#3813)
    • Changing testing process from Travis CI to GitHub Actions (#3938)

    Documentation:

    ... (truncated)

    Changelog

    Sourced from axios's changelog.

    0.21.4 (September 6, 2021)

    Fixes and Functionality:

    • Fixing JSON transform when data is stringified. Providing backward compatability and complying to the JSON RFC standard (#4020)

    Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

    0.21.3 (September 4, 2021)

    Fixes and Functionality:

    • Fixing response interceptor not being called when request interceptor is attached (#4013)

    Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

    0.21.2 (September 4, 2021)

    Fixes and Functionality:

    • Updating axios requests to be delayed by pre-emptive promise creation (#2702)
    • Adding "synchronous" and "runWhen" options to interceptors api (#2702)
    • Updating of transformResponse (#3377)
    • Adding ability to omit User-Agent header (#3703)
    • Adding multiple JSON improvements (#3688, #3763)
    • Fixing quadratic runtime and extra memory usage when setting a maxContentLength (#3738)
    • Adding parseInt to config.timeout (#3781)
    • Adding custom return type support to interceptor (#3783)
    • Adding security fix for ReDoS vulnerability (#3980)

    Internal and Tests:

    • Updating build dev dependancies (#3401)
    • Fixing builds running on Travis CI (#3538)
    • Updating follow rediect version (#3694, #3771)
    • Updating karma sauce launcher to fix failing sauce tests (#3712, #3717)
    • Updating content-type header for application/json to not contain charset field, according do RFC 8259 (#2154)
    • Fixing tests by bumping karma-sauce-launcher version (#3813)
    • Changing testing process from Travis CI to GitHub Actions (#3938)

    Documentation:

    • Updating documentation around the use of AUTH_TOKEN with multiple domain endpoints (#3539)
    • Remove duplication of item in changelog (#3523)

    ... (truncated)

    Commits
    • 66c4602 Merge branch 'master' into release/0.21.4
    • fc15665 [Releasing] v0.21.4
    • c2714f0 [Updating] incorrect JSON syntax in README.md
    • 0fc7248 fix json transform when data is pre-stringified (#4020)
    • 90205f8 Change headers type to string record (#3021)
    • 92b29d2 Make the default type of response data never (#3002)
    • 4eeb3b1 Improved type-safety for AxiosRequestConfig (#2995)
    • cd7ff04 Adding HTTP status code to error.toJSON (#2956)
    • b5a1a67 Adding nodejs http.request option: insecureHTTPParser (#2930)
    • 4f25380 Exposing the Axios constructor in index.d.ts (#2872)
    • Additional commits viewable in compare view
    Maintainer changes

    This version was pushed to npm by jasonsaayman, a new releaser for axios since your current version.


    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump tar from 6.1.5 to 6.1.11 in /docs

    build(deps): bump tar from 6.1.5 to 6.1.11 in /docs

    Bumps tar from 6.1.5 to 6.1.11.

    Commits
    • e573aee 6.1.11
    • edb8e9a fix: perf regression on hot string munging path
    • a9d9b05 chore(test): Avoid spurious failures packing node_modules/.cache
    • 24b8bda fix(test): use posix path for testing path reservations
    • e5a223c fix(test): make unpack test pass on case-sensitive fs
    • 188badd 6.1.10
    • 23312ce drop dirCache for symlink on all platforms
    • 4f1f4a2 6.1.9
    • 875a37e fix: prevent path escape using drive-relative paths
    • b6162c7 fix: reserve paths properly for unicode, windows
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump url-parse from 1.5.1 to 1.5.3 in /docs

    build(deps): bump url-parse from 1.5.1 to 1.5.3 in /docs

    Bumps url-parse from 1.5.1 to 1.5.3.

    Commits
    • ad44493 [dist] 1.5.3
    • c798461 [fix] Fix host parsing for file URLs (#210)
    • 201034b [dist] 1.5.2
    • 2d9ac2c [fix] Sanitize only special URLs (#209)
    • fb128af [fix] Use 'null' as origin for non special URLs
    • fed6d9e [fix] Add a leading slash only if the URL is special
    • 94872e7 [fix] Do not incorrectly set the slashes property to true
    • 81ab967 [fix] Ignore slashes after the protocol for special URLs
    • ee22050 [ci] Use GitHub Actions
    • d2979b5 [fix] Special case the file: protocol (#204)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump path-parse from 1.0.6 to 1.0.7 in /docs

    build(deps): bump path-parse from 1.0.6 to 1.0.7 in /docs

    Bumps path-parse from 1.0.6 to 1.0.7.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
Releases(v0.1.1)
  • v0.1.1(May 14, 2021)

    jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

    • Lightning Fast & Secure Policy Execution - jsPolicy runs policies with Google's super fast V8 JavaScript engine in a pool of pre-heated sandbox environments. Most policies do not even take a single millisecond to execute
    • Great Language For Policies - JavaScript is made for handling and manipulating JSON objects (short for: JavaScript Object Notation!) and Kubernetes uses JSON by converting your YAML to JSON during every API request
    • 3 Policy Types for anything you need:
      • Validating Policies - Request validation that is as easy as calling allow(), deny("This is not allowed"), or warn("We'll let this one slip, but upgrade to the new ingress controller")
      • Mutating Policies - Simple mutations of the kubectl request payload via mutate(modifiedObj)
      • Controller Policies - Run custom JavaScript controllers that react to any changes to the objects in your cluster (controller policies are reactive, so they are not webhooks and part of a Kubernetes API server request but instead react to Events in your cluster after they have happened). With controller policies you can write resource sync mechanisms, enforce objects in namespaces, garbage collectors or fully functional CRD controllers
    • Simple yet Powerful - Create a functional webhook with a single line of JavaScript or write your own fully blown custom StatefulSet controller in TypeScript with jsPolicy. There are no limits and the possibilities are endless
    • Easy Cluster Access - Control cluster state with built-in functions such as get("Pod", "v1", "my-namespace/my-pod"), list("Namespace", "v1"), create(limitRange), update(mySecret) or remove(configMap)
    • Focus on Policy Logic - Jump right in and only focus on writing your own policy logic or simply reuse existing policies. Let jsPolicy do the rest and don't worry about high-availability, performance tuning, auditing, certificate management, webhook registration, prometheus metrics, shared resource caches, controller boilerplate, dynamic policy management etc. anymore
    • Turing Complete Policy Language - Use loops, Promises, generator functions, ? operators, TypeScript Type-Safe practices, hot reloaders, linting, test frameworks and all other modern JS language features and development best practices for writing clean and easy to maintain policy code
    • Huge Ecosystem of Libraries - Use any CommonJS JavaScript or TypeScript library from npmjs or from your private registry
    • Easy Policy Sharing & Reuse - Share entire policies or reusable functions via npmjs or via your private registry
    • Efficient Policy Development - Use any of the dev tools available in JavaScript or TypeScript for a highly efficient workflow
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0(May 6, 2021)

    jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

    • Lightning Fast & Secure Policy Execution - jsPolicy runs policies with Google's super fast V8 JavaScript engine in a pool of pre-heated sandbox environments. Most policies do not even take a single millisecond to execute
    • Great Language For Policies - JavaScript is made for handling and manipulating JSON objects (short for: JavaScript Object Notation!) and Kubernetes uses JSON by converting your YAML to JSON during every API request
    • 3 Policy Types for anything you need:
      • Validating Policies - Request validation that is as easy as calling allow(), deny("This is not allowed"), or warn("We'll let this one slip, but upgrade to the new ingress controller")
      • Mutating Policies - Simple mutations of the kubectl request payload via mutate(modifiedObj)
      • Controller Policies - Run custom JavaScript controllers that react to any changes to the objects in your cluster (controller policies are reactive, so they are not webhooks and part of a Kubernetes API server request but instead react to Events in your cluster after they have happened). With controller policies you can write resource sync mechanisms, enforce objects in namespaces, garbage collectors or fully functional CRD controllers
    • Simple yet Powerful - Create a functional webhook with a single line of JavaScript or write your own fully blown custom StatefulSet controller in TypeScript with jsPolicy. There are no limits and the possibilities are endless
    • Easy Cluster Access - Control cluster state with built-in functions such as get("Pod", "v1", "my-namespace/my-pod"), list("Namespace", "v1"), create(limitRange), update(mySecret) or remove(configMap)
    • Focus on Policy Logic - Jump right in and only focus on writing your own policy logic or simply reuse existing policies. Let jsPolicy do the rest and don't worry about high-availability, performance tuning, auditing, certificate management, webhook registration, prometheus metrics, shared resource caches, controller boilerplate, dynamic policy management etc. anymore
    • Turing Complete Policy Language - Use loops, Promises, generator functions, ? operators, TypeScript Type-Safe practices, hot reloaders, linting, test frameworks and all other modern JS language features and development best practices for writing clean and easy to maintain policy code
    • Huge Ecosystem of Libraries - Use any CommonJS JavaScript or TypeScript library from npmjs or from your private registry
    • Easy Policy Sharing & Reuse - Share entire policies or reusable functions via npmjs or via your private registry
    • Efficient Policy Development - Use any of the dev tools available in JavaScript or TypeScript for a highly efficient workflow
    Source code(tar.gz)
    Source code(zip)
  • v0.1.0-beta.0(May 6, 2021)

Owner
Loft Labs
Superpowers for your Kubernetes clusters
Loft Labs
A curated list of awesome Kubernetes tools and resources.

Awesome Kubernetes Resources A curated list of awesome Kubernetes tools and resources. Inspired by awesome list and donnemartin/awesome-aws. The Fiery

Tom Huang 913 Oct 23, 2021
An operator to support Haschicorp Vault configuration workflows from within Kubernetes

Vault Config Operator This operator helps set up Vault Configurations. The main intent is to do so such that subsequently pods can consume the secrets

Red Hat Communities of Practice 2 Oct 14, 2021
An operator to support Haschicorp Vault configuration workflows from within Kubernetes

Vault Config Operator This operator helps set up Vault Configurations. The main intent is to do so such that subsequently pods can consume the secrets

null 0 Oct 18, 2021
Kubedd – Check migration issues of Kubernetes Objects while K8s upgrade

Kubedd – Check migration issues of Kubernetes Objects while K8s upgrade

Devtron Labs 95 Oct 20, 2021
k6 is a modern load testing tool for developers and testers in the DevOps era.

k6 is a modern load testing tool, building on our years of experience in the load and performance testing industry. It provides a clean, approachable scripting API, local and cloud execution, and flexible configuration.

k6 14.2k Oct 21, 2021
Kubernetes Cluster API Provider AWS

Kubernetes Cluster API Provider AWS Kubernetes-native declarative infrastructure for AWS. What is the Cluster API Provider AWS The Cluster API brings

null 0 Oct 23, 2021
Simple Kubernetes real-time dashboard and management.

Skooner - Kubernetes Dashboard We are changing our name from k8dash to Skooner! Please bear with us as we update our documentation and codebase to ref

null 859 Oct 20, 2021
Enterprise-grade container platform tailored for multicloud and multi-cluster management

KubeSphere Container Platform What is KubeSphere English | 中文 KubeSphere is a distributed operating system providing cloud native stack with Kubernete

KubeSphere 7.1k Oct 21, 2021
Lightweight, CRD based envoy control plane for kubernetes

Lighweight, CRD based Envoy control plane for Kubernetes: Implemented as a Kubernetes Operator Deploy and manage an Envoy xDS server using the Discove

null 36 Oct 20, 2021
Production-Grade Container Scheduling and Management

Kubernetes (K8s) Kubernetes, also known as K8s, is an open source system for managing containerized applications across multiple hosts. It provides ba

Kubernetes 82.1k Oct 25, 2021
A Kubernetes operator to manage ThousandEyes tests

ThousandEyes Kubernetes Operator ThousandEyes Kubernetes Operator is a Kubernetes operator used to manage ThousandEyes Tests deployed via Kubernetes c

Cisco DevNet 26 Sep 28, 2021
Kubernetes IN Docker - local clusters for testing Kubernetes

kind is a tool for running local Kubernetes clusters using Docker container "nodes".

Kubernetes SIGs 8.6k Oct 15, 2021
Lightweight Kubernetes

K3s - Lightweight Kubernetes Lightweight Kubernetes. Production ready, easy to install, half the memory, all in a binary less than 100 MB. Great for:

null 18.2k Oct 22, 2021
A web-based simulator for the Kubernetes scheduler

Web-based Kubernetes scheduler simulator Hello world. Here is web-based Kubernetes scheduler simulator. On the simulator, you can create/edit/delete t

Kubernetes SIGs 57 Oct 15, 2021
Collect data about your dependencies

Collect data about your dependencies Features and Data Sources: Go modules, runs tests, detects tests and benchmarks Flexible rendering with Graphviz,

Nikolay Dubina 35 Jul 23, 2021
KinK is a helper CLI that facilitates to manage KinD clusters as Kubernetes pods. Designed to ease clusters up for fast testing with batteries included in mind.

kink A helper CLI that facilitates to manage KinD clusters as Kubernetes pods. Table of Contents kink (KinD in Kubernetes) Introduction How it works ?

Trendyol Open Source 298 Oct 16, 2021
Managing your Kubernetes clusters (including public, private, edge, etc) as easily as visiting the Internet

Clusternet Managing Your Clusters (including public, private, hybrid, edge, etc) as easily as Visiting the Internet. Clusternet (Cluster Internet) is

Clusternet 235 Oct 13, 2021
Golang Integration Testing Framework For Kong Kubernetes APIs and Controllers.

Kong Kubernetes Testing Framework (KTF) Testing framework used by the Kong Kubernetes Team for the Kong Kubernetes Ingress Controller (KIC). Requireme

Kong 11 Oct 18, 2021
Hardening a sketchy containerized application one step at a time

Road to Secure Kubernetes Hardening a containerized application one step at a time This repository hosts a tutorial on security hardening a containeri

Nathan Smith 30 Oct 22, 2021