Luckily Kyverno is also able to generate objects, like secrets. So the following policy is going to clone the secret under the default namespace to any newly created namespace.
This blog post is about an experiment to automate creation of Kubernetes Network Policies based on actual network traffic captured from applications running on a Kubernetes cluster.
This repository provides a security policies library that is used for securing Kubernetes cluster configurations. The security policies are created based on the CIS Kubernetes benchmark and the rules defined in Kubesec.io. The policies are written in Rego, a high-level declarative language that is purpose-built for expressing policies over complex hierarchical data structures. For detailed information on Rego, see the Policy Language documentation.
Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure that is both secure and cost-optimized. It consolidates the many ad hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
Kyverno is a policy engine built for Kubernetes: policies as Kubernetes resources (no new language to learn!), validate, mutate, or generate any resource, match resources using label selectors and wildcards, validate and mutate using overlays (like Kustomize!), generate and synchronize defaults across namespaces, block or report violations, test using kubectl.
K8s webhook handling profiles for tolerations, nodeSelector and nodeAffinity
Blog posts written by engineers at Plex Systems
Konstraint is a CLI tool to assist with the creation and management of constraints when using Gatekeeper.
Cloud native software supply chain ☁️🔗 (liatrio/rode on GitHub).
Contains a valid OPA unit-testing environment (k8spin/opa-k8s-development on GitHub).
conftest is a utility to help you write tests against structured configuration data. For instance, you could write tests for your Kubernetes configurations, Tekton pipeline definitions, Terraform code, Serverless configs, or any other structured data.
Kyverno is a policy engine designed for Kubernetes.
Kubernetes supports declarative management of objects using configurations written in YAML or JSON. Often, parts of the configuration will need to vary based on the runtime environment. For portability, and for separation of concerns, it is best to maintain environment-specific configurations separately from workload configurations.
A tool for scanning a Kubernetes cluster for risky permissions in the Kubernetes Role-based access control (RBAC) authorization model.
Kubernetes allows decoupling complex logic such as policy decisions from the inner workings of the API server by means of "admission controllers". Admission control is custom logic executed by a webhook. Kubernetes policy controller is a mutating and validating webhook that gets called for matching Kubernetes API server requests by the admission controller. It uses Open Policy Agent (OPA), a policy engine for cloud native environments hosted by the CNCF as a sandbox-level project.