Litmus helps Kubernetes SREs and developers practice chaos engineering in a Kubernetes native way.
Litmus is a toolset to do cloud-native chaos engineering. Litmus provides tools to orchestrate chaos on #k8s to help SREs find weaknesses in their deployments. SREs use Litmus to run chaos experiments initially in the staging environment and eventually in production to find bugs, vulnerabilities. Fixing the weaknesses leads to increased resilience of the system.
Litmus takes a cloud-native approach to create, manage and monitor chaos. Chaos is orchestrated using the following Kubernetes Custom Resource Definitions (CRDs):
- ChaosEngine: A resource to link a Kubernetes application or Kubernetes node to a ChaosExperiment. ChaosEngine is watched by Litmus' Chaos-Operator which then invokes Chaos-Experiments
- ChaosExperiment: A resource to group the configuration parameters of a chaos experiment. ChaosExperiment CRs are created by the operator when experiments are invoked by ChaosEngine.
- ChaosResult: A resource to hold the results of a chaos-experiment. The Chaos-exporter reads the results and exports the metrics into a configured Prometheus server.
Chaos experiments are hosted on hub.litmuschaos.io. It is a central hub where the application developers or vendors share their chaos experiments so that their users can use them to increase the resilience of the applications in production.
https://github.com/litmuschaos/litmus
#docker #devops #ts #go
Litmus is a toolset to do cloud-native chaos engineering. Litmus provides tools to orchestrate chaos on #k8s to help SREs find weaknesses in their deployments. SREs use Litmus to run chaos experiments initially in the staging environment and eventually in production to find bugs, vulnerabilities. Fixing the weaknesses leads to increased resilience of the system.
Litmus takes a cloud-native approach to create, manage and monitor chaos. Chaos is orchestrated using the following Kubernetes Custom Resource Definitions (CRDs):
- ChaosEngine: A resource to link a Kubernetes application or Kubernetes node to a ChaosExperiment. ChaosEngine is watched by Litmus' Chaos-Operator which then invokes Chaos-Experiments
- ChaosExperiment: A resource to group the configuration parameters of a chaos experiment. ChaosExperiment CRs are created by the operator when experiments are invoked by ChaosEngine.
- ChaosResult: A resource to hold the results of a chaos-experiment. The Chaos-exporter reads the results and exports the metrics into a configured Prometheus server.
Chaos experiments are hosted on hub.litmuschaos.io. It is a central hub where the application developers or vendors share their chaos experiments so that their users can use them to increase the resilience of the applications in production.
https://github.com/litmuschaos/litmus
#docker #devops #ts #go
A temporary email right from your terminal.
tmpmail tmpmail is a command line utility that allows you to create a temporary email address and receive emails to the temporary email address. It uses 1secmail's API to receive the emails.
By default w3m is used to render the HTML emails on the terminal. But if you prefer another text based web browser or would rather view the email in a GUI web browser such as Firefox, simply use the --browser argument followed by the command needed to launch the web browser of your choice.
https://github.com/sdushantha/tmpmail
#shell #devops
tmpmail tmpmail is a command line utility that allows you to create a temporary email address and receive emails to the temporary email address. It uses 1secmail's API to receive the emails.
By default w3m is used to render the HTML emails on the terminal. But if you prefer another text based web browser or would rather view the email in a GUI web browser such as Firefox, simply use the --browser argument followed by the command needed to launch the web browser of your choice.
https://github.com/sdushantha/tmpmail
#shell #devops
SQL powered operating system instrumentation, monitoring, and analytics.
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:
https://osquery.io/
#cpp #devops
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:
DISTINCT processes.name, listening_ports.port, processes.pid
FROM listening_ports JOIN processes USING (pid)
WHERE listening_ports.address = '0.0.0.0';
https://osquery.io/
#cpp #devops
Automatic HTTPS for any #go program: fully-managed TLS certificate issuance and renewal.
Easy and Powerful TLS Automation. The same library used by the Caddy Web Server.
Caddy's automagic TLS features—now for your own Go programs—in one powerful and easy-to-use library! CertMagic is the most mature, robust, and capable ACME client integration for Go... and perhaps ever.
With CertMagic, you can add one line to your Go application to serve securely over TLS, without ever having to touch certificates.
That line of code will serve your HTTP router
Compared to other ACME client libraries for Go, only CertMagic supports the full suite of ACME features, and no other library matches CertMagic's maturity and reliability.
https://github.com/caddyserver/certmagic
#devops
Easy and Powerful TLS Automation. The same library used by the Caddy Web Server.
Caddy's automagic TLS features—now for your own Go programs—in one powerful and easy-to-use library! CertMagic is the most mature, robust, and capable ACME client integration for Go... and perhaps ever.
With CertMagic, you can add one line to your Go application to serve securely over TLS, without ever having to touch certificates.
certmagic.HTTPS([]string{"example.com"}, mux)That line of code will serve your HTTP router
mux over HTTPS, complete with HTTP->HTTPS redirects. It obtains and renews the TLS certificates. It staples OCSP responses for greater privacy and security. As long as your domain name points to your server, CertMagic will keep its connections secure.Compared to other ACME client libraries for Go, only CertMagic supports the full suite of ACME features, and no other library matches CertMagic's maturity and reliability.
https://github.com/caddyserver/certmagic
#devops
GitHub
GitHub - caddyserver/certmagic: Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal - caddyserver/certmagic
Disk Usage/Free Utility (Linux, BSD & macOS)
Features:
- User-friendly, colorful output
- Adjusts to your terminal's width
- Sort the results according to your needs
- Groups & filters devices
- Can conveniently output JSON
https://github.com/muesli/duf
#go #devops
Features:
- User-friendly, colorful output
- Adjusts to your terminal's width
- Sort the results according to your needs
- Groups & filters devices
- Can conveniently output JSON
https://github.com/muesli/duf
#go #devops
❤1
Build automation for the post-container era. It's like Makefile and Dockerfile had a baby.
Earthly is a build automation tool for the post-container era. It allows you to execute all your builds in containers. This makes them self-contained, reproducible, portable and parallel. You can use Earthly to create Docker images and artifacts (eg binaries, packages, arbitrary files).
Earthly is meant to be used both on your development machine and in CI. It can run on top of popular CI systems (like Jenkins, Circle, GitHub Actions). It is typically the layer between language-specific tooling (like maven, gradle, npm, pip, go build) and the CI build spec.
Features:
- Reproduce CI failures
- Builds that run the same for everyone
- From zero to working build in minutes
- Build anything via containers - build images or standalone artifacts (binaries, packages, arbitrary files)
- Programming language agnostic - allows use of language-specific build tooling
- Reproducible builds - does not depend on user's local installation. Runs the same locally, as in CI
- Parallelism that just works - builds in parallel without special considerations the user has to make
- Mono-repo friendly - ability to split the build definitions across a vast directory hierarchy
- Multi-repo friendly - ability to import builds or artifacts from other repositories
https://github.com/earthly/earthly
#docker #devops #go
Example:
Output:
Earthly is a build automation tool for the post-container era. It allows you to execute all your builds in containers. This makes them self-contained, reproducible, portable and parallel. You can use Earthly to create Docker images and artifacts (eg binaries, packages, arbitrary files).
Earthly is meant to be used both on your development machine and in CI. It can run on top of popular CI systems (like Jenkins, Circle, GitHub Actions). It is typically the layer between language-specific tooling (like maven, gradle, npm, pip, go build) and the CI build spec.
Features:
- Reproduce CI failures
- Builds that run the same for everyone
- From zero to working build in minutes
- Build anything via containers - build images or standalone artifacts (binaries, packages, arbitrary files)
- Programming language agnostic - allows use of language-specific build tooling
- Reproducible builds - does not depend on user's local installation. Runs the same locally, as in CI
- Parallelism that just works - builds in parallel without special considerations the user has to make
- Mono-repo friendly - ability to split the build definitions across a vast directory hierarchy
- Multi-repo friendly - ability to import builds or artifacts from other repositories
https://github.com/earthly/earthly
#docker #devops #go
Example:
# Earthfile
FROM golang:1.13-alpine3.11
RUN apk --update --no-cache add git
WORKDIR /go-example
all:
BUILD +lint
BUILD +docker
build:
COPY main.go .
RUN go build -o build/go-example main.go
SAVE ARTIFACT build/go-example AS LOCAL build/go-example
lint:
RUN go get golang.org/x/lint/golint
COPY main.go .
RUN golint -set_exit_status ./...
docker:
COPY +build/go-example .
ENTRYPOINT ["/go-example/go-example"]
SAVE IMAGE go-example:latest
Output:
concise commandline monitoring for containers.
Top-like interface for container metrics. ctop comes with built-in support for Docker and runC. As well as a single container view for inspecting a specific container.
Connectors for other container and cluster systems are planned for future releases.
https://github.com/bcicen/ctop
#go #devops #docker
Top-like interface for container metrics. ctop comes with built-in support for Docker and runC. As well as a single container view for inspecting a specific container.
Connectors for other container and cluster systems are planned for future releases.
https://github.com/bcicen/ctop
#go #devops #docker
Secure and fast microVMs for serverless computing.
Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.
Firecracker enables you to deploy workloads in lightweight virtual machines, called microVMs, which provide enhanced security and workload isolation over traditional VMs, while enabling the speed and resource efficiency of containers. Firecracker was developed at Amazon Web Services to improve the customer experience of services like AWS Lambda and AWS Fargate .
Firecracker is a virtual machine monitor (VMM) that uses the Linux Kernel-based Virtual Machine (KVM) to create and manage microVMs. Firecracker has a minimalist design. It excludes unnecessary devices and guest functionality to reduce the memory footprint and attack surface area of each microVM. This improves security, decreases the startup time, and increases hardware utilization. Firecracker currently supports Intel CPUs, with AMD and Arm support in developer preview.
Firecracker is integrated with Kata Containers , Open Nebula , UniK , Weave FireKube (via Weave Ignite ), and containerd via firecracker-containerd It's also used by fly.io . Firecracker can run Linux and OSv guests.
https://github.com/firecracker-microvm/firecracker
#rust #devops
Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.
Firecracker enables you to deploy workloads in lightweight virtual machines, called microVMs, which provide enhanced security and workload isolation over traditional VMs, while enabling the speed and resource efficiency of containers. Firecracker was developed at Amazon Web Services to improve the customer experience of services like AWS Lambda and AWS Fargate .
Firecracker is a virtual machine monitor (VMM) that uses the Linux Kernel-based Virtual Machine (KVM) to create and manage microVMs. Firecracker has a minimalist design. It excludes unnecessary devices and guest functionality to reduce the memory footprint and attack surface area of each microVM. This improves security, decreases the startup time, and increases hardware utilization. Firecracker currently supports Intel CPUs, with AMD and Arm support in developer preview.
Firecracker is integrated with Kata Containers , Open Nebula , UniK , Weave FireKube (via Weave Ignite ), and containerd via firecracker-containerd It's also used by fly.io . Firecracker can run Linux and OSv guests.
https://github.com/firecracker-microvm/firecracker
#rust #devops
Monorepo vs. polyrepo: architecture for source code management (SCM) version control systems (VCS)
Monorepo means using one repository that contains many projects, and polyrepo means using a repository per project. This page discusses the similarities and differences, and has advice and opinions on both.
https://github.com/joelparkerhenderson/monorepo_vs_polyrepo
#devops
Monorepo means using one repository that contains many projects, and polyrepo means using a repository per project. This page discusses the similarities and differences, and has advice and opinions on both.
https://github.com/joelparkerhenderson/monorepo_vs_polyrepo
#devops
An event-driven, portable runtime for building microservices on cloud and edge. Any language, any framework, anywhere.
Dapr is a portable, serverless, event-driven runtime that makes it easy for developers to build resilient, stateless and stateful microservices that run on the cloud and edge and embraces the diversity of languages and developer frameworks.
Dapr codifies the best practices for building microservice applications into open, independent, building blocks that enable you to build portable applications with the language and framework of your choice. Each building block is independent and you can use one, some, or all of them in your application.
Dapr injects a side-car (container or process) to each compute unit. The side-car interacts with event triggers and communicates with the compute unit via standard HTTP or gRPC protocols. This enables Dapr to support all existing and future programming languages without requiring you to import frameworks or libraries.
Dapr offers built-in state management, reliable messaging (at least once delivery), triggers and bindings through standard HTTP verbs or gRPC interfaces. This allows you to write stateless, stateful and actor-like services following the same programming paradigm. You can freely choose consistency model, threading model and message delivery patterns.
Dapr runs natively on Kubernetes, as a self hosted binary on your machine, on an IoT device, or as a container that can be injected into any system, in the cloud or on-premises.
Dapr uses pluggable component state stores and message buses such as Redis as well as gRPC to offer a wide range of communication methods, including direct dapr-to-dapr using gRPC and async Pub-Sub with guaranteed delivery and at-least-once semantics.
Features:
- Event-driven Pub-Sub system with pluggable providers and at-least-once semantics
- Input and output bindings with pluggable providers
- State management with pluggable data stores
- Consistent service-to-service discovery and invocation
- Opt-in stateful models: Strong/Eventual consistency, First-write/Last-write wins
- Cross platform virtual actors
- Secrets management to retrieve secrets from secure key vaults
- Rate limiting
- Built-in Observability support
- Runs natively on Kubernetes using a dedicated Operator and CRDs
- Supports all programming languages via HTTP and gRPC
- Multi-Cloud, open components (bindings, pub-sub, state) from Azure, AWS, GCP
- Runs anywhere, as a process or containerized
- Lightweight (58MB binary, 4MB physical memory)
- Runs as a sidecar - removes the need for special SDKs or libraries
- Dedicated CLI - developer friendly experience with easy debugging
- Clients for Java, .NET Core, Go, Javascript, Python, Rust and C++
https://dapr.io/
#devops #go #k8s
Dapr is a portable, serverless, event-driven runtime that makes it easy for developers to build resilient, stateless and stateful microservices that run on the cloud and edge and embraces the diversity of languages and developer frameworks.
Dapr codifies the best practices for building microservice applications into open, independent, building blocks that enable you to build portable applications with the language and framework of your choice. Each building block is independent and you can use one, some, or all of them in your application.
Dapr injects a side-car (container or process) to each compute unit. The side-car interacts with event triggers and communicates with the compute unit via standard HTTP or gRPC protocols. This enables Dapr to support all existing and future programming languages without requiring you to import frameworks or libraries.
Dapr offers built-in state management, reliable messaging (at least once delivery), triggers and bindings through standard HTTP verbs or gRPC interfaces. This allows you to write stateless, stateful and actor-like services following the same programming paradigm. You can freely choose consistency model, threading model and message delivery patterns.
Dapr runs natively on Kubernetes, as a self hosted binary on your machine, on an IoT device, or as a container that can be injected into any system, in the cloud or on-premises.
Dapr uses pluggable component state stores and message buses such as Redis as well as gRPC to offer a wide range of communication methods, including direct dapr-to-dapr using gRPC and async Pub-Sub with guaranteed delivery and at-least-once semantics.
Features:
- Event-driven Pub-Sub system with pluggable providers and at-least-once semantics
- Input and output bindings with pluggable providers
- State management with pluggable data stores
- Consistent service-to-service discovery and invocation
- Opt-in stateful models: Strong/Eventual consistency, First-write/Last-write wins
- Cross platform virtual actors
- Secrets management to retrieve secrets from secure key vaults
- Rate limiting
- Built-in Observability support
- Runs natively on Kubernetes using a dedicated Operator and CRDs
- Supports all programming languages via HTTP and gRPC
- Multi-Cloud, open components (bindings, pub-sub, state) from Azure, AWS, GCP
- Runs anywhere, as a process or containerized
- Lightweight (58MB binary, 4MB physical memory)
- Runs as a sidecar - removes the need for special SDKs or libraries
- Dedicated CLI - developer friendly experience with easy debugging
- Clients for Java, .NET Core, Go, Javascript, Python, Rust and C++
https://dapr.io/
#devops #go #k8s
Put your Nginx inside a bunker! nginx Docker image secure by default.
Avoid the hassle of following security best practices each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don't need to do it yourself.
Non-exhaustive list of features :
- HTTPS support with transparent Let's Encrypt automation
- State-of-the-art web security : HTTP security headers, php.ini hardening, prevent leaks, ...
- Integrated ModSecurity WAF with the OWASP Core Rule Set
- Automatic ban of strange behaviors with fail2ban
- Antibot challenge through cookie, javascript, captcha or recaptcha v3
- Block TOR, proxies, bad user-agents, countries, ...
- Perform automatic DNSBL checks to block known bad IP
- Prevent bruteforce attacks with rate limiting
- Detect bad files with ClamAV
- Easy to configure with environment variables
https://github.com/bunkerity/bunkerized-nginx
#devops #docker
Avoid the hassle of following security best practices each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don't need to do it yourself.
Non-exhaustive list of features :
- HTTPS support with transparent Let's Encrypt automation
- State-of-the-art web security : HTTP security headers, php.ini hardening, prevent leaks, ...
- Integrated ModSecurity WAF with the OWASP Core Rule Set
- Automatic ban of strange behaviors with fail2ban
- Antibot challenge through cookie, javascript, captcha or recaptcha v3
- Block TOR, proxies, bad user-agents, countries, ...
- Perform automatic DNSBL checks to block known bad IP
- Prevent bruteforce attacks with rate limiting
- Detect bad files with ClamAV
- Easy to configure with environment variables
https://github.com/bunkerity/bunkerized-nginx
#devops #docker
GitHub
GitHub - bunkerity/bunkerweb: 🛡️ Open-source and next-generation Web Application Firewall (WAF)
🛡️ Open-source and next-generation Web Application Firewall (WAF) - bunkerity/bunkerweb
Validate, define, and use dynamic and text-based data.
CUE is an open source language, with a rich set of APIs and tooling, for defining, generating, and validating all kinds of data: configuration, APIs, database schemas, code, … you name it.
Features:
- Data Validation. Validate text-based data files or programmatic data such as incoming RPCs or database documents.
- Configuration. Just add validation to existing data (CUE, YAML, JSON), reduce boilerplate in large-scale configurations, or both.
- Schema Definition. Define schema to communicate an API or standard and validate backwards compatibility.
- Generate Code and Schema. Keep validation code in sync across code bases, Protobuf definitions, and OpenAPI definitions.
- Scripting. Automate the use of your data without writing yet another tool.
- Querying. Find the locations of instances of CUE types and values in data. Coming soon.
https://cuelang.org/
#devops #go #noyaml
CUE is an open source language, with a rich set of APIs and tooling, for defining, generating, and validating all kinds of data: configuration, APIs, database schemas, code, … you name it.
Features:
- Data Validation. Validate text-based data files or programmatic data such as incoming RPCs or database documents.
- Configuration. Just add validation to existing data (CUE, YAML, JSON), reduce boilerplate in large-scale configurations, or both.
- Schema Definition. Define schema to communicate an API or standard and validate backwards compatibility.
- Generate Code and Schema. Keep validation code in sync across code bases, Protobuf definitions, and OpenAPI definitions.
- Scripting. Automate the use of your data without writing yet another tool.
- Querying. Find the locations of instances of CUE types and values in data. Coming soon.
https://cuelang.org/
#devops #go #noyaml
Gitkube is a tool for building and deploying Docker images on Kubernetes using
After a simple initial setup, users can simply keep git push-ing their repos to build and deploy to Kubernetes automatically.
Features:
- No dependencies except native tooling (git, kubectl)
- Plug and play installation
- Simple public key based authentication
- RBAC ready - Control access to git remotes using RBAC
- Support for namespace based multi-tenancy - Remotes can only deploy to their own namespace
- No assumptions about repository structure
https://github.com/hasura/gitkube
#go #devops #k8s
git push.After a simple initial setup, users can simply keep git push-ing their repos to build and deploy to Kubernetes automatically.
Features:
- No dependencies except native tooling (git, kubectl)
- Plug and play installation
- Simple public key based authentication
- RBAC ready - Control access to git remotes using RBAC
- Support for namespace based multi-tenancy - Remotes can only deploy to their own namespace
- No assumptions about repository structure
https://github.com/hasura/gitkube
#go #devops #k8s
Keel is a tool for automating Kubernetes deployment updates.
kubectl is the new SSH. If you are using it to update production workloads, you are doing it wrong. See examples on how to automate application updates.
Keel runs as a single container, scanning Kubernetes and Helm releases for outdated images. Policies and trigger types are specified in your application deployment files or Helm charts. Single command, no dependencies. No lock-in, no custom configuration files.
Comes with a web interface.
https://github.com/keel-hq/keel
#go #vue #devops #k8s
kubectl is the new SSH. If you are using it to update production workloads, you are doing it wrong. See examples on how to automate application updates.
Keel runs as a single container, scanning Kubernetes and Helm releases for outdated images. Policies and trigger types are specified in your application deployment files or Helm charts. Single command, no dependencies. No lock-in, no custom configuration files.
Comes with a web interface.
https://github.com/keel-hq/keel
#go #vue #devops #k8s
The smallest, fastest Kubernetes.
MicroK8s is a small, fast, single-package Kubernetes for developers, IoT and edge.
Single-package fully conformant lightweight Kubernetes that works on 42 flavours of Linux. Perfect for:
- Developer workstations
- IoT
- Edge
- CI/CD
Why MicroK8s?
- Small. Developers want the smallest K8s for laptop and workstation development. MicroK8s provides a standalone K8s compatible with Azure AKS, Amazon EKS, Google GKE when you run it on Ubuntu.
- Simple. Minimize administration and operations with a single-package install that has no moving parts for simplicity and certainty. All dependencies and batteries included.
- Secure. Updates are available for all security issues and can be applied immediately or scheduled to suit your maintenance cycle.
- Current. MicroK8s tracks upstream and releases beta, RC and final bits the same day as upstream K8s. You can track latest K8s or stick to any release version from 1.10 onwards.
- Comprehensive. MicroK8s includes a curated collection of manifests for common K8s capabilities and services.
https://github.com/ubuntu/microk8s
#python #devops #k8s
MicroK8s is a small, fast, single-package Kubernetes for developers, IoT and edge.
Single-package fully conformant lightweight Kubernetes that works on 42 flavours of Linux. Perfect for:
- Developer workstations
- IoT
- Edge
- CI/CD
Why MicroK8s?
- Small. Developers want the smallest K8s for laptop and workstation development. MicroK8s provides a standalone K8s compatible with Azure AKS, Amazon EKS, Google GKE when you run it on Ubuntu.
- Simple. Minimize administration and operations with a single-package install that has no moving parts for simplicity and certainty. All dependencies and batteries included.
- Secure. Updates are available for all security issues and can be applied immediately or scheduled to suit your maintenance cycle.
- Current. MicroK8s tracks upstream and releases beta, RC and final bits the same day as upstream K8s. You can track latest K8s or stick to any release version from 1.10 onwards.
- Comprehensive. MicroK8s includes a curated collection of manifests for common K8s capabilities and services.
https://github.com/ubuntu/microk8s
#python #devops #k8s
GitHub
GitHub - canonical/microk8s: MicroK8s is a small, fast, single-package Kubernetes for datacenters and the edge.
MicroK8s is a small, fast, single-package Kubernetes for datacenters and the edge. - canonical/microk8s
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov (Чехов).
Checkov is a static code analysis tool for infrastructure-as-code.
It scans cloud infrastructure provisioned using Terraform, Cloudformation, Kubernetes, Serverless or ARM Templates and detects security and compliance misconfigurations.
Features:
- Over 400 built-in policies cover security and compliance best practices for AWS, Azure and Google Cloud.
- Scans Terraform, CloudFormation and Kubernetes, Serverless framework and ARM template files.
- Detects AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
- Evaluates Terraform Provider settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
- Policies support evaluation of variables to their optional default value.
- Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
- Output currently available as CLI, JSON, JUnit XML and github markdown and link to remediation guides.
https://github.com/bridgecrewio/checkov
#python #devops #k8s
Checkov is a static code analysis tool for infrastructure-as-code.
It scans cloud infrastructure provisioned using Terraform, Cloudformation, Kubernetes, Serverless or ARM Templates and detects security and compliance misconfigurations.
Features:
- Over 400 built-in policies cover security and compliance best practices for AWS, Azure and Google Cloud.
- Scans Terraform, CloudFormation and Kubernetes, Serverless framework and ARM template files.
- Detects AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
- Evaluates Terraform Provider settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
- Policies support evaluation of variables to their optional default value.
- Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
- Output currently available as CLI, JSON, JUnit XML and github markdown and link to remediation guides.
https://github.com/bridgecrewio/checkov
#python #devops #k8s
k0s - Zero Friction Kubernetes
k0s is an all-inclusive Kubernetes distribution with all the required bells and whistles preconfigured to make building a Kubernetes clusters a matter of just copying an executable to every host and running it.
Key Features:
- Packaged as a single static binary
- Self-hosted, isolated control plane
- Variety of storage backends: etcd, SQLite, MySQL (or any compatible), PostgreSQL
- Elastic control-plane
- Vanilla upstream Kubernetes
- Supports custom container runtimes (containerd is the default)
- Supports custom Container Network Interface (CNI) plugins (calico is the default)
- Supports x86-64 and arm64
Quickstart:
https://github.com/k0sproject/k0s
#k8s #devops #go
k0s is an all-inclusive Kubernetes distribution with all the required bells and whistles preconfigured to make building a Kubernetes clusters a matter of just copying an executable to every host and running it.
Key Features:
- Packaged as a single static binary
- Self-hosted, isolated control plane
- Variety of storage backends: etcd, SQLite, MySQL (or any compatible), PostgreSQL
- Elastic control-plane
- Vanilla upstream Kubernetes
- Supports custom container runtimes (containerd is the default)
- Supports custom Container Network Interface (CNI) plugins (calico is the default)
- Supports x86-64 and arm64
Quickstart:
curl -sSLf get.k0s.sh | sh
k0s server --enable-worker
https://github.com/k0sproject/k0s
#k8s #devops #go
Prevent Kubernetes misconfigurations from reaching production (again 😤 )! Datree is a CLI tool to ensure K8s manifests and Helm charts follow best practices as well as your organization’s policies.
It’s far more effective than manual processes, such as sending an email to a slew of developers, begging them to set various limits, which likely falls on deaf ears because developers are already overwhelmed.
The CLI integration provides a policy enforcement solution for Kubernetes to run automatic checks on every code change for rule violations and misconfigurations. When rule violations are found, Datree produces an alert which guides the developer to fix the issue inside the CI process — or even earlier as a pre-commit hook — while explaining the reason behind the rule.
Right now, there are 30 battle-tested rules for you to choose from.
https://github.com/datreeio/datree
#k8s #devops #go
It’s far more effective than manual processes, such as sending an email to a slew of developers, begging them to set various limits, which likely falls on deaf ears because developers are already overwhelmed.
The CLI integration provides a policy enforcement solution for Kubernetes to run automatic checks on every code change for rule violations and misconfigurations. When rule violations are found, Datree produces an alert which guides the developer to fix the issue inside the CI process — or even earlier as a pre-commit hook — while explaining the reason behind the rule.
Right now, there are 30 battle-tested rules for you to choose from.
https://github.com/datreeio/datree
#k8s #devops #go
Kubegres is a #k8s operator allowing to deploy one or many clusters of postgresql instances and manage databases replication, failover and backup.
Features:
- It can manage one or many clusters of Postgres instances. Each cluster of Postgres instances is created using a YAML of "kind: Kubegres". Each cluster is self-contained and is identified by its unique name and namespace.
- It creates a cluster of PostgreSql servers with Streaming Replication enabled: it creates a Primary PostgreSql pod and a number of Replica PostgreSql pods and replicates primary's database in real-time to Replica pods.
- It manages fail-over: if a Primary PostgreSql crashes, it automatically promotes a Replica PostgreSql as a Primary.
- It has a data backup option allowing to dump PostgreSql data regularly in a given volume.
- It provides a very simple YAML with properties specialised for PostgreSql.
https://github.com/reactive-tech/kubegres
#go #devops
Features:
- It can manage one or many clusters of Postgres instances. Each cluster of Postgres instances is created using a YAML of "kind: Kubegres". Each cluster is self-contained and is identified by its unique name and namespace.
- It creates a cluster of PostgreSql servers with Streaming Replication enabled: it creates a Primary PostgreSql pod and a number of Replica PostgreSql pods and replicates primary's database in real-time to Replica pods.
- It manages fail-over: if a Primary PostgreSql crashes, it automatically promotes a Replica PostgreSql as a Primary.
- It has a data backup option allowing to dump PostgreSql data regularly in a given volume.
- It provides a very simple YAML with properties specialised for PostgreSql.
https://github.com/reactive-tech/kubegres
#go #devops
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.
KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.
https://github.com/stackrox/kube-linter
#go #k8s #devops
KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.
KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.
https://github.com/stackrox/kube-linter
#go #k8s #devops
👍1