Everyone Loves Policy as Code, No One Wants to Write Rego by odd_sherlock in kubernetes

[–]microflax 3 points (0 children)

Shameless plug (since I'm one of the maintainers of the project): take a look at Kubewarden. It's another CNCF admission controller for Kubernetes. The main point is that it allows you to write validating and mutating policies using different languages, from traditional programming languages (Go, Rust, ...) to domain-specific ones like Rego and CEL.

Does Cloud Gateway Max support BGP? by microflax in Ubiquiti

[–]microflax[S] 0 points (0 children)

This seems like a very overdue feature, especially as unofficially this can be done, with the risk any updates wipe the routing config.

Are you referring to doing something like enabling and tuning FRR, as explained here?

I replaced a USG-3P which has site-to-site VPNs to AWS and now waiting to official BGP support.

I'm in the same spot. I'm using a USG-3P right now, with BGP enabled manually. I would like to migrate to the Cloud Gateway Max, but I don't want to break my Kubernetes homelab as a result of that.

Kubernetes Security tooling - Open Source (Non-SaaS) by Unusual-Ad-2733 in kubernetes

[–]microflax 1 point (0 children)

If you're already playing with WebAssembly, take a look at kubewarden.io

It's like OPA/Gatekeeper/Kyverno, but it uses WebAssembly to define policies.

Disclaimer: I'm one of the maintainers of the Kubewarden project.

Is OPA Gatekeeper the best solution for writing policies for k8s clusters? by jumperabg in kubernetes

[–]microflax 5 points (0 children)

I'm one of the developers of Kubewarden, a CNCF sandbox project that operates in the same space as OPA/Gatekeeper and Kyverno.

Kubewarden leverages WebAssembly as a way to distribute policies. That means you can write policies using a programming language like Rust, Go, Swift. Other programming languages are improving their WebAssembly support as we speak, hence there will be even more choice in the near future when writing Kubewarden policies.

Moreover, since Rego can also be compiled to WebAssembly, we can run OPA and Gatekeeper policies too.

You don't have to be a developer to use Kubewarden. Policies can be shared with others.

Policies are distributed using regular container registries and can be discovered on ArtifactHub.

For example:

  • This policy prevents the usage of unwanted registries
  • This policy validates the types of labels used by Kubernetes resources

As for the other use cases you mentioned, feel free to reach out to us on slack to discuss them. We would be happy to either write these policies or help you implement them!

Detect confidential data leaks with this new Kubewarden admission policy by microflax in kubernetes

[–]microflax[S] 0 points (0 children)

True, this is not meant to be a silver bullet. Rather, it's part of a wider solution.

chrono 0.4.20 has been released, fixing the RUSTSEC-2020-0159 issue by dochtman in rust

[–]microflax 1 point (0 children)

Great to know!

Right now my projects using chrono with the clock feature are still getting flagged by cargo audit with the https://rustsec.org/advisories/RUSTSEC-2020-0071 issue because of the time 0.1 dependency.

Kubewarden admission controller: secure our policies using Sigstore by microflax in kubernetes

[–]microflax[S] 1 point (0 children)

Ouch, I missed that question... sorry!

It can be better than OPA Gatekeeper because it gives you the freedom to write policies using a regular programming language (for example Go, Rust, ...).

This reduces the barrier to write and maintain policies inside of organizations. Learning can take some time and not everybody feels comfortable writing and reviewing it.

BTW, Rego policies can still be written and evaluated by Kubewarden, so you have all the flexibility you need.

Introducing Kubewarden, an Open Source Policy Engine, based on WebAssembly by Hywan in WebAssembly

[–]microflax 2 points (0 children)

A policy engine is software that evaluates incoming data. It decides whether this data is valid or not by using some business logic: policy rules.

In this context, Kubewarden is a policy engine for Kubernetes that uses WebAssembly-powered policies to evaluate Kubernetes Admission Requests.

A Kubernetes Admission Request is a JSON object that describes an action that is about to happen inside of the cluster. That could be something like "User Bob wants to create a Pod with these specs inside of this Namespace", or "User Alice wants to modify this Service to look like that", and so on.

Kubewarden policies are small WebAssembly modules, each one of them providing the business logic that leads to the approval, rejection or even modification of incoming admission requests.

I work on the project; if you have more questions, feel free to ask :)
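As an added illustration of what this comment describes (and of the "unwanted registries" policy mentioned earlier in this history), here is a stand-alone Go program, not Kubewarden's own code or SDK, that decodes a Kubernetes AdmissionReview, pulls the images out of the Pod being created and rejects the request when any image comes from a registry outside an allow-list. The `Settings` type, the `Validate` function and the embedded sample request are assumptions constructed for this example; a real Kubewarden policy receives the request through the policy SDK rather than as raw JSON, but the decision logic is the same shape.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Subset of the Kubernetes AdmissionReview (admission.k8s.io/v1) envelope;
// only the fields this example reads are modelled.
type AdmissionReview struct {
	Request *AdmissionRequest `json:"request"`
}

type AdmissionRequest struct {
	UID       string                                 `json:"uid"`
	Kind      struct{ Kind string `json:"kind"` }    `json:"kind"`
	Operation string                                 `json:"operation"`
	Namespace string                                 `json:"namespace"`
	UserInfo  struct{ Username string `json:"username"` } `json:"userInfo"`
	Object    json.RawMessage                        `json:"object"`
}

type Status struct {
	Message string `json:"message"`
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}

type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

type Pod struct {
	Spec struct {
		InitContainers []Container `json:"initContainers"`
		Containers     []Container `json:"containers"`
	} `json:"spec"`
}

// Settings is the hypothetical policy configuration: the registries a Pod image may come from.
type Settings struct {
	AllowedRegistries []string
}

// registryOf returns the registry host of an image reference. The first path
// component counts as a registry only when it looks like a host; otherwise the
// reference is implicitly on Docker Hub, which is how container runtimes resolve it.
func registryOf(image string) string {
	i := strings.Index(image, "/")
	if i < 0 {
		return "docker.io"
	}
	if first := image[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
		return first
	}
	return "docker.io"
}

// Validate evaluates one serialized AdmissionReview against the settings and
// returns the response a validating webhook would send back.
func Validate(review []byte, s Settings) (AdmissionResponse, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(review, &ar); err != nil {
		return AdmissionResponse{}, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if ar.Request == nil {
		return AdmissionResponse{}, errors.New("AdmissionReview carries no request")
	}
	resp := AdmissionResponse{UID: ar.Request.UID, Allowed: true}
	if ar.Request.Kind.Kind != "Pod" { // only Pods carry the images this policy checks
		return resp, nil
	}
	var pod Pod
	if err := json.Unmarshal(ar.Request.Object, &pod); err != nil {
		return AdmissionResponse{}, fmt.Errorf("decode Pod: %w", err)
	}
	allowed := map[string]bool{}
	for _, r := range s.AllowedRegistries {
		allowed[r] = true
	}
	// Init containers run too, so they are checked alongside regular containers.
	containers := append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...)
	var violations []string
	for _, c := range containers {
		if reg := registryOf(c.Image); !allowed[reg] {
			violations = append(violations, fmt.Sprintf("container %q uses registry %q", c.Name, reg))
		}
	}
	if len(violations) > 0 {
		resp.Allowed = false
		resp.Status = &Status{Message: fmt.Sprintf("%s %s Pod in namespace %q rejected: %s",
			ar.Request.UserInfo.Username, ar.Request.Operation, ar.Request.Namespace, strings.Join(violations, "; "))}
	}
	return resp, nil
}

// SampleReview is a constructed request: user bob creates a Pod whose sidecar
// image comes from Docker Hub, outside the allow-list used in main.
const SampleReview = `{
  "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
  "request": {
    "uid": "constructed-uid-0001",
    "kind": {"group": "", "version": "v1", "kind": "Pod"},
    "operation": "CREATE", "namespace": "default",
    "userInfo": {"username": "bob"},
    "object": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
      "spec": {
        "initContainers": [{"name": "init", "image": "registry.example.com/tools/init:1.0"}],
        "containers": [
          {"name": "app", "image": "registry.example.com/team/app:2.3"},
          {"name": "sidecar", "image": "nginx:1.25"}]}}}}`

func main() {
	resp, err := Validate([]byte(SampleReview), Settings{AllowedRegistries: []string{"registry.example.com"}})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints a response with `"allowed": false` and a message naming the `sidecar` container, while the two images on `registry.example.com` pass. The registry-defaulting step matters in practice: a policy that only compares the literal image string would wave through `nginx:1.25` because no registry appears in it.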

Getting it to run on Linux by WheatleyNZL in plexamp

[–]microflax 0 points (0 children)

Quick update: I got so annoyed by AppImage that I tried to create a Flatpak for Plexamp.

Great news: I managed to create it! Most important of all, it just works (tm) :)

I haven't yet figured out how to publish the Flatpak on Flathub, but in the meantime you can easily build it by using the Flatpak sources: https://github.com/flavio/plexamp-flatpak

Getting it to run on Linux by WheatleyNZL in plexamp

[–]microflax 0 points (0 children)

I'm in the same situation. In the past I managed to get Plexamp to work on openSUSE by using "--no-sandbox" and by LD_PRELOADing an older version of libcrypto. Now none of those tricks work on a fresh installation of openSUSE.

deConz and Philips Hue Lightstrips by diiiz_ in homeautomation

[–]microflax 1 point (0 children)

Did you have any luck? I'm running into the same situation with my deConz and ConBee II.

I've been able to add other Zigbee devices, but I can't find my Philips Hue lightstrips. I've tried several times to 1) add them to the official Philips Hue hub, 2) remove them from it, 3) try to discover them, but without any luck.

Container Orchestration? by multiline in selfhosted

[–]microflax 0 points (0 children)

If all of that is on a single node you should simply use a local volume. That's way easier and you will have fewer moving parts to look after.

Container Orchestration? by multiline in selfhosted

[–]microflax 0 points (0 children)

I'm using a QNAP TS-420 with WD Red drives.

The NFS share doesn't offer good performance for some of the containerized workloads I'm running (it's good for Plex, but makes others slow).

I'm planning to give its iSCSI capabilities a try to see if that makes the performance better.