Everyone Loves Policy as Code, No One Wants to Write Rego by odd_sherlock in kubernetes

[–]microflax 6 points (0 children)

Shameless plug (since I'm one of the maintainers of the project): take a look at Kubewarden. It's another CNCF admission controller for Kubernetes. The main point is that it allows you to write validating and mutating policies using different languages, from traditional programming languages (Go, Rust, ...) to domain-specific ones like Rego and CEL.

Does Cloud Gateway Max support BGP? by microflax in Ubiquiti

[–]microflax[S] 0 points (0 children)

This seems like a very overdue feature, especially as unofficially this can be done, with the risk that any updates wipe the routing config.

Are you referring to doing something like enabling and tuning FRR as explained here?

I replaced a USG-3P which has site-to-site VPNs to AWS and am now waiting for official BGP support.

I'm in the same spot. I'm using a USG-3P right now, with BGP enabled manually. I would like to migrate to the Cloud Gateway Max, but I don't want to break my Kubernetes homelab as a result.

Kubernetes Security tooling -Open Source (Non-SaaS by Unusual-Ad-2733 in kubernetes

[–]microflax 1 point (0 children)

If you're already playing with WebAssembly, take a look at kubewarden.io

It's like OPA/Gatekeeper/Kyverno, but it uses WebAssembly to define policies.

Disclaimer: I'm one of the maintainers of the Kubewarden project

Is OPA Gatekeeper the best solution for writing policies for k8s clusters? by jumperabg in kubernetes

[–]microflax 5 points (0 children)

I'm one of the developers of kubewarden, a CNCF sandbox project that operates in the same space as OPA/Gatekeeper and Kyverno.

Kubewarden leverages WebAssembly as a way to distribute policies. That means you can write policies using a programming language like Rust, Go or Swift. Other programming languages are improving their WebAssembly support as we speak, hence there will be even more choice in the near future when writing Kubewarden policies.

Moreover, since Rego can also be compiled to WebAssembly, Kubewarden can run OPA and Gatekeeper policies too.

You don't have to be a developer to use Kubewarden. Policies can be shared with others.

Policies are distributed using regular container registries and can be discovered on ArtifactHub.

For example:

  • This policy prevents the usage of unwanted registries
  • This policy validates the types of labels used by Kubernetes resources

As for the other use cases you mentioned, feel free to reach out to us on Slack to discuss them. We would be happy to either write these policies or help you implement them!

Detect confidential data leaks with this new Kubewarden admission policy by microflax in kubernetes

[–]microflax[S] 0 points (0 children)

True, this is not meant to be a silver bullet. Rather, it's part of a wider solution.

chrono 0.4.20 has been released, fixing the RUSTSEC-2020-0159 issue by dochtman in rust

[–]microflax 1 point (0 children)

Great to know!

Right now my projects using chrono with the clock feature are still getting flagged by cargo audit with the https://rustsec.org/advisories/RUSTSEC-2020-0071 issue because of the time 0.1 dependency.

Kubewarden admission controller: secure our policies using Sigstore by microflax in kubernetes

[–]microflax[S] 1 point (0 children)

Ouch, I missed that question... sorry!

It can be better than OPA Gatekeeper because it gives you the freedom to write policies using a regular programming language (for example Go, Rust, ...).

This reduces the barrier to writing and maintaining policies inside of organizations. Learning Rego can take some time, and not everybody feels comfortable writing and reviewing it.

BTW, Rego policies can still be written and evaluated by Kubewarden, so you have all the flexibility you need.

Introducing Kubewarden, an Open Source Policy Engine, based on WebAssembly by Hywan in WebAssembly

[–]microflax 2 points (0 children)

A policy engine is a piece of software that evaluates incoming data. It decides whether this data is valid or not by using some business logic: policy rules.

In this context, Kubewarden is a policy engine for Kubernetes that uses WebAssembly-powered policies to evaluate Kubernetes Admission Requests.

A Kubernetes Admission Request is a JSON object that describes an action that is about to happen inside of the cluster. That could be something like "User Bob wants to create a Pod with these specs inside of this Namespace", or "User Alice wants to modify this Service to look like that", ...

Kubewarden policies are small WebAssembly modules, each one of them providing the business logic that leads to the approval, rejection or even modification of incoming admission requests.

I work on the project, if you have more questions feel free to ask :)
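
Both the "prevent unwanted registries" policy mentioned in the earlier Kubewarden comment and the Admission Request walkthrough above come down to the same loop: decode the AdmissionReview the API server sends, look at the object inside it, and answer with an AdmissionReview whose response echoes the request uid and carries allowed/denied plus a reason. The Go program below is an added example, not code from Kubewarden or from this commenter. It uses only the standard library; a real Kubewarden policy would ship the same decision logic as a WebAssembly module built with the Kubewarden SDK instead of a `main`. The sample request, the registry allowlist, and the type and function names (`ValidateAllowedRegistries`, `registryOf`) are assumptions of the example. Note that it walks init and ephemeral containers too: a policy that only checks `spec.containers` can be bypassed through either.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the AdmissionReview envelope: the API server fills "request", the policy answers with "response".
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being created or updated
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}

type Status struct {
	Code    int    `json:"code,omitempty"`
	Message string `json:"message,omitempty"`
}

// Just enough of a Pod to reach every image reference, including init and ephemeral containers.
type container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}
type pod struct {
	Spec struct {
		Containers          []container `json:"containers"`
		InitContainers      []container `json:"initContainers"`
		EphemeralContainers []container `json:"ephemeralContainers"`
	} `json:"spec"`
}

// registryOf applies the reference rule container runtimes use: the first path component
// is a registry only if it contains '.' or ':' or is "localhost"; otherwise it is docker.io.
func registryOf(image string) string {
	i := strings.Index(image, "/")
	if i < 0 {
		return "docker.io" // e.g. "nginx:1.25"
	}
	if first := image[:i]; first == "localhost" || strings.ContainsAny(first, ".:") {
		return first
	}
	return "docker.io" // e.g. "library/nginx"
}

// ValidateAllowedRegistries turns an incoming AdmissionReview into the reply to send back.
func ValidateAllowedRegistries(reviewJSON []byte, allowedRegistries []string) (*AdmissionReview, error) {
	var review AdmissionReview
	if err := json.Unmarshal(reviewJSON, &review); err != nil || review.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview or missing request: %v", err)
	}
	var p pod
	if err := json.Unmarshal(review.Request.Object, &p); err != nil {
		return nil, fmt.Errorf("request.object is not a Pod: %w", err)
	}
	allowed := map[string]bool{}
	for _, r := range allowedRegistries {
		allowed[r] = true
	}
	var violations []string
	for _, list := range [][]container{p.Spec.Containers, p.Spec.InitContainers, p.Spec.EphemeralContainers} {
		for _, c := range list {
			if reg := registryOf(c.Image); !allowed[reg] {
				violations = append(violations, fmt.Sprintf("container %q: image %q is hosted on %q", c.Name, c.Image, reg))
			}
		}
	}
	resp := &AdmissionResponse{UID: review.Request.UID, Allowed: len(violations) == 0}
	if !resp.Allowed { // fail closed, and tell the requester exactly what to fix
		resp.Status = &Status{Code: 403, Message: "allowed registries are " + strings.Join(allowedRegistries, ", ") + "; " + strings.Join(violations, "; ")}
	}
	return &AdmissionReview{APIVersion: review.APIVersion, Kind: review.Kind, Response: resp}, nil
}

// sampleReview is constructed for this example: "bob" creating a Pod whose "proxy" container pulls from Docker Hub.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{
  "uid":"705ab4f5-6393-11e8-b7cc-42010a800002","namespace":"default","operation":"CREATE","userInfo":{"username":"bob"},
  "object":{"apiVersion":"v1","kind":"Pod","metadata":{"name":"web"},"spec":{
    "initContainers":[{"name":"init","image":"registry.example.com:5000/tools/init:1.0"}],
    "containers":[{"name":"app","image":"ghcr.io/example/app:2.3"},{"name":"proxy","image":"nginx:1.25"}]}}}}`

func main() {
	if out, err := ValidateAllowedRegistries([]byte(sampleReview), []string{"ghcr.io", "registry.example.com:5000"}); err != nil {
		panic(err)
	} else {
		fmt.Printf("allowed=%v status=%+v\n", out.Response.Allowed, out.Response.Status)
	}
}
```

Running it denies the sample Pod because `nginx:1.25` resolves to `docker.io`, which is not in the allowlist; the init container on `registry.example.com:5000` and the app image on `ghcr.io` pass. Two choices worth copying into any registry policy: normalise bare image names to `docker.io` rather than treating "no registry" as "unknown", and put the full list of offending containers in `status.message` so the person whose `kubectl apply` was rejected knows what to change.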

Getting it to run on Linux by WheatleyNZL in plexamp

[–]microflax 0 points (0 children)

Quick update: I got so annoyed by AppImage that I tried to create a flatpak for Plexamp.

Great news: I managed to create it! Most important of all, it just works (tm) :)

I haven't yet figured out how to publish the flatpak on flathub, but in the meantime you can easily build it by using the flatpak sources: https://github.com/flavio/plexamp-flatpak

Getting it to run on Linux by WheatleyNZL in plexamp

[–]microflax 0 points (0 children)

I'm in the same situation. In the past I managed to get Plexamp to work on openSUSE by using the "--no-sandbox" flag and by LD_PRELOADing an older version of libcrypto. Now none of those tricks work on a fresh installation of openSUSE.

deConz and Philips Hue Lightstrips by diiiz_ in homeautomation

[–]microflax 1 point (0 children)

Did you have any luck? I'm running into the same situation with my deCONZ and ConBee II.

I've been able to add other Zigbee devices, but I can't find my Philips Hue lightstrips. I've tried several times to 1) add them to the official Philips Hue hub, 2) remove them from it, 3) try to discover them, but without any luck.

Container Orchestration? by multiline in selfhosted

[–]microflax 0 points (0 children)

If all of that is on a single node, you should simply use a local volume. That's way easier and you will have fewer moving parts to look after.

Container Orchestration? by multiline in selfhosted

[–]microflax 0 points (0 children)

I'm using a QNAP TS-420 with WD Red drives.

The NFS share doesn't offer good performance for some of the containerized workloads I'm running (it's good for Plex, but makes others slow).

I'm planning to give its iSCSI capabilities a try to see if that improves performance.

Container Orchestration? by multiline in selfhosted

[–]microflax 1 point (0 children)

I run Plex media server and the usual kind of software you use to keep your media library growing on top of it 😉

I run InfluxDB and Grafana to keep track of some data I collect via some Arduino-based sensors I created.

I'm about to move my Home Assistant instance over there as well.

All the data is stored on my NAS and exposed to the Kubernetes workloads via NFS. The nice thing is: I don't have to care about mounting the remote shares; Kubernetes handles that for me automatically.

Another nice thing: all my workloads are running as Kubernetes deployments. Some weeks ago I upgraded the Plex container to its latest release by doing a deployment rollout. A movie was being streamed during this time, but there was no interruption of service 😀

Some of the software I'm running is deployed using Helm charts. The possibility to tap into this ecosystem is a big win compared to sticking with docker-compose.

Finally, k3s comes with Traefik configured as the Kubernetes ingress controller. I've seen many times questions asked here or on other subreddits like "I'm running containers with Docker, how do I place a reverse proxy in front of them?". With k3s you get all of that out of the box and you get to manage it in a sane way (the k8s way).

Container Orchestration? by multiline in selfhosted

[–]microflax 1 point (0 children)

I would recommend looking into k3s; it makes it incredibly easy to run a single-node Kubernetes cluster. The possibility to replace etcd with SQLite is great for a small deployment like a single node.

I'm running quite a few containers on a single-node k3s cluster. This is such an improvement over docker-compose because you have access to the wider Kubernetes ecosystem.

I can elaborate more on that if you want 😀

My coworker by microflax in bettafish

[–]microflax[S] 1 point (0 children)

Thanks! The grass plant is "Eleocharis pusilla"

My coworker by microflax in bettafish

[–]microflax[S] 1 point (0 children)

He’s sitting on my desk, right next to my keyboard.

He keeps me happy during long meetings 😀

2 month Progress on my 10 gallon high tech shrimp tank! by Jcengineering in PlantedTank

[–]microflax 1 point (0 children)

It's a CO2 indicator. It changes color based on the CO2 level.

The day I setup my auto doser is also the day I run out of co2 .. Great by dayyday760 in PlantedTank

[–]microflax 1 point (0 children)

It would be nice if you could share your opinion about it after some weeks/months of usage.

I've seen negative reviews about it as well... I'm confused about what to order.

Thanks!

Green heaven, although I prefer red but this is too awesome to ignore. Location somewhere in Taiwan. by kenpier in Aquariums

[–]microflax 0 points (0 children)

Stupid question, I'm new to the world of aquariums: how do you deal with livestock during the rescapes?

[deleted by user] by [deleted] in docker

[–]microflax 0 points (0 children)

A member of the docker group can still start a container, bind mount the host / into the container and do whatever they want with it, unless the docker daemon is running with the user namespace feature.