Kubernetes Policy Enforcement: OPA vs jsPolicy


Developer Experience

helm install jspolicy jspolicy -n jspolicy --create-namespace --repo https://charts.loft.sh

# policy.yaml
apiVersion: policy.jspolicy.com/v1beta1
kind: JsPolicy
metadata:
  name: "deny-default-namespace.company.tld"
spec:
  operations: ["CREATE"]
  resources: ["*"]
  scope: Namespaced
  javascript: |
    if (request.namespace === "default") {
      deny("Creation of resources within the default namespace is not allowed!");
    }
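
The policy body above can be exercised locally against mocked admission requests before it is deployed. This is an added example, not code from the original article or from jsPolicy: `evaluatePolicy`, `runCases` and the sample requests are hypothetical, and the harness assumes that `deny()` ends policy evaluation.

```javascript
// Policy body copied from the spec.javascript field of the JsPolicy above.
const policySource = `
if (request.namespace === "default") {
  deny("Creation of resources within the default namespace is not allowed!");
}
`;

// Hypothetical local harness (not part of jsPolicy): runs a policy body against
// a mocked admission request and reports whether deny() was called.
function evaluatePolicy(source, request) {
  const result = { allowed: true, message: null };
  // Assumption: deny() ends policy evaluation, modelled here with a sentinel throw.
  const halt = Symbol("deny");
  const deny = (message) => {
    result.allowed = false;
    result.message = message;
    throw halt;
  };
  try {
    // Freeze the mock so a validating policy cannot silently mutate its input.
    new Function("request", "deny", source)(Object.freeze({ ...request }), deny);
  } catch (err) {
    if (err !== halt) throw err; // genuine errors in the policy must surface
  }
  return result;
}

// Constructed sample requests; the policy only reads request.namespace.
const cases = [
  { name: "create in default", request: { operation: "CREATE", namespace: "default" } },
  { name: "create in team-a", request: { operation: "CREATE", namespace: "team-a" } },
  { name: "no namespace set", request: { operation: "CREATE" } },
];

function runCases() {
  return cases.map(({ name, request }) => ({ name, ...evaluatePolicy(policySource, request) }));
}

for (const r of runCases()) {
  console.log(`${r.name}: ${r.allowed ? "allowed" : "denied: " + r.message}`);
}
```

The harness only exercises the JavaScript body; matching on `operations`, `resources` and `scope` is not modelled here.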

Maintainability

Testability of Policies

  • data mocking
  • coverage
  • modifying test result outputs

Conclusion
