Kubernetes Policy Enforcement: OPA vs jsPolicy

Developer Experience

helm install jspolicy jspolicy -n jspolicy --create-namespace --repo https://charts.loft.sh

# policy.yaml
apiVersion: policy.jspolicy.com/v1beta1
kind: JsPolicy
metadata:
  name: "deny-default-namespace.company.tld"
spec:
  operations: ["CREATE"]
  resources: ["*"]
  scope: Namespaced
  javascript: |
    if (request.namespace === "default") {
      deny("Creation of resources within the default namespace is not allowed!");
    }
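
The JavaScript body of the policy above can be exercised without a cluster by supplying stand-ins for the two globals it uses, `request` and `deny`. The harness below is an added example, not jsPolicy's own tooling or code from the original article; `evaluatePolicy`, the handling of `spec.operations` and the sample requests are constructed for illustration.

```javascript
// Added example: offline harness for the policy body shown above.
// evaluatePolicy, the spec handling and the sample requests are constructed.
const POLICY_SOURCE = `
if (request.namespace === "default") {
  deny("Creation of resources within the default namespace is not allowed!");
}`;
const POLICY_SPEC = { operations: ["CREATE"] }; // copied from spec.operations

// Runs a policy body against one admission request, with stand-ins for the
// `request` and `deny` globals the policy uses. Assumption: requests whose
// operation is not listed in spec.operations never reach the policy.
function evaluatePolicy(source, spec, request) {
  const verdict = { evaluated: false, allowed: true, message: null };
  if (!spec.operations.includes(request.operation)) return verdict;
  verdict.evaluated = true;
  const deny = (message) => {
    verdict.allowed = false;
    verdict.message = message;
  };
  // The policy receives a frozen copy so it cannot alter the test input.
  new Function("request", "deny", source)(Object.freeze({ ...request }), deny);
  return verdict;
}

// Constructed admission requests (only the fields this policy reads).
const SAMPLES = [
  { name: "web", operation: "CREATE", namespace: "default" },
  { name: "web", operation: "CREATE", namespace: "team-a" },
  // Not covered: the policy lists CREATE only, so an UPDATE is never checked.
  { name: "web", operation: "UPDATE", namespace: "default" },
];

function runSamples() {
  return SAMPLES.map((req) => ({
    request: `${req.operation} ${req.namespace}/${req.name}`,
    ...evaluatePolicy(POLICY_SOURCE, POLICY_SPEC, req),
  }));
}

for (const r of runSamples()) {
  const outcome = !r.evaluated ? "not evaluated" : r.allowed ? "allowed" : `denied: ${r.message}`;
  console.log(r.request, "->", outcome);
}
```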

Maintainability

Testability of Policies

  • data mocking
  • coverage
  • modifying test result outputs

Conclusion

>> www.loft.sh << Build Your Internal Kubernetes Platform With Virtual Clusters, Namespace Self-Service & Secure Multi-Tenancy
