Website • Getting Started Guide • Documentation • Blog • Twitter • Slack
jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript
- Lightning Fast & Secure Policy Execution - jsPolicy runs policies with Google's super fast V8 JavaScript engine in a pool of pre-heated sandbox environments. Most policies do not even take a single millisecond to execute
- Great Language For Policies - JavaScript is made for handling and manipulating JSON objects (short for: JavaScript Object Notation!) and Kubernetes uses JSON by converting your YAML to JSON during every API request
- 3 Policy Types for anything you need:
- Validating Policies - Request validation that is as easy as calling
allow(),deny("This is not allowed"), orwarn("We'll let this one slip, but upgrade to the new ingress controller") - Mutating Policies - Simple mutations of the kubectl request payload via
mutate(modifiedObj) - Controller Policies - Run custom JavaScript controllers that react to any changes to the objects in your cluster (controller policies are reactive, so they are not webhooks and part of a Kubernetes API server request but instead react to
Eventsin your cluster after they have happened). With controller policies you can write resource sync mechanisms, enforce objects in namespaces, garbage collectors or fully functional CRD controllers
- Validating Policies - Request validation that is as easy as calling
- Simple yet Powerful - Create a functional webhook with a single line of JavaScript or write your own fully blown custom StatefulSet controller in TypeScript with jsPolicy. There are no limits and the possibilities are endless
- Easy Cluster Access - Control cluster state with built-in functions such as
get("Pod", "v1", "my-namespace/my-pod"),list("Namespace", "v1"),create(limitRange),update(mySecret)orremove(configMap) - Focus on Policy Logic - Jump right in and only focus on writing your own policy logic or simply reuse existing policies. Let jsPolicy do the rest and don't worry about high-availability, performance tuning, auditing, certificate management, webhook registration, prometheus metrics, shared resource caches, controller boilerplate, dynamic policy management etc. anymore
- Turing Complete Policy Language - Use
loops,Promises,generatorfunctions,?operators, TypeScript Type-Safe practices, hot reloaders, linting, test frameworks and all other modern JS language features and development best practices for writing clean and easy to maintain policy code - Huge Ecosystem of Libraries - Use any CommonJS JavaScript or TypeScript library from npmjs or from your private registry
- Easy Policy Sharing & Reuse - Share entire policies or reusable functions via npmjs or via your private registry
- Efficient Policy Development - Use any of the dev tools available in JavaScript or TypeScript for a highly efficient workflow
Learn more on www.jspolicy.com.
Architecture
Learn more in the documentation.
Quick Start
To learn more about jspolicy, open the full getting started guide.
1. Install jsPolicy
Install jsPolicy to your Kubernetes cluster via Helm v3:
helm install jspolicy jspolicy -n jspolicy --create-namespace --repo https://charts.loft.sh2. Create a Policy
Create the file policy.yaml:
# policy.yaml
apiVersion: policy.jspolicy.com/v1beta1
kind: JsPolicy
metadata:
name: "deny-default-namespace.company.tld"
spec:
operations: ["CREATE"]
resources: ["*"]
scope: Namespaced
javascript: |
if (request.namespace === "default") {
deny("Creation of resources within the default namespace is not allowed!");
}3. Apply The Policy
Apply the policy in your cluster:
kubectl apply -f policy.yaml4. See Policy In Action
kubectl create deployment nginx-deployment -n default --image=nginxContributing
Thank you for your interest in contributing! Please refer to CONTRIBUTING.md for guidance.
This project is open-source and licensed under Apache 2.0, so you can use it in any private or commercial projects.