v0.3.2

This is a patch release. It contains an updated bugfix where policies targeting a core api group (e.g. Pods) were not handled correctly.

v0.3.1

This is a patch release. It contains a bugfix where the audit mode could not find objects for resources in the core api group. It also extends the policy validation to check if all defined apigroup/kind targets are actually available in the kubernetes cluster.

v0.3.0

The next relese of bridgekeeper with the following changes:

• Audit run can be configured as CronJob to run on a schedule (this way bridgekeeper can be configured with multiple replicas)
• Scheduled audit runs produce metrics that are pushed to prometheus pushgateway (can be used to build grafana dashboards that show policy compliance)
• Docker image now runs under non-root user
• ServiceMonitor is now part of helm chart to enable automatic prometheus metrics scraping

No changes have been made to the CRD, the helm chart has additional options. Existing deployments can be updated by just updating the helm release to chart version 0.3.0.

v0.2.1

A maintenance release with the following changes:

• Updated all rust dependencies to their newest version
• Refactored the code to reduce locking usage and allow for better parallel execution of policy evaluations
• Added the kubernetes-python library to the docker image for use in policy code
• Added an option to the helm chart to give bridgekeeper an additional clusterrole

There are no changes to the CRD or the policy interface.

v0.2.0

The second release of bridgekeeper, a policy engine for Kubernetes, with cool new features:

• Policies can now mutate the objects they are checking. This is done by modifying the object structure in the python rule code, no need to generate JSONPatches
• Audit mode to periodically check existing objects
• Enforcement can be disabled for single policies (very useful when introducing a new policy to inform users about a policy violation without directly rejecting objects)
• Policies can now send warnings to the applying user even when accepting the object
• Strict admission mode can be enabled that rejects all objects when bridgekeeper is not available (by default kubernetes will allow an object if the admission webhook cannot be reached)
• Technical refactoring to bring Rust dependencies up-to-date and make bridgekeeper more resilient

Bridgekeeper can be easily installed via helm, see the project README for details.

If you have already installed v0.1.0, please completely uninstall it and then reinstall as the Custom Resource has been renamed from Constraint to Policy and helm installation/upgrade behaviour has been changed.

v0.1.0

This is the first public release of bridgekeeper, a policy engine inspired by gatekeeper but with rules written in python. This release is mainly intended for testing and should not be considered stable and secure enough for production use.

The main features are:

• Define constraints for any kubernetes resource
• Write constraints with the full power of python
• Insights into accepts and rejects using kubernetes events

This release can be installed using helm:

helm repo add bridgekeeper https://maibornwolff.github.io/bridgekeeper/
helm install --namespace bridgekeeper --create-namespace bridgekeeper bridgekeeper/bridgekeeper