{"id":20954386,"url":"https://github.com/devsisters/checkpoint","last_synced_at":"2025-08-21T08:16:23.568Z","repository":{"id":63350628,"uuid":"519119260","full_name":"devsisters/checkpoint","owner":"devsisters","description":"Kubernetes policy checker","archived":false,"fork":false,"pushed_at":"2024-08-01T06:16:56.000Z","size":324,"stargazers_count":47,"open_issues_count":1,"forks_count":0,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-05-14T04:32:44.247Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devsisters.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-29T07:19:39.000Z","updated_at":"2025-02-14T02:37:35.000Z","dependencies_parsed_at":"2024-02-20T10:30:27.100Z","dependency_job_id":"62bdd095-6dc9-4ef9-9019-91b211e1a512","html_url":"https://github.com/devsisters/checkpoint","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/devsisters/checkpoint","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsisters%2Fcheckpoint","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsisters%2Fcheckpoint/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsisters%2Fcheckpoint/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsisters%2Fcheckpoint/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devsisters","download_url":"https://codeload.github.com/devsisters/checkpoint/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsisters%2Fcheckpoint/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271448405,"owners_count":24761441,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-21T02:00:08.990Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-19T01:14:31.852Z","updated_at":"2025-08-21T08:16:23.547Z","avatar_url":"https://github.com/devsisters.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Checkpoint\n\n`checkpoint` is a Kubernetes policy checker.\nPowered by [deno](https://github.com/denoland/deno).\n\n## Why?\n\nEnsuring a certain policy in a Kubernetes cluster is usually done by admission controllers.\nBut setting up an admission controller is quite cumbersome.\nWe need to set up a HTTPS web server and its certificates.\n\n`checkpoint` provides a simpler way - writing a simple JavaScript code becomes a new admission controller.\n\n`checkpoint` also aims to provide other convenient ways to ensure policies.\n\n## Usage\n\n### Helm\n\n```\nhelm repo add devsisters https://charts.devsisters.io\nhelm repo update\nhelm install checkpoint devsisters/checkpoint --namespace checkpoint --create-namespace\n```\n\n## Example\n\nMore examples can be found at [`examples/` folder](./examples).\n\n### ValidatingRule\n\nValidatingRule is similar to ValidatingWebhookConfiguration.\nIt can allow, deny incoming requests.\n\nWrite a ValidatingRule:\n\n```yaml\napiVersion: checkpoint.devsisters.com/v1\nkind: ValidatingRule\nmetadata:\n  name: check-namespace-name-is-cute\nspec:\n  objectRules:\n  - apiGroups: [\"\"]\n    apiVersions: [\"*\"]\n    resources: [\"namespaces\"]\n    operations: [\"CREATE\"]\n  code: |\n    const request = getRequest();\n    if (!request.name.endsWith(\"-uwu\")) {\n      deny(\"That name is not cute.\");\n    }\n```\n\nNow your Kubernetes cluster only accepts namespaces with cute name:\n\n```\n$ kubectl create namespace my-namespace\nError from server: admission webhook \"check-namespace-name-is-cute.validatingwebhook.checkpoint.devsisters.com\" denied the request: That name is not cute.\n$ kubectl create namespace my-namespace-uwu\nnamespace/my-namespace-uwu created\n```\n\n### MutatingRule\n\nMutatingRule is similar to MutatingWebhookConfiguration.\nIt can allow, deny, or mutate incoming requests.\n\nWrite a MutatingRule:\n\n```yaml\napiVersion: checkpoint.devsisters.com/v1\nkind: MutatingRule\nmetadata:\n  name: mutate-namespace-name-cute\nspec:\n  objectRules:\n  - apiGroups: [\"\"]\n    apiVersions: [\"*\"]\n    resources: [\"namespaces\"]\n    operations: [\"CREATE\"]\n  code: |\n    const request = getRequest();\n    const name = request.object.metadata.name;\n    if (!name.endsWith(\"-uwu\")) {\n      const newObject = jsonClone(request.object);\n      newObject.metadata.name = `${name}-uwu`;\n      const patch = jsonPatchDiff(request.object, newObject);\n      allowAndMutate(patch);\n    }\n```\n\nNow your cluster automatically makes all namespaces cute:\n\n```\n$ kubectl create namespace my-namespace\nnamespace/my-namespace-uwu created\n```\n\n### CronPolicy\n\nCronPolicy checks the cluster periodically and notifies to specified webhook (e.g. Slack) if check fails.\n\nWrite a CronPolicy:\n\n```yaml\napiVersion: checkpoint.devsisters.com/v1\nkind: CronPolicy\nmetadata:\n  name: cute-namespace-detected\nspec:\n  suspend: false\n  schedule: \"* * * * *\"\n  resources:\n  - group: \"\"\n    version: v1\n    kind: Namespace\n  code: |\n    const [namespaces] = getResources();\n    let names = \"\";\n    for (const namespace of namespaces) {\n      if (namespace.metadata.name.endsWith(\"-uwu\")) {\n        names += `- \\`${namespace.metadata.name}\\`\\n`;\n      }\n    }\n    if (names !== \"\") {\n      setOutput({names});\n    }\n  notifications:\n    slack:\n      webhookUrl: \"https://example.com\" # Edit with your real Slack incoming webhook URL!\n      message: |\n        `{policy.name}` *is firing*\n        Following namespaces have cute name:\n        {output.names}\n  restartPolicy: Never\n```\n\nNow your cluster is checked every minute if the cluster has cute namespaces.\n\nIf you create one:\n\n```\n$ kubectl create namespace my-namespace-uwu\nnamespace/my-namespace-uwu created\n```\n\nYou will receive following Slack notification:\n\n![Example Slack notification](./example-slack-notification.png)\n\n## License\n\nThis project is licensed under the terms of Apache 2.0. See [LICENSE](./LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevsisters%2Fcheckpoint","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevsisters%2Fcheckpoint","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevsisters%2Fcheckpoint/lists"}