{"id":13689929,"url":"https://github.com/google/gke-policy-automation","last_synced_at":"2026-04-13T11:00:58.376Z","repository":{"id":37525080,"uuid":"470366002","full_name":"google/gke-policy-automation","owner":"google","description":"Tool and policy library for reviewing Google Kubernetes Engine clusters against best practices","archived":false,"fork":false,"pushed_at":"2025-11-20T02:49:20.000Z","size":2933,"stargazers_count":526,"open_issues_count":8,"forks_count":26,"subscribers_count":8,"default_branch":"main","last_synced_at":"2026-04-01T03:55:41.982Z","etag":null,"topics":["gcp","gke","opa","policy","rego"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"docs/code-of-conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-03-15T23:39:19.000Z","updated_at":"2026-02-21T22:51:38.000Z","dependencies_parsed_at":"2023-11-07T13:29:45.092Z","dependency_job_id":"6c9d3c9d-8da4-4810-a314-c9cc9083a46d","html_url":"https://github.com/google/gke-policy-automation","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/google/gke-policy-automation","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fgke-policy-automation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fgke-policy-automation/tags","releases_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fgke-policy-automation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fgke-policy-automation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/gke-policy-automation/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fgke-policy-automation/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31747856,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-13T09:16:15.125Z","status":"ssl_error","status_checked_at":"2026-04-13T09:16:05.023Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gcp","gke","opa","policy","rego"],"created_at":"2024-08-02T16:00:34.621Z","updated_at":"2026-04-13T11:00:58.299Z","avatar_url":"https://github.com/google.png","language":"Go","funding_links":[],"categories":["Compute","Containers","Kubernetes"],"sub_categories":["Kubernetes Engine","Kubernetes","Built with Wasm"],"readme":"\u003c!-- markdownlint-disable MD041 --\u003e\n\u003cimg src=\"assets/gke-policy-automation-logo.png\" alt=\"GKE Policy Automation logo\"\ntitle=\"GKE Policy Automation\" align=\"left\" height=\"70\" /\u003e\n\u003c!-- 
markdownlint-enable MD041 --\u003e\n\n# GKE Policy Automation\n\nThis repository contains the tool and the [policy library](./gke-policies-v2) for validating [GKE](https://cloud.google.com/kubernetes-engine)\nclusters against configuration [best practices](#checking-best-practices)\nand [scalability limits](#checking-scalability-limits).\n\n[![Build](https://github.com/google/gke-policy-automation/actions/workflows/build.yml/badge.svg)](https://github.com/google/gke-policy-automation/actions/workflows/build.yml)\n[![Policy tests](https://github.com/google/gke-policy-automation/actions/workflows/policy-test.yml/badge.svg)](https://github.com/google/gke-policy-automation/actions/workflows/policy-test.yml)\n[![Version](https://img.shields.io/github/v/release/google/gke-policy-automation?label=version)](https://img.shields.io/github/v/release/google/gke-policy-automation?label=version)\n[![Go Report Card](https://goreportcard.com/badge/github.com/google/gke-policy-automation)](https://goreportcard.com/report/github.com/google/gke-policy-automation)\n[![GoDoc](https://godoc.org/github.com/google/gke-policy-automation?status.svg)](https://godoc.org/github.com/google/gke-policy-automation)\n![GitHub](https://img.shields.io/github/license/google/gke-policy-automation)\n\n![GKE Policy Automation Demo](./assets/gke-policy-automation-demo.gif)\n\nNote: this is not an officially supported Google product.\n\n---\n\n## Table of Contents\n\n* [Installation](#installation)\n* [Usage](#usage)\n  * [Checking best practices](#checking-best-practices)\n  * [Checking scalability limits](#checking-scalability-limits)\n  * [Common check options](#common-check-options)\n  * [Defining inputs](#defining-inputs)\n  * [Defining outputs](#defining-outputs)\n  * [Authentication](#authentication)\n  * [Serverless execution](#serverless-execution)\n* [Contributing](#contributing)\n* [License](#license)\n\n## Installation\n\n### Container image\n\nThe container images with GKE Policy Automation 
tool are hosted on `ghcr.io`. Check the [packages page](https://github.com/google/gke-policy-automation/pkgs/container/gke-policy-automation)\nfor a list of all tags and versions.\n\n```sh\ndocker pull ghcr.io/google/gke-policy-automation:latest\ndocker run --rm ghcr.io/google/gke-policy-automation check \\\n-project my-project -location europe-west2 -name my-cluster\n```\n\n### Krew\n\nGKE Policy Automation is available as a [Krew](https://krew.sigs.k8s.io) plugin.\n\n```sh\nkubectl krew install gke-policy\nkubectl gke-policy check --discovery -p my-project\n```\n\n### Binary\n\nBinaries for Linux, Windows and Mac are available as tarballs on the\n[release page](https://github.com/google/gke-policy-automation/releases).\n\n### Source code\n\nGo [v1.23](https://go.dev/doc/install) or newer is required. Check the [development guide](./DEVELOPMENT.md)\nfor more details.\n\n```sh\ngit clone https://github.com/google/gke-policy-automation.git\ncd gke-policy-automation\nmake build\n./gke-policy check \\\n--project my-project --location europe-west2 --name my-cluster\n```\n\n## Usage\n\n**Full user guide**: [GKE Policy Automation User Guide](./docs/user-guide.md).\n\n### Checking best practices\n\nThe configuration best practices check validates GKE clusters against the set of\nGKE configuration policies.\n\n```sh\n./gke-policy check \\\n--project my-project --location europe-west2 --name my-cluster\n```\n\n### Checking scalability limits\n\nThe scalability limits check validates GKE clusters against the GKE quotas and limits.\nThe tool reports violations when current values cross certain thresholds.\n\n```sh\n./gke-policy check scalability \\\n--project my-project --location europe-west2 --name my-cluster\n```\n\n**NOTE**: you need to run `kube-state-metrics` to export cluster metrics to use the cluster scalability\nlimits check. 
Refer to the [kube-state-metrics installation \u0026 configuration guide](./docs/kube-state-metrics.md)\nfor more details.\n\nThe tool assumes that metrics are available in Cloud Monitoring, i.e. as a result of\n[Google Cloud Managed Service for Prometheus](https://cloud.google.com/stackdriver/docs/managed-prometheus)\nbased metrics collection. If self-managed Prometheus collection is used, be sure to:\n\n* Configure Prometheus scraping for `kube-state-metrics` using `PodMonitor` / `ServiceMonitor` and\n corresponding annotations, e.g. `prometheus.io/scrape`\n* Configure a custom Prometheus API server address in the tool\n\n  * Prepare `config.yaml`:\n\n     ```yaml\n     inputs:\n       metricsAPI:\n         enabled: true\n         address: http://my-prometheus-svc:8080 # Prometheus server API endpoint\n         username: user   # username for basic authentication (optional)\n         password: secret # password for basic authentication (optional)\n     ```\n\n  * Run `./gke-policy check scalability -c config.yaml`\n\n### Common check options\n\nThe common options apply to all types of check commands.\n\n#### Selecting multiple clusters\n\nCheck multiple GKE clusters using the config file.\n\n```sh\n./gke-policy check -c config.yaml\n```\n\nThe `config.yaml` file:\n\n```yaml\nclusters:\n  - name: prod-central\n    project: my-project-one\n    location: europe-central2\n  - id: projects/my-project-two/locations/europe-west2/clusters/prod-west\n```\n\n#### Using cluster discovery\n\nCheck multiple clusters by discovering them in selected GCP projects, folders or in the entire organization\nusing [Cloud Asset Inventory](https://cloud.google.com/asset-inventory) and a configuration file.\n\n```sh\n./gke-policy check -c config.yaml\n```\n\nThe `config.yaml` file:\n\n```yaml\nclusterDiscovery:\n  enabled: true\n  organization: \"123456789012\"\n```\n\nIt is possible to use cluster discovery on a given project using command line flags only:\n\n```sh\n./gke-policy check 
--discovery -p my-project-id\n```\n\n### Defining inputs\n\nData for cluster validation can be retrieved from multiple data sources,\ne.g. the GKE API, the Cloud Monitoring API or a local JSON file exported from the GKE API.\nFor best practices checks the GKE API is enabled by default,\nand for scalability checks the metrics API is enabled as well.\nCheck the [Inputs user guide](./docs/user-guide.md#inputs) for more details.\n\nExample:\n\n* Metrics API input from Cloud Monitoring configured in a dedicated project,\nwith all other values left at their defaults for the scalability check\n\n```yaml\ninputs:\n  gkeAPI:\n    enabled: true\n  gkeLocal:\n    enabled: false\n    file:\n  metricsAPI:\n    enabled: true\n    project: sample-project\n    metrics:\n```\n\n### Defining outputs\n\nThe cluster validation results can be published to multiple outputs, including a JSON file, a Pub/Sub topic,\na Cloud Storage bucket or Security Command Center. Check the [Outputs user guide](./docs/user-guide.md#outputs)\nfor more details.\n\nExamples:\n\n* JSON file output with command line flags\n\n  ```sh\n  ./gke-policy check \\\n  --project my-project --location europe-west2 --name my-cluster \\\n  --out-file output.json\n  ```\n\n* All outputs enabled in a configuration file\n\n  ```yaml\n  clusters:\n    - name: my-cluster\n      project: my-project\n      location: europe-west2\n  outputs:\n    - file: output.json\n    - pubsub:\n        topic: Test\n        project: my-pubsub-project\n    - cloudStorage:\n        bucket: bucket-name\n        path: path/to/write\n    - securityCommandCenter:\n        organization: \"153963171798\"\n  ```\n\n#### Custom Policy repository\n\nSpecify a custom repository with the GKE cluster best practices and check the cluster against them.\n\n* Custom policies source with command line flags\n\n  ```sh\n  ./gke-policy check \\\n  --project my-project --location europe-west2 --name my-cluster \\\n  --git-policy-repo \"https://github.com/google/gke-policy-automation\" \\\n  --git-policy-branch 
\"main\" \\\n  --git-policy-dir \"gke-policies-v2\"\n  ```\n\n* Custom policies source with a configuration file\n\n  ```sh\n  ./gke-policy check -c config.yaml\n  ```\n\n  The `config.yaml` file:\n\n  ```yaml\n  clusters:\n    - name: my-cluster\n      project: my-project\n      location: europe-west2\n  policies:\n    - repository: https://domain.com/your/custom/repository\n      branch: main\n      directory: gke-policies-v2\n  ```\n\n### Authentication\n\nThe tool fetches GKE cluster details using GCP APIs. The [application default credentials](https://cloud.google.com/docs/authentication/production)\nare used by default.\n\n* When running the tool in a GCP environment, the tool will use the [attached service account](https://cloud.google.com/iam/docs/impersonating-service-accounts#attaching-to-resources)\nby default\n* When running locally, use the `gcloud auth application-default login` command to get application\ndefault credentials\n* To use credentials from a service account key file, pass the `--creds` parameter with a path to the file.\n\nThe minimum required IAM role is `roles/container.clusterViewer`\non the cluster projects. Additional roles may be needed, depending on the configured outputs\n\\- check the [authentication section](./docs/user-guide.md#authentication) in the user guide.\n\n### Serverless execution\n\nThe GKE Policy Automation tool can be executed in a serverless way to perform automatic evaluations\nof clusters running in your organization. 
Please check our [reference Terraform Solution](./terraform/README.md)\nthat leverages GCP serverless solutions including Cloud Scheduler and Cloud Run.\n\n## Contributing\n\nPlease check out [Contributing](./CONTRIBUTING.md) and [Code of Conduct](./docs/code-of-conduct.md)\ndocs before contributing.\n\n### Development\n\nPlease check [GKE Policy Automation development](./DEVELOPMENT.md) for guides on building and developing\nthe application.\n\n### Policy authoring\n\nPlease check [GKE Policy authoring guide](./gke-policies-v2/README.md) for guides on authoring REGO rules\nfor GKE Policy Automation.\n\n## License\n\n[Apache License 2.0](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fgke-policy-automation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fgke-policy-automation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fgke-policy-automation/lists"}