{"id":38094464,"url":"https://github.com/k-cloud-labs/kinitiras","last_synced_at":"2026-01-18T05:44:16.628Z","repository":{"id":45781725,"uuid":"484638262","full_name":"k-cloud-labs/kinitiras","owner":"k-cloud-labs","description":"A programmable rule engine for k8s admission webhook","archived":false,"fork":false,"pushed_at":"2025-07-04T06:07:26.000Z","size":277,"stargazers_count":164,"open_issues_count":5,"forks_count":12,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-07-04T07:20:58.515Z","etag":null,"topics":["k8s","kubernetes","rules-engine","webhook"],"latest_commit_sha":null,"homepage":"https://k-cloud-labs.github.io/kinitiras-doc","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/k-cloud-labs.png","metadata":{"files":{"readme":"README-zh.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-04-23T03:44:47.000Z","updated_at":"2025-07-04T06:07:31.000Z","dependencies_parsed_at":"2024-06-19T02:07:01.436Z","dependency_job_id":null,"html_url":"https://github.com/k-cloud-labs/kinitiras","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/k-cloud-labs/kinitiras","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k-cloud-labs%2Fkinitiras","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k-cloud-labs%2Fkinitiras/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k-cloud-labs%2Fkinitiras/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k-cloud-labs%2Fk
initiras/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/k-cloud-labs","download_url":"https://codeload.github.com/k-cloud-labs/kinitiras/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k-cloud-labs%2Fkinitiras/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28531381,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T00:39:45.795Z","status":"online","status_checked_at":"2026-01-18T02:00:07.578Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["k8s","kubernetes","rules-engine","webhook"],"created_at":"2026-01-16T21:00:23.269Z","updated_at":"2026-01-18T05:44:16.623Z","avatar_url":"https://github.com/k-cloud-labs.png","language":"Go","funding_links":[],"categories":["Configuration Management"],"sub_categories":[],"readme":"# kinitiras\n![kinitiras-logo](docs/images/kinitiras.png)\n\n[![Build Status](https://github.com/k-cloud-labs/kinitiras/actions/workflows/ci.yml/badge.svg)](https://github.com/k-cloud-labs/kinitiras/actions?query=workflow%3Abuild)\n[![codecov](https://codecov.io/gh/k-cloud-labs/kinitiras/branch/main/graph/badge.svg?token=74uYpOiawR)](https://codecov.io/gh/k-cloud-labs/kinitiras)\n[![Go Report Card](https://goreportcard.com/badge/github.com/k-cloud-labs/kinitiras)](https://goreportcard.com/report/github.com/k-cloud-labs/kinitiras)\n[![Go 
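doc](https://img.shields.io/badge/go.dev-reference-brightgreen?logo=go\u0026logoColor=white\u0026style=flat)](https://pkg.go.dev/github.com/k-cloud-labs/kinitiras)\n\n[[English](README.md)]\n\nA **lightweight**, **powerful** and **programmable** rule engine for k8s admission webhooks.\n\nIf you want similar capabilities on the client side, use [pidalio](https://github.com/k-cloud-labs/pidalio).\n\n## Quick start\n\n### Deploy the CRDs\n```shell\nkubectl apply -f https://raw.githubusercontent.com/k-cloud-labs/pkg/main/charts/_crds/bases/policy.kcloudlabs.io_overridepolicies.yaml\nkubectl apply -f https://raw.githubusercontent.com/k-cloud-labs/pkg/main/charts/_crds/bases/policy.kcloudlabs.io_clusteroverridepolicies.yaml\nkubectl apply -f https://raw.githubusercontent.com/k-cloud-labs/pkg/main/charts/_crds/bases/policy.kcloudlabs.io_clustervalidatepolicies.yaml\n```\n\n### Deploy the application\nBy default, all resources are deployed in the `kinitiras-system` namespace; you can modify the deployment file `deploy/deploy.yaml` as needed.\n\nThe default webhook configuration intercepts all resource objects that carry the `kinitiras.kcloudlabs.io/webhook: enabled` label; you can modify the corresponding file `deploy/webhook-configuration.yaml` as needed.\n**_Before deploying, modify all deployment files under `deploy` as needed._**\n\nAfter making your changes, run the following command to deploy to the cluster.\n\n```shell\nkubectl apply -f deploy/\n```\n\n### Create policies\nThree kinds of policy are supported; their purpose and scope are as follows:\n\n`OverridePolicy` can modify resource objects in the same namespace.\n`ClusterOverridePolicy` can modify resource objects in any namespace.\n`ClusterValidatePolicy` can validate operations on resource objects in any namespace.\n\nFor cluster-scoped resources:\n- Matching `ClusterOverridePolicy` policies are applied in alphabetical order of policy name;\n\nFor namespace-scoped resource objects:\n- First, all matching `ClusterOverridePolicy` policies are applied;\n- Then, all matching `OverridePolicy` policies are applied;\n\nThe programmability of policies relies on [CUE](https://cuelang.org/).\n\n### Constraints\n1. The K8s resource object is passed via the `object` parameter; for modification requests, the old resource object is passed via the `oldObject` parameter. A parameter that is not needed can be omitted, but the parameter names cannot be changed;\n2. Mutating results are returned in the `patches` parameter;\n3. Validating results are returned in the `validate` parameter; \n4. Data transfer is defined in the `processing` node, which contains two child nodes, `http` and `output`\n    1. `http` is used to send http(s) requests. Reference: [http](https://pkg.go.dev/cuelang.org/go/pkg/tool/http);\n    2. 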
`output` is used to receive the returned result; define its structure as needed;\n\nStructure definition:\n\n```cue\n// oldObject applies only to the `UPDATE` operation in `clustervalidatepolicy` policies  \nobject: _ @tag(object) \noldObject: _ @tag(oldObject)\n\nprocessing: {\n\toutput: {\n\t\t// define the response body structure as needed\t\n\t}\n\thttp: {\n\t    method: *\"GET\" | string\n\t    url: parameter.serviceURL\n\t    request: {\n\t    \tbody ?: bytes\n\t    \theader: {}\n\t    \ttrailer: {}\n\t    }\n\t}\n}\n\npatch: {\n\top: string\n\tpath: string\n\tvalue: string\n}\n\n// structure returned for mutating\npatches: [...patch] \n\n// structure returned for validating\nvalidate: { \n\treason?: string\n\tvalid: bool\n}\n```\n\n\n## Examples\nThe example folder contains the following samples for reference.\n\n`deletens-cvp.yaml` protects namespaces carrying the `kinitiras.kcloudlabs.io/webhook=enabled` label from being deleted.\n\n`addanno-op.yaml` adds the `added-by=op` annotation to pods in the default namespace that carry the `kinitiras.kcloudlabs.io/webhook=enabled` label.\n\n`addanno-cop.yaml` adds the `added-by=cue` annotation to pods in the default namespace that carry the `kinitiras.kcloudlabs.io/webhook=enabled` label.\n\n## Features\n- [x] Supports modifying k8s resource objects in plaintext form in (Cluster)OverridePolicy policies.\n- [x] Supports modifying k8s resource objects programmatically with cue in (Cluster)OverridePolicy policies.\n- [x] Supports validating k8s resource objects programmatically with cue in ClusterValidatePolicy policies.\n- [x] Supports sending http requests with CUE in policies.\n- [ ] Supports validating CUE content with a kubectl plugin.\n- [ ] ...\n\nFor more details, see the [roadmap](./ROADMAP.md).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk-cloud-labs%2Fkinitiras","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fk-cloud-labs%2Fkinitiras","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk-cloud-labs%2Fkinitiras/lists"}