{"id":13408195,"url":"https://github.com/open-policy-agent/kube-mgmt","last_synced_at":"2026-02-05T22:05:04.764Z","repository":{"id":37451357,"uuid":"94342237","full_name":"open-policy-agent/kube-mgmt","owner":"open-policy-agent","description":"Sidecar for managing OPA instances in Kubernetes.","archived":false,"fork":false,"pushed_at":"2025-11-25T14:53:33.000Z","size":46365,"stargazers_count":254,"open_issues_count":11,"forks_count":106,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-11-28T20:33:00.190Z","etag":null,"topics":["devops","k8s","kubernetes","opa","policy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/open-policy-agent.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-06-14T14:50:18.000Z","updated_at":"2025-11-28T13:39:51.000Z","dependencies_parsed_at":"2024-04-19T13:44:09.694Z","dependency_job_id":"87a520c1-cb1a-491e-959a-20cb7ef13a93","html_url":"https://github.com/open-policy-agent/kube-mgmt","commit_stats":null,"previous_names":[],"tags_count":69,"template":false,"template_full_name":null,"purl":"pkg:github/open-policy-agent/kube-mgmt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-policy-agent%2Fkube-mgmt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-policy-agent%2Fkube-mgmt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-policy-agent%2Fkube-mgmt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-policy-agent%2Fkube-mgmt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/open-policy-agent","download_url":"https://codeload.github.com/open-policy-agent/kube-mgmt/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-policy-agent%2Fkube-mgmt/sbom","scorecard":{"id":708483,"data":{"date":"2025-08-11","repo":{"name":"github.com/open-policy-agent/kube-mgmt","commit":"86424fc4f77f8165fca867dfae7d247dd2a6d9a8"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.9,"checks":[{"name":"Maintained","score":10,"reason":"12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yaml:1","Warn: no topLevel permission defined: .github/workflows/release.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":7,"reason":"Found 13/17 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/build.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/build.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/build.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/build.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/build.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/open-policy-agent/kube-mgmt/release.yaml/master?enable=pin","Warn: goCommand not pinned by hash: .github/workflows/build.yaml:27","Warn: pipCommand not pinned by hash: .github/workflows/build.yaml:45","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   9 third-party GitHubAction dependencies pinned","Info:   0 out of   1 goCommand dependencies pinned","Info:   0 out of   1 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 28 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3787 / GHSA-fv92-fjc5-jj9h"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T07:27:05.792Z","repository_id":37451357,"created_at":"2025-08-22T07:27:05.792Z","updated_at":"2025-08-22T07:27:05.792Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29135959,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-05T21:59:57.939Z","status":"ssl_error","status_checked_at":"2026-02-05T21:59:57.628Z","response_time":65,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","k8s","kubernetes","opa","policy"],"created_at":"2024-07-30T20:00:51.343Z","updated_at":"2026-02-05T22:05:04.757Z","avatar_url":"https://github.com/open-policy-agent.png","language":"Go","funding_links":[],"categories":["Go","Kubernetes","Tools"],"sub_categories":["Built with Wasm","Others"],"readme":"# ![logo](./logo/logo.png) kube-mgmt\n\n`kube-mgmt` manages policies / data of [Open Policy Agent](https://github.com/open-policy-agent/opa)\ninstances in Kubernetes.\n\nUse `kube-mgmt` to:\n* Load policies and/or static data into OPA instance from `ConfigMap`.\n* Replicate Kubernetes resources\nincluding [CustomResourceDefinitions (CRDs)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) into OPA instance.\n\n## Deployment Guide\n\nBoth `OPA` and `kube-mgmt` can be installed using [opa-kube-mgmt](\nhttps://artifacthub.io/packages/helm/opa-kube-mgmt/opa-kube-mgmt) Helm chart.\n\nFollow [README](charts/opa-kube-mgmt/README.md) to install it into K8s cluster.\n\n## Policies and data loading\n\n`kube-mgmt` automatically discovers policies and JSON data\nstored in `ConfigMaps` in Kubernetes and loads them into OPA.\n\n`kube-mgmt` assumes a `ConfigMap` contains policy or JSON data if the `ConfigMap` is:\n\n- Created in a namespace listed in the `--namespaces` option.\n  If you specify `--namespaces=*` then `kube-mgmt` will look for policies in ALL namespaces.\n- Labelled with `openpolicyagent.org/policy=rego` for policies\n- Labelled with `openpolicyagent.org/data=opa` for JSON data\n\nPolicies or data discovery and loading can be disabled using `--enable-policy=false` or `--enable-data=false` flags respectively.\n\nLabel names and their values can be configured using `--policy-label`, `--policy-value`, `--data-label`, `--data-value` CLI options.\n\nWhen a `ConfigMap` has been successfully loaded into OPA,\nthe `openpolicyagent.org/kube-mgmt-status` annotation is set to `{\"status\": \"ok\"}`.\n\nIf loading fails for some reason (e.g., because of a parse error), the\n`openpolicyagent.org/kube-mgmt-status` annotation is set to `{\"status\": \"error\", \"error\": ...}`\nwhere the `error` field contains details about the failure.\n\nData loaded out of ConfigMaps is laid out as follows:\n\n```\n\u003cnamespace\u003e/\u003cname\u003e/\u003ckey\u003e\n```\n\nFor example, if the following ConfigMap was created:\n\n```yaml\nkind: ConfigMap\napiVersion: v1\nmetadata:\n  name: hello-data\n  namespace: opa\n  labels:\n    openpolicyagent.org/data: opa\ndata:\n  x.json: |\n    {\"a\": [1,2,3,4]}\n```\nNote: \"x.json\" may be any key.\n\nYou could refer to the data inside your policies as follows:\n\n```rego\ndata.opa[\"hello-data\"][\"x.json\"].a[0]  # evaluates to 1\n```\n\n## K8s resource replication\n\n\u003e [!WARNING]\n\u003e K8s resource replication requires global cluster permission with `ClusterRole` and `ClusterRoleBinding`.\n\n`kube-mgmt` can be configured to replicate Kubernetes resources into OPA so that\nyou can express policies over an eventually consistent cache of Kubernetes\nstate.\n\nReplication is enabled with the following options:\n\n```bash\n# Replicate namespace-level resources. May be specified multiple times.\n--replicate=\u003c[group/]version/resource\u003e\n\n# Replicate cluster-level resources. May be specified multiple times.\n--replicate-cluster=\u003c[group/]version/resource\u003e\n```\n\nBy default resources are replicated from all namespaces.\nUse `--replicate-ignore-namespaces` option to exclude particular namespaces from replication.\n\nKubernetes resources replicated into OPA are laid out as follows:\n\n```\n\u003creplicate-path\u003e/\u003cresource\u003e/\u003cnamespace\u003e/\u003cname\u003e # namespace scoped\n\u003creplicate-path\u003e/\u003cresource\u003e/\u003cname\u003e             # cluster scoped\n```\n\n- `\u003creplicate-path\u003e` is configurable (via `--replicate-path`) and\n  defaults to `kubernetes`.\n- `\u003cresource\u003e` is the Kubernetes resource plural, e.g., `nodes`,\n  `pods`, `services`, etc.\n- `\u003cnamespace\u003e` is the namespace of the Kubernetes resource.\n- `\u003cname\u003e` is the name of the Kubernetes resource.\n\nFor example, to search for services with the label `\"foo\"` you could write:\n\n```\nsome namespace, name\nservice := data.kubernetes.services[namespace][name]\nservice.metadata.labels[\"foo\"]\n```\n\nAn alternative way to visualize the layout is as single JSON document:\n\n```json\n{\n  \"kubernetes\": {\n    \"services\": {\n      \"default\": {\n        \"example-service\": {...},\n          \"another-service\": {...},\n        }\n      }\n    }\n  }\n}\n```\n\nThe example below would replicate Deployments, Services, and Nodes into OPA:\n\n```bash\n--replicate=apps/v1beta/deployments\n--replicate=v1/services\n--replicate-cluster=v1/nodes\n```\n\nCustom Resource Definitions can also be replicated using the same `--replicate` and `--replicate-cluster` options.\n\n## Admission Control\n\nTo get started with admission control policy enforcement in Kubernetes 1.9 or later see the [Kubernetes Admission Control](http://www.openpolicyagent.org/docs/kubernetes-admission-control.html) tutorial. For older versions of Kubernetes, see [Admission Control (1.7)](./docs/admission-control-1.7.md).\n\nIn the [Kubernetes Admission Control](http://www.openpolicyagent.org/docs/kubernetes-admission-control.html) tutorial, OPA is **NOT** running with an authorization policy configured and hence clients can read and write policies in OPA. When deploying OPA in an insecure environment, it is recommended to configure `authentication` and `authorization` on the OPA daemon. For an example of how OPA can be securely deployed as an admission controller see [Admission Control Secure](./docs/admission-control-secure.md).\n\n## OPA API Endpoints and Least-privilege Configuration\n\n`kube-mgmt` is a privileged component that can load policy and data into OPA.\nOther clients connecting to the OPA API only need to query for policy decisions.\n\nTo load policy and data into OPA, `kube-mgmt` uses the following OPA API\nendpoints:\n\n* `PUT v1/policy/\u003cpath\u003e` - upserting policies\n* `DELETE v1/policy/\u003cpath\u003e` - deleting policies\n* `PUT v1/data/\u003cpath\u003e` - upserting data\n* `PATCH v1/data/\u003cpath\u003e` - updating and removing data\n\nMany users configure OPA with a simple API authorization policy that restricts\naccess to the OPA APIs:\n\n```rego\npackage system.authz\n\n# Deny access by default.\ndefault allow = false\n\n# Allow anonymous access to decision `data.example.response`\n#\n# NOTE: the specific decision differs depending on your policies.\n# NOTE: depending on how callers are configured, they may only require this or the default decision below.\nallow {\n  input.path == [\"v0\", \"data\", \"example\", \"response\"]\n  input.method == \"POST\"\n}\n\n# Allow anonymous access to default decision.\nallow {\n  input.path == [\"\"]\n  input.method == \"POST\"\n}\n\n# This is only used for health check in liveness and readiness probe\nallow {\n  input.path == [\"health\"]\n  input.method == \"GET\"\n}\n\n# This is only used for prometheus metrics\nallow {\n  input.path == [\"metrics\"]\n  input.method == \"GET\"\n}\n\n# This is used by kube-mgmt to PUT/PATCH against /v1/data and PUT/DELETE against /v1/policies.\n#\n# NOTE: The $TOKEN value is replaced at deploy-time with the actual value that kube-mgmt will use. This is typically done by an initContainer.\nallow {\n  input.identity == \"$TOKEN\"\n}\n```\n\n## Development\n\n### Required software\n\n* [Go language toolchain](https://go.dev/doc/install).\n* [just](https://github.com/casey/just#just) - generic command runner.\n* [skaffold](https://skaffold.dev/) - build and publish docker images and more, `v2.x` and above is required.\n* [helm](https://helm.sh/docs/intro/install/) - package manager for k8s.\n* [k3d](https://k3d.io/#installation) - local k8s cluster with docker registry.\n* [kubectl](https://kubernetes.io/docs/tasks/tools/) - Kubernetes CLI.\n* [opa](https://www.openpolicyagent.org/docs#running-opa) - Open Policy Agent CLI (for e2e tests).\n* [staticcheck](https://staticcheck.io/docs/getting-started/) - Go static analysis tool (for linting).\n* [httpie](https://httpie.io/docs/cli/installation) - HTTP client (for e2e tests).\n* [jq](https://jqlang.github.io/jq/download/) - JSON processor (for e2e tests).\n* [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md) - Container image tool (optional, for inspecting images).\n\nThis project uses `just` for building, testing and running `kube-mgmt` locally.\nIt is configured from [justfile](./justfile) in root directory.\nAll available recipes can be inspected by running `just` without arguments.\n\n### Release\n\nTo release a new version - create [GitHub release](https://github.com/open-policy-agent/kube-mgmt/releases)\nwith corresponding tag name that follows [semantic versioning convention](https://semver.org/).\n\nAs soon as tag is pushed - CI pipeline will build and publish artifacts: docker images for supported architectures and helm chart.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopen-policy-agent%2Fkube-mgmt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopen-policy-agent%2Fkube-mgmt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopen-policy-agent%2Fkube-mgmt/lists"}