{"id":18769296,"url":"https://github.com/score-spec/score-k8s","last_synced_at":"2026-03-09T01:07:26.336Z","repository":{"id":239602416,"uuid":"783797927","full_name":"score-spec/score-k8s","owner":"score-spec","description":"A reference Score implementation that targets Kubernetes","archived":false,"fork":false,"pushed_at":"2026-03-01T20:01:06.000Z","size":1436,"stargazers_count":46,"open_issues_count":9,"forks_count":19,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-01T21:54:59.367Z","etag":null,"topics":["kubernetes","platform-engineering","score"],"latest_commit_sha":null,"homepage":"https://docs.score.dev/docs/score-implementation/score-k8s/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/score-spec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-04-08T15:35:28.000Z","updated_at":"2026-03-01T20:00:50.000Z","dependencies_parsed_at":"2024-06-03T18:42:18.770Z","dependency_job_id":"e3d248af-6bc2-4bb4-af2d-2a3dbb4467c5","html_url":"https://github.com/score-spec/score-k8s","commit_stats":null,"previous_names":["score-spec/score-k8s"],"tags_count":46,"template":false,"template_full_name":null,"purl":"pkg:github/score-spec/score-k8s","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/score-spec%2Fscore-k8s","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/score-spec%2Fscore-k8s/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/score-spec%2Fscore-k8s/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/score-spec%2Fscore-k8s/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/score-spec","download_url":"https://codeload.github.com/score-spec/score-k8s/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/score-spec%2Fscore-k8s/sbom","scorecard":{"id":278486,"data":{"date":"2025-08-17T14:38:36Z","repo":{"name":"github.com/score-spec/score-k8s","commit":"aa535746af9cb4d0139f272080973f81dd6a5dca"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":7.4,"checks":[{"name":"Code-Review","score":4,"reason":"Found 5/12 approved changesets -- score normalized to 4","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"22 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yaml:9","Warn: topLevel 'contents' permission set to 'write': .github/workflows/dependabot-auto-merge.yaml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yaml:7","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:   7 out of   7 GitHub-owned GitHubAction dependencies pinned","Info:   8 out of   8 third-party GitHubAction dependencies pinned","Info:   2 out of   2 containerImage dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/ci.yaml:11"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Info: 'stale review dismissal' is required to merge on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is not required on branch 'main'","Info: 'last push approval' is required to merge on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":8,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: signed release artifact: checksums.txt.sig: https://github.com/score-spec/score-k8s/releases/tag/0.6.1","Info: signed release artifact: checksums.txt.sig: https://github.com/score-spec/score-k8s/releases/tag/0.6.0","Info: signed release artifact: checksums.txt.sig: https://github.com/score-spec/score-k8s/releases/tag/0.5.2","Info: signed release artifact: checksums.txt.sig: https://github.com/score-spec/score-k8s/releases/tag/0.5.1","Info: signed release artifact: checksums.txt.sig: https://github.com/score-spec/score-k8s/releases/tag/0.5.0","Warn: release artifact 0.6.1 does not have provenance: https://api.github.com/repos/score-spec/score-k8s/releases/227511726","Warn: release artifact 0.6.0 does not have provenance: https://api.github.com/repos/score-spec/score-k8s/releases/227509676","Warn: release artifact 0.5.2 does not have provenance: https://api.github.com/repos/score-spec/score-k8s/releases/225205855","Warn: release artifact 0.5.1 does not have provenance: https://api.github.com/repos/score-spec/score-k8s/releases/225002789","Warn: release artifact 0.5.0 does not have provenance: https://api.github.com/repos/score-spec/score-k8s/releases/224340931"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"Contributors","score":10,"reason":"project has 3 contributing companies or organizations -- score normalized to 10","details":["Info: found contributions from: humanitec, score-spec, unemployed"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}}]},"last_synced_at":"2025-08-17T15:07:26.494Z","repository_id":239602416,"created_at":"2025-08-17T15:07:26.494Z","updated_at":"2025-08-17T15:07:26.494Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30279768,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-08T20:45:49.896Z","status":"ssl_error","status_checked_at":"2026-03-08T20:45:49.525Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","platform-engineering","score"],"created_at":"2024-11-07T19:15:27.523Z","updated_at":"2026-03-09T01:07:26.306Z","avatar_url":"https://github.com/score-spec.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![ci](https://github.com/score-spec/score-k8s/actions/workflows/ci.yaml/badge.svg)](https://github.com/score-spec/score-k8s/actions/workflows/ci.yaml)\n[![release](https://github.com/score-spec/score-k8s/actions/workflows/release.yaml/badge.svg)](https://github.com/score-spec/score-k8s/actions/workflows/release.yaml)\n[![good first issues](https://img.shields.io/github/issues-search/score-spec/score-k8s?query=type%3Aissue%20is%3Aopen%20label%3A%22good%20first%20issue%22\u0026label=good%20first%20issues\u0026style=flat\u0026logo=github)](https://github.com/score-spec/score-k8s/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22)\n[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fscore-spec%2Fscore-k8s.svg?type=shield\u0026issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fscore-spec%2Fscore-k8s?ref=badge_shield\u0026issueType=license)\n[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/score-spec/score-k8s/badge)](https://scorecard.dev/viewer/?uri=github.com/score-spec/score-k8s)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9913/badge)](https://www.bestpractices.dev/projects/9913)\n\n![banner image](images/banner.png)\n\n# score-k8s\n\n`score-k8s` is a reference implementation of the [Score specification](https://github.com/score-spec/spec) for [Kubernetes](https://kubernetes.io/). It converts Score files into a YAML file containing Kubernetes manifests that can be packaged or installed through `kubectl apply`. `score-k8s` is used primarily for demonstration and reference purposes but _may_ be used for pre-production/production use if necessary.\n\nThis implementation supports most aspects of the Score specification and provides a powerful resource provisioning system for supplying and customising the dynamic configuration of attached services such as databases, queues, storage, and other network or storage APIs.\n\n![workflow diagram](images/workflow.drawio.png)\n\n1. The user runs `score-k8s init` in their project to initialise the empty state and default provisioners\n\n    1b. The user can import, copy, or download a custom set of extended resource provisioners that they or their platform team have developed specific to the target cluster.\n\n2. The user runs `score-k8s generate` to add Score files to the project and generate a `manifests.yaml` file. Multiple score files can be added and the resulting manifests will include all workloads and all resources together.\n3. Iterate by changing the score files, and re-running `generate`.\n4. The manifests can then be validated and deployed through `kubectl apply -f manifests.yaml`.\n5. To remove the resources from the cluster, the same `kubectl delete -f manifests.yaml` can be used.\n\n## Feature support\n\n`score-k8s` supports all features of the Score Workload specification.\n\n## Resource support\n\n`score-k8s` supports a full resource provisioning system which converts workload artefacts into outputs and/or a set of Kubernetes manifests. The resource system works similarly to `score-compose` with one or more YAML files describing how to provision a set of supported resources. Users and teams can supply their own provisioners files to extend this set.\n\nProvisioners are loaded from any `*.provisioners.yaml` files in the local `.score-k8s` directory, and matched to the resources by the `type` and optional `class` and `id` fields. Matches are performed with a first-match policy, so default provisioners can be overridden by supplying a custom provisioner with the same `type`.\n\nGenerally, users will want to copy in the provisioners files that work with their cluster. For example, if the cluster has Postgres or MySQL operators installed, then custom provisioners can be written to provision a database using the operator-specific CRDs with any clustering and backup mechanisms configured.\n\nFor details of how the standard \"template\" provisioner works, see the `template://example-provisioners/example-provisioner` provisioner [here](internal/provisioners/default/zz-default.provisioners.yaml). For details of how the standard \"cmd\" provisioner works, see the `cmd://bash#example-provisioner` provisioner [here](internal/provisioners/default/zz-default.provisioners.yaml).\n\n## Provisioner support\n\n`score-k8s` comes with out-of-the-box support for:\n\n| Type          | Class   | Params                 | Output                                                          |\n| ------------- | ------- | ---------------------- |-----------------------------------------------------------------|\n| volume        | default | (none)                 | `source`                                                        |\n| redis         | default | (none)                 | `host`, `port`, `username`, `password`                          |\n| postgres      | default | (none)                 | `host`, `port`, `name` (aka `database`), `username`, `password` |\n| mysql         | default | (none)                 | `host`, `port`, `name` (aka `database`), `username`, `password` |\n| dns           | default | (none)                 | `host`                                                          |\n| route         | default | `host`, `path`, `port` |                                                                 |\n| mongodb       | default | (none)                 | `host`, `port`, `username`, `password`, `name`, `connection`    |\n| ampq          | default | (none)                 | `host`, `port`, `username`, `password`, `vhost`                 |\n| mssql         | default | (none)                 | `server`, `port`, `database`, `password`                        |\n| s3            | default | (none)                 | `endpoint`, `region`, `bucket`, `access_key_id`, `secret_key`   |\n\nUsers are encouraged to write their own custom provisioners to support new resource types or to modify the implementations above.\n\n## Commands\n\n### Init\n\n```\n$ score-k8s init --help\nThe init subcommand will prepare the current directory for working with score-k8s and write the initial\nempty state and default provisioners file into the '.score-k8s' subdirectory.\n\nThe '.score-k8s' directory contains state that will be used to generate any Kubernetes resource manifests including\npotentially sensitive data and raw secrets, so this should not be checked into generic source control.\n\nCustom provisioners can be installed by uri using the --provisioners flag. The provisioners will be installed and take\nprecedence in the order they are defined over the default provisioners. If init has already been called with provisioners\nthe new provisioners will take precedence.\n\nTo adjust the generated manifests, or perform post processing actions, you can use the --patch-templates flag to provide\none or more template files by uri. Each template file is stored in the project and then evaluated as a \nGolang text/template and should output a yaml/json encoded array of patches. Each patch is an object with required 'op' \n(set or delete), 'patch' (a dot-separated json path), a 'value' if the 'op' == 'set', and an optional 'description' for \nshowing in the logs. The template has access to '.Manifests' and '.Workloads'.\n\nUsage:\n  score-k8s init [flags]\n\nExamples:\n\n  # Initialise a new score-k8s project\n  score-k8s init\n\n  # Or disable the default score file generation if you already have a score file\n  score-k8s init --no-sample\n\n  # Optionally loading in provisoners from a remote url\n  score-k8s init --provisioners https://raw.githubusercontent.com/user/repo/main/example.yaml\n\n  # Optionally adding a couple of patching templates\n  score-k8s init --patch-templates ./patching.tpl --patch-templates https://raw.githubusercontent.com/user/repo/main/example.tpl\n\nURI Retrieval:\n  The --provisioners and --patch-templates arguments support URI retrieval for pulling the contents from a URI on disk\n  or over the network. These support:\n    - HTTP        : http://host/file\n    - HTTPS       : https://host/file\n    - Git (SSH)   : git-ssh://git@host/repo.git/file\n    - Git (HTTPS) : git-https://host/repo.git/file\n    - OCI         : oci://[registry/][namespace/]repository[:tag|@digest][#file]\n    - Local File  : /path/to/local/file\n    - Stdin       : - (read from standard input)\n\nFlags:\n  -f, --file string                  The score file to initialize (default \"score.yaml\")\n  -h, --help                         help for init\n      --no-sample                    Disable generation of the sample score file\n      --patch-templates stringArray   Patching template files to include. May be specified multiple times. Supports URI retrieval.\n      --provisioners stringArray     Provisioner files to install. May be specified multiple times. Supports URI retrieval.\n\nGlobal Flags:\n      --quiet           Mute any logging output\n  -v, --verbose count   Increase log verbosity and detail by specifying this flag one or more times\n```\n\n### Generate\n\n```\n$ score-k8s generate --help\nThe generate command will convert Score files in the current Score state into a combined set of Kubernetes\nmanifests. All resources and links between Workloads will be resolved and provisioned as required.\n\n\"score-k8s init\" MUST be run first. An error will be thrown if the project directory is not present.\n\nUsage:\n  score-k8s generate [flags]\n\nExamples:\n\n  # Specify Score files\n  score-k8s generate score.yaml *.score.yaml\n\n  # Regenerate without adding new score files\n  score-k8s generate\n\n  # Provide a default container image for any containers with image=.\n  score-k8s generate score.yaml --image=nginx:latest\n\n  # Provide overrides when one score file is provided\n  score-k8s generate score.yaml --override-file=./overrides.score.yaml --override-property=metadata.key=value\n\n  # Patch resulting manifests\n  score-k8s generate score.yaml --patch-manifests */*/metadata.annotations.key=value --patch-manifests Deployment/foo/spec.replicas=4\n\n  # Set namespace for all resources\n  score-k8s generate score.yaml --namespace=test-ns\n\n  # Generate namespace manifest and set namespace for all resources\n  score-k8s generate score.yaml --namespace=test-ns --generate-namespace\n\nFlags:\n  -h, --help                            help for generate\n      --image string                    An optional container image to use for any container with image == '.'\n  -o, --output string                   The output manifests file to write the manifests to (default \"manifests.yaml\")\n      --override-property stringArray   An optional set of path=key overrides to set or remove\n      --overrides-file string           An optional file of Score overrides to merge in\n      --patch-manifests stringArray     An optional set of \u003ckind|*\u003e/\u003cname|*\u003e/path=key operations for the output manifests\n      --namespace string               An optional namespace to set for all generated resources\n      --generate-namespace              If true, generate a namespace manifest (requires --namespace to be set)\n```\n\n### Shell Completions\n\n```\n$ score-k8s completion --help\nGenerate the autocompletion script for score-k8s for the specified shell.\nSee each sub-command's help for details on how to use the generated script.\n\nUsage:\n  score-k8s completion [command]\n\nAvailable Commands:\n  bash        Generate the autocompletion script for bash\n  fish        Generate the autocompletion script for fish\n  powershell  Generate the autocompletion script for powershell\n  zsh         Generate the autocompletion script for zsh\n\nFlags:\n  -h, --help   help for completion\n\nGlobal Flags:\n      --quiet           Mute any logging output\n  -v, --verbose count   Increase log verbosity and detail by specifying this flag one or more times\n\nUse \"score-k8s completion [command] --help\" for more information about a command.\n```\n\n## Installation\n\nEither, install through Homebrew for macOS and supported Linux distributions:\n\n```\n$ brew install score-spec/tap/score-k8s\n# to upgrade an existing installation, tr\n$ brew upgrade score-k8s\n```\n\nOr, download the binaries for your platform from the [latest Github releases](https://github.com/score-spec/score-k8s/releases):\n\n```\n$ wget https://github.com/score-spec/score-k8s/releases/download/\u003cx.y.z\u003e/score-k8s_\u003cx.y.z\u003e_\u003cos_system\u003e.tar.gz\n```\n\nOr, install the Go module directly (Go \u003e 1.23):\n\n```\n$ go install -v github.com/score-spec/score-k8s/cmd/score-k8s@latest\n```\n\nAlternative installation guides and implementations can be found in the [Score docs](https://docs.score.dev/docs/score-implementation/score-k8s/#installation).\n\n## FAQ\n\n### Why are there so few default resource provisioners?\n\nKubernetes is a complex environment to provide defaults for since there are so many different ways to configure it and so many different ways to deploy the same resource. For example, should a Database be provisioned using a Helm chart, a set of manifests, an operator CRD, a cloud-specific operator CRD? These are not questions that have easy default answers and so we encourage users to build and share a set of custom provisioners depending on the cluster they aim to deploy to.\n\n### Why does the default provisioners file have a `zz-` prefix?\n\nThe provisioner files are loaded in lexicographic order, the `zz` prefix helps to ensure that the defaults are loaded last and that any custom provisioners have precedence.\n\n### How can I write my own provisioner?\n\nProvisioners can be written as templates for score-k8s to evaluate or a command/script that will be called. Write a file following the conventions used in the example provisioners from [zz-default.provisioners.yaml](./internal/provisioners/default/zz-default.provisioners.yaml). Then add this to your project by running `score-k8s init --provisioners ./your-custom.provisioners.yaml`.\n\nOther resources can be found at:\n- https://github.com/score-spec/community-provisioners\n- https://score.dev/blog/writing-a-custom-score-compose-provisioner-for-apache-kafka/\n- `score-k8s init --help`\n\n### Does score-k8s generate a Deployment or StatefulSet?\n\n`score-k8s` generates a Deployment by default or when the `k8s.score.dev/kind` workload metadata annotation is set to `Deployment`. If the annotation is set to `StatefulSet` it will generate a set and allow the use of claim templates as outputs from volume resources.\n\n### How do I configure the number of replicas or security context for the workload deployment?\n\n`score-k8s` will always generate a deployment or set with 1 replica. The workload should be scaled to multiple replicas through either:\n\n1. Scale up in-cluster after deployment (`kubectl scale --replicas=3 deployment/my-workload`).\n2. Or, use a [Kustomize](https://kustomize.io/) patch to override the number of replicas with `kubectl apply -k`.\n3. Or, use a `--patch-templates` template to set the `spec.replicas` in the relevant workloads (see further below).\n\n### Which namespace will manifests be deployed into?\n\nBy default, no namespace is specified in the generated manifests, so they will obey any `--namespace` passed to the `kubectl apply` command. All secret references are assumed to be in the same namespace as the workloads.\n\nHowever, you can explicitly manage namespaces using two flags in the `score-k8s generate` command:\n\n1. `--namespace`: Sets the namespace for all generated resources. When this flag is used, all resources in the generated manifests will have their `metadata.namespace` field set to the specified value.\n\n2. `--generate-namespace`: When used with `--namespace`, this flag will generate a Namespace manifest at the beginning of the output file. The namespace manifest will include appropriate labels (`app.kubernetes.io/managed-by: score-k8s`).\n\nExample usage:\n```bash\n# Set namespace for all resources\nscore-k8s generate score.yaml --namespace=test-ns\n\n# Generate namespace manifest and set namespace for all resources\nscore-k8s generate score.yaml --namespace=test-ns --generate-namespace\n```\n\n### How do I modify the generated manifests or add and remove from them?\n\nUse the `--patch-templates` options. Patch templates are small Go Text Template files which can output a set of JSON \"patch\" operations on the list of manifests. This is intended to deprecate the `--patch-manifests` option.\n\nTemplate inputs:\n\n```\n.Manifests: the array of generated manifests from the Score conversion process\n.Workloads: the map of workload name to Score specification\n```\n\nThe patch should follow this schema:\n\n```yaml\ntype: object\nrequired: [\"op\", \"path\"]\nproperties:\n  op:\n    description: The patch operation to perform at the path\n    type: string\n    enum: [\"set\", \"delete\"]\n  path:\n    description: \"A .-separated JSON path. Numeric indexes can be used to reference array indices. -1 allows appending to an array. : can be used to escape an otherwise numeric index.\"\n    type: string\n  value:\n    description: The value to set at the path when a 'set' operation is used.\n  description:\n    description: An optional description which is included in the log output when the patch is applied\n    type: string\n```\n\nAs an example, to set the replicas for the Deployment of the workload named 'example':\n\n```\n{{ range $i, $m := .Manifests }}\n{{ if and (eq $m.kind \"Deployment\") (eq (dig \"metadata\" \"annotations\" \"k8s.score.dev/workload-name\" \"\" $m) \"example\") }}\n- op: set\n  path: {{ $i }}.spec.replicas\n  value: 3\n  description: Increase the replicas for the example deployment\n{{ end }}\n{{ end }}\n```\n\nA similar approach can be done to inject security context restrictions, service accounts, labels, annotations, or to even convert a manifest from Deployment\ninto a different Kubernetes `kind` entirely through a series of patch modifications.\n\n### How do I test `score-k8s` with `kind` (Kubernetes in docker)?\n\nThe main requirement is that the route resource provisioner assumes that the Gateway API implementation is available with a named Gateway \"default\".\n\nSetup the cluster:\n\n```console\n$ kind create cluster\n$ kubectl --context kind-kind apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml\n$ helm --kube-context kind-kind install ngf oci://ghcr.io/nginxinc/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway --set service.type=ClusterIP\n$ kubectl --context kind-kind apply -f - \u003c\u003cEOF\napiVersion: gateway.networking.k8s.io/v1\nkind: Gateway\nmetadata:\n  name: default\nspec:\n  gatewayClassName: nginx\n  listeners:\n  - name: http\n    port: 80\n    protocol: HTTP\nEOF\n```\n\nThen if you want to call the gateway routes, open a port forward:\n\n```\n$ kubectl --context kind-kind -n nginx-gateway port-forward service/ngf-nginx-gateway-fabric 8080:80\n```\n\nAnd DNS resources can be accessed on http://\u003cprefix\u003e.localhost:8080, or using a command like the following to get the generated dns name:\n\n```\n$ score-k8s resources get-outputs 'dns.default#demo-app.dns' --format '{{.host}}'\n```\n\n### Once I have provisioned a resource, how do I delete it or clean it up?\n\nResource cleanup has not been implemented yet. The only mechanism today is limited to deleting the Kubernetes manifests output by a template provisioner. As a workaround, the YAML structure in `.score-k8s/state.yaml` can be interpreted to determine what side effects need to be cleaned up.\n\n## Get in touch\n\nLearn how to connect and engage with our community [here](https://github.com/score-spec/spec?tab=readme-ov-file#-get-in-touch).\n\n### Contribution Guidelines and Governance\n\nOur general contributor guidelines can be found in [CONTRIBUTING.md](CONTRIBUTING.md). Please note that some repositories may have additional guidelines. For more information on our governance model, please refer to [GOVERNANCE.md](https://github.com/score-spec/spec/blob/main/GOVERNANCE.md).\n\n### Documentation\n\nYou can find our documentation at [docs.score.dev](https://docs.score.dev/docs).\n\n### Roadmap\n\nSee [Roadmap](https://github.com/score-spec/spec/blob/main/roadmap.md). You can [submit an idea](https://github.com/score-spec/spec/blob/main/roadmap.md#get-involved) anytime.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscore-spec%2Fscore-k8s","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscore-spec%2Fscore-k8s","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscore-spec%2Fscore-k8s/lists"}