Hey HN,

We’ve recently published an open source Kubernetes operator, the intents operator, that makes it easy to manage network policies and Kafka ACLs in a way that enables teams to control access without cross-team coordination, and keeps gradual rollout in mind, eliminating many of the points of friction that come with using network policies and Kafka ACLs.

The intents operator implements a concept called IBAC, or Intents-Based Access Control, for Kubernetes network policies and Kafka ACLs. For network policies, it means that developers who want to connect to another service declare the intent to do so, and the operator creates the appropriate network policies, as well as labeling pods and namespaces as needed.

For example:

    apiVersion: k8s.otterize.com/v1alpha1
    kind: ClientIntents
    metadata:
      name: intents-sample
    spec:
      service:
        name: my-client
      calls:
        - name: web-server
The effect is that a single Kubernetes resource controls access, whereas with plain network policies, developers, often across multiple teams, must coordinate the contents and versioning of 3 resources: the network policy itself and the labels on the pods and namespaces it selects. We think this approach is a ton easier to reason about and work with, and that’s all us devs really want, right? Just let me get on with it.

We’re building more of this stuff, and think it should be equally easy to get access even when you need to access different kinds of services on different platforms. Securely accessing services shouldn’t be hard: it should be easy to do the right thing and hard to shoot yourself in the foot, and it should work with your existing infrastructure and development workflows.

If you too have felt the pain of managing network policies, have a look and let us know what you think!
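To make the comparison concrete, here is an added example (not the intents operator's own code) that expands the ClientIntents above into the NetworkPolicy and pod labels it stands in for; the label keys and the `shop` namespace are assumptions, and the Kubernetes-managed namespace name label is the only real one used.

```python
# Added illustration, not the intents operator's own code. The two label keys are
# hypothetical; NAMESPACE_LABEL is the name label Kubernetes sets on every namespace.
CLIENT_LABEL = "intents.example/client"
SERVER_LABEL = "intents.example/server"
NAMESPACE_LABEL = "kubernetes.io/metadata.name"

# Constructed ClientIntents mirroring the resource in the post; the namespace is assumed.
SAMPLE_INTENTS = {
    "apiVersion": "k8s.otterize.com/v1alpha1",
    "kind": "ClientIntents",
    "metadata": {"name": "intents-sample", "namespace": "shop"},
    "spec": {"service": {"name": "my-client"}, "calls": [{"name": "web-server"}]},
}


def pod_labels(intents):
    """Labels to put on each workload's pods so the generated policies can select them."""
    client = intents["spec"]["service"]["name"]
    labels = {client: {CLIENT_LABEL: client}}
    for call in intents["spec"]["calls"]:
        labels[call["name"]] = {SERVER_LABEL: call["name"]}
    return labels


def network_policies(intents):
    """One ingress NetworkPolicy per called server. Selecting the server's pods with an
    Ingress policy denies every source except the listed one: pods carrying the client
    label in the client's namespace."""
    client = intents["spec"]["service"]["name"]
    namespace = intents["metadata"]["namespace"]
    policies = []
    for call in intents["spec"]["calls"]:
        server = call["name"]
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"{client}-to-{server}", "namespace": namespace},
            "spec": {
                "podSelector": {"matchLabels": {SERVER_LABEL: server}},
                "policyTypes": ["Ingress"],
                "ingress": [{"from": [{
                    "podSelector": {"matchLabels": {CLIENT_LABEL: client}},
                    "namespaceSelector": {"matchLabels": {NAMESPACE_LABEL: namespace}},
                }]}],
            },
        })
    return policies
```

Every declared call becomes one policy plus two label sets, which is the coordination the single ClientIntents resource removes.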