Infra-as-code tooling provider and Terraform challenger Pulumi has expanded its open source portfolio with a Kubernetes operator and some conversion tools, while making its policy-as-code framework a little more Open Policy Agent (OPA) friendly.
Company CEO Joe Duffy said the new operator was a means to realise Kubernetes-based deployments via a new custom resource called Stack, which specifies the cloud infrastructure to deploy. “You’re still using git commits, pull requests, and code reviews to deploy your infrastructure. It’s just that instead of a CI/CD system picking up the code and pushing changes into the cluster, the cluster [..] is actually self-managing.”
According to Duffy, the operator will pick up on new code to deploy, while a native Kubernetes admission controller runs Pulumi’s policy-as-code engine to enforce OPA and Python rules. “But then any infrastructure can be managed this way,” Duffy added. “Not just infrastructure within the Kubernetes cluster, you can even manage other Kubernetes clusters from within the cluster. You can manage other AWS resources, Datadog, you know, anything that Pulumi can manage, can be done in this way.”
As Pulumi has championed an approach of using modern programming languages such as Python for infra definition, the company also open sourced kube2pulumi. The tool is meant to transform Kubernetes YAML into Python, TypeScript, .NET or Go, so that developers can, for example, use linters or type checkers on their code and have an easier time refactoring if needed.
“The other part is you can get the YAML out as well,” Duffy said, which can help in cases in which the Pulumi output is supposed to be fed into a succeeding pipeline stage that isn’t familiar with Python and co.
Another new command-line interface tool is crd2pulumi, which is designed to allow DevOps types to generate strongly-typed CustomResources based on a Kubernetes CustomResourceDefinition. The key word here is strongly typed, as this characteristic means people can make use of their IDE’s type checking and auto completion options when specifying resources, making the process less error prone.
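As an added illustration of what “strongly typed” buys you (this is not crd2pulumi’s own code): a check derived from a CRD’s openAPIV3Schema that rejects a mistyped Stack resource before anything is applied to the cluster. The CRD, its field names and the API group are constructed for this example and are not the real Stack schema.

```python
# Constructed, simplified CRD: the field names are invented for this example
# and are not the real schema of Pulumi's Stack resource.
STACK_CRD = {
    "kind": "CustomResourceDefinition",
    "spec": {
        "names": {"kind": "Stack"},
        "versions": [{
            "name": "v1alpha1",
            "schema": {"openAPIV3Schema": {"type": "object", "properties": {"spec": {
                "type": "object",
                "required": ["stack"],
                "properties": {
                    "stack": {"type": "string"},
                    "refresh": {"type": "boolean"},
                    "retries": {"type": "integer"},
                },
            }}}},
        }],
    },
}

# OpenAPI v3 types mapped to the Python types a generated class would carry.
PY_TYPES = {"string": str, "boolean": bool, "integer": int, "number": (int, float), "object": dict, "array": list}


def validate(obj, schema, path):
    """Compare obj with an OpenAPI v3 schema and return human-readable errors."""
    kind = schema.get("type", "object")
    expected = PY_TYPES.get(kind, object)
    # bool subclasses int in Python, so True must not pass as an integer
    if not isinstance(obj, expected) or (kind == "integer" and isinstance(obj, bool)):
        return [f"{path}: expected {kind}, got {type(obj).__name__}"]
    errors = []
    if kind == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in obj:
                errors.append(f"{path}.{name}: required field missing")
        for name, value in obj.items():
            if name in props:
                errors.extend(validate(value, props[name], f"{path}.{name}"))
            else:  # a typo such as "stak" is caught here, as an IDE's type checker would
                errors.append(f"{path}.{name}: unknown field")
    return errors


def check_stack_spec(cr, crd=STACK_CRD):
    # Pick the CRD version named by the resource's apiVersion and validate its spec.
    version = cr["apiVersion"].rsplit("/", 1)[-1]
    schema = next(v for v in crd["spec"]["versions"] if v["name"] == version)
    spec_schema = schema["schema"]["openAPIV3Schema"]["properties"]["spec"]
    return validate(cr.get("spec", {}), spec_schema, "spec")
```

An empty list means the resource matches the schema; each string otherwise names the offending field, which is the kind of feedback a generated, typed class gives you at edit time rather than at apply time.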
Though Pulumi’s newly strengthened focus on cloud native use cases should be clear by now, the company also fitted its policy-as-code framework with the ability to understand the Rego query language used by OPA, to dispel any doubts about who it would like to cater to. OPA is a Cloud Native Computing Foundation incubating project looking to “unify policy enforcement across the stack”. In this context, Rego is used for writing policies, while OPA’s APIs take over policy decision-making from the software that queries them.
With policies (and a policy-as-code approach in particular) stepping more into the limelight recently, the project might come up more and more in the near future. At least GitHub users seem to like their OPA, if stars can be used as an indicator, and a quick “unscientific” poll from CNCF TOC chair Liz Rice in the last few days showed quite a bit of interest as well from end users.