Easier & Faster Kubernetes Policies with JavaScript or TypeScript

Get Started

Why yet another policy engine for Kubernetes?

OPA Logo
Kyverno logo
Language
JS | TS

Policies in jsPolicy can be written either in JavaScript or in any language that can be compiled to JavaScript such as TypeScript.

JS | TS
Rego

OPA policies need to be written in Rego which is not turing complete.

Rego
YAML

Kyverno uses YAML to express policies rather than a real programming language.

YAML
Validating Policies
yes

jsPolicy supports validating admission control policies.

yes

OPA supports validating admission control policies.

yes

Kyverno supports validating admission control policies.

Mutating Policies
super easy

jsPolicy supports mutating admission control policies and makes them incredibly easy to write.

very limited

Mutating policies are an alpha feature in OPA and have many limitations.

complicated

Kyverno's YAML policies only allow mutating policies to apply patches. More complex operations are impossible or really complicated.

Controller Policies
yes

Controller policies are executed after Events in your cluster and jsPolicy is the first policy engine to introduce this feature.

not supported

Controller policies only exist in jsPolicy.

not supported

Controller policies only exist in jsPolicy.

Dev & Test Tooling
extensive + mature

Since jsPolicy lets you work with regular JavaScript, the entire JS ecosystem with great dev tools and testing frameworks can be used to write, test and maintain policies.

limited

Due to OPA's popularity and maturity, several dev and test tools are available but this very limited compared to the JS ecosystem.

very basic

Kvverno provides a CLI tool for running very basic end-to-end tests. 3rd party tooling is not available.

Package Management
npm

Publish and share your policies via npmjs.com or pull policy functions from a private npm registry. jsPolicy introduces a new level of policy package management via npm.

not available

Due to OPA's popularity and maturity, several dev and test tools are available but this very limited compared to the JS ecosystem.

not available

There is no widely adopted package manager for publishing and sharing Kyverno policy logic.

Try jsPolicy Examples

Deny Label Policy
View on GitHub
Hello
kubectl
Create
-f object.yaml
Run
Mutate
Select the example and hit the Run button.
Deny
Editor for Mutate
Allow

Get started with jsPolicy

Getting started with jsPolicy is as easy as installing the Helm chart and applying some policies to your cluster. Check out the demo video for a preview of how to get started with jsPolicy in a few minutes.

# Install via Helm v3
helm install jspolicy jspolicy -n jspolicy --create-namespace --repo https://charts.loft.sh

# Create JsPolicies
kubectl apply -f https://raw.githubusercontent.com/loft-sh/jspolicy/main/examples/by-use-case/deny-default-namespace.yaml

Get Started
Watch: jsPolicy Demo Video

Open-Source at Loft Labs

At Loft Labs, we are committed to building open-source tools such as DevSpace, vcluster and kiosk alongside our commercial offering Loft. We want to give back to the community and we believe open-source projects are the best way to accelerate the speed of innovation in the cloud-native space.

About Loft

Loft is an advanced control plane that runs on top of your existing Kubernetes clusters to add multi-tenancy and self-service capabilities to these clusters to get the full value out of Kubernetes beyond cluster management.

vcluster

vcluster allows you to spin up lightweight, virtual Kubernetes clusters inside the namespaces of a regular Kubernetes cluster.
1.7k Stars
8.4M Image Pulls

DevSpace

DevSpace is the fastest cloud-native development tool and is designed to be the docker-compose for Kubernetes.
2.9k Stars
659k Image Pulls

kiosk

kiosk is a multi-tenancy extension for Kubernetes that introduces basic custom resources for tenant isolation and namespace self-service.
832 Stars
98k Image Pulls

Free, Open-Source & Community Driven

Star the project on GitHub, open issues and pull requests. Any contribution is welcome.

jsPolicy on Github

Join the conversation about jsPolicy on Slack and get help from the project maintainers.

jsPolicy on Slack

Open-Source at Loft Labs

At Loft Labs, we are committed to building cloud-native open-source tools such as DevSpace, vcluster, kiosk, and of course jsPolicy. We do this alongside our commercial offering Loft because we want to give back to the community and we believe open-source projects are the best way to accelerate the speed of innovation in the cloud-native space.

Get The Latest News About Our Projects

JS | TS

Policies in jsPolicy can be written either in JavaScript or in any language that can be compiled to JavaScript such as TypeScript.

yes

jsPolicy supports validating admission control policies.

super easy

jsPolicy supports mutating admission control policies and makes them incredibly easy to write.

yes

Controller policies are executed after Events in your cluster and jsPolicy is the first policy engine to introduce this feature.

extensive + mature

Since jsPolicy lets you work with regular JavaScript, the entire JS ecosystem with great dev tools and testing frameworks can be used to write, test and maintain policies.

Rego

OPA policies need to be written in Rego which is not turing complete.

yes

OPA supports validating admission control policies.

very limited

Mutating policies are an alpha feature in OPA and have many limitations.

not supported

Controller policies only exist in jsPolicy.

limited

Due to OPA's popularity and maturity, several dev and test tools are available but this very limited compared to the JS ecosystem.

YAML

Kyverno uses YAML to express policies rather than a real programming language.

yes

Kyverno supports validating admission control policies.

complicated

Kyverno's YAML policies only allow mutating policies to apply patches. More complex operations are impossible or really complicated.

not supported

Controller policies only exist in jsPolicy.

very basic

Kvverno provides a CLI tool for running very basic end-to-end tests. 3rd party tooling is not available.

npm

Publish and share your policies via npmjs.com or pull policy functions from a private npm registry. jsPolicy introduces a new level of policy package management via npm.

not available

Due to OPA's popularity and maturity, several dev and test tools are available but this very limited compared to the JS ecosystem.

not available

There is no widely adopted package manager for publishing and sharing Kyverno policy logic.