PkgRadar

Go modules · proxy.golang.org

github.com/devantler-tech/ksail/v7

Remote Payload: matched "raw.githubusercontent.com"

Why PkgRadar flagged v7.56.0

| Severity | Signal | Evidence |
| --- | --- | --- |
| medium | Remote Payload | matched "raw.githubusercontent.com" · github.com/devantler-tech/ksail/v7@v7.56.0/pkg/cli/cmd/workload/validate.go |
| medium | Remote Payload | matched "raw.githubusercontent.com" · github.com/devantler-tech/ksail/v7@v7.56.0/pkg/client/kubeconform/client.go |
| medium | Remote Payload | matched "raw.githubusercontent.com" · github.com/devantler-tech/ksail/v7@v7.56.0/pkg/fsutil/generator/talos/generator.go |
| medium | Remote Payload | matched "github.com/loft-sh/vcluster […] github.com/devantler-tech/ksail/releases/download" · github.com/devantler-tech/ksail/v7@v7.56.0/pkg/svc/chat/docs_generated.go |
| medium | Remote Payload | matched "github.com/kubernetes-sigs/gateway-api/releases/download" · github.com/devantler-tech/ksail/v7@v7.56.0/pkg/svc/installer/cni/cilium/gateway_api.go |
| medium | Remote Payload | matched "raw.githubusercontent.com" · github.com/devantler-tech/ksail/v7@v7.56.0/pkg/svc/installer/localpathstorage/installer.go |
| medium | Remote Payload | matched "github.com/loft-sh/vcluster/releases/download" · github.com/devantler-tech/ksail/v7@v7.56.0/pkg/svc/provisioner/cluster/vcluster/provisioner.go |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
| --- | --- | --- | --- |
| v7.56.0 | High risk | 97 | 2026-06-13 |
| v7.55.1-0.20260610213754-9206420bfcad | High risk | 97 | 2026-06-12 |
| v7.41.1 | High risk | 97 | 2026-06-11 |
| v7.46.0 | High risk | 97 | 2026-06-11 |
| v7.44.1 | High risk | 97 | 2026-06-11 |
| v7.47.0 | High risk | 97 | 2026-06-11 |
| v7.32.0 | High risk | 97 | 2026-06-11 |
| v7.41.2 | High risk | 97 | 2026-06-11 |
| v7.53.1 | High risk | 97 | 2026-06-11 |
| v7.51.0 | High risk | 97 | 2026-06-11 |
| v7.36.0 | High risk | 97 | 2026-06-11 |
| v7.49.0 | High risk | 97 | 2026-06-11 |
| v7.44.0 | High risk | 97 | 2026-06-11 |
| v7.34.0 | High risk | 97 | 2026-06-11 |
| v7.43.0 | High risk | 97 | 2026-06-11 |
| v7.35.0 | High risk | 97 | 2026-06-11 |
| v7.53.3-0.20260609235914-730c9d89048a | High risk | 97 | 2026-06-11 |
| v7.53.2 | High risk | 97 | 2026-06-11 |
| v7.41.0 | High risk | 97 | 2026-06-10 |
| v7.33.0 | High risk | 97 | 2026-06-10 |
| v7.29.2 | High risk | 97 | 2026-06-10 |
| v7.48.0 | High risk | 97 | 2026-06-10 |
| v7.31.0 | High risk | 97 | 2026-06-10 |
| v7.52.1-0.20260609174221-5cd5264bace1 | High risk | 97 | 2026-06-10 |
| v7.50.0 | High risk | 97 | 2026-06-10 |
| v7.51.2-0.20260609132703-7df8934643cf | High risk | 97 | 2026-06-10 |
| v7.51.1 | High risk | 97 | 2026-06-10 |
| v7.29.0 | High risk | 97 | 2026-06-08 |
| v7.27.1 | High risk | 97 | 2026-06-08 |
| v7.27.2 | High risk | 97 | 2026-06-08 |
| v7.27.1-0.20260606224833-f8879090d0a7 | High risk | 97 | 2026-06-07 |
| v7.27.0 | High risk | 97 | 2026-06-07 |
| v7.26.2-0.20260606121511-9b6ed53fa349 | High risk | 97 | 2026-06-07 |
| v7.26.1 | High risk | 97 | 2026-06-07 |
| v7.26.1-0.20260605151632-792844ecd2d1 | High risk | 97 | 2026-06-06 |
| v7.26.0 | High risk | 97 | 2026-06-06 |
| v7.16.1 | High risk | 89 | 2026-06-06 |
| v7.16.2 | High risk | 89 | 2026-06-06 |
| v7.17.0 | High risk | 89 | 2026-06-06 |
| v7.17.1 | High risk | 89 | 2026-06-06 |
| v7.17.2 | High risk | 89 | 2026-06-06 |
| v7.17.3 | High risk | 89 | 2026-06-06 |
| v7.18.0 | High risk | 89 | 2026-06-06 |
| v7.19.0 | High risk | 95 | 2026-06-06 |
| v7.20.0 | High risk | 92 | 2026-06-06 |
| v7.25.1-0.20260605015820-e3af7624ce3b | High risk | 97 | 2026-06-06 |
| v7.20.1 | High risk | 92 | 2026-06-06 |
| v7.22.0 | High risk | 92 | 2026-06-06 |
| v7.22.1 | High risk | 92 | 2026-06-06 |
| v7.22.2 | High risk | 92 | 2026-06-06 |
| v7.22.3 | High risk | 92 | 2026-06-06 |
| v7.23.2 | High risk | 97 | 2026-06-06 |
| v7.23.0 | High risk | 97 | 2026-06-06 |
| v7.23.1 | High risk | 97 | 2026-06-06 |
| v7.23.3 | High risk | 97 | 2026-06-06 |
| v7.23.4 | High risk | 97 | 2026-06-06 |
| v7.24.0 | High risk | 97 | 2026-06-06 |
| v7.25.0 | High risk | 97 | 2026-06-06 |
| v7.21.0 | High risk | 92 | 2026-05-30 |

Block this in CI

PkgRadar gates github.com/devantler-tech/ksail/v7 (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/devantler-tech/ksail/v7@v7.56.0