Segspec (CLI) K8s NetworkPolicies from App Configs (Go)
Static analysis beats 30-60 day observation. Generates NetworkPolicies in seconds, not weeks.
Static analysis from configs → Kubernetes NetworkPolicies in seconds
It statically parses rendered manifests and common config files (Helm, Docker Compose, Spring Boot, .env, build files) to emit per-service ingress+egress NetworkPolicies—no cluster access needed. That offline, config-driven approach is smart and practical for PR-based workflows, though it will still need runtime validation for dynamic cases (headless services, service mesh/DNS/egress quirks) before you slam policies into prod.
Platform engineers, SREs, cluster security teams, DevOps/DevSecOps
Workflow:
PR changes manifests
CI regenerates policies
reviewers see “newly allowed” connections as a normal permission diff
Curious how others handle this: would you rather review generated policy diffs, or a connectivity-graph diff? Any edge cases you’ve seen bite in real clusters (headless services, shared namespaces, DNS/egress, service meshes, etc.)?
Static analysis beats 30-60 day observation. Generates NetworkPolicies in seconds, not weeks.
MCP server for values.yaml generation is nice, but universal Helm charts already exist.
Local-first parsing is nice, but K8s visualizers are a crowded shelf.
Turns chaotic DOMs into structured action manifests for autonomous agents.
Lazy-loading MCP tools bypass the ten-server context wall with JSON configs.
LangGraph Platform alternative with per-run cost caps and Helm charts included.