...and here’s how to fix it

At kapitan.dev we believe the current way to manage Kubernetes configurations is broken. Actually, it probably goes even deeper than that, and you will soon see why.

I have an unusual way of looking at Kubernetes: for me, Kubernetes is something that allows me to define, package and distribute complex applications with a set of configuration files. Meaning, I can define every aspect of the deployment of a complex multi-component application with Kubernetes resources: the workloads that make up the application, configuration files, network policies, services, load balancers, RBAC, monitoring, alerting, auth.

Everything can be…

So the other day, using the Twitter @kapitandev handle, I set the following challenge

I didn’t get many answers (help us! Please follow, RT and like), but I think many missed the point of the challenge. Good, because it gives me the right opportunity to talk about a hidden gem of Kapitan: “templated scripts”, or canned scripts.

The responses to the challenge

Understandably, I only got replies from people who were fairly confident in, or satisfied with, their own setup, perhaps using some tooling that allows them to quickly recreate the missing configuration.

For example, both GKE and EKS (and others) have helper scripts that you can run to…

In this post I would like to compare different ways to manage secrets in code, with particular relevance to Kubernetes but also more broadly.

I already introduced the approach we promote in “Managing secrets with Kapitan”, but with the release of Tesoro, our new “secrets” admission controller, it is time to review the different approaches and show why we prefer our way.

When talking about approaches for managing secrets, the solutions that normally come to mind are the excellent Mozilla Sops and Bitnami Sealed Secrets (I will get to Vault in a second).

For Mozilla Sops

NEW: Katacoda scenario!

UPDATE: Generators have been ported from jsonnet to kadet (python)

Manage complexity with Kapitan

We open sourced Kapitan back in October 2017.

In the 12 months before that date, Kapitan helped us revolutionise the way we were running things at DeepMind Health, and allowed us to keep control over many heterogeneous systems: Kubernetes, Terraform, documentation, scripts, playbooks, Grafana dashboards, Prometheus rules: everything was kept under control from a single source of truth.

I am not afraid to say it out loud: there is nothing out there that is as versatile and powerful as Kapitan for managing the configuration of complex systems. There… I said it. …

Efficiently managing secrets is an essential part of any configuration management tool that cannot be left to the last minute. When evaluating a solution for Kapitan, we immediately looked into plug-in solutions like the amazing git-crypt which was at the time one of the suggested approaches for Helm.

There were a couple of things that we didn’t like about this approach, which made us think about the top requirements for the perfect solution:


Encrypted secrets while you work: With other approaches, while the data is encrypted in the git repository, it will most likely be unencrypted in your workspace while you…
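To make the requirement concrete, here is a small Python model of the reference-based approach, added here as an illustration; it is not code from Kapitan or Tesoro. The compiled manifest carries only an opaque `?{backend:path}` token (the token shape is modelled on Kapitan-style refs), so it can be committed and reviewed, and the plaintext appears only when a separate reveal step runs at deploy time. The `store` backend name and the values in it are constructed stand-ins for a real backend such as a KMS-encrypted ref store or Vault.

```python
"""Toy model of reference-based secrets: compiled manifests carry opaque tokens,
plaintext appears only at reveal time. Added example; not Kapitan or Tesoro code."""
import base64
import json
import re

# Token shape modelled on Kapitan-style refs: ?{backend:path}
REF_RE = re.compile(r"\?\{(?P<backend>[a-z0-9]+):(?P<path>[^}]+)\}")

# Constructed stand-in for a backend that lives outside the workspace
# (a KMS-encrypted ref store, Vault, ...). The "store" name and these
# values are assumptions for this example only.
_STORE = {
    "db_password": "s3cr3t-pa55",
    "api_token": "tok-9f8e7d",
}


def compile_secret(params):
    """Render a Kubernetes Secret from parameters. Secret values stay as
    ?{...} tokens, so the compiled manifest is safe to commit and review."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": params["name"]},
        "type": "Opaque",
        "data": dict(params["secrets"]),
    }


def find_refs(manifest):
    """Return the set of (backend, path) tokens found anywhere in a manifest."""
    refs = set()

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            for m in REF_RE.finditer(node):
                refs.add((m.group("backend"), m.group("path")))

    walk(manifest)
    return refs


def reveal(manifest, store=_STORE):
    """Replace every token with its value, base64-encoded as Secret.data
    requires. This is the step that runs at deploy time (or inside an
    admission controller), never in the developer's workspace."""

    def resolve(m):
        if m.group("backend") != "store":
            raise ValueError(f"unknown ref backend: {m.group('backend')}")
        value = store[m.group("path")]  # KeyError on a missing secret: fail closed
        return base64.b64encode(value.encode()).decode()

    # Tokens resolve to base64 text, which cannot break the JSON string they sit in.
    return json.loads(REF_RE.sub(resolve, json.dumps(manifest)))


def leaks_secret(manifest, store=_STORE):
    """True if any known secret value (raw or base64) appears in the manifest:
    the check a pre-commit hook would run over compiled output."""
    text = json.dumps(manifest)
    for value in store.values():
        if value in text or base64.b64encode(value.encode()).decode() in text:
            return True
    return False


if __name__ == "__main__":
    params = {"name": "app-creds",
              "secrets": {"password": "?{store:db_password}",
                          "token": "?{store:api_token}"}}
    compiled = compile_secret(params)
    print(json.dumps(compiled, indent=2))   # tokens only: this is what gets committed
    print(sorted(find_refs(compiled)))      # what the deploy step needs to resolve
    print(leaks_secret(compiled))           # False
    print(leaks_secret(reveal(compiled)))   # True: the revealed manifest is never committed
```

The two properties worth keeping in mind are that `compile_secret` never needs the backend at all (so compiling in a workspace without credentials is possible and leaks nothing), and that `reveal` fails closed on an unknown backend or a missing path rather than emitting an empty value. Base64 in `Secret.data` is an encoding, not encryption; the revealed manifest is as sensitive as the plaintext.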

In my previous posts, I explained the basics of Kapitan and how it can be used to drive complex deployments of Kubernetes. This post will pick up where we left off in the Introduction to Kapitan, and go into more detail on how to use jsonnet to manage Kubernetes configurations.


To recap on how to use Kapitan, please refer to my previous post.

Please star https://github.com/deepmind/kapitan and leave a comment!

So why jsonnet, or rather: why not jinja/go templates?

In the initial deployment scripts we used before Kapitan, we were using jinja2 to generate templates. …

In my first post I explained a little of the philosophy behind Kapitan and how it came to be.

In this post, I will give a more pragmatic introduction so that you can easily evaluate it and see if it fits your needs.

Kapitan is a tool to template files. It can be used to template things like text, documentation, scripts or yaml/json manifests. It was created to manage Kubernetes based deployments but it is flexible enough to be used in completely different contexts.

To get started with it, you can run it using Docker or by following these instructions.


This story is all about Kapitan, the tool that will help you manage your Kubernetes configuration and make you feel good about it.

In spite of limited documentation and marketing efforts, Kapitan has grown organically thanks to the word of mouth of happy users. We now have a fair share of stars and a couple of mentions from Kubernetes bloggers and evangelists. Kapitan even has its very own section in a book. Most importantly, it has attracted the interest of a number of ambitious companies that recognised, in the workflow Kapitan enables, the secret recipe for managing the “configuration spaghetti problem”.


Alessandro De Maria

#father #kapitan #devops. Head of SRE at Synthace. Ex DeepMind. Ex Google. Opinions are my own
