📚 / Documentation / Getting Started


klander is a Compliance-As-Code utility. It allows you to detect divergences from your desired Kubernetes cluster state and perform reconciliation.

It works by specifying Kubernetes Resources to observe and how the should be reconcilied if they are not compliant to your specification.


With Docker

$ docker pull ghcr.io/datapio/klander:latest

Build from sources

If you wish to build klander from sources, you will need:

  • Poetry to install the Python dependencies
  • GNU Make to run the installation steps

Then run:

$ git clone https://github.com/datapio/klander
$ cd klander
$ make

This will use PyInstaller to build a standalone executable, which will be located in the dist folder:

  • klander for UNIX platforms (Mac, Linux, BSD, …)
  • klander.exe for Windows platforms

NB: klander relies on the system’s kubectl binary, please consult this page to install it.

Install the CRDs

Before running klander, you will need to install the Kubernetes Custom Resource Definitions:

$ kubectl apply -f https://raw.githubusercontent.com/datapio/klander/main/crds/state-reconciler.yml

Reconcile your cluster

Create a file named only-default-service-accounts.yml with the following content:

apiVersion: datapio.co/v1
kind: StateReconciler
  name: only-default-service-accounts
    apiVersion: v1
    kind: ServiceAccount
    namespaces: '*'
    field: metadata.name
    where: ['$eq', 'default']
    deleteExtras: yes

Then run:

$ kubectl apply -f only-default-service-accounts.yml
$ docker run \
      -v $HOME/.kube:/workspace/.kube \

This will remove every ServiceAccount whose name is not default.

What’s next?

Learn more about the StateReconciler.