# general
w
any thoughts about a controller-based workflow for kubernetes? i.e. pulumi running in the cluster checking git repos for changes, then applying the changes when detected (and/or on a schedule)
c
@wonderful-yacht-97719 this is something we’re actively thinking about.
Something that will automatically monitor and do things like generate slack messages when observed state differs from desired state in git
this sort of thing is very useful.
no specific plan yet though
w
I’m sure something could be hacked together today using the CLI and other components. But something “official”, possibly with hooks into the console/UI, would be very interesting.
c
yeah, it’s very appealing.
We have almost everything we need to do it, we just have so much work we haven’t gotten around to it.
w
completely understand
c
e.g., we have the ability to output machine-readable data about pulumi runs.
If there was a groundswell of interest from community or customers it would probably be something we’d think more seriously about.
w
challenge accepted
f
this would be an awesome thing to have, but is definitely a nice to have imo
o
probably worth noting there are pretty significant security implications from allowing something in the cluster that degree of control, FWIW if you're in a compliance-regulated industry
it's an ouroboros of auth issues, and a great way to escalate from "merely" being able to see a service account or secret in K8s to having full control of it and much more (because pulumi can manage the existence of clusters themselves)
c
@orange-policeman-59119 that’s true, but the alternative is having an external component that has god mode privileges for your cluster.
I almost always prefer to keep it in-cluster.
o
Something like this would be attractive if, until invoked with the appropriate key (say, a service with the appropriate service account delegated it permissions), it could only operate in a monitoring mode.