Today I want to talk a bit about a side project I’ve been working on for a while, but never actively publicised it.

As a security engineer I often like to test new tools and technologies related to Kubernetes, but I realised I didn’t have a proper environment to do so.

Previous Iterations

In the past, I did blog about having a dedicated Kubernetes lab (see Deploy Your Own Kubernetes Lab), and also released automation to Deploy a Multi-node Production Ready Kubernetes Cluster via kubespray, but much has changed since I released that blog post, and relying on virtual machines seems so 2019 to me 😅.

So earlier this year I blogged on how to have a Kubernetes Lab on Baremetal, detailing the steps I took to deploy my own Kubernetes Lab on baremetal, and on an Intel NUC in particular.

That’s great for the provisioning phase, but I wanted to take this a step further, by having an automated and (more importantly) repeatable way to deploy tools/components onto the cluster.

Enter please

It’s no secret that, once I got exposed to the world of monorepos and repeatable builds in my previous job at Thought Machine, I fell in love with their elegance and engineering philosophy.

Therefore, for this project I decided to use please, a cross-language build system with an emphasis on high performance, extensibility and correctness, highly inspired by Google’s Bazel.

The Result: k8s-lab-plz

The result is k8s-lab-plz, a modular Kubernetes lab which provides an easy and streamlined way to deploy a test cluster (on minikube or baremetal) with support for different components.


The components currently supported are:

Vault Kibana Prometheus

For a more detailed view of what’s coming up next (i.e., Istio, Gatekeeper, Falco, etc.), you can refer to the project roadmap.

Ok, How Does it Work?

Deploying a component is as simple as running a command. For example, to deploy Vault:

❯ plz run //components/vault:deploy [minikube|baremetal]

This will automagically:

  • Create a vault namespace
  • Create a StorageClass and a PersistentVolume (baremetal only)
  • Fetch and deploy the Vault Helm chart in the vault namespace
  • Initialize (unseal) Vault
  • Enable the Vault’s Kubernetes backend
  • Setup the sidecar Agent, by creating a role/policy for the sidecar which allows it to read any secret in the kv-v2 secret/ backend

All with one (reproducible) command.

For another concrete example, you can check “Automating Cartography Deployments on Kubernetes”.

Show Me the Code

k8s-lab-plz can be found on Github:


I hope you’ll find k8s-lab-plz useful, and I’m keen to get feedback on it!

If you find the information shared was useful, if something is missing, or if you have ideas on how to improve it, please let me know on Twitter.