CompliK is a comprehensive Kubernetes compliance and security platform built with a Monorepo architecture. It provides three powerful tools for monitoring, managing, and securing your Kubernetes clusters.
- 📚 Documentation Hub - Complete documentation index for all components
- Installation - Quick start guides
- Contributing - How to contribute
- License - Apache 2.0
This repository adopts a Monorepo + Multi-module architecture, organizing three completely independent and equal sub-projects:
Comprehensive compliance and security monitoring platform with plugin architecture
- Event-driven plugin system for extensibility
- Automated service discovery for Kubernetes resources
- Browser-based compliance checking
- Integration with Lark/Feishu for alerts
- PostgreSQL storage for compliance records
Kubernetes namespace lifecycle manager with resource blocking capabilities
- Custom Resource Definition (CRD) for batch namespace operations
- Automatic workload scaling and resource quota management
- Namespace expiration and cleanup handling
- kubectl plugin for easy CLI access
- High availability with leader election
Lightweight security scanning DaemonSet for process monitoring
- Real-time /proc filesystem monitoring
- Blacklist/whitelist rule engine
- Cryptocurrency mining detection
- Automatic labeling of suspicious pods
- Comprehensive Prometheus metrics
Data analysis tool for compliance detection keywords
- MySQL database integration
- Frequency analysis with top-N statistics
- Histogram visualization with Chinese font support
- Cross-platform compatibility
- Unified Monorepo: All components in one repository with independent modules
- Cloud-Native: Built for Kubernetes with CRDs, operators, and DaemonSets
- Extensible: Plugin architecture for custom compliance checks
- Production-Ready: Comprehensive logging, metrics, and monitoring
- Open Source: Apache 2.0 licensed for community contributions
Important: The sub-projects are completely equal in structure and organization, with no primary-secondary distinction, all located in independent subdirectories under the root directory.
CompliK/ # Monorepo root directory
├── README.md # Project overview and quick start
├── MONOREPO.md # This document (architecture guide)
├── Makefile # Unified build system
├── .git/ # Git repository
├── .github/ # GitHub configuration (CI/CD, etc.)
│
├── complik/ # Sub-project 1: Compliance monitoring platform
│ ├── go.mod # Independent module
│ │ # module: github.com/bearslyricattack/CompliK/complik
│ ├── go.sum
│ ├── cmd/complik/ # Main program entry
│ │ └── main.go
│ ├── internal/ # Internal implementation
│ │ └── app/
│ ├── plugins/ # Plugin system
│ │ ├── compliance/
│ │ ├── discovery/
│ │ └── handle/
│ ├── pkg/ # Public packages
│ ├── deploy/ # K8s deployment configuration
│ ├── config.yml # Configuration file
│ ├── Dockerfile # Docker image build
│ └── bin/ # Build artifacts
│ └── manager
│
├── block-controller/ # Sub-project 2: Namespace manager
│ ├── go.mod # Independent module
│ │ # module: github.com/bearslyricattack/CompliK/block-controller
│ ├── go.sum
│ ├── cmd/ # Entry programs
│ │ ├── main.go # Controller main entry
│ │ └── kubectl-block/ # kubectl plugin
│ ├── api/v1/ # CRD API definitions
│ ├── internal/ # Internal implementation
│ │ ├── controller/ # Controller logic
│ │ ├── scanner/ # Namespace scanner
│ │ ├── constants/
│ │ └── utils/
│ ├── config/ # Kubernetes configuration
│ │ ├── crd/
│ │ ├── default/
│ │ ├── manager/
│ │ └── rbac/
│ ├── deploy/ # Deployment manifests
│ ├── Dockerfile # Docker image build
│ ├── Makefile # Local build script
│ └── bin/ # Build artifacts
│ └── manager
│
└── procscan/ # Sub-project 3: Process scanning tool
├── go.mod # Independent module
│ # module: github.com/bearslyricattack/CompliK/procscan
├── go.sum
├── cmd/procscan/ # Main program entry
│ └── main.go
├── internal/ # Internal implementation
│ ├── core/
│ │ ├── alert/
│ │ ├── k8s/
│ │ ├── processor/
│ │ └── scanner/
│ ├── container/
│ └── notification/
├── pkg/ # Public packages
│ ├── config/
│ ├── logger/
│ ├── metrics/
│ └── models/
├── deploy/ # DaemonSet deployment configuration
├── config.yaml # Configuration file
├── Dockerfile # Docker image build
├── CLAUDE.md # Development guide
└── bin/ # Build artifacts
└── procscan
The three sub-projects are completely equal in structure and organization:
| Feature | complik | block-controller | procscan |
|---|---|---|---|
| Directory Location | Under root | Under root | Under root |
| go.mod | Independent module | Independent module | Independent module |
| Code Structure | cmd/internal/pkg | cmd/internal/api | cmd/internal/pkg |
| Deployment Config | deploy/ | deploy/ | deploy/ |
| Docker | Dockerfile | Dockerfile | Dockerfile |
| Build Artifacts | bin/ | bin/ | bin/ |
Each sub-project has its own independent go.mod, forming independent Go modules:
// complik/go.mod
module github.com/bearslyricattack/CompliK/complik
// block-controller/go.mod
module github.com/bearslyricattack/CompliK/block-controller
// procscan/go.mod
module github.com/bearslyricattack/CompliK/procscanAdvantages:
- Independent dependency management (can use different versions of k8s.io, etc.)
- Independent build and test
- Clear module boundaries
- Avoid dependency conflicts
The Makefile in the root directory provides a unified build entry point, but each sub-project can also be built independently.
| Project | Module Path | Go Version | Main Dependencies |
|---|---|---|---|
| complik | github.com/bearslyricattack/CompliK/complik |
1.24.5 | k8s.io v0.33.4, gorm, go-rod |
| block-controller | github.com/bearslyricattack/CompliK/block-controller |
1.24.5 | k8s.io v0.34.0, controller-runtime v0.22.1 |
| procscan | github.com/bearslyricattack/CompliK/procscan |
1.24.5 | k8s.io v0.33.4, prometheus client |
The Makefile in the root directory provides unified management for the three sub-projects.
make help# Build all projects
make build-all
# Build individual projects
make build-complik # CompliK platform
make build-block-controller # Block Controller
make build-procscan # ProcScan
# Clean all build artifacts
make clean-all# Run tests for all projects
make test-all
# Test individual projects
make test-complik
make test-block-controller
make test-procscan# Tidy dependencies for all projects
make tidy-all
# Format code for all projects
make fmt-all
# Run go vet checks
make vet-all# Build Docker images
make docker-build-complik
make docker-build-block-controller
make docker-build-procscan# Deploy all projects to Kubernetes
make deploy-allEach sub-project can be built, tested, and deployed completely independently.
cd complik
go build -o bin/manager cmd/complik/main.go
./bin/manager --config=config.ymlcd block-controller
go build -o bin/manager cmd/main.go
./bin/managercd procscan
go build -o bin/procscan cmd/procscan/main.go
./bin/procscan --config=config.yamlAlthough the three sub-projects are completely independent in code (no cross-references), they can work together at runtime:
1. ProcScan detects a threat process
↓
Labels the namespace: "block.clawcloud.run/locked=true"
2. Block Controller listens to label changes
↓
Automatically blocks namespace (scale down, limit resources, isolate network)
3. CompliK collects security events
↓
Sends alert notifications (Feishu, DingTalk, Email)
┌─────────────────────────────────────────┐
│ Kubernetes Cluster │
│ │
│ ┌────────────────────────────────────┐ │
│ │ complik (Deployment) │ │
│ │ Replicas: 2 │ │
│ │ - Compliance detection │ │
│ │ - Service discovery │ │
│ │ - Alert notifications │ │
│ └────────────────────────────────────┘ │
│ │
│ ┌────────────────────────────────────┐ │
│ │ block-controller (Deployment) │ │
│ │ Replicas: 1 │ │
│ │ - Listen to BlockRequest CRD │ │
│ │ - Namespace lifecycle management │ │
│ └────────────────────────────────────┘ │
│ │
│ ┌────────────────────────────────────┐ │
│ │ procscan (DaemonSet) │ │
│ │ One instance per node │ │
│ │ - Scan container processes │ │
│ │ - Real-time threat detection │ │
│ └────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────┘
git clone https://github.com/bearslyricattack/CompliK.git
cd CompliKmake build-all# Enter sub-project directory
cd complik # or block-controller, procscan
# Modify code
vim cmd/complik/main.go
# Build and test
go build -o bin/manager cmd/complik/main.go
./bin/manager# In sub-project directory
go mod tidy
# Or tidy all projects from root directory
cd ..
make tidy-allgit add .
git commit -m "feat(complik): add new feature"
git push origin mainIncorrect Example:
// Referencing complik code in block-controller (❌ Don't do this)
import "github.com/bearslyricattack/CompliK/complik/pkg/logger"Correct Approach:
- Keep each sub-project independent
- If code sharing is needed, consider creating an independent shared library
If you need to develop multiple sub-projects locally simultaneously, you can create go.work:
go work init
go work use complik
go work use block-controller
go work use procscanmake tidy-allOld Structure (v1.x):
CompliK/
├── go.mod # CompliK code directly in root directory
├── cmd/complik/
├── internal/
├── pkg/
├── procscan/ # procscan as subdirectory
│ └── go.mod
└── block-controller/ # block-controller as subdirectory
└── go.mod
New Structure (v2.0):
CompliK/
├── complik/ # CompliK also became a sub-project
│ └── go.mod
├── block-controller/ # Remains as sub-project
│ └── go.mod
└── procscan/ # Remains as sub-project
└── go.mod
Main Changes:
- CompliK main project code moved to
complik/subdirectory - Module path changed from
github.com/bearslyricattack/CompliKtogithub.com/bearslyricattack/CompliK/complik - All import paths updated accordingly
- Makefile adjusted to uniformly manage three equal sub-projects
procscan.old.backup/- Old procscan code from original CompliK project- Can be deleted after confirmation:
rm -rf procscan.old.backup
A: For architectural consistency and clarity:
- Three projects are completely equal in structure
- Clearer module boundaries
- Easier to understand and maintain
- Follows Monorepo best practices
A: Impact is minimal:
- Just one more level in path:
/complik,/block-controller,/procscan - No impact on compilation speed or runtime performance
- IDE auto-completion still works normally
A:
- Create new sub-project directory in root
- Initialize independent go.mod
mkdir newproject cd newproject go mod init github.com/bearslyricattack/CompliK/newproject - Create standard Go project structure (cmd/, internal/, pkg/)
- Add build targets in root Makefile
- Update README.md and MONOREPO.md
A: Common troubleshooting:
- Ensure Go version >= 1.24.5
- Run
make tidy-allto update all dependencies - Check if import paths are correct (should include
/complik,/block-controller, or/procscan) - Review specific error logs
A:
cd <project>
docker build -t <registry>/<project>:<tag> .
docker push <registry>/<project>:<tag>Or use Makefile:
make docker-build-complik
make docker-build-block-controller
make docker-build-procscanname: Build All Projects
on: [push, pull_request]
jobs:
build-complik:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '1.24.5'
- run: make build-complik
build-block-controller:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '1.24.5'
- run: make build-block-controller
build-procscan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '1.24.5'
- run: make build-procscanEach component has comprehensive documentation:
- CompliK Platform - Plugin architecture, configuration, deployment
- CompliK Logging - Advanced logging system documentation
- CompliK Security - Security configuration guide
- Block Controller - CRD usage, kubectl plugin, architecture
- ProcScan - Configuration, rules, deployment
- ProcScan Metrics - Complete metrics reference
- Keyword Analyzer - Database setup, customization, troubleshooting
We welcome contributions! Please see CONTRIBUTING.md for:
- Code of conduct
- Development setup
- Contribution workflow
- Coding standards
- Pull request process
Copyright 2025 CompliK Authors
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
See LICENSE for the full license text.
- Built with Kubernetes
- Powered by Go
- Inspired by cloud-native security best practices
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Labels: Use labels to identify which component your issue relates to
complik- CompliK platform issuesblock-controller- Block Controller issuesprocscan- ProcScan issuesanalyze- Keyword Analyzer issuesmonorepo- Repository structure issuesdocumentation- Documentation improvements
- Completely equal three-project Monorepo architecture
- CompliK main project changed to sub-project structure
- All sub-projects are now independent and equal
- Updated all module paths and import paths
- Unified build system with Makefile
- Apache 2.0 license applied to all components
- Full English documentation and internationalization
- Hybrid structure (CompliK in root directory)
- Block-controller and procscan as subdirectories
Project Status: Active Development Kubernetes Compatibility: 1.19+ Go Version: 1.24+ Last Updated: 2025-11-26