Coverage Matrix

Chkk Curated Release Notes: v0.18.0 to latest
Private Registry: Supported
Custom Built Images: Supported
Safety, Health, and Readiness Checks: v0.19.1 to latest
Supported Packages: Helm, Kustomize, Kube
EOL Information: Available
Version Incompatibility Information: Available
Upgrade Templates: In-Place, Blue-Green
Preverification: Available

Pomerium Overview

Pomerium is an open-source identity-aware proxy implementing zero-trust security principles inspired by Google’s BeyondCorp model. Acting as a gateway in front of internal services, it continuously verifies user identity, device state, and request context. Without client software, Pomerium enforces granular access policies centrally at the proxy layer, enabling seamless single sign-on (SSO). This simplifies secure access management across environments (on-premises, cloud, hybrid) and eliminates complex VPNs. By enforcing dynamic, identity-driven policies, Pomerium significantly enhances security and user experience.

Chkk Coverage

Curated Release Notes

Chkk monitors official Pomerium release notes, highlighting new features, breaking changes, or deprecations impacting your clusters. Instead of manually reviewing upstream changelogs, Chkk provides a concise operational summary relevant to your environment. Critical changes, such as tracing subsystem replacements (OpenCensus to OpenTelemetry) or removal of legacy “forward-auth” modes, are clearly flagged with remediation guidance. This proactive notification ensures platform teams are prepared for impactful changes before upgrades.

Preflight & Postflight Checks

Chkk performs preflight checks to ensure your clusters and configurations meet Pomerium’s compatibility requirements before upgrades. It identifies deprecated settings like old policy fields or required datastore dependencies, preventing disruptive upgrade issues. Postflight checks confirm successful version transitions, verify pod health, detect leftover resources from previous versions, and inspect logs for identity provider connection errors or misconfigured policies. This structured approach significantly reduces operational risks during upgrades.

Version Recommendations

Chkk actively tracks Pomerium versions and support timelines, alerting you when your deployed version falls out of the maintenance window or becomes vulnerable. It references official advisories and known issues, providing clear justifications for recommended upgrades. Chkk suggests stable, vetted upgrade targets based on community feedback, helping platform teams balance feature urgency with operational stability. Custom versioning and support policies, including enterprise editions or forks, are fully accommodated.

Upgrade Templates

Chkk offers detailed Upgrade Templates for both in-place and blue-green upgrades, aligning with Pomerium best practices. In-place upgrade templates cover incremental pod rollouts, checkpoint configurations, and DNS or side-component reloads. Blue-green strategies allow parallel testing of new versions in controlled subsets, outlining rollback points for safe transitions. These templates integrate smoothly with GitOps or CI/CD pipelines, minimizing human error and downtime.

Preverification

Chkk’s preverification simulates the entire upgrade process in an isolated environment, replicating your production configurations and infrastructure. This identifies configuration conflicts, increased resource consumption, or identity provider integration issues before production deployment. Detected issues like stricter policy parsing or resource spikes can be proactively addressed. Preverification significantly reduces upgrade risk by validating steps safely before real-world application.

Supported Packages

Chkk supports multiple Pomerium deployment methods, including Helm, Kustomize, and raw Kubernetes YAML manifests. It identifies specific configuration changes required by new versions, respecting custom builds, private registries, and enterprise variations. Chkk provides precise upgrade diffs tailored to your deployment format, simplifying updates in existing workflows. This flexible support helps maintain consistency across your managed Kubernetes resources.

Common Operational Considerations

  • Ingress Class & TLS Enforcement: Ensure Pomerium’s ingress class (spec.ingressClassName: pomerium) and TLS are explicitly defined. Misconfiguration leads to silent request failures without clear error logs.
  • Identity Provider Dependencies: Pomerium depends directly on your IdP for authentication; outages or performance degradation can halt application access. Monitor IdP availability and plan contingencies for peak loads.
  • Authorization Policy Pitfalls: Mistakes in Pomerium Policy Language (PPL), like incorrect logical operators or overly broad patterns, can lead to unintended access. Always test new policies thoroughly and audit decisions.
  • Session & Token Management: Balance session durations and JWT expiry to avoid user frustration and excessive IdP load. Monitor token refresh behaviors closely, especially after upgrades impacting OAuth mechanisms.
  • Scaling & State: Pomerium requires shared databroker storage for consistent session state across scaled replicas. Use supported backends (e.g., PostgreSQL) and tune CPU/memory allocations proactively.
  • Forward-Auth Removal: forward-auth was dropped in Pomerium v0.21, so newer images no longer expose the /verify endpoint. Replace any NGINX/Traefik forward-auth integrations with the Pomerium Ingress Controller.
  • Operator Deprecation: The original pomerium-operator relies on the removed extensions/v1beta1 Ingress API and breaks on Kubernetes 1.22+. Migrate to the Helm-based Pomerium Ingress Controller before upgrading clusters.
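To make the PPL pitfall above concrete, here is an added example that is not Pomerium's or Chkk's code: a minimal evaluator for a small subset of Pomerium Policy Language, run over a policy that requires both a company domain and an admins group, beside the same policy with `or` mistakenly substituted for `and`. The criterion shapes (`domain: is`, `email: is`, `groups: has`), the deny-before-allow precedence and the sample identities are assumptions, not taken from this page.

```python
# Added example, not Pomerium's or Chkk's code: a minimal evaluator for a
# small subset of Pomerium Policy Language (PPL) to test a policy offline.
# Supported: allow/deny rules, and/or/not operators, criteria "domain: is",
# "email: is", "groups: has". Shapes and "deny wins" are assumptions; verify
# against your Pomerium version before relying on them.

def _criterion(crit: dict, identity: dict) -> bool:
    (name, matcher), = crit.items()          # e.g. {"domain": {"is": "x"}}
    if name == "domain" and "is" in matcher:
        return identity.get("email", "").split("@")[-1] == matcher["is"]
    if name == "email" and "is" in matcher:
        return identity.get("email") == matcher["is"]
    if name == "groups" and "has" in matcher:
        return matcher["has"] in identity.get("groups", [])
    raise ValueError(f"unsupported criterion: {crit}")  # fail closed

def _rule(rule: dict, identity: dict) -> bool:
    (op, items), = rule.items()              # one operator over a list
    results = [_criterion(c, identity) for c in items]
    if op == "and":
        return all(results)
    if op == "or":
        return any(results)
    if op == "not":
        return not any(results)              # none of the criteria match
    raise ValueError(f"unsupported operator: {op}")

def evaluate(policy: dict, identity: dict) -> bool:
    """True if the identity is allowed; a matching deny rule always wins."""
    if "deny" in policy and _rule(policy["deny"], identity):
        return False
    return "allow" in policy and _rule(policy["allow"], identity)

def audit(policy: dict, identities: list) -> dict:
    return {i["email"]: evaluate(policy, i) for i in identities}  # review table

# Constructed policies, same structure as the YAML in an Ingress annotation.
# Intended: the user must be in example.com AND in the admins group.
POLICY_INTENDED = {"allow": {"and": [{"domain": {"is": "example.com"}},
                                     {"groups": {"has": "admins"}}]},
                   "deny": {"or": [{"email": {"is": "left@example.com"}}]}}
# Pitfall: "or" where "and" was meant, so any example.com user, and any
# outside user carrying an "admins" group claim, is admitted.
POLICY_TOO_BROAD = {"allow": {"or": POLICY_INTENDED["allow"]["and"]},
                    "deny": POLICY_INTENDED["deny"]}

IDENTITIES = [{"email": "ops@example.com", "groups": ["admins"]},     # constructed
              {"email": "dev@example.com", "groups": ["engineering"]},
              {"email": "left@example.com", "groups": ["admins"]},
              {"email": "admin@evil.example", "groups": ["admins"]}]
```

Running `audit` over both policies shows the `or` version admitting the engineering user and the external account, while the deny rule still blocks the offboarded address in both.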

Additional Resources