Skip to content
Kunobi
>_ kunobi-shin
Coming Soon
Open Source

Stop bumping image tags by hand

Shin is an open-source Kubernetes operator that watches your OCI registries and keeps workloads on the right image. Each tracked image is a CRD you inspect, gate, and ship through Git.

Contact us
2CRDs
2strategies
0glue scripts

Built for your GitOps stack

shin-controller logs
>_ the-problem

Keeping images current is a chore. It should be an API

Manual tag bumps don't scale

Every image build means hand-editing manifests or wiring brittle CI scripts. Multiply that across services and environments and you are forever chasing the latest digest.

Registry and cluster drift

A new image lands in your registry, but nothing tells your cluster. What is published and what is actually running quietly diverge, until someone notices in prod.

Automation you can't inspect

Bolt-on updaters bury their logic in controllers and annotations. There is no first-class Kubernetes object to query, gate, or reason about when something goes wrong.

>_ how-it-works

One operator. Two CRDs. Zero black boxes

Shin runs inside your cluster and reconciles from real Kubernetes resources. There is no hidden workflow engine. kubectl sees every image it tracks and every decision it makes.

step . 01
Registry
OCI registry as a CRD
step . 02
TrackedImage
what to watch + policy
step . 03
Reconcile
scan . resolve digest
step . 04
Strategy
patch or publish
step . 05
Output
workload or ConfigMap
runs in your clusterCRDs are the APIopen source
>_ crd-first

Describe what to track. Shin keeps it current

A single TrackedImage declares the image, the registry it lives in, an update policy, and a strategy. Shin resolves the newest matching digest and applies it. No DSL, no glue scripts.

same_tagallmajorminorpatchglobregexprange
TrackedImage CR is the single source of truth
Digest-aware updates from any OCI registry
Annotation-based discovery from existing workloads
Fully inspectable with kubectl get trackedimages
omega-core.yaml
>_ strategies

Two strategies. Optional grouped releases.

Pick exactly one strategy per TrackedImage: patch in place or publish to your GitOps stack. Add group on publish-mode images to flip a whole release together.

patch

A strategy. Shin patches the referenced Deployment, DaemonSet, or StatefulSet container in place, with no Git round-trip, ideal for fast-moving environments.

publish

A strategy. Shin writes resolved tags to a target ConfigMap. Flux and Kustomize pick them up as substitution variables (OMEGA_CORE_TAG, OMEGA_TAG), keeping Git the source of truth.

group

A publish-mode modifier. Set spec.group on several publish-mode TrackedImages and Shin coordinates them as one release: the shared key flips only when every member agrees on tag, policy, and resolved digest.

>_ quick-start

Install. Apply. Reconcile.

One Helm chart spins up the operator. One CRD tells it what to watch. Shin keeps it current from there.

01 · install
clone the chart
$git clone https://github.com/kunobi-ninja/shin && cd shin
install the operator
$helm upgrade --install shin ./charts/shin -n shin-system --create-namespace
02 · apply
declare a TrackedImage
$kubectl apply -f trackedimage.yaml
trackedimage.shin.kunobi.ninja/omega-core created
03 · reconcile
verify Shin is reconciling
$kubectl get trackedimages
NAME         RESOLVEDTAG   READY
omega-core   v1.4.2        True
one Helm chart.no database.no SaaS.100% your cluster

Image automation that lives in your cluster

Open source. Deploy the operator with a Helm chart in minutes.

Contact Us
Available for:
Apple macOS logomacOSMicrosoft Windows logoWindowsLinux logoLinux
Download Kunobi