Open timebertt opened 2 years ago
Thanks @timebertt for the suggestion. I'm game for it for the same reasons.
If the switch is seemingly simple, then we need to consider the following to achieve it.
However, if I understand correctly, we need to do it before we upgrade the landscapes to k8s 1.22. So I'm not sure if we can avoid ref. #32 in time.
I came across this https://kyverno.io/ in a conversation with @unmarshall. This looks exhaustive and might even be a good replacement for opa-gatekeeper.
@timebertt, @dguendisch -- Do you think we will think of using kyverno instead of opa-gatekeeper in gardener landscapes for its declarative semantics, which are similar to what kupid does, although in a limited scope?
Just checking if we should relook?
kyverno looks straightforward, seems promising to me (though I have no experience with gatekeeper and kupid), maybe @hendrikKahl wants to comment as well.
Well, I don't have a lot of practical experience, so probably the best colleagues to judge would be those already familiar with either (probably OPA Gatekeeper, then testing also Kyverno), but from what I have seen/heard/read, the answer is clearly Kyverno, because:
Well, I used Gatekeeper (k8s implementation of OPA) to inject labels to specific pods. That worked quite well and could be done with a rather simple custom resource object. So I'm not too familiar with rego and wouldn't want to judge whether it is suitable to replace the code in this repo.
After a first glimpse at kyverno, I think it is much easier to modify things or inject certain configuration. When it comes to policies, I guess OPA is still more powerful.
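As an added illustration of the kind of Kyverno mutating policy discussed above (this is not from the thread, nor from the kupid or Kyverno projects), a ClusterPolicy that injects a label into pods selected by namespace and label; the namespace, selector and label values are placeholders:

```yaml
# Added example. Namespace, selector and label values are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-team-label
spec:
  rules:
    - name: add-team-label-to-pods
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - example-ns            # placeholder namespace
              selector:
                matchLabels:
                  app: example          # placeholder selector
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              # The +() anchor adds the label only if it is not already set,
              # so an explicit value on the pod is never overwritten.
              +(team): platform         # placeholder label value
```

Applying this with kubectl requires the Kyverno admission controller to be installed in the cluster; the mutation happens at admission time, so existing pods are only relabelled once they are recreated.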
Yes, a programming language will always be more powerful. Question is, whether that's required or needless complexity. If it's only about Kubernetes, people seem to prefer and be just as expressive with Kyverno. Just saying - that seems to be the verdict of many who compared the two.
I don't have much experience with OPA/Rego, however when I looked at the OPA policy that was very recently created as a hack to make multi-zone seed, it was not a very pretty sight.
To have a look at it: connect to the aws-ha seed and look at the policies configmap (`k get cm -n opa policies -oyaml`). Maybe it is not at all common to update/patch the configmap directly (as that would be very error prone). Try reading that minified rego and it will be fun ;)
Just read a bit more, indeed many recommend Kyverno in blogs and such. See also: https://www.youtube.com/watch?v=9gSrRNmmKBc&t=926s and the following summary. So, +1 for @unmarshall's recommendation to look into/consider that over OPA Gatekeeper.
Added a document #45 capturing the evaluation done on Kyverno as a replacement.
Looks promising to me.
cc @unmarshall @shreyas-s-rao
I also recently tried out kyverno (just some basic stuff with validating and mutating policies). It seemed very promising to me as well. It's very easy to set up and intuitive to use/understand :)
What would you like to be added:
Readme says:
However, it doesn't seem this justifies building our own component (which is currently unmaintained?) in comparison to the relatively low effort to reuse a well-established project from the community.
This repository could basically be a few yaml files instead of thousands of lines of code.
Why is this needed: