What do you think about Kyverno? Is it a good alternative to OPA/Gatekeeper? Should I compare the two in one of the upcoming videos? I made a mistake in the video by saying that it did not work in k3d. When I tried it again a while later, everything worked like a charm. My guess is that there was a temporary problem or an issue I caused when I was recording the session. In any case, I stand corrected. It works in k3d!!! Make sure to check out github.com/fjogeleit/policy-reporter. It helps with a better view of the reports.
Just saw your video on Gatekeeper the day before yesterday, and sent a presentation to the higher-ups in the office as to why maybe we should start using Gatekeeper and other security tools in our AKS. And now this 😂😂
My thinking is similar. I believe that OpenShift/OKD makes sense for the companies that need that complexity and often want to pay a high price for a solution. OKD is mostly used as a way to evaluate OpenShift rather than a final solution.
@DevOpsToolkit maybe you want to throw kubewarden.io into the mix? I haven't used it up to now, and I think that Kyverno already looks much easier, but maybe you value the complexity because things are possible with it that I am not even thinking of now.
I'll check it out. As for the complexity... The simpler something is, the more I like it and want to use it, as long as that something does what I need it to do. I'm not fond of the idea of using something overly complex just in case we might need it one day. On the other hand, whatever I'm using must do what I need it to do, otherwise it does not matter whether it is simple or not. A good example is Docker Swarm. I loved it and used it for a long time but, eventually, I had to move everything to k8s simply because it could not do what I needed it to do (apart from being an abandoned project). In any case... Let me check kubewarden and get back to you.
@DevOpsToolkit I really like your videos and the way that you present all these topics; they always inspire me to look at my own setup and see what maybe could be done better. Also, I agree with a lot of your opinions on how to do things, so that just lets me think that I'm not so far off the correct way ;)
Does anyone know: 1. What if the Kyverno service itself is down? Will the policies continue to work? 2. If we use Argo CD, I think it is not good to enable the auto-correction by Kyverno, otherwise they will keep going into a loop.
1. If the Kyverno controller is down, policies will not work. 2. I do not like Kyverno's ability to modify or create resources at runtime except in very special situations. Now, if you do need to do that, you can instruct Argo CD which parts of resources to ignore, and those created by Kyverno are not managed by Argo CD so it will not interfere (but it will be against GitOps principles).
My bad. I did not check the details when it failed in k3d so I cannot say what was wrong at the time. I just tried it again and it works like a charm. I just added the following message to the pinned comment: "I made a mistake in the video by saying that it did not work in k3d. When I tried it again a while later, everything worked like a charm. My guess is that there was a temporary problem or an issue I caused when I was recording the session. In any case, I stand corrected. It works in k3d!!!"
Not much. RBAC is about who can access what while Kyverno, and policies in general, is about who can do what on a more granular level. You can, for example, use RBAC to say "you can create this" but NOT to say "you are not allowed to create this with those parameters or properties".
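
The distinction drawn in the reply above, as an added example that is not part of the original comments or of the Kyverno project's own material: an RBAC Role that lets its subjects create Pods, next to a Kyverno policy that rejects Pods whose image uses the `latest` tag. The namespace `dev`, the resource names and the choice of the image-tag rule are assumptions made for illustration.

```yaml
# RBAC answers "who may create Pods in this namespace" and nothing more.
# It has no way to inspect the fields of the Pod being created.
# (Namespace "dev" and the name "pod-creator" are assumed for this example.)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-creator
  namespace: dev
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create"]
---
# Kyverno answers "with which properties may that Pod be created".
# The request passes RBAC first, then the admission webhook evaluates
# the Pod spec against the pattern below and rejects a mismatch.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag   # assumed name
spec:
  # Enforce blocks the request; Audit would only record a report entry.
  validationFailureAction: Enforce
  background: false
  rules:
    - name: require-pinned-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - dev
      validate:
        message: "Images must use a tag other than 'latest'."
        pattern:
          spec:
            containers:
              # "!" negates the wildcard match on every container image.
              - image: "!*:latest"
```

With both applied, a subject bound to the Role can create a Pod in `dev` running `nginx:1.27` but is refused one running `nginx:latest`, a restriction the Role alone cannot express.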