What do you think about Kyverno? Is it a good alternative to OPA/Gatekeeper? Should I compare the two in one of the upcoming videos?
I made a mistake in the video by saying that it did not work in k3d. When I tried it again a while later, everything worked like a charm. My guess is that there was a temporary problem or an issue I caused when I was recording the session. In any case, I stand corrected. It works in k3d!!!
Make sure to check out github.com/fjogeleit/policy-reporter. It helps with a better view of the reports.
Kyverno is interesting, I guess not having to learn Rego is good, but may be more powerful in the end? Thanks Viktor, looking forward to the next one.
Can we restrict the creation of services of type LoadBalancer on the basis of a label or annotation with Kyverno?
Yes we can. We can filter resources to which policies are applied using any resource field.
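An added example of the kind of policy this exchange refers to (not from the video or from either commenter): a Kyverno `ClusterPolicy` that rejects Services of type `LoadBalancer` unless they carry an approval label. The policy name, the rule name and the `allow-loadbalancer` label are hypothetical, and the spec-level `validationFailureAction` field is assumed to be accepted by the installed Kyverno version.

```yaml
# Added example: names and the label key are hypothetical.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-loadbalancer-services
spec:
  # Reject violating requests at admission instead of only reporting them.
  validationFailureAction: Enforce
  # Also evaluate existing Services so violations show up in policy reports.
  background: true
  rules:
    - name: loadbalancer-needs-approval-label
      match:
        any:
          - resources:
              kinds:
                - Service
      # Services that carry the approval label are skipped by this rule.
      exclude:
        any:
          - resources:
              selector:
                matchLabels:
                  allow-loadbalancer: "true"
      validate:
        message: >-
          Services of type LoadBalancer are only allowed when labelled
          allow-loadbalancer=true.
        # Every Service that is not excluded must have a type other
        # than LoadBalancer.
        pattern:
          spec:
            type: "!LoadBalancer"
```

A label is only as strong as the control over who may set it: anyone allowed to create the Service can also add the label, so the exemption is usually paired with a second rule or a review step that limits who can apply it.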
Really great video. Refreshing to see you start with a concrete example
Very well explained, with simple examples!
Great overview, thank you!
Very useful! Thanks, Viktor!
Thank you! I think I apply it in my work.
Amazing! I just found this video, and I'm your fan now! Subscribed!
Great overview, thank you Viktor
Great video. Thank you. Please compare gatekeeper and kyverno.
It's coming... I hope to have it done in 2 weeks from now.
@DevOpsToolkit maybe you want to throw kubewarden.io into the mix? I didn't use it up to now, and I think that Kyverno looks already much easier, but maybe you value the complexity because things are possible with it that I am now not even thinking of.
I'll check it out.
As for the complexity... The simpler something is, the more I like it and want to use it, as long as that something does what I need it to do. I'm not fond of the idea of using something overly complex just in case we might need it one day. On the other hand, whatever I'm using must do what I need it to do, otherwise it does not matter whether it is simple or not. A good example is Docker Swarm. I loved it and used it for a long time but, eventually, I had to move everything to k8s simply because it could not do what I needed it to do (apart from being an abandoned project).
In any case... Let me check kubewarden and get back to you.
@DevOpsToolkit I really like your videos and the way that you present all these topics, they always inspire me to look at my own setup and see what maybe could be done better. Also I agree with a lot of your opinions on how to do things, so that just lets me think that I'm not so far off the correct way ;)
excellent video as always!!
Just saw your video on Gatekeeper day before yesterday, and sent a presentation to the higher ups in the office as to why maybe we should start using Gatekeeper and other security tools in our AKS. And now this 😂😂
My thinking is similar. I believe that openshift/okd makes sense for the companies that need that complexity and often want to pay a high price for a solution. OKD is mostly used as a way to evaluate OpenShift rather than a final solution.
Great explanation!
Very Good overview, Thanks for sharing..:)
Very good summary and overview. I would love to get your opinion and comparison of both tools.
If everything goes as planned, the comparison should be published this Thursday.
Awesome!
Amazing, since this video Kyverno has added many policies, the number now stands at 292, which satisfies most of the cases.
Yeah. Kyverno is amazing.
Hi Viktor! Which feature is missing in k3d preventing Kyverno from running, as you said you had to use kind to test this? Thanks!
Let me reproduce it and get back to you...
My bad. I did not check the details when it failed in k3d so I cannot say what was wrong at the time. I just tried it again and it works like a charm. I just added the following message to the pinned comment:
"I made a mistake in the video by saying that it did not work in k3d. When I tried it again a while later, everything worked like a charm. My guess is that there was a temporary problem or an issue I caused when I was recording the session. In any case, I stand corrected. It works in k3d!!!"
@DevOpsToolkit thank you very much, quick and efficient! 😀
Hi, can you please let me know if this can be used in a multicloud environment? Thanks
Yes it can :) It can run in any k8s cluster anywhere.
@DevOpsToolkit Would you be able to share some documentation on multicloud? Thanks
It is essentially the same no matter how many clusters or clouds you have. You just have to install kyverno and apply the policies in each.
Does anyone know:
1. What if the Kyverno service itself is down? Will the policies continue to work?
2. If we use ArgoCD, I think it is not good to enable the auto correction by Kyverno, otherwise they will get into a loop.
1. If Kyverno controller is down, policies will not work.
2. I do not like Kyverno's ability to modify or create resources at runtime except in very special situations. Now, if you do need to do that, you can instruct Argo CD which parts of resources to ignore, and those created by Kyverno are not managed by Argo CD so it will not interfere (but will be against GitOps principles).
Is it similar to RBAC?
Not much. RBAC is about who can access what while Kyverno, and policies in general, is about who can do what on a more granular level. You can, for example, use RBAC to say "you can create this" but NOT to say "you are not allowed to create this with those parameters or properties".
Which Kyverno version did you test here?
I do not remember which exact version I used. It was the latest at the time the video was published. Kyverno improved a lot since then.