
Update K04-policy-enforcement.md

Open Ali-Yazdani opened this issue 1 year ago • 5 comments

Adding a quick description of tools (OPA Gatekeeper, Kyverno, and Kubewarden).

Ali-Yazdani avatar Apr 12 '23 12:04 Ali-Yazdani

Another idea: to state the differences per Language, Scope and Architecture.

e.g. Kyverno vs Gatekeeper core differences:

  • Language: Kyverno policies are written in YAML, while Gatekeeper policies are written in Rego (a declarative language).

  • Scope: Kyverno is a Kubernetes-native policy engine that focuses on validating and mutating resources at the time of admission. In contrast, Gatekeeper is a general-purpose policy engine that can be used to validate any kind of resource, not just Kubernetes resources (but cannot mutate values).

  • Architecture: Kyverno is a standalone admission controller that runs within the Kubernetes cluster. In contrast, Gatekeeper is a Kubernetes controller that runs outside the cluster, as a separate process.

elgalu avatar Apr 12 '23 13:04 elgalu

I'm thinking about shaping this information in a table format. (I'm thinking loudly 🤔 )

Ali-Yazdani avatar Apr 12 '23 13:04 Ali-Yazdani

@elgalu Please check the table.

Ali-Yazdani avatar Apr 12 '23 18:04 Ali-Yazdani

I would omit entries for which they all share the same properties, e.g. all 3 are written in Go, so that doesn't help for choosing one over the other.

elgalu avatar Apr 12 '23 18:04 elgalu

So Gatekeeper actually also supports mutating, good to know. Found: Gatekeeper has (2 years ago) introduced the ability to mutate resources.

elgalu avatar Apr 12 '23 18:04 elgalu