1. That's my bad. That part was not supposed to compare it with Kyverno YAML, but only to show that Rego can get big and (semi) complex. At the same time, Kyverno does not allow us to do complex things. I made a mistake of not being clear on that one. 2. Kyverno is targeting Pods. You can see that from the `spec.rules.match.resources.kinds` section inkyverno.io/policies/best-practices/require_pod_requests_limits/require_pod_requests_limits/. Now, what Kyverno does below the hood is a different question. It is indeed checking pod templates of the resources that might create pods. 3. Kyverno is more limited than OPA/Gatekeeper. I thought I made that clear in the video, but I obviously failed. My bad. As for the "unholy mess of YAML"... It's Kubernetes. YAML is unavoidable, one way or another. I could agree that YAML might be a mess, that templating might not be ideal, etc. However, that is not specific to policies, but is (or isn't) a general problem in Kubernetes. Using Rego has advantages, but avoiding "unholy mess of yaml" is not one of them. Using Gatekeeper will not result in not using YAML or templating at all, but not using YAML and templating only for a fraction of what we do with k8s. The discussion about Rego is, to me, similar, to the discussion about using Cue in tools like, for example KubeVela/OAM. Is it better than Kube, Helm, or whichever other options is offters? Yes it is. Is it worth learning yet another language? Yes it is, for some. Is it going to become mainstream and used by majority? That's the part I'm not sure. Should we use Rego and Cue and Go template and ... all at once? Probably not. Which ones will survive? I have no idea.

​@@DevOpsToolkit Got ya! As for 2 that's quite interesting then if Kyverno can deduce that that Deployment will produce Pods that don't match the policy. For 3. you were very clear on the fact that Kyverno is more limited, but I felt that in this case the devil is in the details of how limited is it exactly. I'll look into that myself a bit more. And you're right, everything in K8s land is a lot of yaml, so it's is quite natural to express policies in this way too. I just feel that policies are somewhat different. You are not just listing a ton of config parameters like with other K8s objects but practically defining a yaml-based programming language. But you're right if that get's you 80% of the way that's pretty good.

@@adamsandor1637 I do not agree with the 80% part. That is exactly the reason why I did go with Gatekeeper. I do not want to run into something that I want and cannot implement with Kyverno. Would be nice to see what kind of policies cannot be implemented with kyverno that is used normally in prod clusters.

Hi there, Kyverno contributor here. Just a couple of clarifications and relevant additions. 2. Kyverno intelligently translates rules for Pods to higher-level controllers like Deployments, DaemonSets, etc. This feature is called the auto-gen controller (kyverno.io/docs/writing-policies/autogen/). So in Victor's example, yes it really is "that fancy" but also that simple. There's no need (in almost all cases, anyway) to duplicate a policy for Pods N number of times to cover all the controllers capable of creating Pods. Kyverno will do that for you automatically. 3. Anytime a tool doesn't expose a programming language, its capabilities are naturally going to be more limited than another which does. But the matter shouldn't be an academic or theoretical discussion as far as which one might be more limited but rather answers the question *does it solve YOUR problems*? In my experience, seeing and hearing what problems people are trying to solve with a policy engine, anecdotally Kyverno solves more than 90% of those use cases. And that gap narrows even further which each release. Also, as for the ability to not have an "unholy mess" of YAML by using the same policy for different needs with templating, Kyverno has several options including sourcing of values from a ConfigMap, for example.

@@chipzoller Thanks for the clarification Chip! The auto-gen controller feature looks really cool.

I haven't tried it with dryrun so I'm not sure. I tend to create preview envs for each PR and do the same process as when going to permanent envs.

I feel that kyverno grew in the meantime abd that if i would do a comparison it would be a very short one: "manage stuff with kubernetes, use kyverno for policies. There is no alternative."

Both products are in early stages and they will likely be very different a year from now. Also, anything related to security (directly or indirectly) is hot and receives a lot of investment money. That means that we will likely have a bunch of other similar tools not long from now. As for PSP... It's dead, so the tools like GK and Kyverno are even more important than before.

You can solve the "hidden" validation issue by creating a separate CRD for Deployments or, even better, for all the resources that use `podTemplate` (e.g., Deployment, StatefulSet, etc.). Mutation is possible with Gatekeeper, but is in very early stages.

I do not see a reason why not to use both if there is a good use case for that.

Yes, and you can hook it up into a "report" easily with prometheus+grafana that you use anyway in your cluster :)

I haven't used that one (yet). Do you have a link? P.S. KZbin tends to remove comments with links. Post it without

@@DevOpsToolkit www.tremolosecurity.com/technology/kubernetes and github.com/OpenUnison/openunison-k8s-login-activedirectory ! Please share your views and simple video on setting up open unison for k8s namespace management..

@@dharmeshp4697 Looks intersting... Adding it to my TODO list... :)

Technically, you can use both in parallel. Practically, I think that would be an overkill with no tangible benefits.

Thanks. I'm very excited about being a part of a product I believe has a lot of potentials.

@@DevOpsToolkit Congrats, looking forward to in depth videos about all Crossplane products :)

Just finished another one about crossplane. It'll be published next Thursday.

It definitely can and, in general, should. Traditionally, enterprises preferred one tool that does it all. Since then, we all learned that such solutions tend to be bad at everything, instead of being good at something. So, yes. Tools can be combined in general, and in the case of Kyverno and OPA, I do not see the reason why that would not be the case. Now, the more tools you have, the more there is to learn, so it's always about finding the right balance. If in your case, there is a use case for using both, I would say go for it. In the worst-case scenario, you'll learn in more depth how both of those work and will be able to make an educated decision on what to do next (e.g., keep both, keep only one of those, etc.).

@@DevOpsToolkit ❤

I almost always prefer SaaS solutions in general, logging and monitoring included. The less things I need to worry about, the better (as long as the price is right). From that perspective, SaaS offers like datadog are great. Now, if you prefer self-hosting it, Loki for logging and Prometheus for metrics are my choices.

​@@DevOpsToolkit I tried loki and it still seems to take a lot of work in terms of propagating labels and setting up and it's also memory heavy so I agree that Sass solutions are better. Prometheus setup was easy though. Datadog seems very expensive but people seem to love it. Do you have experience using any other SaaS solution for logging and monitoring? I might just go for Datadog. Thank you :)

@@quant-daddy Whether Loki uses a lot of memory depends with what you compare it. For example, it is lightweight compared to ElasticSearch.

I'm also on the DataDog train. Yes, it's expensive, but the "ease of use" factor and features are well worth it, _as long as you can pay for it_. I've never used Loki, to be fair.

If you can afford it, SaaS almost always beats self-managed solutions. I would not switch from DataDog to Loki unless you have a mission to remove the cost of DD.

I would not say that it's going backwards. There are advantages to using Rego. The question is more whether those advantages justify it? For some, the answer is yes, and for others it's no.