Articles in the Exploring Kyverno series:

- Part 1, Validation
- Part 2, Mutation
- Part 3, Generation

If you guessed "Kubernetes" you'd be partially right. Everyone seems to be talking about it, and more and more companies are using it, but what isn't growing at the same rate is security and controls for it. The ability to rein in what seems like the Wild West and build guard rails and governance, ensuring users can't do dangerous or non-compliant things, is sadly all too absent among Kubernetes adopters at this point. And it's not because there aren't enough lessons learned to build a set of good hygiene practices; it's because the tooling has either been nonexistent or painful to work with. Or, in other cases, policy was an "extra" or "value add" feature that only came with a managed platform of some sort. Those days are gone or, at the very least, are rapidly waning into the sunset thanks to tools like Open Policy Agent and Kyverno. It's the latter I wish to explore in this multi-part series, and I'm honestly really excited to write about this open-source project.

For the first time, policy in Kubernetes can be easy, effective, flexible, and also (dare I say) fun to write. Stick around and let me show you Kyverno, an extensive, Kubernetes-native policy engine. Kyverno is an open-source policy engine built specifically for Kubernetes, not only to validate requests and ensure they conform to your internal best practices and policies, but also to modify those requests if needed and even create new objects based on a variety of conditions. It's a project that came out of Nirmata and was just recently donated to the CNCF as a Sandbox project. Although it's a project I had seen before, I had only paid it cursory attention. Not until it was accepted into the CNCF did I decide to really give it a hard look and dig in. I'm glad I did, because what I found was frankly awesome. I think this project has enormous potential to become the de facto standard for Kubernetes policy, and in this multi-part series of articles I hope to explain why.

If you're already using Kubernetes, it's a sure bet you're using other tools, languages, and frameworks to complete whatever picture you're painting, right? How much knowledge have you acquired that is only applicable to one of those? How much technical debt do you carry on your shoulders? It's so much, you might not even be able to keep track. If you're like most, you need yet another one of those things like you need another hole in your head. Who's saying "nah, I want more complexity" here? So rather than learning yet another Terraform, or yet another Ansible, or yet another anything, wouldn't it be nice if you could repurpose your knowledge of how Kubernetes and YAML work and go straight to being productive with a new tool, without feeling like you're learning a new programming language? When it comes to choosing how to apply policy to Kubernetes, the two leading options are Open Policy Agent (OPA), via Gatekeeper, and Kyverno.

In the context of Kubernetes, both operate as admission controllers, allowing their engines to check incoming requests prior to creation and ensure they conform to whatever pattern is defined. Gatekeeper presently operates only as a validating webhook; it does not have mutation ability. The main power behind OPA is its ability to apply policy to more than just Kubernetes, and to do so with a unified language. And if you're truly looking to adopt one method for applying policy across your enterprise, you should definitely give OPA a look.
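To make the three capabilities concrete (validate, mutate, generate), here is an added example of a single Kyverno ClusterPolicy; it is not code from the article or from the Kyverno project, the policy and rule names are constructed, and it assumes the kyverno.io/v1 API as accepted by current Kyverno releases.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: example-guardrails            # constructed name
spec:
  validationFailureAction: Enforce   # reject non-conforming requests (Audit would only log)
  background: false
  rules:
  # Validation: every Deployment must carry a non-empty "owner" label.
  - name: require-owner-label
    match:
      any:
      - resources:
          kinds: [Deployment]
    validate:
      message: "Deployments must carry a non-empty 'owner' label."
      pattern:
        metadata:
          labels:
            owner: "?*"              # wildcard: at least one character
  # Mutation: add a label to Pods only when it is not already set (the +() anchor).
  - name: add-managed-by-label
    match:
      any:
      - resources:
          kinds: [Pod]
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            +(managed-by): kyverno
  # Generation: give every new Namespace a default-deny ingress NetworkPolicy.
  - name: default-deny-ingress
    match:
      any:
      - resources:
          kinds: [Namespace]
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny-ingress
      namespace: "{{request.object.metadata.name}}"
      synchronize: true              # re-create the object if someone deletes it
      data:
        spec:
          podSelector: {}            # selects every pod in the namespace
          policyTypes:
          - Ingress
```

With Kyverno installed, `kubectl apply -f` this manifest and a Deployment submitted without an `owner` label is rejected at admission with the message above, while new Namespaces receive the NetworkPolicy without any change to the user's request.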