@vfarcic
Last active March 2, 2023 07:25
# Source: https://gist.github.com/bb25a1ed0b26cbb285b9e55aed48036b
##############################################################################
# Kubernetes Policies And Admission Controllers Compared - Kyverno vs Datree #
# https://youtu.be/A4SIpyG5BNU #
##############################################################################
# Additional Info:
# - Kyverno: https://kyverno.io
# - Datree: https://datree.io
# - How to apply policies in Kubernetes using Open Policy Agent (OPA) and Gatekeeper: https://youtu.be/14lGc7xMAe4
# - Kubernetes Policy Management Tools Compared - OPA with Gatekeeper vs. Kyverno: https://youtu.be/9gSrRNmmKBc
# - Kubernetes-Native Policy Management With Kyverno: https://youtu.be/DREjzfTzNpA
# - How To Write And Test Kubernetes Manifests With Datree: https://youtu.be/3jZTqCETW2w
# - Metacontroller - Custom Kubernetes Controllers The Easy Way: https://youtu.be/3xkLYOpXy2U
# - Crossplane - GitOps-based Infrastructure as Code through Kubernetes API: https://youtu.be/n8KjVmuHm7A
# - How To Apply GitOps To Everything - Combining Argo CD And Crossplane: https://youtu.be/yrj4lmScKHQ
# - How To Shift Left Infrastructure Management Using Crossplane Compositions: https://youtu.be/AtbS1u2j7po
# - Combining Argo CD (GitOps), Crossplane (Control Plane), And KubeVela (OAM): https://youtu.be/eEcgn_gU3SM
# - Cloud-Native Apps With Open Application Model (OAM) And KubeVela: https://youtu.be/2CBu6sOTtwk
#########
# Setup #
#########
# Create two Kubernetes clusters, one for Kyverno and the other for Datree.
# Switch to one cluster or another depending on the comments like `# Kyverno` or `# Datree`.
git clone https://github.com/vfarcic/policies-compared-demo
cd policies-compared-demo
# Kyverno
helm repo add kyverno \
https://kyverno.github.io/kyverno
# Kyverno
helm repo add policy-reporter \
https://kyverno.github.io/policy-reporter
# Datree
helm repo add datree-webhook \
https://datreeio.github.io/admission-webhook-datree/
helm repo update
# Kyverno
helm upgrade --install \
kyverno kyverno/kyverno \
--namespace kyverno \
--create-namespace \
--wait
# Kyverno
helm upgrade --install \
kyverno-policies kyverno/kyverno-policies \
--namespace kyverno \
--wait
# Kyverno
helm upgrade --install \
policy-reporter policy-reporter/policy-reporter \
--namespace kyverno \
--create-namespace \
--set kyvernoPlugin.enabled=true \
--set ui.enabled=true \
--set ui.plugins.kyverno=true \
--set metrics.enabled=true \
--wait
# Datree
# Replace `[...]` with your Datree token.
# If you do not have it already, please head to https://app.datree.io/settings/token-management and generate one.
export DATREE_TOKEN=[...]
# Datree
datree publish datree/policies.yaml
# Datree
helm upgrade --install \
datree-webhook \
datree-webhook/datree-admission-webhook \
--namespace datree \
--create-namespace \
--set datree.token=$DATREE_TOKEN \
--set datree.policy=dot \
--set replicaCount=1
# Kyverno
kubectl create namespace kyverno-demo
# Kyverno
kubectl label namespaces kyverno-demo \
"admission.datree/validate=skip"
# Datree
kubectl create namespace datree-demo
# Kyverno
# Install `kyverno` CLI from https://kyverno.io/docs/kyverno-cli/#building-and-installing-the-cli
# Datree
# Install `datree` CLI from https://hub.datree.io/#1-install-the-datree-cli
# Datree
datree config set token $DATREE_TOKEN
# Datree
# Open https://app.datree.io/settings/user-settings and toggle on the `Policy-as-code` switch
##########
# Syntax #
##########
# Kyverno
cat kyverno/replicas.yaml
# Datree
cat datree/policies.yaml
#####################
# Pre-Made Policies #
#####################
# Kyverno
kubectl get clusterpolicies
# Kyverno
# Open https://kyverno.io/policies/?policytypes=validate
# Datree
# Open https://app.datree.io/cli/policies
###################
# Custom Policies #
###################
# Kyverno
cat kyverno/replicas.yaml
# Datree
cat datree/policies.yaml
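# The two policy files are not reproduced in this gist. What follows is an added example (not the
# demo repo's own `kyverno/replicas.yaml` or `datree/policies.yaml`) showing the same rule,
# "Deployments must run at least two replicas", in each tool's syntax. The threshold of 2, the
# rule names and the custom-rule identifier are assumptions; the Datree policy name `dot` is the
# one selected by `--set datree.policy=dot` in the setup above.

```yaml
# Kyverno: a ClusterPolicy evaluated by the admission webhook and, offline, by `kyverno apply`.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-replicas               # assumed name
spec:
  validationFailureAction: Enforce     # Enforce rejects the request; Audit only reports it
  background: true                     # also scan existing resources into PolicyReports
  rules:
    - name: deployment-has-replicas
      match:
        any:
          - resources:
              kinds:
                - Deployment
      validate:
        message: "Deployments must set spec.replicas to 2 or more."
        pattern:
          spec:
            replicas: ">=2"            # Kyverno pattern operator on a numeric field
---
# Datree: a policy-as-code file uploaded with `datree publish`; custom rules are JSON Schema.
apiVersion: v1
policies:
  - name: dot                          # selected by `--set datree.policy=dot`
    isDefault: true
    rules:
      - identifier: CUSTOM_DEPLOYMENT_MIN_REPLICAS
        messageOnFailure: "Deployments must set spec.replicas to 2 or more."
customRules:
  - identifier: CUSTOM_DEPLOYMENT_MIN_REPLICAS   # assumed identifier
    name: Ensure Deployments run at least two replicas
    defaultMessageOnFailure: "Deployments must set spec.replicas to 2 or more."
    schema:
      if:
        properties:
          kind:
            enum: [Deployment]
      then:
        properties:
          spec:
            properties:
              replicas:
                minimum: 2
            required: [replicas]
```

# With either file in place, the client-side checks below (`kyverno apply` / `datree test`) and the
# admission webhooks reject a Deployment that omits `replicas` or sets it to 1.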
###########################
# Client-Side Validations #
###########################
# Kyverno
kyverno apply kyverno/replicas.yaml \
--resource k8s/no-replicas
# Datree
datree test k8s/no-replicas/*.yaml
####################################
# Validating Admission Controllers #
####################################
# Kyverno
kubectl apply \
--filename kyverno/replicas.yaml
# Kyverno
kubectl --namespace kyverno-demo apply \
--filename k8s/no-replicas
# Datree
kubectl --namespace datree-demo apply \
--filename k8s/no-replicas
##################################
# Mutating Admission Controllers #
##################################
# Kyverno
cat kyverno/image.yaml
# Kyverno
kubectl apply \
--filename kyverno/image.yaml
# Kyverno
kubectl --namespace kyverno-demo apply \
--filename k8s/mutate
# Kyverno
kubectl --namespace kyverno-demo \
get deployments \
--selector "app.kubernetes.io/name=silly-demo"
# Kyverno
kubectl --namespace kyverno-demo get \
deployment silly-demo \
--output yaml
# Kyverno
kubectl --namespace kyverno-demo delete \
--filename k8s/mutate
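# An added example of a Kyverno mutating rule, not the demo repo's `kyverno/image.yaml`, whose
# contents are not shown here. It assumes the demo Deployment references an image by a mutable tag
# such as `latest`; the rule forces `imagePullPolicy: Always` for such containers so a moved tag
# cannot be served from a stale node cache.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: always-pull-mutable-tags       # assumed name
spec:
  rules:
    - name: set-pull-policy-for-latest
      match:
        any:
          - resources:
              kinds:
                - Deployment
      mutate:
        # Strategic-merge patch. `(image)` is a conditional anchor: only list
        # entries whose image matches the wildcard receive the patched field.
        patchStrategicMerge:
          spec:
            template:
              spec:
                containers:
                  - (image): "*:latest"
                    imagePullPolicy: Always
```

# After `kubectl apply`, the `--output yaml` read-back shows the injected field together with the
# `policies.kyverno.io/last-applied-patches` annotation Kyverno adds to mutated resources.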
################
# Integrations #
################
# Kyverno
cat kyverno/cosign.yaml
# Kyverno
kubectl --namespace kyverno-demo apply \
--filename kyverno/cosign.yaml
# Kyverno
kubectl --namespace kyverno-demo apply \
--filename k8s/not-signed
# Kyverno
kubectl --namespace kyverno-demo apply \
--filename k8s/signed
# Kyverno
kubectl --namespace kyverno-demo delete \
--filename k8s/signed
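# An added example of a Kyverno image-verification rule, not the demo repo's `kyverno/cosign.yaml`.
# The registry path and the public key are placeholders; the rule rejects matching images that
# carry no valid cosign signature and rewrites admitted tags to their verified digest.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures        # assumed name
spec:
  validationFailureAction: Enforce
  background: false                    # signature checks run in the webhook only
  webhookTimeoutSeconds: 30            # registry round-trips exceed the 10s default
  rules:
    - name: check-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod                  # autogen extends the rule to Deployments and other controllers
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*" # placeholder: scope to the registry/org you actually sign
          required: true               # matching images without a signature are rejected
          mutateDigest: true           # replace the tag with the verified digest on admission
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <cosign.pub placeholder>
                      -----END PUBLIC KEY-----
```

# With this policy applied, the `k8s/not-signed` manifest is rejected at admission while
# `k8s/signed` is admitted with its image reference pinned to the digest that was verified.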
#########################
# Outputs and Reporting #
#########################
# Kyverno
kubectl --namespace kyverno-demo apply \
--filename k8s/outputs
# Datree
kubectl --namespace datree-demo apply \
--filename k8s/outputs
# Kyverno
kubectl get policyreports --all-namespaces
# Kyverno
kubectl --namespace kyverno-demo \
describe policyreport polr-ns-kyverno-demo
# Kyverno
kubectl --namespace kyverno port-forward \
service/policy-reporter-ui 8082:8080
# Kyverno
# Open http://localhost:8082
# Kyverno
# Stop with `ctrl+c`
# Datree
# Open https://app.datree.io/cli/policies
# Datree
# Open https://app.datree.io/cli/invocations
###########
# Destroy #
###########
# Destroy the two clusters