# Source: https://gist.github.com/bb25a1ed0b26cbb285b9e55aed48036b
##############################################################################
# Kubernetes Policies And Admission Controllers Compared - Kyverno vs Datree #
# https://youtu.be/A4SIpyG5BNU                                               #
##############################################################################
# Additional Info:
# - Kyverno: https://kyverno.io
# - Datree: https://datree.io
# - How to apply policies in Kubernetes using Open Policy Agent (OPA) and Gatekeeper: https://youtu.be/14lGc7xMAe4
# - Kubernetes Policy Management Tools Compared - OPA with Gatekeeper vs. Kyverno: https://youtu.be/9gSrRNmmKBc
# - Kubernetes-Native Policy Management With Kyverno: https://youtu.be/DREjzfTzNpA
# - How To Write And Test Kubernetes Manifests With Datree: https://youtu.be/3jZTqCETW2w
# - Metacontroller - Custom Kubernetes Controllers The Easy Way: https://youtu.be/3xkLYOpXy2U
# - Crossplane - GitOps-based Infrastructure as Code through Kubernetes API: https://youtu.be/n8KjVmuHm7A
# - How To Apply GitOps To Everything - Combining Argo CD And Crossplane: https://youtu.be/yrj4lmScKHQ
# - How To Shift Left Infrastructure Management Using Crossplane Compositions: https://youtu.be/AtbS1u2j7po
# - Combining Argo CD (GitOps), Crossplane (Control Plane), And KubeVela (OAM): https://youtu.be/eEcgn_gU3SM
# - Cloud-Native Apps With Open Application Model (OAM) And KubeVela: https://youtu.be/2CBu6sOTtwk
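#########
# Setup #
#########
# Create two Kubernetes clusters, one for Kyverno and the other for Datree.
# Switch to one cluster or another depending on the comments like `# Kyverno` or `# Datree`.
# Check `kubectl config current-context` before each block: the commands below
# are meant to be pasted into an interactive shell, and nothing stops a policy
# or demo resource from landing in the wrong cluster.
git clone https://github.com/vfarcic/policies-compared-demo
cd policies-compared-demo
# Kyverno
helm repo add kyverno \
    https://kyverno.github.io/kyverno
# Kyverno
helm repo add policy-reporter \
    https://kyverno.github.io/policy-reporter
# Datree
helm repo add datree-webhook \
    https://datreeio.github.io/admission-webhook-datree/
helm repo update
# None of the installs below pins a chart version, so each run resolves to the
# newest chart in the repo at that moment. Fine for a demo; add
# `--version <chart-version>` anywhere reproducibility or review matters.
# Kyverno
helm upgrade --install \
    kyverno kyverno/kyverno \
    --namespace kyverno \
    --create-namespace \
    --wait
# Kyverno
helm upgrade --install \
    kyverno-policies kyverno/kyverno-policies \
    --namespace kyverno \
    --wait
# Kyverno
helm upgrade --install \
    policy-reporter policy-reporter/policy-reporter \
    --namespace kyverno \
    --create-namespace \
    --set kyvernoPlugin.enabled=true \
    --set ui.enabled=true \
    --set ui.plugins.kyverno=true \
    --set metrics.enabled=true \
    --wait
# Datree
# If you do not have a Datree token already, please head to
# https://app.datree.io/settings/token-management and generate one.
# The token is read from the terminal (echo off) instead of being typed into
# an `export DATREE_TOKEN=...` line, so it does not end up in shell history.
read -r -s -p "Datree token: " DATREE_TOKEN && echo
export DATREE_TOKEN
# Datree
datree publish datree/policies.yaml
# Datree
# `--set-file` hands Helm the token through a file descriptor, so it is not on
# the helm command line (visible to `ps` and saved in history) and is not
# type-coerced the way `--set` values are. Helm still keeps the rendered
# values in the release Secret in the `datree` namespace; limit who can read
# Secrets there.
# `replicaCount=1` is a demo setting: with a single webhook pod, any restart
# makes admission fail open or fail closed depending on the webhook's
# failurePolicy, so run more than one replica outside a demo.
helm upgrade --install \
    datree-webhook \
    datree-webhook/datree-admission-webhook \
    --namespace datree \
    --create-namespace \
    --set-file datree.token=<(printf '%s' "$DATREE_TOKEN") \
    --set datree.policy=dot \
    --set replicaCount=1 \
    --wait
# Kyverno
kubectl create namespace kyverno-demo
# Kyverno
# A namespace label that skips validation is also a bypass: whoever can label
# namespaces can opt any namespace out of the Datree webhook. Keep
# update/patch rights on `namespaces` tight wherever this label is honoured.
# (In the Kyverno cluster the label presumably has no effect, since this
# script installs the Datree webhook only in the other cluster.)
kubectl label namespaces kyverno-demo \
    "admission.datree/validate=skip"
# Datree
kubectl create namespace datree-demo
# Kyverno
# Install `kyverno` CLI from https://kyverno.io/docs/kyverno-cli/#building-and-installing-the-cli
# Datree
# Install `datree` CLI from https://hub.datree.io/#1-install-the-datree-cli
# Datree
# Quoted so the token is passed as a single argument; note that this still
# places it on the command line while the command runs.
datree config set token "$DATREE_TOKEN"
# Datree
# Open https://app.datree.io/settings/user-settings and toggle on the `Policy-as-code` switch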
##########
# Syntax #
##########
# Each tool has its own policy format; the demo repo ships one example of each.
# Kyverno
cat -- kyverno/replicas.yaml
# Datree
cat -- datree/policies.yaml
#####################
# Pre-Made Policies #
#####################
# Kyverno
# Lists the ClusterPolicy objects already in the cluster (the kyverno-policies
# chart from Setup installs a set of them). Check each one's
# validationFailureAction: a policy in `audit` mode only reports violations,
# it does not reject the resource.
kubectl get clusterpolicies.kyverno.io
# Kyverno
# Open https://kyverno.io/policies/?policytypes=validate
# Datree
# Open https://app.datree.io/cli/policies
###################
# Custom Policies #
###################
# Same two files as in Syntax, now read as examples of hand-written policies.
# Kyverno
cat -- kyverno/replicas.yaml
# Datree
cat -- datree/policies.yaml
###########################
# Client-Side Validations #
###########################
# Both CLIs evaluate the manifests locally, without a cluster. This is
# shift-left feedback for authors and CI, not a control: anyone with kubectl
# access can skip it, so the admission webhooks in the next section remain
# the enforcement point.
# Kyverno
kyverno apply --resource k8s/no-replicas kyverno/replicas.yaml
# Datree
datree test ./k8s/no-replicas/*.yaml
####################################
# Validating Admission Controllers #
####################################
# Kyverno
# Installs the replicas policy into the cluster.
kubectl apply -f kyverno/replicas.yaml
# Kyverno
# The manifests under k8s/no-replicas presumably violate that policy; whether
# the API server rejects them or merely records a violation depends on the
# policy's validationFailureAction (enforce vs audit) in kyverno/replicas.yaml.
kubectl apply -n kyverno-demo -f k8s/no-replicas
# Datree
# Same manifests against the Datree webhook in the other cluster.
kubectl apply -n datree-demo -f k8s/no-replicas
##################################
# Mutating Admission Controllers #
##################################
# Mutating webhooks run before validating ones in the admission chain, so a
# validating policy sees the object after mutation. Review mutate rules with
# that in mind: a broad mutation can quietly rewrite fields across a namespace.
# Kyverno
cat -- kyverno/image.yaml
# Kyverno
kubectl apply -f kyverno/image.yaml
# Kyverno
kubectl apply -n kyverno-demo -f k8s/mutate
# Kyverno
kubectl get deployments -n kyverno-demo \
    -l "app.kubernetes.io/name=silly-demo"
# Kyverno
# Inspect the persisted object to see what the policy changed.
kubectl get -n kyverno-demo deployment/silly-demo -o yaml
# Kyverno
kubectl delete -n kyverno-demo -f k8s/mutate
################
# Integrations #
################
# Kyverno
# An image-verification policy presumably pins the signing key or identity
# that images must verify against; that pin is the trust root of the whole
# check, so review it before applying rather than accepting the demo's value.
cat -- kyverno/cosign.yaml
# Kyverno
kubectl apply -n kyverno-demo -f kyverno/cosign.yaml
# Kyverno
# Presumably rejected: no signature matching the policy.
kubectl apply -n kyverno-demo -f k8s/not-signed
# Kyverno
# Presumably admitted.
kubectl apply -n kyverno-demo -f k8s/signed
# Kyverno
kubectl delete -n kyverno-demo -f k8s/signed
#########################
# Outputs and Reporting #
#########################
# Kyverno
kubectl apply -n kyverno-demo -f k8s/outputs
# Datree
kubectl apply -n datree-demo -f k8s/outputs
# Kyverno
# Policy reports are regular API objects; anyone who can read them learns
# which workloads violate which policy, so scope their RBAC like other
# audit data.
kubectl get policyreports -A
# Kyverno
kubectl describe -n kyverno-demo policyreport/polr-ns-kyverno-demo
# Kyverno
# port-forward listens on 127.0.0.1 only; do not add `--address 0.0.0.0` on a
# shared host unless the UI is protected, it would be reachable by anyone on
# the network.
kubectl port-forward -n kyverno service/policy-reporter-ui 8082:8080
# Kyverno
# Open http://localhost:8082
# Kyverno
# Stop with `ctrl+c`
# Datree
# Open https://app.datree.io/cli/policies
# Datree
# Open https://app.datree.io/cli/invocations
########### | |
# Destroy # | |
########### | |
# Destroy the two clusters |