Hey everyone! I'm a DevOps engineer with about a year and a half of experience (you can call me noobOps). I've been diving into security and compliance lately, but I'm curious why many teams still choose Kyverno over Kubernetes' Validating Admission Policies (VAP), especially now that it's been available since version 1.30. Is the hesitation mostly because of the complexity of writing policies with CEL expressions or are there other reasons at play?
5 Answers
There are a few solid reasons for sticking with Kyverno. For one, it allows for complex policies and even resource mutations. Plus, testing these policies is relatively straightforward. Many teams just feel comfortable with what they already have in place, which makes switching over a bit daunting even if VAP is better in some respects.
Exactly! And I think there's often a fear of the unknown when it comes to migrating.
I just learned about Validating Admission Policy recently. We've been using Kyverno not just for validation but also for mutation rules. It seems like I’d still need to stick with Kyverno for now, given its broader functionality.
Yeah, I’ve heard that native mutating admission policies are still in alpha, so it might be a while before they’re reliable.
Kyverno is capable of pretty advanced logic. For instance, I once set it up to automatically generate VirtualServices when ACME requests were made with cert manager, which was essential for passing the ACME challenge via HTTP. While some basic validation can be handled by the new admission policies, Kyverno still seems to shine in its advanced use cases.
For sure! It's excellent for more complex scenarios, but I've noticed that even large tech companies stick with Kyverno just for validation mostly, likely due to migration effort.
Kyverno has unique features that Kubernetes native solutions can’t replicate, like reporting capabilities and resource generation. Adopting VAP would require rewriting existing validation policies, which isn’t appealing if teams are already happy with Kyverno.
True! It seems like the organizations that use these tools get ingrained into their solutions, making it more of a cultural shift rather than purely technical.
We initially tried using Kyverno because it can validate resources offline before they're pushed. Running it in cluster with admission policies feels like a long detour for what we needed. Eventually, we went with Conftest using Rego - it's more challenging to write, but super quick for resource validation. Kyverno can be a bit slow, honestly.
Yeah, I get that. I’m skeptical about AI tools unless they’ve been thoroughly tested by QA; I've seen more production issues with AI malfunctions than simple YAML errors.
Definitely agree! Kyverno is pretty robust for those advanced use cases, but migrating from something that’s already working is a lot of effort.