Kubernetes Validating Admission Policy Changes The Game

Will not replace, but those tools will add additional layer of rules / customization / reporting that doesnt come baked in k8s. Same as eBPF will not kill for ex. service mesh, the players in the field will just adopt and adjust.

Thanks for another excellent intro vid Viktor, as always! The new built-in validation resources may present threats to tools like Kyverno, not so much to OPA Gatekeeper, IMHO. As a general purpose "policy engine" (aka, rule engine), OPA comes with advanced rule/policy evaluation capabilities such as forward/reverse chaining to deal with conflicting policies which may be desirable for handling complex scenarios.

Guess Kyverno will die, unfortunately =(
Others could rely on idea "universal" policies, and adopt kube-val-adm-policy as an optional engine or something

My best guess is that kyverno will add the support for the new API by the time VAP goes GA.

If you run an org where lots of people are kubectl'ing random things into the cluster, then I guess they're decent (so long as you're using CRDs and deploy manifests transactionally in pipelines)
That said, I think it's better to build an IDP. I think a really modern IDP is sort of like a monolithic full-stack app that lets you lock down the cluster and cloud. Because of that, I think it can get away with a lot of client-side logic such as validation.
An IDP that was multi-client, single-backend would be interesting. Maybe you could be a hand-tailored IDP vendor for multiple companies? Maybe you want to break up the frontend experience with one frontend for data, one for backend, and one for frontend? Either way, it seems like building a battleship in a world where building a tugboat is seen as already pretty overpowered.

If it doesn't already exist, I would imagine someone will just make a tool based on the admission policy controller that can run over static manifests

@@chastriq if we can run the whole of kubernetes in docker then i don't see why this couldn't exist aha

I think i bought I on Amazon.

Yeah. I just reliazed that an hour ago :(

I do think they can all coexist. It's just that I prefer using tools that build on top of a standard than with their own API. A good example is Open Telemetry. I would prefer using observability tool that uses the otel API than one that doesn't. That does not mean that those tools should not have additional features. Ofcourse they should but, from my perspective, those should be on top of otel. I think that the same applies (or will apply) to the Validating Admission Policy.
As a side note, I think it's also OK to have a different API (other than the standard) but, in those cases, there must be a good justification (e.g., with the default API we cannot do XYZ and there is no way to extend it).

Simply put - avoiding vendor lock-in ;)
It will be interesting to see the adoption and how expressive CEL will be for most use cases

@ofir2565 I don't think it will replace solutions like kyverno. To begin with, it has only validating policies (no mutating). Also, there are many cases it won't be able to cover. That being said, VAP will be enough for many and, since it will be baked into kubernetes, many will not have to add additional solutions on top.

@@DevOpsToolkit I think at Rejekts Paris, a talk mentioned that there will be soon mutating policies too! I think even creation of resources via policy.

@dirien Im guessing it will be a separate project or remove "Validating" from the name 🙂