gatekeeper VS istio

When the Gatekeeper validatingwebhook came up, I was really worried that'd be the issue! Regardless I'd recommend anyone who cares about their cluster not collapsing to change the gatekeeper webhook to only intercept resources you care about: https://github.com/open-policy-agent/gatekeeper/pull/1806

Kyverno adds an extra layer of security where only the allowed type of manifest is deployed onto kubernetes, otherwise, it will reject or we can set validationFailureAction to audit which only logs the policy violation message for reporting. Kubewarden and Gatekeeper are alternative tools available to enforce policies on Kubernetes CRD.

Now, we have the hardest part resolved and let's turn our attention to the OPA Gatekeeper. Gatekeeper uses the OPA Constraint Framework to describe and enforce policy. Right now there are mainly 3 parts we should pay attention:

They enable you to establish the policies and regulations that govern cluster deployments and applications. Using predefined policies, policy engines can dynamically modify or create configurations. Policy engines such as Gatekeeper and Kyverno can be leveraged to meet legal and compliance requirements while maintaining operational flexibility and development speed.

Setup policy around what resource requirements can be requested by an app per environment. OPA and gatekeeper or kyverno can help. Setup access control for who can create or modify apps.

OPA Gatekeeper is an open source, general purpose policy engine. OPA decouples policy decisions from other responsibilities of an application, like those commonly referred to as business logic. OPA works equally well making decisions for Kubernetes, Microservices, functional application authorization and more, thanks to its single unified policy language.

AWS EKS provides a managed Kubernetes service, simplifying cluster management and deployment. Istio, an open-source service mesh, enables traffic management, security, and observability across microservices.

Istio is a popular open-source service mesh framework that provides a comprehensive solution for managing, securing, and observing microservices-based applications running on Kubernetes.

Leverage a service mesh like Istio or Linkerd to manage communication between microservices within the Kubernetes cluster. These service meshes can be configured to intercept JMX traffic and enforce access control policies. Benefits:

Open Source and Cloud Computing: A Match Made in Heaven The cloud is accelerating OSS adoption. Cloud-native technologies like Kubernetes [https://kubernetes.io/] and Istio [https://istio.io/], both open-source projects, are revolutionizing how applications are built and deployed across cloud platforms.

Consider the case of Bookinfo, a sample application provided by Istio, rewritten using CloudWeGo's Kitex for superior performance and extensibility.

It is a dedicated infrastructure layer that manages service-to-service communication, providing features like load balancing, encryption, authentication, and monitoring. Istio deploys sidecar proxies alongside each microservice instance. These proxies handle communication, providing features like load balancing, service discovery, encryption, monitoring and authentication.

5Y old post that sounds like they've done similar here: Caddy Issue Istio Issue but doesn't cover much of the implementation

In a production environment there will be a load balancer setup with an Ingress Controller, Service Mesh or some type of Custom Router. This allows all traffic to be sent to the single load balancer IP address and then route the traffic to a service based on the Domain name or subpath. We are using a NGINX ingress controller but service meshes like Istio have been becoming the most popular solution to use as they offer more segmentation, security and granular control.

Flagger is a progressive delivery tool that enables a Kubernetes operator to automate the promotion or rollback of deployments based on metrics analysis. It supports a variety of metrics including Prometheus, Datadog, and New Relic to name a few. It also works well with Istio service mesh, and can implement progressive traffic splitting between primary and canary releases.