Is it Observable

Episode : OPA vs Kyverno

This repository contains the files utilized during the tutorial presented in the dedicated IsItObservable episode related the comparison between OPA Gatekeeper and Kyvero

vs

This tutorial will install Kyverno and collect observability data from the various Components of Kyverno.

We will also utilize the following components :

• the OpenTelemetry Operator
• Dynatrace Operator to report the health of the boostrap cluster
• The Opentelemetry Demo
• Hipster-shop
• Unguard All the observability data generated by the environment would be sent to Dynatrace.

Prerequisite

The following tools need to be install on your machine :

• jq
• kubectl
• git
• curl
• Helm
• k8S cluster having the admission controller enabled

1.Create a Google Cloud Platform Project

PROJECT_ID="<your-project-id>"
gcloud services enable container.googleapis.com --project ${PROJECT_ID}
gcloud services enable monitoring.googleapis.com \
cloudtrace.googleapis.com \
clouddebugger.googleapis.com \
cloudprofiler.googleapis.com \
--project ${PROJECT_ID}

2.Create a GKE cluster

ZONE=europe-west3-a
NAME=isitobservable-opavskyberno
gcloud container clusters create ${NAME} --zone=${ZONE} --machine-type=e2-standard-4 --num-nodes=2 --monitoring=NONE --logging=NONE

3. Clone Github repo

git clone  https://github.com/isItObservable/OpavsKyverno
cd OpavsKyverno

Getting started

1. Dynatrace Tenant

1. Dynatrace Tenant - start a trial

If you don't have any Dynatrace tenant , then I suggest to create a trial using the following link : Dynatrace Trial Once you have your Tenant save the Dynatrace tenant url in the variable DT_TENANT_URL (for example : https://dedededfrf.live.dynatrace.com)

DT_TENANT_URL=<YOUR TENANT Host>

2. Create the Dynatrace API Tokens

The dynatrace operator will require to have several tokens:

• Token to deploy and configure the various components
• Token to ingest metrics and Traces

Operator Token

One for the operator having the following scope:

• Create ActiveGate tokens
• Read entities
• Read Settings
• Write Settings
• Access problem and event feed, metrics and topology
• Read configuration
• Write configuration
• Paas integration - installer downloader

Save the value of the token . We will use it later to store in a k8S secret

API_TOKEN=<YOUR TOKEN VALUE>

Ingest data token

Create a Dynatrace token with the following scope:

• Ingest metrics (metrics.ingest)
• Ingest logs (logs.ingest)
• Ingest events (events.ing est)
• Ingest OpenTelemetry
• Read metrics

Save the value of the token . We will use it later to store in a k8S secret

DATA_INGEST_TOKEN=<YOUR TOKEN VALUE>

Spinup a k8S cluster with the Admission Controller enabled

Deploy most of the components testing the Admission controller**

The application will deploy the entire environment:

chmod 777 deployment.sh
./deployment.sh  --clustername "${NAME}" --dturl "${DT_TENANT_URL}" --dtingesttoken "${DATA_INGEST_TOKEN}" --dtoperatortoken "${API_TOKEN}" 

Let's wait one hour to collect enough data on the behavior ( mark the time to be able to report the usage later)

Update with kyverno

The application will deploy the entire environment:

chmod 777 deployment.sh
./upgrade.sh --type KYVERNO --old ADMISSION 

Let's wait one hour to collect enought data on the behavior ( mark the time to be able to report the usage later)

Update with OPA

The application will deploy the entire environment:

chmod 777 deployment.sh
./upgrade.sh --old KYVERNO --type OPA