regolibrary VS gatekeeper-library

The question you're asking is missing the important piece: how useful are they _to whom_.

To a developer, think of them as glorified linters (most of them are, including Kubescape, I believe). Someone on your team chooses which included things should be flagged (e.g. "require resource limits to be set on pods", see the list here: https://github.com/kubescape/regolibrary), and then the tool yells at you when you try to do something it doesn't like. It's then up to you to figure out how to comply with the tool's decisions. Some people really like them, some people really hate them.

To an engineering manager or SRE team, I think they're great at preventing common errors that would otherwise be enforced through code reviews or other processes; they're basically the remediation after an outage where a pod OOMed ("if we set sane resource limits and enforce them, this won't happen" --> enforce resource limits policy).

To your company's legal and compliance team, they usually fulfill a checkbox requirement along the way to $COMPLIANCE_FRAMEWORK. By the time your company is at sufficient scale, you'll have a number of these, and automation is the only way to keep everyone sane (developers and auditors alike).

In general, I think they're well intentioned, and can be useful, but aren't a panacea--they aren't going to catch anything you're not already looking for, they're just going to make it easier to remedy/enforce the problems you already know about.

Kubescape retrieves the Kubernetes objects from the API server and scan them by running a set of snippets developed by ARMO.

I guess I was not understood correctly and I apologize for that. When a new CVE is reported, we publish a control testing and alerting users if they are exposed. For example when CVE-2021-25742 was reported, we published the control less than a day later.

Here is a library or rules for the Open Policy Agent.

https://github.com/open-policy-agent/gatekeeper-library is the library of OPA Gatekeeper policies.

Many more examples are available in the OPA Gatekeeper library project!

by default and exposes metrics on path ```/metrics``` . It can run locally on your development box as long as you have a valid Kubernetes configuration in your home folder (i.e. if you can run kubectl and have the right permissions). When running on the cluster a ```incluster``` parameter is passed in so that it knows where to look up for the cluster credentials. Exporter program connects to Kubernetes API every 10 seconds to scrape data from Kubernetes API. We've used [this](https://medium.com/teamzerolabs/15-steps-to-write-an-application-prometheus-exporter-in-go-9746b4520e26) blog post as the base for the code. ## Demo Let's go ahead and prepare our components so that we have a Grafana dashboard to show us which constraints have been violated and how the number of violations evolve over time. ### 0) Required tools - [Git](https://git-scm.com/downloads): A git cli is required to checkout the repo and - [Kubectl](https://kubernetes.io/docs/tasks/tools/) and a working K8S cluster - [Ytt](https://carvel.dev/ytt/): This is a very powerful yaml templating tool, in our setup it's used for dynamically overlaying a key/value pair in all constraints. It's similar to Kustomize, it's more flexibel than Kustomize and heavily used in some [Tanzu](https://tanzu.vmware.com/tanzu) products. - [Kustomize](https://kustomize.io/): Gatekeeper-library relies on Kustomize, so we need it too. - [Helm](https://helm.sh/): We will install Prometheus and Grafana using helm - Optional: [Docker](https://www.docker.com/products/docker-desktop): Docker is only optional as we already publish the required image on dockerhub. ### 1) Git submodule update Run ```git submodule update --init``` to download gatekeeper-library dependency. This command will download the [gatekeeper-library](https://github.com/open-policy-agent/gatekeeper-library) dependency into folder ```gatekeeper-library/library``` . ### 2) Install OPA/Gatekeeper If your K8S cluster does not come with Gatekeeper preinstalled, you can use install it as explained [here](https://open-policy-agent.github.io/gatekeeper/website/docs/install/). If you are familiar with helm, the easiest way to install is as follows: ```bash helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm install gatekeeper/gatekeeper --generate-name

Gatekeeper library has example policies for restricting image repositories: https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general

You should check out the Gatekeeper project. There's plenty of templates available for use without having to write a single line of rego for most use cases (e.g https://github.com/open-policy-agent/gatekeeper-library)