Kyverno as resource generator
Problem
Each APPUiO namespace requires user-immutable resources, such as ResourceQuota or LimitRanges.
A solution is needed that creates and maintains such resources immediately upon creating Namespaces.
All generated resources are generally the same, but the solution must be able to deviate from the default for selected Namespaces.
Proposals
-
APPUiO Operator
A custom controller or operator that watches Namespaces resources and generates resources from a template.
-
An operator designed to generate resources in every selected Namespace. The feature for deviating from defaults resp. the cleanup after changing the default must yet be implemented.
-
Kyverno is a Kubernetes native policy engine that uses Kyverno-specific CRDs to configure policies. It also supports "generating" policies, for example depending on configurable conditions, arbitrary resources can be created.
Rationale
Both Espejo and a potential APPUiO operator need programming effort for features that don’t yet exist. Kyverno supports the given use case already, thus writing such generator policies is considered to be a lower effort.
| Choosing Kyverno as policy engine and resource generator reduces complexity. |