d4mi3n 4 hours ago

I've seen but haven't used CEL. Anybody with experience with competing tech have any strong opinions? I've used OPA, know CEL is used by GCP and Kyverno, but otherwise haven't seen anything compelling enough to move away from the OPA ecosystem.

erdii 4 hours ago | parent | next [-]

The Kubernetes apiserver allows using CEL in CustomResourceDefinition validation rules:

- https://kubernetes.io/docs/reference/using-api/cel/
- https://kubernetes.io/docs/tasks/extend-kubernetes/custom-re...

It also allows using CEL in ValidatingAdmissionPolicies:

- https://kubernetes.io/docs/reference/access-authn-authz/vali...
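
To illustrate the ValidatingAdmissionPolicy use mentioned in the comment above, here is an added example that is not part of the comment or of the Kubernetes docs: a policy whose CEL expression rejects Pods with privileged containers, plus the binding that enforces it. The resource names and the `environment: prod` namespace label are constructed for illustration; the example assumes a cluster that serves `admissionregistration.k8s.io/v1`.

```yaml
# Constructed example: names and labels below are assumptions.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-privileged.example.com
spec:
  # Reject the request if the policy itself fails to evaluate.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # has() guards the optional fields so that a container without a
    # securityContext passes instead of raising an evaluation error.
    - expression: >-
        object.spec.containers.all(c,
        !has(c.securityContext) ||
        !has(c.securityContext.privileged) ||
        !c.securityContext.privileged)
      message: "privileged containers are not allowed"
    # initContainers is optional on a Pod, so check for it first.
    - expression: >-
        !has(object.spec.initContainers) ||
        object.spec.initContainers.all(c,
        !has(c.securityContext) ||
        !has(c.securityContext.privileged) ||
        !c.securityContext.privileged)
      message: "privileged init containers are not allowed"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-privileged-prod.example.com
spec:
  policyName: deny-privileged.example.com
  # Deny blocks the request; Warn and Audit are the non-blocking actions.
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: prod
```

The policy has no effect until a binding references it, and ephemeral containers are not covered by these two expressions.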

isacikgoz 4 hours ago | parent | prev | next [-]

I think an apples-to-apples comparison would be comparing against Rego. To me CEL is more appealing due to its simplicity.

talideon 2 hours ago | parent | next [-]

And even then, I'm not sure it's apples to apples, at least if by Rego you're thinking of OPA. CEL and Rego take very different approaches, with CEL being quite procedural, while Rego is about constraint satisfaction, not unlike Prolog. At $WORK, Rego (in the form of OPA) gets used quite a bit for complicated access control logic, while CEL gets used in places where we've simpler logic that needs to be broken out and made configurable, and a more procedural focus works there.

thayne 2 hours ago | parent | prev [-]

Rego is much more powerful, and can do things CEL can't.

mtrimpe 4 hours ago | parent | prev [-]

CEL is much more computationally limited as it aims to keep evaluations in the microsecond range.

With OPA you can easily create policies that take tens, hundreds or even thousands of milliseconds.

That comes at the expense of a lot of power though, so much of the complex logic that you can write in OPA simply isn't achievable in CEL.