The kubernetes apiserver allows using CEL in CustomResourceDefinition validation rules:
- https://kubernetes.io/docs/reference/using-api/cel/
- https://kubernetes.io/docs/tasks/extend-kubernetes/custom-re...
replyIt also allows using CEL in ValidatingAdmissionPolicies: - https://kubernetes.io/docs/reference/access-authn-authz/vali...
I think apples to apples comparison would be comparing against Rego. To me CEL is more appealing due to its simplicity.
replyAnd even then, I'm not sure it's apples to apples, at least if by Rego you're thinking of OPA. CEL and Rego take very different approaches, with CEL being quite procedural, while Rego is about constraint satisfaction, not unlike Prolog. At $WORK, Rego (in the form of OPA) gets used quite a bit for complicated access control logic, while CEL gets used in places where we've simpler logic that needs to be broken out and made configurable, and a more procedural focus works there.
replyRego is much more powerful, and can do things cel can't.
replyCEL is much more computationally limited as it aims to keep evaluations in the microsecond range.
replyWith OPA you can easily create policies that take tens, hundreds or even thousands of millisecond.
That comes at the expense of a lot of power though, so much of the complex logic that you can write in OPA simply isn't achievable in CEL.