This document summarizes a webinar about implementing multi-tenancy in Kubernetes without catastrophes using GitOps. It recommends 5 easy steps: 1) implement a zero trust posture, 2) apply least privilege practices, 3) use policies to enforce governance, 4) leverage GitOps audit capabilities, and 5) reduce the blast radius. The webinar discusses how Weaveworks' Workspaces product establishes boundaries and defines access controls to securely support multiple teams deploying applications.
3. Speaker introductions
Joe Dahlquist
VP of Product Marketing, Weaveworks
Joe Dahlquist leads product marketing at Weaveworks. An accomplished product leader with over 20 years of experience in PM and PMM roles, Joe has worked on software, hardware, and services products that have delighted millions of users and partners in cybersecurity, consumer electronics, financial services, access control, and more.
David Stauffer
Senior Product Manager, Weaveworks
David Stauffer is a Senior Product Manager at Weaveworks. For David, the most exciting job in the world is building the right product for the customer. Passionate about any and all end-users, he has experience working in different startups across the globe. He has worked on making the edge real through Kubernetes and working in the GSMA aligning on the architectural design for a federated edge.
4. Weaveworks is backed by amazing teams
Weaveworks partners with all the
major infrastructure and Kubernetes vendors
We’re the GitOps Company
Weaveworks is deeply committed
to the Open Source Community
5. Companies Doing GitOps with Weaveworks
Confidential do not distribute
Financial Services
Technology
Other Industries
6. Tenancy in Weave GitOps Enterprise
● Tenancy is ubiquitous
● Catastrophes can occur
● You can get it right
● 5 easy steps how to do it
7. Tenancy in the World of GitOps
WTF is Tenancy and why is it needed?
● A person, place or thing?
● Team?
● Application?
8. Tenancy in the World of GitOps
● Many ways to handle Tenancy in Kubernetes, which is right for you?
● Defining overall Tenancy posture can get really complicated
○ Companies need end-to-end tenancy solution
○ Granular control over all the moving parts
○ Policies, RBAC, Isolation, and more
9. Getting it Wrong can be Catastrophic
● Some real world examples
10. 5 Easy Things You Can Do
1. Implement a Zero Trust posture
2. Apply Least Privilege Practices
3. Use Policies to Enforce Governance
4. GitOps Audit Capabilities
5. Reduce the Blast Radius
11. 5 Easy Things You Can Do (1 of 5)
● Implement a Zero Trust posture
○ Trust nothing, verify everything
○ Neighbours can be noisy
○ Flux is your gate/root of trust
12. 5 Easy Things You Can Do (2 of 5)
● Apply Least Privilege Practices
○ Permissions and Role management
○ Distrust until proven otherwise
○ Continuous assessment
13. 5 Easy Things You Can Do (3 of 5)
● Use Policies to Enforce Governance
○ Audit vs. Admission
○ Policy as Guardrails
○ Control Sources and Configs
14. 5 Easy Things You Can Do (4 of 5)
● GitOps Audit Capabilities
○ Git history
○ Git gate to your cluster
○ Change control and checks
15. 5 Easy Things You Can Do (5 of 5)
● Reduce the Blast Radius
○ Do all of the above…
○ Secrets rotation
○ Isolation (not all in one git repo)
16. Workspaces in Weave GitOps
● Workspaces establishes boundaries, defines what can be deployed by whom
● Creates trusted Workspaces for application teams
● Protects sensitive environments
● Adds governance and compliance
[Diagram: Namespace, Policy, Role, RoleBinding]
17. Workspaces in Weave GitOps
Team Workspaces gives the power to define:
● Access to sources (Git repos, Helm repos, Buckets, etc.)
● Access to targets (Cluster + namespaces)
● Definition of what can get deployed (examples: Roles, Network Policies, Deployments, ...)
● Use/set the correct Service Account and Role + RoleBindings
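The boundaries listed on this slide (source, target, service account, role binding) can be written out with plain Kubernetes and Flux objects. This is an added example, not taken from the webinar and not the Weave GitOps Workspaces format; the tenant name `team-a`, the service account name, the repository URL and the path are hypothetical.

```yaml
# Constructed example for a hypothetical tenant "team-a".
apiVersion: v1
kind: Namespace
metadata: {name: team-a}
---
# Identity Flux uses when applying this tenant's manifests.
apiVersion: v1
kind: ServiceAccount
metadata: {name: team-a-reconciler, namespace: team-a}
---
# Least privilege: a RoleBinding (not a ClusterRoleBinding), so the
# built-in "edit" ClusterRole is granted inside team-a only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: team-a-reconciler, namespace: team-a}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - {kind: ServiceAccount, name: team-a-reconciler, namespace: team-a}
---
# Access to sources: the single Git repository this tenant deploys from.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata: {name: team-a-apps, namespace: team-a}
spec:
  interval: 5m
  url: https://git.example.com/team-a/apps   # placeholder URL
  ref:
    branch: main
---
# Access to targets: reconcile as the tenant's service account into the
# tenant's namespace, so a manifest that reaches outside team-a is
# rejected by RBAC instead of being applied with the controller's rights.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata: {name: team-a-apps, namespace: team-a}
spec:
  interval: 10m
  path: ./deploy            # hypothetical path in the tenant repo
  prune: true
  serviceAccountName: team-a-reconciler
  targetNamespace: team-a
  sourceRef:
    kind: GitRepository
    name: team-a-apps
```

The impersonation only holds if tenants cannot omit `serviceAccountName` or point `sourceRef` at another namespace; the Flux controllers accept `--default-service-account` and `--no-cross-namespace-refs=true` to enforce both.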
18. Result: Race Car with Seatbelts
● Workspaces empowers app dev teams to go much faster
● Enables multiple DevOps teams to work seamlessly together
● Enables DevOps teams to focus on their area of concern
● Protects sensitive environments
19. Questions?
20. Thank You
Whitepaper: Trusted Application Delivery: https://bit.ly/3A0JMOe
Learn more about Weave GitOps: www.weave.works/enterprise and a 5 min demo: https://youtu.be/aqJaHNCz2lM
Request a personal demo: www.weave.works/contact