SlideShare a Scribd company logo
1 of 38
Download to read offline
2021 | intellias.com
is the best modern practice for CD with Kubernetes
GitOps approach
by Volodymyr Shynkar
Senior Lead DevOps Engineer
#!/BIN/ABOUT_ME
Volodymyr Shynkar
Senior Lead DevOps Engineer at Intellias
6+ years of commercial DevOps experience. Overall 8+ years of Engineering
Successfully migrated, rolled out, consulted over 15 projects in the healthcare,
gambling, automotive, e-commerce industries
Member of the Center of Excellence
Lead of the CCI team in the automotive segment
Certified SAFe Agile Software Engineer
Addicted to IoT and Smart Home
Cyclist, promoter of a healthy lifestyle
Contents
01
Introducing to GitOps
02
The Principles of GitOps
03
Secure your pipeline
04
CD - Why? How?
01
Introducing to GitOps
GitOps is
An evolution of infrastructure as code, a framework
that can drastically improve deployment speed and
development efficiency.
GitOps is…
v An operations model for building Cloud Native apps
GitOps is…
v An operations model for building Cloud Native apps
v Based on years of operations experience
GitOps is…
v An operations model for building Cloud Native apps
v Based on years of operations experience
v A set of principles
GitOps is…
v An operations model for building Cloud Native apps
v Based on years of operations experience
v A set of principles
v A way to speed up your team
GitOps is…
v An operations model for building Cloud Native apps
v Based on years of operations experience
v A set of principles
v A way to speed up your team
v GitOps applies to everything
v Config is a code
v Code must be version controlled
v Config must be version controlled too!
02
The Principles of GitOps
The Principles of GitOps
The entire system is described
declaratively
The canonical desired system
state is versioned in git
Approved changes can be
automatically applied to the
system
Software agents
ensure correctness and alert
on divergence
Benefits from GitOps
Productivity Enhanced Experience Stability
• Allows for simplified continuous
delivery, which lowers the
“Mean Time to Deployment”
• Increases overall development
output 2-3 times.
• Pushes code and not containers.
• Manages Kubernetes resources
without having to know the internal
of Kubernetes.
• Automatically gains a convenient
audit log of all cluster changes
outside of Kubernetes.
• Always kept in sync
Benefits from GitOps
Reliability Consistency Security / Audit
• In case of a problem, rollback is as easy as
revert commit in Git. Single source of
truth simplifies the process and reduces
delays
• One entry point for changes. Everything
is driven through commits in a Git
repository. Everything is described at one
place (Single pane of glass). PR - Review –
Merge – Apply
• Leveraging Git build-in security and
signature. Allows for easy tracking of
changes and their approvals
Three pillars of GitOps
Pipelines Observability
• Continuous Integration
• Continuous Deployment
• Release Automation
Git as a source of truth
for desired system state
• Monitoring
• Logging
• Tracing & Visualization
Holistic view of the real
system state “right now”
• Everything via Git (updates, policy,
security)
• Orchestration
• Diff and Sync
Automation is Convergence
Control
03
Secure your pipeline
Move the burden of security
Move from access to cluster to access to repository!
…So how to secure your repository?
It seems to be a fashion these days to share
your deepest secrets with everyone.
v Third party companies who want an admin
access to your cloud env or prod cluster
v Third party (opensource) repositories/providers
v Outdated software or plugins used on dev
workstation or on CI server.
v Shared space/server with other teams
Sharing is not caring
What is solution for this?
v Move humans as far away from that final
production deployment as possible
v Statically analyse everything
v Run through multiple layers of checks
v Have individuals sign off the change, but not
modify the change that goes through
v All above are fundamentally based on using git
as the basis for everything
Root Causes of Unplanned Outages
Source: https://www.ecmweb.com/power-quality-reliability/article/20900947/data-center-outage-costs-continue-to-rise
The OWASP project lists ten principles that should
be applied when designing secure applications:
v Minimize attack surface area
v Establish secure defaults
v Principle of Least privilege
v Principle of Defence in depth
v Fail securely
v Don’t trust services
v Separation of duties
v Avoid security by obscurity
v Keep security simple
v Fix security issues correctly
Security By Design
Source: https://wiki.owasp.org/index.php/Security_by_Design_Principles#Minimize_attack_surface_area
Threats:
v Git users can impersonate each other
• Mitigation: Enforce strong identity in VCS with GPG
Signed Commits
v Malicious user rewrites history
• Mitigation: Prevent force pushes to Master/Main branch
• Mitigation: Backup Git repositories
v Malicious user removes security features
• Mitigation: Configure Git provider with IaC
• Mitigation: Verify commits to Master/Main
Continuous Deployment and Continuous Security
Source: https://www.ecmweb.com/power-quality-reliability/article/20900947/data-center-outage-costs-continue-to-rise
v Everyone on the team can easily pull the deploy
secrets
v To pull the secrets out you just need to push changes
to a branch that print out the environment variables
during a job run, or POST them to an endpoint
v In the above scenario, compromising a single
engineer is enough to gain access to production
through the CI.
Free-for-all secrets
What is solution for this?
v Paper/USB/CDR two fireproof safes?
v Vault (or actually Consul)?
Where do I version control my secrets?
What is solution for this?
v Sealed Secrets (a Kubernetes controller and a
tool for one-way encrypted Secrets):
https://github.com/bitnami-labs/sealed-secrets
v Git Crypt - transparent file encryption in git:
https://www.agwa.name/projects/git-crypt/
Where do I version control my secrets?
Sealed Secrets as templates for secrets
Sealed Secrets as templates for secrets
The controller will unseal that into something like:
04
CD - Why? How?
Two ways to GitOps
• There are two ways to implement the deployment
strategy for GitOps:
Push-based and Pull-based.
The push-based CD
The push-based strategy is much closer to the classic deployment pipelines and
also easier to implement.
Main components of such infrastructure are:
v repository with configuration
v automation tool
v target environment
Questions to ask include:
• Does your CI environment have direct access to the
container image repository?
• Does your CI environment have direct access to the
production cluster?
The push-based CD
The push-based strategy is much closer to the classic deployment pipelines and
also easier to implement.
Main components of such infrastructure are:
v repository with configuration
v automation tool
v target environment
The pull-based CD
The pull-based GitOps strategy is mostly used for Kubernetes environments
because this approach requires unusual tooling
Main components of such infrastructure are:
v repository with configuration
v automation tool
v target environment with an agent inside
Multicluster architecture
The App of Apps pattern:
• The Application is the Kubernetes resource
representing a deployed application in an
environment.
Two key pieces of information define it:
• source reference to the desired state in Git
• destination reference to the target cluster and namespace
• Create an app that creates other apps — which, in its
turn, can create different apps.
• This allows you to declaratively manage a group of
applications that can be deployed and configured in
concert.
Source: https://argoproj.github.io/argo-cd/operator-manual/architecture/
ArgoCD CRD
You must add the finalizer if you want to perform a cascade resource deletion
A minimal Application spec is as follows:
ArgoCD CRD
The AppProject is the Kubernetes resource object of a logical grouping of applications.
clusterResourceWhitelist – Specify which cluster-scoped resources can be created
namespaceResourceBlacklist – Specify which namespaced-scoped resources can be created
namespaceResourceWhitelist - Specify which namespaced-scoped resources cannot be created
Demo time
Questions?
2021 | intellias.com
Thank you!
by Volodymyr Shynkar
Senior Lead DevOps Engineer
https://www.linkedin.com/in/vshynkar/
https://github.com/sqerison

More Related Content

What's hot

GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfssuser31375f
 
CI:CD in Lightspeed with kubernetes and argo cd
CI:CD in Lightspeed with kubernetes and argo cdCI:CD in Lightspeed with kubernetes and argo cd
CI:CD in Lightspeed with kubernetes and argo cdBilly Yuen
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes waysparkfabrik
 
The journey to GitOps
The journey to GitOpsThe journey to GitOps
The journey to GitOpsNicola Baldi
 
GitOps and ArgoCD
GitOps and ArgoCDGitOps and ArgoCD
GitOps and ArgoCDOmar Fathy
 
The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitWeaveworks
 
Delivering Quality at Speed with GitOps
Delivering Quality at Speed with GitOpsDelivering Quality at Speed with GitOps
Delivering Quality at Speed with GitOpsWeaveworks
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsWeaveworks
 
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCD
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCDDevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCD
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCDDevOps_Fest
 
Deploy Application on Kubernetes
Deploy Application on KubernetesDeploy Application on Kubernetes
Deploy Application on KubernetesOpsta
 
Cloud Native Apps with GitOps
Cloud Native Apps with GitOps Cloud Native Apps with GitOps
Cloud Native Apps with GitOps Weaveworks
 
GitOps - Modern best practices for high velocity app dev using cloud native t...
GitOps - Modern best practices for high velocity app dev using cloud native t...GitOps - Modern best practices for high velocity app dev using cloud native t...
GitOps - Modern best practices for high velocity app dev using cloud native t...Weaveworks
 
Introduction to GitHub Actions
Introduction to GitHub ActionsIntroduction to GitHub Actions
Introduction to GitHub ActionsBo-Yi Wu
 
Introducing GitLab (September 2018)
Introducing GitLab (September 2018)Introducing GitLab (September 2018)
Introducing GitLab (September 2018)Noa Harel
 
Implementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancyImplementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancyWeaveworks
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Ryan Jarvinen
 

What's hot (20)

GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
 
Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands On
 
GitOps with Gitkube
GitOps with GitkubeGitOps with Gitkube
GitOps with Gitkube
 
CI:CD in Lightspeed with kubernetes and argo cd
CI:CD in Lightspeed with kubernetes and argo cdCI:CD in Lightspeed with kubernetes and argo cd
CI:CD in Lightspeed with kubernetes and argo cd
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
 
The journey to GitOps
The journey to GitOpsThe journey to GitOps
The journey to GitOps
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
 
GitOps and ArgoCD
GitOps and ArgoCDGitOps and ArgoCD
GitOps and ArgoCD
 
The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps Toolkit
 
Delivering Quality at Speed with GitOps
Delivering Quality at Speed with GitOpsDelivering Quality at Speed with GitOps
Delivering Quality at Speed with GitOps
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOps
 
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCD
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCDDevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCD
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCD
 
Deploy Application on Kubernetes
Deploy Application on KubernetesDeploy Application on Kubernetes
Deploy Application on Kubernetes
 
Cloud Native Apps with GitOps
Cloud Native Apps with GitOps Cloud Native Apps with GitOps
Cloud Native Apps with GitOps
 
GitOps - Modern best practices for high velocity app dev using cloud native t...
GitOps - Modern best practices for high velocity app dev using cloud native t...GitOps - Modern best practices for high velocity app dev using cloud native t...
GitOps - Modern best practices for high velocity app dev using cloud native t...
 
Introduction to GitHub Actions
Introduction to GitHub ActionsIntroduction to GitHub Actions
Introduction to GitHub Actions
 
Gitlab CI/CD
Gitlab CI/CDGitlab CI/CD
Gitlab CI/CD
 
Introducing GitLab (September 2018)
Introducing GitLab (September 2018)Introducing GitLab (September 2018)
Introducing GitLab (September 2018)
 
Implementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancyImplementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancy
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
 

Similar to GitOps is the best modern practice for CD with Kubernetes

Automated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes ClustersAutomated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes ClustersWeaveworks
 
Stop Caring About Kubernetes
Stop Caring About KubernetesStop Caring About Kubernetes
Stop Caring About KubernetesDavid Lewis
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdWeaveworks
 
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Vietnam Open Infrastructure User Group
 
Continuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteContinuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteWeaveworks
 
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOpsHybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOpsWeaveworks
 
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOpsHybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOpsSonja Schweigert
 
Weave GitOps - continuous delivery for any Kubernetes
Weave GitOps - continuous delivery for any KubernetesWeave GitOps - continuous delivery for any Kubernetes
Weave GitOps - continuous delivery for any KubernetesWeaveworks
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Weaveworks
 
Ondat komodor webinar
Ondat komodor webinarOndat komodor webinar
Ondat komodor webinarKomodor
 
Journey Through Four Stages of Kubernetes Deployment Maturity
Journey Through Four Stages of Kubernetes Deployment MaturityJourney Through Four Stages of Kubernetes Deployment Maturity
Journey Through Four Stages of Kubernetes Deployment MaturityAltoros
 
Enabling Fast IT using Containers, Microservices and DAVROS models: an overview
Enabling Fast IT using Containers, Microservices and DAVROS models: an overviewEnabling Fast IT using Containers, Microservices and DAVROS models: an overview
Enabling Fast IT using Containers, Microservices and DAVROS models: an overviewCisco DevNet
 
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021William Caban
 
Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
 Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ... Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...Weaveworks
 
DX, Guardrails, Golden Paths & Policy in Kubernetes
DX, Guardrails, Golden Paths & Policy in KubernetesDX, Guardrails, Golden Paths & Policy in Kubernetes
DX, Guardrails, Golden Paths & Policy in KubernetesWeaveworks
 
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...Cisco DevNet
 
OpenNfv Talk On Kubernetes and Network Function Virtualization
OpenNfv Talk On Kubernetes and Network Function VirtualizationOpenNfv Talk On Kubernetes and Network Function Virtualization
OpenNfv Talk On Kubernetes and Network Function VirtualizationGlenn West
 
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsDeploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsWeaveworks
 
2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your Business2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your BusinessWeCode Inc
 
CI/CD on Google Cloud Platform
CI/CD on Google Cloud PlatformCI/CD on Google Cloud Platform
CI/CD on Google Cloud PlatformDevOps Indonesia
 

Similar to GitOps is the best modern practice for CD with Kubernetes (20)

Automated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes ClustersAutomated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
 
Stop Caring About Kubernetes
Stop Caring About KubernetesStop Caring About Kubernetes
Stop Caring About Kubernetes
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
 
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
 
Continuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteContinuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event Keynote
 
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOpsHybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps
 
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOpsHybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps
 
Weave GitOps - continuous delivery for any Kubernetes
Weave GitOps - continuous delivery for any KubernetesWeave GitOps - continuous delivery for any Kubernetes
Weave GitOps - continuous delivery for any Kubernetes
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
 
Ondat komodor webinar
Ondat komodor webinarOndat komodor webinar
Ondat komodor webinar
 
Journey Through Four Stages of Kubernetes Deployment Maturity
Journey Through Four Stages of Kubernetes Deployment MaturityJourney Through Four Stages of Kubernetes Deployment Maturity
Journey Through Four Stages of Kubernetes Deployment Maturity
 
Enabling Fast IT using Containers, Microservices and DAVROS models: an overview
Enabling Fast IT using Containers, Microservices and DAVROS models: an overviewEnabling Fast IT using Containers, Microservices and DAVROS models: an overview
Enabling Fast IT using Containers, Microservices and DAVROS models: an overview
 
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
 
Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
 Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ... Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
 
DX, Guardrails, Golden Paths & Policy in Kubernetes
DX, Guardrails, Golden Paths & Policy in KubernetesDX, Guardrails, Golden Paths & Policy in Kubernetes
DX, Guardrails, Golden Paths & Policy in Kubernetes
 
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
 
OpenNfv Talk On Kubernetes and Network Function Virtualization
OpenNfv Talk On Kubernetes and Network Function VirtualizationOpenNfv Talk On Kubernetes and Network Function Virtualization
OpenNfv Talk On Kubernetes and Network Function Virtualization
 
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsDeploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
 
2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your Business2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your Business
 
CI/CD on Google Cloud Platform
CI/CD on Google Cloud PlatformCI/CD on Google Cloud Platform
CI/CD on Google Cloud Platform
 

Recently uploaded

Robotics Group 10 (Control Schemes) cse.pdf
Robotics Group 10  (Control Schemes) cse.pdfRobotics Group 10  (Control Schemes) cse.pdf
Robotics Group 10 (Control Schemes) cse.pdfsahilsajad201
 
Uk-NO1 kala jadu karne wale ka contact number kala jadu karne wale baba kala ...
Uk-NO1 kala jadu karne wale ka contact number kala jadu karne wale baba kala ...Uk-NO1 kala jadu karne wale ka contact number kala jadu karne wale baba kala ...
Uk-NO1 kala jadu karne wale ka contact number kala jadu karne wale baba kala ...Amil baba
 
1- Practice occupational health and safety procedures.pptx
1- Practice occupational health and safety procedures.pptx1- Practice occupational health and safety procedures.pptx
1- Practice occupational health and safety procedures.pptxMel Paras
 
70 POWER PLANT IAE V2500 technical training
70 POWER PLANT IAE V2500 technical training70 POWER PLANT IAE V2500 technical training
70 POWER PLANT IAE V2500 technical trainingGladiatorsKasper
 
Module-1-(Building Acoustics) Noise Control (Unit-3). pdf
Module-1-(Building Acoustics) Noise Control (Unit-3). pdfModule-1-(Building Acoustics) Noise Control (Unit-3). pdf
Module-1-(Building Acoustics) Noise Control (Unit-3). pdfManish Kumar
 
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...KrishnaveniKrishnara1
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfBalamuruganV28
 
Structural Integrity Assessment Standards in Nigeria by Engr Nimot Muili
Structural Integrity Assessment Standards in Nigeria by Engr Nimot MuiliStructural Integrity Assessment Standards in Nigeria by Engr Nimot Muili
Structural Integrity Assessment Standards in Nigeria by Engr Nimot MuiliNimot Muili
 
ADM100 Running Book for sap basis domain study
ADM100 Running Book for sap basis domain studyADM100 Running Book for sap basis domain study
ADM100 Running Book for sap basis domain studydhruvamdhruvil123
 
Introduction of Object Oriented Programming Language using Java. .pptx
Introduction of Object Oriented Programming Language using Java. .pptxIntroduction of Object Oriented Programming Language using Java. .pptx
Introduction of Object Oriented Programming Language using Java. .pptxPoonam60376
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosVictor Morales
 
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...Amil baba
 
Prach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism CommunityPrach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism Communityprachaibot
 
Introduction to Machine Learning Part1.pptx
Introduction to Machine Learning Part1.pptxIntroduction to Machine Learning Part1.pptx
Introduction to Machine Learning Part1.pptxPavan Mohan Neelamraju
 
Machine Learning 5G Federated Learning.pdf
Machine Learning 5G Federated Learning.pdfMachine Learning 5G Federated Learning.pdf
Machine Learning 5G Federated Learning.pdfadeyimikaipaye
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier Fernández Muñoz
 
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...shreenathji26
 
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...gerogepatton
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Romil Mishra
 

Recently uploaded (20)

Robotics Group 10 (Control Schemes) cse.pdf
Robotics Group 10  (Control Schemes) cse.pdfRobotics Group 10  (Control Schemes) cse.pdf
Robotics Group 10 (Control Schemes) cse.pdf
 
Uk-NO1 kala jadu karne wale ka contact number kala jadu karne wale baba kala ...
Uk-NO1 kala jadu karne wale ka contact number kala jadu karne wale baba kala ...Uk-NO1 kala jadu karne wale ka contact number kala jadu karne wale baba kala ...
Uk-NO1 kala jadu karne wale ka contact number kala jadu karne wale baba kala ...
 
1- Practice occupational health and safety procedures.pptx
1- Practice occupational health and safety procedures.pptx1- Practice occupational health and safety procedures.pptx
1- Practice occupational health and safety procedures.pptx
 
70 POWER PLANT IAE V2500 technical training
70 POWER PLANT IAE V2500 technical training70 POWER PLANT IAE V2500 technical training
70 POWER PLANT IAE V2500 technical training
 
Module-1-(Building Acoustics) Noise Control (Unit-3). pdf
Module-1-(Building Acoustics) Noise Control (Unit-3). pdfModule-1-(Building Acoustics) Noise Control (Unit-3). pdf
Module-1-(Building Acoustics) Noise Control (Unit-3). pdf
 
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdf
 
Structural Integrity Assessment Standards in Nigeria by Engr Nimot Muili
Structural Integrity Assessment Standards in Nigeria by Engr Nimot MuiliStructural Integrity Assessment Standards in Nigeria by Engr Nimot Muili
Structural Integrity Assessment Standards in Nigeria by Engr Nimot Muili
 
ADM100 Running Book for sap basis domain study
ADM100 Running Book for sap basis domain studyADM100 Running Book for sap basis domain study
ADM100 Running Book for sap basis domain study
 
Introduction of Object Oriented Programming Language using Java. .pptx
Introduction of Object Oriented Programming Language using Java. .pptxIntroduction of Object Oriented Programming Language using Java. .pptx
Introduction of Object Oriented Programming Language using Java. .pptx
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitos
 
Versatile Engineering Construction Firms
Versatile Engineering Construction FirmsVersatile Engineering Construction Firms
Versatile Engineering Construction Firms
 
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...
Uk-NO1 Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Exp...
 
Prach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism CommunityPrach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism Community
 
Introduction to Machine Learning Part1.pptx
Introduction to Machine Learning Part1.pptxIntroduction to Machine Learning Part1.pptx
Introduction to Machine Learning Part1.pptx
 
Machine Learning 5G Federated Learning.pdf
Machine Learning 5G Federated Learning.pdfMachine Learning 5G Federated Learning.pdf
Machine Learning 5G Federated Learning.pdf
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptx
 
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
 
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________
 

GitOps is the best modern practice for CD with Kubernetes

  • 1. 2021 | intellias.com is the best modern practice for CD with Kubernetes GitOps approach by Volodymyr Shynkar Senior Lead DevOps Engineer
  • 2. #!/BIN/ABOUT_ME Volodymyr Shynkar Senior Lead DevOps Engineer at Intellias 6+ years of commercial DevOps experience. Overall 8+ years of Engineering Successfully migrated, rolled out, consulted over 15 projects in the healthcare, gambling, automotive, e-commerce industries Member of the Center of Excellence Lead of the CCI team in the automotive segment Certified SAFe Agile Software Engineer Addicted to IoT and Smart Home Cyclist, promoter of a healthy lifestyle
  • 3. Contents 01 Introducing to GitOps 02 The Principles of GitOps 03 Secure your pipeline 04 CD - Why? How?
  • 5. GitOps is An evolution of infrastructure as code, a framework that can drastically improve deployment speed and development efficiency.
  • 6. GitOps is… v An operations model for building Cloud Native apps
  • 7. GitOps is… v An operations model for building Cloud Native apps v Based on years of operations experience
  • 8. GitOps is… v An operations model for building Cloud Native apps v Based on years of operations experience v A set of principles
  • 9. GitOps is… v An operations model for building Cloud Native apps v Based on years of operations experience v A set of principles v A way to speed up your team
  • 10. GitOps is… v An operations model for building Cloud Native apps v Based on years of operations experience v A set of principles v A way to speed up your team v GitOps applies to everything v Config is a code v Code must be version controlled v Config must be version controlled too!
  • 12. The Principles of GitOps The entire system is described declaratively The canonical desired system state is versioned in git Approved changes can be automatically applied to the system Software agents ensure correctness and alert on divergence
  • 13. Benefits from GitOps Productivity Enhanced Experience Stability • Allows for simplified continuous delivery, which lowers the “Mean Time to Deployment” • Increases overall development output 2-3 times. • Pushes code and not containers. • Manages Kubernetes resources without having to know the internal of Kubernetes. • Automatically gains a convenient audit log of all cluster changes outside of Kubernetes. • Always kept in sync
  • 14. Benefits from GitOps Reliability Consistency Security / Audit • In case of a problem, rollback is as easy as revert commit in Git. Single source of truth simplifies the process and reduces delays • One entry point for changes. Everything is driven through commits in a Git repository. Everything is described at one place (Single pane of glass). PR - Review – Merge – Apply • Leveraging Git build-in security and signature. Allows for easy tracking of changes and their approvals
  • 15. Three pillars of GitOps Pipelines Observability • Continuous Integration • Continuous Deployment • Release Automation Git as a source of truth for desired system state • Monitoring • Logging • Tracing & Visualization Holistic view of the real system state “right now” • Everything via Git (updates, policy, security) • Orchestration • Diff and Sync Automation is Convergence Control
  • 17. Move the burden of security Move from access to cluster to access to repository! …So how to secure your repository?
  • 18. It seems to be a fashion these days to share your deepest secrets with everyone. v Third party companies who want an admin access to your cloud env or prod cluster v Third party (opensource) repositories/providers v Outdated software or plugins used on dev workstation or on CI server. v Shared space/server with other teams Sharing is not caring
  • 19. What is solution for this? v Move humans as far away from that final production deployment as possible v Statically analyse everything v Run through multiple layers of checks v Have individuals sign off the change, but not modify the change that goes through v All above are fundamentally based on using git as the basis for everything Root Causes of Unplanned Outages Source: https://www.ecmweb.com/power-quality-reliability/article/20900947/data-center-outage-costs-continue-to-rise
  • 20. The OWASP project lists ten principles that should be applied when designing secure applications: v Minimize attack surface area v Establish secure defaults v Principle of Least privilege v Principle of Defence in depth v Fail securely v Don’t trust services v Separation of duties v Avoid security by obscurity v Keep security simple v Fix security issues correctly Security By Design Source: https://wiki.owasp.org/index.php/Security_by_Design_Principles#Minimize_attack_surface_area
  • 21. Threats: v Git users can impersonate each other • Mitigation: Enforce strong identity in VCS with GPG Signed Commits v Malicious user rewrites history • Mitigation: Prevent force pushes to Master/Main branch • Mitigation: Backup Git repositories v Malicious user removes security features • Mitigation: Configure Git provider with IaC • Mitigation: Verify commits to Master/Main Continuous Deployment and Continuous Security Source: https://www.ecmweb.com/power-quality-reliability/article/20900947/data-center-outage-costs-continue-to-rise
  • 22. v Everyone on the team can easily pull the deploy secrets v To pull the secrets out you just need to push changes to a branch that print out the environment variables during a job run, or POST them to an endpoint v In the above scenario, compromising a single engineer is enough to gain access to production through the CI. Free-for-all secrets
  • 23. What is solution for this? v Paper/USB/CDR two fireproof safes? v Vault (or actually Consul)? Where do I version control my secrets?
  • 24. What is solution for this? v Sealed Secrets (a Kubernetes controller and a tool for one-way encrypted Secrets): https://github.com/bitnami-labs/sealed-secrets v Git Crypt - transparent file encryption in git: https://www.agwa.name/projects/git-crypt/ Where do I version control my secrets?
  • 25. Sealed Secrets as templates for secrets
  • 26. Sealed Secrets as templates for secrets The controller will unseal that into something like:
  • 27. 04 CD - Why? How?
  • 28. Two ways to GitOps • There are two ways to implement the deployment strategy for GitOps: Push-based and Pull-based.
  • 29. The push-based CD The push-based strategy is much closer to the classic deployment pipelines and also easier to implement. Main components of such infrastructure are: v repository with configuration v automation tool v target environment
  • 30. Questions to ask include: • Does your CI environment have direct access to the container image repository? • Does your CI environment have direct access to the production cluster?
  • 31. The push-based CD The push-based strategy is much closer to the classic deployment pipelines and also easier to implement. Main components of such infrastructure are: v repository with configuration v automation tool v target environment
  • 32. The pull-based CD The pull-based GitOps strategy is mostly used for Kubernetes environments because this approach requires unusual tooling Main components of such infrastructure are: v repository with configuration v automation tool v target environment with an agent inside
  • 33. Multicluster architecture The App of Apps pattern: • The Application is the Kubernetes resource representing a deployed application in an environment. Two key pieces of information define it: • source reference to the desired state in Git • destination reference to the target cluster and namespace • Create an app that creates other apps — which, in its turn, can create different apps. • This allows you to declaratively manage a group of applications that can be deployed and configured in concert. Source: https://argoproj.github.io/argo-cd/operator-manual/architecture/
  • 34. ArgoCD CRD You must add the finalizer if you want to perform a cascade resource deletion A minimal Application spec is as follows:
  • 35. ArgoCD CRD The AppProject is the Kubernetes resource object of a logical grouping of applications. clusterResourceWhitelist – Specify which cluster-scoped resources can be created namespaceResourceBlacklist – Specify which namespaced-scoped resources can be created namespaceResourceWhitelist - Specify which namespaced-scoped resources cannot be created
  • 38. 2021 | intellias.com Thank you! by Volodymyr Shynkar Senior Lead DevOps Engineer https://www.linkedin.com/in/vshynkar/ https://github.com/sqerison