Confidential do not distribute
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy as Code
Steve Waterworth - Technical Marketing Manager
England, UK
steve.waterworth@weave.works
Darren Madams - Solutions Architect
Raleigh, NC, USA
darren@weave.works
Webinar Platform - FAQs
Using Zoom
• You are in listen only mode
• This webinar is being recorded
• Q&A session will follow the presentation, please use the Q&A panel to
submit questions
• Hit escape to exit full screen
• Slides and recording will be shared after the webinar
Technical Issues - please visit Zoom Help
https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions
Speaker introductions
Steve Waterworth - Technical Marketing Manager, Weaveworks
Steve brings years of experience having worked in technical roles in the APM space since 2004 for companies including Wily Technology and AppDynamics. In that time, Steve has seen numerous technical revolutions and market disruptions giving him a unique insight into the rapidly changing DevOps environment. He has a background in electronics and programming before moving to software solutions.
Darren Madams - Solutions Architect, Weaveworks
Darren joined Weaveworks as a Solutions Architect in the RTP area. He has previously worked for Dell EMC, Hitachi, and Veritas facilitating enterprise storage and data management projects for the State of California and the largest healthcare companies in Northern California. Prior to moving to the vendor side he worked for Sutter Health as a Storage Engineer managing their SAN and backup environments. Previous startup experience includes software delivery firm Intraware and web collaboration company PictureTalk.
Weave GitOps - Use Cases
● Continuous Application Delivery - Use GitOps to deploy and operate applications. Automation increases deployment velocity and developer productivity.
● Kubernetes Everywhere - In the cloud or the datacenter, Kubernetes is a universal platform that’s easy to manage with GitOps.
● DevOps Automation - Lifecycle management of the entire platform. All clusters and services, using automation and policy.
● Self-Service Platforms - A complete platform giving developers autonomy while ensuring consistency and manageability.
● Trusted Delivery - Shift policy and security left - governance, risk and compliance are non-negotiables.
● Progressive Delivery - Deploy services across many environments and regions reliably using GitOps.
The Goal: Automate cluster creation and application deployment in a fully compliant manner
Meet the Customer
Large Financial Institution
● Kubernetes user since 2017
● Large dev team, small platform team
● Strict regulatory security requirements
“Our traditional business has rapidly evolved from maintaining systems to maintaining platforms.”
– Director of Cloud Innovation
GitOps Design objectives
● PCI-DSS Compliance
● Developer Self Service
● On-premise cluster support
● Automate compliant cluster creation
Weave GitOps Experience
DEVELOPER EXPERIENCE
• Continuous Delivery, observability, and monitoring
• Consistent developer workflows across multiple deployments
• Team workspaces for multi-tenanted usage
OPERATOR EXPERIENCE
• Extend Kubernetes to a managed platform using the GitOps model
• An Open Source Kubernetes platform for on-premise deployment
• Additive to managed Kubernetes (e.g., EKS, AKS or GKE)
• Upgrades to new versions
• Extensible controls to implement security and policy controls
Cluster Creation Flow (diagram; labels: Create Cluster, CAPI Templates, Profiles, Bootstrap Configuration, Pull Request, Management Repo, App Cluster, App)
Demo: Profile Team Creates Compliant Cluster
Templates for consistent experience
The value of Profiles
Weave Policy Agent installation
A Kubernetes native Hybrid Cloud Dev Platform (diagram; labels: CAPMVM, MVM Creation, Cluster Bootstrap, Host Provisioning, Flintlock, Agent Install; PUBLIC CLOUD: Dev Cluster, Stage Cluster; ON-PREMISE and EDGE: many Prod Clusters)
Self Service via GitOps Templates
● Platform Team are able to set up standard templates for Application Teams to use.
● Platform Team can categorize and control via Kubernetes RBAC who has access to which templates.
● Engineering teams will be able to bring their own technologies to the table, e.g. for infrastructure templates they are free to leverage Crossplane, Terraform, or CAPI.
● Application teams will not need to write any YAML or learn the intricacies of Kubernetes.
Demo: Trusted Delivery with Weave Policy Engine
Deploy An Application
See Policy Stop Deployment PR
Secure Deployment After Resolution
Trusted Delivery with Policy as Code
Streamline Secure GitOps, from Code to Cloud
According to an IDC 2020 survey, 67% of cloud breaches and ops issues were due to misconfigured infra/apps.
(diagram; labels: Create App, Pull Request, Policy, Management Repo, Policy, App Cluster, App)
Comprehensive & Extensible Policies Library (number of policies)
By Category:
● Capacity Management 20
● Organizational Standards 15
● Access Control 9
● Pod Security 14
● Network Security 30
● Software Supply Chain 13
● Observability 6
● Best Practices 25
● Data Protection 18
By Asset:
● Containers/Pods 44
● Storage 12
● IAM & RBAC 30
● Network Policy 35
● Service Mesh 30
● OS 11
● Orchestration Layer 12
● DBs 50
● Cache 14
By Industry Standard:
● PCI DSS 57
● HIPAA 50
● SOC2 49
● CIS 46
● GDPR 45
● NIST 40
Demo - Enforcing Policies at Every step
● Commit - Using GitHub actions: prevent violating changes from being merged
● Build - Using CI/CD workflows: fail builds if there is a violating change
● Deploy - K8s admission controllers: prevent violating changes done through kubectl or APIs
● Runtime - Using GitHub actions: get notified and report violations as they occur
Demo
Trusted Delivery
● Policy as Code extends OPA
● Policy checks at multiple points of the SDLC
○ Git
○ CI
○ Deploy
○ Runtime
● Automatic remediation via PR where possible
● Curated library of 100+ policies
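The enforcement points named on the "Enforcing Policies at Every step" and "Trusted Delivery" slides (failing a CI build on a violating change, and rejecting a change made through kubectl or the API with an admission controller) share one rule set. The following is an added illustrative example and is not code from the webinar, Weave Policy Agent or OPA: the rules are written as plain Python functions rather than Rego, the rule IDs, manifests, image names and namespace are constructed for the example, and the webhook reply follows the Kubernetes AdmissionReview response shape.

```python
"""Policy-as-code gate evaluated at CI time and again at admission time.

Added illustrative example; not Weave Policy Agent or OPA code. Rules are
plain Python functions (a policy engine would express them in Rego), and the
rule IDs, manifests, image names and namespace are constructed for this example.
"""
import json
import sys


def pod_spec_of(manifest):
    """Return the PodSpec embedded in a Pod or in a common workload controller."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"):
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        return (spec.get("jobTemplate", {}).get("spec", {})
                    .get("template", {}).get("spec", {}))
    return {}


def containers_of(manifest):
    spec = pod_spec_of(manifest)
    return spec.get("containers", []) + spec.get("initContainers", [])


# Each rule inspects one container and returns a message when it is violated.
def no_privileged(c):
    if c.get("securityContext", {}).get("privileged") is True:
        return "privileged: true is not allowed"


def pinned_image(c):
    image = c.get("image", "")
    if "@sha256:" in image:            # digest-pinned: immutable by construction
        return None
    last = image.rsplit("/", 1)[-1]    # drop registry/path so ':' marks the tag
    tag = last.split(":", 1)[1] if ":" in last else None
    if tag in (None, "latest"):
        return f"image {image!r} must use an immutable tag or a digest"


def has_limits(c):
    limits = c.get("resources", {}).get("limits", {})
    if not (limits.get("cpu") and limits.get("memory")):
        return "cpu and memory limits are required"


RULES = [("PS-001", no_privileged), ("SC-002", pinned_image), ("CM-003", has_limits)]


def evaluate(manifest):
    """Return one violation per (rule, container) that fails; [] when compliant."""
    target = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    violations = []
    for c in containers_of(manifest):
        for rule_id, rule in RULES:
            msg = rule(c)
            if msg:
                violations.append({"rule": rule_id, "target": target,
                                   "container": c.get("name"), "message": msg})
    return violations


def ci_gate(manifests):
    """Commit/build stage: report every violation, return a non-zero exit code on any."""
    found = [v for m in manifests for v in evaluate(m)]
    for v in found:
        print(f"[{v['rule']}] {v['target']} container={v['container']}: {v['message']}")
    return 1 if found else 0


def admission_review(review):
    """Deploy stage: validating-webhook reply that rejects a violating object."""
    req = review["request"]
    found = evaluate(req["object"])
    message = "; ".join(f"{v['rule']}: {v['message']}" for v in found) or "ok"
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": req["uid"], "allowed": not found,
                         "status": {"message": message}}}


# Constructed sample manifests: one breaks all three rules, one complies.
BAD = json.loads('''{"apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "payments-api", "namespace": "cardholder-data"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "api", "image": "registry.example.internal/payments-api:latest",
     "securityContext": {"privileged": true}}]}}}}''')

GOOD = json.loads('''{"apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "payments-api", "namespace": "cardholder-data"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "api", "image": "registry.example.internal/payments-api:1.4.2",
     "securityContext": {"privileged": false, "runAsNonRoot": true},
     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}''')

if __name__ == "__main__":
    # A CI job runs the gate over the manifests changed in the pull request.
    code = ci_gate([GOOD, BAD])
    # The same rules answer an AdmissionReview for a kubectl apply that skipped Git.
    reply = admission_review({"request": {"uid": "0000-constructed", "object": BAD}})
    print(json.dumps(reply["response"], indent=2))
    sys.exit(code)
```

Run as a script it prints the three violations for the non-compliant Deployment and exits non-zero, which is all a GitHub Actions or CI step needs to block the merge or fail the build; the same evaluate() behind the webhook turns a kubectl apply that bypassed the pull request into a rejected request with the rule IDs in the status message. The point the slides make is that the check is the same at every stage, so a change cannot pass at one stage and fail at another because the rule sets drifted.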
Recap - Financial Customer Case Study
Challenges:
● Enable developer self service that meets security audit team’s requirements
● Be able to ensure PCI-DSS compliance at every step
Solution:
● Weave GitOps Enterprise is a modular solution: use what your environment requires
● Manage clusters, services, and applications from a single control plane all in a fully
compliant manner
Success Metrics:
● Developer productivity up 30% in first 90 days
● Compliance team “reportable events” down 80%
Questions
Whitepaper: Trusted Delivery
https://bit.ly/3A0JMOe
Learn more about Weave GitOps
www.weave.works/enterprise
Request a personal demo
www.weave.works/contact
Thank You
www.weave.works/events