November 29, 2022
Flux’s Security & Scalability
with OCI & Helm
Kingdon Barrett
OSS Engineer, Weaveworks
Vanessa Abankwah
DX Community Manager, Weaveworks
Weaveworks is founded on open source
● Flux & Flagger (CNCF): GitOps and Progressive Delivery for k8s
● EKSctl: Create an Amazon EKS cluster with one command
● (and many many more projects!)
And now … Weave GitOps......Built on Flux!
weave.works
Speakers / Help & Support
Kingdon Barrett, OSS Engineer
Vanessa Abankwah, DX Community Manager, Weaveworks
Duration: 30-40 minutes
Browser: Safari copy/paste shortcuts may not work
Using Zoom
Questions?
• Use chat (button: top left corner of screen)
• Escape to exit full screen
• “To Everyone” or “To all panelists and attendees”
Support: https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions
Troubleshooting: use chat. If the issue is not easily resolved, we ask that you follow along as we demo the sample app.
Flux’s Security & Scalability with OCI & Helm
Upcoming Events
● HashiCorp User Group Luxembourg (virtual) Nov 30
● WOUG: Implementing Flux for Scale with Soft Multi-tenancy (Dec 13)
Recap: What is GitOps
● Operating model for cloud native applications such as Kubernetes
● Utilizes a version controlled system (commonly Git) as the “single source of truth”
● Enables continuous delivery through automated deployment, monitoring, and management by a version controlled system
● Managing your infrastructure and applications declaratively
Recap: Flux Security & Scalability (VSCode + OCI + Cosign)
● 2 wks ago: (https://youtu.be/Bmh7kKYLIhY) Flux with “OCI Bootstrap”
● OCIRepository “standing in” for GitRepository as root Source Of Truth
○ “Bootstrap Lite”
● Non-standard config
○ We started to get ideas about where OCI can be used
○ Primitives: use them how you want, these are only examples
● (Podinfo app still managed via Git)
○ stand in for “upstreams we can’t control”
● Today is “Part 2” of the series
Still GitOps?
OCI + Flux == GitOps
● Git is still the source of truth
● Before:
○ Git => Flux
● After:
○ Git => OCI registry => Flux
○ New opportunities for validation, etc.
○ (We added a CI Step!)
Source: GitOps Working Group
https://opengitops.dev/
Demo Time!
Security & Scalability
● Pulling an OCI image is much less resource-intensive compared to a full or shallow Git clone
● Highly available registries are on every cloud provider
● Flux leverages Kubernetes workload identity and IAM when pulling OCI artifacts from managed registries
○ => No more key management
○ => No more SSH keys to generate
○ => No more proprietary API usage for token generation
Recap: Security & Scalability
● Last time: Image verification with cosign
○ “Two types” of images
■ Application runtime (not verified)
■ Manifests (YAML) - and how to publish as OCI, sign, etc.
● Today: let’s add
○ Helm Charts, and Cosign verification on HelmReleases
○ Keyless Cosign Signatures (and keyed)
● Bonus:
○ App runtime image verification with Kyverno
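The two verification modes the slide lists, as an added example (not from the slides or the demo repo): Flux manifests in which an OCIRepository of YAML is verified keyless, and a HelmRelease whose chart is verified against a cosign public key in a Secret. Registry paths, object names and the placeholder key are assumptions.

```yaml
# Added example (not from the slides): Flux objects that verify cosign
# signatures before anything is reconciled.
#   1. keyless -> OCIRepository of YAML manifests signed by a CI workflow
#   2. keyed   -> HelmRelease whose chart is checked against a public key
# Registry paths and names below are assumptions chosen for the example.
---
# Keyless: Flux checks the signature stored next to the artifact in the
# registry against the public Sigstore infrastructure (Fulcio + Rekor).
# No signing key material has to live in the cluster.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: podinfo-manifests
  namespace: flux-system
spec:
  interval: 5m
  url: oci://ghcr.io/example-org/podinfo-manifests   # assumed registry path
  ref:
    tag: latest
  verify:
    provider: cosign   # no secretRef => keyless verification
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: podinfo-manifests
  namespace: flux-system
spec:
  interval: 10m
  prune: true
  sourceRef:
    kind: OCIRepository
    name: podinfo-manifests
  path: ./
---
# Keyed: the cosign public key that matches the chart signature is stored
# in a Secret; every entry in the Secret's data is tried as a verifier.
apiVersion: v1
kind: Secret
metadata:
  name: cosign-pub
  namespace: flux-system   # same namespace as the HelmRepository below
stringData:
  cosign.pub: |
    -----BEGIN PUBLIC KEY-----
    <PLACEHOLDER: paste the real cosign public key here>
    -----END PUBLIC KEY-----
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: podinfo
  namespace: flux-system
spec:
  type: oci
  interval: 10m
  url: oci://ghcr.io/stefanprodan/charts   # assumed location of the chart
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: podinfo
  namespace: default
spec:
  interval: 10m
  chart:
    spec:
      chart: podinfo
      version: ">=6.0.0"
      sourceRef:
        kind: HelmRepository
        name: podinfo
        namespace: flux-system
      verify:
        provider: cosign
        secretRef:
          name: cosign-pub   # keyed; drop secretRef for keyless verification
  values:
    replicaCount: 2
```

If a signature is missing or does not match, the source is not marked Ready and the HelmRelease does not proceed; `flux get sources helmchart -A` and `flux get sources oci -A` show the failure reason.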
Recap: Features of verification with cosign
● Software supply chain attacks
● OCI Artifact authenticity
● Sigstore cosign
○ Sponsored by Open Source Security Foundation (OpenSSF)
○ OpenID Connect, Root CA and Public Ledger
○ Keys: text-based, cloud KMS, Kubernetes Secret
● Container registry must support signed images
○ GitHub offers a simple way to get started with OCI and cosign
Defense in Depth
● What does it mean?
○ Overlapping protections
○ Risk assessment
○ Multiple mitigations
● Swiss-Cheese Strategy for Security
○ When there is a hole in one layer…
○ …the other layers enhance the probability of blocking attacks
Defense in Depth
● What does it mean for us?
○ Traditional approaches still apply:
■ Use a protected main branch, and CI checks
■ Use immutable images (req. support from Container Registry)
○ New approaches we can add:
■ Signatures and verification
■ Verify:
● YAML manifests (declarative representation of prod/app)
● App Runtime Images
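The second layer on this slide, verifying the app runtime image at admission time, as an added example (not from the slides or the demo repo): a Kyverno ClusterPolicy that rejects Pods whose image has no valid keyless cosign signature from the expected release workflow. The image reference, workflow path and issuer are assumptions.

```yaml
# Added example (not from the slides): Kyverno blocks any Pod whose runtime
# image lacks a cosign signature issued to the expected CI workflow identity.
# Image reference, subject and issuer below are assumptions for the example.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-podinfo-runtime-image
spec:
  validationFailureAction: Enforce   # Audit would only log the violation
  background: false                  # admission-time check only
  webhookTimeoutSeconds: 30
  rules:
    - name: require-cosign-keyless-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/stefanprodan/podinfo:*"   # assumed image reference
          mutateDigest: true   # pin the tag to the verified digest
          attestors:
            - count: 1
              entries:
                - keyless:
                    # assumed identity of the GitHub Actions workflow
                    # that signed the release image
                    subject: "https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
```

With this policy a manifest that Flux already verified can still be stopped if the image it pulls in was not signed, which is the overlap the Swiss-cheese model is after.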
Agenda: Tools we are using
● Helm
● Flux’s Helm Controller & Source Controller
● Sigstore cosign
● Git repository (GitHub)
● CI workflows (GitHub Actions)
● Container registry (GHCR)
Agenda: Tools we are using
● Helm
○ It’s ubiquitous
○ If you are using Kubernetes and you are not Google-scale
■ You basically can’t avoid Helm (everybody has helm charts)
■ Lots of nice features including lifecycle hooks
■ (Don’t over-analyze it)
○ Software + config distro commonly done with Helm charts
■ But it has some limitations
Agenda: Tools we are using
● Flux’s Helm Controller & Source Controller
○ Allows Helm to be used declaratively
○ Remediation and CRD upgrades
■ Features that aren’t natively in Helm
○ Helm + GitOps => (Flux implements this)
Agenda: Tools we are using
● Sigstore cosign
○ Popular new tool for verification of signatures
○ Enables traditional “keyed” signatures or
■ Keyless - OIDC-based workflow
Q: How many people are signing releases now?
● What does keyless verification get us?
○ (If we don’t sign releases now, could it get any worse?)
Agenda: Tools we are using
● Git repository (GitHub)
○ (Also an OIDC provider)
○ Place to store and version code
Agenda: Tools we are using
● CI workflows (GitHub Actions)
○ Place for CI actions to run
○ (environment with ephemeral GITHUB_TOKEN)
Agenda: Tools we are using
● Container registry (GHCR)
○ Place for CI actions to store the results
○ (Signatures go in here, as OCI artifacts as well)
■ sha256-abcd1234ef98765.sig
○ Images have a “digest” which hashes their content
○ Cosign attestations can make+certify assertions (“CI Passed”)
○ “Packages” hold the manifests or app runtime images
■ Serve them up as an OCI Repository
Demo Time! (x2)
Links
● Demo Example Docs
○ https://github.com/kingdonb/flux-oci-demo-nov-29
○ (The repo we worked in today, with “solutions”; text in README shows what we did)
Links
● Podinfo
○ https://github.com/stefanprodan/podinfo
○ Keyless:
■ https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/release.yml#L90-L97
○ Keyed:
■ https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/release.yml#L118-L125
Links
● Flux Blog & Docs
○ https://fluxcd.io/blog/2022/10/prove-the-authenticity-of-oci-artifacts/
○ https://fluxcd.io/blog/2022/11/verify-the-integrity-of-the-helm-charts-stored-as-oci-artifacts-before-reconciling-them-with-flux/
○ https://fluxcd.io/blog/2022/08/manage-kyverno-policies-as-ocirepositories/
○ https://fluxcd.io/flux/cheatsheets/oci-artifacts/#signing-and-verification
● Security
○ https://fluxcd.io/flux/security/contextual-authorization/
○ https://fluxcd.io/flux/security/secrets-management/
Links
● Kyverno
○ https://kyverno.io/docs/writing-policies/verify-images/#verifying-image-attestations
○ https://kyverno.io/policies/flux/generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources/ <- Flux Multi-Tenancy Resource
● Kyverno uses Flux and Cosign:
○ https://github.com/kyverno/kyverno/blob/main/.github/workflows/release.yaml#L155-L172
Links
● (Who else uses Cosign today in their release process?)
● Prometheus Community does now:
○ https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
○ https://github.com/orgs/prometheus-community/packages?repo_name=helm-charts
● Flux Monitoring
○ https://fluxcd.io/flux/guides/monitoring/
Links
● (Who else uses Cosign today in their release process?)
● Cert-Manager does now:
○ https://cert-manager.io/docs/installation/code-signing/#container-images--cosign
Links
● (Who else uses Cosign today in their release process?)
● Harbor curiously does not:
○ However, Harbor users do already enjoy Cosign verification now:
○ https://goharbor.io/blog/cosign-2.5.0/
● You can see attestations and verify the signatures in Harbor UI
Adoption
● Is coming!
● You can help by…
○ Trying this workflow out and reporting any issues you may have
○ Joining the community
● Flux Dev Meetings
● Flux Bug Scrub
○ https://fluxcd.io/#calendar
● (We’d love to have you join!)
GitOps Tools for Flux Visual Studio Code Extension
● An extension to enhance the developer experience
● An intuitive way to manage, troubleshoot and operate your Kubernetes environment following the GitOps operating model
● Accelerate your development lifecycle and simplify your continuous delivery pipelines
● GitOps Tools Visual Studio Code on GitHub: https://github.com/weaveworks/vscode-gitops-tools
● GitOps Tools for Flux in Visual Studio Marketplace: https://marketplace.visualstudio.com/items?itemName=Weaveworks.vscode-gitops-tools
Weave GitOps
● Adds a web UI that surfaces key information to help application operators easily discover and resolve issues
● An intuitive interface that provides a guided experience to build understanding and simplify getting started for new users; they can easily discover the relationship between Flux objects and navigate to deeper levels of information as required
● Weave GitOps on GitHub: https://github.com/weaveworks/weave-gitops
● Weave GitOps Documentation: https://docs.gitops.weave.works/docs/intro/
Next Steps
● Join us on Flux discussions if you have more questions: https://github.com/fluxcd/flux2/discussions
● Flux Community: https://github.com/fluxcd/community/blob/main/community-roles.md
● Join the GitOps Community Group: https://www.meetup.com/GitOps-Community/
● Join the GitOps Community LinkedIn Group: https://www.linkedin.com/groups/13914610/
● VS Code Extension: https://code.visualstudio.com/
weave.works
Thank you
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
Ayan Halder
 

Recently uploaded (20)

Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
 
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
 
Launch Your Streaming Platforms in Minutes
Launch Your Streaming Platforms in MinutesLaunch Your Streaming Platforms in Minutes
Launch Your Streaming Platforms in Minutes
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
 
Preparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging  a  Tech AgencyPreparing Non - Technical Founders for Engaging  a  Tech Agency
Preparing Non - Technical Founders for Engaging a Tech Agency
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 

Flux’s Security & Scalability with OCI & Helm Slides.pdf

  • 1. Flux’s Security & Scalability with OCI & Helm
    November 29, 2022
    Kingdon Barrett, OSS Engineer, Weaveworks
    Vanessa Abankwah, DX Community Manager, Weaveworks
  • 2. Weaveworks is founded on open source
    ● Flux & Flagger (CNCF): GitOps and Progressive Delivery for k8s
    ● EKSctl: Create an Amazon EKS cluster with one command
    ● (and many many more projects!)
    And now … Weave GitOps... Built on Flux!
    weave.works
  • 3. Flux’s Security & Scalability with OCI & Helm
    Speakers
    Kingdon Barrett, OSS Engineer
    Vanessa Abankwah, DX Community Manager, Weaveworks
    Duration: 30-40 Minutes
    Browser: Safari copy/paste shortcuts may not work
    Help/Support
    Using Zoom. Questions?
    • Use chat (button: top left corner of screen)
    • Escape to exit full screen
    • “To Everyone” or “To all panelists and attendees”
    Support: https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions
    Troubleshooting: use chat. If the issue is not easily resolved, we ask that you follow along as we demo the sample app.
  • 4. Upcoming Events
    HashiCorp User Group Luxembourg (virtual) Nov 30
    WOUG: Implementing Flux for Scale with Soft Multi-tenancy (Dec 13)
  • 5. Recap: What is GitOps
    ● Operating model for cloud native applications such as Kubernetes
    ● Utilizes a version controlled system (commonly Git) as the “single source of truth”
    ● Enables continuous delivery through automated deployment, monitoring, and management by a version controlled system
    ● Managing your infrastructure and applications declaratively
  • 6. Recap: Flux Security & Scalability (VSCode + OCI + Cosign)
    ● 2 wks ago: (https://youtu.be/Bmh7kKYLIhY) Flux with “OCI Bootstrap”
    ● OCIRepository “standing in” for GitRepository as root Source Of Truth
      ○ “Bootstrap Lite”
    ● Non-standard config
      ○ We started to get ideas about where OCI can be used
      ○ Primitives: use them how you want, these are only examples
    ● (Podinfo app still managed via Git)
      ○ stand in for “upstreams we can’t control”
    ● Today is “Part 2” of the series
  • 7. Still GitOps? OCI + Flux == GitOps
    ● Git is still the source of truth
    ● Before:
      ○ Git => Flux
    ● After:
      ○ Git => OCI registry => Flux
  • 8. Still GitOps? OCI + Flux == GitOps
    ● Git is still the source of truth
    ● Before:
      ○ Git => Flux
    ● After:
      ○ Git => OCI registry => Flux
      ○ New opportunities for validation, etc.
      ○ (We added a CI Step!)
  • 9. Source: GitOps Working Group https://opengitops.dev/
  • 11. Security & Scalability
    ● Pulling an OCI image is much less resource-intensive compared to a full or shallow Git clone
    ● Highly available registries are on every cloud provider
    ● Flux leverages Kubernetes workload identity and IAM when pulling OCI artifacts from managed registries
      ○ => No more key management
      ○ => No more SSH keys to generate
      ○ => No more proprietary API usage for token generation
  • 12. Recap: Security & Scalability
    ● Last time: Image verification with cosign
      ○ “Two types” of images
        ■ Application runtime (not verified)
        ■ Manifests (YAML) - and how to publish as OCI, sign, etc.
    ● This time: …
  • 13. Recap: Security & Scalability
    ● Last time: Image verification with cosign
      ○ “Two types” of images
        ■ Application runtime (not verified)
        ■ Manifests (YAML) - and how to publish as OCI, sign, etc.
    ● Today: let’s add
      ○ Helm Charts, and Cosign verification on HelmReleases
      ○ Keyless Cosign Signatures (and keyed)
    ● Bonus:
      ○ App runtime image verification with Kyverno
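What "Cosign verification on HelmReleases" looks like in Flux manifests, written out as an added example (this is not code from the slides or from the Flux project). It assumes source-controller and helm-controller versions that support `.spec.verify` on OCIRepository and `.spec.chart.spec.verify` on HelmRelease, as described in the Flux blog post linked later in the deck. The namespaces, the `app-manifests` OCIRepository and its registry path, the `cosign-pub` Secret name and the podinfo chart path `oci://ghcr.io/stefanprodan/charts` are all assumptions; substitute your own.

```yaml
# Added example (not from the slides or the Flux project): Flux sources with
# cosign verification enabled. Names, namespaces and registry URLs are assumptions.
---
# Keyed verification: the public key that signed the artifact is stored in a
# Secret that source-controller reads. The key body below is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: cosign-pub
  namespace: flux-system
stringData:
  cosign.pub: |
    -----BEGIN PUBLIC KEY-----
    <placeholder: contents of your cosign.pub>
    -----END PUBLIC KEY-----
---
# YAML manifests published as an OCI artifact; the signature is checked against
# the key in the Secret before anything is reconciled from this source.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: app-manifests
  namespace: flux-system
spec:
  interval: 10m
  url: oci://ghcr.io/example-org/app-manifests   # assumed registry path
  ref:
    tag: latest
  verify:
    provider: cosign
    secretRef:
      name: cosign-pub
---
# Helm charts served from an OCI registry instead of an index.yaml repository.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: podinfo
  namespace: default
spec:
  type: oci
  interval: 10m
  url: oci://ghcr.io/stefanprodan/charts   # assumed registry path
---
# Keyless verification: no secretRef, so the chart signature is validated
# against the Sigstore transparency log and Fulcio root CA instead of a key
# you manage yourself.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: podinfo
  namespace: default
spec:
  interval: 10m
  chart:
    spec:
      chart: podinfo
      version: "6.x"
      sourceRef:
        kind: HelmRepository
        name: podinfo
      verify:
        provider: cosign
```

Keyed and keyless differ only in whether `secretRef` is present. When verification fails, the source object reports the failure in its status conditions and nothing is reconciled from it, so a tampered or unsigned artifact never reaches the cluster; `flux get sources oci` and `flux get helmreleases` show the condition message.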
  • 14. Recap: Features of verification with cosign
    ● Software supply chain attacks
    ● OCI Artifact authenticity
    ● Sigstore cosign
      ○ Sponsored by Open Source Security Foundation (OpenSSF)
      ○ OpenID Connect, Root CA and Public Ledger
      ○ Keys: text-based, cloud KMS, Kubernetes Secret
    ● Container registry must support signed images
      ○ GitHub offers a simple way to get started with OCI and cosign
  • 15. Defense in Depth
    ● What does it mean?
      ○ Overlapping protections
      ○ Risk assessment
      ○ Multiple mitigations
    ● Swiss-Cheese Strategy for Security
      ○ When there is a hole in one layer…
      ○ …the other layers enhance the probability of blocking attacks
  • 16. Defense in Depth
    ● What does it mean for us?
      ○ Traditional approaches still apply:
        ■ Use a protected main branch, and CI checks
        ■ Use immutable images (req. support from Container Registry)
      ○ New approaches we can add:
        ■ Signatures and verification
        ■ Verify:
          ● YAML manifests (declarative representation of prod/app)
          ● App Runtime Images
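Flux verifies the manifests and charts it pulls, but not the app runtime images those manifests reference; that second layer is the Kyverno "bonus" from slide 13. Below is an added example of a Kyverno image-verification policy for that layer (not a policy from the slides or from the Kyverno project). It assumes the `verifyImages` syntax of Kyverno 1.8 with keyless attestors; the policy and rule names are assumptions, the podinfo image reference and the GitHub Actions workflow path come from the podinfo repository the deck links (the subject glob and issuer URL are the usual values for GitHub's OIDC provider and are stated here as assumptions), and the keyed rule's image path and public key are constructed placeholders.

```yaml
# Added example (not from the slides or the Kyverno project): admission-time
# verification of app runtime images. Names and image paths are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-runtime-images
spec:
  validationFailureAction: Enforce   # reject, rather than only audit, unsigned images
  background: false                  # verifyImages runs at admission, not in background scans
  webhookTimeoutSeconds: 30          # signature lookups talk to the registry and Rekor
  rules:
    # Keyless: trust images signed by podinfo's release workflow via GitHub OIDC.
    - name: podinfo-keyless
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/stefanprodan/podinfo:*"
          required: true        # matching images without a valid signature are rejected
          mutateDigest: true    # rewrite the tag to the verified digest (immutable reference)
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Assumed identity of the signing workflow (subject glob + issuer).
                    subject: "https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
    # Keyed: trust your own images signed with a long-lived cosign key pair.
    - name: internal-images-keyed
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"    # constructed placeholder path
          required: true
          attestors:
            - count: 1
              entries:
                - keys:
                    # Constructed placeholder; paste the real cosign.pub here.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <placeholder: your cosign public key>
                      -----END PUBLIC KEY-----
```

Each `attestors` entry with `count: 1` means one valid signature from the listed identities or keys is enough; with `required: true` a Pod that references a matching image without one is denied at admission, which is the layer that catches a runtime image Flux would otherwise deploy unchecked. Start with `validationFailureAction: Audit` on an existing cluster to see which workloads would be blocked before switching to `Enforce`.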
  • 17. Agenda: Tools we are using
    ● Helm
    ● Flux’s Helm Controller & Source Controller
    ● Sigstore cosign
    ● Git repository (GitHub)
    ● CI workflows (GitHub Actions)
    ● Container registry (GHCR)
  • 18. Agenda: Tools we are using
    ● Helm
      ○ It’s ubiquitous
      ○ If you are using Kubernetes and you are not Google-scale
        ■ You basically can’t avoid Helm (everybody has helm charts)
        ■ Lots of nice features including lifecycle hooks
        ■ (Don’t over-analyze it)
      ○ Software + config distro commonly done with Helm charts
        ■ But it has some limitations
  • 19. Agenda: Tools we are using
    ● Flux’s Helm Controller & Source Controller
      ○ Allows Helm to be used declaratively
      ○ Remediation and CRD upgrades
        ■ Features that aren’t natively in Helm
      ○ Helm + GitOps => (Flux implements this)
  • 20. Agenda: Tools we are using
    ● Sigstore cosign
      ○ Popular new tool for verification of signatures
      ○ Enables traditional “keyed” signatures or
        ■ Keyless - OIDC-based workflow
      ○ OCI signatures
      ○ Flexible attestations
  • 21. Agenda: Tools we are using
    ● Sigstore cosign
      ○ Popular new tool for verification of signatures
      ○ Enables traditional “keyed” signatures or
        ■ Keyless - OIDC-based workflow
    Q: How many people are signing releases now?
  • 22. Agenda: Tools we are using
    ● Sigstore cosign
      ○ Popular new tool for verification of signatures
      ○ Enables traditional “keyed” signatures or
        ■ Keyless - OIDC-based workflow
    Q: How many people are signing releases now?
    ● What does keyless verification get us?
  • 23. Agenda: Tools we are using
    ● Sigstore cosign
      ○ Popular new tool for verification of signatures
      ○ Enables traditional “keyed” signatures or
        ■ Keyless - OIDC-based workflow
    Q: How many people are signing releases now?
    ● What does keyless verification get us?
      ○ (If we don’t sign releases now, could it get any worse?)
  • 24. Agenda: Tools we are using
    ● Git repository (GitHub)
      ○ (Also an OIDC provider)
      ○ Place to store and version code
  • 25. Agenda: Tools we are using
    ● CI workflows (GitHub Actions)
      ○ Place for CI actions to run
      ○ (environment with ephemeral GITHUB_TOKEN)
  • 26. Agenda: Tools we are using
    ● Container registry (GHCR)
      ○ Place for CI actions to store the results
      ○ (Signatures go in here, as OCI artifacts as well)
        ■ sha256-abcd1234ef98765.sig
      ○ Images have a “digest” which hashes their content
      ○ Cosign attestations can make+certify assertions (“CI Passed”)
      ○ “Packages” hold the manifests or app runtime images
        ■ Serve them up as an OCI Repository
  • 28. Links
    ● Demo Example Docs
      ○ https://github.com/kingdonb/flux-oci-demo-nov-29
      ○ (The repo we worked in today, with “solutions”; text in README shows what we did)
  • 29. Links
    ● Podinfo
      ○ https://github.com/stefanprodan/podinfo
      ○ Keyless:
        ■ https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/release.yml#L90-L97
      ○ Keyed:
        ■ https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/release.yml#L118-L125
  • 30. Links
    ● Flux Blog & Docs
      ○ https://fluxcd.io/blog/2022/10/prove-the-authenticity-of-oci-artifacts/
      ○ https://fluxcd.io/blog/2022/11/verify-the-integrity-of-the-helm-charts-stored-as-oci-artifacts-before-reconciling-them-with-flux/
      ○ https://fluxcd.io/blog/2022/08/manage-kyverno-policies-as-ocirepositories/
      ○ https://fluxcd.io/flux/cheatsheets/oci-artifacts/#signing-and-verification
    ● Security
      ○ https://fluxcd.io/flux/security/contextual-authorization/
      ○ https://fluxcd.io/flux/security/secrets-management/
  • 31. Links
    ● Kyverno
      ○ https://kyverno.io/docs/writing-policies/verify-images/#verifying-image-attestations
      ○ https://kyverno.io/policies/flux/generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources/ <- Flux Multi-Tenancy Resource
    ● Kyverno uses Flux and Cosign:
      ○ https://github.com/kyverno/kyverno/blob/main/.github/workflows/release.yaml#L155-L172
  • 32. Links
    ● (Who else uses Cosign today in their release process?)
    ● Prometheus Community does now:
      ○ https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
      ○ https://github.com/orgs/prometheus-community/packages?repo_name=helm-charts
    ● Flux Monitoring
      ○ https://fluxcd.io/flux/guides/monitoring/
  • 33. Links
    ● (Who else uses Cosign today in their release process?)
    ● Cert-Manager does now:
      ○ https://cert-manager.io/docs/installation/code-signing/#container-images--cosign
  • 34. Links
    ● (Who else uses Cosign today in their release process?)
    ● Harbor curiously does not:
      ○ However, Harbor users do already enjoy Cosign verification now:
      ○ https://goharbor.io/blog/cosign-2.5.0/
    ● You can see attestations and verify the signatures in Harbor UI
  • 35. Adoption
    ● Is coming!
    ● You can help by…
  • 36. Adoption
    ● Is coming!
    ● You can help by…
      ○ Trying this workflow out and reporting any issues you may have
      ○ Joining the community
    ● Flux Dev Meetings
    ● Flux Bug Scrub
      ○ https://fluxcd.io/#calendar
    ● (We’d love to have you join!)
  • 37. GitOps Tools for Flux Visual Studio Code Extension
    ● An extension to enhance the developer experience
    ● An intuitive way to manage, troubleshoot and operate your Kubernetes environment following the GitOps operating model
    ● Accelerate your development lifecycle and simplify your continuous delivery pipelines
    ● GitOps Tools Visual Studio Code on GitHub: https://github.com/weaveworks/vscode-gitops-tools
    ● GitOps Tools for Flux in Visual Studio Marketplace: https://marketplace.visualstudio.com/items?itemName=Weaveworks.vscode-gitops-tools
  • 38. Weave GitOps
    ● Adds a web UI that surfaces key information to help application operators easily discover and resolve issues
    ● An intuitive interface that provides a guided experience to build understanding and simplify getting started for new users; they can easily discover the relationship between Flux objects and navigate to deeper levels of information as required
    ● GitOps Tools Visual Studio Code on GitHub: https://github.com/weaveworks/weave-gitops
    ● Weave GitOps Documentation: https://docs.gitops.weave.works/docs/intro/
  • 39. Next Steps
    ● Join us on Flux discussions if you have more questions: https://github.com/fluxcd/flux2/discussions
    ● Flux Community: https://github.com/fluxcd/community/blob/main/community-roles.md
    ● Join the GitOps Community Group: https://www.meetup.com/GitOps-Community/
    ● Join the GitOps Community LinkedIn Group: https://www.linkedin.com/groups/13914610/
    ● VS Code Extension: https://code.visualstudio.com/
  • 40. Thank you
    weave.works
    Confidential, do not distribute