Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks

423 views

Published on

Together with Snyk, the Weaveworks team will explain and demonstrate how GitOps continuous delivery pipelines combined with good security practices improves the overall security of your development workflow - from Git to production. In the webinar we will:
- Examine security concerns in a typical CICD pipeline
- Operate continuous delivery via pull request
- Discuss Read/Write access in a GitOps pipeline
- Share 5 tips and tricks on securing your source code repos from the beginning

Blog on this topic: https://www.weave.works/blog/secure-gitops-pipelines-for-kubernetes-with-snyk-and-weaveworks

Published in: Technology
  • Login to see the comments

Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks

  1. 1. Securing Developer Workflows March 2019 Webinar Brice Fernandes – brice@weave.works – @fractallambda Simon Maple - simon@snyk.io – @sjmaple 1
  2. 2. ● Building cloud-native OSS and commercial products since 2014 (Weave Net, Moby, Kubernetes, Prometheus) ● Founding member of CNCF ● Weave Cloud runs on Kubernetes since 2015 ● We developed “GitOps” - more later! ● Kubernetes support subscriptions, training and consulting 2 About Weaveworks
  3. 3. snyk.io About Snyk Snyk helps developers use open source code and stay secure ● Detect: Uncover vulnerabilities & license violations in the libraries your apps use ● Fix: Seamlessly fix discovered issues through automated upgrades and custom patches ● Monitor: Get alerted when new vulnerabilities affect your apps and fix them before attackers act
  4. 4. Transform your CICD pipeline with GitOps 4
  5. 5. Typical CICD pipeline Continuous Integration Cluster API Continuous Delivery/Deployment Container Registry CI Code Repo Dev RW CI credsGit creds RW CR creds3 RO RW API creds CR creds1 Shares credentials cross several logical security boundaries. Boundary RO RW Container Registry (CR) creds2
  6. 6. The GitOps Model 6
  7. 7. 7 GitOps is... An operation model
  8. 8. 8 GitOps is... An operation model Derived from CS and operation knowledge
  9. 9. 9 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding)
  10. 10. 10 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How)
  11. 11. 11 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How) Although Weaveworks can help with how
  12. 12. 12 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How) A way to speed up your team
  13. 13. 13 1 The entire system is described declaratively.
  14. 14. 14 1 The entire system is described declaratively. Beyond code, data ⇒ Implementation independent Easy to abstract in simple ways Easy to validate for correctness Easy to generate & manipulate from code
  15. 15. 15 The canonical desired system state is versioned (with Git) 2
  16. 16. 16 The canonical desired system state is versioned (with Git) Canonical Source of Truth (DRY) With declarative definition, trivialises rollbacks Excellent security guarantees for auditing Sophisticated approval processes (& existing workflows) Great Software ↔ Human collaboration point 2
  17. 17. 17 Approved changes to the desired state are automatically applied to the system 3
  18. 18. 18 Approved changes to the desired state are automatically applied to the system Significant velocity gains Privileged operators don’t cross security boundaries Separates What and How. 3
  19. 19. 19 Software agents ensure correctness and alert on divergence 4
  20. 20. 20 Software agents ensure correctness and alert on divergence 4 Continuously checking that desired state is met System can self heal Recovers from errors without intervention (PEBKAC) It’s the control loop for your operations
  21. 21. 21 1 The entire system is described declaratively. 2 The canonical desired system state is versioned (with Git) 3 Approved changes to the desired state are automatically applied to the system 4 Software agents ensure correctness and alert on divergence
  22. 22. 22 Canonical source of truth People Software Agents Software Agents
  23. 23. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Can al re s a s e Config Repo
  24. 24. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo
  25. 25. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo Pro s & co t t en c e t
  26. 26. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo Ex e t a di g an t ut
  27. 27. 27 GitO n p a t
  28. 28. Secure your GitOps pipeline 28
  29. 29. Move from access to cluster to access to repository. ...So how to secure your repository? Controls 29
  30. 30. Securing your repositories 30
  31. 31. Mitigating user impersonation 31 1. Enforce Strong Identity in VCS (GitHub/GitLab) with GPG Signed Commits 2. Use Physical GPG Keys to increase security 3. Run GPG-Validating Code in CI
  32. 32. Prevent History Rewrites 32 1. Prevent Force Pushes to Master Branch 2. Backup Git Repositories
  33. 33. Prevent Removal of Security Features 33 1. Configure Git Provider with Infrastructure as Code 2. Monitor Git Provider’s Audit Logs 3. Verify Commits to Master
  34. 34. Don’t use deprecated software 34
  35. 35. snyk.io 35
  36. 36. snyk.io Do You Know Which Dependencies You Have?
  37. 37. snyk.io Your App
  38. 38. snyk.io Your Code Your App
  39. 39. snyk.io Each Dependency Is A Security Risk
  40. 40. snyk.io Direct Deps only All Deps (410!) What is NPM Inception? Package within a package within a package?
  41. 41. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if its developers have any Security Expertise?
  42. 42. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if it underwent any Security Testing?
  43. 43. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if it has any Known Vulnerabilities?
  44. 44. snyk.io Going Terminal
  45. 45. Get in touch brice@weave.works simon@snyk.io @fractallambda @sjmaple 45 Thank you Back to you, Sonja!

×