Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Securing Developer
Workflows
March 2019 Webinar
Brice Fernandes – brice@weave.works – @fractallambda
Simon Maple - simon@s...
● Building cloud-native OSS and commercial products since
2014 (Weave Net, Moby, Kubernetes, Prometheus)
● Founding member...
snyk.io
About Snyk
Snyk helps developers use open source code and stay secure
● Detect: Uncover vulnerabilities & license ...
Transform your CICD pipeline
with GitOps
4
Typical CICD pipeline
Continuous Integration
Cluster API
Continuous Delivery/Deployment
Container
Registry
CI
Code
Repo
De...
The GitOps Model
6
7
GitOps is...
An operation model
8
GitOps is...
An operation model
Derived from CS and operation knowledge
9
GitOps is...
An operation model
Derived from CS and operation knowledge
Technology agnostic (name notwithstanding)
10
GitOps is...
An operation model
Derived from CS and operation knowledge
Technology agnostic (name notwithstanding)
A se...
11
GitOps is...
An operation model
Derived from CS and operation knowledge
Technology agnostic (name notwithstanding)
A se...
12
GitOps is...
An operation model
Derived from CS and operation knowledge
Technology agnostic (name notwithstanding)
A se...
13
1 The entire system is described declaratively.
14
1 The entire system is described declaratively.
Beyond code, data ⇒
Implementation independent
Easy to abstract in simp...
15
The canonical desired system state is versioned
(with Git)
2
16
The canonical desired system state is versioned
(with Git)
Canonical Source of Truth (DRY)
With declarative definition,...
17
Approved changes to the desired state are
automatically applied to the system
3
18
Approved changes to the desired state are
automatically applied to the system
Significant velocity gains
Privileged ope...
19
Software agents ensure correctness
and alert on divergence
4
20
Software agents ensure correctness
and alert on divergence
4
Continuously checking that desired state is met
System can...
21
1 The entire system is described declaratively.
2 The canonical desired system state is versioned
(with Git)
3 Approved...
22
Canonical
source of truth
People
Software
Agents
Software
Agents
Cluster API
GitOps pipeline
Container
Registry
CI
Code
Repo
Dev RO
CR creds2
CI credsGit creds
RO
Deploy
CR creds3
RO
RW
C...
Cluster API
GitOps pipeline
Container
Registry
CI
Code
Repo
Dev RO
CR creds2
CI credsGit creds
RO
Deploy
CR creds3
RO
RW
C...
Cluster API
GitOps pipeline
Container
Registry
CI
Code
Repo
Dev RO
CR creds2
CI credsGit creds
RO
Deploy
CR creds3
RO
RW
C...
Cluster API
GitOps pipeline
Container
Registry
CI
Code
Repo
Dev RO
CR creds2
CI credsGit creds
RO
Deploy
CR creds3
RO
RW
C...
27
GitO n
p a t
Secure your GitOps pipeline
28
Move from access to cluster to access to
repository.
...So how to secure your repository?
Controls
29
Securing your repositories
30
Mitigating user impersonation
31
1. Enforce Strong Identity in VCS (GitHub/GitLab)
with GPG Signed Commits
2. Use Physical...
Prevent History Rewrites
32
1. Prevent Force Pushes to Master Branch
2. Backup Git Repositories
Prevent Removal of Security Features
33
1. Configure Git Provider with Infrastructure as
Code
2. Monitor Git Provider’s Au...
Don’t use deprecated software
34
snyk.io 35
snyk.io
Do You Know
Which Dependencies
You Have?
snyk.io
Your App
snyk.io
Your Code
Your App
snyk.io
Each Dependency Is A Security
Risk
snyk.io
Direct Deps
only
All Deps
(410!)
What is NPM Inception?
Package within a package within a
package?
snyk.io
Do you know, for
EVERY SINGLE DEPENDENCY
if its developers have any
Security Expertise?
snyk.io
Do you know, for
EVERY SINGLE DEPENDENCY
if it underwent any
Security Testing?
snyk.io
Do you know, for
EVERY SINGLE DEPENDENCY
if it has any
Known Vulnerabilities?
snyk.io
Going Terminal
Get in touch
brice@weave.works simon@snyk.io
@fractallambda @sjmaple
45
Thank you
Back to you, Sonja!
Upcoming SlideShare
Loading in …5
×

of

Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 1 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 2 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 3 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 4 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 5 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 6 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 7 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 8 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 9 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 10 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 11 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 12 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 13 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 14 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 15 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 16 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 17 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 18 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 19 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 20 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 21 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 22 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 23 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 24 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 25 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 26 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 27 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 28 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 29 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 30 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 31 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 32 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 33 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 34 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 35 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 36 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 37 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 38 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 39 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 40 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 41 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 42 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 43 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 44 Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks Slide 45
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

1 Like

Share

Download to read offline

Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks

Download to read offline

Together with Snyk, the Weaveworks team will explain and demonstrate how GitOps continuous delivery pipelines combined with good security practices improves the overall security of your development workflow - from Git to production. In the webinar we will:
- Examine security concerns in a typical CICD pipeline
- Operate continuous delivery via pull request
- Discuss Read/Write access in a GitOps pipeline
- Share 5 tips and tricks on securing your source code repos from the beginning

Blog on this topic: https://www.weave.works/blog/secure-gitops-pipelines-for-kubernetes-with-snyk-and-weaveworks

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks

  1. 1. Securing Developer Workflows March 2019 Webinar Brice Fernandes – brice@weave.works – @fractallambda Simon Maple - simon@snyk.io – @sjmaple 1
  2. 2. ● Building cloud-native OSS and commercial products since 2014 (Weave Net, Moby, Kubernetes, Prometheus) ● Founding member of CNCF ● Weave Cloud runs on Kubernetes since 2015 ● We developed “GitOps” - more later! ● Kubernetes support subscriptions, training and consulting 2 About Weaveworks
  3. 3. snyk.io About Snyk Snyk helps developers use open source code and stay secure ● Detect: Uncover vulnerabilities & license violations in the libraries your apps use ● Fix: Seamlessly fix discovered issues through automated upgrades and custom patches ● Monitor: Get alerted when new vulnerabilities affect your apps and fix them before attackers act
  4. 4. Transform your CICD pipeline with GitOps 4
  5. 5. Typical CICD pipeline Continuous Integration Cluster API Continuous Delivery/Deployment Container Registry CI Code Repo Dev RW CI credsGit creds RW CR creds3 RO RW API creds CR creds1 Shares credentials cross several logical security boundaries. Boundary RO RW Container Registry (CR) creds2
  6. 6. The GitOps Model 6
  7. 7. 7 GitOps is... An operation model
  8. 8. 8 GitOps is... An operation model Derived from CS and operation knowledge
  9. 9. 9 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding)
  10. 10. 10 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How)
  11. 11. 11 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How) Although Weaveworks can help with how
  12. 12. 12 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How) A way to speed up your team
  13. 13. 13 1 The entire system is described declaratively.
  14. 14. 14 1 The entire system is described declaratively. Beyond code, data ⇒ Implementation independent Easy to abstract in simple ways Easy to validate for correctness Easy to generate & manipulate from code
  15. 15. 15 The canonical desired system state is versioned (with Git) 2
  16. 16. 16 The canonical desired system state is versioned (with Git) Canonical Source of Truth (DRY) With declarative definition, trivialises rollbacks Excellent security guarantees for auditing Sophisticated approval processes (& existing workflows) Great Software ↔ Human collaboration point 2
  17. 17. 17 Approved changes to the desired state are automatically applied to the system 3
  18. 18. 18 Approved changes to the desired state are automatically applied to the system Significant velocity gains Privileged operators don’t cross security boundaries Separates What and How. 3
  19. 19. 19 Software agents ensure correctness and alert on divergence 4
  20. 20. 20 Software agents ensure correctness and alert on divergence 4 Continuously checking that desired state is met System can self heal Recovers from errors without intervention (PEBKAC) It’s the control loop for your operations
  21. 21. 21 1 The entire system is described declaratively. 2 The canonical desired system state is versioned (with Git) 3 Approved changes to the desired state are automatically applied to the system 4 Software agents ensure correctness and alert on divergence
  22. 22. 22 Canonical source of truth People Software Agents Software Agents
  23. 23. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Can al re s a s e Config Repo
  24. 24. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo
  25. 25. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo Pro s & co t t en c e t
  26. 26. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo Ex e t a di g an t ut
  27. 27. 27 GitO n p a t
  28. 28. Secure your GitOps pipeline 28
  29. 29. Move from access to cluster to access to repository. ...So how to secure your repository? Controls 29
  30. 30. Securing your repositories 30
  31. 31. Mitigating user impersonation 31 1. Enforce Strong Identity in VCS (GitHub/GitLab) with GPG Signed Commits 2. Use Physical GPG Keys to increase security 3. Run GPG-Validating Code in CI
  32. 32. Prevent History Rewrites 32 1. Prevent Force Pushes to Master Branch 2. Backup Git Repositories
  33. 33. Prevent Removal of Security Features 33 1. Configure Git Provider with Infrastructure as Code 2. Monitor Git Provider’s Audit Logs 3. Verify Commits to Master
  34. 34. Don’t use deprecated software 34
  35. 35. snyk.io 35
  36. 36. snyk.io Do You Know Which Dependencies You Have?
  37. 37. snyk.io Your App
  38. 38. snyk.io Your Code Your App
  39. 39. snyk.io Each Dependency Is A Security Risk
  40. 40. snyk.io Direct Deps only All Deps (410!) What is NPM Inception? Package within a package within a package?
  41. 41. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if its developers have any Security Expertise?
  42. 42. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if it underwent any Security Testing?
  43. 43. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if it has any Known Vulnerabilities?
  44. 44. snyk.io Going Terminal
  45. 45. Get in touch brice@weave.works simon@snyk.io @fractallambda @sjmaple 45 Thank you Back to you, Sonja!
  • h1pan

    Mar. 14, 2019

Together with Snyk, the Weaveworks team will explain and demonstrate how GitOps continuous delivery pipelines combined with good security practices improves the overall security of your development workflow - from Git to production. In the webinar we will: - Examine security concerns in a typical CICD pipeline - Operate continuous delivery via pull request - Discuss Read/Write access in a GitOps pipeline - Share 5 tips and tricks on securing your source code repos from the beginning Blog on this topic: https://www.weave.works/blog/secure-gitops-pipelines-for-kubernetes-with-snyk-and-weaveworks

Views

Total views

572

On Slideshare

0

From embeds

0

Number of embeds

0

Actions

Downloads

29

Shares

0

Comments

0

Likes

1

×