1. The webinar discussed securing developer workflows by applying GitOps principles and securing repositories.
2. GitOps is described as an operations model that defines the entire system declaratively with the canonical desired system state versioned in Git.
3. Approved changes to the desired state are automatically applied to the system by software agents that ensure correctness and alert on any divergence from the declared state.
4. The presentation provided recommendations for securing repositories by enforcing strong identity, preventing history rewrites and removal of security features, and avoiding deprecated software.
Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks
2. About Weaveworks
● Building cloud-native OSS and commercial products since 2014 (Weave Net, Moby, Kubernetes, Prometheus)
● Founding member of CNCF
● Weave Cloud has run on Kubernetes since 2015
● We developed “GitOps” - more later!
● Kubernetes support subscriptions, training and consulting
3. About Snyk (snyk.io)
Snyk helps developers use open source code and stay secure
● Detect: Uncover vulnerabilities & license violations in the libraries your apps use
● Fix: Seamlessly fix discovered issues through automated upgrades and custom patches
● Monitor: Get alerted when new vulnerabilities affect your apps and fix them before attackers act
9-12. GitOps is...
An operations model
Derived from CS and operations knowledge
Technology agnostic (name notwithstanding)
A set of principles (Why instead of How) - although Weaveworks can help with the How
A way to speed up your team
14. Principle 1: The entire system is described declaratively.
Beyond code, the desired state is data, which makes it:
Implementation independent
Easy to abstract in simple ways
Easy to validate for correctness
Easy to generate & manipulate from code
16. Principle 2: The canonical desired system state is versioned (with Git).
Canonical source of truth (DRY)
With a declarative definition, rollbacks become trivial
Excellent security guarantees for auditing
Sophisticated approval processes (& existing workflows)
Great software ↔ human collaboration point
18. Principle 3: Approved changes to the desired state are automatically applied to the system.
Significant velocity gains
Privileged operators don’t cross security boundaries
Separates What and How
20. Principle 4: Software agents ensure correctness and alert on divergence.
Continuously checking that the desired state is met
The system can self-heal
Recovers from errors without intervention (PEBKAC)
It’s the control loop for your operations
21. The four principles together:
1. The entire system is described declaratively.
2. The canonical desired system state is versioned (with Git).
3. Approved changes to the desired state are automatically applied to the system.
4. Software agents ensure correctness and alert on divergence.
23-26. [Diagram: GitOps pipeline. Components: Dev, Code Repo, CI, Container Registry, Config Repo, Deploy (Operator), Cluster API. Each link carries its own credential, marked RO or RW: Git creds, CI creds, CR creds 1/2/3 for the Container Registry, Config repo creds, Cluster API creds; Dev is marked RO and the Operator RW on the Config Repo. Caption: Credentials are never shared across a logical security boundary.]
31. Mitigating user impersonation
1. Enforce strong identity in the VCS (GitHub/GitLab) with GPG-signed commits
2. Use physical GPG keys to increase security
3. Run GPG-validating code in CI
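Step 3 above in practice: a CI gate that rejects a push to the config repo unless every new commit carries a good GPG signature from an allow-listed key. This is an added example, not code from the webinar or from Weaveworks or Snyk; the allow-list file name, the report format and the BASE_SHA/HEAD_SHA variables are assumptions.

```shell
#!/usr/bin/env bash
# CI gate for a GitOps config repo: reject a push unless every new commit has
# a good GPG signature from an allow-listed key. Added example, not webinar
# code. Hypothetical inputs: an allow-list file of long key IDs (one per line)
# and the BASE_SHA / HEAD_SHA of the pushed range, as most CI systems export.
set -eu

# Gate on "<sha> <status> <keyid>" lines, the output of
# git log --format='%H %G? %GK'. %G? is G for a good signature, N for none,
# and B/U/X/Y/R/E for bad, unknown-trust, expired, revoked or uncheckable.
# Returns 0 only if every commit is G *and* its key is in the allow-list.
verify_signature_report() {
  allowlist="$1"; report="$2"; failed=0
  while read -r sha status key; do
    [ -z "$sha" ] && continue
    case "$status" in
      G) if grep -qix -- "$key" "$allowlist"; then
           echo "ok   $sha signed by allow-listed key $key"
         else
           echo "FAIL $sha signed by key $key, which is not allow-listed" >&2
           failed=1
         fi ;;
      N) echo "FAIL $sha is not signed" >&2; failed=1 ;;
      *) echo "FAIL $sha status '$status' (bad, expired, revoked or unverifiable)" >&2
         failed=1 ;;
    esac
  done <<EOF
$report
EOF
  return "$failed"
}

# Verify every commit reachable from $3 but not from $2, i.e. the pushed range.
verify_range() {
  verify_signature_report "$1" "$(git log --format='%H %G? %GK' "$2..$3")"
}

# Stand-alone demo on a constructed report (needs neither git nor gpg).
# In CI you would call: verify_range trusted-signers.txt "$BASE_SHA" "$HEAD_SHA"
demo_allowlist=$(mktemp)
echo "ABCDEF0123456789" > "$demo_allowlist"
demo_report="1111111111111111111111111111111111111111 G ABCDEF0123456789
2222222222222222222222222222222222222222 N "
if verify_signature_report "$demo_allowlist" "$demo_report"; then
  echo "push accepted"
else
  echo "push rejected"   # commit 2222... is unsigned, so this demo is rejected
fi
rm -f "$demo_allowlist"
```

Git only reports status G when the signer's public key is present in the CI runner's GPG keyring, so the keyring must be provisioned with exactly the allow-listed keys or every commit fails as unverifiable (E).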