Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks
1 like717 views
1. The webinar discussed securing developer workflows through implementing GitOps principles and securing repositories. 2. GitOps is described as an operations model that defines the entire system declaratively with the canonical desired system state versioned in Git. 3. Approved changes to the desired state are automatically applied to the system by software agents that ensure correctness and alert on any divergence from the declared state. 4. The presentation provided recommendations for securing repositories by enforcing strong identity, preventing history rewrites and removal of security features, and avoiding deprecated software.
Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks
- 1. Securing Developer Workflows March 2019 Webinar Brice Fernandes – [email protected] – @fractallambda Simon Maple - [email protected] – @sjmaple 1
- 2. ● Building cloud-native OSS and commercial products since 2014 (Weave Net, Moby, Kubernetes, Prometheus) ● Founding member of CNCF ● Weave Cloud runs on Kubernetes since 2015 ● We developed “GitOps” - more later! ● Kubernetes support subscriptions, training and consulting 2 About Weaveworks
- 3. snyk.io About Snyk Snyk helps developers use open source code and stay secure ● Detect: Uncover vulnerabilities & license violations in the libraries your apps use ● Fix: Seamlessly fix discovered issues through automated upgrades and custom patches ● Monitor: Get alerted when new vulnerabilities affect your apps and fix them before attackers act
- 4. Transform your CICD pipeline with GitOps 4
- 5. Typical CICD pipeline Continuous Integration Cluster API Continuous Delivery/Deployment Container Registry CI Code Repo Dev RW CI credsGit creds RW CR creds3 RO RW API creds CR creds1 Shares credentials cross several logical security boundaries. Boundary RO RW Container Registry (CR) creds2
- 7. 7 GitOps is... An operation model
- 8. 8 GitOps is... An operation model Derived from CS and operation knowledge
- 9. 9 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding)
- 10. 10 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How)
- 11. 11 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How) Although Weaveworks can help with how
- 12. 12 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How) A way to speed up your team
- 13. 13 1 The entire system is described declaratively.
- 14. 14 1 The entire system is described declaratively. Beyond code, data ⇒ Implementation independent Easy to abstract in simple ways Easy to validate for correctness Easy to generate & manipulate from code
- 15. 15 The canonical desired system state is versioned (with Git) 2
- 16. 16 The canonical desired system state is versioned (with Git) Canonical Source of Truth (DRY) With declarative definition, trivialises rollbacks Excellent security guarantees for auditing Sophisticated approval processes (& existing workflows) Great Software ↔ Human collaboration point 2
- 17. 17 Approved changes to the desired state are automatically applied to the system 3
- 18. 18 Approved changes to the desired state are automatically applied to the system Significant velocity gains Privileged operators don’t cross security boundaries Separates What and How. 3
- 19. 19 Software agents ensure correctness and alert on divergence 4
- 20. 20 Software agents ensure correctness and alert on divergence 4 Continuously checking that desired state is met System can self heal Recovers from errors without intervention (PEBKAC) It’s the control loop for your operations
- 21. 21 1 The entire system is described declaratively. 2 The canonical desired system state is versioned (with Git) 3 Approved changes to the desired state are automatically applied to the system 4 Software agents ensure correctness and alert on divergence
- 23. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Can al re s a s e Config Repo
- 24. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo
- 25. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo Pro s & co t t en c e t
- 26. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo Ex e t a di g an t ut
- 27. 27 GitO n p a t
- 28. Secure your GitOps pipeline 28
- 29. Move from access to cluster to access to repository. ...So how to secure your repository? Controls 29
- 31. Mitigating user impersonation 31 1. Enforce Strong Identity in VCS (GitHub/GitLab) with GPG Signed Commits 2. Use Physical GPG Keys to increase security 3. Run GPG-Validating Code in CI
- 32. Prevent History Rewrites 32 1. Prevent Force Pushes to Master Branch 2. Backup Git Repositories
- 33. Prevent Removal of Security Features 33 1. Configure Git Provider with Infrastructure as Code 2. Monitor Git Provider’s Audit Logs 3. Verify Commits to Master
- 34. Don’t use deprecated software 34
- 35. snyk.io 35
- 36. snyk.io Do You Know Which Dependencies You Have?
- 37. snyk.io Your App
- 39. snyk.io Each Dependency Is A Security Risk
- 40. snyk.io Direct Deps only All Deps (410!) What is NPM Inception? Package within a package within a package?
- 41. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if its developers have any Security Expertise?
- 42. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if it underwent any Security Testing?
- 43. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if it has any Known Vulnerabilities?
- 45. Get in touch [email protected] [email protected] @fractallambda @sjmaple 45 Thank you Back to you, Sonja!