Cloud Native Night, July 2020, online: Talk by Dr. Michael Adersberger (Full Stack Developer at Syncier Cloud)
GitOps has turned out to be a very appealing concept for managing your Kubernetes cluster(s), in particular with respect to security & compliance. We are now past the first enthusiasm, at the point where day-2 challenges as well as success stories can be told. With this knowledge we can discuss why we still think GitOps is an amazing concept, what its limitations are, and in particular how many dedicated solutions are needed to get your applications running.
We will also demonstrate how we address some of the pains that come with GitOps and how to make your Information Security Officer happy.
About Michael:
Michael Adersberger is a Full-Stack Developer at Syncier Cloud and has wide experience as a speaker at national and international conferences and workshops. He obtained his Ph.D. in Physics at the Ludwig-Maximilians University Munich as an associated scientist at CERN. During that time he had to deal with several hundred PB of data, analyzing them for the smallest hints of new physics. This aroused his enthusiasm for cloud computing that follows the highest security standards.
5. Karl Heinz, Information Security Officer (ISO)
… can you:
1. … track who has changed what and when in your cluster?
2. … ensure only reviewed changes are rolled out?
3. … roll back in case of problems?
4. … avoid complicated role management?
5. … ensure your cluster state does not drift away?
9. GitOps in a nutshell
1. Fully declarative description of the entire system as code (infrastructure, deployments, policies, …)
2. Under version control
3. Synced with the cluster
11. GitOps in practice
[Diagram: DevOps opens a PR against Git, Git is synced to K8s. Controls shown: signed commits, branch protection, DevOps review, read-only git history]
12. GitOps in practice
1. … track who has changed what and when in your cluster?
2. … ensure only reviewed changes are rolled out?
3. … roll back in case of problems?
4. … avoid complicated role management?
5. … ensure your cluster state does not drift away?
14. Push vs. Pull
[Diagram: PUSH: a CI/CD tool pipeline pushes into the K8s cluster; vs. PULL: an operator inside the K8s cluster watches the repo & syncs]
15. Push vs. Pull
PUSH
+ re-use existing pipelines
+ bullet-proven tooling
+ very flexible
- system drifting away
- admin credentials needed in pipeline
PULL
+ regular sync
+ credentials do not have to leave the cluster
+ separation CI - CD
- new setup/concept
- rather new operators/tools
16. Single point of truth vs. config@Application
[Diagram: version control vs. cluster. Left: full config in one repo (App A, App B, App C); right: config@application, where each of Application A, B and C carries its own config]
17. Single point of truth vs. config@Application
Single point of truth
+ full history in one repo
+ easy roll-back
- keeping several repos aligned
- updates in many repositories
Config@Application
+ easier staging
+ just values/parameters for different environments
+ governance & permission
- roll-backs of several apps can be tricky
31. Always the pain with the state
• GitOps does not solve this for K8s
• no one-fits-all solution in place right now
• operators are probably not yet advanced enough
• waves and hooks can do the job, partially
• your git repo is your runbook
[Diagram: DevOps opens a PR against Git, Git is synced to K8s]
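As an added illustration that is not part of the talk or of Syncier's tooling, the following Python sketch models the pull-style "watch & sync" loop from the slides above: a branch-protection style gate (signed + reviewed HEAD), drift detection between the repo's desired state and the live cluster, and roll-back by syncing to an older commit. `Commit`, `HISTORY` and `LIVE` are constructed in-memory stand-ins for a git history and a cluster, not real identifiers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Commit:
    sha: str           # constructed placeholder, not a real commit id
    author: str        # the "who" in "who changed what and when"
    signed: bool       # commit signature verified
    reviewed: bool     # merged through an approved PR (branch protection)

def gate(commit: Commit) -> bool:
    """Branch-protection style gate: only signed and reviewed commits are synced."""
    return commit.signed and commit.reviewed

def drift(desired: dict, live: dict) -> list:
    """Compare desired (git) with live (cluster) state; list what a pull operator would do."""
    actions = []
    for name, spec in desired.items():
        if name not in live:
            actions.append(("create", name))
        elif live[name] != spec:
            actions.append(("update", name))      # e.g. replicas changed by hand
    for name in live:
        if name not in desired:
            actions.append(("delete", name))      # workload applied outside of git
    return sorted(actions)

def reconcile(commit: Commit, desired: dict, live: dict):
    """One 'watch & sync' iteration; returns (new live state, actions applied)."""
    if not gate(commit):
        return live, []                           # unsigned/unreviewed HEAD: cluster untouched
    actions = drift(desired, live)
    return {k: dict(v) for k, v in desired.items()}, actions

def sync_to(history: list, live: dict, back: int = 0):
    """Sync the cluster to HEAD (back=0) or roll back to an older commit (back=n)."""
    commit, desired = history[-1 - back]
    return reconcile(commit, desired, live)

# Constructed repo history, oldest first: (commit, manifests held at that commit).
HISTORY = [
    (Commit("c0ffee1", "alice", True, True), {"web": {"image": "web:1.0", "replicas": 2}}),
    (Commit("c0ffee2", "bob", True, True), {"web": {"image": "web:1.1", "replicas": 2}}),
    (Commit("c0ffee3", "mallory", False, False), {"web": {"image": "web:9.9", "replicas": 2}}),
]
# Constructed live cluster that has drifted: replicas bumped by hand, extra pod applied directly.
LIVE = {"web": {"image": "web:1.0", "replicas": 5}, "debug-shell": {"image": "busybox"}}
```

Syncing to HEAD leaves the cluster untouched because the last commit fails the gate, while `sync_to(HISTORY, LIVE, 1)` rolls back to the last reviewed commit and undoes both drifts.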
33. Summary
• GitOps ensures security & compliance measures out-of-the-box
• there is not one way to GitOps
• It's a change of mindset in many ways: allow that change
• Syncier is delivering Professional and Managed Services with focus on regulated enterprises
cloud@syncier.com
https://www.linkedin.com/company/syncier-gmbh
https://www.syncier.com
we're hiring!