Cloud Native Night, July 2020, online: Talk by Dr. Michael Adersberger (Full Stack Developer at Syncier Cloud) === Please download slides if blurred! === GitOps has turned out to be a very appealing concept to manage your Kubernetes cluster(s) in particular with respect to security & compliance. We are now in the state right after the first enthusiasm where the day 2 challenges but also success stories can be told. Now with this knowledge we can discuss why we still think GitOps is an amazing concept, what are the limitations and in particular how many dedicated solutions are needed to get your applications running. We will also demonstrate how we address some of the pains that are coming with GitOps and how to make your Information Security Officer happy. About Michael: Michael Adersberger is Full-Stack Developer at Syncier Cloud and has a wide experience as a speaker at national and international conferences and workshops. He has obtained his Ph.D. in Physics at the Ludwig-Maximilians University Munich being an associated scientist at CERN. During that time he had to deal with several 100 PB of data and analyzing them for the smallest hints for new physics. This rouse his enthusiasm for cloud computing following the highest security standards.

1. GitOps
Pain ‘n Gain
Dr. Michael Adersberger
michael.adersberger@syncier.com

2. Karl Heinz,
Information Security Officer ISO

3. MICHI !!!
We have several
requirements on our
cloud stack regarding
Security&Compliance
...
Karl Heinz,
Information Security Officer ISO

4. Dr. Michael Adersberger,
Full-stack Developer, Syncier Cloud
michael.adersberger@syncier.com

5. Karl Heinz,
Information Security Officer ISO
1. … track who has changed
what and when in your
cluster?
2. … ensure only reviewed
changes are rolled-out?
3. … roll-back in case of
problems?
4. … avoid complicated role
management?
5. … ensure your cluster-state
does not drift away?
… can you:

7. Michi,
GitOps enthusiast
YES,
GitOps can!

8. GitOps
in a nutshell

9. GitOps in a nutshell
9GitOps in a nutshell
1. Fully declarative description of
entire system as code
(Infrastructure, Deployments,
policies…)
2. Under version control
3. Synced with cluster

10. GitOps in practice
10GitOps in practice
Git K8s
DevOps
syncPR

11. GitOps in practice
11GitOps in practice
Git K8s
DevOps
syncPR
signed
commits
branch
protection
DevOps
review
git
history
read only

12. GitOps in practice
12GitOps in practice
1. … track who has changed what when
in your cluster?
2. … ensure only reviewed changes are
rolled-out?
3. … roll-back in case of problems?
4. … avoid complicated role
management?
5. … ensure your cluster-state does not
drift away?

13. GitOps
in practice

14. Push vs. Pull
14Push vs. Pull
cluster
cluster
Operator
watch&sync
pipeline
PUSH
PULL
K8s-cluster
K8s-cluster
vs.
CI/CD tool

15. Push vs. Pull
15Push vs. Pull
PUSH PULL
+ re-use existing pipelines
+ bullet proven tooling
+ very flexible
- system drifting away
- admin credentials needed
in pipeline
+ regular sync
+ credentials do not have to
leave the cluster pipeline
+ separation CI - CD
- new setup/concept
- rather new operators/tools

16. Single point of truth vs. config@Application
16Version control
cluster
Application A
Application B
Application C
App A
App B
App C
full config in one repo config@application
App A
App B
App C

17. Single point of truth vs. config@Application
17Push vs. Pull
Single point of truth Config@Application
+ full history in one repo
+ easy roll-back
- keeping several repos aligned
- updates in many repositories
+ easier staging
+ just values/parameters for
different environments
+ governance & permission
- roll-backs of several apps
can be tricky

18. Sealed secrets
18Sealed secrets
Operator
watch&sync
K8s-cluster
SealedSecret
SealedSecret
Controller
Secret
private
KubeSeal
SealedSecret
Secret
public
How to deal
with secrets?

19. GitOps
day2 experience

20. Manifest validation
20Manifest validation
Fail early

21. Manifest validation
21Manifest validation
How to
boost&secure?
K8s-cluster

22. Manifest validation
22Manifest validation
How to
boost&secure?
K8s-cluster
Open Policy Agent

23. Open Policy Agent
23Open Policy Agent
● High-level declarative language (Rego)
● Json validation in context
● Use cases:
○ Security => avoid potential vulnerabilities
■ e.g. Ingress only with TLS
○ Effectivity => reduced mistakes = reduce #PRs
■ e.g. Reject colliding Ingresses
Open Policy Agent

24. Open Policy Agent
24Open Policy Agent
cluster
K8s-cluster
OPA Gatekeeper
ValidatingWebhook
API server
validate
policies
policies
Open Policy Agent

25. Open Policy Agent
25Open Policy Agent
cluster
Syncier Cloud
Cockpit
policies
Open Policy Agent
webhook
feedback

26. Manifest validation
26Manifest validation
Development the
GitOps way

27. Open Policy Agent
27Open Policy Agent
Git sync
playground
cluster
drop master
protection
IDE commit
master

28. Manifest validation
28Manifest validation
50 shades of GitOps

29. Open Policy Agent
29Open Policy Agent
cluster
repo
sync
dev cluster
drop PR
review
requirement
pipeline
Appliciation
Code Repo
Image
Registry
create
+
merge
PR

30. Manifest validation
30Manifest validation
State & K8s

31. Allways the pain with the state
31Allways the pain with the state
● GitOps does not solve this for K8s
● no one fits all solution in place right now
○ operators are probably not yet advanced enough
○ waves and hooks can do the job - partially
○ your git-repo is your runbook
Git K8s
DevOps
syncPR

32. Time for a
DEMONSTRATION

33. Summary
33Allways the pain with the state
● GitOps ensures security & compliance measures
out-of-the-box
● there is not one way to GitOps
● It’s a change of mindset in many ways - allow that change
● Syncier is delivering Professional and Managed Services
with focus on regulated enterprises
cloud@syncier.com
https://www.linkedin.com/company/syncier-gmbh
https://www.syncier.com
we're hiring!

34. You are happy,
When your ISO is happy!