SlideShare ist ein Scribd-Unternehmen logo
1 von 38
Downloaden Sie, um offline zu lesen
2021 | intellias.com
is the best modern practice for CD with Kubernetes
GitOps approach
by Volodymyr Shynkar
Senior Lead DevOps Engineer
#!/BIN/ABOUT_ME
Volodymyr Shynkar
Senior Lead DevOps Engineer at Intellias
6+ years of commercial DevOps experience. Overall 8+ years of Engineering
Successfully migrated, rolled out, consulted over 15 projects in the healthcare,
gambling, automotive, e-commerce industries
Member of the Center of Excellence
Lead of the CCI team in the automotive segment
Certified SAFe Agile Software Engineer
Addicted to IoT and Smart Home
Cyclist, promoter of a healthy lifestyle
Contents
01
Introducing to GitOps
02
The Principles of GitOps
03
Secure your pipeline
04
CD - Why? How?
01
Introducing to GitOps
GitOps is
An evolution of infrastructure as code, a framework
that can drastically improve deployment speed and
development efficiency.
GitOps is…
v An operations model for building Cloud Native apps
GitOps is…
v An operations model for building Cloud Native apps
v Based on years of operations experience
GitOps is…
v An operations model for building Cloud Native apps
v Based on years of operations experience
v A set of principles
GitOps is…
v An operations model for building Cloud Native apps
v Based on years of operations experience
v A set of principles
v A way to speed up your team
GitOps is…
v An operations model for building Cloud Native apps
v Based on years of operations experience
v A set of principles
v A way to speed up your team
v GitOps applies to everything
v Config is a code
v Code must be version controlled
v Config must be version controlled too!
02
The Principles of GitOps
The Principles of GitOps
The entire system is described
declaratively
The canonical desired system
state is versioned in git
Approved changes can be
automatically applied to the
system
Software agents
ensure correctness and alert
on divergence
Benefits from GitOps
Productivity Enhanced Experience Stability
• Allows for simplified continuous
delivery, which lowers the
“Mean Time to Deployment”
• Increases overall development
output 2-3 times.
• Pushes code and not containers.
• Manages Kubernetes resources
without having to know the internal
of Kubernetes.
• Automatically gains a convenient
audit log of all cluster changes
outside of Kubernetes.
• Always kept in sync
Benefits from GitOps
Reliability Consistency Security / Audit
• In case of a problem, rollback is as easy as
revert commit in Git. Single source of
truth simplifies the process and reduces
delays
• One entry point for changes. Everything
is driven through commits in a Git
repository. Everything is described at one
place (Single pane of glass). PR - Review –
Merge – Apply
• Leveraging Git build-in security and
signature. Allows for easy tracking of
changes and their approvals
Three pillars of GitOps
Pipelines Observability
• Continuous Integration
• Continuous Deployment
• Release Automation
Git as a source of truth
for desired system state
• Monitoring
• Logging
• Tracing & Visualization
Holistic view of the real
system state “right now”
• Everything via Git (updates, policy,
security)
• Orchestration
• Diff and Sync
Automation is Convergence
Control
03
Secure your pipeline
Move the burden of security
Move from access to cluster to access to repository!
…So how to secure your repository?
It seems to be a fashion these days to share
your deepest secrets with everyone.
v Third party companies who want an admin
access to your cloud env or prod cluster
v Third party (opensource) repositories/providers
v Outdated software or plugins used on dev
workstation or on CI server.
v Shared space/server with other teams
Sharing is not caring
What is solution for this?
v Move humans as far away from that final
production deployment as possible
v Statically analyse everything
v Run through multiple layers of checks
v Have individuals sign off the change, but not
modify the change that goes through
v All above are fundamentally based on using git
as the basis for everything
Root Causes of Unplanned Outages
Source: https://www.ecmweb.com/power-quality-reliability/article/20900947/data-center-outage-costs-continue-to-rise
The OWASP project lists ten principles that should
be applied when designing secure applications:
v Minimize attack surface area
v Establish secure defaults
v Principle of Least privilege
v Principle of Defence in depth
v Fail securely
v Don’t trust services
v Separation of duties
v Avoid security by obscurity
v Keep security simple
v Fix security issues correctly
Security By Design
Source: https://wiki.owasp.org/index.php/Security_by_Design_Principles#Minimize_attack_surface_area
Threats:
v Git users can impersonate each other
• Mitigation: Enforce strong identity in VCS with GPG
Signed Commits
v Malicious user rewrites history
• Mitigation: Prevent force pushes to Master/Main branch
• Mitigation: Backup Git repositories
v Malicious user removes security features
• Mitigation: Configure Git provider with IaC
• Mitigation: Verify commits to Master/Main
Continuous Deployment and Continuous Security
Source: https://www.ecmweb.com/power-quality-reliability/article/20900947/data-center-outage-costs-continue-to-rise
v Everyone on the team can easily pull the deploy
secrets
v To pull the secrets out you just need to push changes
to a branch that print out the environment variables
during a job run, or POST them to an endpoint
v In the above scenario, compromising a single
engineer is enough to gain access to production
through the CI.
Free-for-all secrets
What is solution for this?
v Paper/USB/CDR two fireproof safes?
v Vault (or actually Consul)?
Where do I version control my secrets?
What is solution for this?
v Sealed Secrets (a Kubernetes controller and a
tool for one-way encrypted Secrets):
https://github.com/bitnami-labs/sealed-secrets
v Git Crypt - transparent file encryption in git:
https://www.agwa.name/projects/git-crypt/
Where do I version control my secrets?
Sealed Secrets as templates for secrets
Sealed Secrets as templates for secrets
The controller will unseal that into something like:
04
CD - Why? How?
Two ways to GitOps
• There are two ways to implement the deployment
strategy for GitOps:
Push-based and Pull-based.
The push-based CD
The push-based strategy is much closer to the classic deployment pipelines and
also easier to implement.
Main components of such infrastructure are:
v repository with configuration
v automation tool
v target environment
Questions to ask include:
• Does your CI environment have direct access to the
container image repository?
• Does your CI environment have direct access to the
production cluster?
The push-based CD
The push-based strategy is much closer to the classic deployment pipelines and
also easier to implement.
Main components of such infrastructure are:
v repository with configuration
v automation tool
v target environment
The pull-based CD
The pull-based GitOps strategy is mostly used for Kubernetes environments
because this approach requires unusual tooling
Main components of such infrastructure are:
v repository with configuration
v automation tool
v target environment with an agent inside
Multicluster architecture
The App of Apps pattern:
• The Application is the Kubernetes resource
representing a deployed application in an
environment.
Two key pieces of information define it:
• source reference to the desired state in Git
• destination reference to the target cluster and namespace
• Create an app that creates other apps — which, in its
turn, can create different apps.
• This allows you to declaratively manage a group of
applications that can be deployed and configured in
concert.
Source: https://argoproj.github.io/argo-cd/operator-manual/architecture/
ArgoCD CRD
You must add the finalizer if you want to perform a cascade resource deletion
A minimal Application spec is as follows:
ArgoCD CRD
The AppProject is the Kubernetes resource object of a logical grouping of applications.
clusterResourceWhitelist – Specify which cluster-scoped resources can be created
namespaceResourceBlacklist – Specify which namespaced-scoped resources can be created
namespaceResourceWhitelist - Specify which namespaced-scoped resources cannot be created
Demo time
Questions?
2021 | intellias.com
Thank you!
by Volodymyr Shynkar
Senior Lead DevOps Engineer
https://www.linkedin.com/in/vshynkar/
https://github.com/sqerison

Weitere ähnliche Inhalte

Was ist angesagt?

The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps Toolkit
Weaveworks
 
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
Simplilearn
 

Was ist angesagt? (20)

Meetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOpsMeetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOps
 
GitOps w/argocd
GitOps w/argocdGitOps w/argocd
GitOps w/argocd
 
ArgoCD Meetup PPT final.pdf
ArgoCD Meetup PPT final.pdfArgoCD Meetup PPT final.pdf
ArgoCD Meetup PPT final.pdf
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
 
GitOps - Operation By Pull Request
GitOps - Operation By Pull RequestGitOps - Operation By Pull Request
GitOps - Operation By Pull Request
 
The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps Toolkit
 
CI:CD in Lightspeed with kubernetes and argo cd
CI:CD in Lightspeed with kubernetes and argo cdCI:CD in Lightspeed with kubernetes and argo cd
CI:CD in Lightspeed with kubernetes and argo cd
 
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
 
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
 
Cloud Native Apps with GitOps
Cloud Native Apps with GitOps Cloud Native Apps with GitOps
Cloud Native Apps with GitOps
 
CD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfCD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdf
 
Continuous Integration/Deployment with Gitlab CI
Continuous Integration/Deployment with Gitlab CIContinuous Integration/Deployment with Gitlab CI
Continuous Integration/Deployment with Gitlab CI
 
Continuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteContinuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event Keynote
 
GitOps with Gitkube
GitOps with GitkubeGitOps with Gitkube
GitOps with Gitkube
 
Introducing GitLab (June 2018)
Introducing GitLab (June 2018)Introducing GitLab (June 2018)
Introducing GitLab (June 2018)
 
Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)
 
Terraform GitOps on Codefresh
Terraform GitOps on CodefreshTerraform GitOps on Codefresh
Terraform GitOps on Codefresh
 
The journey to GitOps
The journey to GitOpsThe journey to GitOps
The journey to GitOps
 
Get started with gitops and flux
Get started with gitops and fluxGet started with gitops and flux
Get started with gitops and flux
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 

Ähnlich wie GitOps is the best modern practice for CD with Kubernetes

Ähnlich wie GitOps is the best modern practice for CD with Kubernetes (20)

Automated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes ClustersAutomated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
 
Stop Caring About Kubernetes
Stop Caring About KubernetesStop Caring About Kubernetes
Stop Caring About Kubernetes
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
 
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
 
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOpsHybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps
 
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOpsHybrid and Multi-Cloud Strategies for Kubernetes with GitOps
Hybrid and Multi-Cloud Strategies for Kubernetes with GitOps
 
Weave GitOps - continuous delivery for any Kubernetes
Weave GitOps - continuous delivery for any KubernetesWeave GitOps - continuous delivery for any Kubernetes
Weave GitOps - continuous delivery for any Kubernetes
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
 
Ondat komodor webinar
Ondat komodor webinarOndat komodor webinar
Ondat komodor webinar
 
Journey Through Four Stages of Kubernetes Deployment Maturity
Journey Through Four Stages of Kubernetes Deployment MaturityJourney Through Four Stages of Kubernetes Deployment Maturity
Journey Through Four Stages of Kubernetes Deployment Maturity
 
Enabling Fast IT using Containers, Microservices and DAVROS models: an overview
Enabling Fast IT using Containers, Microservices and DAVROS models: an overviewEnabling Fast IT using Containers, Microservices and DAVROS models: an overview
Enabling Fast IT using Containers, Microservices and DAVROS models: an overview
 
Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
 Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ... Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
 
DX, Guardrails, Golden Paths & Policy in Kubernetes
DX, Guardrails, Golden Paths & Policy in KubernetesDX, Guardrails, Golden Paths & Policy in Kubernetes
DX, Guardrails, Golden Paths & Policy in Kubernetes
 
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
 
OpenNfv Talk On Kubernetes and Network Function Virtualization
OpenNfv Talk On Kubernetes and Network Function VirtualizationOpenNfv Talk On Kubernetes and Network Function Virtualization
OpenNfv Talk On Kubernetes and Network Function Virtualization
 
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsDeploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
 
2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your Business2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your Business
 
CI/CD on Google Cloud Platform
CI/CD on Google Cloud PlatformCI/CD on Google Cloud Platform
CI/CD on Google Cloud Platform
 
[WSO2Con EU 2017] Continuous Integration, Delivery and Deployment: Accelerate...
[WSO2Con EU 2017] Continuous Integration, Delivery and Deployment: Accelerate...[WSO2Con EU 2017] Continuous Integration, Delivery and Deployment: Accelerate...
[WSO2Con EU 2017] Continuous Integration, Delivery and Deployment: Accelerate...
 
Kubernetes Cheatsheet
Kubernetes CheatsheetKubernetes Cheatsheet
Kubernetes Cheatsheet
 

Kürzlich hochgeladen

Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Christo Ananth
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
rknatarajan
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Dr.Costas Sachpazis
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
Tonystark477637
 

Kürzlich hochgeladen (20)

Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Vivazz, Mieres Social Housing Design Spain
Vivazz, Mieres Social Housing Design SpainVivazz, Mieres Social Housing Design Spain
Vivazz, Mieres Social Housing Design Spain
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
UNIT-IFLUID PROPERTIES & FLOW CHARACTERISTICS
UNIT-IFLUID PROPERTIES & FLOW CHARACTERISTICSUNIT-IFLUID PROPERTIES & FLOW CHARACTERISTICS
UNIT-IFLUID PROPERTIES & FLOW CHARACTERISTICS
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 

GitOps is the best modern practice for CD with Kubernetes

  • 1. 2021 | intellias.com is the best modern practice for CD with Kubernetes GitOps approach by Volodymyr Shynkar Senior Lead DevOps Engineer
  • 2. #!/BIN/ABOUT_ME Volodymyr Shynkar Senior Lead DevOps Engineer at Intellias 6+ years of commercial DevOps experience. Overall 8+ years of Engineering Successfully migrated, rolled out, consulted over 15 projects in the healthcare, gambling, automotive, e-commerce industries Member of the Center of Excellence Lead of the CCI team in the automotive segment Certified SAFe Agile Software Engineer Addicted to IoT and Smart Home Cyclist, promoter of a healthy lifestyle
  • 3. Contents 01 Introducing to GitOps 02 The Principles of GitOps 03 Secure your pipeline 04 CD - Why? How?
  • 5. GitOps is An evolution of infrastructure as code, a framework that can drastically improve deployment speed and development efficiency.
  • 6. GitOps is… v An operations model for building Cloud Native apps
  • 7. GitOps is… v An operations model for building Cloud Native apps v Based on years of operations experience
  • 8. GitOps is… v An operations model for building Cloud Native apps v Based on years of operations experience v A set of principles
  • 9. GitOps is… v An operations model for building Cloud Native apps v Based on years of operations experience v A set of principles v A way to speed up your team
  • 10. GitOps is… v An operations model for building Cloud Native apps v Based on years of operations experience v A set of principles v A way to speed up your team v GitOps applies to everything v Config is a code v Code must be version controlled v Config must be version controlled too!
  • 12. The Principles of GitOps The entire system is described declaratively The canonical desired system state is versioned in git Approved changes can be automatically applied to the system Software agents ensure correctness and alert on divergence
  • 13. Benefits from GitOps Productivity Enhanced Experience Stability • Allows for simplified continuous delivery, which lowers the “Mean Time to Deployment” • Increases overall development output 2-3 times. • Pushes code and not containers. • Manages Kubernetes resources without having to know the internal of Kubernetes. • Automatically gains a convenient audit log of all cluster changes outside of Kubernetes. • Always kept in sync
  • 14. Benefits from GitOps Reliability Consistency Security / Audit • In case of a problem, rollback is as easy as revert commit in Git. Single source of truth simplifies the process and reduces delays • One entry point for changes. Everything is driven through commits in a Git repository. Everything is described at one place (Single pane of glass). PR - Review – Merge – Apply • Leveraging Git build-in security and signature. Allows for easy tracking of changes and their approvals
  • 15. Three pillars of GitOps Pipelines Observability • Continuous Integration • Continuous Deployment • Release Automation Git as a source of truth for desired system state • Monitoring • Logging • Tracing & Visualization Holistic view of the real system state “right now” • Everything via Git (updates, policy, security) • Orchestration • Diff and Sync Automation is Convergence Control
  • 17. Move the burden of security Move from access to cluster to access to repository! …So how to secure your repository?
  • 18. It seems to be a fashion these days to share your deepest secrets with everyone. v Third party companies who want an admin access to your cloud env or prod cluster v Third party (opensource) repositories/providers v Outdated software or plugins used on dev workstation or on CI server. v Shared space/server with other teams Sharing is not caring
  • 19. What is solution for this? v Move humans as far away from that final production deployment as possible v Statically analyse everything v Run through multiple layers of checks v Have individuals sign off the change, but not modify the change that goes through v All above are fundamentally based on using git as the basis for everything Root Causes of Unplanned Outages Source: https://www.ecmweb.com/power-quality-reliability/article/20900947/data-center-outage-costs-continue-to-rise
  • 20. The OWASP project lists ten principles that should be applied when designing secure applications: v Minimize attack surface area v Establish secure defaults v Principle of Least privilege v Principle of Defence in depth v Fail securely v Don’t trust services v Separation of duties v Avoid security by obscurity v Keep security simple v Fix security issues correctly Security By Design Source: https://wiki.owasp.org/index.php/Security_by_Design_Principles#Minimize_attack_surface_area
  • 21. Threats: v Git users can impersonate each other • Mitigation: Enforce strong identity in VCS with GPG Signed Commits v Malicious user rewrites history • Mitigation: Prevent force pushes to Master/Main branch • Mitigation: Backup Git repositories v Malicious user removes security features • Mitigation: Configure Git provider with IaC • Mitigation: Verify commits to Master/Main Continuous Deployment and Continuous Security Source: https://www.ecmweb.com/power-quality-reliability/article/20900947/data-center-outage-costs-continue-to-rise
  • 22. v Everyone on the team can easily pull the deploy secrets v To pull the secrets out you just need to push changes to a branch that print out the environment variables during a job run, or POST them to an endpoint v In the above scenario, compromising a single engineer is enough to gain access to production through the CI. Free-for-all secrets
  • 23. What is solution for this? v Paper/USB/CDR two fireproof safes? v Vault (or actually Consul)? Where do I version control my secrets?
  • 24. What is solution for this? v Sealed Secrets (a Kubernetes controller and a tool for one-way encrypted Secrets): https://github.com/bitnami-labs/sealed-secrets v Git Crypt - transparent file encryption in git: https://www.agwa.name/projects/git-crypt/ Where do I version control my secrets?
  • 25. Sealed Secrets as templates for secrets
  • 26. Sealed Secrets as templates for secrets The controller will unseal that into something like:
  • 27. 04 CD - Why? How?
  • 28. Two ways to GitOps • There are two ways to implement the deployment strategy for GitOps: Push-based and Pull-based.
  • 29. The push-based CD The push-based strategy is much closer to the classic deployment pipelines and also easier to implement. Main components of such infrastructure are: v repository with configuration v automation tool v target environment
  • 30. Questions to ask include: • Does your CI environment have direct access to the container image repository? • Does your CI environment have direct access to the production cluster?
  • 31. The push-based CD The push-based strategy is much closer to the classic deployment pipelines and also easier to implement. Main components of such infrastructure are: v repository with configuration v automation tool v target environment
  • 32. The pull-based CD The pull-based GitOps strategy is mostly used for Kubernetes environments because this approach requires unusual tooling Main components of such infrastructure are: v repository with configuration v automation tool v target environment with an agent inside
  • 33. Multicluster architecture The App of Apps pattern: • The Application is the Kubernetes resource representing a deployed application in an environment. Two key pieces of information define it: • source reference to the desired state in Git • destination reference to the target cluster and namespace • Create an app that creates other apps — which, in its turn, can create different apps. • This allows you to declaratively manage a group of applications that can be deployed and configured in concert. Source: https://argoproj.github.io/argo-cd/operator-manual/architecture/
  • 34. ArgoCD CRD You must add the finalizer if you want to perform a cascade resource deletion A minimal Application spec is as follows:
  • 35. ArgoCD CRD The AppProject is the Kubernetes resource object of a logical grouping of applications. clusterResourceWhitelist – Specify which cluster-scoped resources can be created namespaceResourceBlacklist – Specify which namespaced-scoped resources can be created namespaceResourceWhitelist - Specify which namespaced-scoped resources cannot be created
  • 38. 2021 | intellias.com Thank you! by Volodymyr Shynkar Senior Lead DevOps Engineer https://www.linkedin.com/in/vshynkar/ https://github.com/sqerison