Continuous Security for GitOps
April 2019 Webinar
Brice Fernandes – brice@weave.works – @fractallambda
About Weaveworks
● Building cloud-native OSS and commercial products since 2014 (Weave Net, Moby, Kubernetes, Prometheus)
● Founding member of CNCF
● Weave Cloud runs on Kubernetes since 2015
● We developed “GitOps” - more later!
● Kubernetes support subscriptions, training and consulting
Typical CICD pipeline
[Diagram: a typical CI/CD pipeline. Components: Dev, Code Repo, CI (Continuous Integration), Container Registry (CR), Cluster API (Continuous Delivery/Deployment). Credential labels on the edges: Git creds, CI creds, CR creds1, CR creds2, CR creds3, API creds, each marked RO or RW, with a logical security boundary drawn through the pipeline.]
Shares credentials across several logical security boundaries.
The GitOps Model
GitOps is...
An operation model
Derived from CS and operation knowledge
Technology agnostic (name notwithstanding)
A set of principles (Why instead of How) - although Weaveworks can help with how
A way to speed up your team
1 The entire system is described declaratively.
Beyond code, data ⇒
Implementation independent
Easy to abstract in simple ways
Easy to validate for correctness
Easy to generate & manipulate from code
2 The canonical desired system state is versioned (with Git)
Canonical Source of Truth (DRY)
With declarative definition, trivialises rollbacks
Excellent security guarantees for auditing
Sophisticated approval processes (& existing workflows)
Great Software ↔ Human collaboration point
3 Approved changes to the desired state are automatically applied to the system
Significant velocity gains
Privileged operators don’t cross security boundaries
Separates What and How.
4 Software agents ensure correctness and alert on divergence
Continuously checking that desired state is met
System can self heal
Recovers from errors without intervention (PEBKAC)
It’s the control loop for your operations
1 The entire system is described declaratively.
2 The canonical desired system state is versioned (with Git)
3 Approved changes to the desired state are automatically applied to the system
4 Software agents ensure correctness and alert on divergence
[Diagram: the GitOps control loop. People commit to the canonical source of truth; software agents reconcile the running system against it and report back.]
GitOps pipeline
[Diagram: Dev pushes to the Code Repo with Git creds; CI builds and pushes to the Container Registry using CI creds and CR creds1; a Deploy step updates the Config Repo using CR creds2 and Config repo creds; an Operator inside the cluster holds the Cluster API creds and CR creds3 and reads the Config Repo. Each credential is marked RO or RW on its own edge only. The same diagram is repeated on the following four slides with overlay captions whose text did not survive extraction.]
Credentials are never shared across a logical security boundary.
Secure your GitOps pipeline
Moving the burden of security
Move from access to cluster to access to repository.
...So how to secure your repository?
Securing your repositories
Thank you
Over to you Andy
brice@weave.works
@fractallambda
Hardening Git for GitOps
@sublimino and @controlplaneio
I’m:
- Andy
- Dev-like
- Sec-ish
- Ops-y
Everything as Code
Applications, infrastructure, and security as code... are deployed as code. Who protects that code?
Why Git?
How Git Works
● Git operates as a Merkle tree.
● SHA-1 was considered broken for security purposes and deprecated by NIST in 2011
● The Shattered attack pads data to collide two SHA-1 hashes, which could be used to overwrite existing trusted commits with malicious code
● Git v2.13.0 moved to a hardened SHA-1 implementation which isn't vulnerable to this attack.
● (for a deep dive see Ian Miell’s excellent Learn Git the Hard Way)
Source: https://www.ecmweb.com/power-quality/data-center-outage-costs-continue-rise
What is Continuous Security?
● Infrastructure as Code
● Security as Code
● Continuous Delivery
Veracity and Provenance
Threat #1: Git Users Can Impersonate Each Other
https://github.com/jayphelps/git-blame-someone-else/commit/e5cfe4bb2190a2ae406d5f0b8f49c32ac0f01cd7
● Mitigation: Enforce Strong Identity in VCS (GitHub/GitLab) with GPG Signed Commits
● Physical GPG Keys increase security
● Mitigation: Run GPG-Validating Code in CI
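The "GPG-validating code in CI" mitigation, as an added example that is not from the webinar or from Weaveworks/ControlPlane: a gate that reads the signature status git reports for each commit (`git log --format='%H %G? %GF'`, documented in git-log(1)) and fails the build unless every commit carries a good signature from an allow-listed key fingerprint. The allow-list contents, the sample log lines and the `%G?` codes accepted (G, and U for a good signature whose key has no ownertrust set in the CI keyring) are the assumptions here; the fingerprint allow-list, not gpg's trust database, is what makes the decision.

```python
"""CI gate that rejects unsigned or untrusted commits (added example)."""
from __future__ import annotations

import subprocess
import sys
from dataclasses import dataclass
from typing import List, Set

# %G? codes from git-log(1): G good, U good but unknown validity, B bad,
# X/Y expired signature/key, R revoked key, E cannot be checked, N unsigned.
GOOD = "G"
UNKNOWN_TRUST = "U"   # accepted only because the fingerprint allow-list decides trust
NO_SIGNATURE = "N"


@dataclass
class Verdict:
    commit: str
    status: str        # the %G? code
    fingerprint: str   # %GF; empty when there is no signature
    ok: bool
    reason: str


def check_commit(line: str, trusted: Set[str]) -> Verdict:
    """Evaluate one '<sha> <G?> [<fingerprint>]' line against the allow-list."""
    parts = line.split()
    commit, status = parts[0], parts[1]
    fingerprint = parts[2].upper() if len(parts) > 2 else ""
    if status == NO_SIGNATURE:
        return Verdict(commit, status, fingerprint, False, "unsigned")
    if status not in (GOOD, UNKNOWN_TRUST):
        return Verdict(commit, status, fingerprint, False, f"signature status {status}")
    if fingerprint not in trusted:
        return Verdict(commit, status, fingerprint, False, "key not in allow-list")
    return Verdict(commit, status, fingerprint, True, "trusted signature")


def gate(log_lines: List[str], trusted: Set[str]) -> List[Verdict]:
    """One verdict per commit; the build may proceed only if all are ok."""
    allow = {f.upper() for f in trusted}
    return [check_commit(l, allow) for l in log_lines if l.strip()]


def failures(verdicts: List[Verdict]) -> List[Verdict]:
    return [v for v in verdicts if not v.ok]


def git_log_lines(rev_range: str) -> List[str]:
    """Real input: signature status of every commit in rev_range, e.g. origin/master..HEAD."""
    out = subprocess.run(["git", "log", "--format=%H %G? %GF", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return out.splitlines()


# Constructed sample of what the git log format above prints for three commits:
# a trusted signature, an unsigned commit, and a good signature from a foreign key.
TRUSTED_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}   # assumed fingerprint
SAMPLE_LOG = [
    "1111111111111111111111111111111111111111 G 0123456789abcdef0123456789abcdef01234567",
    "2222222222222222222222222222222222222222 N",
    "3333333333333333333333333333333333333333 G FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
]

if __name__ == "__main__":
    lines = git_log_lines(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    bad = failures(gate(lines, TRUSTED_KEYS))
    for v in bad:
        print(f"REJECT {v.commit[:12]} {v.reason}")
    sys.exit(1 if bad else 0)
```

Run it as `python gate.py origin/master..HEAD` in the CI job; with no argument it evaluates the constructed sample, where only the first commit passes. Keeping the allow-list in the config repository itself means a change to the set of trusted signers goes through the same review as any other change.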
Threat #2: Malicious User Rewrites History
● When to use Force Push
● Mitigation: Prevent Force Pushes to Master Branch
● Mitigation: Backup Git Repositories
Threat #3: Malicious User Removes Security Features
● Mitigation: Configure Git Provider with Infrastructure as Code
● Mitigation: Monitor Git Provider’s Audit Logs
● Mitigation: Verify Commits to Master
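The "monitor the Git provider's audit logs" mitigation, as an added example that is not from the webinar: detection logic run over newline-delimited audit-log events in the shape GitHub exports (fields `@timestamp` in epoch milliseconds, `action`, `actor`, `repo`). It flags every event that removes or loosens a control the other mitigations depend on, then correlates them per actor so that several weakening changes inside a short window, the signature of someone dismantling protections before a push, stand out from a single reviewed change. The field names, the action names in the watch-list and the sample events are assumptions to verify against your provider's documentation.

```python
"""Audit-log detection for weakened repository protections (added example)."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Assumed action names (GitHub audit-log style); each removes or loosens a control.
WEAKENING_ACTIONS: Dict[str, str] = {
    "protected_branch.destroy": "branch protection removed",
    "protected_branch.update_admin_enforced": "admin bypass of branch protection changed",
    "protected_branch.update_pull_request_reviews_enforcement_level": "review requirement changed",
    "repo.access": "repository visibility changed",
    "org.disable_two_factor_requirement": "2FA requirement disabled",
}


def parse_events(ndjson: str) -> List[dict]:
    """Parse one JSON object per line and attach a timezone-aware datetime as 'ts'."""
    events = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)
        events.append(e)
    return events


def find_weakening(events: List[dict]) -> List[dict]:
    """Every event whose action is on the watch-list, in timestamp order."""
    return sorted((e for e in events if e["action"] in WEAKENING_ACTIONS), key=lambda e: e["ts"])


def burst_by_actor(alerts: List[dict], window: timedelta = timedelta(minutes=10),
                   threshold: int = 2) -> Set[str]:
    """Actors with at least `threshold` weakening events inside one sliding window."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for e in sorted(alerts, key=lambda e: e["ts"]):
        times[e["actor"]].append(e["ts"])
    bursting = set()
    for actor, ts in times.items():
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                bursting.add(actor)
                break
    return bursting


def alert_lines(events: List[dict]) -> List[str]:
    """Human-readable alerts, one per weakening event, burst actors marked."""
    alerts = find_weakening(events)
    bursting = burst_by_actor(alerts)
    return [
        f"{e['ts'].isoformat()} {e['actor']:<8} {e['repo']:<12} "
        f"{WEAKENING_ACTIONS[e['action']]}" + ("  [BURST]" if e["actor"] in bursting else "")
        for e in alerts
    ]


# Constructed sample export: five events on one April 2019 morning.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"@timestamp": 1554112800000, "action": "protected_branch.create", "actor": "alice", "repo": "acme/config"},
    {"@timestamp": 1554112860000, "action": "protected_branch.destroy", "actor": "carol", "repo": "acme/config"},
    {"@timestamp": 1554112920000, "action": "repo.access", "actor": "carol", "repo": "acme/config"},
    {"@timestamp": 1554116400000, "action": "protected_branch.update_admin_enforced", "actor": "alice", "repo": "acme/app"},
    {"@timestamp": 1554116460000, "action": "git.push", "actor": "bob", "repo": "acme/app"},
])

if __name__ == "__main__":
    for line in alert_lines(parse_events(SAMPLE_LOG)):
        print(line)
```

In the sample, carol removes branch protection and changes visibility within a minute and is marked as a burst; alice's single admin-enforcement change is reported but not escalated. Pair the detector with the infrastructure-as-code mitigation above: the IaC definition says what the protections should be, the audit log says who changed them.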
Threat #4: Old Git Client Versions Are Insecure
Attacks on Git
Teleport Attacks
● Branch Teleport Attack: A branch merge point is moved to point to a “WIP” or to a buggy code commit. This gets automerged on a developer’s pull.
● Tag Teleport Attack: A tag pointer is moved to a different place in the history and the wrong version is retrieved. For example to a previous version with known vulnerabilities.
Rollback Attacks
● Branch Rollback Attack: Critical code is omitted.
● Global Rollback Attack: Critical code is omitted.
● Effort Duplication Attack: Coding effort is increased.
Deletion Attacks
● Branch Deletion Attack: A branch is missing.
● Tag Deletion Attack: A tag is deleted.
● Mitigation: Keep Software Versions Updated
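A server-side `pre-receive` hook, as an added example that is not from the webinar, covering both the Threat #2 mitigation (no force pushes to master) and the teleport, rollback and deletion attacks in the table above. Git runs the hook on the server with one `<old-sha> <new-sha> <refname>` line per updated ref on stdin and rejects the whole push when it exits non-zero. On protected branches it refuses deletions and any non-fast-forward update (a branch teleport or rollback arrives as exactly that); for tags it refuses moving or deleting a tag that already exists. The set of protected refs is an assumption to adapt; the fast-forward test uses `git merge-base --is-ancestor`, with a constructed ancestry relation substituted so the sample runs offline.

```python
"""pre-receive hook enforcing branch and tag protections (added example)."""
from __future__ import annotations

import subprocess
import sys
from typing import Callable, List, Tuple

ZERO_SHA = "0" * 40                          # git's "ref does not exist" placeholder
PROTECTED_BRANCHES = {"refs/heads/master"}   # assumption: adjust to your repository
TAG_PREFIX = "refs/tags/"


def git_is_ancestor(old: str, new: str) -> bool:
    """True when old is reachable from new, i.e. the update is a fast-forward."""
    return subprocess.run(["git", "merge-base", "--is-ancestor", old, new]).returncode == 0


def check_update(old: str, new: str, ref: str,
                 is_ancestor: Callable[[str, str], bool] = git_is_ancestor) -> Tuple[bool, str]:
    """Decide one ref update. Returns (allowed, reason)."""
    if ref in PROTECTED_BRANCHES:
        if new == ZERO_SHA:
            return False, f"{ref}: deleting a protected branch is not allowed"
        if old != ZERO_SHA and not is_ancestor(old, new):
            return False, f"{ref}: non-fast-forward update (force push) rejected"
        return True, "fast-forward"
    if ref.startswith(TAG_PREFIX) and old != ZERO_SHA:
        # An existing tag is immutable: moving it or deleting it are both history rewrites.
        action = "deleting" if new == ZERO_SHA else "moving"
        return False, f"{ref}: {action} an existing tag is not allowed"
    return True, "unprotected ref"


def evaluate_push(lines: List[str],
                  is_ancestor: Callable[[str, str], bool] = git_is_ancestor) -> List[Tuple[str, bool, str]]:
    """Apply check_update to every stdin line; a push is accepted only if all refs pass."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        old, new, ref = line.split()
        ok, why = check_update(old, new, ref, is_ancestor)
        results.append((ref, ok, why))
    return results


# Constructed sample push and a fake ancestry relation (B descends from A only).
A, B, C, D, E, F = ("a" * 40, "b" * 40, "c" * 40, "d" * 40, "e" * 40, "f" * 40)
FAKE_ANCESTRY = {(A, B)}


def fake_is_ancestor(old: str, new: str) -> bool:
    return (old, new) in FAKE_ANCESTRY


SAMPLE_PUSH = [
    f"{A} {B} refs/heads/master",           # fast-forward: allowed
    f"{B} {C} refs/heads/master",           # C does not descend from B: force push
    f"{B} {ZERO_SHA} refs/heads/master",    # branch deletion
    f"{ZERO_SHA} {D} refs/tags/v1.0.0",     # new tag: allowed
    f"{E} {F} refs/tags/v0.9.0",            # moving an existing tag: tag teleport
    f"{ZERO_SHA} {D} refs/heads/feature/x", # unprotected branch: allowed
]

if __name__ == "__main__":
    if sys.stdin.isatty():   # run by hand: show the constructed sample
        results = evaluate_push(SAMPLE_PUSH, fake_is_ancestor)
    else:                    # run by git on the server
        results = evaluate_push(sys.stdin.readlines())
    for ref, ok, why in results:
        print(f"{'ok    ' if ok else 'REJECT'} {why}", file=sys.stderr)
    sys.exit(0 if all(ok for _, ok, _ in results) else 1)
```

Install it as `hooks/pre-receive` in the bare repository (or use the equivalent branch-protection setting on a hosted provider, which the Threat #3 slides then ask you to manage as code and monitor). The hook does not replace backups: it stops a rewrite from landing, while a backup lets you recover history that was rewritten through a path the hook does not cover.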
Further considerations
Where do I version control my secrets?
● Paper/USB/CDR and two fireproof safes?
● Vault (or actually Consul)? https://www.vaultproject.io/docs/auth/kubernetes.html
● Sealed Secrets (a Kubernetes controller and tool for one-way encrypted Secrets): https://github.com/bitnami-labs/sealed-secrets
● Git Crypt (GPG and Git integration): https://www.agwa.name/projects/git-crypt/
Further Considerations
● Restrict deployments with policy (working hours, prevent deployments to production on a Friday afternoon, or require that security teams review certain changes)
● Permitting only dedicated reviewers to merge Pull Requests can act as a change control or security review gate, with automatically generated release notes reflecting the application changes that are about to be deployed and that provide a clear picture of the changes.
● Static analysis can also be performed on the contents of the Pull Requests themselves with tools such as kubesec.io
● As part of a wider security strategy, tools like Notary, Grafeas, and in-toto prevent old Docker images from being deployed, as do Kubernetes cluster admission controllers such as Kritis and Portieris.
Persisting Configuration: Continuous Security
Thanks!
https://control-plane.io
@controlplaneio
https://www.weave.works/blog/whitepaper-hardening-git-for-gitops

Weitere ähnliche Inhalte

Was ist angesagt?

The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps Toolkit
Weaveworks
 
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison DowdneySetting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Weaveworks
 
WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?
Weaveworks
 
Preventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source SoftwarePreventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source Software
All Things Open
 

Was ist angesagt? (20)

The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps Toolkit
 
E bpf and profilers
E bpf and profilersE bpf and profilers
E bpf and profilers
 
Meetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOpsMeetup 23 - 03 - Application Delivery on K8S with GitOps
Meetup 23 - 03 - Application Delivery on K8S with GitOps
 
The journey to GitOps
The journey to GitOpsThe journey to GitOps
The journey to GitOps
 
Docker New York City: From GitOps to a scalable CI/CD Pattern for Kubernetes
Docker New York City: From GitOps to a scalable CI/CD Pattern for KubernetesDocker New York City: From GitOps to a scalable CI/CD Pattern for Kubernetes
Docker New York City: From GitOps to a scalable CI/CD Pattern for Kubernetes
 
Openshift argo cd_v1_2
Openshift argo cd_v1_2Openshift argo cd_v1_2
Openshift argo cd_v1_2
 
GitOps: Git come unica fonte di verità per applicazioni e infrastruttura
GitOps: Git come unica fonte di verità per applicazioni e infrastrutturaGitOps: Git come unica fonte di verità per applicazioni e infrastruttura
GitOps: Git come unica fonte di verità per applicazioni e infrastruttura
 
Continuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteContinuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event Keynote
 
Hands-on GitOps Patterns for Helm Users
Hands-on GitOps Patterns for Helm UsersHands-on GitOps Patterns for Helm Users
Hands-on GitOps Patterns for Helm Users
 
GitOps Toolkit (Cloud Native Nordics Tech Talk)
GitOps Toolkit (Cloud Native Nordics Tech Talk)GitOps Toolkit (Cloud Native Nordics Tech Talk)
GitOps Toolkit (Cloud Native Nordics Tech Talk)
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
 
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCDKubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD
 
Kubecon seattle 2018 workshop slides
Kubecon seattle 2018 workshop slidesKubecon seattle 2018 workshop slides
Kubecon seattle 2018 workshop slides
 
Real World CI/CD with Kubernetes
Real World CI/CD with KubernetesReal World CI/CD with Kubernetes
Real World CI/CD with Kubernetes
 
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison DowdneySetting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
 
WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?
 
Preventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source SoftwarePreventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source Software
 
Continuous Delivery NYC: From GitOps to an adaptable CI/CD Pattern for Kubern...
Continuous Delivery NYC: From GitOps to an adaptable CI/CD Pattern for Kubern...Continuous Delivery NYC: From GitOps to an adaptable CI/CD Pattern for Kubern...
Continuous Delivery NYC: From GitOps to an adaptable CI/CD Pattern for Kubern...
 
Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
 Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ... Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
Cloud Native Transformation (Alexis Richardson) - Continuous Lifecycle 2018 ...
 
GitOps - Operation By Pull Request
GitOps - Operation By Pull RequestGitOps - Operation By Pull Request
GitOps - Operation By Pull Request
 

Ähnlich wie Continuous Security for GitOps

Git Gerrit Mit Teamforge
Git Gerrit Mit TeamforgeGit Gerrit Mit Teamforge
Git Gerrit Mit Teamforge
CollabNet
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Understanding the GitOps Workflow and CICD Pipeline - What It Is, Why It Matt...
Understanding the GitOps Workflow and CICD Pipeline - What It Is, Why It Matt...Understanding the GitOps Workflow and CICD Pipeline - What It Is, Why It Matt...
Understanding the GitOps Workflow and CICD Pipeline - What It Is, Why It Matt...
Gibran Badrulzaman
 

Ähnlich wie Continuous Security for GitOps (20)

Supply chain security - Develop quickly without inviting The Nefarious.pptx
Supply chain security - Develop quickly without inviting The Nefarious.pptxSupply chain security - Develop quickly without inviting The Nefarious.pptx
Supply chain security - Develop quickly without inviting The Nefarious.pptx
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
 
K8Guard - An Auditing System For Kubernetes
K8Guard - An Auditing System For KubernetesK8Guard - An Auditing System For Kubernetes
K8Guard - An Auditing System For Kubernetes
 
Git Gerrit Mit Teamforge
Git Gerrit Mit TeamforgeGit Gerrit Mit Teamforge
Git Gerrit Mit Teamforge
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
 
Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CD
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Deploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsDeploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOps
 
Understanding the GitOps Workflow and CICD Pipeline - What It Is, Why It Matt...
Understanding the GitOps Workflow and CICD Pipeline - What It Is, Why It Matt...Understanding the GitOps Workflow and CICD Pipeline - What It Is, Why It Matt...
Understanding the GitOps Workflow and CICD Pipeline - What It Is, Why It Matt...
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build system
 
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
 
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOpsWebinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdfZephyr Introduction - Nordic Webinar - Sept. 24.pdf
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
 

Mehr von Weaveworks

SRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdfSRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
Weaveworks
 
How to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy CatastrophesHow to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy Catastrophes
Weaveworks
 
Robust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and CiliumRobust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and Cilium
Weaveworks
 

Mehr von Weaveworks (20)

Weave AI Controllers (Weave GitOps Office Hours)
Weave AI Controllers (Weave GitOps Office Hours)Weave AI Controllers (Weave GitOps Office Hours)
Weave AI Controllers (Weave GitOps Office Hours)
 
Flamingo: Expand ArgoCD with Flux (Office Hours)
Flamingo: Expand ArgoCD with Flux (Office Hours)Flamingo: Expand ArgoCD with Flux (Office Hours)
Flamingo: Expand ArgoCD with Flux (Office Hours)
 
Webinar: Capabilities, Confidence and Community – What Flux GA Means for You
Webinar: Capabilities, Confidence and Community – What Flux GA Means for YouWebinar: Capabilities, Confidence and Community – What Flux GA Means for You
Webinar: Capabilities, Confidence and Community – What Flux GA Means for You
 
Six Signs You Need Platform Engineering
Six Signs You Need Platform EngineeringSix Signs You Need Platform Engineering
Six Signs You Need Platform Engineering
 
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdfSRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
 
Flux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCIFlux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCI
 
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes ClustersAutomated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
 
How to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy CatastrophesHow to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy Catastrophes
 
Building internal developer platform with EKS and GitOps
Building internal developer platform with EKS and GitOpsBuilding internal developer platform with EKS and GitOps
Building internal developer platform with EKS and GitOps
 
GitOps Testing in Kubernetes with Flux and Testkube.pdf
GitOps Testing in Kubernetes with Flux and Testkube.pdfGitOps Testing in Kubernetes with Flux and Testkube.pdf
GitOps Testing in Kubernetes with Flux and Testkube.pdf
 
Implementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancyImplementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancy
 
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKS
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKSAccelerating Hybrid Multistage Delivery with Weave GitOps on EKS
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKS
 
The Story of Flux Reaching Graduation in the CNCF
The Story of Flux Reaching Graduation in the CNCFThe Story of Flux Reaching Graduation in the CNCF
The Story of Flux Reaching Graduation in the CNCF
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
 
Flux’s Security & Scalability with OCI & Helm Slides.pdf
Flux’s Security & Scalability with OCI & Helm Slides.pdfFlux’s Security & Scalability with OCI & Helm Slides.pdf
Flux’s Security & Scalability with OCI & Helm Slides.pdf
 
Flux Security & Scalability using VS Code GitOps Extension
Flux Security & Scalability using VS Code GitOps Extension Flux Security & Scalability using VS Code GitOps Extension
Flux Security & Scalability using VS Code GitOps Extension
 
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsDeploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
 
Robust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and CiliumRobust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and Cilium
 
Intro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdfIntro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdf
 

Kürzlich hochgeladen

%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 

Kürzlich hochgeladen (20)

Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 

Continuous Security for GitOps

  • 1. Continuous Security for GitOps April 2019 Webinar Brice Fernandes – brice@weave.works – @fractallambda 1
  • 2. ● Building cloud-native OSS and commercial products since 2014 (Weave Net, Moby, Kubernetes, Prometheus) ● Founding member of CNCF ● Weave Cloud runs on Kubernetes since 2015 ● We developed “GitOps” - more later! ● Kubernetes support subscriptions, training and consulting 2 About Weaveworks
  • 3. Typical CICD pipeline Continuous Integration Cluster API Continuous Delivery/Deployment Container Registry CI Code Repo Dev RW CI credsGit creds RW CR creds3 RO RW API creds CR creds1 Shares credentials cross several logical security boundaries. Boundary RO RW Container Registry (CR) creds2
  • 6. 6 GitOps is... An operation model Derived from CS and operation knowledge
  • 7. 7 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding)
  • 8. 8 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How)
  • 9. 9 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How) Although Weaveworks can help with how
  • 10. 10 GitOps is... An operation model Derived from CS and operation knowledge Technology agnostic (name notwithstanding) A set of principles (Why instead of How) A way to speed up your team
  • 11. 11 1 The entire system is described declaratively.
  • 12. 12 1 The entire system is described declaratively. Beyond code, data ⇒ Implementation independent Easy to abstract in simple ways Easy to validate for correctness Easy to generate & manipulate from code
  • 13. 13 The canonical desired system state is versioned (with Git) 2
  • 14. 14 The canonical desired system state is versioned (with Git) Canonical Source of Truth (DRY) With declarative definition, trivialises rollbacks Excellent security guarantees for auditing Sophisticated approval processes (& existing workflows) Great Software ↔ Human collaboration point 2
  • 15. 15 Approved changes to the desired state are automatically applied to the system 3
  • 16. 16 Approved changes to the desired state are automatically applied to the system Significant velocity gains Privileged operators don’t cross security boundaries Separates What and How. 3
  • 17. 17 Software agents ensure correctness and alert on divergence 4
  • 18. 18 Software agents ensure correctness and alert on divergence 4 Continuously checking that desired state is met System can self heal Recovers from errors without intervention (PEBKAC) It’s the control loop for your operations
  • 19. 19 1 The entire system is described declaratively. 2 The canonical desired system state is versioned (with Git) 3 Approved changes to the desired state are automatically applied to the system 4 Software agents ensure correctness and alert on divergence
  • 21. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI creds Git creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Config Repo
  • 22. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI creds Git creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo
  • 23. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI creds Git creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo
  • 24. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2 CI creds Git creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo
  • 26. Secure your GitOps pipeline 26
  • 27. Move from access to cluster to access to repository. ...So how to secure your repository? Moving the burden of security 27
  • 29. 29 Thank you Over to you Andy brice@weave.works @fractallambda
  • 30. Hardening Git for GitOps @sublimino and @controlplaneio
  • 31. I’m: - Andy - Dev-like - Sec-ish - Ops-y
  • 32.
  • 34. Applications, infrastructure, and security as code... are deployed as code, who protects that code?
  • 36.
  • 38. How Git Works ● Git operates as a Merkle tree. ● SHA-1 was considered broken for security purposes and deprecated by NIST in 2011 ● The Shattered attack pads data to collide two SHA-1 hashes, which could be used to overwrite existing trusted commits with malicious code ● Git v2.13.0 moved to a hardened SHA-1 implementation which isn't vulnerable to this attack. ● (for a deep dive see Ian Miell’s excellent Learn Git the Hard Way)
  • 40. What is Continuous Security? ● Infrastructure as Code ● Security as Code ● Continuous Delivery
  • 41.
  • 43. Threat #1: Git Users Can Impersonate Each Other
  • 45. Threat #1: Git Users Can Impersonate Each Other ● Mitigation: Enforce Strong Identity in VCS (GitHub/GitLab) with GPG Signed Commits ● Physical GPG Keys increase security ● Mitigation: Run GPG-Validating Code in CI
  • 46. Threat #2: Malicious User Rewrites History
  • 47. Threat #2: Malicious User Rewrites History ● When to use Force Push ● Mitigation: Prevent Force Pushes to Master Branch ● Mitigation: Backup Git Repositories
  • 48. Threat #3: Malicious User Removes Security Features
  • 49. Threat #3: Malicious User Removes Security Features ● Mitigation: Configure Git Provider with Infrastructure as Code ● Mitigation: Monitor Git Provider’s Audit Logs ● Mitigation: Verify Commits to Master
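The "Run GPG-Validating Code in CI" and "Verify Commits to Master" mitigations from Threats #1 and #3 boil down to one CI check: every commit in the range being merged must carry a good signature from a key the organisation issued. The following is an added example written for this page, not code from the webinar or from Weaveworks; it assumes the CI job has already run `git log --format='%H%x09%G?%x09%GK%x09%an' origin/master..HEAD` with the team's public keys in the CI keyring, and the sample log output and key IDs are constructed.

```python
"""Reject any commit that is unsigned, badly signed, or signed by a key not on
the CI allowlist.  Added example; the sample git log output is constructed."""
import sys
from dataclasses import dataclass
from typing import List, Set

# git's %G? placeholder: G = good signature from a key in the CI keyring.
# Everything else (B bad, U good-but-untrusted key, X/Y expired, R revoked,
# E cannot check, N unsigned) must block the merge.
GOOD_STATUSES = {"G"}

# Long key IDs (%GK) of keys the organisation issued to developers (constructed).
TRUSTED_KEY_IDS = {"DEADBEEF0000000A"}

# Constructed output of: git log --format='%H%x09%G?%x09%GK%x09%an' origin/master..HEAD
SAMPLE_LOG = "\n".join([
    "a1b2c3d4\tG\tDEADBEEF0000000A\tAlice Dev",   # good signature, trusted key
    "b2c3d4e5\tU\tCAFEBABE0000000B\tBob Dev",     # good signature, key not in CI keyring trust
    "c3d4e5f6\tN\t\tMallory",                      # unsigned commit
    "d4e5f6a7\tG\tCAFEBABE0000000B\tBob Dev",     # valid, but key not on our allowlist
])


@dataclass
class Violation:
    commit: str
    author: str
    reason: str


def check_signatures(log_output: str, trusted_keys: Set[str]) -> List[Violation]:
    """Return one Violation per commit that must not reach master."""
    allow = {k.upper() for k in trusted_keys}
    violations = []
    for line in log_output.strip().splitlines():
        # Tab-separated so an empty %GK (unsigned commit) still yields 4 fields.
        sha, status, key, author = line.split("\t", 3)
        if status not in GOOD_STATUSES:
            violations.append(Violation(sha, author, f"signature status {status!r}"))
        elif key.upper() not in allow:
            # A cryptographically valid signature is not enough: the key must be
            # one we issued, otherwise any GPG user could satisfy the check.
            violations.append(Violation(sha, author, f"untrusted signing key {key}"))
    return violations


if __name__ == "__main__":
    # In CI: pipe the real git log output on stdin; exit non-zero to fail the job.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for v in check_signatures(data, TRUSTED_KEY_IDS):
        print(f"REJECT {v.commit} ({v.author}): {v.reason}")
    sys.exit(1 if check_signatures(data, TRUSTED_KEY_IDS) else 0)
```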
  • 50. Threat #4: Old Git client versions are insecure
  • 51. Attacks on Git Teleport Attacks Branch Teleport Attack A branch merge point is moved to point to a “WIP” or to a buggy code commit. This gets automerged on a developer’s pull. Tag Teleport Attack A tag pointer is moved to a different place in the history and the wrong version is retrieved. For example to a previous version with known vulnerabilities. Rollback Attacks Branch Rollback Attack Critical code is omitted. Global Rollback Attack Critical code is omitted. Effort Duplication Attack Coding effort is increased. Deletion Attacks Branch Deletion Attack A branch is missing. Tag Deletion Attack A tag is deleted.
  • 52. Threat #4: Old Git Client Versions Are Insecure ● Mitigation: Keep Software Versions Updated
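The rewrite, teleport, rollback and deletion attacks above (Threats #2 and #4) all show up the same way to a GitOps agent: a ref it previously synced now points somewhere that is not a fast-forward of the old tip. The following added example, not code from the webinar or from Weaveworks, classifies such ref movements so the agent can alert instead of silently applying them; it assumes the agent recorded each ref's target at its last sync and can build a parent map from `git rev-list --parents`, and the commit graph and ref tables are constructed.

```python
"""Detect branch/tag rollback, teleport and deletion between two syncs of a
config repository.  Added example; the commit graph and refs are constructed."""
from typing import Dict, List, Optional

ParentMap = Dict[str, List[str]]   # commit -> list of parent commits

# Constructed history: c1 <- c2 <- c3 <- c4 on the main line, w1 is WIP off c2.
GRAPH: ParentMap = {"c1": [], "c2": ["c1"], "c3": ["c2"], "c4": ["c3"], "w1": ["c2"]}

# What the agent recorded at the last sync, and what the remote shows now.
RECORDED = {"refs/heads/master": "c3", "refs/heads/release": "c3",
            "refs/heads/staging": "c3", "refs/heads/hotfix": "c3",
            "refs/tags/v1.0": "c2"}
OBSERVED = {"refs/heads/master": "c4",    # legitimate fast-forward
            "refs/heads/release": "c2",   # moved back: branch rollback
            "refs/heads/staging": "w1",   # moved to unrelated WIP: branch teleport
            "refs/tags/v1.0": "c1"}       # tag re-pointed; hotfix branch is gone


def is_ancestor(graph: ParentMap, older: str, newer: str) -> bool:
    """True if `older` is reachable from `newer` by following parent links."""
    stack, seen = [newer], set()
    while stack:
        node = stack.pop()
        if node == older:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return False


def classify_update(graph: ParentMap, ref: str, old: Optional[str], new: Optional[str]) -> str:
    if old == new:
        return "unchanged"
    if new is None:
        return "deletion"              # branch or tag deletion attack
    if old is None:
        return "new"
    if ref.startswith("refs/tags/"):
        return "tag-teleport"          # an existing tag must never move
    if is_ancestor(graph, old, new):
        return "fast-forward"          # the only movement a branch should make
    if is_ancestor(graph, new, old):
        return "rollback"              # tip went back in history: code omitted
    return "teleport"                  # history rewritten or unrelated commit


def audit(graph: ParentMap, recorded: Dict[str, str], observed: Dict[str, str]) -> Dict[str, str]:
    """Return only the refs whose movement should raise an alert."""
    alerts = {}
    for ref in sorted(set(recorded) | set(observed)):
        kind = classify_update(graph, ref, recorded.get(ref), observed.get(ref))
        if kind not in ("unchanged", "fast-forward", "new"):
            alerts[ref] = kind
    return alerts
```

Combined with the "prevent force pushes to master" setting and repository backups, this turns a rewritten history into an alert with the old tip still recorded for recovery.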
  • 54. Where do I version control my secrets? ● Paper/USB/CDR and two fireproof safes?
  • 55. Where do I version control my secrets? ● Paper/USB/CDR and two fireproof safes? ● Vault (or actually Consul)? https://www.vaultproject.io/docs/auth/kubernetes.html
  • 56. Where do I version control my secrets? ● Paper/USB/CDR and two fireproof safes? ● Vault (or actually Consul)? https://www.vaultproject.io/docs/auth/kubernetes.html ● Sealed Secrets (a Kubernetes controller and tool for one-way encrypted Secrets): https://github.com/bitnami-labs/sealed-secrets ● Git Crypt (GPG and Git integration): https://www.agwa.name/projects/git-crypt/
  • 57. Further Considerations ● Restrict deployments with policy (working hours, prevent deployments to production on a Friday afternoon, or require security teams to review certain changes) ● Permitting only dedicated reviewers to merge Pull Requests can act as a change control or security review gate, with automatically generated release notes that give a clear picture of the application changes about to be deployed. ● Static analysis can also be performed on the contents of the Pull Requests themselves with tools such as kubesec.io ● As part of a wider security strategy, tools like Notary, Grafeas, and in-toto prevent old Docker images from being deployed, as do Kubernetes cluster admission controllers such as Kritis and Portieris.