Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Owen Garrett, Deepfence
Matt Kryshak, Deepfence
Richard Case, Weaveworks
May, 2021
Webinar Platform - FAQs
Using Zoom
Questions?
• You are in listen-only mode
• Q&A session will follow the presentation, please use the Q&A panel to submit questions
• Hit escape to exit full screen
Technical Issues - please visit Zoom Help
https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions
Speaker Introduction
Owen Garrett, Head of Product and Community, Deepfence
Owen joined Deepfence in May 2021, having previously managed the NGINX open source project and NGINX’s microservices and Kubernetes-centric solutions. During his time at NGINX, the NGINX open source project rose from relative obscurity to become the most widely-deployed of any webserver in the world. Owen is fascinated by the application of technology, particularly microservices and Kubernetes, and is determined to assist developers to build safe and secure applications.
Twitter: @owengarrett
Richard Case, Tech Lead / Solution Architect, Weaveworks
Richard is tech lead for Kubernetes on Baremetal at Weaveworks. Previously he worked in customer success and helped to design and build GitOps/Cloud Native solutions for Weaveworks customers. Richard is also a maintainer of Cluster API Provider AWS.
Twitter: @fruit_case
What is GitOps?
GitOps is...
• An operation model
• Derived from CS and operational knowledge
• Technology agnostic (name notwithstanding)
• A set of principles (Why instead of How), although Weaveworks can help with how
• A way to speed up your team
The GitOps Model
GitOps ON Kubernetes
[Diagram: starting point is kubectl / direct access to the Kubernetes Cluster. With GitOps, an Image Repository and a git repository feed an in-cluster, pull-based agent; the security boundary sits at the cluster.]
1. The entire system is described declaratively.
2. The canonical desired system state is versioned in git.
3. Approved changes to the desired state are automatically applied to the system.
4. Software agents ensure correctness and alert on divergence (diffs & actions).
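Principles 3 and 4 above are what the in-cluster agent does on every loop: compare what git says against what the cluster reports, apply approved changes, and alert on drift. The following is an added illustration, not Flux or Weaveworks code; the `managed-by` label, the agent name and the manifests are constructed for the example.

```python
"""Drift detection for a pull-based GitOps agent (constructed illustration,
not Flux's code). Desired state comes from the config repo; live state is what
the cluster reports. The agent reports divergence as (action, object, paths)."""
import copy
from typing import Any, Dict, List, Tuple

Manifest = Dict[str, Any]
ObjKey = Tuple[str, str, str]

MANAGED_LABEL = "managed-by"   # assumed label name used to mark agent-owned objects
AGENT_NAME = "gitops-agent"    # assumed label value


def obj_key(obj: Manifest) -> ObjKey:
    """Identity of a Kubernetes object: (kind, namespace, name)."""
    meta = obj["metadata"]
    return (obj["kind"], meta.get("namespace", "default"), meta["name"])


def strip_runtime_fields(obj: Manifest) -> Manifest:
    """Remove fields the API server fills in so they are not reported as drift."""
    clean = copy.deepcopy(obj)
    clean.pop("status", None)
    for field in ("uid", "resourceVersion", "creationTimestamp"):
        clean["metadata"].pop(field, None)
    return clean


def diff_paths(desired: Any, live: Any, path: str = "") -> List[str]:
    """Dotted paths at which the live object differs from the desired one."""
    if isinstance(desired, dict) and isinstance(live, dict):
        paths: List[str] = []
        for k in sorted(set(desired) | set(live)):
            child = f"{path}.{k}" if path else k
            paths.extend(diff_paths(desired.get(k), live.get(k), child))
        return paths
    return [path] if desired != live else []


def reconcile(desired: List[Manifest], live: List[Manifest]) -> List[Tuple[str, ObjKey, List[str]]]:
    """Actions that bring the cluster back to the desired state.
    create: in git but absent from the cluster; apply: present but drifted;
    prune: labelled as agent-managed but no longer in git.
    Objects the agent does not manage are left alone."""
    want = {obj_key(o): o for o in desired}
    have = {obj_key(o): strip_runtime_fields(o) for o in live}
    actions: List[Tuple[str, ObjKey, List[str]]] = []
    for k, spec in want.items():
        if k not in have:
            actions.append(("create", k, []))
        else:
            drift = diff_paths(spec, have[k])
            if drift:
                actions.append(("apply", k, drift))
    for k, obj in have.items():
        managed = obj["metadata"].get("labels", {}).get(MANAGED_LABEL) == AGENT_NAME
        if k not in want and managed:
            actions.append(("prune", k, []))
    return actions


def managed_meta(name: str, namespace: str = "prod") -> Dict[str, Any]:
    return {"name": name, "namespace": namespace, "labels": {MANAGED_LABEL: AGENT_NAME}}


# Constructed sample: desired state as rendered from the config repo ...
DESIRED: List[Manifest] = [
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": managed_meta("web"),
     "spec": {"replicas": 3, "template": {"spec": {"containers": [
         {"name": "web", "image": "registry.example/web:1.4.0"}]}}}},
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": managed_meta("web-config"),
     "data": {"LOG_LEVEL": "info"}},
]

# ... and constructed live state: web was scaled down by hand with kubectl, the
# ConfigMap was never created, an old agent-managed Service lingers, and an
# unmanaged debug Pod exists (which the agent must not prune).
LIVE: List[Manifest] = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {**managed_meta("web"), "uid": "c0ffee", "resourceVersion": "42"},
     "spec": {"replicas": 1, "template": {"spec": {"containers": [
         {"name": "web", "image": "registry.example/web:1.4.0"}]}}},
     "status": {"readyReplicas": 1}},
    {"apiVersion": "v1", "kind": "Service", "metadata": managed_meta("old-svc"),
     "spec": {"ports": [{"port": 80}]}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-pod", "namespace": "prod"},
     "spec": {"containers": [{"name": "sh", "image": "busybox"}]}},
]

if __name__ == "__main__":
    for action, (kind, ns, name), paths in reconcile(DESIRED, LIVE):
        print(f"{action:6} {kind}/{ns}/{name} {' '.join(paths)}")
```

Each reported action is also the alert: a manual `kubectl scale` shows up as drift at `spec.replicas` and is reverted, which is the "immutability firewall" in practice.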
Principles of GitOps
Operate an agile cloud native platform with GitOps
GitOps – An Operating Model for Cloud Native
• Provides separation of concerns between the development process and the deployment process
• Transparency and auditability at all levels is automatic
• Authentication & authorization isolated between concerns
• Risk reduction: complete application rollback and logging
[Diagram: Continuous Integration (IDE, Git, Build, Test) sits on one side of the “Immutability Firewall”; GitOps on the other side drives Kubernetes: Deployment (clusters, apps), Monitoring / Logging (Observability), Management (operations).]
Secured Deployment with GitOps
Typical CICD pipeline
[Diagram: Continuous Integration (Dev → Code Repo → CI → Container Registry) and Continuous Delivery/Deployment (CI → Kubernetes). Credentials shown: Git creds (Dev, RW), CI creds, CR creds1/creds2/creds3 (RO and RW), API creds (RW) into Kubernetes, crossing the security boundary.]
Shares credentials across several logical security boundaries.
GitOps pipeline
[Diagram: Dev → Code Repo → CI → Container Registry; a Config Repo is the canonical desired state store; an in-cluster Operator pulls from the Config Repo (RW) and the Container Registry into Kubernetes. Credentials shown: Git creds and CI creds on the CI side, CR creds1/creds2/creds3 (RO and RW), Config repo creds.]
Credentials are never shared across a logical security boundary.
• Canonical desired state store: the Config Repo
• Operator: pulls and applies the desired state from inside the cluster
• Process & constraints enforcement
• Exceptional auditing and attribution*
Various points to integrate extra security measures:
• Image and code scanning (between Code Repo, CI and Container Registry)
• Artifact scanning (conftest, kube-sec)
• Policy enforcement (OPA, Kyverno)
• Runtime scanning (continuous)
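A concrete form of the artifact-scanning / policy-enforcement step: run the rendered config repo through a set of rules before the operator applies it, and block the deploy on any violation. This is an added example in plain Python, not a conftest, OPA or Kyverno policy; the rules, the `registry.example` images and the sample digest are constructed.

```python
"""Pre-deployment policy gate for rendered Kubernetes manifests (added
illustration, not a conftest/OPA/Kyverno policy). Returns violations so the
pipeline can deny the change before it reaches the cluster."""
import re
from typing import Any, Dict, List, Optional

Manifest = Dict[str, Any]

# Only digest-pinned image references are accepted: a mutable tag such as
# :latest can be re-pointed in the registry after the manifest was reviewed.
DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def pod_spec(manifest: Manifest) -> Optional[Dict[str, Any]]:
    """Locate the pod spec inside a workload or a bare Pod; None for other kinds."""
    kind = manifest.get("kind")
    if kind in WORKLOAD_KINDS:
        return manifest["spec"]["template"]["spec"]
    if kind == "Pod":
        return manifest["spec"]
    return None


def check_manifest(manifest: Manifest) -> List[str]:
    """Policy violations for one manifest; an empty list means it passes."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    name = f'{manifest["kind"]}/{manifest["metadata"]["name"]}'
    violations: List[str] = []
    if spec.get("hostNetwork"):
        violations.append(f"{name}: hostNetwork is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f'{name} container {c["name"]}'
        if not DIGEST_REF.match(c.get("image", "")):
            violations.append(f"{cname}: image is not pinned by digest")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{cname}: privileged container")
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{cname}: runAsNonRoot is not set to true")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{cname}: allowPrivilegeEscalation is not set to false")
        if not c.get("resources", {}).get("limits"):
            violations.append(f"{cname}: no resource limits")
    return violations


def gate(manifests: List[Manifest]) -> List[str]:
    """Violations across a whole config-repo render; deploy only if this is empty."""
    return [v for m in manifests for v in check_manifest(m)]


# Constructed samples: a manifest that must be blocked, and its hardened form.
CONSTRUCTED_DIGEST = "sha256:" + "0123456789abcdef" * 4   # placeholder, not a real image digest

BAD: Manifest = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"hostNetwork": True, "containers": [
        {"name": "web", "image": "registry.example/web:latest",
         "securityContext": {"privileged": True}}]}}}}

GOOD: Manifest = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "registry.example/web@" + CONSTRUCTED_DIGEST,
         "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}

if __name__ == "__main__":
    for v in gate([BAD]):
        print("DENY", v)
    print("ALLOW hardened manifest" if not gate([GOOD]) else "DENY hardened manifest")
```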
Introducing Deepfence
Copyright 2021 Deepfence, Inc.
The apps we build are deeply interconnected
• 528 open-source components (2020 average): The typical commercially-developed application uses 528 open-source components. This includes direct and indirect dependencies. Source: Synopsys OSSRA Report 2021
• > 10% of open-source components have known vulnerabilities: 10.4% of Java components from Maven Repository had at least one known vulnerability. Almost 40% of npm packages rely on code known to be vulnerable. Source: Sonatype 2020, University of Darmstadt 2019
• Equifax: Undetected Apache Struts vulnerability led to the leak of 143m customer details. $1.4bn – cost to remediate security.
• Capital One: Misconfiguration of ModSecurity enabled an anomalous request flow. 106m customer details leaked.
• British Airways: Hack of third-party JavaScript led to 380,000 stolen payment card records. $257m fine (reduced to $26m on appeal).
• npm left-pad: When an unregarded, 11-line module with 10 GH stars was removed from npm, the blast radius was huge.
Median Direct and Transitive Dependencies per repo (Source: GitHub State of the Octoverse 2020)
Language   | Direct Dependencies | Transitive Dependencies
PHP        | 9                   | 70
JavaScript | 10                  | 683
Python     | 9                   | 19
Ruby       | 9                   | 68
Vulnerabilities lie undetected for 4 years (average)
GitHub 2020 Octoverse Report: On average, vulnerabilities in open-source software lie undetected for over 4 years. Once alerted, it takes 4.4 weeks to find a fix and 10 weeks to publish.
Sonatype 2020 State of the Software Supply Chain: 49% of organizations remediate an OSS dependency vulnerability within 1 week.
Source: The 2020 State of the Octoverse, GitHub, Inc.
[Figure: The full lifecycle of a Vulnerability (GitHub)]
Applications contain a timebomb of to-be-announced vulnerabilities, and security teams need to be ready to move fast!
Deepfence provides a full-lifecycle security solution. It observes and secures your application from development to production.
Insert Security at all stages of the lifecycle
[Diagram: Continuous Integration (Dev: Commit, Build, Test, Push to Repo) → Continuous Delivery (DevOps: Review, Deploy) → Production (Staging, Prod 1, Prod 2, DR 1, Users) → Operations (Ops: Monitor, Logs). Lightweight DF agents at each stage report to the Deepfence Management Console.]
Let’s see Flux and Deepfence in action...
Once in production, Deepfence’s security monitoring takes over (Runtime Threat and Anomaly Scanning):
1. Audits containers and hosts to detect file system, process and network related misconfigurations
2. Performs detailed inspection of network traffic, system and application behavior, and correlates suspicious events
3. Supports manual triage or automated quarantine of tainted workloads
Questions?
Thank you!