Securing Developer Workflows – March 2019 Webinar
Brice Fernandes – brice@weave.works – @fractallambda
Simon Maple – simon@snyk.io – @sjmaple
About Weaveworks
● Building cloud-native OSS and commercial products since 2014 (Weave Net, Moby, Kubernetes, Prometheus)
● Founding member of the CNCF
● Weave Cloud has run on Kubernetes since 2015
● We developed “GitOps” – more on that later!
● Kubernetes support subscriptions, training and consulting
snyk.io
About Snyk
Snyk helps developers use open source code and stay secure
● Detect: Uncover vulnerabilities & license violations in the libraries your apps use
● Fix: Seamlessly fix discovered issues through automated upgrades and custom patches
● Monitor: Get alerted when new vulnerabilities affect your apps, and fix them before attackers act
Transform your CI/CD pipeline with GitOps
Typical CI/CD pipeline
[Diagram: Dev → Code Repo → Continuous Integration (CI) → Container Registry (CR) → Continuous Delivery/Deployment → Cluster API. Credentials shown with their RO/RW access: Git creds, CI creds, CR creds 1–3, Cluster API creds. Caption: Shares credentials across several logical security boundaries.]
The GitOps Model
GitOps is...
● An operations model
● Derived from computer science and operations knowledge
● Technology agnostic (name notwithstanding)
● A set of principles (the Why instead of the How) – although Weaveworks can help with the How
● A way to speed up your team
1. The entire system is described declaratively.
The description is data rather than code ⇒ implementation independent
● Easy to abstract in simple ways
● Easy to validate for correctness
● Easy to generate & manipulate from code
2. The canonical desired system state is versioned (with Git).
● Canonical source of truth (DRY)
● Combined with a declarative definition, rollbacks become trivial
● Strong auditing guarantees: the history records who changed what, and when
● Sophisticated approval processes (and fits existing workflows)
● A great software ↔ human collaboration point
3. Approved changes to the desired state are automatically applied to the system.
● Significant velocity gains
● Privileged operators don’t cross security boundaries
● Separates the What from the How
4. Software agents ensure correctness and alert on divergence.
● Continuously check that the desired state is met
● The system can self-heal
● Recovers from errors without intervention (PEBKAC)
● It’s the control loop for your operations
1. The entire system is described declaratively.
2. The canonical desired system state is versioned (with Git).
3. Approved changes to the desired state are automatically applied to the system.
4. Software agents ensure correctness and alert on divergence.
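The four principles together describe a control loop: diff the declared state in Git against what the cluster reports, apply the delta, and raise an alert for anything that diverged. The following is an added illustration of that loop, not Weaveworks' Flux or any other project's code; the resource keys, the in-memory "cluster" and the drifted state are constructed, and a real agent would read the cluster API instead of a dict.

```python
"""Minimal GitOps control loop (added example, not Weaveworks' Flux or any
project's code). Desired state is what the versioned config repo says;
observed state is what the cluster API reports. The agent computes the
delta, applies it, and reports every key that had drifted, which is the
"alert on divergence" half of principle 4.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A resource is keyed by (kind, namespace, name); its spec is a plain dict.
Key = Tuple[str, str, str]


@dataclass
class Action:
    verb: str             # "create", "update" or "delete"
    key: Key
    spec: Optional[dict]  # desired spec; None for delete


@dataclass
class ReconcileResult:
    actions: List[Action] = field(default_factory=list)
    drift: List[Key] = field(default_factory=list)  # existed in both, specs differed


def reconcile(desired: Dict[Key, dict], observed: Dict[Key, dict]) -> ReconcileResult:
    """Diff git (desired) against the cluster (observed).

    Resources missing from the cluster are created, resources whose live spec
    differs are recorded as drift and updated back to the declared spec, and
    resources that exist only in the cluster are deleted, because the repo is
    the canonical source of truth. A hand-made `kubectl edit` therefore shows
    up as drift on the next loop and is reverted rather than silently kept.
    """
    result = ReconcileResult()
    for key, spec in desired.items():
        live = observed.get(key)
        if live is None:
            result.actions.append(Action("create", key, spec))
        elif live != spec:
            result.drift.append(key)
            result.actions.append(Action("update", key, spec))
    for key in sorted(observed.keys() - desired.keys()):
        result.actions.append(Action("delete", key, None))
    return result


def apply(observed: Dict[Key, dict], actions: List[Action]) -> Dict[Key, dict]:
    """Stand-in for the cluster API applying the actions (constructed; real code calls the API)."""
    live = dict(observed)
    for action in actions:
        if action.verb == "delete":
            live.pop(action.key, None)
        else:
            live[action.key] = action.spec
    return live


# Constructed sample: git pins an image tag and replica count; someone ran
# `kubectl set image` and `kubectl scale` by hand and also left a debug pod.
DESIRED: Dict[Key, dict] = {
    ("Deployment", "prod", "api"): {"image": "registry.example/api:1.4.2", "replicas": 3},
    ("Service", "prod", "api"): {"port": 8080},
}
OBSERVED: Dict[Key, dict] = {
    ("Deployment", "prod", "api"): {"image": "registry.example/api:latest", "replicas": 5},
    ("Deployment", "prod", "debug-shell"): {"image": "busybox", "replicas": 1},
}


def run_once(desired: Dict[Key, dict], observed: Dict[Key, dict]) -> Dict[Key, dict]:
    """One iteration of the loop: diff, alert on drift, apply, return the new live state."""
    result = reconcile(desired, observed)
    for key in result.drift:
        print(f"DRIFT {key}: cluster differs from git, reverting")
    for action in result.actions:
        print(f"{action.verb.upper()} {action.key}")
    return apply(observed, result.actions)


if __name__ == "__main__":
    converged = run_once(DESIRED, OBSERVED)
    assert converged == DESIRED                          # loop converges in one pass
    assert reconcile(DESIRED, converged).actions == []   # and is then quiet
```

The security-relevant property is in `reconcile`: the cluster never gets to be the source of truth, so the only way to make a change stick is to get it merged into the repo, which is exactly where the approval and audit controls live. The agent holds the only cluster credentials, and it only needs read access to the repo.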
[Diagram: the canonical source of truth sits between People on one side and Software Agents on the other.]
GitOps pipeline
[Diagram: Dev → Code Repo → Continuous Integration (CI) → Container Registry (CR); CI updates the Config Repo; an in-cluster Deploy Operator reads the Config Repo (RW config repo creds, RO CR creds) and applies changes through the Cluster API (Cluster API creds). Credentials shown with their RO/RW access: Git creds, CI creds, CR creds 1–3, Config repo creds, Cluster API creds. Caption: Credentials are never shared across a logical security boundary.]
Secure your GitOps pipeline
Controls
GitOps moves the trust boundary from access to the cluster to access to the repository. ...So how do you secure your repository?
Securing your repositories
Mitigating user impersonation
1. Enforce strong identity in the VCS (GitHub/GitLab) with GPG-signed commits
2. Use physical GPG keys (hardware tokens) to increase security
3. Run GPG-validating code in CI
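Step 3 is the one that actually bites: the Git author field is free text, so without a CI check a signature requirement is just a badge. Below is an added example of such a check, not Weaveworks' or Snyk's code. It reads the per-commit signature status and signing-key fingerprint that `git log` can emit, and rejects the build unless every commit on the range carries a good signature from an allowlisted key. The fingerprints and the sample log output are constructed.

```python
"""Enforce signed commits on master from CI (added example; not Weaveworks' or
Snyk's code). Git is asked for each commit's signature status and the primary
fingerprint of the signing key; the build fails unless every commit carries a
good signature from an allowlisted key. Fingerprints below are constructed.
"""
import subprocess
from typing import List, Set, Tuple

# Tab-separated: hash, signature status, primary key fingerprint, subject.
GIT_FORMAT = "%H%x09%G?%x09%GP%x09%s"

# Git's %G? codes (from git-log's PRETTY FORMATS section).
STATUS_MEANING = {
    "G": "good signature",
    "U": "good signature, but key has unknown trust",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "B": "bad signature",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

# Primary-key fingerprints of the people allowed to land commits on master
# (constructed values; in practice pin these in the repo or CI config).
TRUSTED_FINGERPRINTS: Set[str] = {
    "3AA5C34371567BD2D7FC0A6F0E6B3A5D2B5C9E01",
    "8D3C7E2A1F4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D",
}


def git_log(base: str, head: str) -> str:
    """Produce the input for check_log for the commits in base..head.

    The CI image must have the signers' public keys imported, otherwise every
    commit comes back as E and the build fails closed, which is the safe default.
    """
    proc = subprocess.run(
        ["git", "log", "--format=" + GIT_FORMAT, f"{base}..{head}"],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


def check_log(log_text: str, trusted: Set[str]) -> List[Tuple[str, str]]:
    """Return (commit, reason) for each commit that violates the policy.

    Only status G passes. U is rejected on purpose: gpg could verify the
    signature but does not trust the key, so accepting it would let anyone who
    can get a key into the CI image sign their way onto master. A G signature
    must additionally come from an allowlisted fingerprint; this is what ties
    a commit to a person (and, with hardware keys, to a physical token) rather
    than to whatever name is in the author field.
    """
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 3)
        if len(fields) < 3:
            violations.append((line, "malformed log line"))
            continue
        commit, status, fingerprint = fields[0], fields[1], fields[2]
        if status != "G":
            violations.append((commit, STATUS_MEANING.get(status, "unknown status " + status)))
        elif fingerprint not in trusted:
            violations.append((commit, "signed by non-allowlisted key " + fingerprint))
    return violations


# Constructed git log output: one good commit, one unsigned, one signed by a
# key gpg does not trust, and one good signature from a stranger's key.
SAMPLE_LOG = (
    "a1b2c3d\tG\t3AA5C34371567BD2D7FC0A6F0E6B3A5D2B5C9E01\tBump api image to 1.4.2\n"
    "d4e5f6a\tN\t\tHotfix: bump replicas\n"
    "0f1e2d3\tU\tDEADBEEF00000000000000000000000000000000\tAdd debug sidecar\n"
    "9c8b7a6\tG\tDEADBEEF00000000000000000000000000000000\tTweak probes\n"
)


def ci_gate(log_text: str) -> int:
    """Exit status for the CI step: 0 when the range is clean, 1 otherwise."""
    bad = check_log(log_text, TRUSTED_FINGERPRINTS)
    for commit, reason in bad:
        print(f"REJECT {commit}: {reason}")
    return 1 if bad else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_LOG))
```

Two practical caveats: keep the allowlist and the public keys in a place the CI job cannot be talked into overwriting (a pull request must not be able to add its own key), and decide explicitly how to treat commits the Git provider itself signs, such as merges made through the web UI, since those carry the provider's key rather than a person's.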
Preventing history rewrites
1. Prevent force pushes to the master branch
2. Back up Git repositories
Preventing removal of security features
1. Configure the Git provider with infrastructure as code
2. Monitor the Git provider’s audit logs
3. Verify commits to master
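Infrastructure as code gives you a declared state for the repository settings; the audit log tells you someone changed them. What closes the loop is a check that compares the two. The following is an added example of that check, not GitHub's, Weaveworks' or Snyk's tooling. It assumes the input is shaped like GitHub's branch protection API response (an assumption; map the keys if your provider differs), the status-check name `ci/verify-signatures` is hypothetical, and both sample responses are constructed.

```python
"""Detect weakened branch protection on master (added example; not GitHub's,
Weaveworks' or Snyk's tooling). The input dict is shaped like GitHub's
GET /repos/{owner}/{repo}/branches/{branch}/protection response (an
assumption; map the keys if your provider differs). Compare what the
provider currently reports with what the infrastructure-as-code definition
is supposed to enforce, and report every control that is off or weaker.
Run it on a schedule or from an audit-log webhook so that a disabled
control becomes an alert, not just a log line.
"""
from typing import List

# Policy the IaC definition enforces; the status-check name is hypothetical.
POLICY = {
    "approving_reviews": 1,
    "required_checks": {"ci/verify-signatures"},
}


def _enabled(protection: dict, key: str) -> bool:
    """Read a {key: {"enabled": bool}} toggle; a missing key counts as disabled."""
    return bool((protection.get(key) or {}).get("enabled", False))


def audit_protection(protection: dict, policy: dict = POLICY) -> List[str]:
    """Return one finding per missing or weakened control; empty list means compliant."""
    findings = []
    if _enabled(protection, "allow_force_pushes"):
        findings.append("force pushes allowed: master history can be rewritten")
    if _enabled(protection, "allow_deletions"):
        findings.append("branch deletion allowed")
    if not _enabled(protection, "enforce_admins"):
        findings.append("admins exempt: any admin account can bypass the rules")
    if not _enabled(protection, "required_signatures"):
        findings.append("signed commits not required")
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("no pull request review required")
    elif reviews.get("required_approving_review_count", 0) < policy["approving_reviews"]:
        findings.append("approving review count below policy")
    checks = protection.get("required_status_checks") or {}
    missing = set(policy["required_checks"]) - set(checks.get("contexts", []))
    if missing:
        findings.append("required status checks missing: " + ", ".join(sorted(missing)))
    return findings


# Constructed responses: the state the IaC applied, and the same branch after
# an admin toggled force pushes on, exempted admins and dropped the signature check.
COMPLIANT = {
    "required_status_checks": {"strict": True, "contexts": ["ci/verify-signatures"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {"dismiss_stale_reviews": True, "required_approving_review_count": 1},
    "required_signatures": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}
WEAKENED = {
    "required_status_checks": {"strict": True, "contexts": []},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {"dismiss_stale_reviews": True, "required_approving_review_count": 1},
    "required_signatures": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    for name, state in (("compliant", COMPLIANT), ("weakened", WEAKENED)):
        for finding in audit_protection(state):
            print(f"{name}: {finding}")
```

The check treats an absent control as disabled rather than unknown, so an API response that is missing a field still produces a finding; that is deliberate, because the failure mode being guarded against is a control quietly going away.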
Don’t use deprecated software
Do You Know Which Dependencies You Have?
[Diagram: Your App = Your Code + the dependencies it pulls in; your code is the smaller part.]
Each Dependency Is A Security Risk
Direct deps only vs. all deps (410!)
What is NPM Inception? A package within a package within a package.
Do you know, for EVERY SINGLE DEPENDENCY:
● if its developers have any security expertise?
● if it underwent any security testing?
● if it has any known vulnerabilities?
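The "410 dependencies" number and the last question above both come from walking the lockfile rather than package.json, because the transitive tree is where most of the packages (and most of the known vulnerabilities) are. The following is an added example of that walk over an npm `package-lock.json` (lockfileVersion 1, the format current in 2019), not Snyk's scanner or vulnerability database. The package.json, lockfile, package names and advisories are all constructed, and the version comparison assumes plain x.y.z versions with a single "fixed in" boundary, a simplification of real semver ranges.

```python
"""Inventory an npm dependency tree from package-lock.json (lockfileVersion 1)
and match it against an advisory list (added example; not Snyk's scanner or
database). The lockfile, package.json, package names and advisories below are
all constructed, and the version comparison assumes plain x.y.z versions with
a single "fixed in" boundary, which is a simplification of real semver ranges.
"""
import json
from typing import List, Tuple

Path = Tuple[str, ...]

# Constructed package.json: two direct deps (one dev). Names are made up.
PACKAGE_JSON = {
    "dependencies": {"left-router": "^4.16.0"},
    "devDependencies": {"testrunner": "^5.0.0"},
}

# Constructed package-lock.json v1. Note the shape: the root "dependencies"
# map is flattened (hoisted), and testrunner carries its own nested copy of
# loglet because it needs a different major version.
LOCKFILE = json.loads("""
{
  "name": "app", "lockfileVersion": 1,
  "dependencies": {
    "left-router": {"version": "4.16.0", "requires": {"loglet": "2.6.9", "querystr": "6.5.1"}},
    "loglet": {"version": "2.6.9", "requires": {"msec": "2.0.0"}},
    "msec": {"version": "2.0.0"},
    "querystr": {"version": "6.5.1"},
    "testrunner": {
      "version": "5.0.0", "dev": true, "requires": {"loglet": "3.1.0"},
      "dependencies": {"loglet": {"version": "3.1.0", "requires": {"msec": "2.0.0"}}}
    }
  }
}
""")

# Constructed advisories with hypothetical ids; not real vulnerabilities.
ADVISORIES = [
    {"id": "ADV-0001", "name": "msec", "fixed_in": "2.1.1", "title": "constructed: ReDoS"},
    {"id": "ADV-0002", "name": "loglet", "fixed_in": "2.6.10", "title": "constructed: info leak"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))  # assumes no prerelease tags


def walk(lock: dict, pkg: dict) -> List[Tuple[str, str, Path]]:
    """List (name, version, path) for every package reachable from the direct deps.

    A `requires` entry is resolved the way npm resolves node_modules: the
    nearest enclosing nested "dependencies" map wins, then outward to the root.
    The same package can appear several times via different paths; that is
    the point, because each path is a separate way a vulnerability reaches you.
    """
    root = lock.get("dependencies", {})
    found: List[Tuple[str, str, Path]] = []

    def resolve(name: str, scopes: List[dict]):
        for scope in reversed(scopes):
            if name in scope:
                return scope[name]
        return None

    def visit(name: str, node: dict, scopes: List[dict], path: Path, on_stack: set):
        key = (name, node["version"])
        if key in on_stack:          # cycle guard (npm allows circular deps)
            return
        found.append((name, node["version"], path))
        child_scopes = scopes + [node.get("dependencies", {})]
        for dep in node.get("requires", {}):
            child = resolve(dep, child_scopes)
            if child is not None:
                visit(dep, child, child_scopes, path + (dep,), on_stack | {key})

    direct = list(pkg.get("dependencies", {})) + list(pkg.get("devDependencies", {}))
    for name in direct:
        if name in root:
            visit(name, root[name], [root], (name,), set())
    return found


def counts(lock: dict, pkg: dict) -> Tuple[int, int]:
    """(direct deps, unique name@version packages actually installed)."""
    nodes = walk(lock, pkg)
    direct = set(pkg.get("dependencies", {})) | set(pkg.get("devDependencies", {}))
    return len(direct), len({(n, v) for n, v, _ in nodes})


def find_vulnerable(nodes, advisories) -> List[Tuple[str, str, str]]:
    """(advisory id, name@version, path) for every installed copy below the fix version."""
    hits = []
    for name, version, path in nodes:
        for adv in advisories:
            if adv["name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((adv["id"], f"{name}@{version}", " > ".join(path)))
    return hits


if __name__ == "__main__":
    direct, total = counts(LOCKFILE, PACKAGE_JSON)
    print(f"direct deps: {direct}, all deps: {total}")
    for adv_id, pkg_at, path in find_vulnerable(walk(LOCKFILE, PACKAGE_JSON), ADVISORIES):
        print(f"{adv_id} {pkg_at} via {path}")
```

Even on this tiny constructed tree, two direct dependencies become six installed packages, and the one vulnerable `msec` version is reached by two different paths, which is why a fix has to be checked per path (an upgrade of `left-router` alone would leave the copy under `testrunner` in place).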
Going Terminal
Thank you
Get in touch: brice@weave.works (@fractallambda) – simon@snyk.io (@sjmaple)
Back to you, Sonja!

Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks