Separate Development in Directories, Not Branches Trunk-Based Development Policies and Security Summary 25 Chapter 5–Repository and Directory Structures Best Practices DRY Chapter 8–Other Considerations Multicluster Management Non-Declarative Infrastructure Security Base Image Selection Everything as Code Conclusion 45 About the Author The Path recurring show. Eventually, this work led us to the Cloud Native Computing Foundation’s GitOps Working Group (and later the OpenGitOps project). By then, GitOps was a topic everyone wanted to know about. Suddenly

your previous application state. With Git’s excellent security guarantees, you can also use your SSH key to sign commits that enforce strong security guarantees about the authorship and provenance of your operations tasks are also fully reproducible through Git. 6. Stronger Security Guarantees Git’s strong correctness and security guarantees, backed by the strong cryptography used to track and manage DEPLOYMENT Write Code VCS Code Base Unit Tests Integ Tests Container Registry DEPLOY eBook 8 Security and the Typical CI/CD Pipeline How secure is the typical CI/CD pipeline? With this approach

move it forward. Instead of a single developer who owns the codebase making all the decisions, a group of developers works together to make a product. In this situation, developer experience is of utmost developers to be more effective, by making the good thing the easy thing – in areas such as testing, security and observability this is increasingly important. Good DX allows for shift left.” — James Governor cloud to edge Scale infrastructure to meet demands Enable built-in compliance Enforce zero-trust security Let’s look at each of these reasons in detail. 1 2 3 4 weave.works THE GITOPS GUIDE TO BUILDING

planning your GitOps strategy, review the OpenGitOps Principles, published by the GitOps Working Group: The desired state of a GitOps managed system must be: 1. Declarative A system managed set of “gotchas.” This com- plexity is compounded by the need to ensure consistency in deployment, security, and operations across various platforms. | 08 3 KEY ELEMENTS FOR YOUR GITOPS STRATEGY Copyright cloud-native applications requires continuous monitoring, updates, and security checks to ensure optimal performance and security. Push vs. Pull-Based Architecture Kubernetes Cluster Git Repository

development, there is more than one way to implement DevOps. As the DevOps Research and Assessment group (DORA) found in their recent report, ‘Accelerate: The State of DevOps 2019’, there are significant cloud-native world, GitOps makes developers more productive while improving application stability, security and compliance – and it does all this without the need for developers to learn new tools. On the way to implement GitOps is to use Git, since it already includes many advantages such as built-in security guarantees with full audit trails. Another key concept behind GitOps is the fact that Kubernetes

business and team needs. Managing these clusters and keeping configuration and organizational security and other policies consistent across these clusters is a big ask for the Ops team. GitOps takes has Infrastructure as code as one of its characteristics. STRONGER SECURITY GUARANTEES Git’s firm correctness and security guarantees — backed by the strong cryptography used to track and manage authorship and origin — are key to a correct and secure definition of the cluster’s desired state. If a security breach does occur, the immutable and auditable source of truth can be used to recreate a new

there. This means that tasks such as… ● Compiling code ● Running unit/integration tests ● Security scanning ● Static analysis ...are not a concern of GitOps tools and are assumed to already several other tasks until that point that deals with the packaging of the artifact, the unit tests, security scanning, etc. And even post-deployment there are several actions (such as running smoke tests) not only offer a secure storage mechanism for all secrets, but also a comprehensive way on how to group them according to each environment and how to pass them in the respective cluster. The underlying

monitoring, and managing Kubernetes, teams can increase their overall output 2-3 times and easily meet security and compliance regulations. Deploy Operate & Manage Monitor GIT P.6 Enhance and extend driven by pull requests and fully reproducible through Git. Embed security Leverage Git’s correctness and strong cryptography and security guarantees to track and manage changes across the entire cluster Fortune 100 companies to run their most sensitive and mission critical applications because of its security, reliability, and scalability. Amazon EKS is deeply integrated with other AWS services such as

applications rapidly 2 Continuous Integration(CI) & Continuous Delivery (CD) 3 Build Test Security Checks Release Deploy Stage Deploy Prod Continuous Integration Continuous Delivery A key DevOps Visibility and Audit Review changes beforehand, detect configuration drifts, and take action Enhanced Security Familiar tools and Git workflows from application development teams Standard Workflow Multi-cluster Detect drift Take action CD Continuous Integration & Continuous Delivery 10 Build Test Security Checks Release Deploy Stage Deploy Prod OpenShift Build Automate building container images

specific limitation, security requirements, etc. ● Configure business applications to confirm it provides what business requires ● Break, debug, pinpoint, and fix ● Security ● Observability ● Install in cluster with other business applications, where there is some specific limitation, security requirements, etc. ● Configure business applications to confirm it provides what business requires @rytswd #IstioCon What is NOT covered in the talk ● Multiclutser observability challenges ● Security considerations ● Secret management ● GitOps implementation details Target Audience What to expect