
DevSecOps with Project Syn

Presentation shown during the February 26th edition of the Zurich DevSecOps Meetup. https://www.meetup.com/Zurich-DevSecOps-Meetup-Group/events/267292394/

Adrian Kosmaczewski

February 26, 2020

Transcript

  1. VSHN – The DevOps Company
    Adrian Kosmaczewski, Developer Relations
    DevSecOps with Project Syn

  2. VSHN – The DevOps Company
    Agenda
    1. Introduction to Project Syn
    2. How Project Syn supports DevSecOps
    3. Call to action

  3. VSHN – The DevOps Company
    Pronounced ˈvɪʒn – like "vision"
    Founded 2014
    Switzerland’s leading DevOps, Docker, Kubernetes, Rancher, OpenShift and 24/7 cloud operations partner
    First Kubernetes Certified Provider in

  4. VSHN – The DevOps Company

  5. VSHN – The DevOps Company
    Some Figures
    42 VSHNeers
    350+ different customers and partners
    1’500+ servers
    Different cloud providers
    On-premises
    88’000+ services

  6. VSHN – The DevOps Company
    Pre-integrated set of tools to provision, update, backup, observe and react/alert production applications on Kubernetes and in the cloud.
    It supports DevOps through full self-service and automation using containers, Kubernetes and GitOps.

  7. VSHN – The DevOps Company

  8. VSHN – The DevOps Company
    Benefits for Developers
    Automated service deployment with Crossplane
    Backup of data with K8up and Restic
    GitOps with Argo CD
    Secrets management with Vault
    Monitoring and alerting with Prometheus, Alertmanager and Signalilo

  9. VSHN – The DevOps Company

  10. VSHN – The DevOps Company
    Benefits for Operations
    Configuration management with Commodore, Kapitan and Jsonnet with a hierarchical store
    Central cluster registry and inventory (including GitOps Git repository management) provided by Lieutenant API, Lieutenant Operator and Steward
    Automated component maintenance with Renovate
    Policy control through Open Policy Agent

  11. VSHN – The DevOps Company

  12. VSHN – The DevOps Company
    DevSecOps
    Container Registry, Policy Management, GitOps, Maintenance, Logging

  13. VSHN – The DevOps Company
    1. GitOps – All about auditability
    Based on ArgoCD
    Signed commits required for triggering changes
    Git commit history provides key information: who, when, what
    Configuration rollback

  14. VSHN – The DevOps Company
    2. Container Registry – All about vulnerability
    All images provided from a centralized repository
    Images validated by VSHN team
    Compatible with plain K8s & OpenShift
    Vulnerability scanning by default

  15. VSHN – The DevOps Company
    3. Maintenance – All about immutability
    Based on Renovate
    Keep all systems up-to-date, continuously
    Matches tags with hashes to avoid spoofing
    Integrated through manifests
    Central view of open maintenance pull requests

  16. VSHN – The DevOps Company
    4. Logging – All about traceability
    Based on Prometheus
    The full activity of the system in a single place

  17. VSHN – The DevOps Company
    5. Policy Management – All about enforceability
    Based on Open Policy Agent (OPA project from the CNCF)
    Policies described in the Rego language
    "All images must come from this registry"
    "No images allowed with the :latest tag"
    "No image runs as root"
    Configuration policy enforcement

  18. VSHN – The DevOps Company
    package kubernetes.admission

    deny[msg] {                                                             # (1)
      input.request.kind.kind == "Pod"                                      # (2)
      image := input.request.object.spec.containers[_].image
      not startswith(image, "verboten.com/")                                # (3)
      msg := sprintf("image '%v' comes from untrusted registry", [image])   # (4)
    }

    1. Reject request and show error message msg if the conditions in the body are true.
    2. Object being sought after
    3. Condition that must never be true
    4. Error message returned to the caller
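    The three policies quoted on slide 17, written out as a complete Rego module in the style of the slide-18 rule, as an added example that is not from the slides or from the Project Syn code base. It also includes `opa test` cases on constructed AdmissionReview inputs so the rules can be checked offline. `registry.example.com/` is an assumed placeholder for the trusted registry, and the module uses the pre-1.0 Rego syntax of the slide; on OPA 1.0 or later, run with `--v0-compatible` or add the `if`/`contains` keywords.

```rego
package kubernetes.admission

# Added example, not code from the slides or from Project Syn: the three
# policies named on slide 17 as deny rules in the style of slide 18.
# "registry.example.com/" is an assumed placeholder for the trusted registry.

trusted_registry := "registry.example.com/"

# Every container of the admitted Pod, init containers included.
pod_containers[container] {
	input.request.kind.kind == "Pod"
	container := input.request.object.spec.containers[_]
}

pod_containers[container] {
	input.request.kind.kind == "Pod"
	container := input.request.object.spec.initContainers[_]
}

# "All images must come from this registry"
deny[msg] {
	container := pod_containers[_]
	not startswith(container.image, trusted_registry)
	msg := sprintf("image '%v' comes from untrusted registry", [container.image])
}

# "No images allowed with the :latest tag", whether explicit or implied
deny[msg] {
	container := pod_containers[_]
	uses_latest_tag(container.image)
	msg := sprintf("image '%v' uses the :latest tag", [container.image])
}

uses_latest_tag(image) {
	endswith(image, ":latest")
}

# A reference with neither tag nor digest defaults to :latest. Only the last
# path segment is inspected, so a "host:port/" prefix is not mistaken for a tag.
uses_latest_tag(image) {
	not contains(image, "@")
	segments := split(image, "/")
	not contains(segments[count(segments) - 1], ":")
}

# "No image runs as root": the container must set runAsNonRoot: true itself,
# or inherit it from the Pod securityContext without overriding it.
deny[msg] {
	container := pod_containers[_]
	not runs_as_non_root(container)
	msg := sprintf("container '%v' must set runAsNonRoot: true", [container.name])
}

runs_as_non_root(container) {
	container.securityContext.runAsNonRoot == true
}

runs_as_non_root(container) {
	input.request.object.spec.securityContext.runAsNonRoot == true
	not container.securityContext.runAsNonRoot == false
}

# Constructed AdmissionReview inputs for `opa test`; not captured requests.
pod_request(image, security_context) := {"request": {
	"kind": {"kind": "Pod"},
	"object": {"spec": {"containers": [{
		"name": "app",
		"image": image,
		"securityContext": security_context
	}]}}
}}

test_compliant_pod_is_allowed {
	req := pod_request("registry.example.com/app:1.2.3", {"runAsNonRoot": true})
	count(deny) == 0 with input as req
}

test_untrusted_registry_is_denied {
	req := pod_request("docker.io/library/nginx:1.25", {"runAsNonRoot": true})
	deny["image 'docker.io/library/nginx:1.25' comes from untrusted registry"] with input as req
}

test_implicit_latest_tag_is_denied {
	req := pod_request("registry.example.com/app", {"runAsNonRoot": true})
	deny["image 'registry.example.com/app' uses the :latest tag"] with input as req
}

test_missing_run_as_non_root_is_denied {
	req := pod_request("registry.example.com/app:1.2.3", {})
	deny["container 'app' must set runAsNonRoot: true"] with input as req
}
```

    Save the module as a file (the name `policy.rego` is assumed) and run `opa test policy.rego` to evaluate the four cases; a denial message is only produced when its rule body is true, so a compliant Pod yields an empty `deny` set and the admission controller lets it through.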

  19. VSHN – The DevOps Company
    Summaribility
    GitOps – Auditability
    Container Registry – Vulnerability
    Maintenance – Immutability
    Logging – Traceability
    Policy Management – Enforceability

  20. VSHN – The DevOps Company
    DevSecOps
    Container Registry, Policy Management, GitOps, Maintenance, Logging

  21. VSHN – The DevOps Company
    Call to Action
    Preview release 0.1 soon!
    vshn.ch/en/syn
    docs.syn.tools
    github.com/projectsyn

  22. VSHN – The DevOps Company
    Thanks!
    Adrian Kosmaczewski, Developer Relations: [email protected]
    VSHN AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00 – vshn.ch – [email protected]