
DevSecOps with Project Syn

Presentation shown during the February 26th edition of the Zurich DevSecOps Meetup. https://www.meetup.com/Zurich-DevSecOps-Meetup-Group/events/267292394/

Adrian Kosmaczewski

February 26, 2020

Transcript

  1. VSHN – The DevOps Company. Agenda: 1. Introduction to Project Syn; 2. How Project Syn supports DevSecOps; 3. Call to action
  2. VSHN: pronounced ˈvɪʒn – like "vision". Founded 2014. Switzerland’s leading DevOps, Docker, Kubernetes, Rancher, OpenShift and 24/7 cloud operations partner. First Kubernetes Certified Provider in
  3. Some Figures: 42 VSHNeers; 350+ different customers, partners; 1’500+ servers; different cloud providers; on-premises; 88’000+ services
  4. Pre-integrated set of tools to provision, update, backup, observe and react/alert production applications on Kubernetes and in the cloud. It supports DevOps through full self-service and automation using containers, Kubernetes and GitOps.
  5. Benefits for Developers:
    - Automated service deployment with Crossplane
    - Backup of data with K8up and Restic
    - GitOps with Argo CD
    - Secrets management with Vault
    - Monitoring and alerting with Prometheus, Alertmanager and Signalilo
  6. Benefits for Operations:
    - Configuration management with Commodore, Kapitan and Jsonnet with a hierarchical store
    - Central cluster registry and inventory (including GitOps Git repository management) provided by Lieutenant API, Lieutenant Operator and Steward
    - Automated component maintenance with Renovate
    - Policy control through Open Policy Agent
  7. 1. GitOps: all about auditability
    - Based on ArgoCD
    - Signed commits required for triggering changes
    - Git commit history provides key information: who, when, what
    - Configuration rollback
  8. 2. Container Registry: all about vulnerability
    - All images provided from a centralized repository
    - Images validated by VSHN team
    - Compatible with plain K8s & OpenShift
    - Vulnerability scanning by default
  9. 3. Maintenance: all about immutability
    - Based on Renovate
    - Keep all systems up-to-date, continuously
    - Matches tags with hashes to avoid spoofing
    - Integrated through manifests
    - Central view of open maintenance pull requests
  10. 4. Logging: all about traceability
    - Based on Prometheus
    - The full activity of the system in a single place
  11. 5. Policy Management: all about enforceability
    - Based on Open Policy Agent (OPA project from the CNCF)
    - Policies described in the Rego language:
      - "All images must come from this registry"
      - "No images allowed with the :latest tag"
      - "No image runs as root"
    - Configuration policy enforcement
  12. Example policy, with the slide's four callouts:
    1. Reject request and show error message msg if the conditions in the body are true.
    2. Object being sought after
    3. Condition that must never be true
    4. Error message returned to the caller

    ```rego
    package kubernetes.admission

    deny[msg] {
        # Only Pod admission requests are checked
        input.request.kind.kind == "Pod"
        # Iterate over the image of every container in the Pod spec
        image := input.request.object.spec.containers[_].image
        # True when the image reference does not start with the allowed registry prefix
        not startswith(image, "verboten.com/")
        msg := sprintf("image '%v' comes from untrusted registry", [image])
    }
    ```
  13. Summaribility:
    - GitOps: Auditability
    - Container Registry: Vulnerability
    - Maintenance: Immutability
    - Logging: Traceability
    - Policy Management: Enforceability
  14. Call to Action: Preview release 0.1 soon! vshn.ch/en/syn, docs.syn.tools, github.com/projectsyn
  15. Thanks! Adrian Kosmaczewski, Developer Relations. VSHN AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00 – vshn.ch
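
Slide 11 quotes three policies but slide 12 only shows the registry rule. The other two could be written as follows, in the same pre-1.0 Rego syntax and against the same admission input shape as slide 12. This is an added example, not code from the deck or from Project Syn; the helper names `uses_latest` and `runs_as_non_root` are hypothetical, and reading "No image runs as root" as "`runAsNonRoot` must be set" is an assumption.

```rego
package kubernetes.admission

# Added example: covers spec.containers only, as the rule on slide 12 does.

# "No images allowed with the :latest tag"
deny[msg] {
    input.request.kind.kind == "Pod"
    image := input.request.object.spec.containers[_].image
    uses_latest(image)
    msg := sprintf("image '%v' uses the :latest tag or no tag at all", [image])
}

# Case 1: an explicit :latest tag.
uses_latest(image) {
    endswith(image, ":latest")
}

# Case 2: no tag and no digest, which the runtime resolves to :latest.
# Only the last path segment is inspected so that a registry port
# (registry:5000/app) is not mistaken for a tag.
uses_latest(image) {
    not contains(image, "@")
    parts := split(image, "/")
    not contains(parts[count(parts) - 1], ":")
}

# "No image runs as root"
deny[msg] {
    input.request.kind.kind == "Pod"
    container := input.request.object.spec.containers[_]
    not runs_as_non_root(container)
    msg := sprintf("container '%v' may run as root", [container.name])
}

# Container-level securityContext asks the kubelet to refuse UID 0.
runs_as_non_root(container) {
    container.securityContext.runAsNonRoot == true
}

# Pod-level setting applies unless the container overrides it to false.
runs_as_non_root(container) {
    input.request.object.spec.securityContext.runAsNonRoot == true
    not container.securityContext.runAsNonRoot == false
}
```

Because `deny` is a partial set, these rules can sit in the same package as the registry rule and each violation contributes its own message.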