DevSecOps with Project Syn

Presentation shown during the February 26th edition of the Zurich DevSecOps Meetup. https://www.meetup.com/Zurich-DevSecOps-Meetup-Group/events/267292394/

Adrian Kosmaczewski

February 26, 2020
Transcript

  1. VSHN – The DevOps Company
    DevSecOps with Project Syn
    Adrian Kosmaczewski, Developer Relations

  2. Agenda
    1. Introduction to Project Syn
    2. How Project Syn supports DevSecOps
    3. Call to action

  3. Pronounced ˈvɪʒn – like "vision"
    Founded 2014
    Switzerland’s leading DevOps, Docker, Kubernetes, Rancher, OpenShift and 24/7 cloud operations partner
    First Kubernetes Certified Provider in

  5. Some Figures
    42 VSHNeers
    350+ different customers and partners
    1’500+ servers
    Different cloud providers
    On-premises
    88’000+ services

  6. Pre-integrated set of tools to provision, update, backup, observe and react/alert production applications on Kubernetes and in the cloud.
    It supports DevOps through full self-service and automation using containers, Kubernetes and GitOps.

  8. Benefits for Developers
    Automated service deployment with Crossplane
    Backup of data with K8up and Restic
    GitOps with Argo CD
    Secrets management with Vault
    Monitoring and alerting with Prometheus, Alertmanager and Signalilo

  10. Benefits for Operations
    Configuration management with Commodore, Kapitan and Jsonnet, using a hierarchical store
    Central cluster registry and inventory (including GitOps Git repository management) provided by Lieutenant API, Lieutenant Operator and Steward
    Automated component maintenance with Renovate
    Policy control through Open Policy Agent

  12. DevSecOps
    Container Registry, Policy Management, GitOps, Maintenance, Logging

  13. 1. GitOps
    All about auditability
    Based on ArgoCD
    Signed commits required for triggering changes
    Git commit history provides key information: who, when, what
    Configuration rollback

  14. 2. Container Registry
    All about vulnerability
    All images provided from a centralized repository
    Images validated by VSHN team
    Compatible with plain K8s & OpenShift
    Vulnerability scanning by default

  15. 3. Maintenance
    All about immutability
    Based on Renovate
    Keep all systems up-to-date, continuously
    Matches tags with hashes (digests) to avoid spoofing
    Integrated through manifests
    Central view of open maintenance pull requests

  16. 4. Logging
    All about traceability
    Based on Prometheus
    The full activity of the system in a single place

  17. 5. Policy Management
    All about enforceability
    Based on Open Policy Agent (OPA project from the CNCF)
    Policies described in the Rego language:
      "All images must come from this registry"
      "No images allowed with the :latest tag"
      "No image runs as root"
    Configuration policy enforcement

  18. Example policy in Rego, annotated
    package kubernetes.admission

    # 1: reject the request and show the error message msg if the
    #    conditions in the body are true
    deny[msg] {
        # 2: the object being sought after
        input.request.kind.kind == "Pod"
        image := input.request.object.spec.containers[_].image
        # 3: the condition that must never be true
        not startswith(image, "verboten.com/")
        # 4: the error message returned to the caller
        msg := sprintf("image '%v' comes from untrusted registry", [image])
    }
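The three policies quoted on the Policy Management slide ("all images must come from this registry", "no :latest tag", "no image runs as root"), written out as one Rego file that extends the registry rule shown above. This is an added example, not code from the deck or from Project Syn. Beyond the slide's rule it also inspects initContainers (which a `spec.containers[_]` path skips), treats an image with neither tag nor digest as an implicit :latest, and resolves runAsNonRoot from the container securityContext first and the pod securityContext second, so that a container-level `false` is caught even when the pod says `true`. The registry prefix registry.example.com/ and the AdmissionReview in example_review are constructed for the example. The file uses the same v0 Rego syntax as the slide; OPA 1.0 and later need the --v0-compatible flag to evaluate it as written.

```rego
package kubernetes.admission

# Registry prefix that every image must come from. Constructed for this example.
trusted_registry = "registry.example.com/"

is_pod {
    input.request.kind.kind == "Pod"
}

# Every container of the pod. Looking only at spec.containers lets an
# initContainer pulled from anywhere pass unchecked.
containers[c] {
    c := input.request.object.spec.containers[_]
}

containers[c] {
    c := input.request.object.spec.initContainers[_]
}

# Policy 1: all images must come from the trusted registry.
deny[msg] {
    is_pod
    c := containers[_]
    not startswith(c.image, trusted_registry)
    msg := sprintf("container '%v': image '%v' comes from an untrusted registry", [c.name, c.image])
}

# Policy 2: no :latest tag, whether written out or implied by omission.
deny[msg] {
    is_pod
    c := containers[_]
    uses_latest(c.image)
    msg := sprintf("container '%v': image '%v' uses the :latest tag", [c.name, c.image])
}

uses_latest(image) {
    endswith(image, ":latest")
}

# No digest and no tag on the last path segment: the runtime defaults to latest.
# Splitting on "/" first keeps a registry port (host:5000/app) from being read as a tag.
uses_latest(image) {
    not contains(image, "@")
    parts := split(image, "/")
    last_idx := count(parts) - 1
    not contains(parts[last_idx], ":")
}

# Policy 3: no container runs as root. The container-level setting overrides the
# pod-level one, so runAsNonRoot: false on a container is a violation even when
# the pod securityContext sets true.
deny[msg] {
    is_pod
    c := containers[_]
    not runs_as_non_root(c)
    msg := sprintf("container '%v' must set securityContext.runAsNonRoot: true", [c.name])
}

runs_as_non_root(c) {
    c.securityContext.runAsNonRoot == true
}

runs_as_non_root(c) {
    not container_sets_run_as_non_root(c)
    input.request.object.spec.securityContext.runAsNonRoot == true
}

container_sets_run_as_non_root(c) {
    is_boolean(c.securityContext.runAsNonRoot)
}

# Constructed AdmissionReview for `opa test`: a compliant container, an init
# container from Docker Hub with no tag, and a sidecar with :latest plus an
# explicit runAsNonRoot: false.
example_review = {"request": {
    "kind": {"kind": "Pod"},
    "object": {"spec": {
        "securityContext": {"runAsNonRoot": true},
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "app", "image": "registry.example.com/team/app:1.4.2"},
            {"name": "sidecar", "image": "registry.example.com/team/proxy:latest",
             "securityContext": {"runAsNonRoot": false}}
        ]
    }}
}}

test_example_review_violations {
    violations := deny with input as example_review
    count(violations) == 4
    violations["container 'init': image 'busybox' comes from an untrusted registry"]
    violations["container 'init': image 'busybox' uses the :latest tag"]
    violations["container 'sidecar': image 'registry.example.com/team/proxy:latest' uses the :latest tag"]
    violations["container 'sidecar' must set securityContext.runAsNonRoot: true"]
}
```

`opa test policy.rego` runs the embedded test; against a captured review, `opa eval -i review.json -d policy.rego 'data.kubernetes.admission.deny'` returns the set of denial messages, which is empty for a compliant pod. The `app` container in the sample passes all three rules; the other two produce the four messages the test checks.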

  19. Summaribility
    GitOps: Auditability
    Container Registry: Vulnerability
    Maintenance: Immutability
    Logging: Traceability
    Policy Management: Enforceability

  21. Call to Action
    Preview release 0.1 soon!
    vshn.ch/en/syn
    docs.syn.tools
    github.com/projectsyn

  22. Thanks!
    Adrian Kosmaczewski, Developer Relations
    VSHN AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00 – vshn.ch