Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Build and secure containers to support your CI/CD pipeline - Xebia Knowledge Exchange 2019-01-22

João Rosa
January 22, 2019

Build and secure containers to support your CI/CD pipeline - Xebia Knowledge Exchange 2019-01-22

Today CI/CD servers support containers. However, in some restricted environments, people are not willing to shift the responsibility to create the containers to the development teams. Based on a recent assignment at a customer, it shows a way to allow teams to create their own build & deploy containers and at the same time maintain a level of security, paramount for a financial organisation.

João Rosa

January 22, 2019
Tweet

More Decks by João Rosa

Other Decks in Technology

Transcript

  1. Hello! I am João Rosa I am Software Consultant, focused

    on Quality. You can find me at @joaoasrosa 2
  2. Problems found with CI/CD server Lifecycle management There is not

    a lifecycle management on the tool. It has Critical CVE’s. Misconfiguration The server holds multiple services. Also, the configuration of the services is not secure. Agents drift The build and deploy agents are in a drift state. Plus, old frameworks are installed. 5
  3. LEAD TIME For new capabilities. Such as a new version

    of a framework, or new tool features. 6
  4. SaaS Move from the on-premises solution, to a SaaS solution.

    It will mitigate some of the risks. Proposed solution Shift responsibilities From manage tooling, to enable development teams to deliver value. 8
  5. Use containers to build and deploy ▪ Today, mature solutions

    offer containers as compute unit ▪ Isolated by default (between jobs) ▪ Granular capabilities ▪ Allow teams to create the container images 9
  6. How about security? Teams are creating their own containers! 11

    Photo by Alistair MacRobert on Unsplash
  7. What test means for containers in a financial institution? We

    can understand it as testing the capabilities and security. Other definitions? 14 Photo by Saffu on Unsplash
  8. Test Test the container image, to assert the dependencies are

    installed according to the expectations. What does that mean? Scan Scan the container image, discovering if there are problems with any of the dependencies. Bonus, is it possible to monitor it? 16
  9. Implementation ▪ The container image definition is a Dockerfile ▪

    Testing using Google’s Container Structure Tests ▪ Scanning and monitoring using Snyk However there are other tools! :) 17
  10. Container Structure Tests ▪ Command tests ▪ File Existence tests

    ▪ File Content tests ▪ Metadata tests ▪ License tests * 19 * (licenses allowed by Google)
  11. Credits Special thanks to all the people who made and

    released these awesome resources for free: ▪ Presentation template by SlidesCarnival ▪ Photographs by Unsplash 22