Layered Governance for your Infrastructure with Kubernetes, OPA, and Terraform

When writing policy as code, we aim to implement best practices in our work, but we might not always know how to iterate on policies, nor how to make them transparent to the teams we work with.

The best way to enforce policy is to make it easy: incorporate these practices into an automated pipeline that gives teams efficient workflows, and make every policy visible to end users. We will demonstrate this using the Open Policy Agent, Terraform, and Flux in a declarative fashion.

Taylor Dolezal

February 06, 2021
Transcript

  2. Layered Governance for your Infrastructure

  3. Taylor Dolezal (He/Him) Developer Advocate at HashiCorp

  4. @onlydole on GitHub and Twitter Developer Advocate at HashiCorp

  5-8. Agenda
    ▪ GitOps: Cloud Native Continuous Deployment
    ▪ Policy as Code: Enforcing Policy Automatically
    ▪ Live Demo: Terraform, Flux, OPA, and Kubernetes
  9. GitOps

  11-15. GitOps
    ▪ Framework using DevOps best practices
    ▪ Enables Collaboration
    ▪ Helps Govern Access Control
    ▪ Less Risk, Less Error Prone
    ▪ Acts as a Feedback Loop
  17. Flux Concepts: How Does One Use Flux?

  18-21. Bootstrap
    ▪ The process of installing the Flux components
    ▪ Manifests are applied to a cluster, a GitRepository and Kustomization are created for the Flux components, and the manifests are pushed to an existing Git repository (or a new one is created)
    ▪ Flux can manage itself just as it manages other resources
  22-26. Sources
    ▪ Defines the origin of a source and the requirements to obtain it
    ▪ GitRepository
    ▪ HelmRepository
    ▪ Bucket
  27-28. Kustomization
    ▪ Represents a local set of Kubernetes resources that Flux is supposed to reconcile within a Kubernetes cluster
  29-33. Reconciliation
    ▪ Ensuring that a given state matches a declarative desired state
    ▪ HelmRelease reconciliation
    ▪ Bucket reconciliation
    ▪ Kustomization reconciliation
  34. Add podinfo repository to Flux

    $ flux create source git podinfo \
        --url=https://github.com/stefanprodan/podinfo \
        --branch=master \
        --interval=30s \
        --export > ./staging-cluster/podinfo-source.yaml

  35. GitRepository Manifest

    apiVersion: source.toolkit.fluxcd.io/v1beta1
    kind: GitRepository
    metadata:
      name: podinfo
      namespace: flux-system
    spec:
      interval: 30s
      ref:
        branch: master
      url: https://github.com/stefanprodan/podinfo

  36. Deploy podinfo application

    $ flux create kustomization podinfo \
        --source=podinfo \
        --path="./kustomize" \
        --prune=true \
        --validation=client \
        --interval=5m \
        --export > ./staging-cluster/podinfo-kustomization.yaml

  37. Kustomization Manifest

    apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
    kind: Kustomization
    metadata:
      name: podinfo
      namespace: flux-system
    spec:
      interval: 5m0s
      path: ./kustomize
      prune: true
      sourceRef:
        kind: GitRepository
        name: podinfo
      validation: client
  38. Policy as Code

  42. Live Demo

  43. Thank You tdolezal@hashicorp.com
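The Policy as Code slides of this deck are image-only, so here is an added example, written for this page rather than taken from the talk, from Flux, or from OPA: a small conftest-style OPA policy that applies layered checks to the GitRepository and Kustomization manifests generated on slides 34-37. The allowed host list, the rule names, the message wording, and the two unit tests at the end are assumptions made for illustration; the talk does not prescribe them.

```rego
package main

# Added example (not the talk's own policy, nor anything shipped by Flux/OPA):
# governance checks over the Flux GitRepository and Kustomization manifests,
# in conftest's convention (package main, deny/warn rules, each manifest
# document evaluated as `input`). Needs OPA 0.59 or newer for `import rego.v1`.
import rego.v1

# Assumption for this example: the Git hosts a team may deploy from.
allowed_hosts := {"github.com"}

# Validation modes the Flux v1beta1 Kustomization accepts.
allowed_validation := {"client", "server"}

# --- Source layer: where manifests may come from -----------------------------

# Plain http:// or ssh URLs bypass the TLS and host checks this policy relies on.
deny contains msg if {
	input.kind == "GitRepository"
	not startswith(input.spec.url, "https://")
	msg := sprintf("GitRepository/%s: spec.url must start with https://, got %q", [input.metadata.name, input.spec.url])
}

# Only allow-listed hosts; the host is the first path segment after the scheme.
deny contains msg if {
	input.kind == "GitRepository"
	startswith(input.spec.url, "https://")
	parts := split(trim_prefix(input.spec.url, "https://"), "/")
	not allowed_hosts[parts[0]]
	msg := sprintf("GitRepository/%s: host %q is not an approved Git host", [input.metadata.name, parts[0]])
}

# Following a branch (as the staging example does) means anyone who can push to
# it changes the cluster. Warn rather than deny so staging still passes.
warn contains msg if {
	input.kind == "GitRepository"
	branch := input.spec.ref.branch
	not input.spec.ref.tag
	not input.spec.ref.commit
	msg := sprintf("GitRepository/%s: follows branch %q; pin ref.tag or ref.commit for production clusters", [input.metadata.name, branch])
}

# --- Reconciliation layer: how manifests are applied -------------------------

# Without prune, resources deleted from Git stay on the cluster indefinitely.
# `not ... == true` also catches a missing field, unlike `!= true`.
deny contains msg if {
	input.kind == "Kustomization"
	not input.spec.prune == true
	msg := sprintf("Kustomization/%s: spec.prune must be true", [input.metadata.name])
}

# Require schema validation (client or server dry-run) before apply.
deny contains msg if {
	input.kind == "Kustomization"
	not allowed_validation[input.spec.validation]
	msg := sprintf("Kustomization/%s: spec.validation must be client or server", [input.metadata.name])
}

# A Kustomization must name the source it reconciles from.
deny contains msg if {
	input.kind == "Kustomization"
	not input.spec.sourceRef.name
	msg := sprintf("Kustomization/%s: spec.sourceRef.name is required", [input.metadata.name])
}

# --- Unit tests (run with `opa test .`); inputs are constructed for the example --

# The podinfo Kustomization from slide 37 passes every deny rule.
test_podinfo_kustomization_passes if {
	count(deny) == 0 with input as {
		"kind": "Kustomization",
		"metadata": {"name": "podinfo"},
		"spec": {"prune": true, "validation": "client", "sourceRef": {"kind": "GitRepository", "name": "podinfo"}}
	}
}

# The same source over plain http:// is denied exactly once (the scheme rule).
test_http_source_denied if {
	count(deny) == 1 with input as {
		"kind": "GitRepository",
		"metadata": {"name": "podinfo"},
		"spec": {"url": "http://github.com/stefanprodan/podinfo", "ref": {"branch": "master"}}
	}
}
```

In the pipeline, run `conftest test ./staging-cluster/podinfo-source.yaml ./staging-cluster/podinfo-kustomization.yaml -p policy/` before the commit is merged to the branch Flux reconciles from; against the staging manifests above, the Kustomization passes cleanly and the GitRepository raises only the branch warning. The same package can be loaded into an OPA-based admission controller for a second enforcement layer on the cluster itself, which is the point of layering: the pipeline catches mistakes early, the cluster refuses anything that bypassed the pipeline.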