Slide 1

Slide 1 text

VSHN – The DevOps Company
DevSecOps with Project Syn
Adrian Kosmaczewski, Developer Relations

Slide 2

Slide 2 text

Agenda
1. Introduction to Project Syn
2. How Project Syn supports DevSecOps
3. Call to action

Slide 3

Slide 3 text

VSHN
- Pronounced ˈvɪʒn – like "vision"
- Founded 2014
- Switzerland’s leading DevOps, Docker, Kubernetes, Rancher, OpenShift and 24/7 cloud operations partner
- First Kubernetes Certified Provider in

Slide 5

Slide 5 text

Some Figures
- 42 VSHNeers
- 350+ different customers partners
- 1’500+ servers
- Different cloud providers
- On-premises
- 88’000+ services

Slide 6

Slide 6 text

Pre-integrated set of tools to provision, update, back up, observe and react/alert production applications on Kubernetes and in the cloud. It supports DevOps through full self-service and automation using containers, Kubernetes and GitOps.

Slide 8

Slide 8 text

Benefits for Developers
- Automated service deployment with Crossplane
- Backup of data with K8up and Restic
- GitOps with Argo CD
- Secrets management with Vault
- Monitoring and alerting with Prometheus, Alertmanager and Signalilo

Slide 10

Slide 10 text

Benefits for Operations
- Configuration management with Commodore, Kapitan and Jsonnet with a hierarchical store
- Central cluster registry and inventory (including GitOps Git repository management) provided by Lieutenant API, Lieutenant Operator and Steward
- Automated component maintenance with Renovate
- Policy control through Open Policy Agent

Slide 12

Slide 12 text

DevSecOps
- Container Registry
- Policy Management
- GitOps
- Maintenance
- Logging

Slide 13

Slide 13 text

1. GitOps
All about auditability
- Based on ArgoCD
- Signed commits required for triggering changes
- Git commit history provides key information: Who, When, What
- Configuration rollback

Slide 14

Slide 14 text

2. Container Registry
All about vulnerability
- All images provided from a centralized repository
- Images validated by VSHN team
- Compatible with plain K8s & OpenShift
- Vulnerability scanning by default

Slide 15

Slide 15 text

3. Maintenance
All about immutability
- Based on Renovate
- Keep all systems up-to-date, continuously
- Matches tags with hashes to avoid spoofing
- Integrated through manifests
- Central view of open maintenance pull requests

Slide 16

Slide 16 text

4. Logging
All about traceability
- Based on Prometheus
- The full activity of the system in a single place

Slide 17

Slide 17 text

5. Policy Management
All about enforceability
- Based on Open Policy Agent (OPA project from the CNCF)
- Policies described in the Rego language:
  "All images must come from this registry"
  "No images allowed with the :latest tag"
  "No image runs as root"
- Configuration policy enforcement

Slide 18

Slide 18 text

    package kubernetes.admission

    deny[msg] {                                                              # (1)
        input.request.kind.kind == "Pod"                                     # (2)
        image := input.request.object.spec.containers[_].image
        not startswith(image, "verboten.com/")                               # (3)
        msg := sprintf("image '%v' comes from untrusted registry", [image])  # (4)
    }

(1) Reject request and show error message msg if the conditions in the body are true.
(2) Object being sought after
(3) Condition that must never be true
(4) Error message returned to the caller
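The other two policies quoted on slide 17, written in the same pre-1.0 Rego syntax as the rule on this slide. This is an added example, not VSHN's or Project Syn's own policy; the helper names containers, uses_latest and runs_as_non_root are assumptions made for illustration.

```rego
package kubernetes.admission

# Every container and init container of the Pod under review.
containers[c] { c := input.request.object.spec.containers[_] }
containers[c] { c := input.request.object.spec.initContainers[_] }

# "No images allowed with the :latest tag"
deny[msg] {
    input.request.kind.kind == "Pod"
    containers[c]
    uses_latest(c.image)
    msg := sprintf("image '%v' uses :latest or has no tag", [c.image])
}

# Explicit :latest tag.
uses_latest(image) {
    endswith(image, ":latest")
}

# Neither tag nor digest: the container runtime falls back to :latest.
# Only the last path segment is checked, so a registry port such as
# "registry.example:5000/app" is not mistaken for a tag.
uses_latest(image) {
    not contains(image, "@")
    parts := split(image, "/")
    not contains(parts[count(parts) - 1], ":")
}

# "No image runs as root"
deny[msg] {
    input.request.kind.kind == "Pod"
    containers[c]
    not runs_as_non_root(c)
    msg := sprintf("container '%v' may run as root; set runAsNonRoot", [c.name])
}

# The container itself demands a non-root user ...
runs_as_non_root(c) {
    c.securityContext.runAsNonRoot == true
}

# ... or the Pod does and the container does not override it.
runs_as_non_root(c) {
    input.request.object.spec.securityContext.runAsNonRoot == true
    not c.securityContext.runAsNonRoot == false
}
```

Because deny is a partial set, these rules add to the registry rule above: a single Pod can be rejected with several messages at once.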

Slide 19

Slide 19 text

Summaribility
- GitOps: Auditability
- Container Registry: Vulnerability
- Maintenance: Immutability
- Logging: Traceability
- Policy Management: Enforceability

Slide 20

Slide 20 text

DevSecOps
- Container Registry
- Policy Management
- GitOps
- Maintenance
- Logging

Slide 21

Slide 21 text

Call to Action
Preview release 0.1 soon!
- vshn.ch/en/syn
- docs.syn.tools
- github.com/projectsyn

Slide 22

Slide 22 text

Thanks!
Adrian Kosmaczewski, Developer Relations: [email protected]
VSHN AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00 – vshn.ch – [email protected]