1
November 29, 2022
Flux’s Security & Scalability
with OCI & Helm
Kingdon Barrett
OSS Engineer, Weaveworks
Vanessa Abankwah
DX Community Manager, Weaveworks
2
Weaveworks is founded on open source
● Flux & Flagger (CNCF): GitOps and Progressive Delivery for k8s
● EKSctl: Create an Amazon EKS cluster with one command
● (and many many more projects!)
And now … Weave GitOps, built on Flux!
weave.works
3
Speakers
Kingdon Barrett, OSS Engineer
Vanessa Abankwah, DX Community Manager, Weaveworks
Duration: 30-40 minutes
Browser: Safari copy/paste shortcuts may not work
Help/Support
Using Zoom
Questions?
• Use chat (button: top left corner of screen)
• Escape to exit full screen
• “To Everyone” or “To all panelists and attendees”
Support: https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions
Troubleshooting
Use chat. If the issue is not easily resolved, we ask that you follow along as we demo the sample app.
Flux’s Security & Scalability with OCI & Helm
4
Upcoming Events
● HashiCorp User Group Luxembourg (virtual), Nov 30
● WOUG: Implementing Flux for Scale with Soft Multi-tenancy (Dec 13)
5
Recap: What is GitOps
● Operating model for cloud native applications such as Kubernetes
● Utilizes a version controlled system (commonly Git) as the “single source of truth”
● Enables continuous delivery through automated deployment, monitoring, and management by a version controlled system
● Managing your infrastructure and applications declaratively
6
Recap: Flux Security & Scalability (VSCode + OCI + Cosign)
● 2 weeks ago: (https://youtu.be/Bmh7kKYLIhY) Flux with “OCI Bootstrap”
● OCIRepository “standing in” for GitRepository as root Source Of Truth
○ “Bootstrap Lite”
● Non-standard config
○ We started to get ideas about where OCI can be used
○ Primitives: use them how you want, these are only examples
● (Podinfo app still managed via Git)
○ Stand-in for “upstreams we can’t control”
● Today is “Part 2” of the series
7-8
Still GitOps?
OCI + Flux == GitOps
● Git is still the source of truth
● Before:
○ Git => Flux
● After:
○ Git => OCI registry => Flux
○ New opportunities for validation, etc.
○ (We added a CI Step!)
9
Source: GitOps Working Group
https://opengitops.dev/
10
Demo Time!
11
Security & Scalability
● Pulling an OCI image is much less resource-intensive compared
to a full or shallow Git clone
● Highly available registries are on every cloud provider
● Flux leverages Kubernetes workload identity and IAM when
pulling OCI artifacts from managed registries
○ => No more key management
○ => No more SSH keys to generate
○ => No more proprietary API usage for token generation
12-13
Recap: Security & Scalability
● Last time: Image verification with cosign
○ “Two types” of images
■ Application runtime (not verified)
■ Manifests (YAML) - and how to publish as OCI, sign, etc.
● Today: let’s add
○ Helm Charts, and Cosign verification on HelmReleases
○ Keyless Cosign Signatures (and keyed)
● Bonus:
○ App runtime image verification with Kyverno
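As an added example (not code from the talk or its demo repo), these are the Flux objects that pull a Helm chart and a manifests artifact from an OCI registry and require a cosign signature before reconciling them, keyless for the chart and keyed for the manifests. Assumed: the podinfo chart and manifests live at oci://ghcr.io/stefanprodan/charts and oci://ghcr.io/stefanprodan/manifests/podinfo, the Flux API versions current in late 2022, and a placeholder public key.

```yaml
# Added example, not from the talk: Helm chart from OCI, verified keylessly
# by source-controller before helm-controller ever renders it.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: podinfo
  namespace: flux-system
spec:
  type: oci                      # chart is stored in a registry, not a Helm HTTP index
  interval: 10m
  url: oci://ghcr.io/stefanprodan/charts   # assumed chart location
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: podinfo
  namespace: flux-system
spec:
  interval: 10m
  chart:
    spec:
      chart: podinfo
      version: ">=6.1.6"
      sourceRef:
        kind: HelmRepository
        name: podinfo
      # Keyless: the chart's .sig artifact is fetched from the same repository and
      # its Fulcio certificate is checked against the public Rekor log. With no
      # secretRef, any Fulcio-issued certificate is accepted; newer Flux releases
      # add matchOIDCIdentity (issuer/subject regexes) to pin the expected signer.
      verify:
        provider: cosign
  values:
    replicaCount: 1
---
# Keyed variant for the YAML manifests artifact: public keys come from a Secret
# whose data keys end in .pub. The key body below is a placeholder, not real material.
apiVersion: v1
kind: Secret
metadata:
  name: cosign-public-keys
  namespace: flux-system
stringData:
  cosign.pub: |
    -----BEGIN PUBLIC KEY-----
    <PLACEHOLDER: paste the cosign.pub of your signing key pair here>
    -----END PUBLIC KEY-----
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: podinfo-manifests
  namespace: flux-system
spec:
  interval: 10m
  url: oci://ghcr.io/stefanprodan/manifests/podinfo   # assumed manifests location
  ref:
    semver: ">=6.1.6"
  # On a managed registry set provider to aws | azure | gcp so source-controller
  # authenticates with the cluster's workload identity instead of a stored secret.
  provider: generic
  verify:
    provider: cosign
    secretRef:
      name: cosign-public-keys   # artifact must verify against at least one .pub key
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: podinfo-manifests
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: OCIRepository
    name: podinfo-manifests
  path: ./
  prune: true
```

If verification fails, the OCIRepository or HelmChart is marked not Ready and nothing downstream is applied, so the failure surfaces in `flux get sources all` rather than as a half-applied release.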
14
Recap: Features of verification with cosign
● Software supply chain attacks
● OCI Artifact authenticity
● Sigstore cosign
○ Sponsored by Open Source Security Foundation (OpenSSF)
○ OpenID Connect, Root CA and Public Ledger
○ Keys: text-based, cloud KMS, Kubernetes Secret
● Container registry must support signed images
○ GitHub offers a simple way to get started with OCI and cosign
15
Defense in Depth
● What does it mean?
○ Overlapping protections
○ Risk assessment
○ Multiple mitigations
● Swiss-Cheese Strategy for Security
○ When there is a hole in one layer…
○ …the other layers enhance the probability of blocking attacks
16
Defense in Depth
● What does it mean for us?
○ Traditional approaches still apply:
■ Use a protected main branch, and CI checks
■ Use immutable images (requires support from the Container Registry)
○ New approaches we can add:
■ Signatures and verification
■ Verify:
● YAML manifests (declarative representation of prod/app)
● App Runtime Images
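Added example for the runtime-image layer (not from the talk): a Kyverno ClusterPolicy that admits only Pods whose podinfo image carries a keyless cosign signature issued to the podinfo release workflow. Assumes Kyverno 1.8 or later; the issuer and subject strings are what GitHub Actions OIDC produces for stefanprodan/podinfo and must be changed for your own image and workflow.

```yaml
# Added example, not from the talk: admission-time verification of the app
# runtime image, complementing the manifest/chart verification done by Flux.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-podinfo-runtime-image
spec:
  validationFailureAction: Enforce   # roll out as Audit first, then switch to Enforce
  background: false                  # image verification only makes sense at admission
  webhookTimeoutSeconds: 30
  failurePolicy: Fail                # fail closed if the registry or Rekor cannot be reached
  rules:
    - name: keyless-signature-from-release-workflow
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/stefanprodan/podinfo:*"
          mutateDigest: true         # rewrite the tag to the verified digest so it cannot move
          verifyDigest: true
          required: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Identity expected in the Fulcio certificate (assumed values):
                    # GitHub Actions is the OIDC issuer, the release workflow is the subject.
                    issuer: "https://token.actions.githubusercontent.com"
                    subject: "https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/*"
                    rekor:
                      url: https://rekor.sigstore.dev
```

Without the issuer/subject pins, keyless verification only proves that some GitHub-authenticated identity signed the image, which is why the policy names the exact workflow.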
17
Agenda: Tools we are using
● Helm
● Flux’s Helm Controller & Source Controller
● Sigstore cosign
● Git repository (GitHub)
● CI workflows (GitHub Actions)
● Container registry (GHCR)
18
Agenda: Tools we are using
● Helm
○ It’s ubiquitous
○ If you are using Kubernetes and you are not Google-scale
■ You basically can’t avoid Helm (everybody has Helm charts)
■ Lots of nice features, including lifecycle hooks
■ (Don’t over-analyze it)
○ Software + config distribution is commonly done with Helm charts
■ But it has some limitations
19
Agenda: Tools we are using
● Flux’s Helm Controller & Source Controller
○ Allows Helm to be used declaratively
○ Remediation and CRD upgrades
■ Features that aren’t natively in Helm
○ Helm + GitOps => (Flux implements this)
20-23
Agenda: Tools we are using
● Sigstore cosign
○ Popular new tool for verification of signatures
○ Enables traditional “keyed” signatures or
■ Keyless - OIDC-based workflow
○ OCI signatures
○ Flexible attestations
Q: How many people are signing releases now?
● What does keyless verification get us?
○ (If we don’t sign releases now, could it get any worse?)
24
Agenda: Tools we are using
● Git repository (GitHub)
○ (Also an OIDC provider)
○ Place to store and version code
25
Agenda: Tools we are using
● CI workflows (GitHub Actions)
○ Place for CI actions to run
○ (environment with ephemeral GITHUB_TOKEN)
26
Agenda: Tools we are using
● Container registry (GHCR)
○ Place for CI actions to store the results
○ (Signatures go in here, as OCI artifacts as well)
■ sha256-abcd1234ef98765.sig
○ Images have a “digest” which hashes their content
○ Cosign attestations can make and certify assertions (“CI Passed”)
○ “Packages” hold the manifests or app runtime images
■ Serve them up as an OCI Repository
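Added example of the CI side (not the podinfo or demo-repo workflow): a GitHub Actions job that pushes manifests to GHCR with the ephemeral GITHUB_TOKEN, signs the pushed digest keylessly with the runner's OIDC token, and verifies its own signature before the job ends. Assumes cosign 2.x installed by sigstore/cosign-installer, the Flux CLI action, and ./kustomize as the manifests directory in the repository.

```yaml
# Added example, not from the talk: sign the digest, never the tag. The signature
# lands in the same GHCR package as the artifact under the tag sha256-<digest>.sig.
name: release-manifests
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write      # push to GHCR with the job's ephemeral GITHUB_TOKEN
  id-token: write      # mint the OIDC token that Fulcio exchanges for a short-lived cert

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/${{ github.repository }}/manifests   # assumed package name
    steps:
      - uses: actions/checkout@v3
      - uses: fluxcd/flux2/action@main
      - uses: sigstore/cosign-installer@v3

      - name: Log in to GHCR
        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin

      - name: Push manifests as an OCI artifact and capture the digest
        id: push
        run: |
          # flux push can print the pushed artifact's metadata as JSON; keep only the digest
          digest=$(flux push artifact "oci://${IMAGE}:${GITHUB_REF_NAME}" \
            --path=./kustomize \
            --source="https://github.com/${{ github.repository }}" \
            --revision="${GITHUB_REF_NAME}@sha1:${GITHUB_SHA}" \
            --output=json | jq -r '.digest')
          echo "ref=${IMAGE}@${digest}" >> "$GITHUB_OUTPUT"

      - name: Sign by digest (keyless)
        # No key to store or rotate: the cert binds this repo's workflow identity
        # to the digest and the signing event is recorded in the public Rekor log.
        run: cosign sign --yes "${{ steps.push.outputs.ref }}"

      - name: Verify what we just signed
        # Pin the issuer and the identity; a bare keyless verify would accept any signer.
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/" \
            "${{ steps.push.outputs.ref }}"
```

The same issuer/identity pair is what a consumer should pin when verifying, whether in a Flux OCIRepository, a Kyverno policy, or by hand.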
27
Demo Time! (x2)
28
Links
● Demo Example Docs
○ https://github.com/kingdonb/flux-oci-demo-nov-29
○ (The repo we worked in today, with “solutions”; the README text shows what we did)
29
Links
● Podinfo
○ https://github.com/stefanprodan/podinfo
○ Keyless:
■ https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/release.yml#L90-L97
○ Keyed:
■ https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/release.yml#L118-L125
30
Links
● Flux Blog & Docs
○ https://fluxcd.io/blog/2022/10/prove-the-authenticity-of-oci-artifacts/
○ https://fluxcd.io/blog/2022/11/verify-the-integrity-of-the-helm-charts-stored-as-oci-artifacts-before-reconciling-them-with-flux/
○ https://fluxcd.io/blog/2022/08/manage-kyverno-policies-as-ocirepositories/
○ https://fluxcd.io/flux/cheatsheets/oci-artifacts/#signing-and-verification
● Security
○ https://fluxcd.io/flux/security/contextual-authorization/
○ https://fluxcd.io/flux/security/secrets-management/
31
Links
● Kyverno
○ https://kyverno.io/docs/writing-policies/verify-images/#verifying-image-attestations
○ https://kyverno.io/policies/flux/generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources/ <- Flux Multi-Tenancy Resource
● Kyverno uses Flux and Cosign:
○ https://github.com/kyverno/kyverno/blob/main/.github/workflows/release.yaml#L155-L172
32
Links
● (Who else uses Cosign today in their release process?)
● Prometheus Community does now:
○ https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
○ https://github.com/orgs/prometheus-community/packages?repo_name=helm-charts
● Flux Monitoring
○ https://fluxcd.io/flux/guides/monitoring/
33
Links
● (Who else uses Cosign today in their release process?)
● Cert-Manager does now:
○ https://cert-manager.io/docs/installation/code-signing/#container-images--cosign
34
Links
● (Who else uses Cosign today in their release process?)
● Harbor curiously does not:
○ However, Harbor users do already enjoy Cosign verification now:
○ https://goharbor.io/blog/cosign-2.5.0/
● You can see attestations and verify the signatures in the Harbor UI
35-36
Adoption
● Is coming!
● You can help by…
○ Trying this workflow out and reporting any issues you may have
○ Joining the community
● Flux Dev Meetings
● Flux Bug Scrub
○ https://fluxcd.io/#calendar
● (We’d love to have you join!)
37
GitOps Tools for Flux Visual Studio Code Extension
● An extension to enhance the developer experience
● An intuitive way to manage, troubleshoot and operate your Kubernetes environment following the GitOps operating model
● Accelerate your development lifecycle and simplify your continuous delivery pipelines
● GitOps Tools for Flux on GitHub: https://github.com/weaveworks/vscode-gitops-tools
● GitOps Tools for Flux in the Visual Studio Marketplace: https://marketplace.visualstudio.com/items?itemName=Weaveworks.vscode-gitops-tools
38
Weave GitOps
● Adds a web UI that surfaces key information to help application operators easily discover and resolve issues
● An intuitive interface that provides a guided experience to build understanding and simplify getting started for new users; they can easily discover the relationship between Flux objects and navigate to deeper levels of information as required
● Weave GitOps on GitHub: https://github.com/weaveworks/weave-gitops
● Weave GitOps Documentation: https://docs.gitops.weave.works/docs/intro/
39
Next Steps
● Join us on Flux discussions if you have more questions: https://github.com/fluxcd/flux2/discussions
● Flux Community: https://github.com/fluxcd/community/blob/main/community-roles.md
● Join the GitOps Community Group: https://www.meetup.com/GitOps-Community/
● Join the GitOps Community LinkedIn Group: https://www.linkedin.com/groups/13914610/
● VS Code Extension: https://code.visualstudio.com/
40
Thank you
weave.works
Confidential, do not distribute

Más contenido relacionado

Similar a Flux’s Security & Scalability with OCI & Helm Slides.pdf

WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?
Weaveworks
 
GitOps & Flux - A Refresher with Priyanka Ravi
GitOps & Flux - A Refresher with Priyanka RaviGitOps & Flux - A Refresher with Priyanka Ravi
GitOps & Flux - A Refresher with Priyanka Ravi
Weaveworks
 
Who needs containers in a serverless world
Who needs containers in a serverless worldWho needs containers in a serverless world
Who needs containers in a serverless world
Matthias Luebken
 
2013-03-07 indie developer toolkit
2013-03-07 indie developer toolkit2013-03-07 indie developer toolkit
2013-03-07 indie developer toolkit
CocoaHeads Tricity
 

Similar a Flux’s Security & Scalability with OCI & Helm Slides.pdf (20)

Rejekts 24 EU No GitOps Pain, No Platform Gain
Rejekts 24 EU No GitOps Pain, No Platform GainRejekts 24 EU No GitOps Pain, No Platform Gain
Rejekts 24 EU No GitOps Pain, No Platform Gain
 
meetup devops 2023/04/04 - Astonish April
meetup devops 2023/04/04 - Astonish Aprilmeetup devops 2023/04/04 - Astonish April
meetup devops 2023/04/04 - Astonish April
 
WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?
 
WTF is GitOps & Why Should You Care?
WTF is GitOps & Why Should You Care?WTF is GitOps & Why Should You Care?
WTF is GitOps & Why Should You Care?
 
GitOps & Flux - A Refresher with Priyanka Ravi
GitOps & Flux - A Refresher with Priyanka RaviGitOps & Flux - A Refresher with Priyanka Ravi
GitOps & Flux - A Refresher with Priyanka Ravi
 
Continuous integration is not a solved problem
Continuous integration is not a solved problemContinuous integration is not a solved problem
Continuous integration is not a solved problem
 
CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...
CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...
CodiLime Tech Talk - Dawid Trzebiatowski i Wojciech Urbański: Opening the Flo...
 
Who needs containers in a serverless world
Who needs containers in a serverless worldWho needs containers in a serverless world
Who needs containers in a serverless world
 
Promise of DevOps
Promise of DevOpsPromise of DevOps
Promise of DevOps
 
Cloud Native Applications on Kubernetes: a DevOps Approach
Cloud Native Applications on Kubernetes: a DevOps ApproachCloud Native Applications on Kubernetes: a DevOps Approach
Cloud Native Applications on Kubernetes: a DevOps Approach
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOps
 
GitOps Testing in Kubernetes with Flux and Testkube.pdf
GitOps Testing in Kubernetes with Flux and Testkube.pdfGitOps Testing in Kubernetes with Flux and Testkube.pdf
GitOps Testing in Kubernetes with Flux and Testkube.pdf
 
Pentester++
Pentester++Pentester++
Pentester++
 
2013-03-07 indie developer toolkit
2013-03-07 indie developer toolkit2013-03-07 indie developer toolkit
2013-03-07 indie developer toolkit
 
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
 
Data Science in the Cloud @StitchFix
Data Science in the Cloud @StitchFixData Science in the Cloud @StitchFix
Data Science in the Cloud @StitchFix
 
Free GitOps Workshop (with Intro to Kubernetes & GitOps)
Free GitOps Workshop (with Intro to Kubernetes & GitOps)Free GitOps Workshop (with Intro to Kubernetes & GitOps)
Free GitOps Workshop (with Intro to Kubernetes & GitOps)
 
Cinder Update, OpenInfra Meetup Q3 China, 2020-09-26
Cinder Update, OpenInfra Meetup Q3 China, 2020-09-26Cinder Update, OpenInfra Meetup Q3 China, 2020-09-26
Cinder Update, OpenInfra Meetup Q3 China, 2020-09-26
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
 
Contributions to an open source project: Igalia and the Chromium project
Contributions to an open source project: Igalia and the Chromium projectContributions to an open source project: Igalia and the Chromium project
Contributions to an open source project: Igalia and the Chromium project
 

Más de Weaveworks

SRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdfSRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
Weaveworks
 
How to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy CatastrophesHow to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy Catastrophes
Weaveworks
 
Robust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and CiliumRobust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and Cilium
Weaveworks
 

Más de Weaveworks (20)

Weave AI Controllers (Weave GitOps Office Hours)
Weave AI Controllers (Weave GitOps Office Hours)Weave AI Controllers (Weave GitOps Office Hours)
Weave AI Controllers (Weave GitOps Office Hours)
 
Flamingo: Expand ArgoCD with Flux (Office Hours)
Flamingo: Expand ArgoCD with Flux (Office Hours)Flamingo: Expand ArgoCD with Flux (Office Hours)
Flamingo: Expand ArgoCD with Flux (Office Hours)
 
Six Signs You Need Platform Engineering
Six Signs You Need Platform EngineeringSix Signs You Need Platform Engineering
Six Signs You Need Platform Engineering
 
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdfSRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
 
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOpsWebinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
 
Flux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCIFlux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCI
 
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes ClustersAutomated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
 
How to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy CatastrophesHow to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy Catastrophes
 
Building internal developer platform with EKS and GitOps
Building internal developer platform with EKS and GitOpsBuilding internal developer platform with EKS and GitOps
Building internal developer platform with EKS and GitOps
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
 
Implementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancyImplementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancy
 
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKS
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKSAccelerating Hybrid Multistage Delivery with Weave GitOps on EKS
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKS
 
The Story of Flux Reaching Graduation in the CNCF
The Story of Flux Reaching Graduation in the CNCFThe Story of Flux Reaching Graduation in the CNCF
The Story of Flux Reaching Graduation in the CNCF
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
 
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsDeploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
 
Robust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and CiliumRobust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and Cilium
 
Simplifying Hybrid Kubernetes with Weaveworks and EKS.pdf
Simplifying Hybrid Kubernetes with Weaveworks and EKS.pdfSimplifying Hybrid Kubernetes with Weaveworks and EKS.pdf
Simplifying Hybrid Kubernetes with Weaveworks and EKS.pdf
 
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
 
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
 

Último

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 

Último (20)

Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 

Flux’s Security & Scalability with OCI & Helm Slides.pdf

  • 1. 1 November 29, 2022 Flux’s Security & Scalability with OCI & Helm Kingdon Barrett OSS Engineer, Weaveworks Vanessa Abankwah DX Community Manager, Weaveworks
  • 2. 2 Weaveworks is founded on open source ● Flux & Flagger (CNCF): GitOps and Progressive Delivery for k8s ● EKSctl: Create an Amazon EKS cluster with one command ● (and many many more projects!) And now … Weave GitOps......Built on Flux! weave.works
  • 3. 3 Speakers Help/Support Kingdon Barrett OSS Engineer Vanessa Abankwah DX Community Manager ,Weaveworks Duration 30-40 Minutes Browser Safari copy/paste shortcuts may not work Using Zoom Questions? • Use chat (button: top left corner of screen) • Escape to exit full screen • “To Everyone” or “To all panelists and attendees” Support: https://support.zoom.us/hc/ en-us/articles/206175806-T op-Questions Troubleshooting Use chat If the issue is not easily resolved, we ask that you follow along as we demo the sample app. Flux’s Security & Scalability with OCI & Helm
  • 4. 4 HashiCorp User Group Luxembourg (virtual) Nov 30 WOUG: Implementing Flux for Scale with Soft Multi-tenancy (Dec 13) Upcoming Events
  • 5. 5 5 ● Operating model for cloud native applications such as Kubernetes ● Utilizes a version controlled system (Commonly Git) as the “single source of truth” ● Enables continuous delivery through automated deployment, monitoring, and management by a version controlled system ● Managing your infrastructure and applications declaratively Recap: What is GitOps
  • 6. 6 6 ● 2 wks ago: (https://youtu.be/Bmh7kKYLIhY) Flux with “OCI Bootstrap” ● OCIRepository “standing in” for GitRepository as root Source Of Truth ○ “Bootstrap Lite” ● Non-standard config ○ We started to get ideas about where OCI can be used ○ Primitives: use them how you want, these are only examples ● (Podinfo app still managed via Git) ○ stand in for “upstreams we can’t control” ● Today is “Part 2” of the series Recap: Flux Security & Scalability (VSCode + OCI + Cosign)
  • 7. 7 7 Still GitOps? OCI + Flux == GitOps ● Git is still the source of truth ● Before: ○ Git => Flux ● After: ○ Git => OCI registry => Flux
  • 8. 8 8 Still GitOps? OCI + Flux == GitOps ● Git is still the source of truth ● Before: ○ Git => Flux ● After: ○ Git => OCI registry => Flux ○ New opportunities for validation, etc. ○ (We added a CI Step!)
  • 9. 9 Source: GitOps Working Group https://opengitops.dev/
  • 11. 11 11 Security & Scalability ● Pulling an OCI image is much less resource-intensive compared to a full or shallow Git clone ● Highly available registries are on every cloud provider ● Flux leverages Kubernetes workload identity and IAM when pulling OCI artifacts from managed registries ○ => No more key management ○ => No more SSH keys to generate ○ => No more proprietary API usage for token generation
  • 12. 12 12 Recap: Security & Scalability ● Last time: Image verification with cosign ○ “Two types” of images ■ Application runtime (not verified) ■ Manifests (YAML) - and how to publish as OCI, sign, etc. ● This time: …
  • 13. 13 13 Recap: Security & Scalability ● Last time: Image verification with cosign ○ “Two types” of images ■ Application runtime (not verified) ■ Manifests (YAML) - and how to publish as OCI, sign, etc. ● Today: let’s add ○ Helm Charts, and Cosign verification on HelmReleases ○ Keyless Cosign Signatures (and keyed) ● Bonus: ○ App runtime image verification with Kyverno
  • 14. 14 14 ● Software supply chain attacks ● OCI Artifact authenticity ● Sigstore cosign ○ Sponsored by Open Source Security Foundation (OpenSSF) ○ OpenID Connect, Root CA and Public Ledger ○ Keys: text-based, cloud KMS, Kubernetes Secret ● Container registry must support signed images ○ GitHub offers a simple way to get started with OCI and cosign Recap: Features of verification with cosign
  • 15. 15 15 ● What does it mean? ○ Overlapping protections ○ Risk assessment ○ Multiple mitigations ● Swiss-Cheese Strategy for Security ○ When there is a hole in one layer… ○ …the other layers enhance the probability of blocking attacks Defense in Depth
  • 16. 16 16 ● What does it mean for us? ○ Traditional approaches still apply: ■ Use a protected main branch, and CI checks ■ Use immutable images (req. support from Container Registry) ○ New approaches we can add: ■ Signatures and verification ■ Verify: ● YAML manifests (declarative representation of prod/app) ● App Runtime Images Defense in Depth
  • 17. Agenda: Tools we are using
    ● Helm
    ● Flux’s Helm Controller & Source Controller
    ● Sigstore cosign
    ● Git repository (GitHub)
    ● CI workflows (GitHub Actions)
    ● Container registry (GHCR)
  • 18. Agenda: Tools we are using
    ● Helm
      ○ It’s ubiquitous
      ○ If you are using Kubernetes and you are not Google-scale
        ■ You basically can’t avoid Helm (everybody has helm charts)
        ■ Lots of nice features including lifecycle hooks
        ■ (Don’t over-analyze it)
      ○ Software + config distro commonly done with Helm charts
        ■ But it has some limitations
  • 19. Agenda: Tools we are using
    ● Flux’s Helm Controller & Source Controller
      ○ Allows Helm to be used declaratively
      ○ Remediation and CRD upgrades
        ■ Features that aren’t natively in Helm
      ○ Helm + GitOps => (Flux implements this)
  • 20. Agenda: Tools we are using
    ● Sigstore cosign
      ○ Popular new tool for verification of signatures
      ○ Enables traditional “keyed” signatures or
        ■ Keyless - OIDC-based workflow
      ○ OCI signatures
      ○ Flexible attestations
  • 23. Agenda: Tools we are using
    ● Sigstore cosign
      ○ Popular new tool for verification of signatures
      ○ Enables traditional “keyed” signatures or
        ■ Keyless - OIDC-based workflow
    Q: How many people are signing releases now?
    ● What does keyless verification get us?
      ○ (If we don’t sign releases now, could it get any worse?)
  • 24. Agenda: Tools we are using
    ● Git repository (GitHub)
      ○ (Also an OIDC provider)
      ○ Place to store and version code
  • 25. Agenda: Tools we are using
    ● CI workflows (GitHub Actions)
      ○ Place for CI actions to run
      ○ (environment with ephemeral GITHUB_TOKEN)
  • 26. Agenda: Tools we are using
    ● Container registry (GHCR)
      ○ Place for CI actions to store the results
      ○ (Signatures go in here, as OCI artifacts as well)
        ■ sha256-abcd1234ef98765.sig
      ○ Images have a “digest” which hashes their content
      ○ Cosign attestations can make+certify assertions (“CI Passed”)
      ○ “Packages” hold the manifests or app runtime images
        ■ Serve them up as an OCI Repository
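How the three pieces on the last slides (GitHub as OIDC provider, an Actions job with an ephemeral GITHUB_TOKEN, GHCR holding the artifact and its `.sig`) fit together, as an added workflow example that is not the demo repo's own: it pushes a chart to GHCR, captures the pushed digest, and signs that digest both keyless and keyed. The chart path, registry layout and secret names are assumptions.

```yaml
# Added example: publish a chart to GHCR and sign it with cosign.
# charts/podinfo, the CHART_REPO layout and the COSIGN_* secrets are placeholders.
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  packages: write   # lets the ephemeral GITHUB_TOKEN push to GHCR
  id-token: write   # lets cosign obtain an OIDC token for keyless signing
jobs:
  publish-chart:
    runs-on: ubuntu-latest
    env:
      CHART_REPO: ghcr.io/${{ github.repository_owner }}/charts   # assumed layout
    steps:
      - uses: actions/checkout@v3
      - uses: sigstore/cosign-installer@v2
      - uses: docker/login-action@v2          # cosign reads this docker config
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Package and push the chart as an OCI artifact
        id: push
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$GITHUB_TOKEN" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin
          VERSION="${GITHUB_REF_NAME#v}"
          helm package charts/podinfo --version "$VERSION"
          # helm push prints "Digest: sha256:..."; sign that digest rather than
          # the tag, so the signature cannot be re-pointed by moving the tag later.
          DIGEST=$(helm push "podinfo-$VERSION.tgz" "oci://$CHART_REPO" 2>&1 | awk '/Digest:/ {print $2}')
          echo "ref=$CHART_REPO/podinfo@$DIGEST" >> "$GITHUB_OUTPUT"
      - name: Sign (keyless) with this workflow run's OIDC identity
        env:
          COSIGN_EXPERIMENTAL: "1"   # enables the keyless flow in cosign 1.x
        run: cosign sign ${{ steps.push.outputs.ref }}
      - name: Sign (keyed) with a private key held in repository secrets
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: cosign sign --key env://COSIGN_PRIVATE_KEY ${{ steps.push.outputs.ref }}
```

Both signatures are appended to the same `sha256-<digest>.sig` tag next to the chart in GHCR, so a verifier configured for either keyless or keyed checking will find one it can validate.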
  • 28. Links
    ● Demo Example Docs
      ○ https://github.com/kingdonb/flux-oci-demo-nov-29
      ○ (The repo we worked in today, with “solutions”; the text in the README shows what we did)
  • 29. Links
    ● Podinfo
      ○ https://github.com/stefanprodan/podinfo
      ○ Keyless:
        ■ https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/release.yml#L90-L97
      ○ Keyed:
        ■ https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/release.yml#L118-L125
  • 30. Links
    ● Flux Blog & Docs
      ○ https://fluxcd.io/blog/2022/10/prove-the-authenticity-of-oci-artifacts/
      ○ https://fluxcd.io/blog/2022/11/verify-the-integrity-of-the-helm-charts-stored-as-oci-artifacts-before-reconciling-them-with-flux/
      ○ https://fluxcd.io/blog/2022/08/manage-kyverno-policies-as-ocirepositories/
      ○ https://fluxcd.io/flux/cheatsheets/oci-artifacts/#signing-and-verification
    ● Security
      ○ https://fluxcd.io/flux/security/contextual-authorization/
      ○ https://fluxcd.io/flux/security/secrets-management/
  • 31. Links
    ● Kyverno
      ○ https://kyverno.io/docs/writing-policies/verify-images/#verifying-image-attestations
      ○ https://kyverno.io/policies/flux/generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources/ <- Flux Multi-Tenancy Resource
    ● Kyverno uses Flux and Cosign:
      ○ https://github.com/kyverno/kyverno/blob/main/.github/workflows/release.yaml#L155-L172
  • 32. Links
    ● (Who else uses Cosign today in their release process?)
    ● Prometheus Community does now:
      ○ https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
      ○ https://github.com/orgs/prometheus-community/packages?repo_name=helm-charts
    ● Flux Monitoring
      ○ https://fluxcd.io/flux/guides/monitoring/
  • 33. Links
    ● (Who else uses Cosign today in their release process?)
    ● Cert-Manager does now:
      ○ https://cert-manager.io/docs/installation/code-signing/#container-images--cosign
  • 34. Links
    ● (Who else uses Cosign today in their release process?)
    ● Harbor curiously does not:
      ○ However, Harbor users do already enjoy Cosign verification now:
      ○ https://goharbor.io/blog/cosign-2.5.0/
    ● You can see attestations and verify the signatures in Harbor UI
  • 36. Adoption
    ● Is coming!
    ● You can help by…
      ○ Trying this workflow out and reporting any issues you may have
      ○ Joining the community
    ● Flux Dev Meetings
    ● Flux Bug Scrub
      ○ https://fluxcd.io/#calendar
    ● (We’d love to have you join!)
  • 37. GitOps Tools for Flux Visual Studio Code Extension
    ● An extension to enhance the developer experience
    ● An intuitive way to manage, troubleshoot and operate your Kubernetes environment following the GitOps operating model
    ● Accelerate your development lifecycle and simplify your continuous delivery pipelines
    ● GitOps Tools Visual Studio Code on GitHub: https://github.com/weaveworks/vscode-gitops-tools
    ● GitOps Tools for Flux in Visual Studio Marketplace: https://marketplace.visualstudio.com/items?itemName=Weaveworks.vscode-gitops-tools
  • 38. Weave GitOps
    ● Adds a web UI that surfaces key information to help application operators easily discover and resolve issues
    ● An intuitive interface that provides a guided experience to build understanding and simplify getting started for new users; they can easily discover the relationship between Flux objects and navigate to deeper levels of information as required
    ● Weave GitOps on GitHub: https://github.com/weaveworks/weave-gitops
    ● Weave GitOps Documentation: https://docs.gitops.weave.works/docs/intro/
  • 39. Next Steps
    ● Join us on Flux discussions if you have more questions: https://github.com/fluxcd/flux2/discussions
    ● Flux Community: https://github.com/fluxcd/community/blob/main/community-roles.md
    ● Join the GitOps Community Group: https://www.meetup.com/GitOps-Community/
    ● Join the GitOps Community LinkedIn Group: https://www.linkedin.com/groups/13914610/
    ● VS Code Extension: https://code.visualstudio.com/
  • 40. Thank you
    weave.works