SlideShare una empresa de Scribd logo

KubeCon 2022 EU Flux Security.pdf

Weaveworks
Weaveworks

In this session Stefan will go deep into the security aspects of Flux v2. We’ll start by explaining the Flux authorization model and how it relates to Kubernetes RBAC and account impersonation. Then we’ll compare the soft and hard multitenancy models from a GitOps perspective. We’ll explore the configuration options on how platform admins can lockdown Flux on multitenant environments and how they can onboard tenants onto clusters using the Flux CLI and Git. Finally we’ll talk about the Flux roadmap for 2022.

Tecnología
1 de 24
Descargar para leer sin conexión
Flux Security Deep Dive Stefan Prodan Flux & Flagger Maintainer Principal Engineer @ Weaveworks
Flux - Project overview The Flux project aims to provide a complete Continuous Delivery platform on top of Kubernetes, supporting all the common practices and tooling in the field. Flux v2 is powered by the GitOps Toolkit, a set of composable APIs and specialized tools for keeping Kubernetes clusters in sync with sources of configuration, and automating updates to configuration when there is new code to deploy. Flagger is a Progressive Delivery tool that automates the release process for applications running on Kubernetes. Flagger comes with a declarative model for decoupling the deployment of apps on Kubernetes from the release process. https://github.com/fluxcd/flux2 https://github.com/fluxcd/flagger
Flux - GitOps Continuous Delivery
Agenda ● How is Flux made ● How secure is Flux ● Are my secrets safe in Git ● Is Kubernetes really multi-tenant ● Flux soft vs hard multi-tenancy ● When will Flux v2 be GA
Flux is made of many things ● Kubernetes API extensions (CRDs) ● Specialized Kubernetes operators (powered by controller-runtime) ● Flux command-line tool (powered by Kubernetes cli-utils) ● Flux Terraform provider ● Go & C libraries (Go stdlib, Kubernetes client-go, kstatus, go-git, libgit2, kustomize, helm, minio, oras, sops, age, aws, azure, gcp, github, gitlab, bitbucket SDKs… and some more) What is Flux made of?
WELCOME TO VALENCIA How can a handful of people maintain such a project? With care… A helpful community And lots of automations
Flux Libraries, controllers and CLI UNIT TEST OSS FUZZ BUILD RELEASE E2E TEST Flux - release pipeline ASSEMBLE AMD64 E2E ARM64 E2E RELEASE CLOUD E2E GitHub Linux & macOS Equinix Metal Linux AKS + DevOps, EKS, GKE Kubernetes KIND 1.20…1.24 Flux GitHub Bot SCAN GitHub CodeQL, Snyk Cosign & SBOM
A Flux release is comprised of ● Multi-arch container images (GHCR & DockerHub) ● Signed images and checksums (Cosign + GitHub OIDC) ● Software Bill of Materials (SBOM SPDX) ● Deployment manifests (YAML) ● OpenAPI specs (JSON) ● CLI binaries (Linux, macOS & Windows) ● Packages (Homebrew, Arch Aur, NIX, Chocolatey) ● Flux Terraform provider (Terraform Registry) ● Flux GitHub Action (AMD64 & ARM64 runners) Flux - release artifacts
What makes the Flux controllers secure? ● No shell-out to 3rd party binaries ● All Linux capabilities are dropped ● The root filesystem is set to read-only ● The seccomp profile is runtime default ● Controllers run as non-root ● Uses Kubernetes impersonation API
Unlike most CD products, Flux has a small attack surface ● Flux controllers are statically built and have no dependencies on OS packages ● No shell-exec to git, kubectl, helm, kustomize, sops, aws, gcloud, etc ● No HTTP APIs, you can control Flux only via Kubernetes API ● All actions performed on the cluster are auditable and subject to Kubernetes RBAC ● Flux execution is predictable, there are no plugins nor scripting ● Flux can only be extended with other controllers that adhere to the GitOps Toolkit std Flux vs competition?
Flux is embedded in ● Azure Arc ● Amazon EKS Anywhere ● VMware Tanzu ● D2iQ Enterprise Kubernetes Platform ● Platform One (US DoD & US Air Force) ● Deutsche Telekom Das Schiff ● And many more Who trusts in Flux?
● In 2021 Flux has undergone a security audit (OSTIF & ADA Logics) ○ We’ve addressed all the security issues found in record time ○ We’ve put in place an RFC process for changes to Flux security posture ● In 2022 the Flux team focused on security hardening ○ We’ve found and addressed a series of multi-tenancy vulnerabilities ○ We’ve made secrets decryption safer on multi-tenant environments ○ We’ve improved the test coverage of sensitive operations ● Flux is scheduled to undergo a security review by CNCF TAG Security How secure is Flux?
Is Flux bulletproof?
How to keep Flux up-to-date? Flux is able to update itself from Git. We offer a GitHub Action that checks for new releases and opens a pull request on your bootstrap repository when a newer Flux version is available. For GitLab, BitBucket, Azure DevOps and other platforms, you can use Renovate Bot which offers the same update automation for Flux.
What security challenges come with GitOps? ● Keeping secrets safe ● Restricting access to sensitive data ● Compromised Git credentials ● Prevent destructive cluster ops
Flux comes with built-in secrets management ● Client-side encryption with Mozilla SOPS ● Server-side decryption with Flux ● Supported technologies ○ Age Encryption and OpenPGP ○ Hashicorp Vault ○ AWS Key Management Service ○ Azure Key Vault ○ Google Cloud KMS The Flux team is committed to SOPS’ development and maintenance Are my secrets safe in Git?
Secrets operations
WELCOME TO VALENCIA Is Kubernetes truly multi-tenant? In some regards YES but soft multi-tenancy is difficult to secure while hard multi-tenancy can be easier to reason with but hard to orchestrate.
Flux bridges the gap between Kubernetes and Git tenancy models. ● Kubernetes ○ Dedicated clusters per tenant (hard multi-tenancy) ○ Namespaces and role bindings ○ Node groups, taints and tolerations ○ Resource quotas and network policies ○ 3rd party policies (OPA & Kyverno) ● Git ○ Dedicated repositories per tenant (hard multi-tenancy) ○ Protected branches ○ Team access management (GitHub, GitLab, etc) Tenant isolation boundaries
Flux - GitOps Multi-Tenancy Flux enables multi-tenancy by allowing platform admins to assign restricted Kubernetes accounts to the tenants’ sources. When Flux reconciles the tenant’s Kubernetes resources, it does so by impersonating the tenant’s account, thus enforcing the isolation boundary as defined by platform admins in their Git repo.
Demo Multi-tenancy with Flux and Kubernetes namespace-as-a-service https://github.com/fluxcd/flux2-multi-tenancy
When will Flux v2 reach GA? TODOs ● Adopt kstatus for all Flux APIs ● Helm controller refactoring ● Support for Helm OCI ● Notification API improvements ● Documentation refactoring https://fluxcd.io/roadmap
Additional Resources https://fluxcd.io/security https://fluxcd.io/docs/security https://github.com/fluxcd/flux 2-multi-tenancy https://fluxcd.io/docs/guides/ mozilla-sops/
THANK YOU! https://twitter.com/stefanprodan

Recomendados

Terraform and Weave GitOps: Build a Fully Automated Application Stack
Terraform and Weave GitOps: Build a Fully Automated Application StackTerraform and Weave GitOps: Build a Fully Automated Application Stack
Terraform and Weave GitOps: Build a Fully Automated Application Stack
Weaveworks
 
OpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfOpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdf
ssuser1490e8
 
WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?
Weaveworks
 
Get started with gitops and flux
Get started with gitops and fluxGet started with gitops and flux
Get started with gitops and flux
LibbySchulze1
 
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installation
Robert Bohne
 
Openshift Container Platform
Openshift Container PlatformOpenshift Container Platform
Openshift Container Platform
DLT Solutions
 
Intro to Kubernetes & GitOps Workshop
Intro to Kubernetes & GitOps WorkshopIntro to Kubernetes & GitOps Workshop
Intro to Kubernetes & GitOps Workshop
Weaveworks
 
The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps Toolkit
Weaveworks
 

Recomendados

Terraform and Weave GitOps: Build a Fully Automated Application Stack
Terraform and Weave GitOps: Build a Fully Automated Application StackTerraform and Weave GitOps: Build a Fully Automated Application Stack
Terraform and Weave GitOps: Build a Fully Automated Application Stack
Weaveworks
 
OpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdfOpenShift Virtualization- Technical Overview.pdf
OpenShift Virtualization- Technical Overview.pdf
ssuser1490e8
 
WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?
Weaveworks
 
Get started with gitops and flux
Get started with gitops and fluxGet started with gitops and flux
Get started with gitops and flux
LibbySchulze1
 
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installation
Robert Bohne
 
Openshift Container Platform
Openshift Container PlatformOpenshift Container Platform
Openshift Container Platform
DLT Solutions
 
Intro to Kubernetes & GitOps Workshop
Intro to Kubernetes & GitOps WorkshopIntro to Kubernetes & GitOps Workshop
Intro to Kubernetes & GitOps Workshop
Weaveworks
 
The Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps ToolkitThe Power of GitOps with Flux & GitOps Toolkit
The Power of GitOps with Flux & GitOps Toolkit
Weaveworks
 
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.ioTHE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
DevOpsDays Tel Aviv
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
sparkfabrik
 
OpenShift Enterprise
OpenShift EnterpriseOpenShift Enterprise
OpenShift Enterprise
Ali Sadeghi Ardestani
 
Intro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdfIntro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdf
Weaveworks
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep dive
Winton Winton
 
Introduction to openshift
Introduction to openshiftIntroduction to openshift
Introduction to openshift
MamathaBusi
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands On
Brice Fernandes
 
GitOps for Helm Users by Scott Rigby
GitOps for Helm Users by Scott RigbyGitOps for Helm Users by Scott Rigby
GitOps for Helm Users by Scott Rigby
Weaveworks
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Crevise Technologies
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
Eueung Mulyana
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
Kangaroot
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
ssuser31375f
 
GitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan BudrisGitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan Budris
Weaveworks
 
Fantastic Buildpacks and Where to Find Them
Fantastic Buildpacks and Where to Find ThemFantastic Buildpacks and Where to Find Them
Fantastic Buildpacks and Where to Find Them
Joe Kutner
 
Introduction of kubernetes rancher
Introduction of kubernetes rancherIntroduction of kubernetes rancher
Introduction of kubernetes rancher
cyberblack28 Ichikawa
 
Project calico - introduction
Project calico - introductionProject calico - introduction
Project calico - introduction
Hazzim Anaya
 
Continuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteContinuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event Keynote
Weaveworks
 
Rancher and Kubernetes Best Practices
Rancher and Kubernetes Best PracticesRancher and Kubernetes Best Practices
Rancher and Kubernetes Best Practices
Avinash Patil
 
Kubernetes Workshop
Kubernetes WorkshopKubernetes Workshop
Kubernetes Workshop
loodse
 
How to manage Kubernetes at scale with just git
How to manage Kubernetes at scale with just git How to manage Kubernetes at scale with just git
How to manage Kubernetes at scale with just git
Weaveworks
 
The Story of Flux Reaching Graduation in the CNCF
The Story of Flux Reaching Graduation in the CNCFThe Story of Flux Reaching Graduation in the CNCF
The Story of Flux Reaching Graduation in the CNCF
Weaveworks
 

Más contenido relacionado

La actualidad más candente

THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.ioTHE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
DevOpsDays Tel Aviv
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
GitOps for Helm Users by Scott Rigby
GitOps for Helm Users by Scott RigbyGitOps for Helm Users by Scott Rigby
GitOps for Helm Users by Scott Rigby
Weaveworks
 
GitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan BudrisGitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan Budris
Weaveworks
 
Project calico - introduction
Project calico - introductionProject calico - introduction
Project calico - introduction
Hazzim Anaya
 
Continuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteContinuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event Keynote
Weaveworks
 

La actualidad más candente (20)

THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.ioTHE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
 
OpenShift Enterprise
OpenShift EnterpriseOpenShift Enterprise
OpenShift Enterprise
 
Intro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdfIntro to GitOps & Flux.pdf
Intro to GitOps & Flux.pdf
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep dive
 
Introduction to openshift
Introduction to openshiftIntroduction to openshift
Introduction to openshift
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands On
 
GitOps for Helm Users by Scott Rigby
GitOps for Helm Users by Scott RigbyGitOps for Helm Users by Scott Rigby
GitOps for Helm Users by Scott Rigby
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
 
GitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan BudrisGitOps with Amazon EKS Anywhere by Dan Budris
GitOps with Amazon EKS Anywhere by Dan Budris
 
Fantastic Buildpacks and Where to Find Them
Fantastic Buildpacks and Where to Find ThemFantastic Buildpacks and Where to Find Them
Fantastic Buildpacks and Where to Find Them
 
Introduction of kubernetes rancher
Introduction of kubernetes rancherIntroduction of kubernetes rancher
Introduction of kubernetes rancher
 
Project calico - introduction
Project calico - introductionProject calico - introduction
Project calico - introduction
 
Continuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteContinuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event Keynote
 
Rancher and Kubernetes Best Practices
Rancher and Kubernetes Best PracticesRancher and Kubernetes Best Practices
Rancher and Kubernetes Best Practices
 
Kubernetes Workshop
Kubernetes WorkshopKubernetes Workshop
Kubernetes Workshop
 

Similar a KubeCon 2022 EU Flux Security.pdf

WTF is GitOps & Why Should You Care?
WTF is GitOps & Why Should You Care?WTF is GitOps & Why Should You Care?
WTF is GitOps & Why Should You Care?
All Things Open
 
GitOps & Flux - A Refresher with Priyanka Ravi
GitOps & Flux - A Refresher with Priyanka RaviGitOps & Flux - A Refresher with Priyanka Ravi
GitOps & Flux - A Refresher with Priyanka Ravi
Weaveworks
 
Implementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancyImplementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancy
Weaveworks
 
Moby KubeCon 2017
Moby KubeCon 2017Moby KubeCon 2017
Moby KubeCon 2017
Patrick Chanezon
 
20221130 - Luxembourg HUG Meetup
20221130 - Luxembourg HUG Meetup20221130 - Luxembourg HUG Meetup
20221130 - Luxembourg HUG Meetup
Stéphane Este-Gracias
 
Free GitOps Workshop
Free GitOps WorkshopFree GitOps Workshop
Free GitOps Workshop
Weaveworks
 
Free GitOps Workshop (with Intro to Kubernetes & GitOps)
Free GitOps Workshop (with Intro to Kubernetes & GitOps)Free GitOps Workshop (with Intro to Kubernetes & GitOps)
Free GitOps Workshop (with Intro to Kubernetes & GitOps)
Weaveworks
 
Flux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCIFlux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCI
Weaveworks
 
Flux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCI Flux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCI
CezzaineZaher1
 
Webinar: Capabilities, Confidence and Community – What Flux GA Means for You
Webinar: Capabilities, Confidence and Community – What Flux GA Means for YouWebinar: Capabilities, Confidence and Community – What Flux GA Means for You
Webinar: Capabilities, Confidence and Community – What Flux GA Means for You
Weaveworks
 
Reconcile Terraform Resources the GitOps Way with Priyanka Ravi
Reconcile Terraform Resources the GitOps Way with Priyanka RaviReconcile Terraform Resources the GitOps Way with Priyanka Ravi
Reconcile Terraform Resources the GitOps Way with Priyanka Ravi
Weaveworks
 

Similar a KubeCon 2022 EU Flux Security.pdf (20)

How to manage Kubernetes at scale with just git
How to manage Kubernetes at scale with just git How to manage Kubernetes at scale with just git
How to manage Kubernetes at scale with just git
 
The Story of Flux Reaching Graduation in the CNCF
The Story of Flux Reaching Graduation in the CNCFThe Story of Flux Reaching Graduation in the CNCF
The Story of Flux Reaching Graduation in the CNCF
 
WTF is GitOps & Why Should You Care?
WTF is GitOps & Why Should You Care?WTF is GitOps & Why Should You Care?
WTF is GitOps & Why Should You Care?
 
Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017
 
GitOps & Flux - A Refresher with Priyanka Ravi
GitOps & Flux - A Refresher with Priyanka RaviGitOps & Flux - A Refresher with Priyanka Ravi
GitOps & Flux - A Refresher with Priyanka Ravi
 
Implementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancyImplementing Flux for Scale with Soft Multi-tenancy
Implementing Flux for Scale with Soft Multi-tenancy
 
[Global logic] container runtimes and kubernetes
[Global logic] container runtimes and kubernetes[Global logic] container runtimes and kubernetes
[Global logic] container runtimes and kubernetes
 
Moby KubeCon 2017
Moby KubeCon 2017Moby KubeCon 2017
Moby KubeCon 2017
 
Flux is incubating + the road ahead
Flux is incubating + the road aheadFlux is incubating + the road ahead
Flux is incubating + the road ahead
 
20221130 - Luxembourg HUG Meetup
20221130 - Luxembourg HUG Meetup20221130 - Luxembourg HUG Meetup
20221130 - Luxembourg HUG Meetup
 
Free GitOps Workshop
Free GitOps WorkshopFree GitOps Workshop
Free GitOps Workshop
 
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
 
Revolutionizing WSO2 PaaS with Kubernetes & App Factory
Revolutionizing WSO2 PaaS with Kubernetes & App FactoryRevolutionizing WSO2 PaaS with Kubernetes & App Factory
Revolutionizing WSO2 PaaS with Kubernetes & App Factory
 
Free GitOps Workshop (with Intro to Kubernetes & GitOps)
Free GitOps Workshop (with Intro to Kubernetes & GitOps)Free GitOps Workshop (with Intro to Kubernetes & GitOps)
Free GitOps Workshop (with Intro to Kubernetes & GitOps)
 
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
 
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
 
Flux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCIFlux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCI
 
Flux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCI Flux Beyond Git Harnessing the Power of OCI
Flux Beyond Git Harnessing the Power of OCI
 
Webinar: Capabilities, Confidence and Community – What Flux GA Means for You
Webinar: Capabilities, Confidence and Community – What Flux GA Means for YouWebinar: Capabilities, Confidence and Community – What Flux GA Means for You
Webinar: Capabilities, Confidence and Community – What Flux GA Means for You
 
Reconcile Terraform Resources the GitOps Way with Priyanka Ravi
Reconcile Terraform Resources the GitOps Way with Priyanka RaviReconcile Terraform Resources the GitOps Way with Priyanka Ravi
Reconcile Terraform Resources the GitOps Way with Priyanka Ravi
 

Más de Weaveworks

Weave AI Controllers (Weave GitOps Office Hours)
Weave AI Controllers (Weave GitOps Office Hours)Weave AI Controllers (Weave GitOps Office Hours)
Weave AI Controllers (Weave GitOps Office Hours)
Weaveworks
 
Six Signs You Need Platform Engineering
Six Signs You Need Platform EngineeringSix Signs You Need Platform Engineering
Six Signs You Need Platform Engineering
Weaveworks
 
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdfSRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
Weaveworks
 
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOpsWebinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Weaveworks
 
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes ClustersAutomated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
Weaveworks
 
How to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy CatastrophesHow to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy Catastrophes
Weaveworks
 
Building internal developer platform with EKS and GitOps
Building internal developer platform with EKS and GitOpsBuilding internal developer platform with EKS and GitOps
Building internal developer platform with EKS and GitOps
Weaveworks
 
GitOps Testing in Kubernetes with Flux and Testkube.pdf
GitOps Testing in Kubernetes with Flux and Testkube.pdfGitOps Testing in Kubernetes with Flux and Testkube.pdf
GitOps Testing in Kubernetes with Flux and Testkube.pdf
Weaveworks
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Weaveworks
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Weaveworks
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Weaveworks
 
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsDeploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Weaveworks
 
Robust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and CiliumRobust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and Cilium
Weaveworks
 
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weaveworks
 
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
Weaveworks
 

Más de Weaveworks (20)

Weave AI Controllers (Weave GitOps Office Hours)
Weave AI Controllers (Weave GitOps Office Hours)Weave AI Controllers (Weave GitOps Office Hours)
Weave AI Controllers (Weave GitOps Office Hours)
 
Flamingo: Expand ArgoCD with Flux (Office Hours)
Flamingo: Expand ArgoCD with Flux (Office Hours)Flamingo: Expand ArgoCD with Flux (Office Hours)
Flamingo: Expand ArgoCD with Flux (Office Hours)
 
Six Signs You Need Platform Engineering
Six Signs You Need Platform EngineeringSix Signs You Need Platform Engineering
Six Signs You Need Platform Engineering
 
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdfSRE and GitOps for Building Robust Kubernetes Platforms.pdf
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
 
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOpsWebinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
 
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes ClustersAutomated Provisioning, Management & Cost Control for Kubernetes Clusters
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
 
How to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy CatastrophesHow to Avoid Kubernetes Multi-tenancy Catastrophes
How to Avoid Kubernetes Multi-tenancy Catastrophes
 
Building internal developer platform with EKS and GitOps
Building internal developer platform with EKS and GitOpsBuilding internal developer platform with EKS and GitOps
Building internal developer platform with EKS and GitOps
 
GitOps Testing in Kubernetes with Flux and Testkube.pdf
GitOps Testing in Kubernetes with Flux and Testkube.pdfGitOps Testing in Kubernetes with Flux and Testkube.pdf
GitOps Testing in Kubernetes with Flux and Testkube.pdf
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and LinkerdIntro to GitOps with Weave GitOps, Flagger and Linkerd
Intro to GitOps with Weave GitOps, Flagger and Linkerd
 
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKS
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKSAccelerating Hybrid Multistage Delivery with Weave GitOps on EKS
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKS
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
 
Flux’s Security & Scalability with OCI & Helm Slides.pdf
Flux’s Security & Scalability with OCI & Helm Slides.pdfFlux’s Security & Scalability with OCI & Helm Slides.pdf
Flux’s Security & Scalability with OCI & Helm Slides.pdf
 
Flux Security & Scalability using VS Code GitOps Extension
Flux Security & Scalability using VS Code GitOps Extension Flux Security & Scalability using VS Code GitOps Extension
Flux Security & Scalability using VS Code GitOps Extension
 
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOpsDeploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
 
Robust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and CiliumRobust Network Security and Observability with GitOps and Cilium
Robust Network Security and Observability with GitOps and Cilium
 
Simplifying Hybrid Kubernetes with Weaveworks and EKS.pdf
Simplifying Hybrid Kubernetes with Weaveworks and EKS.pdfSimplifying Hybrid Kubernetes with Weaveworks and EKS.pdf
Simplifying Hybrid Kubernetes with Weaveworks and EKS.pdf
 
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
 
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Último (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

KubeCon 2022 EU Flux Security.pdf

  • 1. Flux Security Deep Dive Stefan Prodan Flux & Flagger Maintainer Principal Engineer @ Weaveworks
  • 2. Flux - Project overview The Flux project aims to provide a complete Continuous Delivery platform on top of Kubernetes, supporting all the common practices and tooling in the field. Flux v2 is powered by the GitOps Toolkit, a set of composable APIs and specialized tools for keeping Kubernetes clusters in sync with sources of configuration, and automating updates to configuration when there is new code to deploy. Flagger is a Progressive Delivery tool that automates the release process for applications running on Kubernetes. Flagger comes with a declarative model for decoupling the deployment of apps on Kubernetes from the release process. https://github.com/fluxcd/flux2 https://github.com/fluxcd/flagger
  • 3. Flux - GitOps Continuous Delivery
  • 4. Agenda ● How is Flux made ● How secure is Flux ● Are my secrets safe in Git ● Is Kubernetes really multi-tenant ● Flux soft vs hard multi-tenancy ● When will Flux v2 be GA
  • 5. Flux is made of many things ● Kubernetes API extensions (CRDs) ● Specialized Kubernetes operators (powered by controller-runtime) ● Flux command-line tool (powered by Kubernetes cli-utils) ● Flux Terraform provider ● Go & C libraries (Go stdlib, Kubernetes client-go, kstatus, go-git, libgit2, kustomize, helm, minio, oras, sops, age, aws, azure, gcp, github, gitlab, bitbucket SDKs… and some more) What is Flux made of?
  • 6. WELCOME TO VALENCIA How can a handful of people maintain such a project? With care… A helpful community And lots of automations
  • 7. Flux Libraries, controllers and CLI UNIT TEST OSS FUZZ BUILD RELEASE E2E TEST Flux - release pipeline ASSEMBLE AMD64 E2E ARM64 E2E RELEASE CLOUD E2E GitHub Linux & macOS Equinix Metal Linux AKS + DevOps, EKS, GKE Kubernetes KIND 1.20…1.24 Flux GitHub Bot SCAN GitHub CodeQL, Snyk Cosign & SBOM
  • 8. A Flux release is comprised of ● Multi-arch container images (GHCR & DockerHub) ● Signed images and checksums (Cosign + GitHub OIDC) ● Software Bill of Materials (SBOM SPDX) ● Deployment manifests (YAML) ● OpenAPI specs (JSON) ● CLI binaries (Linux, macOS & Windows) ● Packages (Homebrew, Arch Aur, NIX, Chocolatey) ● Flux Terraform provider (Terraform Registry) ● Flux GitHub Action (AMD64 & ARM64 runners) Flux - release artifacts
  • 9. What makes the Flux controllers secure? ● No shell-out to 3rd party binaries ● All Linux capabilities are dropped ● The root filesystem is set to read-only ● The seccomp profile is runtime default ● Controllers run as non-root ● Uses Kubernetes impersonation API
  • 10. Unlike most CD products, Flux has a small attack surface ● Flux controllers are statically built and have no dependencies on OS packages ● No shell-exec to git, kubectl, helm, kustomize, sops, aws, gcloud, etc ● No HTTP APIs, you can control Flux only via Kubernetes API ● All actions performed on the cluster are auditable and subject to Kubernetes RBAC ● Flux execution is predictable, there are no plugins nor scripting ● Flux can only be extended with other controllers that adhere to the GitOps Toolkit std Flux vs competition?
  • 11. Flux is embedded in ● Azure Arc ● Amazon EKS Anywhere ● VMware Tanzu ● D2iQ Enterprise Kubernetes Platform ● Platform One (US DoD & US Air Force) ● Deutsche Telekom Das Schiff ● And many more Who trusts in Flux?
  • 12. ● In 2021 Flux has undergone a security audit (OSTIF & ADA Logics) ○ We’ve addressed all the security issues found in record time ○ We’ve put in place an RFC process for changes to Flux security posture ● In 2022 the Flux team focused on security hardening ○ We’ve found and addressed a series of multi-tenancy vulnerabilities ○ We’ve made secrets decryption safer on multi-tenant environments ○ We’ve improved the test coverage of sensitive operations ● Flux is scheduled to undergo a security review by CNCF TAG Security How secure is Flux?
  • 14. How to keep Flux up-to-date? Flux is able to update itself from Git. We offer a GitHub Action that checks for new releases and opens a pull request on your bootstrap repository when a newer Flux version is available. For GitLab, BitBucket, Azure DevOps and other platforms, you can use Renovate Bot which offers the same update automation for Flux.
  • 15. What security challenges come with GitOps? ● Keeping secrets safe ● Restricting access to sensitive data ● Compromised Git credentials ● Prevent destructive cluster ops
  • 16. Flux comes with built-in secrets management ● Client-side encryption with Mozilla SOPS ● Server-side decryption with Flux ● Supported technologies ○ Age Encryption and OpenPGP ○ Hashicorp Vault ○ AWS Key Management Service ○ Azure Key Vault ○ Google Cloud KMS The Flux team is committed to SOPS’ development and maintenance Are my secrets safe in Git?
  • 18. WELCOME TO VALENCIA Is Kubernetes truly multi-tenant? In some regards YES but soft multi-tenancy is difficult to secure while hard multi-tenancy can be easier to reason with but hard to orchestrate.
  • 19. Flux bridges the gap between Kubernetes and Git tenancy models. ● Kubernetes ○ Dedicated clusters per tenant (hard multi-tenancy) ○ Namespaces and role bindings ○ Node groups, taints and tolerations ○ Resource quotas and network policies ○ 3rd party policies (OPA & Kyverno) ● Git ○ Dedicated repositories per tenant (hard multi-tenancy) ○ Protected branches ○ Team access management (GitHub, GitLab, etc) Tenant isolation boundaries
  • 20. Flux - GitOps Multi-Tenancy Flux enables multi-tenancy by allowing platform admins to assign restricted Kubernetes accounts to the tenants’ sources. When Flux reconciles the tenant’s Kubernetes resources, it does so by impersonating the tenant’s account, thus enforcing the isolation boundary as defined by platform admins in their Git repo.
  • 21. Demo Multi-tenancy with Flux and Kubernetes namespace-as-a-service https://github.com/fluxcd/flux2-multi-tenancy
  • 22. When will Flux v2 reach GA? TODOs ● Adopt kstatus for all Flux APIs ● Helm controller refactoring ● Support for Helm OCI ● Notification API improvements ● Documentation refactoring https://fluxcd.io/roadmap