Leveraging Gitops to Deploy Cloud Native Security
Monday, November 8th, 2021
GitOps is increasingly popular among developers as it accelerates development, but as security requirements grow, a new approach is needed. GitOps security needs to shift left. Here’s how to secure your GitOps repository.
GitOps is gaining traction among developers as it accelerates development work significantly in the CI/CD process. GitOps provides developers with a single, unified source of truth, which eliminates many of the teams’ workflow administrative hurdles. It also simplifies sharing code and working collaboratively on shared repositories.
Why should you adopt GitOps for cloud native security?
There are multiple reasons to adopt GitOps. Here are a few: A GitOps repository contains up-to-date declarative descriptions of the infrastructure applicable to the production environment. Dedicated GitOps tools then automate the process of updating the production environment to match the repository updates.
In practice, this translates into eliminating the need to deploy new applications or updates. You can simply achieve this by updating the GitOps repository.
As far as Infrastructure-as-Code is concerned, GitOps is a valuable resource. It is often used in conjunction with tools that automate synchronization between the GitOps repository and the infrastructure, such as ArgoCD. These tools provide accountability by saving changes as files. The synchronization process can be fully automated to reflect any change in the repository, scheduled at regular intervals or manually activated as required.
- Common unified interface - GitOps is a single source of truth for all development environments that eliminates many potential errors.
- Pull requests become change agents - It enables pushing code from work in progress at any stage - dev, staging, production - to the target environment. When changes are ready to be pushed, they are reviewed by other members of the team who ensure that all aspects of the code are up to security and compliance standards. They also check additional elements such as tightened access policies, etc. When approved by all the stakeholders, they are pushed to the desired environment.
- Prevention of configuration drifts - instead of regularly pushing CICD pipelines, even in the absence of any modification, GitOps automates the process and guarantees a full match between the CICD and the development environment.
- Documenting automatic updates - Out-of-date documentation introduces a source of error and slows down new team members’ onboarding experience. GitOps’ automated documentation updates eliminates those issues.
- Easy duplication - when duplication is needed for development in different environments or regions, Gitops facilitates the duplication and provisioning process, eliminating potential errors.
- Version control - Full control on roll-backs and roll-forwards enables fast recovery by rolling back to the latest clean version. It also allows developers to investigate the defective version in isolation, therefore preventing loss of business by providing continuity of service and accelerating recovery.
- Hardened credentials security - credentials between tools are read-only all the way through the pipeline.
- Security and compliance can be incorporated into the
infrastructure management process, including:
- Permission management - for example, limiting the number of team members granted permission to push or merge changes potentially affecting the infrastructure.
- Audit and Compliance - the simplified approval process for pull requests can be used to include security teams in the process of change management. This is crucial to tighten cloud native security.
What are the cloud native security downsides of GitOps?
For all its advantages, GitOps is not quite yet free of issues. For starters, not all developers are security conscious. As GitOps gives them the opportunity to push their code as soon as they deem it ready, it generates a perilous garbage in - garbage out situation. This is compounded by the copious amount of documentation produced that reduces visibility. Unchecked, this freedom to push at will may introduce serious vulnerabilities.
Avoiding this scenario requires DevOps to update their mindset and focus on integrating security at every stage of the development lifecycle.
Security is everyone’s responsibility and must permeate all levels of each development team. Panoptica, which provides Kubernetes, Container, and API security, integrates with GitOps. Panoptica vastly improves cloud native security on GitOps. Here’s how:
Panoptica Git Security Model
Cloud native security with GitOps can be achieved with Panoptica when using a certified deployer, such as ArgoCD, to automate GitOps.
- Allows upstream visibility into workloads at the CD stage. This occurs before they’re deployed to production clusters, allowing DevSecOps to see vulnerabilities. It does this by tracking policy changes enacted by security experts. When security experts update the Git repository, Panoptica tracks the changes and ensures that ArgoCD and Git repositories both stay updated. This is achieved without interacting directly with the policy engine, through a YAML file, for example:
Developers can then integrate these YAML file security rules directly into their policies, facilitating keeping up with best practices for secure development. These policies are updated every time a change is made.
- Applies protection by automatically updating the policy when workloads are deployed.
- Prevents deployment of risky or vulnerable workloads on production environments by creating Panoptica Policies based on these deployments. It does this by preventing developers lacking defined privilege access from pushing changes to the cluster.
These rules and their modification can be viewed both in the connection area and in the CICD.
When GitOps is fully integrated with a cloud native security solution like Panoptica, without sacrificing speed, it considerably enhances the entire development process while minimizing risks, a double advantage worth considering.
To test out Panoptica with GitOps, access a free trial here.