GitOps is a paradigm that puts Git at the heart of building and operating cloud-native applications by using Git as the single source of truth. GitOps empowers developers to perform what used to fall under IT operations. As a development pattern, GitOps has gained a fair share of popularity in recent times because it emphasizes declaratively expressing infrastructure and application configuration within Git repositories.
The 4 Principles of GitOps are:
- The entire system is described declaratively
- The canonical desired system state is versioned - (Git)
- Approved changes to the desired state → automatically applied to the system
- Agents ensure correctness, alert on divergence & self-heal
GitOps is quite aligned with the Kubernetes way and ArgoCD captures exactly that - everything is declarative. This makes ArgoCD a tailor-made continuous delivery tool for Kubernetes.
It is worth noting that ArgoCD is in the process of joining forces with Flux, another popular GitOps tool, to create gitops-engine - a solution that will combine the benefits of both worlds.
In my previous blog we covered some of the core security risks and challenges associated with GitOps, and in this post I'd like to show you how to implement GitOps with ArgoCD-based delivery systems.
SyncHooks - Hooking Progressive Security Into ArgoCD
When ArgoCD performs a Sync operation from a Git repository into the cluster, it offers synchronisation hooks that can be used to control and validate the synchronisation event.
Synchronisation can be configured using resource hooks. In ArgoCD, hooks are ways to run scripts before, during, and after a Sync operation. Hooks can also run if a Sync operation fails at any point.
Some use cases for using hooks are:
- Using a PreSync hook to perform a database schema migration before deploying a new version of the app.
- Using a Sync hook to orchestrate a complex deployment that requires more sophistication than the Kubernetes rolling update strategy.
- Using a PostSync hook to run integration and health checks after a deployment.
- Using a SyncFail hook to run clean-up or finalizer logic if a Sync operation fails. SyncFail hooks are only available starting in v1.2.
Alcide Advisor is a policy-driven, API-only (also referred to as agentless) configuration, risk and security scanner for Kubernetes and Istio.
With Alcide Advisor, you can detect security drifts and cover the following security checks:
- Kubernetes infrastructure vulnerability scanning.
- Hunting misplaced secrets, or excessive privileges for secret access.
- Workload hardening from Pod Security to network policies.
- Istio security configuration and best practices.
- Ingress Controllers for security best practices.
- Kubernetes API server access privileges.
- Kubernetes operators security best practices.
- Deployment conformance to labeling, annotating, resource limits, etc.
A full example can be found here.
Alcide Advisor, when run as a PostSync hook, scans the deployed changes, checks how they affect already deployed resources, and detects any potential security drift that would negatively affect the desired security state of the cluster.
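To make the hook mechanism concrete, here is an added example (not code from the original post or from Alcide) of a Kubernetes Job wired into ArgoCD as a PostSync hook, followed by a SyncFail hook for clean-up. The `argocd.argoproj.io/hook` and `hook-delete-policy` annotations are ArgoCD's real ones; the scanner image, its command-line arguments, the service account and the secret names are placeholders.

```yaml
# Added example: a Job that ArgoCD runs only after the main Sync phase succeeds.
# Image, args, service account and secret names are placeholders, not Alcide's real ones.
apiVersion: batch/v1
kind: Job
metadata:
  name: post-sync-security-scan
  annotations:
    # Run this resource in the PostSync phase, i.e. after the application resources are healthy.
    argocd.argoproj.io/hook: PostSync
    # Remove the Job once it succeeds so the next Sync gets a fresh run;
    # a failed Job is kept so its logs stay available for investigation.
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  backoffLimit: 0            # a failed scan must fail the hook, not be retried silently
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: security-scanner   # placeholder: read-only RBAC, least privilege
      containers:
      - name: scanner
        image: example.com/security-scanner:PLACEHOLDER   # placeholder image
        args: ["scan", "--cluster", "--fail-on", "high"]  # placeholder CLI: non-zero exit on findings
        env:
        - name: SCANNER_TOKEN
          valueFrom:
            secretKeyRef:
              name: scanner-credentials   # placeholder secret, never committed to Git in clear text
              key: token
---
# Added example: a SyncFail hook (ArgoCD v1.2+) that runs only if the Sync operation fails.
apiVersion: batch/v1
kind: Job
metadata:
  name: sync-failed-notify
  annotations:
    argocd.argoproj.io/hook: SyncFail
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: notify
        image: example.com/notifier:PLACEHOLDER   # placeholder image
        args: ["--message", "ArgoCD sync failed; check hook logs"]   # placeholder CLI
```

Because a hook resource that fails causes ArgoCD to mark the whole Sync as Failed, the scan's exit code is what turns it from a report into a gate; the SyncFail Job then fires on that failure.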
Continuous Integration/Continuous Development (CI/CD) with the Kubernetes ecosystem does have a variety of tools to choose from, and organizations should use the tools that are best suited for their specific use cases and culture. Gluing all the pieces together is not trivial. Integrating security and having its insights consumed by various stakeholders is an equally challenging task. GitOps simplifies this in some aspects, but complicates it in others.
Stay tuned for more on this.