DevOps is a practice and enterprise-wide philosophy where your delivery chain is agile and adaptable, with automated processes used everywhere possible. Part of adaptability is having the confidence that you can incorporate new types of tooling and applications without introducing undue risk or unnecessary effort. The advantage of automation and integrated security is that developers can develop without fear, allowing them to support shift-left security. And security teams can be confident that security is always there.
At least, that’s the theory behind DevOps. To help illustrate how you can actually implement these principles, let’s take a look at how Kubernetes supports the goals of DevOps. In so doing, this article will highlight the link between Kubernetes and DevOps, and use Kubernetes as a real-world example of a tool that reinforces the goals of DevOps.
Drive to Remove Complexity
Years ago, when I wrote about how containers aren’t necessary in a DevOps practice, I ironically went on at length about how containers greatly improve an organization’s DevOps approach. No argument can be made without first acknowledging this truth. In fact, containers allow developers to package running software and their dependencies into easily deployable units regardless of size, greatly empowering the DevOps culture.
Containers can be black-box tested, deployed consistently across environments (e.g. development, QA, and production), and provide a convenient way to enable cloud and microservice-based architectures and deployments. In a nutshell, containers reduce the complexity of deployment, which is a big goal (if not the biggest, along with security) of almost every organization’s DevOps practice.However, if developers simply throw containers over the wall, it’s left up to operations teams to deploy and manage them, and figure out how to scale them to meet user demand. This defeats the purpose of DevOps. Fortunately, Kubernetes helps here by allowing developers and operations to work together to automate the deployment and runtime orchestration of containers across nodes in your datacenter or cloud. Going further, Kubernetes can be used to orchestrate the process of upgrading containers in production so that users aren’t impacted.
Continuous Development, Integration,
In a DevOps world, continuous is an important and overloaded word. For example, tools are available to automatically and continuously perform software builds and deployments based on developer actions, called triggers. One trigger may be the simple act of checking code into a repository. The automation that continuous integration (CI) tools provides remove much of the manual effort (as well as bottlenecks and human error) from an otherwise mundane set of tasks. With the rise of containers, this automation needs to be extended to support a CI process.
Instead of moving code across different servers, or VMs running on cloud infrastructure, the same code can be automatically deployed across pods within a Kubernetes cluster. Kubernetes expands your DevOps culture within a container-based architecture by:
- Increasing collaboration between developers and operations staff
- Managing rolling container updates across Kubernetes nodes
- Orchestrating deployments regardless of platform (e.g. for Windows or Linux workloads)
- Scaling your containers across pods based on need predictably
- Increasing productivity by deploying software to containers for QA immediately
- Optimizing costs by efficiently utilizing server resources across a Kubernetes cluster (e.g. not using more cloud compute or bandwidth other than what’s required to meet user demand).
A test-driven approach to development (TDD) requires application owners to define tests alongside requirements, before code is even written. The theory is, if you can’t describe how to test it, how can you be sure you’re specifying the requirement thoroughly or even correctly? Additionally, thinking about how to test (or simply use) a software feature and its code often leads to more well-thought out software designs, and fewer bugs in production.
The trick is to make TDD part of your deployment process and part of your entire DevOps practice by integrating it into your tools. Breaking down your application into very testable stand-alone services increases confidence that the system won’t break when these services are individually deployed. Kubernetes supports this by taking your container-based microservice architecture and deploying container updates without disturbing other parts of your application.
In effect, Kubernetes extends the TDD mentality to your operations teams. This moves testing beyond individual feature unit and system tests, and enables a DevOps culture of end-to-end testing that more closely resembles the system-level experience your own users will be getting when they use your software in production.
Kubernetes Increases Security
Good DevOps tools adapt to your process as well as development tools. Kubernetes includes an API to help you integrate it into your CI/CD DevOps practice. And since the goal of DevOps is not only to improve developer efficiency but also to better serve your users’ needs, security is often at the top of the list when driving the DevOps culture. To help implement security into your practice, Kubernetes allows you to control who can access container clusters, manage and restrict updates to container code and environment variables, limit resource usage on specific pods, control the privileges that container-based workloads run with, restrict network access across containers, and more.
Here at Alcide, we built onto the Kubernetes API and available security features to empower a DevSecOps culture, automating many container-specific security concerns. Gone are the days where one would have to compromise on agility in order to keep pace with security needs and requirements. By instituting a security policy-driven approach to Kubernetes management, your DevOps practice will more readily maintain smooth, interruption-free operations for both your development teams and end-users. And by automatically discovering, managing and enforcing security policies across multi-cluster deployments, Alcide’s Advisor scanner for Kubernetes and Istio enables detecting and blocking vulnerabilities early on in the pipeline, before being exploited. This enables the smooth operation of business apps while protecting cloud deployments from malicious attacks.
This approach implements a feedback loop for security into your development and deployment processes. For example, we can automatically discover application and network-level security needs without requiring manual effort to do so. It will also secure your entire DevOps pipeline, from build to deployment within a production Kubernetes cluster to ensure nothing gets tampered with along the way. Once in production, your code will benefit from container-based security policies via an embedded firewall, and machine-learning algorithms will detect container usage anomalies to stop security breaches before they occur.
Ready to start using Alcide Kubernetes Advisor? Start now.
About Eric Bruno
Eric Bruno is a writer and editor for multiple online publications, with more than 25 years of experience in the information technology community. He is a highly requested moderator and speaker for a variety of conferences and other events on topics spanning the technology spectrum, from the desktop to the data center. He has written articles, blogs, white papers and books on software architecture and development for more than a decade. He is also an enterprise architect, developer, and industry analyst with expertise in full lifecycle, large-scale software architecture, design, and development for companies all over the globe. His accomplishments span highly distributed system development, multi-tiered web development, real-time development, and transactional software development. See his editorial work online at www.ericbruno.com.