Balance innovation and agility with security and compliance
risks using a 3-step process across all cloud infrastructure.
Step up business agility without compromising
security or compliance
Everything you need to become a Kubernetes expert.
Always for free!
Everything you need to know about Magalix
culture and much more
We’ve recently announced that Magalix is joining forces with Weaveworks, the GitOps company. And together, we will strive to accelerate continuous delivery and increase developer productivity so that organizations can get their software to market faster.
The two companies share some common goals:
And with the merger, we will be able to deliver on our promise to customers to “confidently and securely innovate’. This is what we call Trusted Delivery.
This article will briefly explain what GitOps, then explain Trusted Delivery and its benefits.
Pioneered by Weaveworks in 2017, GitOps is an operational framework for Kubernetes cluster management and application delivery. The fundamental idea behind GitOps is to simplify deployments using Git as the single source of truth.
Weaveworks defines GitOps as an operating model for cloud-native applications and summarizes it into these two things:
An operating model for Kubernetes and other cloud-native technologies, providing a set of best practices that unify Git deployment, management, and monitoring for containerized clusters and applications.
A path towards a developer experience for managing applications, where end-to-end CICD pipelines and Git workflows are applied to operations and development.
The entire system is described in a declarative state.
The desired system state is versioned in Git.
Approved changes are applied automatically to the desired state.
Ensured correctness and automatic alerts on divergence with software agents.
The continuously changing industry has placed high demands on development teams to deliver and operate software, quickly and reliably. The quicker organizations get their software to their market, the faster they can deliver value, run experiments, and make the necessary adjustments.
To ship products faster, developers make 10s and if they are very agile, maybe even 100s deployments a day. In fact, the 2021 DORA report classifies elite-performing teams as those with multiple deployments per day (code deployments to production or released to end-users).
The dilemma here is: how do organizations maintain their agility and maintain their frequent deployments, securely and reliably? This is where trusted application delivery comes in.
Trusted Application Delivery is all about enabling development teams to go as quickly as possible with their deployments, but protecting them with automated guard rails. These guardrails are enacted using policy as code. Security and compliance policies are codified and built into the system, according to company- and sector- mandated ‘playbooks’ and ‘recipes’.
By enforcing guardrails, you are promoting frequent deployments while ensuring that the reliability of the application platform remains intact. Trusted application delivery extends the GitOps pipeline with governance, verification, and security using Magalix’s policy enforcement platform.
GitOps users can now hit the ground running with 100s of ready-made security and compliance policies. You can use them as is or write your own policy with Magalix Rego playground. In addition, GitOps best practices can be enforced with Magalix's policy as code, such as Git host, repos, branches, and working directories.
By creating a centralized playbook, enacted and enforced across the whole SDLC lifecycle, you can then enable your teams to innovate faster without compromising security. The playbook can include industry regulatory policies or IT standards and benchmarks. Or customized rules you would like to enforce across the organization.
Analytics and reporting are essential in GitOps workflows; this is how GitOps users can see their security posture and take the necessary steps to ensure security and compliance. There are two kinds of reports:
1- Enforcing security and compliance, from source to production: DevOps teams can apply consistent policies and best practices across multiple Kubernetes environments. Customers will be able to bridge the gap between developers, DevOps, and security teams by shifting left using policy as code.
2- Runtime policy and drift management guards protect production deployments: Using our KubeGuard agent ensures any runtime drift is detected and automatically remediated. Customers are assured that policies are being enforced across all deployments and are immediately aware of any violations.
3- Embedding security in GitOps workflows: By integrating policy as code into GitOps workflows - the source, build, and deployment stages - we simplify DevSecOps initiatives and enable cloud-native environments to be more intrinsically secure.
GitOps users can now benefit from trusted application delivery benefits using Weave GitOps Enterprise. Request a Demo.
Magalix is in the business of programmatically enforcing security and compliance standards using policy as code. By enforcing policies across GitOps workflows, it helps build secure developer-centric experiences with continuous deployment for cloud-native applications.
Policies can be classified into three types:
Let’s dive deeper into the how of trusted delivery, in CI/CD pipelines.
In a typical flow, code on the developer machine (Dev) is pushed to Git (the code repository), which is then picked up by the Continuous Integration (CI) system. The CI system runs some tests and then builds an artifact (a container image) where it’s then pushed to the image repository (Container Registry) and then deployed to the orchestrator (Kubernetes).
Figure: Trusted Delivery: Policy-based Governance across GitOps Workflows
In the Kubernetes cluster, Weaveworks runs the reconciliation operator, which operates on a configuration git repository, with separate credentials. The operator reconciles the desired state (expressed in manifest files stored in the git repo) against the actual state of the cluster.
The above GitOps workflow is built with security in mind.
The guardrails are enacted at:
Git Repo: Infrastructure as Code Scanning.
This is where the developer receives commit time feedback. With the codified policies enforced with the Magalix agent, we scan the infrastructure as code (IaC) templates before they get committed to the repository and auto-remediate any violations. In this way, developers have frequent feedback, and misconfigurations are caught early on and fixed quickly.
CI System: Misconfiguration Guardrails.
To make sure there are multiple checks throughout the DevOps process, we have another guard rail in the CI system. Even if it may feel redundant, the multiple checks increase the chance of security issues getting caught and fixed. In the CI, the developer receives build-time feedback. The codified policies block the build if there are violating changes are discovered.
Kubernetes Clusters: Deploy-Time Feedback.
Prevent violating changes from leaking to runtime infrastructure. Enable policy-based Kubernetes admission controllers to deny any policy-violating objects from being created. Immediate feedback will be given explaining why the object creation was blocked.
Config Repo: Run-Time Security and Compliance Audit.
Perform runtime scanning of IaC and evaluate configuration changes over time. Continuously scan the Kubernetes runtime for Policy violations and identify any violations related to industry and region based regulations. Run reports to know your posture in real-time.
Register now for our upcoming
Show & Tell on Trusted Application Delivery
with GitOps and Policy as code
February 23th and 24th - 2022
(US and EMEA friendly timezones)
Incorporating policy checks into your SDLC, or GitOps workflows, alleviate some of the challenges with continuously having to fix the same entities causing the same violations again and again. Magalix simplifies the “shift left” process with our “write once, apply everywhere” model.
The Magalix policy library has 100s of read-made security and compliance policies available. You can use them as is or write your own with our very own Rego playground. These policies enable you to flag and alert teams with security and compliance violations every step of the software lifecycle.
Magalix K8s policy pack covers CIS, MITRE ATT&CK, PCI DSS, and many more.
Self-service developer platform is all about creating a frictionless development process, boosting developer velocity, and increasing developer autonomy. Learn more about self-service platforms and why it’s important.
More and more businesses are adopting GitOps. Learn about the 5 reasons why GitOps is important for businesses.