We’ve recently announced that Magalix is joining forces with Weaveworks, the GitOps company. And together, we will strive to accelerate continuous delivery and increase developer productivity so that organizations can get their software to market faster.
The two companies share some common goals:
And with the merger, we will be able to deliver on our promise to customers to “confidently and securely innovate”. This is what we call Trusted Delivery.
This article will briefly explain what GitOps is, then explain Trusted Delivery and its benefits.
Pioneered by Weaveworks in 2017, GitOps is an operational framework for Kubernetes cluster management and application delivery. The fundamental idea behind GitOps is to simplify deployments using Git as the single source of truth.
Weaveworks defines GitOps as an operating model for cloud-native applications and summarizes it into these two things:
An operating model for Kubernetes and other cloud-native technologies, providing a set of best practices that unify Git deployment, management, and monitoring for containerized clusters and applications.
A path towards a developer experience for managing applications, where end-to-end CI/CD pipelines and Git workflows are applied to operations and development.
The entire system is described in a declarative state.
The desired system state is versioned in Git.
Approved changes are applied automatically to the desired state.
Software agents ensure correctness and raise automatic alerts on divergence.
To read more about the fundamentals of GitOps, check our GitOps 101 explainer guide and the Weaveworks Guide to GitOps.
The continuously changing industry has placed high demands on development teams to deliver and operate software quickly and reliably. The quicker organizations get their software to market, the faster they can deliver value, run experiments, and make the necessary adjustments.
To ship products faster, developers make tens, and if they are very agile, maybe even hundreds of deployments a day. In fact, the 2021 DORA report classifies elite-performing teams as those with multiple deployments per day (code deployed to production or released to end users).
The dilemma here is: how do organizations maintain their agility and their frequent deployments, securely and reliably? This is where trusted application delivery comes in.
Trusted Application Delivery is all about enabling development teams to go as quickly as possible with their deployments, while protecting them with automated guardrails. These guardrails are enacted using policy as code. Security and compliance policies are codified and built into the system, according to company- and sector-mandated ‘playbooks’ and ‘recipes’.
By enforcing guardrails, you are promoting frequent deployments while ensuring that the reliability of the application platform remains intact. Trusted application delivery extends the GitOps pipeline with governance, verification, and security using Magalix’s policy enforcement platform.
GitOps users can now hit the ground running with hundreds of ready-made security and compliance policies. You can use them as is or write your own policy in the Magalix Rego playground. In addition, GitOps best practices can be enforced with Magalix's policy as code, such as the approved Git host, repositories, branches, and working directories.
By creating a centralized playbook, enacted and enforced across the whole SDLC, you can then enable your teams to innovate faster without compromising security. The playbook can include industry regulatory policies, IT standards and benchmarks, or customized rules you would like to enforce across the organization.
Analytics and reporting are essential in GitOps workflows; this is how GitOps users can see their security posture and take the necessary steps to ensure security and compliance. There are two kinds of reports:
1- Enforcing security and compliance, from source to production: DevOps teams can apply consistent policies and best practices across multiple Kubernetes environments. Customers will be able to bridge the gap between developers, DevOps, and security teams by shifting left using policy as code.
2- Runtime policy and drift management guards protect production deployments: Using our KubeGuard agent ensures any runtime drift is detected and automatically remediated. Customers are assured that policies are being enforced across all deployments and are immediately aware of any violations.
3- Embedding security in GitOps workflows: By integrating policy as code into GitOps workflows - the source, build, and deployment stages - we simplify DevSecOps initiatives and enable cloud-native environments to be more intrinsically secure.
GitOps users can now get the benefits of trusted application delivery with Weave GitOps Enterprise. Request a demo.
Magalix is in the business of programmatically enforcing security and compliance standards using policy as code. By enforcing policies across GitOps workflows, it helps build secure developer-centric experiences with continuous deployment for cloud-native applications.
Policies can be classified into three types:
Let’s dive deeper into the how of trusted delivery, in CI/CD pipelines.
In a typical flow, code on the developer machine (Dev) is pushed to Git (the code repository), which is then picked up by the Continuous Integration (CI) system. The CI system runs some tests and then builds an artifact (a container image), which is then pushed to the image repository (Container Registry) and then deployed to the orchestrator (Kubernetes).
Figure: Trusted Delivery: Policy-based Governance across GitOps Workflows
In the Kubernetes cluster, Weaveworks runs the reconciliation operator, which operates on a configuration git repository, with separate credentials. The operator reconciles the desired state (expressed in manifest files stored in the git repo) against the actual state of the cluster.
The above GitOps workflow is built with security in mind.
The guardrails are enacted at:
Git Repo: Infrastructure as Code Scanning.
This is where the developer receives commit-time feedback. With the codified policies enforced by the Magalix agent, we scan the infrastructure as code (IaC) templates before they get committed to the repository and auto-remediate any violations. In this way, developers have frequent feedback, and misconfigurations are caught early on and fixed quickly.
CI System: Misconfiguration Guardrails.
To make sure there are multiple checks throughout the DevOps process, we have another guardrail in the CI system. Even if it may feel redundant, the multiple checks increase the chance of security issues getting caught and fixed. In the CI, the developer receives build-time feedback. The codified policies block the build if violating changes are discovered.
Kubernetes Clusters: Deploy-Time Feedback.
Prevent violating changes from leaking to runtime infrastructure. Enable policy-based Kubernetes admission controllers to deny any policy-violating objects from being created. Immediate feedback will be given explaining why the object creation was blocked.
Config Repo: Run-Time Security and Compliance Audit.
Perform runtime scanning of IaC and evaluate configuration changes over time. Continuously scan the Kubernetes runtime for policy violations and identify any violations related to industry- and region-based regulations. Run reports to know your posture in real time.
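As an added illustration of the commit-time and CI guardrails described above (example code written for this article, not Magalix's agent or its Rego policies), here is a small policy-as-code evaluator in Python that applies four constructed CIS-style rules to a Kubernetes manifest and returns the violations a gate would block. The sample manifest, the policy ids and the rule wording are assumptions made for the example; the same `gate` semantics apply at the admission-controller step.

```python
import json

# Constructed sample input (not from the article): the JSON form of a Deployment
# whose "web" container breaks every policy below while "sidecar" passes all.
SAMPLE_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "web", "namespace": "default"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "web", "image": "example/web:latest",
    "securityContext": {"privileged": true}},
   {"name": "sidecar", "image": "example/sidecar:1.4.2",
    "securityContext": {"runAsNonRoot": true},
    "resources": {"limits": {"cpu": "100m", "memory": "128Mi"}}}
 ]}}}}
""")

def pod_containers(obj):
    """Containers of a bare Pod or of any workload that embeds a pod template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec.get("containers", [])
    return spec.get("template", {}).get("spec", {}).get("containers", [])

def image_is_pinned(image):
    """True when the image is pinned by digest, or by a tag other than :latest."""
    last = image.rsplit("/", 1)[-1]  # drop the registry/repository path first
    return "@sha256:" in image or (":" in last and not last.endswith(":latest"))

# Each policy: (id, human-readable rule, predicate that is True when compliant).
POLICIES = [
    ("no-privileged", "container must not run privileged",
     lambda c: not c.get("securityContext", {}).get("privileged", False)),
    ("pinned-image", "image must be pinned by tag or digest, never :latest",
     lambda c: image_is_pinned(c.get("image", ""))),
    ("run-as-non-root", "securityContext.runAsNonRoot must be true",
     lambda c: c.get("securityContext", {}).get("runAsNonRoot") is True),
    ("resource-limits", "cpu and memory limits must be declared",
     lambda c: {"cpu", "memory"} <= set(c.get("resources", {}).get("limits", {}))),
]

def evaluate(obj):
    """Return (policy_id, container_name, rule) for every violation found."""
    return [(pid, c["name"], rule)
            for c in pod_containers(obj)
            for pid, rule, complies in POLICIES if not complies(c)]

def gate(obj):
    """Commit-hook, CI or admission semantics: True means the change may proceed."""
    return not evaluate(obj)
```

Note that `image_is_pinned` strips the registry path before looking for a tag, so a registry port such as `registry.example:5000/app` is not mistaken for a pinned tag.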
Incorporating policy checks into your SDLC or GitOps workflows alleviates some of the challenges of continuously having to fix the same entities causing the same violations again and again. Magalix simplifies the “shift left” process with our “write once, apply everywhere” model.
The Magalix policy library has hundreds of ready-made security and compliance policies available. You can use them as is or write your own with our very own Rego playground. These policies enable you to flag security and compliance violations and alert teams at every step of the software lifecycle.
Magalix K8s policy pack covers CIS, MITRE ATT&CK, PCI DSS, and many more.