Self Healing GitOps: Continuous, Secure GitOps using Argo CD, Helm and OPA
Upkar Lidder, Senior Product Manager, Tenable (15-page slide deck)

CLOUD NATIVE INFRASTRUCTURE IS FUELING INNOVATION
Source: CNCF Survey 2020
CREATING INCREASED VELOCITY, LESS PROCESS FRICTION
- Easy developer interface, complex underpinning
- Extremely high-paced infrastructure
- Easier runtime management, deployment, and scalability
- 92% of organizations use containers in production
- 83% of organizations use Kubernetes in production
- 30% of organizations use serverless in production

SOUNDS GREAT, RIGHT?
But is velocity leaving you vulnerable?

WHAT MAKES KUBERNETES SECURITY DIFFICULT
- Developer-focused management
- Complex privilege management
- Default configurations are not secure

SO, WHAT CAN YOU DO?
4 TENETS OF K8S SECURITY
- K8s misconfigurations: create a single policy framework for governance and access control
- Security guardrails: integrate policy into DevOps workflows
- Container image vulnerabilities: scan container images and registries
- Exposure management: identify and remediate runtime vulnerabilities

SECURITY GUARDRAILS
Kubernetes security depends on the development process and should be built into the build and delivery processes using existing development tools and frameworks.

THE POWER OF POLICY
Policy as Code can be applied at several different stages in the development process, and we encourage users to apply it everywhere they can.
1. Low friction
2. Secure by default
3. Increased security visibility

OPEN SOURCE POLICY AS CODE FOR SECURE CLOUD INFRASTRUCTURE
- 500+ out-of-the-box policies
- Scans IaC against common policy standards such as the CIS benchmarks
- Leverages the Open Policy Agent (OPA) engine for custom policy creation

TYPICAL GITOPS CI/CD WORKFLOW
(workflow diagram)

SECURE GITOPS CI/CD WORKFLOW
(workflow diagram, built up over four slides)

WHERE DO YOU GO FROM HERE? THE ROAD TO COMPLETE CLOUD VISIBILITY
(five stages, plotted against increasing operational efficiency)
Stage 1: Policy as code (automated continuous assessment)
- Create codified security policies (e.g., CIS benchmark)
- Enforce policies and detect violations across the pipeline
Stage 2: Governance as code (automated governance)
- Capture security governance decisions (e.g., exceptions) within IaC
- Use code repositories for the governance workflow and audit
Stage 3: Drift as code (automated continuous detection)
- Continuously detect infrastructure changes at runtime and report policy violations as IaC
Stage 4: Security as code (automated breach path analysis)
- Understand application vulnerabilities and prioritize risk resolution by identifying potential breach paths and assessing the scope of impact
Stage 5: Remediation as code (automated remediation)
- Automatically generate the IaC code needed to fix vulnerabilities and exposures
- Push security fixes as IaC directly to developers through pull requests (GitOps)

TRY IT YOURSELF T
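The deck's OPA slide and its Stage 1 ("create codified security policies, enforce them across the pipeline") describe custom policy without showing any. What follows is an added example written for this page, not code from the deck or from Tenable's tooling: a small Rego policy that encodes a few CIS-style Kubernetes checks (no privileged containers, no privilege escalation, non-root execution, no host networking, no mutable image references) so a CI step can reject Helm-rendered manifests before Argo CD syncs them. The package name, the rule names and the two sample Deployments are illustrative assumptions, not benchmark identifiers; the policy uses the `rego.v1` syntax, so it needs OPA 0.59 or later.

```rego
package gitops.guardrails

import rego.v1

# Every container in a workload manifest, init containers included.
containers contains c if some c in input.spec.template.spec.containers
containers contains c if some c in input.spec.template.spec.initContainers

# Pod-level securityContext, defaulting to an empty object when absent.
pod_sc := object.get(input, ["spec", "template", "spec", "securityContext"], {})

deny contains msg if {
    some c in containers
    c.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [c.name])
}

# Undefined (no securityContext at all) counts as a violation: the Kubernetes
# default allows escalation, which is the "defaults are not secure" problem.
deny contains msg if {
    some c in containers
    not c.securityContext.allowPrivilegeEscalation == false
    msg := sprintf("container %q must set securityContext.allowPrivilegeEscalation: false", [c.name])
}

# Either the container or the pod securityContext may assert runAsNonRoot.
deny contains msg if {
    some c in containers
    not c.securityContext.runAsNonRoot == true
    not pod_sc.runAsNonRoot == true
    msg := sprintf("container %q must run as non-root (container or pod securityContext)", [c.name])
}

deny contains msg if {
    input.spec.template.spec.hostNetwork == true
    msg := "pod must not use hostNetwork"
}

deny contains msg if {
    some c in containers
    mutable_image(c.image)
    msg := sprintf("container %q uses a mutable image reference: %s", [c.name, c.image])
}

# An image reference is mutable unless pinned by digest: ":latest" or no tag at all.
mutable_image(img) if {
    not contains(img, "@sha256:")
    endswith(img, ":latest")
}

mutable_image(img) if {
    not contains(img, "@sha256:")
    parts := split(img, "/")
    # Only the last path segment carries the tag, so "registry:5000/app" is still untagged.
    not contains(parts[count(parts) - 1], ":")
}

# Constructed sample input (not a real workload): an insecure Deployment as Helm might render it.
bad_deployment := {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "hostNetwork": true,
        "containers": [{
            "name": "web",
            "image": "registry.example.internal:5000/app:latest",
            "securityContext": {"privileged": true}
        }]
    }}}
}

# Constructed sample input: the same Deployment after hardening (digest is a placeholder).
good_deployment := {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": true},
        "containers": [{
            "name": "web",
            "image": "registry.example.internal:5000/app@sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
            "securityContext": {"allowPrivilegeEscalation": false}
        }]
    }}}
}

# Executable with `opa test`: the insecure manifest trips all five rules, the hardened one none.
test_insecure_deployment_is_denied if {
    count(deny) == 5 with input as bad_deployment
}

test_hardened_deployment_passes if {
    count(deny) == 0 with input as good_deployment
}
```

Run `opa test .` in the directory holding this file to execute the two test rules. In a pipeline, render the chart with `helm template`, feed each rendered object (JSON or single-document YAML) to `opa eval -i rendered.json -d policy.rego 'data.gitops.guardrails.deny'` or to conftest, and fail the job whenever the `deny` set is non-empty; because the policy lives in the same repository as the chart, an exception is a reviewed change to the Rego rather than a ticket, which is what Stage 2's "governance as code" amounts to in practice.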