GitOps
GitOps offers significant benefits in terms of security within the context of DevSecOps, combining development, operations and security practices in an integrated approach. Some key points about how GitOps contributes to security in DevSecOps are:
-
Visibility and Traceability:
- Change record: Storing all infrastructure configurations and definitions in Git repositories provides full traceability of all changes made to the environment.
- Enhanced Auditing: Facilitates better auditing by recording who, when, and what changes have been made to the system.
-
Version Control and Revision:
- Structured Versioning: GitOps allows detailed version control for all configuration changes, which facilitates revisions and the identification of discrepancies.
- Secure checks: The ability to perform controlled rollbacks to previous versions reduces the risks associated with faulty changes or security issues.
-
Secure Automation:
- Controlled Deployments: Automation through GitOps ensures that deployments follow established security policies and approval practices.
- Declarative Execution: Declaratively executing changes from Git repositories avoids unexpected or unauthorized changes to the infrastructure.
-
Centralized Management:
- Access and Permissions Management: Git becomes the central point for managing and controlling access, facilitating permissions management and security of sensitive data.
- Consistency and Standards: Centralized management enables security policies and standards to be applied and enforced across the infrastructure and applications.
-
Security in the Software Supply Chain:
- Change Validation: GitOps allows automatic security validations to be performed before changes are applied, ensuring that only authorized and secure changes are implemented.
- Integration with Security Tools: Facilitates the integration of security tools into the workflow, allowing static and dynamic analysis of code and infrastructure.
-
Resilience and Recovery:
- Recovery capability: In case of security incidents, the ability to perform quick rollbacks to previous versions ensures faster and safer recovery.
- Backups and Restore: GitOps enables backup management and restoration of critical configurations to improve system resiliency. GitOps, when integrated with DevSecOps, improves security by providing more secure, traceable and controlled management of infrastructure and applications, thus contributing to the creation of a more secure and robust environment.
Manifest example
apiVersion: apps/v1
kind: Deployment
metadata:
name: database-deployment
namespace: vulnapp
labels:
app: database
spec:
replicas: 1
selector:
matchLabels:
app: database
strategy:
type: Recreate
template:
metadata:
labels:
app: database
spec:
containers:
- env:
- name: MYSQL_DATABASE
value: docker
- name: MYSQL_PASSWORD
value: docker
- name: MYSQL_ROOT_PASSWORD
value: docker
- name: MYSQL_USER
value: docker
image: mysql:8
name: vulnerable-app-db
resources: {}
volumeMounts:
- mountPath: /docker-entrypoint-initdb.d
name: database-claim0
- mountPath: /var/lib/mysql
name: database-claim1
restartPolicy: Always
volumes:
- name: database-claim0
configMap:
name: docker-entrypoint
- name: database-claim1
persistentVolumeClaim:
claimName: database-claim1
status: {}
Configuration steps in ArgoCD
- First we must add the repository from which we want to extract the manifests, for it in the ArgoCD interface we go to Settings and there we give the button Connect new Repo.
- Choose the connection method, fill in the data for this method and save.
- Then we go to Applications and here we click on new app.
- We will appear to fill in information about the application we want to deploy, we must take into account that the Source section is where we will choose the previously connected repository and Destination section we place the namespace and the cluster to which we want to deploy.
With that, the ArgoCD connects to our repository, extracts the manifests from the source code, and proceeds to deploy them in the place indicated by us, and with this, we can observe how the deployment is synchronized.
📄️ Job
To proceed with database migrations after deployment, a job is created in kubernetes that performs the relevant executions within the application pod.
📄️ Secrets
In order to have a correct creation of database and other elements that are deployed with the application we must create by hand some secrets in the namespace of osdo.