CI/CD for Kubernetes: What you need to know
Read about automating CI/CD pipelines to Kubernetes, the latest addition to our Kubernetes library pages. Help inform your decision on why you need automation, how to keep your cluster secure and what’s available on the market today.
Today we’re announcing a new addition to the Weaveworks Kubernetes library - CICD for Kubernetes: What you need to know. On this page you can read about how to set up and automate a Continuous Delivery/Continuous Deployment pipeline to Kubernetes.
Automating deployments to Kubernetes is the ultimate goal for most development teams who are working with containerized applications and Kubernetes. But with the myriad of tools out there and the different philosophies and methods for achieving automation, it’s not easy to know where to begin. The goal of the CICD for Kubernetes pages is to help you cut through the noise so that you can make an informed decision about what tools are right for you.
The pages are separated into three main sections:
- Why manually deploying updates to your apps running in Kubernetes is a painful process.
- Achieving Continuous Integration/Continuous Deployment (CI/CD) - the components and features you need.
- Approaches to continuous delivery as well as an overview of CI/CD tools available to build your own automated pipeline.
In the first section we describe why manual deployments to Kubernetes can be tricky, and also why it’s not good practice to allow your developers to deploy updates to your cluster with the command line interface ‘kubectl’. In fact, many industry leaders now advise treating ‘kubectl’ like SSH access and giving it out sparingly (see Keynote: KubeCon Opening Keynote - Kelsey Hightower, Google).
We’ll also take you through the steps of a manual deployment so that you can see for yourself what it takes to deploy an update to your cluster without the help of automation.
The next section discusses the components of an automated pipeline, as well as additional features you may need to round out the perfect CICD pipeline. Generally, these are the pieces that make up a pipeline:
- Version control software repository, like Git
- Continuous Integration system
- Docker image registry
- Kubernetes cluster
These are the components that you typically want to work together and automate. Other features that you may consider adding to your pipeline include the ability to do Blue/Green or even Rainbow deployments as well as Canary deployments.
Use Git as the Source of Truth
At Weaveworks, we are advocates of the GitOps methodology, which says that declarative infrastructure as well as application manifests should be versioned and kept under source control. When deployments go wrong, or even if disaster strikes and your entire cluster blows up, you can recover quickly because everything is version controlled.
Keep Your Cluster Secure
Many CI/CD tools on the market today don’t handle cluster credentials according to best practices, which is why CI systems are a well-known attack vector. We’ll show you how only Weave Cloud keeps your cluster credentials safe by never exposing them outside of the cluster.
See the post, “How secure is your CICD pipeline?” for more information on security.
Use a Pull vs Push-based Pattern
The CICD page also discusses how Weave Cloud employs a Kubernetes operator pattern, which means that the agent lives inside the cluster. Not only does a pull-based pattern make your cluster more secure, but employing it over a push-based pipeline also ensures that:
- Weave Cloud deployment policies can be set and changed (automatic or manual) in one place instead of keeping them scattered across your CI pipelines and embedded in custom scripts.
- Cluster configuration is always in-sync with what’s being kept in Git.
- CI is decoupled from CD, and the CI system doesn’t have elevated access to your cluster. This ensures that secure credentials always remain with the cluster and are not widely shared across the pipeline or teams.
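One way to check your own pipeline definitions for the push-based pattern described above (cluster credentials and kubectl in the CI job) is a simple audit script like the following. This is an added example, not Weave Cloud code; the two sample CI configs are constructed, and the indicator list and config format are assumptions.

```python
"""Audit a CI pipeline definition for the push-based anti-pattern:
cluster credentials held by the CI system and kubectl/helm run from CI.
Hypothetical example; the indicator patterns below are assumptions."""
import re
from typing import List, Tuple

# Indicators that the CI job itself talks to the cluster (push model).
PUSH_INDICATORS = [
    (re.compile(r"\bkubectl\b|\bhelm\s+(install|upgrade)\b"), "deploy tool invoked from CI"),
    (re.compile(r"kubeconfig", re.I), "cluster kubeconfig present in CI"),
    (re.compile(r"\bK8S_TOKEN\b|service-account-token|--token="), "cluster API token present in CI"),
    (re.compile(r"--server=https?://|\bK8S_SERVER\b"), "cluster API endpoint configured in CI"),
]
# Registry-only credentials are expected in both models and are not flagged.

def audit_ci_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, finding, line) for each non-comment line matching an indicator."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, finding in PUSH_INDICATORS:
            if pattern.search(stripped):
                findings.append((no, finding, stripped))
                break  # one finding per line is enough
    return findings

def is_pull_based(text: str) -> bool:
    """True when CI stops at the registry and never reaches into the cluster."""
    return not audit_ci_config(text)

# Constructed sample: CI pushes straight to the cluster (push model).
PUSH_PIPELINE = """\
deploy:
  secrets: [REGISTRY_TOKEN, KUBECONFIG]
  script:
    - docker push registry.example.com/app:$CI_COMMIT_SHA
    - echo "$KUBECONFIG" > ~/.kube/config
    - kubectl set image deploy/app app=registry.example.com/app:$CI_COMMIT_SHA
"""
# Constructed sample: CI only builds and pushes; an in-cluster agent reconciles from Git.
PULL_PIPELINE = """\
build:
  secrets: [REGISTRY_TOKEN]
  script:
    - docker build -t registry.example.com/app:$CI_COMMIT_SHA .
    - docker push registry.example.com/app:$CI_COMMIT_SHA
"""

if __name__ == "__main__":
    for name, cfg in (("push", PUSH_PIPELINE), ("pull", PULL_PIPELINE)):
        for no, finding, line in audit_ci_config(cfg):
            print(f"{name}:{no}: {finding}: {line}")
```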
CICD Tool Landscape
In the final section of this page, we provide both a survey and commentary on the types of tools out there, and we discuss what these tools provide for you, as well as the pros and cons of each one.
If you want to learn the ‘ins and outs’ of building a CICD pipeline, then have a look at our newest addition to the Kubernetes library: CICD for Kubernetes: What you need to know.