Join ControlPlane and Weaveworks on April 16th at 10:00am PT for an in-depth webinar on securing GitOps development pipelines for Kubernetes.

Credentials are kept in the cluster

Adopting GitOps best practices in your CICD pipelines already increases the security of your application and systems. With GitOps, a reconciliation operator is installed to the cluster itself that acts on a configuration repo that uses with separate credentials. The operator reconciles the desired state as expressed in the manifest files, stored in the git repo, against the actual state of the cluster.

This means that credentials and other secrets don’t ever leave the cluster. This means that continuous integration operates independently rather than on the cluster directly and that each pipeline component needs only a single read-write credential. Since cluster credentials never leave the cluster, your secrets are kept close.

Security concerns shift to git

Automating releases by writing them to git and only applying changes when they’ve already happened in git ensures that a record of the desired state of the cluster isn’t dependant on the cluster itself. If the cluster is lost, it can be quickly restored from the independent record left in the config git repo without having to re-run build pipelines for the entire application.

Pull Requests enabled on the config repo are independent of the cluster itself can be reviewed by developers. This leaves a complete audit trail of every tag update and config change, regardless of whether it was made manually or automatically. Although using git as part of your CICD pipeline adds another layer of defense, it also means that the security onus is shifted to git itself.

For organizations who wish to defend themselves from malicious internal or external actors, or who operate under high compliance requirements, implementing additional security measures to git provides identity guarantees, as well as automation of change control.

In this webinar, we’ll discuss 4 common Git attacks and how to mitigate them:

  1. User impersonation
  2. Malicious user tampering with the repository’s history
  3. Malicious user attacking the Git platform
  4. Historical attacks on Git clients and their impact

Join ControlPlane and Weaveworks on April 16th at 10:00am PT for an in-depth webinar on securing GitOps development pipelines for Kubernetes.