Magalix joins Weaveworks to bring Policy to GitOps
Weaveworks acquired Magalix, bringing an enterprise grade policy and compliance engine into Weave GitOps Enterprise. Policy is available via commercial SaaS and Enterprise form factors, and extends your GitOps pipeline with governance, verification and security. Learn more about what that means for our customers.
KubeCon NA 2022 Recap – Kubernetes gets Serious
KubeCon NA 2022: Eye-opening Sessions on Cloud Native Environmental Sustainability with GitOps
Components of a GitOps Software Delivery Pipeline - an Infographic
Weaveworks customers frequently say to us “I love the idea of automation but it is a big change from all my manual approvals. How can I go faster with GitOps but respect compliance?”
GitOps, by its nature, already provides an auditable and regulatory compliant method to manage deployments. With GitOps we can guarantee replicas of your desired stack and we can guarantee that legitimate changes are audited (in Git). Now, a recent survey piece by James Governor at Redmonk argues that customers want a richer set of controls to prevent a wide range of illegitimate activities:
- Policy Guardrails stop non-compliant deployments before they happen, with policies expressed ‘as code’
- Verifiable Supply Chains - signed artefacts, attestation and provable workflows
- Enforced Best Practises - regarding IAM, vulnerability and secrets management
- Governance - Security and Compliance processes that scale with the same velocity as developer productivity and platform accessibility
We call this Trusted Delivery - and you can now achieve it with Weave GitOps. Weaveworks is merging with Magalix, bringing an enterprise grade policy and compliance engine into our Weave GitOps Enterprise product. Policy is available via commercial SaaS and Enterprise form factors, and extends your GitOps pipeline with governance, verification and security.
We are meeting customers where they are today. If you need to insert checkpoints into your systems - we can do that. If you want to do 1,000s of fleet scale changes a day - we can do that too. This is now possible for all our customers using Kubernetes and GitOps pipelines.
A great team
Magalix and Weaveworks started working together last year and soon found common ground due to our shared belief in automation. With Magalix policy as code we can add automated and manual policy checks to GitOps, keeping Sec and Ops Compliance happy. Customer opportunities led to deeper integration and a product plan for Weave GitOps Enterprise to deliver policy as code. We have one strategy: to bring security, governance and scale to enterprise GitOps.
Our merger strengthens Weaveworks’ executive team and engineering capability. Mohammed Ahmed becomes Weaveworks VP of Developer Platforms and Ahmed Badran a Director of Engineering. Both are based in Seattle and bring great depth in cloud infrastructure and policy, both from their time building Magalix, and their track records with Amazon and Microsoft respectively. We’re excited to integrate their 30 strong Egypt-based product engineering team and learn more about the growing tech scene there. Weaveworks is a remote-first company, but the merger means we now have significant hubs in the UK, US and Egypt. It would, of course, be remiss of me not to mention that we are hiring.
Tech Example - Magalix governs Flux
Many solutions exist - why is ours unique? Magalix works with Kubernetes, OPA, and the broader DevSecOps ecosystem, but has a special affinity with Flux, the core of Weave GitOps.
This is because: policies can be used against the Flux delivery pipeline itself because that pipeline is itself declarative and lives in Kubernetes as native objects. We can then extend all of this natively using Kubernetes RBAC, CRDs and operators, in our Weave GitOps product. That means we can apply integrated policy to any Trusted Delivery use case for cloud native apps.
This combination of CD pipelines, compliance and security is frequently cited as a major goal of regulated organisations that want to accelerate adoption of digital platforms.
Enterprises want to know that they can trust their pipeline:
- Verify all artefacts for a cryptographic identity (signed images & commits)
- Block insecure or unverified upgrades eg. “upgrade Nginx to latest”
- Add 3rd party scanning and signing tools easily, for pre- and post-deploy checks
- Enforce least privileges and safe use of Git, image repos, and upstream systems
- Firewall direct Kubernetes changes and enforce compliant use of Flux GitOps pipeline
In summary: to provide trusted delivery we need a valid supply chain plus both policy and security acting as an integrated system. And integration enables value such as violation detection after a PR is created, coupled with proposed auto-remediations (see eg. screenshots below).
[Image: Github generated by Magalix when a violation is detect after a PR is created. Showing Magalix auto-remediation by creating an automatic PR with suggested fixes.]
Integrated platform security and multi vendor support
In addition to securing DevOps pipelines, the second key piece of GitOps is the runtime platform. We already know that GitOps provides a safety barrier between the pipeline and the production runtime. But, for trusted delivery, we want to allow some degree of coordination, for example:
- Enforce tenant isolation and immutable app containers with no escalated admin rights
- Allow tenants’ access only to repositories under a specific Github organisation
- Enforceable hierarchy of platform, tenants, and app end users, in dev and ops tools
- Validate any Flux custom resource in the cluster or upstream
Stepping back further, the big picture is that enterprise compliance is an integration problem. Thus in addition to Flux and Kubernetes, policy is how we shall integrate Weave GitOps with external systems. This is especially important for customers who use multiple Kubernetes vendors and are looking to Weave GitOps for an additive and safe application platform. You can consolidate policy lifecycle and take action against all relevant compliance violations.
Open source Weave GitOps and Flux users can add policy as a commercial option. The Magalix engine is today part of Weave GitOps Enterprise. Customers can add policy libraries to Weave GitOps, with detailed severity reporting and extensive dashboards (eg below).
Your GitOps policy journey starts today
Weaveworks customers are modernising operations with GitOps - today. Whether adopting cloud application platforms or accelerating continuous delivery, trust is essential. Developer productivity and feature velocity are wonderful provided you can also be safe.
We want to hear from you. Maybe you are already using open source Flux and want to add security and governance. Or perhaps you have heard about GitOps, but do not need full automation because you will bring your existing approvals and compliance systems along. We’ll meet you where you are.
If you wish to learn more, our first show and tell on trusted application delivery with GitOps and Policy as Code will be held on February 23 and 24 in a US and EMEA friendly timezone. (Register Now!) Not soon enough? Contact us for a demo today on codified policies for GitOps.