Primavera con il VMUGIT - DevSecOps with Tanzu Advanced 31 March 2021 - vmug.it
Primavera con il VMUGIT DevSecOps with Tanzu Advanced 31 March 2021 Confidential │ ©2021 VMware, Inc.
Welcome VMUGIT!
Gabriele Di Traglia, Senior Solution Engineer, VMware, @gabriol82
Ruggero Citterio, Senior Solution Engineer, VMware Tanzu, @ruggerocitterio

Agenda
What is Tanzu
Why DevSecOps
What is required to implement a successful DevSecOps strategy
How Tanzu Advanced is supporting you in this journey
VMware Tanzu - Structured Around Critical Capabilities
Deliver better software to production, faster and more frequently
Applications (DEVELOPER EXPERIENCE): Code and containerize custom applications. Speed development with open source containers. Automate deployment of apps into production.
Multi-cloud Infrastructure (OPERATOR EXPERIENCE): Deploy and manage K8s across clouds, clusters and teams. Apply enterprise observability to drive decisions. Ensure secure and reliable communication between services.

Software Factory Value Stream
BUILD, RUN, DELIVER software to a secured and automated platform
CODE: cloud native application dev framework (Java Spring Runtime)
ASSEMBLE: apps & containers from internally written source (Tanzu Build Service)
CURATE: data services & projects from public OSS (Tanzu Application Catalog)
OPERATE: consistent K8s across every cloud
MANAGE: OBSERVE from application to infrastructure (Tanzu Observability by Wavefront); UNIFY a single namespace across clusters (Tanzu Service Mesh); GOVERN multi-cluster K8s policy operation (Tanzu Mission Control)
@GuillaumeMorini @Alexandre_Roman

VMware Tanzu Editions
Tailored solutions for the most common enterprise challenges
DEPLOY CUSTOM APPS ON KUBERNETES: Tanzu Advanced, simplify and secure the container lifecycle at scale, and speed app delivery
SIMPLIFY KUBERNETES ADOPTION: Tanzu Standard, run and manage Kubernetes across multiple clouds; Tanzu Basic, run Kubernetes in vSphere

Past VMUGIT – DevOps in 2019
OPS Team Member: "Your code does NOT work!!!"
DEV Team Member: "It DOES work on my machine :)"
(You must) Embrace DevSecOps
Problem: new application architectures, containers and multi-cloud have increased the complexity of keeping a system secure. Containers and self-service give great powers, but with them come great responsibilities. How do we prevent vulnerabilities from being introduced into the system? Existing security practices are often not applicable in this constantly changing and ephemeral environment.
Security must be integrated into the development and deployment process in an automated manner, and become the way things are done.

Make Developing Secure (by default)
Problem
Standardize the development process and software dependency management (2nd factor of the 12 factors) and include static and dynamic code analysis in your CI. (Spring Initializr)
Secure your API with kube-native API management and modern authentication patterns. (Spring Cloud Gateway)
Leverage a modern framework to manage critical data with the proper infrastructure. (Spring Cloud Config Server)
Provide the right abstraction to your developers so they can focus only on the application: less code, fewer vulnerabilities. (Tanzu Serverless)

MORE THAN 90% of the latest container images have vulnerabilities
On the Docker image repository, 100 official images, tag: latest (Flawcheck)

Build Secure Containers from your custom development
Problem
Developers provide ONLY the application.
The base image is hardened through a standard process.
OCI images are composed of a set of layers, clearly identified, to trace their origin and their integrity.
The libraries composing each layer are identified and documented.
Cloud Native Buildpacks have been managing this complexity for you since 2011 … and make images cheap to run, quick to boot and easy to rebase.
“Scanned and verified ‘golden images’ are the bedrock of your container security.” FORRESTER RESEARCH, "Best Practices For Container Security," July 2020

Keep Analysing your containers
The registry is the security gateway of your software building chain.
Container images must be frequently scanned and signed.
Container images with CVEs cannot be pulled.
A proper RBAC-based governance must be implemented.
Only automated pipelines must interact with the registry.
Harbor Registry

Secure use of third-party containers
Must be provided by your private registry.
Configure K8s clusters to only run these approved services.
Notify the dev team when a patch is released and the new container image is built.
Automated documentation with the list of libraries and CVEs.
Tanzu Application Catalog
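The two slides above describe a registry-centred policy: images are scanned and signed, images with open CVEs cannot be pulled, and clusters only run images served by the private registry. The following is an added example of how such a policy is enforced at the cluster boundary, written as the decision logic an admission controller would run on a Pod manifest. It is not Harbor, Tanzu or Kubernetes code; the registry host registry.example.internal, the scan results table and the Pod manifest are all constructed for the example, and the severity threshold is an assumption.

```python
"""Added example: admission-style policy check over a Pod manifest.
Not Harbor/Tanzu/Kubernetes code; registry name, scan results and the
Pod manifest below are constructed for illustration."""
import re

# Assumption: the organisation's private registry. Any other host is rejected.
APPROVED_REGISTRY = "registry.example.internal"

# Constructed scan results keyed by image digest, in the shape a registry
# scanner would publish them: worst open CVE severity and signature status.
SCAN_RESULTS = {
    "sha256:" + "a" * 64: {"worst_severity": "LOW", "signed": True},
    "sha256:" + "b" * 64: {"worst_severity": "CRITICAL", "signed": True},
    "sha256:" + "c" * 64: {"worst_severity": "NONE", "signed": False},
}

# Assumption: HIGH and CRITICAL findings block the pull; lower ones are allowed.
BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}

IMAGE_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)"
    r"(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_image(ref):
    """Split an image reference into registry, repo, tag and digest.
    Returns None when no explicit registry host is present."""
    m = IMAGE_RE.match(ref)
    if not m:
        return None
    parts = m.groupdict()
    # A first path component without a dot or port is a repository path
    # (e.g. "library/nginx"), not a registry host, so treat it as no host.
    if "." not in parts["registry"] and ":" not in parts["registry"]:
        return None
    return parts


def check_image(ref, scan_results=SCAN_RESULTS, approved=APPROVED_REGISTRY):
    """Return the list of policy violations for a single image reference."""
    parsed = parse_image(ref)
    if parsed is None or parsed["registry"] != approved:
        # Nothing else can be verified for an image we do not serve.
        return [f"{ref}: not served by approved registry {approved}"]
    digest = parsed["digest"]
    if digest is None:
        # A mutable tag says nothing about what was scanned; require a digest.
        return [f"{ref}: image must be pinned by digest, not tag"]
    result = scan_results.get(digest)
    if result is None:
        return [f"{ref}: no scan result on record"]
    violations = []
    if not result["signed"]:
        violations.append(f"{ref}: image is not signed")
    if result["worst_severity"] in BLOCKING_SEVERITIES:
        violations.append(f"{ref}: open {result['worst_severity']} CVE")
    return violations


def check_pod(pod):
    """Collect violations over every container and init container of a Pod."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    violations = []
    for container in containers:
        violations.extend(check_image(container["image"]))
    return violations


def admit(pod):
    """True when the Pod passes the policy, False when it must be denied."""
    return not check_pod(pod)


# Constructed Pod manifest, as the API server would hand it to a webhook.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [
            {"name": "init",
             "image": "registry.example.internal/base/init@sha256:" + "a" * 64},
        ],
        "containers": [
            {"name": "app",
             "image": "registry.example.internal/team/app@sha256:" + "b" * 64},
            {"name": "sidecar", "image": "docker.io/library/nginx:latest"},
        ],
    },
}

if __name__ == "__main__":
    for violation in check_pod(SAMPLE_POD):
        print("DENY:", violation)
    print("admitted:", admit(SAMPLE_POD))
```

Running the block denies the sample Pod twice: the app container references a digest whose scan shows an open CRITICAL CVE, and the sidecar comes from docker.io rather than the private registry. The init container, pinned by digest, signed and with only a LOW finding, passes. Pinning by digest matters because a tag such as latest can be re-pointed after the scan; the digest is what the scanner actually examined.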
Continuously update the infrastructure layer
Problem: secure containers on a non-secure runtime make no sense. Kubernetes is a complex distributed system, and you need to update it continuously with the right technology.
CNCF is leading the effort to standardize K8s management technology.
Adopt the same process on any cloud.
Cluster API as the foundation of TKG lifecycle management

Use a centralized control plane to manage container runtime sprawl
Problem: at scale, consistency is key.
Monitor cluster versions, status and security policies across clouds. (Tanzu Mission Control - Security Policies)
Strong access control policies are mandatory to mitigate escalation attacks. (Tanzu Mission Control - RBAC)
Inspect clusters frequently for compliance and security standards. (Tanzu Mission Control - Inspection, CIS)

Secure internal & external communications
Problem
Uniform network policies at enterprise scale, with end-to-end visibility.
Communication threshold to limit repetitive unsecured access & service mesh.
Traffic must be encrypted at every level, with standard technology.
Modern ingress technology to act as a Web Application Firewall and provide visibility & analytics.
Connect & expose workloads securely: NSX ALB (formerly AVI) and NSX ALB capabilities

Observe everything
Problem
Store and correlate data from all layers.
Log & monitor events at every layer of the stack.
Monitor DNS traffic and build alerts when anomalies are found.
Monitor resource consumption to detect threats. (Tanzu Observability - Integration)
Use a modern system to navigate through the complexity and avoid false positives.
Adopt an SRE SLI/SLO model to implement an efficient patching model. (Tanzu Observability - AI Alerting)

Observe everything (even more)
Problem

Demo
VMware Tanzu Advanced DevSecOps Flow
Consistent, Secure, Agile DevSecOps Environment based on open standards
Developers: Ideas + Design + Product
Development Environment • Tools • Databases • Services • Kubernetes
Modern dev framework • Any language/IDE • Any CI
CODE → CI → Automated Container Packaging • Validated • Reproducible builds • Security and patching
Container image registry • Validated • Reproducible builds • Security and patching
Validated catalog of third-party runtimes and images • Secure, validated OSS building blocks
CD → Open Source aligned Kubernetes • Certified, conformant K8s • Aligned with CNCF landscape
Connect and protect applications • Consistent traffic, security policies
Observability • Visibility across applications, clusters
Centralized management for multiple clusters across clouds • Policy management, enforcement • Identity and access management • Backup and restore
Modern applications • Revenue generating features • Microservices • Data pipelines • Distributed systems • Relational DBs
CUSTOMER • Security and confidence • Differentiated experience

VMware Tanzu Advanced Capabilities Stack
All Available Today!
Global Control Plane: VMware Tanzu Mission Control, VMware Tanzu Observability by Wavefront, VMware Tanzu Service Mesh
Container Build and Deploy: Spring Runtime, VMware Tanzu Application Catalog, VMware Tanzu Build Service, VMware Tanzu SQL, Harbor
Networking and Connectivity: VMware NSX Advanced Load Balancer (LB, Ingress), VMware Container Networking with Antrea
Compute Runtime: Tanzu Kubernetes Grid, Fluent Bit, Fluentd, Velero, Sonobuoy

Thank You