Member post originally published on the Weaveworks blog by Twain Taylor
Discover the power of Weave Policy Engine for automated security in GitOps pipelines. Strengthen your Kubernetes applications’ security and compliance with policy-as-code enforcement. Learn more.
Enterprises stepping up from DevOps to DevSecOps by adding continuous security validations to their CI/CD pipelines is not news. This model has been largely successful in securing applications at an early stage so that production releases have minimal vulnerabilities and defects. And while it has several long-term benefits for the product, developers often tend to overlook the security aspect in the development processes.
Organizations are readily automating their CI/CD pipelines to minimize development efforts and time to market. Thus maintaining product integrity becomes crucial, especially as developers seek to focus solely on their core tasks and relinquish operational responsibilities.
In this blog post, we delve into the significance of policy-as-code in securing GitOps pipelines. We discuss common security threats faced by organizations today and explore practical steps to prevent security defects using Weave Policy Engine, an open-source policy enforcement engine.
Securing the GitOps Pipeline
Let’s start by discussing the various security threats today, and how we can mitigate them.
Just as a chain is only as strong as its weakest link, the GitOps pipeline is only as secure as its weakest stage. Code-centric processes like build, test, and configuration management are prone to attacks and malware injection. And any persistent attacker will be able to infiltrate the pipeline with enough time. Here are some common causes of vulnerabilities found in the GitOps pipeline:
Insecure Source Repository: An insecure source repository allows the attacker to leverage weak or compromised access control processes and modify the code at will.
Third-Party or Open-Source Libraries: Using third-party or open-source libraries can potentially include malware and render the build process exploitable.
Insecure testing stage: If the testing stage is insecure, an attacker can hide the presence of existing malware or vulnerabilities by exploiting the code.
To ensure a robust and secure GitOps pipeline, it is crucial to address these vulnerabilities proactively and implement appropriate security measures throughout the development process.
Implementing Security Controls
Software development services and tools form the first line of defense against security breaches, and we need sturdy infrastructure controls to detect those attacks and secure the source code along with the pipeline. Techniques such as access controls to prevent unauthorized access, encryption to maintain confidentiality, and hashing to prevent unauthorized modification are standard for protecting the integrity of the source code. Additionally, software testing should cover vulnerabilities in code and use pattern matching to detect malware.
Security Best Practices
While the GitOps pipeline is subjective for every organization, there are certain best practices to address critical threats:
- All applications and tools need to be updated with timely security patches.
- All third-party entities that are integral to the GitOps pipeline must be audited for security standards.
- Map threats to the pipeline and scan all devices that connect to it, and block them if they don’t connect over TLS or if they don’t meet other policy requirements.
- Enforce permissions for pipeline access to decide who can create containers, deploy code to different environments, and commit it to the repositories.
By adhering to these security controls and best practices, organizations can bolster the resilience of their GitOps pipelines and establish a secure development environment. Proactive measures in protecting against potential security threats not only safeguard the integrity of the pipeline, but also instill confidence in the development process, leading to more reliable and secure software releases.
Automating Security with Policy-as-Code
Traditionally, ensuring product security and compliance has been largely a manual process. It’s always been tedious and has always failed to scale effectively. But with policy-as-code, you can now manage security and compliance policies to protect the GitOps process while automating pipeline operations. This prevents the developer from bypassing security controls, and greatly improves pipeline flows.
Kubernetes offers developers the opportunity to implement various security best practices at the cluster level. The cloud-native technology is witnessing rapid adoption across industries. According to a new market research report, the cloud computing market is expected to reach USD 832.1 billion by 2025. And partly because of such massive adoption, security is a major concern for enterprises dealing with Kubernetes clusters. According to the State of Containers and Kubernetes Security Report, 55% of the respondents had to delay operations due to security reasons.
Enforcing Cloud-Native Security
As a security reinforcement, you can implement an array of recommendations for securely setting up networks, IT systems, and cloud infrastructure called the CIS benchmarks for Kubernetes. It covers the following:
- Control plane configurations, including logging, authentication and authorization, and audit policies
- Configurations for Kubernetes control plane components, including Master Node Configurations, API server, Controller Manager, and Scheduler
- Recommendations for Kubernetes worker nodes configuration files and Kubelet
- Configurations for etcd
- Recommendations for Kubernetes policies for RBAC and service accounts, network policies and CNI, and extensive admission control, among other things
The above CIS Kubernetes benchmarks can be automated using policy-as-code, thus reducing the use of non-conforming resources. But that’s not the only benefit — it helps mitigate the possibility of human errors, save implementation time, and pinpoint insecure configurations.
Security Against Misconfigurations
Cloud misconfigurations were the reason behind data breaches affecting 33.4 billion records between 2018 and 2019 and costing companies nearly $5 trillion. Kubernetes network policies are the new standard of network security in clusters, and misconfigurations on that front pose a huge security risk. But with policy-as-code, organizations can now manage Kubernetes cluster resources and limit such misconfigurations by automating the entire workflow.
Enforcing Security & Compliance Standards with Weave Policy Engine
The Weave Policy Engine is a robust open-source policy-as-code engine built on Open Policy Agent (OPA). Its primary function is to strengthen the security, compliance, and adherence to best practices for Kubernetes applications. By seamlessly integrating with GitOps workflows, especially Flux CD and Weave GitOps, it grants users the ability to apply highly detailed policies to Flux CD applications and tenants. This ensures a resilient isolation and compliance framework across all their Kubernetes deployments.
Weave Policy Engine empowers organizations to automate security, enhance compliance, expedite deployments, and maintain a robust governance framework in their cloud-native environments. The Weave Policy Engine enables users to create and implement policies based on specified criteria such as environment, workload, and geography. It can also detect unconfigured security settings and non-compliant or misconfigured resources through our auto-remediation feature.
Furthermore, Weave Policy Agent offers advanced policy configurations specifically targeting Flux CD applications. It allows for fine-grained access controls and tenancy-aware policies, enabling isolation and compliance in multi-tenant environments. This ensures that security policies are applied precisely to Flux CD applications, providing granular control and reducing the risk of unauthorized access. Explore the features, capabilities, and benefits of Weave Policy Engine in this blog.
To get started with the Weave Policy Agent, follow this Getting Started Guide.
Accelerate Security & Compliance with Weave GitOps & Weave Policy Engine
Teams looking to integrate security and compliance guardrails in their GitOps pipelines can do so with our GitOps solutions: Weave GitOps Assured and Weave GitOps Enterprise. Weave Policy OSS comes equipped with sample policies targeting Kubernetes and Flux CD to get the users started. Extended policy libraries are available exclusively to Weave GitOps Assured and Weave GitOps Enterprise customers.
The Assured policy library comprises 50 policies focusing on Flux CD security and configuration best practices, while the Enterprise policy library boasts hundreds of policies covering essential compliance benchmarks, including HIPAA, PCI-DSS, SOC2, and more.
In addition to the policy enforcement aspect of the engine, teams can leverage the Weave GitOps UI for observability, gaining insights into enforced policies, compliance status, and auditing results. The new solution offers unparalleled access to expert guidance, professional services, and customer support for organizations seeking to accelerate their cloud-native journeys. Contact us for a free consultation.