Thursday, 7 April 2022

Implementing DevSecOps in OpenShift

DevSecOps stands for development, security, and operations. It's an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.

DevOps isn't just about development and operations teams. If you want to take full advantage of the agility and responsiveness of a DevOps approach, IT security must also play an integrated role in the full life cycle of your apps.

Why? In the past, the role of security was isolated to a specific team in the final stage of development. That wasn't as problematic when development cycles lasted months or even years, but those days are over. Effective DevOps ensures rapid and frequent development cycles (sometimes weeks or days), but outdated security practices can undo even the most efficient DevOps initiatives.

Now, in the collaborative framework of DevOps, security is a shared responsibility integrated from end to end. It's a mindset that is so important, it led some to coin the term "DevSecOps" to emphasize the need to build a security foundation into DevOps initiatives.

OpenShift provides a complete set of tools that makes it easy to implement DevSecOps pipelines:

  • OpenShift Pipelines, based on the community project Tekton, allows implementation of CI processes including security gates such as dependency analysis, image scanning, deployment checks, or digital signatures.

  • OpenShift GitOps, based on the community project Argo CD, allows implementation of CD procedures following the GitOps paradigm.

  • Quay image registry, used for storing container images and image signatures as well as for security scanning of images.

  • Advanced Cluster Security, based on the community project StackRox, provides comprehensive application and platform lifecycle security management capabilities used during CI/CD processes as well as for monitoring running applications and compliance analysis. Please refer to our earlier blog post for more details.

  • Sigstore, used to sign container images as well as other artifacts and tasks executed in CI pipelines.

  • Advanced Cluster Management provides complete OpenShift cluster lifecycle management from a single pane of glass.
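As an added illustration (not code from the author's GitHub repo, Red Hat, or any of the projects above), a minimal Tekton Pipeline wiring the gates listed above in order: build and push, Advanced Cluster Security image check, Sigstore signing. The pipeline name, container images, Secret names and the Central endpoint are assumptions.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: devsecops-gated-build          # hypothetical name
spec:
  params:
    - name: image                      # full image reference, e.g. quay.example.com/app/web:1.0 (placeholder)
  workspaces:
    - name: source                     # cloned application source
  tasks:
    # 1. Build the image and push it to the registry (Quay).
    - name: build-and-push
      taskRef: {name: buildah, kind: ClusterTask}    # assumed: buildah ClusterTask shipped with OpenShift Pipelines
      workspaces: [{name: source, workspace: source}]
      params: [{name: IMAGE, value: $(params.image)}]
    # 2. Security gate: ACS evaluates the pushed image against its policies.
    - name: acs-image-check
      runAfter: [build-and-push]
      params: [{name: image, value: $(params.image)}]
      taskSpec:
        params: [{name: image}]
        steps:
          - name: roxctl
            image: quay.io/stackrox-io/roxctl:latest                 # assumed image
            env:
              - name: ROX_API_TOKEN
                valueFrom: {secretKeyRef: {name: rox-api-token, key: token}}   # assumed Secret
              - name: ROX_CENTRAL_ENDPOINT
                value: central.stackrox.svc:443                      # assumed Central address
            script: |
              # Exits non-zero when a policy with "fail build" enforcement is
              # violated, so nothing downstream (signing, deployment) runs.
              roxctl image check -e "$ROX_CENTRAL_ENDPOINT" --image "$(params.image)"
    # 3. Sign only an image that passed the gate, using a cosign key held in a Secret.
    - name: sign-image
      runAfter: [acs-image-check]
      params: [{name: image, value: $(params.image)}]
      taskSpec:
        params: [{name: image}]
        steps:
          - name: cosign
            image: gcr.io/projectsigstore/cosign:latest            # assumed image
            script: |
              # Secret "cosign-key" (assumed name) as created by:
              #   cosign generate-key-pair k8s://<namespace>/cosign-key
              # It holds cosign.key, cosign.pub and cosign.password.
              cosign sign --key k8s://$(context.taskRun.namespace)/cosign-key "$(params.image)"
```

A further task that commits the new image tag to the Git repository watched by OpenShift GitOps would hand the signed image over to CD, where Argo CD reconciles the cluster to that commit.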


If you would like to deploy a sample DevSecOps pipeline, please visit my GitHub repo and follow the README instructions.
