Topics Discussed:
- Microservices
- Continuous Integration and its tools
- Kaniko
- Tekton
- GitHub
- GitOps
- FluxCD
- GitOps Advantages
- Security measures and Vulnerability management
- Unmanaged vs Managed K8S clusters
Microservices – Small, independently deployable applications that together make up the whole application. Each microservice is decoupled from the others. Source code for each service is versioned with git, and each service's git repository can carry its own Dockerfile.
Continuous Integration and its tools –
We discuss two Kubernetes-native tools for CI/CD practices: Kaniko and Tekton.
- Kubernetes-based CI should not run "docker build" inside the cluster. It would need access to the Docker socket of the host where the CI container runs, which is complex to set up and is also a privilege escalation risk: whoever can talk to that socket is effectively root on the node.
- In recent Kubernetes versions containerd is the default runtime instead of Docker (the dockershim was removed in 1.24), so there is no Docker daemon on the node to build with and it is not a good idea to stay with docker build.
Kaniko – Kaniko is a container image builder. It builds from the same Dockerfile that docker build would use, but does so in userspace without a Docker daemon, host socket or privileged container, so it can run as an ordinary pod in the cluster.
Tekton – Tekton is a Kubernetes-native CI tool and gets the same advantages as other Kubernetes-native applications (scheduling, RBAC, Secrets). Units of work are Tasks, defined through CRDs.
For example:
- Task to clone code from git
- Task to build an image
- Task to push the image
Tasks are customised with parameters and composed into CI pipelines.
Pipeline
A Pipeline is an ordered set of Tasks; it defines which Tasks run and in what order.
- Pipelines are reusable
- Pipelines are static resources in Kubernetes
- A PipelineRun executes a Pipeline and passes parameters through to its Tasks
Tekton has a catalogue of ready-made Tasks (Tekton Hub), and everything is written in YAML.
How to get reusable steps?
Go to the Tekton catalogue and search for kaniko; if a Task exists, reuse it, otherwise write your own. Tasks can also push build artifacts to an artifact repository such as JFrog Artifactory.
For example, the artifacts of a "maven build". A container security scan can likewise be added as a step of the CI pipeline.
Clair can be used to scan container images, and the scan can be added as a step in a Tekton Task: each step names the container image to run and the command to execute in it. Forming a pipeline means identifying the main job to be done and splitting it into smaller Tasks.
- Tekton runs each Task in its own pod, and the scheduler may place those pods on any node in the cluster. Data is shared between Tasks through a workspace backed by a persistent volume; with a ReadWriteOnce volume Tekton's affinity assistant schedules the Tasks that share it onto the same node.
- Tekton relies on Kubernetes RBAC for users and service accounts.
- Because Tekton is Kubernetes-native it avoids the manual setup Jenkins needs, such as running many jobs inside one agent container. A Task is a CRD, so it can be managed like any other Kubernetes kind, which Jenkins or GitLab runner pods do not offer.
- A Task runs as a pod, and its steps run as containers inside that pod, one after another.
- Tekton can also be used for Continuous Delivery, but this is not recommended because of the added complexity. It can still be done with a Task that runs a kubectl image and is given a Secret holding the target cluster's credentials (a kubeconfig or service-account token); check the catalogue for an existing kubectl deploy Task first.
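As an added example (not from the original notes, and not Tekton's or Kaniko's own sample code), the three resources below show how the pieces above fit together: a Task that builds and pushes an image with the Kaniko executor, a Pipeline that runs the Tekton Hub git-clone Task and then that build Task over one shared workspace, and a PipelineRun that supplies the parameters and the volume backing the workspace. The repository URL, image name, registry-credentials Secret, the Kaniko image tag and the git-clone Task being installed from the catalogue are all assumptions.

```yaml
# Added example, not from the original notes. Assumed: a Tekton Hub "git-clone"
# Task is installed in the namespace, a kubernetes.io/dockerconfigjson Secret
# named registry-credentials holds push credentials, and the names below.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: kaniko-build
spec:
  params:
    - name: IMAGE
      type: string
      description: Image reference to build and push
    - name: DOCKERFILE
      type: string
      default: ./Dockerfile
  workspaces:
    - name: source               # the cloned repository, handed in by the pipeline
  volumes:
    - name: registry-creds
      secret:
        secretName: registry-credentials
        items:
          - key: .dockerconfigjson
            path: config.json    # kaniko reads /kaniko/.docker/config.json
  steps:
    - name: build-and-push
      # The kaniko executor builds from the Dockerfile in userspace: no Docker
      # daemon, no host socket and no privileged container are needed.
      image: gcr.io/kaniko-project/executor:v1.23.2   # assumed tag
      args:
        - --dockerfile=$(params.DOCKERFILE)
        - --context=$(workspaces.source.path)
        - --destination=$(params.IMAGE)
      volumeMounts:
        - name: registry-creds
          mountPath: /kaniko/.docker
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: app-build
spec:
  params:
    - name: repo-url
      type: string
    - name: revision
      type: string
      default: main
    - name: image
      type: string
  workspaces:
    - name: shared               # one volume passed to every Task in turn
  tasks:
    - name: fetch
      taskRef:
        name: git-clone          # Tekton Hub Task (assumed installed)
      params:
        - name: url
          value: $(params.repo-url)
        - name: revision
          value: $(params.revision)
      workspaces:
        - name: output
          workspace: shared
    - name: build
      runAfter: [fetch]          # build only once the clone has finished
      taskRef:
        name: kaniko-build
      params:
        - name: IMAGE
          value: $(params.image)
      workspaces:
        - name: source
          workspace: shared
---
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  generateName: app-build-
spec:
  pipelineRef:
    name: app-build
  params:
    - name: repo-url
      value: https://github.com/example/app.git        # assumed repository
    - name: image
      value: registry.example.com/team/app:1.0.0       # assumed image name
  workspaces:
    - name: shared
      volumeClaimTemplate:       # a fresh PVC per run, owned by the PipelineRun
        spec:
          accessModes: [ReadWriteOnce]
          resources:
            requests:
              storage: 1Gi
```

Apply the Task and Pipeline once with kubectl apply, then start each build with kubectl create -f on the PipelineRun (create, not apply, because of generateName). The Secret mount is the only credential the build pod holds; it is not given the node's Docker socket or any host path, which is the point of building with Kaniko rather than docker build.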
GitHub & Tekton –
Tekton integrates with GitHub for automatically triggered builds. When code changes, GitHub sends a webhook; Tekton Triggers receives it and runs the pipeline. The EventListener CRD exposes the HTTP endpoint for the webhook; a TriggerBinding extracts fields from the payload of the push or pull request (repository URL, commit SHA), and a TriggerTemplate uses them to create resources such as a PipelineRun, so the parameters flow from the webhook into the pipeline. The EventListener needs a public ingress URL that GitHub can reach, and the webhook secret should be verified (the github interceptor does this) so that only GitHub, not anyone who discovers the URL, can start builds. The Tasks to execute on each trigger must be defined in advance.
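An added example of that webhook flow (not from the original notes, nor Tekton's own sample): a TriggerBinding that pulls the repository URL and commit SHA out of a GitHub push payload, a TriggerTemplate that turns them into a PipelineRun, and an EventListener that ties the two together behind the github interceptor. It assumes a Pipeline named app-build with params repo-url, revision and image and a workspace named shared already exists, a ServiceAccount tekton-triggers-sa that may create PipelineRuns, and a Secret github-webhook-secret whose key secretToken holds the secret configured on the GitHub webhook.

```yaml
# Added example, not from the original notes. Assumed: Pipeline app-build,
# ServiceAccount tekton-triggers-sa and Secret github-webhook-secret exist.
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: github-push-binding
spec:
  params:
    # Fields taken from the GitHub "push" webhook payload.
    - name: git-repo-url
      value: $(body.repository.clone_url)
    - name: git-revision
      value: $(body.head_commit.id)
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: app-build-template
spec:
  params:
    - name: git-repo-url
    - name: git-revision
  resourcetemplates:
    # One PipelineRun is created for every accepted webhook delivery.
    - apiVersion: tekton.dev/v1
      kind: PipelineRun
      metadata:
        generateName: app-build-
      spec:
        pipelineRef:
          name: app-build
        params:
          - name: repo-url
            value: $(tt.params.git-repo-url)
          - name: revision
            value: $(tt.params.git-revision)
          - name: image
            # tag the image with the commit it was built from (assumed registry)
            value: registry.example.com/team/app:$(tt.params.git-revision)
        workspaces:
          - name: shared
            volumeClaimTemplate:
              spec:
                accessModes: [ReadWriteOnce]
                resources:
                  requests:
                    storage: 1Gi
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: github-listener
spec:
  serviceAccountName: tekton-triggers-sa
  triggers:
    - name: github-push
      interceptors:
        # The github interceptor checks the X-Hub-Signature HMAC of the body
        # against the shared secret and drops events not in eventTypes, so a
        # forged POST to the public URL cannot start a build.
        - ref:
            name: github
          params:
            - name: secretRef
              value:
                secretName: github-webhook-secret
                secretKey: secretToken
            - name: eventTypes
              value: ["push"]
      bindings:
        - ref: github-push-binding
      template:
        ref: app-build-template
```

Tekton creates a Service named el-github-listener for the EventListener; expose it through an Ingress with TLS and register that URL, with the same secret, as the webhook in the GitHub repository settings. Without the interceptor's secretRef the listener would accept any well-formed JSON body, which lets an outsider run arbitrary branches through the build pipeline.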
GitOps –
In GitOps, applications are deployed to Kubernetes with Helm or Kustomize. Helm packages an application as a chart of YAML templates parameterised through values; the charts are kept in git repositories and can be applied with kubectl, helm or other tools. Argo CD automates this: it watches the cluster and the git repository, compares the live state with what git declares, and when they differ applies the git state to the cluster. Argo CD is configured through its own CRD (Application), which records the git repository, target revision, destination cluster and namespace, and a webhook token if GitHub is to notify it of pushes. Automated sync with prune enabled deletes resources that have been removed from git as well as updating changed ones, and self-heal reverts edits made directly in the cluster. Changes to the desired state are made in git, and Argo pushes that desired state to the cluster.
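As an added example (not from the original notes and not Argo CD's own sample), an Application that deploys a Helm chart from a prod branch with automated sync, prune and self-heal switched on. The repository URL, branch name, chart path, values file and target namespace are assumptions; the destination server value is the in-cluster address Argo CD uses for the cluster it runs in.

```yaml
# Added example, not from the original notes. Assumed: repository, branch,
# chart path, values file and namespace; argocd is installed in namespace argocd.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app-prod
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/example/deploy.git   # assumed deployment repo
    targetRevision: prod                              # branch per environment
    path: charts/app
    helm:
      valueFiles:
        - values-prod.yaml
  destination:
    server: https://kubernetes.default.svc            # the cluster Argo CD runs in
    namespace: app
  syncPolicy:
    automated:
      prune: true      # delete cluster resources that were removed from git
      selfHeal: true   # revert kubectl edits made directly against the cluster
    syncOptions:
      - CreateNamespace=true
```

With prune and selfHeal on, the git branch is the only way to change what runs in the namespace; a manual kubectl edit is reverted on the next reconcile and a manifest deleted from git is deleted from the cluster. That is what makes the git history a reliable audit trail, and it is also why write access to the prod branch must be restricted and reviewed.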
FluxCD –
An operator-based GitOps tool originally developed by Weaveworks, now a CNCF project; like Argo CD it reconciles the cluster to the state declared in git.
Kustomize –
Kubernetes-native configuration management tool that layers patches over base manifests without templating; it is built into kubectl (kubectl apply -k).
Gitops advantages :
Sync of cluster state from the git repo can be automatic or manual. With auto-sync the operator watches the repository for changes and keeps the declared state in sync with the cluster. GitOps gives operations a developer workflow (pull requests, review, history, rollback by revert), and deployments can be segregated per cluster by branch or path, for example a development branch for dev clusters and a prod branch for prod clusters.
Security :
Vulnerability management for public-cloud Kubernetes clusters can use each provider's native scanning tools (GCP, Azure, etc.). Container image scanning should start at the image build step in the CI pipeline and continue on a schedule against the registry, since new CVEs are published for images that have not changed; Snyk can be used for container image scans.
Enterprise Snyk : can also propose a remedy for the vulnerability, for example a base image upgrade.
Falco : one of the tools for container runtime security; it detects suspicious behaviour at the syscall level.
Padbot : for security compliance monitoring for the entire platform and runtime.
Tekton : a step can run the vulnerability scan, and if the image is vulnerable the step exits non-zero, which fails the Task and therefore the pipeline, so nothing ordered after it (such as a deploy) runs.
Encryption at rest : can be enabled in the API server so that etcd objects such as Secrets are stored encrypted rather than as plaintext (base64 is encoding, not encryption).
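An added example of such a gating step (not from the original notes, not Snyk's or Tekton's own sample): a Tekton Task that runs snyk container test against the freshly built image and fails when findings at or above the chosen severity exist. The snyk/snyk:linux image, the snyk-token Secret and the image reference are assumptions.

```yaml
# Added example, not from the original notes. Assumed: the snyk/snyk:linux image
# carries the Snyk CLI, Secret snyk-token key token holds an API token, and the
# CLI can pull the image from the registry.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: image-scan
spec:
  params:
    - name: IMAGE
      type: string
      description: Image reference to scan, as pushed by the build Task
    - name: SEVERITY
      type: string
      default: high        # fail on high and critical findings only
  steps:
    - name: snyk-container-test
      image: snyk/snyk:linux
      env:
        - name: SNYK_TOKEN
          valueFrom:
            secretKeyRef:
              name: snyk-token
              key: token
      script: |
        #!/bin/sh
        # Tekton substitutes $(params.X) before the script runs. snyk exits 0
        # when nothing at or above the threshold is found and 1 when
        # vulnerabilities are found. A non-zero exit fails this step, the
        # TaskRun and the PipelineRun, so a deploy Task that has
        # runAfter: [scan] never starts.
        snyk container test "$(params.IMAGE)" --severity-threshold="$(params.SEVERITY)"
```

In the pipeline this Task is listed with runAfter: [build] and any deploy Task with runAfter: [scan]; the ordering, not a special flag, is what turns the scan into a gate. One caveat: scanning an image the build Task already pushed means a vulnerable image sits in the registry even though the pipeline failed. To gate the push itself, build with the Kaniko --no-push and --tar-path options into the shared workspace, scan that tarball (snyk container test docker-archive:path.tar), and push in a separate Task that runs after the scan.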
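An added example of the API server configuration that enables this (not from the original notes and not a file from any Kubernetes distribution): an EncryptionConfiguration that encrypts Secrets in etcd with AES-CBC. The file path, the apiserver flag value and the key placeholder are assumptions; the key itself must be generated.

```yaml
# Added example, not from the original notes. Assumed: the file is stored on
# each control-plane node at /etc/kubernetes/enc/enc.yaml and kube-apiserver
# is started with --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets            # add configmaps or other resources if required
    providers:
      # The first provider encrypts new writes; every listed provider is tried
      # in order when reading, so the order matters.
      - aescbc:
          keys:
            - name: key1
              # 32 random bytes, base64 encoded. Placeholder only; generate with
              #   head -c 32 /dev/urandom | base64
              secret: <base64-encoded-32-byte-key>
      # identity (no encryption) stays LAST so objects written before
      # encryption was enabled can still be read until they are rewritten.
      # Putting identity first would keep writing plaintext.
      - identity: {}
```

After restarting the API server, rewrite existing objects so they are stored encrypted: kubectl get secrets --all-namespaces -o json | kubectl replace -f -. Reading a secret straight from etcd with etcdctl should then show a k8s:enc:aescbc:v1:key1: prefix instead of the plaintext. Two caveats: the key sits in a file on the control-plane node, so anyone with node access can decrypt etcd, which is why the kms provider backed by a cloud or external KMS is the stronger option; and the file must be excluded from any backup that travels with the etcd snapshot.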
Unmanaged (self managed) vs Managed K8S Clusters :
- Self-managed clusters give flexibility: integrations, security compliance settings and control plane configuration are all our own decisions.
- Audit event customisation is not possible in managed clusters; the provider controls the API server flags, including the audit policy.
- In managed clusters with VPC-native networking each pod takes an IP address from the VPC, which becomes difficult in clusters running a large number of pods (subnet sizing and address exhaustion).
- Encryption at rest is easy to enable in a managed cloud (usually an option backed by the provider's KMS), whereas in a self-managed cluster it has to be configured by hand and the keys managed by us.