Flux Security Deep Dive
Stefan Prodan
Flux & Flagger Maintainer
Principal Engineer @ Weaveworks
Flux - Project overview
The Flux project aims to provide a complete Continuous Delivery platform on top of Kubernetes, supporting all the common practices and tooling in the field.
Flux v2 is powered by the GitOps Toolkit, a set of composable APIs and specialized tools for keeping Kubernetes clusters in sync with sources of configuration, and automating updates to configuration when there is new code to deploy.
Flagger is a Progressive Delivery tool that automates the release process for applications running on Kubernetes. Flagger comes with a declarative model for decoupling the deployment of apps on Kubernetes from the release process.
https://github.com/fluxcd/flux2
https://github.com/fluxcd/flagger
Flux - GitOps Continuous Delivery
Agenda
● How is Flux made
● How secure is Flux
● Are my secrets safe in Git
● Is Kubernetes really multi-tenant
● Flux soft vs hard multi-tenancy
● When will Flux v2 be GA
What is Flux made of?
Flux is made of many things
● Kubernetes API extensions (CRDs)
● Specialized Kubernetes operators (powered by controller-runtime)
● Flux command-line tool (powered by Kubernetes cli-utils)
● Flux Terraform provider
● Go & C libraries (Go stdlib, Kubernetes client-go, kstatus, go-git, libgit2, kustomize, helm, minio, oras, sops, age, aws, azure, gcp, github, gitlab, bitbucket SDKs… and some more)
WELCOME TO VALENCIA
How can a handful of people maintain such a project?
With care… a helpful community, and lots of automations
Flux - release pipeline
[Pipeline diagram: the Flux libraries, controllers and CLI pass through UNIT TEST, OSS FUZZ, BUILD, E2E TEST and RELEASE stages; the release path runs ASSEMBLE, AMD64 E2E, ARM64 E2E, CLOUD E2E and RELEASE. Runners shown: GitHub (Linux & macOS), Equinix Metal (Linux), AKS + DevOps, EKS, GKE; E2E tests on Kubernetes KIND 1.20…1.24; Flux GitHub Bot; SCAN with GitHub CodeQL and Snyk; Cosign & SBOM at release.]
Flux - release artifacts
A Flux release is comprised of
● Multi-arch container images (GHCR & DockerHub)
● Signed images and checksums (Cosign + GitHub OIDC)
● Software Bill of Materials (SBOM SPDX)
● Deployment manifests (YAML)
● OpenAPI specs (JSON)
● CLI binaries (Linux, macOS & Windows)
● Packages (Homebrew, Arch AUR, NIX, Chocolatey)
● Flux Terraform provider (Terraform Registry)
● Flux GitHub Action (AMD64 & ARM64 runners)
What makes the Flux controllers secure?
● No shell-out to 3rd party binaries
● All Linux capabilities are dropped
● The root filesystem is set to read-only
● The seccomp profile is runtime default
● Controllers run as non-root
● Uses Kubernetes impersonation API
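The hardening items above map onto a handful of Pod securityContext fields. What follows is an added example written for this page, not a manifest from the Flux project: a controller Deployment that carries those settings, followed by a Namespace label that makes Kubernetes Pod Security Admission reject any pod in the namespace that lacks them. The controller name, image and volume name are placeholders.

```yaml
# Added example (not a Flux project manifest). Names and image are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-controller          # placeholder
  namespace: flux-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-controller
  template:
    metadata:
      labels:
        app: example-controller
    spec:
      serviceAccountName: example-controller
      securityContext:
        fsGroup: 1337                # group owning the writable volume below
      containers:
        - name: manager
          image: ghcr.io/example/example-controller:v0.0.0   # placeholder
          securityContext:
            runAsNonRoot: true               # "Controllers run as non-root"
            allowPrivilegeEscalation: false  # no setuid/file-capability gains
            readOnlyRootFilesystem: true     # "root filesystem is read-only"
            capabilities:
              drop: ["ALL"]                  # "All Linux capabilities are dropped"
            seccompProfile:
              type: RuntimeDefault           # "seccomp profile is runtime default"
          volumeMounts:
            # With a read-only root, scratch space has to be an explicit volume.
            - name: temp
              mountPath: /tmp
      volumes:
        - name: temp
          emptyDir: {}
---
# The check: with Pod Security Admission enforcing the "restricted" profile on
# the namespace, a controller that omits runAsNonRoot, drop ALL, the seccomp
# profile or allowPrivilegeEscalation: false is rejected at admission time
# instead of silently running with extra privileges.
apiVersion: v1
kind: Namespace
metadata:
  name: flux-system
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
```

The "restricted" profile does not demand a read-only root filesystem, so that line is a deliberate extra; keeping /tmp as an emptyDir is what lets a controller with a read-only root still write temporary files such as cloned sources or rendered charts.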
Flux vs competition?
Unlike most CD products, Flux has a small attack surface
● Flux controllers are statically built and have no dependencies on OS packages
● No shell-exec to git, kubectl, helm, kustomize, sops, aws, gcloud, etc.
● No HTTP APIs; you can control Flux only via the Kubernetes API
● All actions performed on the cluster are auditable and subject to Kubernetes RBAC
● Flux execution is predictable; there are no plugins nor scripting
● Flux can only be extended with other controllers that adhere to the GitOps Toolkit standard
Who trusts in Flux?
Flux is embedded in
● Azure Arc
● Amazon EKS Anywhere
● VMware Tanzu
● D2iQ Enterprise Kubernetes Platform
● Platform One (US DoD & US Air Force)
● Deutsche Telekom Das Schiff
● And many more
How secure is Flux?
● In 2021 Flux underwent a security audit (OSTIF & ADA Logics)
○ We’ve addressed all the security issues found in record time
○ We’ve put in place an RFC process for changes to Flux’s security posture
● In 2022 the Flux team focused on security hardening
○ We’ve found and addressed a series of multi-tenancy vulnerabilities
○ We’ve made secrets decryption safer in multi-tenant environments
○ We’ve improved the test coverage of sensitive operations
● Flux is scheduled to undergo a security review by CNCF TAG Security
Is Flux bulletproof?
How to keep Flux up-to-date?
Flux is able to update itself from Git. We offer a GitHub Action that checks for new releases and opens a pull request on your bootstrap repository when a newer Flux version is available.
For GitLab, BitBucket, Azure DevOps and other platforms, you can use Renovate Bot, which offers the same update automation for Flux.
What security challenges come with GitOps?
● Keeping secrets safe
● Restricting access to sensitive data
● Compromised Git credentials
● Preventing destructive cluster ops
Are my secrets safe in Git?
Flux comes with built-in secrets management
● Client-side encryption with Mozilla SOPS
● Server-side decryption with Flux
● Supported technologies
○ Age encryption and OpenPGP
○ HashiCorp Vault
○ AWS Key Management Service
○ Azure Key Vault
○ Google Cloud KMS
The Flux team is committed to SOPS’ development and maintenance
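The two halves of that model, encryption on the contributor's machine with SOPS and decryption inside the cluster by kustomize-controller, meet in three files. The following is an added example, not configuration copied from the Flux project or its docs: a .sops.yaml creation rule, a constructed and shortened illustration of a Secret as SOPS commits it, and the Flux Kustomization that names the decryption key. The age public key, the ciphertext fragments, and all names and paths are placeholders.

```yaml
# Added example (not the Flux project's own configuration). The age recipient,
# the ENC[...] payloads and all names/paths are placeholders.

# --- .sops.yaml at the root of the Git repository ---
# sops applies the first matching rule when encrypting. Limiting
# encrypted_regex to data/stringData keeps kind, metadata and labels in clear
# text, so reviews, diffs and policy checks still work on the manifest.
creation_rules:
  - path_regex: .*\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: age1PLACEHOLDERPUBLICKEY   # placeholder: the cluster's age public key
---
# --- apps/db-credentials.yaml as committed after `sops --encrypt` ---
# Constructed illustration: the ENC[...] values and the armored age block are
# shortened placeholders, not real ciphertext.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: apps
type: Opaque
stringData:
  password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
  age:
    - recipient: age1PLACEHOLDERPUBLICKEY
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        PLACEHOLDER
        -----END AGE ENCRYPTED FILE-----
  encrypted_regex: ^(data|stringData)$
  mac: ENC[AES256_GCM,data:PLACEHOLDER,type:str]   # integrity tag over the file
  version: 3.7.3
---
# --- clusters/my-cluster/apps.yaml: the Flux Kustomization ---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  # kustomize-controller decrypts matching manifests in memory immediately
  # before applying them; decrypted data is never written back to Git.
  decryption:
    provider: sops
    secretRef:
      name: sops-age     # Secret in flux-system holding the age private key
```

The private key is loaded into the cluster once, out of band, for example with `kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey=./age.agekey` (the .agekey entry name is the convention the Flux SOPS guide documents). The secretRef is resolved in the Kustomization's own namespace, which is what keeps one tenant's decryption key out of reach of objects in another tenant's namespace.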
Secrets operations
Is Kubernetes truly multi-tenant?
In some regards YES, but soft multi-tenancy is difficult to secure, while hard multi-tenancy can be easier to reason about but hard to orchestrate.
Tenant isolation boundaries
Flux bridges the gap between Kubernetes and Git tenancy models.
● Kubernetes
○ Dedicated clusters per tenant (hard multi-tenancy)
○ Namespaces and role bindings
○ Node groups, taints and tolerations
○ Resource quotas and network policies
○ 3rd party policies (OPA & Kyverno)
● Git
○ Dedicated repositories per tenant (hard multi-tenancy)
○ Protected branches
○ Team access management (GitHub, GitLab, etc.)
Flux - GitOps Multi-Tenancy
Flux enables multi-tenancy by allowing platform admins to assign restricted Kubernetes accounts to the tenants’ sources.
When Flux reconciles the tenant’s Kubernetes resources, it does so by impersonating the tenant’s account, thus enforcing the isolation boundary as defined by platform admins in their Git repo.
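The impersonation described above is configured rather than coded: the platform admins commit the tenant's namespace, service account and role binding together with the Flux objects that sync the tenant's repository, and set serviceAccountName on the tenant's Kustomization. The following is an added example in the spirit of the flux2-multi-tenancy demo, not a copy of its files; the tenant name dev-team, the repository URL and the cluster path are placeholders, and the second file shows the lockdown flags that kustomize-controller and helm-controller accept for this purpose.

```yaml
# Added example (not the flux2-multi-tenancy repository's own files).
# "dev-team", the repository URL and the cluster path are placeholders.

# --- tenants/dev-team.yaml, applied by the platform admins' Flux Kustomization ---
apiVersion: v1
kind: Namespace
metadata:
  name: dev-team
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-team
  namespace: dev-team
---
# Full rights inside the tenant namespace and nothing outside it: the built-in
# "admin" ClusterRole bound with a RoleBinding is namespace-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-reconciler
  namespace: dev-team
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: ServiceAccount
    name: dev-team
    namespace: dev-team
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: dev-team
  namespace: dev-team
spec:
  interval: 5m
  url: https://github.com/example-org/dev-team   # placeholder repository
  ref:
    branch: main
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: dev-team
  namespace: dev-team
spec:
  interval: 10m
  path: ./
  prune: true
  sourceRef:
    kind: GitRepository
    name: dev-team
  # kustomize-controller impersonates this account when it applies the
  # tenant's manifests, so the RoleBinding above is the enforced boundary:
  # a cluster-scoped object or a resource in another namespace is denied
  # by the API server, not by Flux.
  serviceAccountName: dev-team
---
# --- clusters/my-cluster/flux-system/kustomization.yaml ---
# Without these flags a tenant could point a Kustomization at a source in
# another namespace, or omit serviceAccountName and inherit the controller's
# cluster-admin rights. The patch forbids both for every tenant at once.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --no-cross-namespace-refs=true
    target:
      kind: Deployment
      name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --default-service-account=default
    target:
      kind: Deployment
      name: "(kustomize-controller|helm-controller)"
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --no-remote-bases=true
    target:
      kind: Deployment
      name: "kustomize-controller"
```

Only the platform admins' repository is reconciled with cluster-admin rights; everything committed by the tenant is applied as the dev-team account, so a quick check that the boundary holds is to add a ClusterRoleBinding to the tenant repository and confirm the Kustomization reports a forbidden error from the API server instead of applying it.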
Demo
Multi-tenancy with Flux and Kubernetes
namespace-as-a-service
https://github.com/fluxcd/flux2-multi-tenancy
When will Flux v2 reach GA?
TODOs
● Adopt kstatus for all Flux APIs
● Helm controller refactoring
● Support for Helm OCI
● Notification API improvements
● Documentation refactoring
https://fluxcd.io/roadmap
Additional Resources
https://fluxcd.io/security
https://fluxcd.io/docs/security
https://github.com/fluxcd/flux2-multi-tenancy
https://fluxcd.io/docs/guides/mozilla-sops/
THANK YOU!
https://twitter.com/stefanprodan

KubeCon 2022 EU Flux Security.pdf