SlideShare une entreprise Scribd logo

Adding Security to your SLO-based Release Validation with Keptn

Télécharger en tant que PPTX, PDF
Andreas Grabner
Andreas Grabner

This talk was given at DevSecOps Days Boston and DevOps & Security Meetup Vienna in 2021 Automatic Release Validation, aka Quality Gates, is not a new concept but often only covers functional or performance metrics. Keptn’s open SLO-based evaluation allows DevSecOps to have their favorite security tool report SLOs such as number of detected vulnerabilities as part of delivery automation

Logiciels
1  sur  24
Adding Security to your SLO-based Release Validation with Andreas Grabner DevOps Activist at Dynatrace DevRel for Keptn @grabnerandi https://www.linkedin.com/in/grabnerandi Star us @ https://github.com/keptn/keptn Follow us @keptnProject Slack Us @ https://slack.keptn.sh Visit us @ https://keptn.sh DevSecOps Boston, July 26 2021 + Vienna DevOps & Security, Nov 9 2021
What is Keptn Whichproblemdoesitsolve? Service Level Objectives Forautomatedreleasevalidation Extending Keptn Howtointegrateyoursectools Talk outline: so you know whats gonna happen 
What is Keptn Which problemdoes it solve
DevOps & SREs must automate many tasks through pipelines Deployment Performance Engineering Quality Gates Security & Vulnerability Scans Chat Notifications Configure Monitoring Chaos Testing Integrate Approval Process Canary Blue/Green Feature Flagging SLO Monitoring Setup Alerting Auto Remediation API Test SLA Validation Functional Test Rollbacks
ChristianHeckelmann SeniorDevOps Engineer 2800 projects 966 CI/CDs „I am constantly reacting to ‚Pipeline Broken – please fix!‘“ DIY (Do It Yourself) can become very complex and hard to maintain
pipeline { stages { stage('Deploy to dev namespace') { steps { container(‘helm’) { } } } stage('Run tests') { steps { container(‘jmeter’) { } } } stage(‘Evaluate performance’) { steps { container(‘curl’) { } } } if (evaluation.passed) { stage('Deploy to staging') { steps { container(‘helm’) { } } } } } } pipeline { stages { stage('Deploy to dev namespace') { steps { container(‘kustomize’) { } } } stage('Run tests') { steps { container(‘jmeter’) { } } } stage(‘Evaluate performance’) { steps { container(‘curl’) { } } } if (evaluation.passed) { stage('Deploy to staging') { steps { container(‘helm’) { } } } } } } 1 Service = 1 Pipeline 1 Project = x Pipelines n Teams = n*x Pipelines pipeline { stages { stage('Deploy to dev namespace') { steps { container(‘helm’) { } } } stage('Run tests') { steps { container(‘jmeter’) { } } } stage(‘Evaluate performance’) { steps { container(‘curl’) { } } } if (evaluation.passed) { stage('Deploy to staging') { steps { container(‘helm’) { } } } } } } 25 services 96 workloads DieterLadenhauf SeniorACE Engineer „Onboarding or updating pipelines is manual & error prone!‘“ Scaling DIY to many projects often highlights technical debt in your automation
Oh Keptn, my Keptn!
classical-automation-script { } // 1000+ lines later Keptn removes hard-coded dependencies of classical automation approaches Prepare Deploy Test SLO Evaluation Promote Deployment Tool D1 Testing Tool T1 Monitoring Tool M1 Notification Tool N1 config
stage: automation-seqeuence SLO Evaluation Keptn separates process, tooling and configuration and connects via events Deployment Tool D1 Testing Tool T1 Monitoring Tool M1 Notification Tool N1 Eventing Prepare Deploy Test Promote config Git
Example #1: automate performance sequence in staging Deployment Tool D1 Testing Tool T1 Monitoring Tool M1 Notification Tool N1 Eventing Deploy Test SLO Evaluation Git $ keptn trigger performance --stage=staging --image=myapp:2.0 staging: performance Task: get-sli Service:myapp Stage:staging Time: last 10min Task: Test Stage:staging Strategy:Performance Prepare Promote Shipyard Sequence of automation tasks grouped in stages CloudEvents Task specific with metadata Uniform Subscribed Keptn Services Config Tool specific Task: Deploy Image:myapp:2.0 Stage:staging Strategy:Blue/Green
Example #2: remediate production security issue Infra Autom. Tool I1 Monitoring Tool M1 Notification Tool N2 Eventing Action: block-traffic SLO Evaluation SLO Evaluation Escalate Git $ keptn trigger remediation --stage=production --problem=high-vulnerability-attack --rootcause=bad-library-version production: remediation Task: Remedation Action:block-traffic Stage:production Data:172.31.0.0/24 Task: Remediation Action: rollback Stage:production Image:myapp:1.0 Action: rollback Shipyard Sequence of automation tasks grouped in stages CloudEvents Task specific with metadata Uniform Subscribed Keptn Services Config Tool specific Deployment Tool D2 Task: Escalate Reason: Failure Rate Stage:production Ticketing Tool T1 remediation.yaml (bad-library-version)
Reduce your pipeline‘s complexity by letting orchestrate declarative, data-driven delivery and ops automation 90% less automation code SLOs built-in Connects with all your tools Separation of process & tool GitOps: all config in git Keptn brings opinionated cloud native automation to all your projects
Service Level Objectives For automated release validation
Applying SRE Best Practices across the lifecycle Authentication Service 0.89s 0.5% Oct 2021 Nov 2021 0.61s 2.5% 1000/s 1600/s Service X xxs xx% yys yy% xx/s yy/s Production Shift-Left Continuous Delivery Authentication Service Commit #1 Commit #2 Commit #3 Commit #4 SLO Evaluation Service X
An example: SLOs defined by DevSecOps validated as part of automated delivery Overall Failure Rate Query: builtin:service.errors.total Test Step LOGIN Response Time Query: calc:service.teststeprt:filter(Test, LOGIN) Test Step LOGIN # Service Calls Query: calc:service.testsvc:filter(tx, LOGIN) <= 5% <= 2% <=150ms & <=+10% <= 400ms <= +0% Build 1 0% 80ms 100ms SLO: Overall Score Goal 90% 75% Response Time 95th Perc Query: builtin:service.responsetime(p95) <=100ms <= 250ms SLO SLIs (Service Level Indicators) warn pass 1 100% Build 2 4% 120ms 90ms 2 50% Build 3 1% 90ms 120ms 1 70.0% Build 4 0% 95ms 95ms 1 100% Build 1 Build 2 Build 3 Build 4 $ keptn send event start-evaluation myproject myservice starttime=build1_deploy endtime=build1_testsdone $ keptn send event start-evaluation myproject myservice starttime=build2_deploy endtime=build2_testsdone $ keptn send event start-evaluation myproject myservice starttime=build3_deploy endtime=build3_testsdone $ keptn send event start-evaluation myproject myservice starttime=build4_teststart endtime=build4_testsend Open Security Vulnerabilities Query: calc:secproblems:filter(risk,CRITICAL) <=0 0 0 1 0
How SLOs work in Keptn behind the scene! sli.yaml (Dynatrace) indicators: error_rate: "builtin:service.errors.total.count" count_dbcalls: "calc:service.toptestdbcalls" jvm_memory: "builtin:tech.jvm.memory.pool.committed" sec_critical: "calc:secproblems:filter(risk,CRITICAL)" slo.yaml (SLI Provider independent) objectives: - sli: error_rate pass: - criteria: - "<=1“ # We expect a max error rate of 1% - sli: jvm_memory - sli: count_dbcalls pass: - criteria: - "=+2%" # We allow a 2% increase in DB Calls between builds warning: - criteria: - "<=10" # We expect no more than 10 DB Calls per TX - sli: sec_critical pass: - criteria: - "<=0" # We do not allow any critical security issues total_score: pass: "90%" warning: "75%" sli.yaml (Prometheus) indicators: error_rate: "http_requests_total{status=“error"}" jvm_memory: "jvm_memory_used_bytes{area="heap"}[1m]" sec_critical: "rate(falco_events[5m])" SLI Providers: Query SLIs based on sli.yaml and return individual values Lighthouse Service: Retrieves SLIs and compares them against SLOs ... *get-sli* *evaluation* count_dbcalls: 5 jvm_memory: 360MB error_rate: 4.3% sec_critial: 1
triggers an automation sequence orchestrates monitoring config, deployment, test execution, SLO evaluation & remediation Integrating SLO evaluation (and other Keptn use cases) with your existing tooling
Release Readiness for Austrian Online Banking #1 List of release relevant SLOs #3 Link back to Jenkins https://medium.com/keptn/keptn-automates-release-readiness-validation-for-austrian-online-banking-software-eaaab7ad7856
Extending Keptn How to integrate your sec tools
• Build your own Keptn Service in minutes! • https://github.com/keptn-sandbox/keptn-service-template-go • https://github.com/keptn-contrib/job-executor-service Integrate your security testing tools with Keptn type: sh.keptn.event.test.triggered data: - test.strategy: functional - deployment.url: https://yoururl type: sh.keptn.event.test.started data: - status: succeeded | failed type: sh.keptn.event.test.finished data: - status: succeeded | failed - result: pass | fail Run Test Distributor: Subscribing to *.test.* Your Tool ... $ zap.sh cmd -quickurl https://yoururl -quickprogress
Integrate your security results/reports as an SLI Provider type: sh.keptn.event.get-sli.triggered data: - timeframe: 30m - sli: sec_critical type: sh.keptn.event.get-sli.started data: - status: succeeded | failed type: sh.keptn.event.get-sli.finished data: - status: succeeded | failed - values: sec_critical=4 Query Data Distributor: Subscribing to *.get-sli.* Your Tool ... • Build your own Keptn Service in minutes! • https://github.com/keptn-sandbox/keptn-service-template-go • https://github.com/keptn-contrib/job-executor-service
Wrap Up AutomatingSecuritySLOswith Keptnandyourfavoritesecuritytools
Confidential 2 5 Get startedwithour tutorials:tutorials.keptn.sh live public demo
Adding Security to your SLO-based Release Validation with Andreas Grabner DevOps Activist at Dynatrace DevRel for Keptn @grabnerandi https://www.linkedin.com/in/grabnerandi Star us @ https://github.com/keptn/keptn Follow us @keptnProject Slack Us @ https://slack.keptn.sh Visit us @ https://keptn.sh DevSecOps Boston, July 26 2021

Recommandé

Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Jeffrey Holden
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with Micronaut
QAware GmbH
 
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ... The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
Josef Adersberger
 
Continuous Delivery and Automated Operations on k8s with keptn
Continuous Delivery and Automated Operations on k8s with keptnContinuous Delivery and Automated Operations on k8s with keptn
Continuous Delivery and Automated Operations on k8s with keptn
Andreas Grabner
 
Security model for a remote company
Security model for a remote companySecurity model for a remote company
Security model for a remote company
Pierre Mavro
 
Ports, pods and proxies
Ports, pods and proxiesPorts, pods and proxies
Ports, pods and proxies
LibbySchulze
 
Google Cloud Networking Deep Dive
Google Cloud Networking Deep DiveGoogle Cloud Networking Deep Dive
Google Cloud Networking Deep Dive
Michelle Holley
 
Cloud for Kubernetes : Session4
Cloud for Kubernetes : Session4Cloud for Kubernetes : Session4
Cloud for Kubernetes : Session4
WhaTap Labs
 

Recommandé

Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Jeffrey Holden
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with Micronaut
QAware GmbH
 
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ... The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
Josef Adersberger
 
Continuous Delivery and Automated Operations on k8s with keptn
Continuous Delivery and Automated Operations on k8s with keptnContinuous Delivery and Automated Operations on k8s with keptn
Continuous Delivery and Automated Operations on k8s with keptn
Andreas Grabner
 
Security model for a remote company
Security model for a remote companySecurity model for a remote company
Security model for a remote company
Pierre Mavro
 
Ports, pods and proxies
Ports, pods and proxiesPorts, pods and proxies
Ports, pods and proxies
LibbySchulze
 
Google Cloud Networking Deep Dive
Google Cloud Networking Deep DiveGoogle Cloud Networking Deep Dive
Google Cloud Networking Deep Dive
Michelle Holley
 
Cloud for Kubernetes : Session4
Cloud for Kubernetes : Session4Cloud for Kubernetes : Session4
Cloud for Kubernetes : Session4
WhaTap Labs
 
Opentelemetry - From frontend to backend
Opentelemetry - From frontend to backendOpentelemetry - From frontend to backend
Opentelemetry - From frontend to backend
Sebastian Poxhofer
 
JEE on DC/OS
JEE on DC/OSJEE on DC/OS
JEE on DC/OS
Josef Adersberger
 
Securing Databases with Dynamic Credentials and HashiCorp Vault
Securing Databases with Dynamic Credentials and HashiCorp VaultSecuring Databases with Dynamic Credentials and HashiCorp Vault
Securing Databases with Dynamic Credentials and HashiCorp Vault
Mitchell Pronschinske
 
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
David Pasek
 
Dapr logicapps
Dapr logicappsDapr logicapps
Dapr logicapps
Andrea Tosato
 
Monitoring&Logging - Stanislav Kolenkin
Monitoring&Logging - Stanislav Kolenkin Monitoring&Logging - Stanislav Kolenkin
Monitoring&Logging - Stanislav Kolenkin
Kuberton
 
Application Modernization with PKS / Kubernetes
Application Modernization with PKS / KubernetesApplication Modernization with PKS / Kubernetes
Application Modernization with PKS / Kubernetes
Paul Czarkowski
 
Cloud-native Application Lifecycle Management
Cloud-native Application Lifecycle ManagementCloud-native Application Lifecycle Management
Cloud-native Application Lifecycle Management
Neil Gehani
 
What is Google Cloud Good For at DevFestInspire 2021
What is Google Cloud Good For at DevFestInspire 2021What is Google Cloud Good For at DevFestInspire 2021
What is Google Cloud Good For at DevFestInspire 2021
Robert John
 
Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring
Conor Svensson
 
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
SlideTeam
 
Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)
Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)
Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)
Alexandre Dutra
 
Data manipulation for configuration management using Ansible
Data manipulation for configuration management using AnsibleData manipulation for configuration management using Ansible
Data manipulation for configuration management using Ansible
Joel W. King
 
CNCF, State of Serverless & Project Nuclio
CNCF, State of Serverless & Project NuclioCNCF, State of Serverless & Project Nuclio
CNCF, State of Serverless & Project Nuclio
Lee Calcote
 
What’s New in Spring Data MongoDB
What’s New in Spring Data MongoDBWhat’s New in Spring Data MongoDB
What’s New in Spring Data MongoDB
VMware Tanzu
 
Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...
Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...
Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...
Tobias Schneck
 
Fabio Ferrari | particles.io | Presentation
Fabio Ferrari | particles.io | PresentationFabio Ferrari | particles.io | Presentation
Fabio Ferrari | particles.io | Presentation
Fabio Ferrari
 
Cloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesCloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit Kubernetes
QAware GmbH
 
Cloud Compliance with Open Policy Agent
Cloud Compliance with Open Policy AgentCloud Compliance with Open Policy Agent
Cloud Compliance with Open Policy Agent
QAware GmbH
 
Jenkins Online Meetup - Automated SLI based Build Validation with Keptn
Jenkins Online Meetup - Automated SLI based Build Validation with KeptnJenkins Online Meetup - Automated SLI based Build Validation with Keptn
Jenkins Online Meetup - Automated SLI based Build Validation with Keptn
Andreas Grabner
 
Using SLOs for Continuous Performance Optimizations of Your k8s Workloads
Using SLOs for Continuous Performance Optimizations of Your k8s WorkloadsUsing SLOs for Continuous Performance Optimizations of Your k8s Workloads
Using SLOs for Continuous Performance Optimizations of Your k8s Workloads
ScyllaDB
 
A Guide to Event-Driven SRE-inspired DevOps
A Guide to Event-Driven SRE-inspired DevOpsA Guide to Event-Driven SRE-inspired DevOps
A Guide to Event-Driven SRE-inspired DevOps
Andreas Grabner
 

Contenu connexe

Tendances

An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
SlideTeam
 
Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)
Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)
Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)
Alexandre Dutra
 
Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...
Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...
Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...
Tobias Schneck
 
Cloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesCloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit Kubernetes
QAware GmbH
 
Cloud Compliance with Open Policy Agent
Cloud Compliance with Open Policy AgentCloud Compliance with Open Policy Agent
Cloud Compliance with Open Policy Agent
QAware GmbH
 

Tendances (19)

Opentelemetry - From frontend to backend
Opentelemetry - From frontend to backendOpentelemetry - From frontend to backend
Opentelemetry - From frontend to backend
 
JEE on DC/OS
JEE on DC/OSJEE on DC/OS
JEE on DC/OS
 
Securing Databases with Dynamic Credentials and HashiCorp Vault
Securing Databases with Dynamic Credentials and HashiCorp VaultSecuring Databases with Dynamic Credentials and HashiCorp Vault
Securing Databases with Dynamic Credentials and HashiCorp Vault
 
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
 
Dapr logicapps
Dapr logicappsDapr logicapps
Dapr logicapps
 
Monitoring&Logging - Stanislav Kolenkin
Monitoring&Logging - Stanislav Kolenkin Monitoring&Logging - Stanislav Kolenkin
Monitoring&Logging - Stanislav Kolenkin
 
Application Modernization with PKS / Kubernetes
Application Modernization with PKS / KubernetesApplication Modernization with PKS / Kubernetes
Application Modernization with PKS / Kubernetes
 
Cloud-native Application Lifecycle Management
Cloud-native Application Lifecycle ManagementCloud-native Application Lifecycle Management
Cloud-native Application Lifecycle Management
 
What is Google Cloud Good For at DevFestInspire 2021
What is Google Cloud Good For at DevFestInspire 2021What is Google Cloud Good For at DevFestInspire 2021
What is Google Cloud Good For at DevFestInspire 2021
 
Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring
 
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
 
Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)
Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)
Staying Ahead of the Curve with Spring and Cassandra 4 (SpringOne 2020)
 
Data manipulation for configuration management using Ansible
Data manipulation for configuration management using AnsibleData manipulation for configuration management using Ansible
Data manipulation for configuration management using Ansible
 
CNCF, State of Serverless & Project Nuclio
CNCF, State of Serverless & Project NuclioCNCF, State of Serverless & Project Nuclio
CNCF, State of Serverless & Project Nuclio
 
What’s New in Spring Data MongoDB
What’s New in Spring Data MongoDBWhat’s New in Spring Data MongoDB
What’s New in Spring Data MongoDB
 
Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...
Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...
Kubernetes Cluster API - managing the infrastructure of multi clusters (k8s ...
 
Fabio Ferrari | particles.io | Presentation
Fabio Ferrari | particles.io | PresentationFabio Ferrari | particles.io | Presentation
Fabio Ferrari | particles.io | Presentation
 
Cloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesCloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit Kubernetes
 
Cloud Compliance with Open Policy Agent
Cloud Compliance with Open Policy AgentCloud Compliance with Open Policy Agent
Cloud Compliance with Open Policy Agent
 

Similaire à Adding Security to your SLO-based Release Validation with Keptn

Using SLOs for Continuous Performance Optimizations of Your k8s Workloads
Using SLOs for Continuous Performance Optimizations of Your k8s WorkloadsUsing SLOs for Continuous Performance Optimizations of Your k8s Workloads
Using SLOs for Continuous Performance Optimizations of Your k8s Workloads
ScyllaDB
 
Overcoming (organizational) scalability issues in your Prometheus ecosystem
Overcoming (organizational) scalability issues in your Prometheus ecosystemOvercoming (organizational) scalability issues in your Prometheus ecosystem
Overcoming (organizational) scalability issues in your Prometheus ecosystem
QAware GmbH
 
Embracing service-level-objectives of your microservices in your Cl/CD
Embracing service-level-objectives of your microservices in your Cl/CDEmbracing service-level-objectives of your microservices in your Cl/CD
Embracing service-level-objectives of your microservices in your Cl/CD
Nebulaworks
 
Don't Deploy Into the Dark: DORA Metrics for your K8s GitOps Deployments
Don't Deploy Into the Dark: DORA Metrics for your K8s GitOps DeploymentsDon't Deploy Into the Dark: DORA Metrics for your K8s GitOps Deployments
Don't Deploy Into the Dark: DORA Metrics for your K8s GitOps Deployments
Andreas Grabner
 

Similaire à Adding Security to your SLO-based Release Validation with Keptn (20)

Jenkins Online Meetup - Automated SLI based Build Validation with Keptn
Jenkins Online Meetup - Automated SLI based Build Validation with KeptnJenkins Online Meetup - Automated SLI based Build Validation with Keptn
Jenkins Online Meetup - Automated SLI based Build Validation with Keptn
 
Using SLOs for Continuous Performance Optimizations of Your k8s Workloads
Using SLOs for Continuous Performance Optimizations of Your k8s WorkloadsUsing SLOs for Continuous Performance Optimizations of Your k8s Workloads
Using SLOs for Continuous Performance Optimizations of Your k8s Workloads
 
A Guide to Event-Driven SRE-inspired DevOps
A Guide to Event-Driven SRE-inspired DevOpsA Guide to Event-Driven SRE-inspired DevOps
A Guide to Event-Driven SRE-inspired DevOps
 
Overcoming (organizational) scalability issues in your Prometheus ecosystem
Overcoming (organizational) scalability issues in your Prometheus ecosystemOvercoming (organizational) scalability issues in your Prometheus ecosystem
Overcoming (organizational) scalability issues in your Prometheus ecosystem
 
Overcoming scalability issues in your prometheus ecosystem
Overcoming scalability issues in your prometheus ecosystemOvercoming scalability issues in your prometheus ecosystem
Overcoming scalability issues in your prometheus ecosystem
 
Auto sre with keptn
Auto sre with keptnAuto sre with keptn
Auto sre with keptn
 
Embracing service-level-objectives of your microservices in your Cl/CD
Embracing service-level-objectives of your microservices in your Cl/CDEmbracing service-level-objectives of your microservices in your Cl/CD
Embracing service-level-objectives of your microservices in your Cl/CD
 
Don't Deploy Into the Dark: DORA Metrics for your K8s GitOps Deployments
Don't Deploy Into the Dark: DORA Metrics for your K8s GitOps DeploymentsDon't Deploy Into the Dark: DORA Metrics for your K8s GitOps Deployments
Don't Deploy Into the Dark: DORA Metrics for your K8s GitOps Deployments
 
Performance Engineering Masterclass: Efficient Automation with the Help of SR...
Performance Engineering Masterclass: Efficient Automation with the Help of SR...Performance Engineering Masterclass: Efficient Automation with the Help of SR...
Performance Engineering Masterclass: Efficient Automation with the Help of SR...
 
Keptn: Unbreakable Continuous Delivery - Berlin CI/CD Meetup
Keptn: Unbreakable Continuous Delivery - Berlin CI/CD MeetupKeptn: Unbreakable Continuous Delivery - Berlin CI/CD Meetup
Keptn: Unbreakable Continuous Delivery - Berlin CI/CD Meetup
 
Keptn - Automated Operations & Continuous Delivery for k8s
Keptn - Automated Operations & Continuous Delivery for k8sKeptn - Automated Operations & Continuous Delivery for k8s
Keptn - Automated Operations & Continuous Delivery for k8s
 
Building Autonomous Operations for Kubernetes with keptn
Building Autonomous Operations for Kubernetes with keptnBuilding Autonomous Operations for Kubernetes with keptn
Building Autonomous Operations for Kubernetes with keptn
 
Shipping Code like a keptn: Continuous Delivery & Automated Operations on k8s
Shipping Code like a keptn: Continuous Delivery & Automated Operations on k8sShipping Code like a keptn: Continuous Delivery & Automated Operations on k8s
Shipping Code like a keptn: Continuous Delivery & Automated Operations on k8s
 
PAC 2020 Santorin - Andreas Grabner
PAC 2020 Santorin - Andreas Grabner PAC 2020 Santorin - Andreas Grabner
PAC 2020 Santorin - Andreas Grabner
 
Behind the Code 'September 2022 // by Exness
Behind the Code 'September 2022 // by ExnessBehind the Code 'September 2022 // by Exness
Behind the Code 'September 2022 // by Exness
 
Stating the obvious - All Day DevOps 2017
Stating the obvious - All Day DevOps 2017Stating the obvious - All Day DevOps 2017
Stating the obvious - All Day DevOps 2017
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 
When Web Services Go Bad
When Web Services Go BadWhen Web Services Go Bad
When Web Services Go Bad
 
Chicago DevOps Meetup Nov2019
Chicago DevOps Meetup Nov2019Chicago DevOps Meetup Nov2019
Chicago DevOps Meetup Nov2019
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 

Plus de Andreas Grabner

KCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
KCD Munich - Cloud Native Platform Dilemma - Turning it into an OpportunityKCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
KCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
Andreas Grabner
 
OpenTelemetry For GitOps: Tracing Deployments from Git Commit to Production
OpenTelemetry For GitOps: Tracing Deployments from Git Commit to ProductionOpenTelemetry For GitOps: Tracing Deployments from Git Commit to Production
OpenTelemetry For GitOps: Tracing Deployments from Git Commit to Production
Andreas Grabner
 
Observability and Orchestration of your GitOps Deployments with Keptn
Observability and Orchestration of your GitOps Deployments with KeptnObservability and Orchestration of your GitOps Deployments with Keptn
Observability and Orchestration of your GitOps Deployments with Keptn
Andreas Grabner
 
How to explain DevOps to your mom
How to explain DevOps to your momHow to explain DevOps to your mom
How to explain DevOps to your mom
Andreas Grabner
 
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code DeploysDevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
Andreas Grabner
 

Plus de Andreas Grabner (20)

KCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
KCD Munich - Cloud Native Platform Dilemma - Turning it into an OpportunityKCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
KCD Munich - Cloud Native Platform Dilemma - Turning it into an Opportunity
 
OpenTelemetry For GitOps: Tracing Deployments from Git Commit to Production
OpenTelemetry For GitOps: Tracing Deployments from Git Commit to ProductionOpenTelemetry For GitOps: Tracing Deployments from Git Commit to Production
OpenTelemetry For GitOps: Tracing Deployments from Git Commit to Production
 
Observability and Orchestration of your GitOps Deployments with Keptn
Observability and Orchestration of your GitOps Deployments with KeptnObservability and Orchestration of your GitOps Deployments with Keptn
Observability and Orchestration of your GitOps Deployments with Keptn
 
Release Readiness Validation with Keptn for Austrian Online Banking Software
Release Readiness Validation with Keptn for Austrian Online Banking SoftwareRelease Readiness Validation with Keptn for Austrian Online Banking Software
Release Readiness Validation with Keptn for Austrian Online Banking Software
 
Top Performance Problems in Distributed Architectures
Top Performance Problems in Distributed ArchitecturesTop Performance Problems in Distributed Architectures
Top Performance Problems in Distributed Architectures
 
Applying AI to Performance Engineering: Shift-Left, Shift-Right, Self-Healing
Applying AI to Performance Engineering: Shift-Left, Shift-Right, Self-HealingApplying AI to Performance Engineering: Shift-Left, Shift-Right, Self-Healing
Applying AI to Performance Engineering: Shift-Left, Shift-Right, Self-Healing
 
Monitoring as a Self-Service in Atlassian DevOps Toolchain
Monitoring as a Self-Service in Atlassian DevOps ToolchainMonitoring as a Self-Service in Atlassian DevOps Toolchain
Monitoring as a Self-Service in Atlassian DevOps Toolchain
 
How to explain DevOps to your mom
How to explain DevOps to your momHow to explain DevOps to your mom
How to explain DevOps to your mom
 
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code DeploysDevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
 
AWS Summit - Trends in Advanced Monitoring for AWS environments
AWS Summit - Trends in Advanced Monitoring for AWS environmentsAWS Summit - Trends in Advanced Monitoring for AWS environments
AWS Summit - Trends in Advanced Monitoring for AWS environments
 
DevOps Transformation at Dynatrace and with Dynatrace
DevOps Transformation at Dynatrace and with DynatraceDevOps Transformation at Dynatrace and with Dynatrace
DevOps Transformation at Dynatrace and with Dynatrace
 
DevOps Pipelines and Metrics Driven Feedback Loops
DevOps Pipelines and Metrics Driven Feedback LoopsDevOps Pipelines and Metrics Driven Feedback Loops
DevOps Pipelines and Metrics Driven Feedback Loops
 
Boston DevOps Days 2016: Implementing Metrics Driven DevOps - Why and How
Boston DevOps Days 2016: Implementing Metrics Driven DevOps - Why and HowBoston DevOps Days 2016: Implementing Metrics Driven DevOps - Why and How
Boston DevOps Days 2016: Implementing Metrics Driven DevOps - Why and How
 
Top Java Performance Problems and Metrics To Check in Your Pipeline
Top Java Performance Problems and Metrics To Check in Your PipelineTop Java Performance Problems and Metrics To Check in Your Pipeline
Top Java Performance Problems and Metrics To Check in Your Pipeline
 
Metrics Driven DevOps - Automate Scalability and Performance Into your Pipeline
Metrics Driven DevOps - Automate Scalability and Performance Into your PipelineMetrics Driven DevOps - Automate Scalability and Performance Into your Pipeline
Metrics Driven DevOps - Automate Scalability and Performance Into your Pipeline
 
Four Practices to Fix Your Top .NET Performance Problems
Four Practices to Fix Your Top .NET Performance ProblemsFour Practices to Fix Your Top .NET Performance Problems
Four Practices to Fix Your Top .NET Performance Problems
 
OOP 2016 - Building Software That Eats The World
OOP 2016 - Building Software That Eats The WorldOOP 2016 - Building Software That Eats The World
OOP 2016 - Building Software That Eats The World
 
Docker/DevOps Meetup: Metrics-Driven Continuous Performance and Scalabilty
Docker/DevOps Meetup: Metrics-Driven Continuous Performance and ScalabiltyDocker/DevOps Meetup: Metrics-Driven Continuous Performance and Scalabilty
Docker/DevOps Meetup: Metrics-Driven Continuous Performance and Scalabilty
 
JavaOne 2015: Top Performance Patterns Deep Dive
JavaOne 2015: Top Performance Patterns Deep DiveJavaOne 2015: Top Performance Patterns Deep Dive
JavaOne 2015: Top Performance Patterns Deep Dive
 
Application Quality Gates in Continuous Delivery: Deliver Better Software Fas...
Application Quality Gates in Continuous Delivery: Deliver Better Software Fas...Application Quality Gates in Continuous Delivery: Deliver Better Software Fas...
Application Quality Gates in Continuous Delivery: Deliver Better Software Fas...
 

Dernier

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
MyIntelliSource, Inc.
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 

Dernier (20)

HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 

Adding Security to your SLO-based Release Validation with Keptn

  • 1. Adding Security to your SLO-based Release Validation with Andreas Grabner DevOps Activist at Dynatrace DevRel for Keptn @grabnerandi https://www.linkedin.com/in/grabnerandi Star us @ https://github.com/keptn/keptn Follow us @keptnProject Slack Us @ https://slack.keptn.sh Visit us @ https://keptn.sh DevSecOps Boston, July 26 2021 + Vienna DevOps & Security, Nov 9 2021
  • 2. What is Keptn Whichproblemdoesitsolve? Service Level Objectives Forautomatedreleasevalidation Extending Keptn Howtointegrateyoursectools Talk outline: so you know whats gonna happen 
  • 3. What is Keptn Which problemdoes it solve
  • 4. DevOps & SREs must automate many tasks through pipelines Deployment Performance Engineering Quality Gates Security & Vulnerability Scans Chat Notifications Configure Monitoring Chaos Testing Integrate Approval Process Canary Blue/Green Feature Flagging SLO Monitoring Setup Alerting Auto Remediation API Test SLA Validation Functional Test Rollbacks
  • 5. ChristianHeckelmann SeniorDevOps Engineer 2800 projects 966 CI/CDs „I am constantly reacting to ‚Pipeline Broken – please fix!‘“ DIY (Do It Yourself) can become very complex and hard to maintain
  • 6. pipeline { stages { stage('Deploy to dev namespace') { steps { container(‘helm’) { } } } stage('Run tests') { steps { container(‘jmeter’) { } } } stage(‘Evaluate performance’) { steps { container(‘curl’) { } } } if (evaluation.passed) { stage('Deploy to staging') { steps { container(‘helm’) { } } } } } } pipeline { stages { stage('Deploy to dev namespace') { steps { container(‘kustomize’) { } } } stage('Run tests') { steps { container(‘jmeter’) { } } } stage(‘Evaluate performance’) { steps { container(‘curl’) { } } } if (evaluation.passed) { stage('Deploy to staging') { steps { container(‘helm’) { } } } } } } 1 Service = 1 Pipeline 1 Project = x Pipelines n Teams = n*x Pipelines pipeline { stages { stage('Deploy to dev namespace') { steps { container(‘helm’) { } } } stage('Run tests') { steps { container(‘jmeter’) { } } } stage(‘Evaluate performance’) { steps { container(‘curl’) { } } } if (evaluation.passed) { stage('Deploy to staging') { steps { container(‘helm’) { } } } } } } 25 services 96 workloads DieterLadenhauf SeniorACE Engineer „Onboarding or updating pipelines is manual & error prone!‘“ Scaling DIY to many projects often highlights technical debt in your automation
  • 7. Oh Keptn, my Keptn!
  • 8. classical-automation-script { } // 1000+ lines later Keptn removes hard-coded dependencies of classical automation approaches Prepare Deploy Test SLO Evaluation Promote Deployment Tool D1 Testing Tool T1 Monitoring Tool M1 Notification Tool N1 config
  • 9. stage: automation-seqeuence SLO Evaluation Keptn separates process, tooling and configuration and connects via events Deployment Tool D1 Testing Tool T1 Monitoring Tool M1 Notification Tool N1 Eventing Prepare Deploy Test Promote config Git
  • 10. Example #1: automate performance sequence in staging Deployment Tool D1 Testing Tool T1 Monitoring Tool M1 Notification Tool N1 Eventing Deploy Test SLO Evaluation Git $ keptn trigger performance --stage=staging --image=myapp:2.0 staging: performance Task: get-sli Service:myapp Stage:staging Time: last 10min Task: Test Stage:staging Strategy:Performance Prepare Promote Shipyard Sequence of automation tasks grouped in stages CloudEvents Task specific with metadata Uniform Subscribed Keptn Services Config Tool specific Task: Deploy Image:myapp:2.0 Stage:staging Strategy:Blue/Green
  • 11. Example #2: remediate production security issue Infra Autom. Tool I1 Monitoring Tool M1 Notification Tool N2 Eventing Action: block-traffic SLO Evaluation SLO Evaluation Escalate Git $ keptn trigger remediation --stage=production --problem=high-vulnerability-attack --rootcause=bad-library-version production: remediation Task: Remedation Action:block-traffic Stage:production Data:172.31.0.0/24 Task: Remediation Action: rollback Stage:production Image:myapp:1.0 Action: rollback Shipyard Sequence of automation tasks grouped in stages CloudEvents Task specific with metadata Uniform Subscribed Keptn Services Config Tool specific Deployment Tool D2 Task: Escalate Reason: Failure Rate Stage:production Ticketing Tool T1 remediation.yaml (bad-library-version)
  • 12. Reduce your pipeline‘s complexity by letting orchestrate declarative, data-driven delivery and ops automation 90% less automation code SLOs built-in Connects with all your tools Separation of process & tool GitOps: all config in git Keptn brings opinionated cloud native automation to all your projects
  • 13. Service Level Objectives For automated release validation
  • 14. Applying SRE Best Practices across the lifecycle Authentication Service 0.89s 0.5% Oct 2021 Nov 2021 0.61s 2.5% 1000/s 1600/s Service X xxs xx% yys yy% xx/s yy/s Production Shift-Left Continuous Delivery Authentication Service Commit #1 Commit #2 Commit #3 Commit #4 SLO Evaluation Service X
  • 15. An example: SLOs defined by DevSecOps validated as part of automated delivery Overall Failure Rate Query: builtin:service.errors.total Test Step LOGIN Response Time Query: calc:service.teststeprt:filter(Test, LOGIN) Test Step LOGIN # Service Calls Query: calc:service.testsvc:filter(tx, LOGIN) <= 5% <= 2% <=150ms & <=+10% <= 400ms <= +0% Build 1 0% 80ms 100ms SLO: Overall Score Goal 90% 75% Response Time 95th Perc Query: builtin:service.responsetime(p95) <=100ms <= 250ms SLO SLIs (Service Level Indicators) warn pass 1 100% Build 2 4% 120ms 90ms 2 50% Build 3 1% 90ms 120ms 1 70.0% Build 4 0% 95ms 95ms 1 100% Build 1 Build 2 Build 3 Build 4 $ keptn send event start-evaluation myproject myservice starttime=build1_deploy endtime=build1_testsdone $ keptn send event start-evaluation myproject myservice starttime=build2_deploy endtime=build2_testsdone $ keptn send event start-evaluation myproject myservice starttime=build3_deploy endtime=build3_testsdone $ keptn send event start-evaluation myproject myservice starttime=build4_teststart endtime=build4_testsend Open Security Vulnerabilities Query: calc:secproblems:filter(risk,CRITICAL) <=0 0 0 1 0
  • 16. How SLOs work in Keptn behind the scene! sli.yaml (Dynatrace) indicators: error_rate: "builtin:service.errors.total.count" count_dbcalls: "calc:service.toptestdbcalls" jvm_memory: "builtin:tech.jvm.memory.pool.committed" sec_critical: "calc:secproblems:filter(risk,CRITICAL)" slo.yaml (SLI Provider independent) objectives: - sli: error_rate pass: - criteria: - "<=1“ # We expect a max error rate of 1% - sli: jvm_memory - sli: count_dbcalls pass: - criteria: - "=+2%" # We allow a 2% increase in DB Calls between builds warning: - criteria: - "<=10" # We expect no more than 10 DB Calls per TX - sli: sec_critical pass: - criteria: - "<=0" # We do not allow any critical security issues total_score: pass: "90%" warning: "75%" sli.yaml (Prometheus) indicators: error_rate: "http_requests_total{status=“error"}" jvm_memory: "jvm_memory_used_bytes{area="heap"}[1m]" sec_critical: "rate(falco_events[5m])" SLI Providers: Query SLIs based on sli.yaml and return individual values Lighthouse Service: Retrieves SLIs and compares them against SLOs ... *get-sli* *evaluation* count_dbcalls: 5 jvm_memory: 360MB error_rate: 4.3% sec_critial: 1
  • 17. triggers an automation sequence orchestrates monitoring config, deployment, test execution, SLO evaluation & remediation Integrating SLO evaluation (and other Keptn use cases) with your existing tooling
  • 18. Release Readiness for Austrian Online Banking #1 List of release relevant SLOs #3 Link back to Jenkins https://medium.com/keptn/keptn-automates-release-readiness-validation-for-austrian-online-banking-software-eaaab7ad7856
  • 19. Extending Keptn How to integrate your sec tools
  • 20. • Build your own Keptn Service in minutes! • https://github.com/keptn-sandbox/keptn-service-template-go • https://github.com/keptn-contrib/job-executor-service Integrate your security testing tools with Keptn type: sh.keptn.event.test.triggered data: - test.strategy: functional - deployment.url: https://yoururl type: sh.keptn.event.test.started data: - status: succeeded | failed type: sh.keptn.event.test.finished data: - status: succeeded | failed - result: pass | fail Run Test Distributor: Subscribing to *.test.* Your Tool ... $ zap.sh cmd -quickurl https://yoururl -quickprogress
  • 21. Integrate your security results/reports as an SLI Provider type: sh.keptn.event.get-sli.triggered data: - timeframe: 30m - sli: sec_critical type: sh.keptn.event.get-sli.started data: - status: succeeded | failed type: sh.keptn.event.get-sli.finished data: - status: succeeded | failed - values: sec_critical=4 Query Data Distributor: Subscribing to *.get-sli.* Your Tool ... • Build your own Keptn Service in minutes! • https://github.com/keptn-sandbox/keptn-service-template-go • https://github.com/keptn-contrib/job-executor-service
  • 23. Confidential 2 5 Get startedwithour tutorials:tutorials.keptn.sh live public demo
  • 24. Adding Security to your SLO-based Release Validation with Andreas Grabner DevOps Activist at Dynatrace DevRel for Keptn @grabnerandi https://www.linkedin.com/in/grabnerandi Star us @ https://github.com/keptn/keptn Follow us @keptnProject Slack Us @ https://slack.keptn.sh Visit us @ https://keptn.sh DevSecOps Boston, July 26 2021

Notes de l'éditeur

  1. But Keptn does more than just SLOs – it solves a bigger automation challenge