
ArgoCD Gets DevSecOps Nod with CNCF

13 Oct 2021 12:09pm, by

The GitOps-focused application deployment and lifecycle management platform ArgoCD is extending its sphere of influence by becoming an accepted DevSecOps tool. After becoming a popular CD tool for GitOps for Kubernetes, ArgoCD has now achieved “Adopt” status for DevSecOps in the Cloud Native Computing Foundation (CNCF) Tech Radar report. This follows ArgoCD’s listing in the “Assess” category in the CNCF Technology Radar in 2020.

“Overall, ArgoCD is emerging as a CD tool, as well as a DevSecOps tool, since it facilitates a secure release within a cross-functional organization,” Katie Gamanji, ecosystem manager of the Cloud Native Computing Foundation, told The New Stack.

The CNCF End User Technology Radar is a guide to a set of emerging technologies based on the experience of the CNCF End User Community. The theme of this sixth edition for the third quarter of 2021 is DevSecOps.

The CNCF describes DevSecOps as the practice of integrating security into release cycles in cloud native applications. It builds on DevOps by bridging the gap between development and security teams and automating many security processes. The Radar team selected DevSecOps as a topic because the members felt it was one of the fastest-changing spaces in application development, the CNCF said.

ArgoCD is widely adopted to build automation around application releases, Gamanji said. ArgoCD was listed as an “Assess” tool in the Continuous Delivery Technology Radar in 2020, as it brings automatic reconciliation to the application within a cluster. At the same time, the GitOps model improves the deployment security model since secrets and tokens are stored and available within the cluster and not managed separately by the traditional CI/CD tool, Gamanji said.

“As a result, ArgoCD is also featured in the DevSecOps Radar under the ‘Adopt’ circle,” she said.

Since GitOps involves pulling changes from a state defined in a Git repository, it, by default, has different security implications, Gamanji said. ArgoCD security is handled in many ways: for example, the user can examine the config divergences and validate them before the production release, she said. Also, ArgoCD can be configured to have restricted permissions while managing resources within a cluster, she noted. These different possibilities help to explain its adoption both for CD in GitOps and for DevSecOps.

Meanwhile, ArgoCD is one among several tools listed in the DevSecOps Technology Radar. The microsegmentation in the DevSecOps category is due, in part, to the wide choice of tools and how requirements change depending on a network’s topology. In many ways, the freedom of choice is a good thing, Keith Nielsen, director, cloud architecture, at Discover Financial Services, said. “There are great tools that allow you to actually improve your security posture, make no mistake about it,” he said.

In today’s DevSecOps context, microsegmentation is also caused by older tools and services being on offer alongside emerging tools and technologies. “The real challenge… in this area of microsegmentation that we’re bumping up against is whether [in a particular organization] there are API gateways versus service mesh, for example, or whether it’s edge firewalls versus a sort of Kubernetes sort of federated firewall functions with something like Calico,” Nielsen said. “There are multiple aspects.”
