Weave GitOps Trusted Delivery: A Road to Kubernetes Sanity?
Nobody will say managing Kubernetes environments is easy, but as these distributed and containerized environments become more prevalent, we’re seeing some progress on the feasibility front. While ways to make Kubernetes less unwieldy and complex to manage are not emerging as fast as many, if not most, users would like, its adoption is becoming more simple or less insane, depending on how you look at it.
It can also be assumed that GitOps will very likely serve as the underlying framework to support CI/CD for cloud native deployments now and in the future, thanks to the much-needed automation, security and the other popular attributes it offers. The rise of Kubernetes, and of GitOps to support application development, deployment and management on Kubernetes, helps to explain the number of tools and frameworks that have emerged to support both. Weaveworks, a leading GitOps provider for CI/CD on Kubernetes whose founder and CEO Alexis Richardson is credited with coining the term GitOps, emphasizes in its latest release of Weave GitOps what the company calls “trusted delivery” for Kubernetes deployments, with policy as code serving as the main process to achieve that goal.
Indeed, policy-driven application deployment and management is at or near the top of DevOps pain points in 2022, Torsten Volk, an analyst for Enterprise Management Associates (EMA), told The New Stack. “Ad-hoc configuration changes are still common and they are the number one root cause for inconsistent app performance and for app downtime,” Volk said. “Only completely policy-driven deployment and operations automation can prevent these issues, but typically does not leave enough flexibility for DevOps teams.”
Among other things, the idea behind Weave GitOps, which is built on open source Flux, is to extend and expand upon automation in GitOps. An example of what an SRE should not be doing is editing hundreds of YAML files on GitHub by hand to roll back a deployment on a cluster. Instead, a proper GitOps platform should be able to automate that process.
“Trusted delivery is important if teams are going to move quickly — they can’t keep doing all of this manual inspection stuff that they’re used to doing,” Steve George, Weaveworks’ chief operations officer, told The New Stack.
The Policy-as-Code Misnomer
The Weave GitOps release features policy-as-code capabilities that Weaveworks has implemented following its recent purchase of Magalix, which offers tools to help DevOps teams codify security and compliance in their software development lifecycle. Built on Open Policy Agent (OPA), Weave GitOps has drawn on Magalix’s library of over a hundred policies for security, resilience and coding standards. Everything is stored and implemented from immutable Git, so that all policies extend to the development cycle (the shift left) and to the clusters themselves once applications and clusters are deployed.
Immutability is key for consistent and reliable Kubernetes application deployments to different infrastructure in the corporate data center, the public cloud or at the edge, Volk said. “Only a radically declarative approach can ensure continuous compliance and reliability across environments, as it minimizes the potential for configuration inconsistencies and human error,” Volk said. “This makes the Weave GitOps value proposition so exciting.”
However, policy-as-code enablements for DevOps teams should not be thought of as something limited to adhering to compliance and security during the entire CI/CD process. “The way we think of policy-as-code is not something that prevents people from doing things but that helps people to do work — it’s about workflow automation and about helping the team go faster, giving them support to do that,” George said.
Policy-as-code as such should thus serve to help implement automation in the development cycle and support the developer before they even issue that first commit request. George described it as “development guardrails.”
“When you say the word policy to me, it makes it sound like something where the auditing department is going to come around with a clipboard and checking if I’ve done things correctly,” George said. “Policy-as-code is often viewed as a security thing, and while it does really good things for security, but that’s not all positive.”
George offered the example of an unnamed software company in the manufacturing sector that had begun to make the shift to working with microservices and Kubernetes clusters. The main problem was many of the developers who had been working in enterprise Java for a long time were struggling with supporting deployments of microservices and learning the right labels for Kubernetes health checks and creating microservices for these environments. “So, for them, I think one of the things that this trusted application policy is doing is when you’ve got a standard pipeline with developers at one end pushing code, you can set the standards to alert the developer saying, ‘you haven’t done this right and I’m preventing you from doing something bad, but you can go fix it.’”
In some cases, fixes are available for the developer. “You can actually tell them you didn’t put this health check in. I’ve given you a pull request, just hit the button and it will fix this for you,” George said. “It has been all about automation.”
This does not mean that using policy as code for auditing, and for ensuring adherence to policy is maintained throughout CI/CD, is not important. As Steve Waterworth, a Weaveworks technical marketing manager, noted during a recent webinar, most organizations have standards for the way they want to annotate and label the resources inside Kubernetes. “We can say Weave GitOps now makes auditing much easier” by using policy as code to validate that coding standards have been adhered to.
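As an added illustration of the guardrail George describes (this is example code written for this article, not Weave GitOps or Magalix’s policy engine), the Python below flags a Deployment manifest that lacks health-check probes or required labels and produces the patched manifest a fix pull request could carry. The required label keys, the placeholder probe defaults and the sample manifest are all assumptions constructed for the example.

```python
import copy

# Required labels and the probes every container must declare are
# assumptions for this example, not Weave GitOps' shipped policy set.
REQUIRED_LABELS = ("app.kubernetes.io/name", "team")
REQUIRED_PROBES = ("livenessProbe", "readinessProbe")


def check_deployment(manifest):
    """Return a list of policy violations for one Deployment manifest."""
    violations = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    labels = manifest.get("metadata", {}).get("labels", {})
    for key in REQUIRED_LABELS:
        if key not in labels:
            violations.append(f"{name}: missing required label '{key}'")
    containers = (manifest.get("spec", {}).get("template", {})
                  .get("spec", {}).get("containers", []))
    for c in containers:
        for probe in REQUIRED_PROBES:
            if probe not in c:
                violations.append(f"{name}/{c['name']}: missing {probe}")
    return violations


def suggest_fix(manifest):
    """Return a copy of the manifest with placeholder probes added to every
    container that lacks them. The developer still has to pick real endpoints,
    which is why this lands as a reviewable pull request rather than a silent
    mutation of the live cluster. Label gaps are reported, not guessed."""
    fixed = copy.deepcopy(manifest)
    for c in fixed["spec"]["template"]["spec"]["containers"]:
        for probe in REQUIRED_PROBES:
            c.setdefault(probe, {"httpGet": {"path": "/healthz", "port": 8080},
                                 "periodSeconds": 10})
    return fixed


# Constructed sample: a Deployment the way a developer new to Kubernetes
# might write it, with no probes and only the app label.
SAMPLE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "orders", "labels": {"app.kubernetes.io/name": "orders"}},
    "spec": {"template": {"spec": {"containers": [
        {"name": "orders", "image": "registry.example/orders:1.2.3"}]}}},
}

if __name__ == "__main__":
    for v in check_deployment(SAMPLE):
        print("VIOLATION", v)
    print("after fix:", check_deployment(suggest_fix(SAMPLE)))
```

Run against the sample, the check reports the missing `team` label and both missing probes; after the suggested fix only the label violation remains, since a policy should never invent a team name on the developer’s behalf.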
The main features of the new Weave GitOps release also include:
- Continuous security and compliance: through the integration of policy-as-code into the GitOps pipelines. Configuration and security policies are held in Git’s version control, where changes can be made, reviewed and fed through an automated pipeline that verifies, deploys and monitors every update and change.
- Deployment guardrails: guarantee the highest level of governance and compliance while maintaining the highest deployment frequency. Deployments can automatically go through pre-flight checks, reducing the steps development teams need to remember.
- Custom policy application: allows users to decide where and how policies are applied based on environment, workload, geography or other criteria.
- Multilayered protection: the GitOps policy-as-code engine protects the system throughout the software lifecycle, during code commit, deployment and at runtime. Weave GitOps allows each leaf cluster to run its own engine, ensuring continuous policy evaluation should network disruptions occur.
- Continuous compliance monitoring: any policy violation, across applications and clusters in any environment, will cause an alert on the central management console.