Building Trust in Your Deployment Tools

The Cloud Native Computing Foundation found an extraordinary 300 percent increase in container use between 2016 and 2020. Kubernetes’ popularity is steadily rising, with 83 percent of respondents using it for production as of mid-2020.

Kubernetes’s out-of-the-box capabilities enable organizations to accelerate delivery cycles and rapidly scale their operation, contributing to its increasing adoption. However, organizations must support the container orchestration engine with secure and efficient release and deployment workflows to get the most out of it. The CNCF 2020 report highlights container release and deployment complexity among the top challenges the respondents faced.

DevOps engineers deploy to Kubernetes (K8s) by updating associated YAML files. While it may look easy for a single deployment, it quickly becomes arduous when performing multiple deployments across various environments. These include things like development, quality assurance (QA), user acceptance testing (UAT), staging, and production.

Although Kubernetes supports rolling updates, it’s challenging to do it manually since a Kubernetes application requires multiple YAML files. Manually building these files can be error-prone because of the white space syntax.

Also, handcrafting files requires substantial knowledge of Kubernetes components. These components can complicate the overall deployment process when you need to upgrade some to get the application working.

Auditing upgrades to track new and old deployments is also challenging to do manually, as is managing rollbacks for applications comprising several deployed services. Secrets management also becomes challenging when teams work on a distributed app across various repositories. Yet, containers must be secure to be trustworthy.

Some of these challenges are unique to Kubernetes, but the other, broader issues apply to successful software delivery. Adopting continuous integration and continuous deployment (CI/CD) practices can address these challenges. Using tools to automate the entire deployment process reduces Kubernetes management effort so organizations can focus on core business needs.

Let’s explore how automated tools like Armory Agent help with CI/CD and address Kubernetes scaling and security concerns.

CI/CD Solutions Aid Kubernetes Deployment

Self-serving enterprise development teams use continuous integration and continuous deployment (CI/CD) to deliver applications faster. These CI/CD practices enable business agility to give organizations a competitive advantage. CI/CD also leaves more time for innovation within your organization.

Rolling out applications to Kubernetes requires CI/CD solutions aimed at solving deployment challenges. Several open-source solutions help automate continuous delivery pipelines to Kubernetes, like Spinnaker, ArgoCD, and Flux CD. These solutions treat Kubernetes applications as first-class citizens, deploying the applications across various Kubernetes platforms, including Google Kubernetes Engine (GKE) and Amazon Elastic Container Service for Kubernetes (EKS).

These CI/CD tools give organizations agility and control. They can implement various deployment strategies and perform rollbacks with all the required release governance.

Additionally, these tools support the GitOps strategy. This strategy leverages Git as the single source of truth and control mechanism for creating, updating, and deleting system architecture. First, Git provides permissions control, ensuring not just anyone can make changes. Second, because Git makes all the changes, organizations can define the infrastructure immutably to prevent other changes.

Organizations Face Kubernetes Scaling Issues

Open-source CI/CD solutions work well when organizations are early adopters, with small cluster sizes and a few deployed applications. However, they aren’t well-suited to large clusters.

For one, when a cluster contains many applications, the user can experience a delayed response to their action, and deploying changes becomes painfully slow. When the service is slow to respond to invocations by Kubernetes cluster components like kubelets, registries, API servers, and more, it causes timeouts and failed deployments.

Dashboards also often fail to capture deployment changes in near real-time and display stale information. The refresh slows as the application purges all the data.

Finally, these open-source solutions are not suited to scaling individual components to handle many clusters from the centralized instance. It’s challenging to understand the working details of the open-source solution.

One open-source CI/CD solution, Spinnaker, has an enterprise version that addresses these scaling challenges. Armory Enterprise, which is built on top of Spinnaker, works on clusters of any size, addressing scalability issues through improved redundancy. Its complementary features like infrastructure dashboards, drift monitoring, role-based access control (RBAC), audits, and more fulfill the development team’s needs.

Open-Source Tools Trigger Security Concerns

As open-source CI/CD pipelines automate and improve the software delivery workflow, they pose significant security risks. You need to trust that these solutions are not making your organization vulnerable to attack. Let’s examine some of these risks then see how an enterprise-level solution helps.

As enterprises prioritize software delivery speed, security and compliance are sometimes an afterthought. However, to trust their deployment tools, organizations must actively integrate security and compliance throughout their Kubernetes pipeline. Their ability to adopt specific cloud-native tools depends on their current IT topology and organizational maturity.

Adopting a centralized CI/CD solution presents security concerns that require rigorous monitoring, command, control, and policy mechanisms. The CI/CD solution is a single source with access to all Kubernetes objects in all clusters. It often runs with full-access service accounts that can provision new components, stop existing services, read secrets, access external components including other clusters, and more. Additionally, it persists information to perform various analyses and generate dashboards.

Enterprise-level solutions like Armory Agent can help decentralize and monitor your CI/CD pipeline to improve security and make deployment more trustworthy.

Using Armory Agent for Trustworthy Deployment

Armory Agent is a departure from the centralized CI/CD solutions. It builds upon Spinnaker’s capabilities and makes the deployment process trustworthy at a massive scale — even when you have thousands of Kubernetes clusters.

The Agent is a lightweight, scalable service you deploy in a Kubernetes cluster. Each agent manages a single cluster so that you can scale the distributed approach for any number of clusters.

The embedded agent monitors all infrastructure and streams changes back to Spinnaker’s Clouddriver service. The distributed approach delivers several security benefits.

First, the Agent’s real-time sync captures the latest deployed changes. Also, since Spinnaker Clouddriver interacts with the agent, it decouples direct access to the Kubernetes API server, limiting a bad actor’s potential access.

Instead of centralizing account management, storing all Kubernetes accounts and credentials within Spinnaker, the Agent manages service account credentials in each cluster. This approach improves security by limiting teams to the clusters they manage.

Teams can manage permissions specifically for their clusters and quickly add new accounts without restarting Spinnaker. Finally, organizations can keep K8s clusters private with limited access since only the information Armory Enterprise requires leaves the cluster.

The Agent mitigates performance and latency issues associated with a centralized Spinnaker. It optimizes how infrastructure information is cached, making force cache refresh almost instantaneous. End-users benefit from optimal application performance, and DevOps teams benefit from optimal pipeline executions.

Summary

Kubernetes and cloud-native applications unlock business agility, but only when organizations support them with Kubernetes-specific CI/CD tools. Processes requiring manual intervention are error-prone and often cause bottlenecks. Organizations need automation to get the most out of their containerized services. They also need enterprise-level tools to trust that their deployments are secure.

Armory provides the secure, scalable, efficient, and reliable continuous delivery (CD) platform that you need. It builds on Spinnaker with policy-driven deployments that enable you to innovate with speed and safety.

Contact Armory today for a complimentary assessment of your software delivery practices and learn more about how your organization can benefit from safe, reliable deployments.

If you’re interested in developing expert technical content that performs, let’s have a conversation today.

Facebook
Twitter
LinkedIn
Reddit
Email

POST INFORMATION

If you work in a tech space and aren’t sure if we cover you, hit the button below to get in touch with us. Tell us a little about your content goals or your project, and we’ll reach back within 2 business days. 

Share via
Copy link