DEVOPS WEEKLY ISSUE #424 - 10th February 2019
A bit of a security theme this week, with posts on formal methods for firewall configuration, tools for managing TLS, discussions of the role of perimeter defence and an interesting Kubernetes case study. Lots more content too on monitoring and scaling devops in large organisations.
From our sponsor, VictorOps
Collaboration, transparency and deeper automation in tooling and processes leads to heightened observability and insight for DevOps teams. See how building collaborative transparency into operations drives continuous DevOps success:
http://try.victorops.com/devopsweekly/why-devops-matters-ebook
News
A good question and answer post on adopting devops practices in large organisations. Good discussion on scaling out from early efforts, training, how devops interacts with service management and more.
https://blog.xebialabs.com/2019/01/29/devops-in-2019-whats-next/
A look at several emerging standards in the monitoring space; opencensus, opentracing and openmetrics. Covering what they are and how to instrument your application.
https://www.datadoghq.com/blog/instrument-opencensus-opentracing-and-openmetrics/
The use of formal methods is often seen as an academic subject, but this post explores a practical use the Z3 constraint solver to test firewall rules.
https://medium.com/@ahelwer/checking-firewall-equivalence-with-z3-c2efe5051c8f
Adopting devops practices often goes hand-in-hand with adopting new technologies, so doing that thoughtfully is important. This post features a series of questions to help make good choices.
https://kellanem.com/notes/new-tech
An interesting discussion of the difference between the simplicity of the Kubernetes API and the complexity of the implementation, as well as a proposal for an implementation in Rust.
https://www.cloudatomiclab.com/rustyk8s/
A write up of a master thesis, exploring enforcing bare-metal hypervisor-based sandboxing for Kubernetes clusters and a classification system to represent the separation demands of the containerized applications.
https://medium.com/@chrismessiah/docker-and-kubernetes-in-high-security-environments-d851645e8b99
A post on the problems of only focusing on the perimeter when it comes to firewalls, and the impact of service mesh technologies.
https://neuvector.com/cloud-security/container-security-micro-perimeters/
A tale of migrating between AWS services, in this case from ECS to EKS. The post steps though different options and tradeoffs relevant to moving dynamic infrastructure.
https://medium.com/attest-engineering/migrating-from-ecs-to-eks-service-discovery-bc5df39e4b3b
An example pattern for writing functional tests for Helm charts, using the bats testing tool.
https://blog.deimos.fr/2019/02/08/k8s-euft-run-functional-tests-on-your-helm-charts/
Tools
Step Certificates is an open source project that makes secure automated certificate management simpler, making it much easier to use TLS to secure services.
https://github.com/smallstep/certificates
https://smallstep.com/blog/step-certificates.html
Pomerium is a proxy for managing secure access to internal applications and resources. It provide a unified gateway (reverse-proxy) to internal corporate applications and can enforce dynamic access policy based on context, identity, and device state.
https://github.com/pomerium/pomerium
Collaboration, transparency and deeper automation in tooling and processes leads to heightened observability and insight for DevOps teams. See how building collaborative transparency into operations drives continuous DevOps success:
http://try.victorops.com/devopsweekly/why-devops-matters-ebook