GitOps — Enhancing security and ensuring compliance in Kubernetes deployments

Nov 9, 2023

Rotem Refael
Director of Engineering

GitOps can be a powerful means of achieving continuous compliance in Kubernetes deployments. It provides transparency for any changes made to your infrastructure, along with the ability to trace and audit these changes.

In this article, we will discuss how GitOps can enhance security and ensure compliance in Kubernetes deployments. We will also discuss the security threats that GitOps itself can introduce into a Kubernetes infrastructure. Lastly, we'll propose GitOps best practices to boost Kubernetes security and make sure your organization complies with any relevant standards.

What is GitOps?

GitOps is a DevOps approach in which the Git repository where your infrastructure and application configuration are stored as code serves as a single source of truth. 

GitOps relies on pull-based deployments to keep your infrastructure and applications consistent with the desired state defined in the Git repository. The deployment tool continuously compares this desired state to the actual state of your system. If there are any differences, the deployment tool automatically applies the necessary changes, which reach the repository only through pull requests and merges, to bring the system back to the desired state.

Key components of a GitOps workflow

A GitOps workflow will usually consist of the following components.

Git repository 

The Git repository stores all infrastructure and application configurations in the form of infrastructure as code (IaC). This includes configuration files like Kubernetes manifests, Helm charts, Ansible playbooks, and Terraform configurations.

Continuous integration (CI) pipeline 

The CI pipeline builds and tests infrastructure and application code changes before they are deployed to production. The CI pipeline typically uses automation tools such as GitHub Actions to create workflows for automating the build and test process. It is usually triggered by a commit or merge to the Git repository.

Continuous delivery (CD) pipeline 

After the code passes the tests in the CI pipeline, the CD pipeline provisions the infrastructure, packages the application, and deploys the code changes to the target environment. The deployment tool in the CD pipeline is responsible for managing the infrastructure and application resources in the target environment. Popular open-source deployment tools for GitOps include Argo CD and Flux.

Monitoring system 

The monitoring system tracks the health of your infrastructure and applications; it ensures that the desired state in the Git repository and the observed state of the target environment are the same.

Kubernetes security benefits of GitOps

GitOps can help organizations establish robust security practices and maintain compliance standards throughout their Kubernetes infrastructure. Here are some of the security benefits of GitOps in Kubernetes clusters.

Audit trail 

By utilizing Git as a single source of truth, GitOps provides a clear audit trail for all changes applied to your Kubernetes cluster through your IaC. Security policies, configuration files, and deployment manifests are version-controlled, which makes it easy to track modifications and simplifies compliance audits of the cluster.

Gating 

GitOps enables you to gate pull requests based on security criteria, which means that pull requests containing critical security vulnerabilities or secrets can be blocked from being merged into the Git repository. This will help make sure critical security vulnerabilities don’t make it into your cluster.

Automated code analysis and scans

GitOps allows you to automate code analysis and security scanning for Kubernetes applications. This helps identify known security vulnerabilities in your code so that you can prioritize vulnerabilities and identify remediation efforts to patch the most important vulnerabilities before deploying your code to a cluster.

Automated deployments and rollbacks

With GitOps, you can also automate the release management for Kubernetes applications. This means that the deployment of new applications or application updates will be automated and rollbacks will be performed quickly if necessary. 

Automation reduces the risk of human error and keeps your cluster in the desired, secure state.

Configuration drift detection 

GitOps detects configuration drift in Kubernetes clusters and tracks changes made to the cluster configuration over time. This aids in identifying security vulnerabilities and compliance issues that may have been introduced into the cluster, who made the changes, and what caused the issue.
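The reconciliation loop described in the "What is GitOps?" section and the drift detection described just above are the same computation: diff what Git says against what the cluster reports. The following is an added example, not code from the article or from Argo CD or Flux. It implements a minimal pull-based reconciler that strips the fields the API server fills in, plans the create/update/prune actions that return the cluster to the Git-defined state, and records every drifted field for the audit trail. Both the desired and the observed state are constructed inline so it runs offline; all names, images and identifiers are made up.

```python
"""Added example (not from the article, Argo CD or Flux): a minimal
pull-based reconciler.  Desired state is what Git holds, observed state is
what the cluster reports; the reconciler diffs the two, plans the actions
that bring the cluster back, and records drifted fields for auditing."""
import json

# Fields the API server populates; a reconciler must ignore them, or every
# object would look drifted on every loop.
SERVER_TOP_LEVEL = ("status",)
SERVER_METADATA = ("uid", "resourceVersion", "generation",
                   "creationTimestamp", "managedFields")


def identity(obj):
    """Identity of a Kubernetes object: (kind, namespace, name)."""
    meta = obj["metadata"]
    return (obj["kind"], meta.get("namespace", ""), meta["name"])


def normalize(obj):
    """Deep-copy an object and strip server-managed fields before comparing."""
    clean = json.loads(json.dumps(obj))
    for field in SERVER_TOP_LEVEL:
        clean.pop(field, None)
    for field in SERVER_METADATA:
        clean["metadata"].pop(field, None)
    return clean


def diff_fields(desired, observed, path=""):
    """Return [(dotted.path, desired_value, observed_value)] for each leaf
    that differs.  Lists are compared as a whole."""
    diffs = []
    if isinstance(desired, dict) and isinstance(observed, dict):
        for key in sorted(set(desired) | set(observed)):
            sub = f"{path}.{key}" if path else key
            if key not in observed:
                diffs.append((sub, desired[key], None))
            elif key not in desired:
                diffs.append((sub, None, observed[key]))
            else:
                diffs.extend(diff_fields(desired[key], observed[key], sub))
    elif desired != observed:
        diffs.append((path, desired, observed))
    return diffs


def reconcile(desired_objs, observed_objs):
    """Compute the plan that moves the cluster to the Git-defined state."""
    desired = {identity(o): normalize(o) for o in desired_objs}
    observed = {identity(o): normalize(o) for o in observed_objs}
    plan = {"create": [], "update": [], "prune": [], "drift": {}}
    for ident, want in desired.items():
        if ident not in observed:
            plan["create"].append(ident)
            continue
        drift = diff_fields(want, observed[ident])
        if drift:
            plan["update"].append(ident)
            plan["drift"][ident] = drift
    # Objects present in the cluster but absent from Git are pruned.
    plan["prune"] = [ident for ident in observed if ident not in desired]
    return plan


# Constructed desired state, as it would be read from the Git repository.
DESIRED_FROM_GIT = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "api", "namespace": "payments"},
     "spec": {"replicas": 2, "template": {"spec": {
         "securityContext": {"runAsNonRoot": True},
         "containers": [{"name": "api",
                         "image": "registry.example.com/api:1.4.2"}]}}}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
]

# Constructed observed state, as the cluster API would return it: the
# Deployment was edited by hand, the NetworkPolicy was never applied, and a
# ClusterRoleBinding that is not in Git has appeared.
OBSERVED_IN_CLUSTER = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "api", "namespace": "payments",
                  "uid": "c0ffee00-0000-4000-8000-000000000001",
                  "resourceVersion": "8812"},
     "spec": {"replicas": 2, "template": {"spec": {
         "securityContext": {"runAsNonRoot": False},
         "containers": [{"name": "api",
                         "image": "registry.example.com/api:1.4.2"}]}}},
     "status": {"readyReplicas": 2}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "debug-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "jdoe"}]},
]


def report(plan):
    """Human-readable drift report, as a GitOps dashboard would show it."""
    lines = []
    for action in ("create", "update", "prune"):
        for kind, ns, name in plan[action]:
            lines.append(f"{action:6} {kind}/{ns or '<cluster>'}/{name}")
    for (kind, _ns, name), drift in plan["drift"].items():
        for path, want, have in drift:
            lines.append(f"  drift {kind}/{name} {path}: git={want!r} cluster={have!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(DESIRED_FROM_GIT, OBSERVED_IN_CLUSTER)))
```

Run as a script, it prints one create (the missing NetworkPolicy), one update with the drifted `runAsNonRoot` field, and one prune (the out-of-band ClusterRoleBinding). The prune entry is the security-relevant part: with pruning enabled, a privileged binding added directly with kubectl is reverted on the next loop and shows up in the report with the identity needed to ask who created it.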

Security threats in GitOps workflows

While GitOps offers significant benefits in streamlining the management of infrastructure and application deployments, it also introduces some security risks in a Kubernetes environment. Here are some of the most common concerns users may face in GitOps workflows.

Malware injection of Git repositories 

GitOps workflows typically use a pull-based deployment tool such as Argo CD or Flux, which means that changes to the infrastructure or application are only made after they have been approved and merged into the Git repository. 

However, if an attacker is able to gain unauthorized access to the Git repository holding the IaC configuration files, they could make unauthorized changes to the deployment configuration or inject malicious code. The deployment tool would then faithfully roll out the compromised or vulnerable resources.

Improper handling of secrets within Git repositories 

Always ensure that secrets such as API keys, credentials, and passwords in Git repositories are encrypted. If an attacker gains access to a Git repository that contains unencrypted secrets, they could steal the secrets and use them to access sensitive resources.

Unauthorized access to GitOps workflows 

GitOps workflows typically involve multiple steps that often rely on access to a variety of resources, such as Kubernetes clusters and cloud providers. If an attacker gains unauthorized access to any of these resources, they could compromise the entire workflow and introduce security vulnerabilities into your infrastructure and application.

Misconfigurations in configuration files and deployment manifests 

Such misconfigurations are yet another way to expose clusters to security risks. For example, a misconfigured network policy could allow attackers to reach sensitive resources in the cluster. Overly permissive RBAC policies in deployment manifests could be exploited by attackers for privilege escalation in the cluster. Examples include adding users to the system:masters group or granting roles with unnecessary permissions that allow access to cluster resources beyond what the application's functionality requires.
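The gating described in the benefits section, the plaintext-secrets risk described above, and the RBAC misconfigurations in this section can all be caught by one pre-merge check. The following is an added example, not code from the article, Kubescape or Kyverno: a small gate that evaluates the manifests in a pull request, flags bindings to cluster-admin or the system:masters group, wildcard RBAC rules, and Secret objects with inline values, and returns whether the merge is allowed. A non-compliant set of manifests is shown beside a compliant one. Manifests are embedded as JSON, which Kubernetes accepts alongside YAML, so no extra parser is needed; all names, namespaces and values are constructed.

```python
"""Added example (not from the article, Kubescape or Kyverno): a pre-merge
gate over Kubernetes manifests that blocks overly permissive RBAC and
secrets committed in plain text.  Manifests are constructed JSON."""
import json

# Role references and groups that amount to cluster-wide root.
PRIVILEGED_ROLE_REFS = {"cluster-admin"}
PRIVILEGED_GROUPS = {"system:masters"}


def rbac_findings(obj):
    """Findings for (Cluster)Role rules and (Cluster)RoleBinding subjects."""
    kind, name = obj["kind"], obj["metadata"]["name"]
    findings = []
    if kind in ("Role", "ClusterRole"):
        for rule in obj.get("rules", []):
            for field in ("apiGroups", "resources", "verbs"):
                if "*" in rule.get(field, []):
                    findings.append(f"{kind}/{name}: wildcard in {field} ({rule})")
    elif kind in ("RoleBinding", "ClusterRoleBinding"):
        ref = obj.get("roleRef", {}).get("name")
        if ref in PRIVILEGED_ROLE_REFS:
            findings.append(f"{kind}/{name}: binds privileged role {ref}")
        for subject in obj.get("subjects", []):
            if subject.get("kind") == "Group" and subject.get("name") in PRIVILEGED_GROUPS:
                findings.append(f"{kind}/{name}: grants to group {subject['name']}")
    return findings


def secret_findings(obj):
    """A Secret with inline data is plaintext: base64 is encoding, not encryption."""
    if obj["kind"] != "Secret":
        return []
    keys = sorted(list(obj.get("data", {})) + list(obj.get("stringData", {})))
    if not keys:
        return []
    # Report the key names only; never echo secret values into CI logs.
    return [f"Secret/{obj['metadata']['name']}: inline values for {keys} committed to Git"]


def gate(manifests_json):
    """Evaluate a pull request's manifests.  Returns (allowed, findings)."""
    findings = []
    for raw in manifests_json:
        obj = json.loads(raw)
        findings += rbac_findings(obj) + secret_findings(obj)
    return (not findings, findings)


# Constructed non-compliant PR: root-equivalent binding, wildcard verbs on
# secrets, and a database password (base64 of a made-up value) in Git.
NONCOMPLIANT_PR = [
    '{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",'
    ' "metadata": {"name": "ops-admins"},'
    ' "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},'
    ' "subjects": [{"kind": "Group", "name": "system:masters", "apiGroup": "rbac.authorization.k8s.io"}]}',
    '{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",'
    ' "metadata": {"name": "api", "namespace": "payments"},'
    ' "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]}',
    '{"apiVersion": "v1", "kind": "Secret",'
    ' "metadata": {"name": "db-creds", "namespace": "payments"},'
    ' "type": "Opaque", "data": {"password": "cGFzc3dvcmQxMjM="}}',
]

# Constructed compliant PR: a namespaced Role with explicit verbs bound to
# one ServiceAccount.  No Secret object is committed; credentials are
# delivered at runtime from an external store such as Vault.
COMPLIANT_PR = [
    '{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",'
    ' "metadata": {"name": "api", "namespace": "payments"},'
    ' "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]}',
    '{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",'
    ' "metadata": {"name": "api", "namespace": "payments"},'
    ' "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "api"},'
    ' "subjects": [{"kind": "ServiceAccount", "name": "api", "namespace": "payments"}]}',
]


if __name__ == "__main__":
    for label, pr in (("non-compliant", NONCOMPLIANT_PR), ("compliant", COMPLIANT_PR)):
        allowed, findings = gate(pr)
        print(f"{label}: {'merge allowed' if allowed else 'merge blocked'}")
        for finding in findings:
            print("  -", finding)
```

The same `gate` function fits both places the article puts controls: in the CI pipeline as a required status check on the pull request, and at admission time, where a policy engine evaluates the object the API server is about to persist. Running it in both places catches changes that bypass Git, such as a binding created directly with kubectl.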

Code/package vulnerabilities 

Vulnerabilities in the code or packages used in a GitOps workflow can also introduce security vulnerabilities into the infrastructure and application deployment. If an attacker then exploits these, they could gain access to your Kubernetes environment. When using external packages, it is crucial to check these packages for vulnerabilities and misconfigurations, for example, via registry scanning.

GitOps best practices for Kubernetes security and compliance

Below, we cover some specific GitOps practices to enhance the security of your Kubernetes deployments and ensure you adhere to compliance regulations. 

Encrypt secrets 

Kubernetes Secrets are not encrypted by default. Their values are only Base64-encoded strings, and unless encryption at rest is configured they are stored unencrypted in the etcd key-value store.

You should never store secrets, including passwords, access keys, and API tokens, in plain text in a Git repository. You should instead encrypt and store them in a secure location with least-privilege access. 

There are a variety of tools for storing secrets, such as HashiCorp Vault or AWS Secrets Manager, to help you achieve proper secrets management.

Implement role-based access control (RBAC) 

Kubernetes RBAC is great for restricting access to deployment pipelines and cluster resources based on the principle of least privilege. This will prevent unauthorized users from making changes to the Kubernetes cluster.

You should also implement RBAC for any Kubernetes-native deployment tools that are implemented as controllers (e.g., Argo CD and Flux), as well as for custom resources within the cluster.

Leverage automated security scanning 

Automated solutions exist to scan IaC configuration files for security vulnerabilities before they are deployed to the cluster environment. Kubescape can be integrated with CI/CD frameworks like GitHub Actions and Argo CD at every step of the GitOps workflow for this purpose, from vulnerability and secrets scanning in the CI pipeline to registry and repository scanning in the CD pipeline. To prevent the deployment of non-compliant configuration changes in your cluster environment, you should also implement a policy engine such as Kyverno. It functions as an admission controller, enforcing security policies and rejecting insecure requests to the Kubernetes API server, including changes that bypass the Git repository.

Conclusion

Enhance your GitOps workflow with ARMO Platform, a solution leveraging Kubescape. ARMO Platform offers automated security scanning of Kubernetes manifests and Helm charts, all within your GitOps workflow. With its unique security gating option and more, ARMO Platform is designed to elevate the security of your GitOps practices.

Ready to take your GitOps security game to the next level? Check out a demo, or start your free trial of ARMO Platform today!
