Enterprise companies' operations must follow many regulatory requirements, data privacy regulations, and security standards. Security should follow the principle of least privilege access. Audits need to track who changed what and when on all production systems.
Organizations that use Kubernetes to run their application workloads have to follow these requirements when securing their clusters. Kubernetes isn't secure by default, but operators can use its features to make it secure.
GitOps is an operational framework for Kubernetes cluster management and application delivery. GitOps applies development practices like version control, collaboration, compliance, and continuous integration/continuous deployment (CI/CD) to infrastructure automation.
GitOps for Kubernetes places the cluster infrastructure desired state under version control. A component within the cluster continuously syncs the code. Rather than having direct access to the cluster, most operations happen through code changes that can be reviewed and audited. This approach supports the security principle of least privilege access.
This solution benefits any organization that wants the advantages of deploying applications and infrastructure as code, with an audit trail of every change.
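To make the least-privilege point concrete for the Argo CD setup described below, here is an added example (not part of the original page): an AppProject that confines one team to a single source repository and a single target namespace, together with the Argo CD RBAC policy that lets that team view and sync its own applications and nothing else. The team name, SSO group name and repository URL are placeholders.

```yaml
# Added example, not from the original page. Names (team-a, team-a-devs, the
# repository URL) are placeholders; the cluster is the in-cluster endpoint.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-a
  namespace: argocd
spec:
  description: Team A workloads, deployed only from their reviewed repository
  # Only this repository may be used as an application source.
  sourceRepos:
    - https://github.com/example-org/team-a-apps.git   # placeholder
  # Only this cluster/namespace pair may be a deployment target.
  destinations:
    - server: https://kubernetes.default.svc
      namespace: team-a
  # No cluster-scoped resources (ClusterRoles, CRDs, Namespaces, ...) from this project.
  clusterResourceWhitelist: []
  # Inside the namespace, block resources a workload could use to widen its own rights.
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange
    - group: rbac.authorization.k8s.io
      kind: Role
    - group: rbac.authorization.k8s.io
      kind: RoleBinding
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Users not matched by a policy line get no rights at all.
  policy.default: ""
  # Team A may only view and sync applications inside its own project; it may not
  # create, delete or override them from the UI or CLI, so changes go through Git.
  # The last line maps the SSO group (placeholder) onto the role.
  policy.csv: |
    p, role:team-a-deployer, applications, get, team-a/*, allow
    p, role:team-a-deployer, applications, sync, team-a/*, allow
    g, team-a-devs, role:team-a-deployer
```

Applied together, every change to the team's workloads has to arrive through a reviewed commit in the allowed repository, and the Git history plus Argo CD's own sync history provide the who/what/when trail the audit requirement asks for.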
- Installed kubectl command-line tool.
- Have a kubeconfig file (default location is ~/.kube/config).
- Create the argocd namespace
kubectl create namespace argocd
- Install Argo CD by applying the upstream install manifest
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
- Wait for pods to come up
sleep 30s
kubectl get pods -n argocd
- Configure External Access
- Configure a load balancer (unsafe because it exposes the Argo CD API server to the network; dev only):
kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'
- Port forward to your local machine (note that --address 0.0.0.0 binds on every interface of the host; omit it to listen on localhost only):
kubectl port-forward --address 0.0.0.0 svc/argocd-server -n argocd 8080:443
- Set up an Ingress controller
- Access the admin UI at https://52.153.251.182/ with the initial admin password read from the Kubernetes secret:
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d && echo
Username: admin
Password: xxx
- Install the argocd CLI utility using install.sh
./install.sh
or
curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
chmod +x /usr/local/bin/argocd
- Log in with the ArgoCD CLI:
argocd login
- Change the password:
argocd account update-password
(Optional: you should delete the argocd-initial-admin-secret from the Argo CD namespace once you have changed the password. The secret serves no other purpose than to store the initially generated password in clear and can safely be deleted at any time. It will be re-created on demand by Argo CD if a new admin password must be re-generated.)
- Set up argocd with an external cluster by listing the available kubeconfig contexts:
kubectl config get-contexts -o name
- Register the cluster with Argo CD, using its kubeconfig context name:
argocd cluster add ${clustername}
- Create the Guestbook (demo) application from the CLI
argocd app create guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-server https://kubernetes.default.svc --dest-namespace default
- Get the status
argocd app get guestbook
- Deploy (sync)
argocd app sync guestbook
azureuser@AZEISDEVMGMT2:~/argocd$ argocd app get guestbook
Name: guestbook
Project: default
Server: https://kubernetes.default.svc
Namespace: default
URL: https://52.153.251.182/applications/guestbook
Repo: https://github.com/argoproj/argocd-example-apps.git
Target: HEAD
Path: guestbook
SyncWindow: Sync Allowed
Sync Policy: <none>
Sync Status: Synced to HEAD (53e28ff)
Health Status: Progressing
GROUP KIND NAMESPACE NAME STATUS HEALTH HOOK MESSAGE
Service default guestbook-ui Synced Healthy service/guestbook-ui created
apps Deployment default guestbook-ui Synced Progressing deployment.apps/guestbook-ui created
You can test whether the guestbook is deployed (the command should print the page title):
kubectl exec "$(kubectl get pod -l app=helm-guestbook -o jsonpath='{.items[0].metadata.name}')" -c helm-guestbook -- curl -sS helm-guestbook | grep -o "<title>.*</title>"
ArgoCD also supports uploading local manifests directly, but this is an anti-pattern (the change bypasses the Git history and review) and should only be used for development.
argocd app sync APPNAME --local /path/to/dir/
Helm can derive parameters from a different values.yaml file, or from several of them. The flag can be repeated.
argocd app set helm-guestbook --values values-production.yaml
By default, the Helm release name is equal to the name of the Application it belongs to. Sometimes, especially on a centralised ArgoCD, you may want to override that name, which is possible with the --release-name flag on the CLI:
argocd app set helm-guestbook --release-name myRelease
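The two `argocd app set` commands above change the application from the CLI, which is exactly the out-of-band mutation GitOps tries to avoid. As an added example (not from the original page or the Argo CD project), here is the declarative Application manifest that expresses the same values file and release name, so that both settings are reviewed and versioned in Git. The repository is the argocd-example-apps repository used on this page; the file values-production.yaml is assumed to exist in its helm-guestbook directory.

```yaml
# Added example, not from the original page: the declarative equivalent of
#   argocd app set helm-guestbook --values values-production.yaml
#   argocd app set helm-guestbook --release-name myRelease
# values-production.yaml is an assumed file under the chart directory.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: helm-guestbook
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    # HEAD matches the page's demo; pin a tag or commit for production.
    targetRevision: HEAD
    path: helm-guestbook
    helm:
      # Overrides the default release name (which equals the Application name).
      releaseName: myRelease
      # Paths are relative to `path`; later files override earlier ones, exactly
      # as a repeated --values flag would.
      valueFiles:
        - values.yaml
        - values-production.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true      # delete resources that were removed from Git
      selfHeal: true   # revert manual kubectl edits back to the Git state
```

With selfHeal enabled, a manual `kubectl edit` of the deployment is reverted on the next reconciliation, which turns the manifest itself into the enforcement point and leaves the commit history as the audit record of every effective change.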
- Open Policy Agent (OPA) Gatekeeper - enforces policies with a validating admission webhook. Gatekeeper validates cluster configuration changes against the provisioned policies and admits a change only if it complies with them.
- Flux - another GitOps operator that reconciles the cluster's desired state in the Git repository with the resources deployed in the cluster.
- Digital Ocean
- Integration Istio with DevOps
- Argo Rollout Examples
- Microsoft Gitops
- OpenSource.com automating ArgoCD with apps of apps pattern
vcluster allows you to create virtual clusters inside your clusters.
- Helm
- Argocd CLI
- vcluster CLI
- vcluster create vc-argocd -n argocd --expose
- vcluster connect vc-argocd --namespace argocd --update-current
- kubectl get namespaces --context vcluster_argocd_vc-argocd
- argocd cluster add vcluster_argocd_vc-argocd
- argocd cluster list
- argocd app create guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-name vcluster_argocd_vc-argocd --dest-namespace default
- kubectl get all