Secure DevOps for AKS


Solution Idea


DevOps and Kubernetes are better together. By implementing secure DevOps together with Kubernetes on Azure, you can balance speed and security and deliver code faster, at scale. Put guardrails around the development process by using CI/CD with dynamic policy controls, and then accelerate your feedback loop with constant monitoring. Use Azure Pipelines to deliver fast while Azure Policy enforces critical policies. Azure gives you real-time observability of your build and release pipelines, and the ability to audit compliance and apply reconfigurations easily.

Architecture

[Architecture diagram: GitHub repository, Azure Pipelines, Azure Container Registry, AKS cluster governed by Azure Policy, and Azure Monitor]

Data flow

  1. Developers rapidly iterate, test, and debug different parts of an application together, in the same Kubernetes cluster.
  2. Code is merged into a GitHub repository, after which automated builds and tests are run by Azure Pipelines.
  3. The release pipeline automatically executes a pre-defined deployment strategy with each code change.
  4. Kubernetes clusters are provisioned by using tools like Helm charts, which define the desired state of application resources and configurations.
  5. The container image is pushed to Azure Container Registry.
  6. Cluster operators define policies in Azure Policy to govern deployments to the AKS cluster.
  7. Azure Policy audits requests from the pipeline at the AKS control-plane level.
  8. Application telemetry, container health monitoring, and real-time log analytics are obtained by using Azure Monitor.
  9. Insights are used to address issues and are fed into the next sprint's plans.
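The following Azure Pipelines definition is an added example, not part of this solution idea, that wires together steps 2 to 5 of the data flow: build the image, push it to Azure Container Registry, and deploy the Helm chart to AKS. The service connection names, resource group, cluster name, chart path, and environment name are assumptions (placeholders); Azure Policy governance (steps 6 and 7) is not configured in the pipeline but applied to the cluster, so a deployment that violates an assigned policy is reported or rejected at the AKS control plane regardless of what the pipeline submits.

```yaml
# Added example (not from the Azure Architecture Center page).
# Assumed names: service connections, resource group, cluster, chart path, environment.
trigger:
  branches:
    include: [ main ]

pool:
  vmImage: 'ubuntu-latest'

variables:
  acrServiceConnection: 'acr-connection'    # assumed Docker registry service connection to ACR
  azureSubscription: 'azure-subscription'   # assumed Azure Resource Manager service connection
  resourceGroup: 'rg-aks-demo'              # assumed
  aksCluster: 'aks-demo'                    # assumed
  imageRepository: 'sample-app'
  imageTag: '$(Build.BuildId)'              # immutable tag per build, traceable back to the commit

stages:
- stage: Build
  jobs:
  - job: BuildAndPush
    steps:
    # Step 2/5: build from the merged source and push the tagged image to ACR
    - task: Docker@2
      displayName: Build and push image to Azure Container Registry
      inputs:
        command: buildAndPush
        containerRegistry: $(acrServiceConnection)
        repository: $(imageRepository)
        Dockerfile: '$(Build.SourcesDirectory)/Dockerfile'
        tags: |
          $(imageTag)

- stage: Deploy
  dependsOn: Build
  jobs:
  # Step 3/4: a deployment job targets an environment where approvals and checks can be attached
  - deployment: DeployToAks
    environment: 'aks-production'           # assumed Azure DevOps environment
    strategy:
      runOnce:
        deploy:
          steps:
          - checkout: self                  # the Helm chart lives in the repository
          - task: HelmDeploy@0
            displayName: Deploy Helm chart to AKS
            inputs:
              connectionType: 'Azure Resource Manager'
              azureSubscription: $(azureSubscription)
              azureResourceGroup: $(resourceGroup)
              kubernetesCluster: $(aksCluster)
              namespace: 'sample-app'
              command: upgrade
              install: true                 # first run installs, later runs upgrade
              chartType: FilePath
              chartPath: '$(Build.SourcesDirectory)/charts/sample-app'   # assumed chart location
              releaseName: 'sample-app'
              overrideValues: 'image.repository=$(imageRepository),image.tag=$(imageTag)'
```

Because the image tag is the build ID, the deployed release can always be traced back to the exact pipeline run and commit, which is what makes the monitoring feedback in steps 8 and 9 actionable.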

Components

  • GitHub Enterprise hosts the source code, where developers can collaborate within your organization and with open-source communities. GitHub Enterprise offers advanced security features to identify vulnerabilities in the code you write and in open-source dependencies.
  • Azure Pipelines is a service that provides Continuous Integration and Continuous Delivery jobs, to build and release your application automatically.
  • Azure Container Registry hosts your Docker container images. This service includes container image scanning through its integration with Azure Security Center.
  • Azure Kubernetes Service offers a Kubernetes cluster that is fully managed by Azure, to ensure the availability and security of your infrastructure.
  • Azure Policy lets you create, assign, and manage policies. These policies enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. It integrates with Azure Kubernetes Service as well.
  • Azure Monitor lets you get insights into the availability and performance of your application and infrastructure. It also gives you access to signals for monitoring your solution's health and spotting abnormal activity early.

Next steps

See the related architectures: