Secure DevOps for AKS

Solution Idea


DevOps and Kubernetes are better together. By implementing secure DevOps together with Kubernetes on Azure, you can balance speed and security and deliver code faster at scale. Put guardrails around the development process using CI/CD with dynamic policy controls, and accelerate the feedback loop with constant monitoring. Use Azure Pipelines to deliver fast while ensuring enforcement of critical policies with Azure Policy. Azure provides real-time observability for your build and release pipelines, and the ability to apply compliance audits and reconfigurations easily.

Architecture

Architecture diagram


Data Flow

  1. Developers rapidly iterate, test, and debug different parts of an application together in the same Kubernetes cluster.
  2. Code is merged into a GitHub repository, after which automated builds and tests are run by Azure Pipelines.
  3. The container image is registered in Azure Container Registry.
  4. Kubernetes clusters are provisioned using tools like Terraform; Helm charts, installed by Terraform, define the desired state of app resources and configurations.
  5. Operators enforce policies to govern deployments to the AKS cluster.
  6. The release pipeline automatically executes a pre-defined deployment strategy with each code change.
  7. Policy enforcement and auditing are added to the CI/CD pipeline using Azure Policy.
  8. App telemetry, container health monitoring, and real-time log analytics are obtained using Azure Monitor.
  9. Insights are used to address issues and are fed into the next sprint plans.
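Steps 3 to 7 of the data flow, as an added Terraform example that is not part of the original article: it provisions the registry and AKS cluster with the Azure Policy add-on turned on, grants the cluster's kubelet identity only the AcrPull role, and installs the application's Helm chart from Terraform. It assumes the azurerm (3.x) and helm providers are already configured, an existing resource group, and a local chart path; all resource names are placeholders.

```hcl
# Assumed: an existing resource group the pipeline's service principal can deploy into.
data "azurerm_resource_group" "rg" {
  name = "rg-secure-devops"
}

resource "azurerm_container_registry" "acr" {
  name                = "acrsecuredevops001" # placeholder; must be globally unique
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
  sku                 = "Standard"
  admin_enabled       = false # no shared admin password; the cluster pulls with its managed identity
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                 = "aks-secure-devops"
  location             = data.azurerm_resource_group.rg.location
  resource_group_name  = data.azurerm_resource_group.rg.name
  dns_prefix           = "akssecdevops"
  azure_policy_enabled = true # Azure Policy add-on: Gatekeeper audits or denies non-compliant workloads in-cluster

  default_node_pool {
    name       = "system"
    node_count = 2
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }
}

# Least privilege: the kubelet identity may only pull images, never push to or administer the registry.
resource "azurerm_role_assignment" "acr_pull" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}

# The Helm chart (assumed local path) is the app's desired state, installed by Terraform
# through a helm provider configured with the cluster's kube_config (not shown here).
resource "helm_release" "app" {
  name             = "sample-app"
  chart            = "./charts/sample-app"
  namespace        = "apps"
  create_namespace = true
  depends_on       = [azurerm_role_assignment.acr_pull] # nodes must be able to pull before rollout

  set {
    name  = "image.repository"
    value = "${azurerm_container_registry.acr.login_server}/sample-app"
  }
}
```

Policy definitions themselves (step 7) are assigned outside this file, for example the built-in Kubernetes cluster initiatives assigned at subscription or resource group scope; the add-on enabled above is what makes the cluster evaluate and report on them.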