Hardening Git for GitOps
By Andrew Martin
Originally posted at https://www.weave.works/blog/whitepaper-hardening-git-for-gitops
Download the whitepaper ‘Hardening Git for GitOps’ written by security expert and Weaveworks technology partner Andrew Martin of ControlPlane. In this report, find out what the 4 most common Git threats are and how you can mitigate them.
GitOps extends infrastructure as code
Because cloud native systems like Kubernetes were designed from the beginning with the idea of software development and operations working together, operations tasks and how they get performed are central to cloud native architecture and design. Cloud native systems use declarative constructs that describe how applications are composed, how they interact and how they are managed. This enables a significant increase in the operability, resiliency, agility and portability of modern software systems.
GitOps is an extension of infrastructure as code that can be applied to Kubernetes workloads. This means that the configuration of the application - and as much of the system as possible - can be stored in Git and deployed automatically from Git without manual operator intervention. Since GitOps is an operating model for application deployment, it is natural for any security professional to ask “what are the threat vectors?”.
The GitOps Workflow
GitOps is an automation-driven process based on Pull Requests (or PRs). A PR is a machine and human-readable “change control note” that can be automatically applied to existing code in a Git repository. It contains the code to be changed, added, or removed, as well as some non-code text describing the change.
This does not prevent policy gateways from being used, and most real world GitOps deployments will also include some manual approval steps. For example you may need the release manager or the security team’s sign off on a PR before it gets deployed to production.
Attack surfaces and the cloud native delivery system
In a modern cloud native delivery system, the most common attack vectors are:
- The runtime containers (“workloads”) and clusters (including dev and test clusters, but especially production).
- Mechanisms to deploy or update workloads on a cluster, change their config, secrets, etc.
- The build pipeline, assumed to be implemented using CI servers, GitHub Actions, or similar.
- Third party components (e.g. containers) and their repos (e.g. Docker Hub).
- The Git repos used to store application, infrastructure, security, and compliance code, and hosted version control systems (VCS, e.g. GitHub or GitLab).
- Identity and Access management for the entire system.
Download the whitepaper ‘Hardening Git for GitOps’, and learn what the 4 most common threats are and how they to mitigate them:
- Git users can impersonate each other
- Malicious user rewrites history
- Malicious user removes security features
- Old Git client versions are insecure
Find out how to secure Git using standard signing techniques and software configuration, and how to avoid other common attacks.