
google / devops-governance Goto Github PK


A CI/CD Approach & Framework for infrastructure that can be used in governance heavy organizations and is intended to give the developers as much autonomy as possible to do their work following DevOps & GitOps principles.

License: Apache License 2.0

cloud devops devops-enablement devops-pipeline devops-team devops-tech-enablement devops-tools devops-workflow devsecops devsecops-best-practices gitops gitops-framework


DevOps Governance

The DevOps Governance framework is an opinionated, developer-centric approach to infrastructure CI/CD that takes enterprise governance into account.

In order to reduce friction in enterprise adoption it makes sense to look at the main stakeholders of a CI/CD system: the developers. The worst pain for developers is being blocked by bureaucratic processes and approvals. To create a certain level of agility in enterprise environments, developers need to be enabled and as autonomous as possible (DevOps principles).

One approach to creating this agility is to use a system like GitLab or GitHub, which allows developers to define their pipelines in code and take ownership of their DevOps infrastructure pipelines. In enterprise environments, however, we are faced with regulations (NIST, ISO) and therefore also need to work with the security teams to make sure that we align on governance requirements.

By combining GitLab or GitHub (or any other tool that offers protected branches and pipeline as code) with Workload Identity Federation and Gitflow, we are able to cover the security team's requirements whilst at the same time giving the developers the autonomy they need to do their work.

DevOps governance gives infrastructure teams the required flexibility whilst still adhering to security requirements through "guardrails".

Guardrail & pipeline examples for individual workloads

To demonstrate how to enforce guardrails and pipelines for Google Cloud we provide the "Guardrail Examples". The purpose of these examples is to demonstrate how to provision access and guardrails for new workloads with IaC. We provide the following 3 components:

Guardrail Examples

  • The Folder Factory creates folders and sets guardrails in the form of organisational policies on folders.

  • The Project Factory sets up projects for teams. For this it creates a deployment service account, links this to a Github repository and defines the roles and permissions that the deployment service account has.

The Folder Factory and the Project Factory are usually maintained centrally (by a cloud platform team) and used to manage the individual workloads.

  • The Skunkworks - IaC Kickstarter is a template that can be used to give any new teams a functioning IaC deployment pipeline and repository structure.

This template is based on an "ideal" initial pipeline which is as follows:

Ideal Pipeline Generic

A video tutorial covering how to set up the guardrails for Github can be found here:

The instructions above set out how to implement the Guardrail Examples for Github. We do however also provide support for other platforms.

Workload Identity Federation

Traditionally, applications running outside Google Cloud (such as CI/CD tools) use service account keys to access Google Cloud resources. However, service account keys are powerful, long-lived credentials and present a security risk if they are not managed correctly.

With identity federation, you can use Identity and Access Management (IAM) to grant external identities IAM roles, including the ability to impersonate service accounts. This approach eliminates the maintenance and security burden associated with service account keys.

Workload identity federation enables applications running outside of Google Cloud to replace long-lived service account keys with short-lived access tokens. This is achieved by configuring Google Cloud to trust an external identity provider, so applications can use the credentials issued by the external identity provider to impersonate a service account.

The WIF strategy that we employ in our pipelines is to create environment branches, each of which is mapped to its own service account.

Service Account Example

If you require additional assistance to set up Workload Identity Federation, have a look at:

High Level Process

  • GCP

    • Create a Workload Identity Pool
    • Create a Workload Identity Provider
    • Create a Service Account and grant permissions
  • CICD tool

    • Specify where the pipeline configuration file resides
    • Configure variables to pass the relevant information to GCP to generate short-lived tokens

The examples/guardrails section covers different CI/CD tools and how to leverage Workload Identity Federation with each of them.
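The GCP side of the high-level process above (pool, provider, service accounts) with the branch-to-service-account mapping described under Workload Identity Federation, as an added Terraform example that is not part of the project's own code. The project id, GitHub org and repository, branch names and service account ids are assumed placeholders.

```terraform
# Added example, not the project's code. All ids below are assumed placeholders.
locals {
  project_id  = "example-project"
  github_org  = "example-org"
  github_repo = "example-org/workload"   # "owner/name" as GitHub reports it
  # environment branch -> deployment service account id
  env_branches = {
    dev  = "deploy-dev"
    prod = "deploy-prod"
  }
}
resource "google_iam_workload_identity_pool" "github" {
  project                   = local.project_id
  workload_identity_pool_id = "github-pool"
}
resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = local.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"
  # GitHub's sub claim is "repo:OWNER/REPO:ref:refs/heads/BRANCH" for branch
  # workflows, so mapping it to google.subject lets IAM bind per branch.
  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }
  # Guardrail: tokens minted for any other GitHub org are rejected by the
  # provider itself, before any IAM binding is evaluated.
  attribute_condition = "assertion.repository_owner == '${local.github_org}'"
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}
resource "google_service_account" "deploy" {
  for_each   = local.env_branches
  project    = local.project_id
  account_id = each.value
}
# Only a workflow running on refs/heads/<branch> of the named repository may
# impersonate the matching service account; any other ref gets no binding.
resource "google_service_account_iam_member" "wif" {
  for_each           = local.env_branches
  service_account_id = google_service_account.deploy[each.key].name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/subject/repo:${local.github_repo}:ref:refs/heads/${each.key}"
}
```

Workflows that run against a GitHub environment or on pull_request events carry a different sub claim (for example `repo:OWNER/REPO:environment:NAME`), so they match none of these bindings unless you add entries for them deliberately.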

Supported Platforms


This is not an officially supported Google product.

