Kurtis Velarde

Left SDLC | Right Runtime

Left SDLC | Right Runtime

Optimizing Container Workflows in DevOps: An Insight into SDLC and Runtime Management

In today’s container-centric infrastructure landscape, DevOps professionals need a clear understanding of every tool and process involved. This article offers a concise overview, focusing on the culmination of the Software Development Life Cycle (SDLC) with container image deployment and subsequent monitoring.

Let’s begin with a high-level workflow representation:

  • Source Code Management: At the heart of every DevOps pipeline is a version control system. Git stands out as the de facto standard, providing a robust platform for hosting repositories, collaborating on code, and initiating CI/CD processes.
  • Security Scanning: Trivy is an exemplary tool for static Common Vulnerabilities and Exposures (CVE) analysis. This step ensures that the container images are devoid of known security vulnerabilities before they reach the production environment.
  • Containerization: With security checks in place, we move to the container building phase. Docker command

Transitioning to the runtime phase:xz

  • Runtime: This represents the live environment where the application container is up and running. Managing runtime efficiently is pivotal for application health and performance.
  • Monitoring & Security: In dynamic environments, passive monitoring isn’t enough. Active agents are required to both monitor and safeguard running workloads. were’re spotlighting the Aqua eBPF Tracee application in this context. eBPF (Extended Berkeley Packet Filter) is a revolutionary technology enabling superior observability, and when coupled with Aqua’s tracee, it provides an unparalleled runtime monitoring solution.

Shift Left SDLC

“Shift Left” in DevOps:

“shifting left” So, what’s it all about?

  • Handling Dependencies: First up, we’ve got to pull in our dependencies.
  • The Magic of Containerization: Once our code’s all prepped, we package it up using a Dockerfile. A container image, ready to be deployed and turned into a running workload

the fun doesn’t stop there:

  • Looking for Code Gremlins: Before letting our code out into the wild, we’ve got to check for any sneaky vulnerabilities
  • IaC Shenanigans: Ever use Terraform or something similar? It’s fantastic, but sometimes, things can go sideway. Imagine accidentally making your RDS database public.
  • Kubernetes Tune-up: If you’re playing in the Kubernetes world, you know how easy it is to misconfigure stuff. Like forgetting to set limits, authorized Ingress host names, PSP
  • Dockerfile Double-Check: And of course, we have to make sure our Dockerfile is using secure best practices. Running processes as the root user? That’s a no-no.

In a nutshell, “shifting left” is all about catching issues early. This is DevOps adventure, keeping things tight, right, and secure from the get-go.

Inside the Git Repo Universe

Your git repo? It’s not just about app code.

  • Got a Dockerfile? That’s our container Image recipe.
  • Spotted a Jenkinsfile? That’s the backstage magic and facilitates all build steps composing your SDLC.
  • Terraform files, Kubernetes YAMLs, or Helm charts? Our infrastructure deployment code.

In short, a git repo isn’t just storage—it’s an ecosystem.

Jenkinsfile

  • Break down process into stages
  • Defined in version control
  • Utilizes gates that assess different parts of the build 
pipeline {
    agent any

    environment {
      APP = 'headers'
      VERSION = "0.0.1"
      GIT_HASH = """${sh(
                    returnStdout: true,
                    script: 'git rev-parse --short HEAD'
                    )}"""
    dockerhub=credentials('dockerhub')
    }

    stages {
        stage('Remote Code Repo Scan') {
          steps {
            echo "Running ${env.BUILD_ID} on ${env.JENKINS_URL}"
            sh "trivy repo --exit-code 192 https://github.com/kurtiepie/headers.git"
          }
        }
        stage('Code Base Scan') {
          steps {
            sh "trivy fs --exit-code 192 --severity HIGH,CRITICAL --skip-dirs ssl ."
          }
        }
        stage('Docker Build') {
            steps {
              sh "docker build . -t ${APP}:${VERSION}-${GIT_HASH}"
            }
        }
        stage('Scan Generated Image Docker') {
            steps {
              sh "trivy image ${APP}:${VERSION}-${GIT_HASH}"
            }
        }
        stage('Push Docker Image to docker hub') {
            steps {
              sh 'echo docker tag ${APP}:${VERSION}-${GIT_HASH} kvad/headers:0.0.2'
              sh 'echo $dockerhub_PSW | docker login -u $dockerhub_USR --password-stdin'
              sh 'docker push kvad/headers:0.0.2'
            }
        }
        stage('Scan Helm IAC FILES') {
            steps {
              sh "helm template headerschart/ > temp.yaml"
              sh "trivy --severity HIGH,CRITICAL --exit-code 192 config ./temp.yaml"
              sh "rm ./temp.yaml"
            }
        }
    }
}

Dockerfile

FROM golang:1.16-alpine as builder

WORKDIR /app


COPY go.mod ./
COPY go.sum ./

RUN go mod download

COPY *.go ./

RUN go build -o ./headers

from alpine
COPY --from=builder /app/headers /bin/headers
# No root user

RUN adduser -D headeruser && chown headeruser /bin/headers

USER root
CMD [ "/bin/headers"]

Insure secure best practices are being followed

Using Trivy in this case? It’s to spot any nasty high-severity CVEs in our image.

Right side / Runtime

For applications, runtime is the endgame. Amidst diverse runtime workloads, many deploy without update capabilities. Ensure security with agents for behavioral monitoring, malware scans, and attack prevention.