Skip to content

tanzu-end-to-end/governance-lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Tanzu Governance and Compliance Demo Environment

Provides a lab environment for demonstrating governance and compliance for a Java application deployed to the VMware Tanzu Platform. The lab builds upon the great work my colleauges have done on [TKG Lab] (https://github.com/Tanzu-Solutions-Engineering/tkg-lab) and on creating an [end-to-end demonstration of the developer and operator experience] (https://github.com/doddatpivotal/tkg-lab-e2e-adaptation) showcasing Tanzu.

The Lab uses the Spring Pet Clinic application as the codebase for the demonstration.

Why Use This Lab

This lab is designed to explore and demonstrate the governance points in the Tanzu portfolio. It incorporates some additional capabilities, like static and dynamic application scanning, to highlight the full context in which the Tanzu capabilities operate and establish a real-life layering of controls.

The high-level architecture of the Tanzu portfolio and its capabilities is shown in the Tanzu Overview Whiteboard

Tanzu Overvierw Whiteboard

many Tanzu components provide automated governance controls that increase security, consistency, and resiliency to the process you use to build, run, and manage software workloads.

Controls in the CI/CD Pipeline

VMware's open source Concourse orchestrates the CI/CD pipeline that builds, validates, and deploys the application. The pipeline uses Tanzu Build Service and it's cloud-native buildpacks to assure the container is build with a trusted version of the JDK and the underlying operating system.

CI/CD pipeline with Tanzu Build Service

The pipeline uses additional open source tools to assure that both the application and the Kubernetes objects that deploy it are secure. Sonarqube scans the Java code before it passing the JAR file to TBS to containerize. Before deploying the container, Conftest checks the Kubernetes manifests to assure they are compliant with the workload polices we'll later enforce at runtime.

After building the images and confirming tha the Kubernetes manifests pass muster, the pipeline does a staging deployment and runs the open source OWASP ZAP to do a quick scan of the running application. This is not a deep penetration test but gives a quick analysis of whether the application is safe as deployed.

Lastly, the code is deployed to TKG. The pipeline ends there, but other controls are at play both as part of the deployment and as part of the ongoing management of the workload.

Workload Assurance

Using Tanzu Build Service we assure that our in-house workloads are containerized with a set of trusted dependencies. Our workload and the services supporting our pipeling depend on open source databases to store their data. We use images and Helm charts from Tanzu Application Catalog to assure we can trust these dependencies.

Building workload trust

Part of setting up the lab is replicating trusted images from TAC into our private registry to comply with our policies.

Workload Control Points

To assure that our running workloads are compliant and secure, we use the open source Harbor registry (sponsored primarily by VMware) together with Tanzu Mission Control.

Harbor and TMC control points

Harbor scans our workloads to help us to understand the CVEs that are present in each container workload. It also prevents workloads with CVEs above a certain level from executing. Workloads are cleared by Harbor are subject to additional policy enforced by TMC.

TMC ensures that our workload namespaces only allow workloads pulled from the Harbor registry to run. It also validates the deployment and ingress objects against policies that assure that a minimum number of replicas run and that HTTPS is used to access the code.

Standing Up the Lab

See the step by step instructions on how to configure the lab.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published