DevSecOps — Deploying WebApp on Azure AKS cluster with Github Actions
DevSecOps CI/CD pipeline diagram
DevSecOps, the combination of Development, Security, and Operations, focuses on integrating security practices into the DevOps workflow. When deploying a web application on an Azure AKS (Azure Kubernetes Service) cluster using GitHub Actions, organizations can automate and enhance the security of their deployment process.
The deployment process on Azure AKS with GitHub Actions typically involves the following steps:
Before you get started, you need the following minimum requirements to deploy the DevSecOps pipeline to an AKS cluster with GitHub Actions:
- Azure Account
- az CLI
- kubectl
- Github account
- Slack webhook
Cluster Setup: Provision an AKS cluster on the Azure platform to host the web application. Configure networking, security, and resource settings according to requirements. (This manual step will later be replaced with IaC code written in Terraform or Pulumi.)
Application Configuration: Define the desired state of the web application using Kubernetes manifests. These manifests describe the deployment, services, and other resources needed for the application’s operation.
Kubernetes Application manifests
Create a namespace and a service account for the application workload to isolate it from other workloads; placeholder variables in the manifests are filled from environment variables during deployment
Create application pod deployment manifest
Create application service endpoint via Kubernetes service object
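The three manifest steps above, written out as an added example (these are not the post's own manifests). The names `webapp` and `webapp-sa`, the port 8080, the `/healthz` path and the `${IMAGE}` placeholder are assumptions; the pipeline is expected to fill `${IMAGE}` with `envsubst` before `kubectl apply`, and the `postgres-credentials` secret is assumed to be created with the database manifests. The pod spec goes a little beyond the text by satisfying the "restricted" Pod Security Standard, which the namespace label enforces.

```yaml
# Added example manifests for the web application (assumed names; not the post's code).
# ${IMAGE} is a placeholder filled from a pipeline environment variable with envsubst.
apiVersion: v1
kind: Namespace
metadata:
  name: webapp
  labels:
    # Reject any pod in this namespace that does not meet the "restricted" profile
    pod-security.kubernetes.io/enforce: restricted
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webapp-sa
  namespace: webapp
# The app never calls the Kubernetes API, so do not mount an API token into its pods
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  namespace: webapp
spec:
  replicas: 2
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      serviceAccountName: webapp-sa
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: webapp
          image: ${IMAGE}            # e.g. myacr.azurecr.io/webapp:<git sha> (assumed registry)
          ports:
            - containerPort: 8080
          env:
            - name: DB_HOST
              value: postgres.webapp.svc.cluster.local   # assumed service name of the database
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-credentials             # assumed to exist in the namespace
                  key: password
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits:   { cpu: 500m, memory: 256Mi }
          readinessProbe:
            httpGet: { path: /healthz, port: 8080 }
            initialDelaySeconds: 5
---
apiVersion: v1
kind: Service
metadata:
  name: webapp
  namespace: webapp
spec:
  type: LoadBalancer                 # public IP from Azure; the pipeline curls it after deploy
  selector:
    app: webapp
  ports:
    - port: 80
      targetPort: 8080
```

Apply with `envsubst '$IMAGE' < app.yaml | kubectl apply -f -` so that only the intended placeholder is substituted; an unrestricted `envsubst` would also rewrite any other `$VAR` text in the file.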
This application also requires a database to record who used which endpoint, with login, date, endpoint, and action information. For this purpose I used a PostgreSQL database to store the historical user and endpoint action data; it runs as a StatefulSet backed by the Kubernetes Container Storage Interface (Azure Disk in this case).
Define storage class manifest
Create a persistent volume claim (PVC) and bind it to the storage class you just created
Create Secret, Service, and Deployment (3 replicas)
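The storage class, PVC, Secret, Service and database workload steps above as one added example (not the post's manifests). The names, the 20Gi size and the `${POSTGRES_PASSWORD}` placeholder (filled from a GitHub secret at deploy time) are assumptions. Two caveats that matter in practice: an Azure Disk volume is ReadWriteOnce, so a single PVC cannot be shared by three replicas spread across nodes, which is why the workload here is a StatefulSet with one replica as the text's L17 describes; and giving each replica its own disk via `volumeClaimTemplates` would produce three independent, unreplicated databases, so real high availability needs a PostgreSQL operator rather than a replica count.

```yaml
# Added example for the PostgreSQL backing store (assumed names; not the post's code).
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azuredisk-retain
provisioner: disk.csi.azure.com      # Azure Disk CSI driver bundled with AKS
parameters:
  skuName: Premium_LRS
reclaimPolicy: Retain                # keep the disk (and the audit data) if the PVC is deleted
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer   # create the disk in the zone of the scheduled pod
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgres-data
  namespace: webapp
spec:
  storageClassName: azuredisk-retain
  accessModes: ["ReadWriteOnce"]     # Azure Disk attaches to one node at a time
  resources:
    requests:
      storage: 20Gi
---
apiVersion: v1
kind: Secret
metadata:
  name: postgres-credentials
  namespace: webapp
type: Opaque
stringData:
  username: webapp
  password: ${POSTGRES_PASSWORD}     # placeholder; never commit the real value to the repo
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: webapp
spec:
  clusterIP: None                    # headless: stable DNS name postgres.webapp.svc for the pod
  selector:
    app: postgres
  ports:
    - port: 5432
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
  namespace: webapp
spec:
  serviceName: postgres
  replicas: 1                        # one pod per ReadWriteOnce disk; see lead-in
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 999               # the "postgres" user in the official image
        fsGroup: 999                 # make the mounted disk writable by that user
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: postgres
          image: postgres:16
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_USER
              valueFrom: { secretKeyRef: { name: postgres-credentials, key: username } }
            - name: POSTGRES_PASSWORD
              valueFrom: { secretKeyRef: { name: postgres-credentials, key: password } }
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: postgres-data
```

Because the Secret is rendered from a placeholder, the deploy step should pipe the file through `envsubst` rather than storing a filled-in copy in version control; `reclaimPolicy: Retain` means a deleted PVC leaves an orphaned disk that must be cleaned up (or reattached) by hand, which is the safer failure mode for audit data.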
Containerization: Build a container image of the web application using a Dockerfile. Containerization ensures consistent deployment across different environments and encapsulates the application and its dependencies.
Build Dockerfile to build image
Version Control: Create a GitHub repository to store the web application’s source code. GitHub serves as a centralized location for version control, code collaboration, and automated workflows.
If you are new to GitHub/GitLab, create an account to use as your source control system.
GitHub Actions: Leverage GitHub Actions, which are workflow automation scripts, to orchestrate the deployment process. Actions can be triggered by events like code pushes, pull requests, or manual triggers.
Set up an Actions trigger on push (the workflow_dispatch event also allows manual runs):

```yaml
name: Build and deploy an app to AKS
on:
  push:
    branches: [ "master", "testing_azure" ]
  workflow_dispatch:
```
Continuous Integration (CI): Implement a CI pipeline within the GitHub Actions workflow to automatically build and test the application whenever changes are pushed to the repository. This facilitates continuous integration and validation of the code.
Set environment variables
Set up build steps
Build
Security Scanning: Integrate security scanning tools into the CI pipeline to identify vulnerabilities, security flaws, or compliance issues. These tools can include static code analysis, dependency scanning, container image scanning, or vulnerability assessments.
Scan Image
Deployment: Utilize GitHub Actions to deploy the containerized web application to the AKS cluster. This involves applying the Kubernetes manifests and ensuring the desired state is achieved.
Deploy
Test and Validate Application Service End Points
Notify pipeline status via Slack
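The steps listed above (environment variables, build, image scan, deploy, endpoint validation, Slack notification) as one complete added example workflow. Only the `name:` and `on:` trigger come from the post; everything else is an assumption, including the registry, resource group and cluster names, the secret names, the `k8s/all.yaml` manifest path, and the action versions (pin them to commit SHAs in a real pipeline). The scan step fails the job on unfixed CRITICAL/HIGH findings before the image is pushed, so a vulnerable image never reaches the registry or the cluster.

```yaml
# Added example workflow (assumed names and versions; not the post's own pipeline).
name: Build and deploy an app to AKS

on:
  push:
    branches: [ "master", "testing_azure" ]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN; id-token is needed for OIDC login to Azure
permissions:
  contents: read
  id-token: write

env:
  ACR_NAME: myacr                    # assumption: Azure Container Registry name
  RESOURCE_GROUP: webapp-rg          # assumption
  CLUSTER_NAME: webapp-aks           # assumption
  NAMESPACE: webapp
  IMAGE: myacr.azurecr.io/webapp:${{ github.sha }}   # immutable tag per commit

jobs:
  build-scan-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Federated (OIDC) login: no long-lived service principal password stored in GitHub
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Build
        run: |
          az acr login --name "$ACR_NAME"
          docker build -t "$IMAGE" .

      - name: Scan Image
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: ${{ env.IMAGE }}
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"             # non-zero exit fails the job before the push below

      - name: Push image
        run: docker push "$IMAGE"

      - uses: azure/aks-set-context@v4
        with:
          resource-group: ${{ env.RESOURCE_GROUP }}
          cluster-name: ${{ env.CLUSTER_NAME }}

      - name: Deploy
        env:
          POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
        run: |
          # Fill only the known placeholders in the manifests, then apply and wait for rollout
          envsubst '$IMAGE $POSTGRES_PASSWORD' < k8s/all.yaml | kubectl apply -f -
          kubectl rollout status deployment/webapp -n "$NAMESPACE" --timeout=180s

      - name: Test and Validate Application Service End Points
        run: |
          IP=$(kubectl get svc webapp -n "$NAMESPACE" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
          # Retry while the Azure load balancer finishes programming the public IP
          curl --fail --silent --show-error --retry 10 --retry-delay 6 --retry-all-errors "http://$IP/healthz"

      - name: Notify pipeline status via Slack
        if: always()                 # report success and failure alike
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
          STATUS: ${{ job.status }}
        run: |
          curl --fail --silent -X POST -H 'Content-type: application/json' \
            --data "{\"text\":\"${GITHUB_WORKFLOW}: ${STATUS} on ${GITHUB_REF_NAME} (${GITHUB_SHA::7})\"}" \
            "$SLACK_WEBHOOK"
```

Two design choices worth noting: the image is tagged with the commit SHA rather than `latest`, so the deployed manifest records exactly which build is running and a rollback is a re-apply of an older tag; and the scan runs on the locally built image before `docker push`, which keeps the registry free of images the policy would reject.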
Continuous Delivery (CD): Implement CD practices by automating the deployment pipeline, enabling seamless delivery of new versions or updates to the web application. Strategies like blue-green deployments or canary releases can be employed to minimize downtime and risks.
See the steps above.
Monitoring and Logging: Set up monitoring and logging solutions to gain insights into the web application’s performance, availability, and security. Monitoring allows for proactive issue identification and facilitates rapid troubleshooting.
There are many ways to monitor the infrastructure, networking, compute, storage, the applications running on that infrastructure, and the Kubernetes platform itself: cloud-native tools, open-source tools, observability as a service (OpenTelemetry), and log collectors and aggregators that capture and ship service-level metrics to a monitoring dashboard for real-time insights.
Here are a few out-of-the-box screenshots from Azure Monitor.
Continuous Feedback:
Continuous Feedback in DevSecOps refers to the practice of gathering and utilizing feedback at every stage of the software development lifecycle to improve the quality, security, and performance of an application. It emphasizes the iterative and continuous improvement of processes, products, and teams based on real-time feedback and data.
Collaboration and Communication: Continuous feedback promotes effective collaboration and communication among different teams involved in software development, including developers, operations, security, and quality assurance. Feedback is shared transparently and promptly, fostering a culture of open communication and knowledge sharing.
Automated Testing and Validation: Continuous feedback relies on automated testing and validation mechanisms, such as unit testing, integration testing, and security testing, to provide immediate feedback on code quality, vulnerabilities, and compliance issues. These tests are integrated into the development process, ensuring early detection and resolution of issues.
Real-Time Monitoring and Observability: Continuous feedback involves monitoring the application and infrastructure in real-time to gather data on performance, availability, and security. Metrics, logs, and alerts are used to identify anomalies, bottlenecks, and security threats, enabling teams to address issues proactively and optimize system performance.
User Feedback and Experience: Continuous feedback incorporates user feedback and user experience data to understand the application’s usability, functionality, and performance from the end-users’ perspective. This can be obtained through surveys, user analytics, feedback forms, and usability testing. User feedback helps prioritize improvements and enhancements.
Post-Release Feedback: Continuous feedback extends beyond the development and deployment stages. It encompasses feedback obtained from users, stakeholders, and incident reports after the application is released. This feedback informs future iterations and updates, enabling organizations to address any issues or gaps that may arise in real-world usage.
Continuous Improvement: Continuous feedback drives a culture of continuous improvement. Teams actively seek feedback, analyze data, and iterate on processes, tools, and workflows to enhance efficiency, security, and quality. Lessons learned from previous iterations are incorporated into future development cycles.
The benefits of continuous feedback in DevSecOps include faster detection and resolution of issues, improved security posture, enhanced user satisfaction, increased operational efficiency, and overall improvement of software quality. By leveraging feedback throughout the software development lifecycle, organizations can continuously optimize their processes, products, and security measures, resulting in more reliable and secure applications.
By incorporating DevSecOps principles into the deployment process on an Azure AKS cluster with GitHub Actions, organizations can achieve an automated, secure, and efficient deployment process for their web applications. This approach promotes collaboration, reduces manual effort, and ensures that security is integrated throughout the software development lifecycle.