Policy-driven Deployments in Spinnaker - Beth Fuller, Armory
Hi, everyone, welcome to cdCon 2020. Hopefully you've been enjoying the talks that you've already been to, and the rest of your day ends up being delightful. I hope I can bring you something interesting. I will for sure be taking a slightly different approach than the other folks. I'm here to talk to you about policy-driven deployment.

So what drives you? When I think about the ops folks as one of the personas that would benefit from this, I think about the DevOps team, or the ops team, at Puppet, and they were delightful. We had some of the best conversations, and they really let me become embedded in the team and become part of the team, which was really important to me as a product manager where I was building products for ops people.

As part of that, I got the opportunity to learn some of the things that drive them. One of those things is they actually don't mind, sometimes, when there's a couple of emergencies, because it makes things a little bit different; it breaks things up. I found this to be interesting, but that's why the whole "This is fine. Everything is fine."

They love that challenge. The other thing that they love is they love meeting their SLAs and SLOs. Do they really? No, they do. The thing that drives ops people is actually keeping that infrastructure up and running, making sure that people have the ability to do their jobs. They have this really important job. Their job is to make sure that everybody else gets to do their job, and they need to do it via monitoring tools.

The other thing that impacts them would be new releases, new code and old code. So, from a new release perspective, they need to make sure that whatever is released into the wild does not impact the SLAs and SLOs for the customers, and that becomes very important. So how do you make sure that all those things are taken into consideration?

We'll talk a little bit about that. And then there's old code. I think we've all experienced that tech debt, that old, fragile code where you're like, how do we gently move our infrastructure away from this into something that's a little bit safer? Ops people, this is a thing that they have to think about on a pretty regular basis, and it is a thing that keeps them up at night.

The other thing that they care about are CVEs. No, they don't. I mean, they care about them in that they have to usually fix them, and that makes them sad.

The other thing that they really love, and really drives their every day, is making sure that their product manager is super happy. Yeah... but I care about making sure that we all get to work together and that I'm understanding the challenges that they have, that our ops people have. And then next we're gonna talk about CVEs, and then security people, and how all of that ties together with the SDLC process, so keep walking with me. It's going to be fun.

I promise. So grab your girl gang and let's talk about the importance of an open source vulnerability management process. I know it sounds exciting, not nearly as exciting as Harley Quinn and all the Birds of Prey, but it is exciting nonetheless. So, having a security posture for your open source project actually helps with adoption.

In fact, there might be full teams, sets of teams, whole teams, dozens of teams within that organization that care about all the software that gets included into that ecosystem. So if you have an open source project, one of the things that you might take into consideration doing, or adding, including, is a vulnerability management process.

Let's talk about that: security, SecOps and Setec Astronomy. For those of you who haven't seen Sneakers, I am going to use this couple of minutes to strongly encourage that you watch it. It's a rad movie. So there's no point me talking about Setec Astronomy, except for the fact that that was a plug for Sneakers. I think it's streaming on something. When I think about the SecOps, or security folks, I think of this scene in Deadpool 2. I'm a big Deadpool fan.

So I'm going to try to limit the Deadpool references here, but there's a scene where Cable and Deadpool are fighting in the prison. Hopefully you've seen it. It's been out for a few years, probably not a spoiler alert. And at one point Deadpool, in his Ryan Reynolds way, says, "You're so dark. Are you sure you're not from the DC universe?" And all I could think of is like, oh, security people.

They are kind of... they're super witty, they're smart, they're sarcastic. They have to think about things in all sorts of different ways. Sometimes they can be a little bit dark. Are they Marvel? Are they DC? Maybe they're a crossover, who's to say? So what really motivates security folks? A lot of things.

Well, it's not a win, because automation means that you can deliver that much more, that much quicker, which means they have smaller and smaller and smaller windows to verify that what you're delivering is okay, because they don't want their name in the news. That makes them sad. It makes a lot of us sad, because it's usually in the news for a bad reason.

Instead, what they really want to do is they want to make sure that things are... people are educated, that things are working the way they should. They don't want to have to worry about every single deployment that happens. What they want to worry about is: why are the API keys in GitHub? Why did... why are they there? GitHub Actions is causing some people to do some different things that perhaps they have already learned not to, but those guardrails aren't quite in place. So security people really want to focus on that.

At least it doesn't make reference to... it's a password, and what specifically it is, I don't know. I'm sure there's a rule there, because I think I use post-it notes, so... but don't, it's bad. And they want to make sure that your password isn't, like, your child's name and birth date, because that's pretty easy to figure out. So they want to be able to educate people on what are great ways to do it: use a passphrase, use, like, your favorite place to travel, the year that you went there and something else. No.

You could probably hack that. I don't know, I'm sure they have a system. I'm not in security. The other thing they want to do is make sure that you don't click on that link. You don't know what it is. Sure, it looks like it's an amazing coffee shop that just opened up near you, and that sounds amazing because you care about all the new coffee rotisseries, but you don't want to click on that link.

We just talked about how all those different people have an impact on each other, but we didn't talk about how they work with each other, and the answer is: they typically don't. So one of the things with policy-driven deployment is how to get people to start collaborating more with each other and with their technology, and so we're going to talk about those three pillars now that we mentioned. Keep with me, I'm sure it's going to make sense at the end.

So one of the things that you can do with your pipelines as code is you can start to build out some of those best practices. You can start to build out that templatized way of delivering, of building out your pipeline. So you have your version control, you have your code review changes. So you might have, within your pipeline, a process where Bob, who's an intern, maybe he can deploy to production, but before it goes to production somebody else has to review it.

So let's talk a little bit about policies as code. Policies as code I really view as: it puts the bow, or the frame, around your entire SDLC process. So what it does is it helps to create the relevant rules for governance and compliance.

It helps to build that in. So, if you need to care about GDPR, you can care about GDPR. If you need to care about PCI DSS, you can care about that. Whatever your best practices are for least privilege, you can do that. If you have other best practices, you can do that. If you need to do something so that your internal auditor sees things, or you have QA and QA needs to approve it, or you have security scans and everything needs to be scanned before it goes to production.

Your policies as code, using something like OPA, will help to build all of that in, and then you have, like, this amazing process, right? All of those things build your SDLC platform. That's great, but I just talked to you about a whole bunch of single panes of glass, didn't I? Yep, I did. So one of the things with the concept of a single pane of glass, that I'll be honest with you, I don't like it. I don't like it because it's not actually how things work today.

You have your ops people, you have your devs, slash app devs, you have your SecOps, your security folks, and depending on what time of the life cycle within your organization they joined, they're probably all using different tools. In fact, they're probably using, like, a dozen different tools, and with that there's a lot of context switching. They just have disparate tools, different languages, in order to accomplish simple tasks like provisioning code. That SDLC process is a whole lot of single panes of glass.

You can, and in doing that, you are starting to create your Willy Wonka golden ticket: golden provisioning, it's golden provisioning infrastructure. And then you have your pipelines as code, where you get to specify your pipeline definition, and you get to do that once in source code repos, and then it's a template that you can share across all the teams, and that's magic again. That's your Willy Wonka ticket. And then you have your security and compliance, where you get to codify security.

I didn't talk about the specific tech. So for your provisioning, maybe you're using Terraform, a group of bash scripts, you're using Puppet, and let's say you're using Ansible. For your pipelines as code, maybe you're using Argo CD, you're using Tekton, you're using Spinnaker and you're using Jenkins. And then for your security and compliance you're using OPA. There's probably something else out there, but I know OPA, so that's what you're probably using. And all of those things, whatever that combination is, is your stained glass window.

Those policies as code are connecting all those bits, so that the policy is the bit that is driving what those guardrails and that protection is for your provisioning and for your pipelines as code, so that you can ensure only the right people are delivering code, so that you can ensure that your infrastructure is exactly the way it should be, that it has all those policies already in place.
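The two rules the talk keeps returning to (somebody other than the person who pushed the change has to approve a production deploy, and everything is scanned before it reaches production) are the kind of thing OPA is meant to hold. Below is an added example of what those rules look like as an OPA policy evaluated against a Spinnaker pipeline definition. It is written for this page and is not code from the talk, from Armory or from the Spinnaker project. The package name, the production account names, the `securityScan` stage type, and the assumption that `input.pipeline` is a Spinnaker pipeline JSON (each stage carrying `refId`, `type`, `name`, optionally `requisiteStageRefIds` and, for deploy stages, `account`) are all assumptions of the example; the sample pipeline in the comments is constructed.

```rego
# Added illustrative policy, not from the talk or from Armory/Spinnaker.
# The package name, account names, "securityScan" stage type and the
# shape of `input` are assumptions made for this example.
package policy.pipelines

import future.keywords.in

# Assumed: these account names count as production.
prod_accounts := {"prod-k8s", "prod-aws"}

# Spinnaker stage types that actually deploy something.
deploy_stage_types := {"deploy", "deployManifest"}

# Map each stage's refId to the refIds it depends on. Spinnaker pipeline
# JSON carries `refId` and `requisiteStageRefIds` on every stage; a stage
# with no dependencies may omit the field, hence the default of [].
upstream := {s.refId: deps |
    some s in input.pipeline.stages
    deps := object.get(s, "requisiteStageRefIds", [])
}

# All refIds that run before `stage`, transitively, excluding the stage itself.
ancestors(stage) := graph.reachable(upstream, {stage.refId}) - {stage.refId}

# True when some stage upstream of `stage` has stage type `t`.
has_upstream_type(stage, t) {
    ancs := ancestors(stage)
    some anc in input.pipeline.stages
    anc.refId in ancs
    anc.type == t
}

# Every deploy stage that targets a production account.
prod_deploys[stage] {
    some stage in input.pipeline.stages
    stage.type in deploy_stage_types
    stage.account in prod_accounts
}

# Rule 1 (the "Bob the intern" case): a production deploy must be gated by
# a manual judgment stage somewhere before it in the pipeline, so the person
# who triggers the pipeline is never the only approval.
deny[msg] {
    some stage in prod_deploys
    not has_upstream_type(stage, "manualJudgment")
    msg := sprintf("stage %q deploys to %q without a manual judgment before it", [stage.name, stage.account])
}

# Rule 2: everything is scanned before production. "securityScan" is an
# assumed stage type standing in for whatever stage runs your scanner.
deny[msg] {
    some stage in prod_deploys
    not has_upstream_type(stage, "securityScan")
    msg := sprintf("stage %q deploys to %q without a security scan before it", [stage.name, stage.account])
}

default allow := false

# The pipeline passes only when no rule produced a denial.
allow {
    count(deny) == 0
}

# Constructed sample input (not from the talk):
# {"pipeline": {"stages": [
#   {"refId": "1", "type": "securityScan",   "name": "Scan image"},
#   {"refId": "2", "type": "manualJudgment", "name": "Ops approval",
#    "requisiteStageRefIds": ["1"]},
#   {"refId": "3", "type": "deployManifest", "name": "Deploy prod",
#    "account": "prod-k8s", "requisiteStageRefIds": ["2"]},
#   {"refId": "4", "type": "deployManifest", "name": "Hotfix prod",
#    "account": "prod-k8s", "requisiteStageRefIds": ["1"]}
# ]}}
# Stage 3 has both a scan and a manual judgment upstream and passes; stage 4
# skips the judgment, so `deny` holds one message and `allow` is false.
```

With the policy in `policy.rego` and the sample pipeline in `pipeline.json`, `opa eval -i pipeline.json -d policy.rego 'data.policy.pipelines.deny'` prints the denial for the hotfix stage. The dependency walk matters: checking only a stage's direct `requisiteStageRefIds` would let a judgment two stages back satisfy nothing, and checking only that a `manualJudgment` stage exists anywhere in the pipeline would accept one placed after the deploy. Where this evaluation is wired in (when a pipeline is saved, or when it starts) depends on how OPA is connected to Spinnaker, which the talk does not specify.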