Tuesday, December 4, 2018

Using Stacksmith and Kubeapps To Create a Catalog Of Trusted Applications In Your Kubernetes Cluster

Companies with large IT infrastructures need a way to manage what is running in their environment end to end. At Bitnami, we understand this problem very well. In this article, I will show how to implement a solution for creating, maintaining, and distributing trusted applications across your organization. It will also give you improved control over compliance with corporate and IT policy and improve your IT security.

The solution I will discuss has two parts: ensuring that the applications and assets that get created follow your policies and best practices and remain up-to-date; and providing an easily accessible, easy-to-use service catalog for sharing the approved assets across your organization.

Creating a Set of Trusted Applications

The first step is to ensure that everything your teams create gets packaged according to your company’s best practices. This means the applications and assets are built with tested and approved components, are free from known security issues, and that any hardening and other required policies have been applied. Getting to this state can be done by defining a set of trusted deployable assets that you and others can safely use in your environment.

There is an ongoing component here as well - the need to ensure that assets remain up-to-date and do not get stale over time. This means that whenever any component of an application needs updating, or an application includes components with known security issues, the application should be re-packaged to incorporate the latest versions and security-issue fixes.

This step can be accomplished - and even automated - with Bitnami Stacksmith. Stacksmith lets you automate and optimize the packaging of your applications for deployment to cloud and container platforms. It also lets you ensure that Sec and Ops best practices are included at packaging time, producing the trusted asset. And, it continuously monitors your applications and assets for updates, patches, and vulnerabilities, allowing you to automate maintenance and ensure that what gets packaged is always up to date and secure.

Distributing Trusted Applications via a Service Catalog

The next step is to distribute these trusted applications across your organization. By providing a service catalog, you give your users a consistent, central repository from which they can locate and launch applications. Use of a service catalog also lets Ops ensure that only trusted applications and assets are available for users to launch, and that what is posted in the service catalog is the latest build of each asset, containing any security or other updates.

This step can be accomplished for your Kubernetes cluster with Kubeapps along with a Helm chart repository. Kubeapps is an open source project that simplifies the discovery, launching, and managing of applications. It can be run inside your Kubernetes cluster to provide your users with a web-based UI, to make accessing applications in the chart repository easier.

Kubeapps provides a single place where people in your organization can start new applications, see what has been provisioned, and manage their deployments inside the cluster. It allows you to manage available IT services and helps you achieve governance and meet your compliance requirements, while enabling users to deploy only IT-approved services.

Better Together

Closing the loop between the two steps discussed above, there is an easy way to integrate the packaging and updating process of Stacksmith with the distribution of Kubeapps. The result delivers an automated and manageable way to ensure that trusted assets are created, are posted to your service catalog, and are always current.

Here is what that workflow from trusted input and policy, to packaging, to posting looks like:


As you can see, using Kubeapps along with Stacksmith allows your organization to create and maintain a catalog of trusted applications and services that can be launched in your clusters. This reduces the risk of users launching applications that are not compliant with your corporate standards and/or requirements.

Want to go deeper? For a step-by-step guide on how to set up Kubeapps and Stacksmith to provide a service catalog inside your Kubernetes cluster, go here.

To learn more about Stacksmith, visit bitnami.com/stacksmith. To learn more about Kubeapps, visit the GitHub project.

Or contact Bitnami at enterprise@bitnami.com for a personalized discussion and demonstration of how Stacksmith and Kubeapps can provide compliance and governance for your IT.