Golang From Code to Kubernetes
Published by Pearson
Deploy Secure Go Applications to Kubernetes with DevSecOps Pipelines
- Apply best practices for security vulnerability scanning for Go applications
- Deep dive into Docker container security for Go applications from a secure supply chain perspective
- Deploy Go applications to Kubernetes with GitOps and telemetry
- See practical examples of CI/CD pipelines using GitHub Actions that build, scan, sign, and deploy Docker containers for Go applications in a DevSecOps workflow context
Everybody is talking about DevSecOps and Shift Left Security these days, but to go from abstract concepts to practical skills is not easy. This class will teach you how to scan your Go application for security vulnerability, containerize it using industry best practices, deploy it to a Kubernetes cluster, and then observe and monitor its performance. Learn static security scanning and SBOM management for Go applications, taking an existing Open Source project as an example. Build and test the application, perform static security scanning and dependency scanning, and generate a Software Bill of Materials (SBOM).
Do a deep dive into creating Docker images for our example application using a variety of Docker build tools such as buildx, podman, ko, kaniko, and cloud native buildpacks. Learn how to scan Docker images for security vulnerabilities using tools such as trivy and grype, and how to generate a Docker-specific Software Bill of Materials (SBOM). Tackle software supply chain security using digital signatures and attestations with sigstore cosign.
Develop skills for deploying Go applications to Kubernetes with GitOps and telemetry. Deploy our Golang application using ArgoCD to a local Kubernetes cluster based on KIND, then perform runtime security scanning of Kubernetes workloads with trivy. Learn how to auto-instrument the application for observability using Open Telemetry and Signoz.
What you’ll learn and how you can apply it
- Supply chain security tools and processes for scanning, securing, attesting, and verifying Go application code and Docker images
- Best practices for creating and managing Docker images for Go applications using a variety of technologies
- How to deploy Go applications to Kubernetes with GitOps and telemetry
- Creation of CI/CD pipelines for building, scanning, signing, and deploying Docker images in a DevSecOps workflow context
And you’ll be able to:
- Build and test Go applications and create Docker images with a focus on performance and security
- Apply latest industry best practices for supply chain security in containerized workloads
- Use GitOps workflows to deploy Go applications to Kubernetes
- Instrument Go applications for observability
- Create CI/CD pipelines that help with automating the building, securing, and deploying of Docker images
This live event is for you because...
- You are a Golang developer who wants to build secure Go applications and create CI/CD pipelines for your source code, from building the code to deploying the code to Kubernetes
- You are a DevSecOps practitioner who wants to build, scan, and deploy microservice applications based on Docker containers
- You are a Cybersecurity professional who wants to verify the security of Docker containers running in your environment
Prerequisites
- Build a Go application
- Build a Docker image and store in a Docker registry
- Be familiar with CI/CD pipelines
- Be familiar with Unix shell commands
Course Set-up
- Docker Engine/Desktop installed on Windows or MacOS
- Command-line terminal
- Web browser
Recommended Preparation
- Read: Go for DevOps by John Doak and David Justice
- Watch: “From IT to DevOps” by Paul Furlan
- Watch: “Securing Your DevOps Pipelines” by Milecia McGregor
Recommended Follow-up
- Watch: “Docker Containers” by Christopher Negus
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
Segment 1: Static security scanning and SBOM management for Go applications (45 minutes)
- Take an Open Source Go application as an example
- Build, test, code coverage
- Static security scanning (SAST)
- Code quality and security with SonarQube
- Dependency security scanning with govulncheck and OWASP Dependency Check
- SBOM generation with SPDX and CycloneDX
- SBOM management with OWASP Dependency Track
- Break (5 minutes)
- Q & A (10 minutes)
Segment 2: Building and securing Docker containers for Go applications (45 minutes)
- Docker image creation methods for Go applications using tools such as Docker buildx, Podman, Ko, Kaniko, and Cloud Native Buildpacks
- Dockerfile scanning with hadolint and trivy
- Docker image security scanning with trivy and grype
- Digital signatures and attestations with sigstore cosign
- Software Bill of Materials (SBOM) creation and attestation with syft
- Break (5 minutes)
- Q & A (10 minutes)
Segment 3: Deploying Go applications to Kubernetes with GitOps and telemetry (45 minutes)
- Deploy Go application to local Kubernetes cluster based on KIND
- Create and manage Kubernetes manifests using Kustomize and Helm (helmify)
- Deploy with GitOps using ArgoCD
- Creating Kubernetes admission policies using OPA / kyverno and verifying cosign signatures
- Runtime security scanning of Kubernetes workloads with trivy
- Observability with Open Telemetry and Signoz
- Break (5 minutes)
- Q & A (10 minutes)
Segment 4: CI/CD pipelines in a DevSecOps context (45 minutes)
- Overview of GitHub Actions CI/CD pipelines
- Build the source code into an artifact
- Create a Docker image for the built artifact
- Scan the Docker image for security vulnerabilities
- Sign the image with cosign
- Push the image to the GitHub container registry
- Push Kubernetes manifests to GitOps repository
- Deploy the image using ArgoCD
- Q & A (10 minutes)
- Course wrap-up and next steps (5 minutes)
Your Instructor
Grig Gheorghiu
Grig Gheorghiu is a co-founder of Timonier Systems, helping companies implement DevSecOps processes and workflows for running their applications securely in Kubernetes. Previously, Grig worked as a DevOps Lead at LinQuest in El Segundo, California. Grig has 30 years of industry experience working in diverse roles such as programmer, test engineer, research lab manager, system/network/security/cloud architect, and DevOps lead. For the past 25 years, Grig has been architecting and building the infrastructure for large consumer-facing and e-commerce websites such as Evite and NastyGal, as well as leading technical operations and engineering teams. He tries to blog regularly about technology topics. Grig has a BSc degree in Computer Science from the University of Bucharest, Romania, and a MSc degree in Computer Science from USC in Los Angeles.