Cloud-Native Development Features Latest News News Topics 

Weaveworks Acquires Magalix to Secure GitOps in K8s Environments

, , ,
by Mike Vizard

Weaveworks today announced it has acquired Magalix to improve Kubernetes security within the context of a GitOps workflow. Financial terms of the deal were not disclosed.

GitOps is a methodology for deploying applications that makes it simpler to automatically pull the code required for provisioning infrastructure from a Git repository along with the code for the application itself. The goal is to avoid manually provisioning infrastructure and then pushing application code out; instead, the target platform will automatically pull all the required code from the Git repository where it resides. Magalix created a platform that makes it possible to include security policies-as-code within a GitOps workflow.

Weaveworks CEO Alexis Richardson says the Weave GitOps Enterprise platform, created to manage GitOps workflows across a Kubernetes environment, can now be more easily employed within the context of a DevSecOps workflow.

Weaveworks and Magalix previously worked together to secure GitOps pipelines. The goal now is to tighten that integration to simplify the implementation of DevSecOps best practices, notes Richardson.

That issue has become especially acute in the wake of a series of high-profile breaches. Organizations are responding by continuing to review software supply chain security. In many cases, cloud services have been misconfigured by developers that typically lack cybersecurity expertise. A cybersecurity approach that employs a policy-as-code solution, like Magalix, makes it less likely cloud services will be misconfigured, says Richardson. Magalix’s KubeGuard agent also ensures any runtime drift is detected and automatically remediated to maintain a zero-trust IT environment, he adds.

It’s still early days for GitOps adoption, at least as an opinionated instance of a DevOps workflow is concerned. While GitOps can, in theory, be applied across a wide range of platforms, the consistent set of application programming interfaces (APIs) presented by Kubernetes clusters makes it easier to achieve in this context. In contrast, legacy platforms tend to have disparate APIs that make it challenging to continuously deliver applications. In fact, while most organizations have been able to achieve continuous integration within the context of an application development project, the ability to achieve continuous delivery has proven to be more challenging despite the adoption of continuous integration/continuous delivery (CI/CD) platforms. It’s not clear yet whether organizations will prefer to have a single CI/CD platform or whether developers will opt for a CI platform that is loosely coupled to a CD platform managed by an IT operations team.

Regardless of approach, the entire process for building and deploying applications needs to be more secure. Less clear is to what degree cybersecurity teams need to be involved in that process beyond helping to craft the initial security policies. Given the current chronic shortage of cybersecurity expertise, the overarching goal is to automate as much of the DevSecOps process as possible. After all, the only other alternative is to slow down the rate at which applications are being built and deployed to make sure they are secure. That option, however, is largely considered to be unacceptable.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1729 posts and counting. See all posts by Mike Vizard