This project demonstrates an end-to-end CI/CD pipeline that applies DevSecOps practices, Infrastructure as Code, GitOps, and monitoring to deploy a resilient multi-tier application on Kubernetes (Amazon EKS).
- Feature code and pipeline/workflow definitions (this repository)
- Kubernetes manifests (separate repository)
- Infrastructure-as-Code for EKS and networking (separate repository)
Everything about the Kubernetes deployment architecture, resource details, and operational patterns is documented in the manifests repository.
The pipeline follows a sequential workflow from code commit to deployment:
1. Secret detection: scans the codebase for accidentally committed credentials, API keys, and other sensitive data before any other stage runs.
2. Build and unit tests: compiles the source and executes unit tests to validate functionality and catch bugs early in the development cycle.
3. SAST: analyzes source code for security vulnerabilities, insecure coding patterns, and compliance violations without executing the application.
4. Dependency scan: checks project dependencies for known CVEs in libraries and packages. Trivy was selected over OWASP Dependency-Check for significantly faster scan times with comparable detection accuracy.
5. Image build: multi-stage Docker builds on Chainguard base images, which keep the attack surface minimal and carry far fewer known vulnerabilities than standard base images.
6. Image scan: scans every layer of the final deployable artifact for vulnerabilities before release, so the gate runs on the exact bytes that will ship rather than on the source tree.
7. SBOM generation: produces an SBOM listing all components, libraries, dependencies, and licenses in the application, for supply-chain security and compliance.
8. Registry push: only images that passed the scans are tagged and pushed to the container registry.
9. Manifest update: the pipeline rewrites the image tag in the Kubernetes manifests and commits the change to the manifests repository, which triggers the GitOps deployment.
10. Notification: a custom GitHub Actions composite action posts contextual alerts to Slack with relevant links and data for rapid response.
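The workflow below is an added example of how these stages can be wired together in GitHub Actions; it is not the project's own workflow file. It assumes Gitleaks for secret detection (the page does not name a scanner), Trivy for the dependency scan, image scan and SBOM, GHCR as the registry, an image name of `ghcr.io/example-org/app`, a manifests repository `example-org/k8s-manifests` reachable through a `MANIFESTS_PAT` secret, a Deployment manifest at `backend/deployment.yaml`, and the action version pins shown; every one of these names is an assumption. The unit-test and SAST steps depend on the application's language and are left out. The property worth copying is the ordering: the image is built into the local daemon, gated by the scan, and only then pushed and promoted.

```yaml
name: devsecops-pipeline
on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write

env:
  IMAGE: ghcr.io/example-org/app   # assumed image name

jobs:
  pipeline:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the secret scan also sees past commits

      # Secret detection (Gitleaks assumed; the page does not name the scanner)
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Dependency scan: fail the build on fixable HIGH/CRITICAL CVEs
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'

      # Build the multi-stage image into the local daemon; nothing is pushed yet
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          push: false
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # Image scan gate on the artifact that will actually ship
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'

      # SBOM (CycloneDX) of the scanned image, kept as a build artifact
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          format: cyclonedx
          output: sbom.cdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json

      # Push only after both scan gates passed
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: docker push "$IMAGE:$GITHUB_SHA"

      # Promote: bump the tag in the manifests repo, which triggers the GitOps sync
      - uses: actions/checkout@v4
        with:
          repository: example-org/k8s-manifests   # assumed
          token: ${{ secrets.MANIFESTS_PAT }}      # assumed: a PAT scoped to that one repo
          path: manifests
      - run: |
          cd manifests
          # Replace only the tag after "image: <IMAGE>:"; the repository/name part is untouched
          sed -i "s#^\(\s*image: $IMAGE\):.*#\1:$GITHUB_SHA#" backend/deployment.yaml
          git config user.name  "ci-bot"
          git config user.email "ci-bot@example.org"
          git commit -am "chore: deploy app $GITHUB_SHA"
          git push
```

Two choices matter here. The image is tagged with the commit SHA rather than `latest`, so the manifest commit pins exactly what was scanned and a rollback is a one-line revert in the manifests repo. `ignore-unfixed: true` keeps the gate from blocking on CVEs with no available fix, which is a deliberate trade-off: those findings still appear in the SBOM and in the scan report, they just do not stop the release.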
Git serves as the single source of truth for the desired state of the entire system. ArgoCD continuously watches the manifests repository and reconciles the cluster to match it, which covers:
- Continuous Monitoring
- State Comparison
- Automatic Synchronization
- Drift Detection
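An ArgoCD Application that enables the behaviours listed above, added here as an example and not taken from the project's manifests repository. The repository URL, path, project and namespace are assumptions.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io   # deleting the Application also removes what it manages
spec:
  project: default
  source:
    repoURL: https://github.com/example-org/k8s-manifests.git   # assumed manifests repo
    targetRevision: main
    path: backend
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true      # objects deleted from Git are deleted from the cluster
      selfHeal: true   # manual kubectl edits are reverted to the Git state
    syncOptions:
      - CreateNamespace=true
```

`selfHeal` is what turns drift detection into tamper resistance: an attacker (or an operator) who edits a Deployment in the cluster to swap the image or add a privileged container sees the change reverted on the next reconciliation, and the diff is recorded in ArgoCD's sync history. Without `selfHeal` the drift is only reported (`argocd app diff app`), not corrected. The flip side is that break-glass changes must go through Git as well, which is the intended discipline.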
Comprehensive platform observability using industry-standard cloud-native tools:
- Prometheus scrapes metrics from application services, databases, and infrastructure components
- Prometheus Adapter exposes custom application metrics to HPA for app-aware autoscaling decisions
- ServiceMonitor CRDs enable automatic discovery of backend, frontend, and database endpoints
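An added example of the Prometheus Adapter plus HPA pairing described above; this is not the project's own configuration. It assumes the application exports a counter named `http_requests_total` with `namespace` and `pod` labels, a Deployment called `backend` in the `production` namespace, and that the adapter reads its rules from a ConfigMap named `adapter-config` in `monitoring`, all of which are assumptions.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: adapter-config   # assumed: the ConfigMap the Prometheus Adapter is pointed at
  namespace: monitoring
data:
  config.yaml: |
    rules:
      # Turn the raw counter into a per-pod rate and expose it through the
      # custom.metrics.k8s.io API as http_requests_per_second
      - seriesQuery: 'http_requests_total{namespace!="",pod!=""}'
        resources:
          overrides:
            namespace: {resource: "namespace"}
            pod: {resource: "pod"}
        name:
          matches: "^(.*)_total$"
          as: "${1}_per_second"
        metricsQuery: 'sum(rate(<<.Series>>{<<.LabelMatchers>>}[2m])) by (<<.GroupBy>>)'
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: backend
  namespace: production
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: backend
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Pods
      pods:
        metric:
          name: http_requests_per_second   # the name produced by the adapter rule above
        target:
          type: AverageValue
          averageValue: "100"              # scale out when pods average more than 100 req/s
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300      # damp flapping on bursty traffic
```

Before trusting the HPA, confirm the metric is actually served: `kubectl get --raw "/apis/custom.metrics.k8s.io/v1beta1/namespaces/production/pods/*/http_requests_per_second"` should return a value per pod. If it returns an empty list the HPA stays at `minReplicas` and reports `unknown`, which is the usual failure mode when the series query's label names do not match what the application emits.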
Alertmanager processes alerts fired by Prometheus rule evaluations against defined metric thresholds and delivers notifications to Slack channels for immediate team awareness.
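The three objects below show the discovery, rule and routing chain end to end: a ServiceMonitor that picks up the backend endpoint, a PrometheusRule that fires on an error-rate threshold, and an AlertmanagerConfig that routes it to Slack. They are an added example, not the project's manifests, and assume a Prometheus Operator installation whose selectors match the `release: kube-prometheus-stack` label, a Service labelled `app: backend` with a named port `http`, and a Secret `slack-webhook` holding the webhook URL under the key `url`; all of these are assumptions.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: backend
  namespace: production
  labels:
    release: kube-prometheus-stack   # assumed: must match the Prometheus serviceMonitorSelector
spec:
  selector:
    matchLabels:
      app: backend
  endpoints:
    - port: http        # the Service's named port, not a number
      path: /metrics
      interval: 30s
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: backend-alerts
  namespace: production
  labels:
    release: kube-prometheus-stack
spec:
  groups:
    - name: backend
      rules:
        - alert: BackendHighErrorRate
          expr: |
            sum(rate(http_requests_total{job="backend",code=~"5.."}[5m]))
              / sum(rate(http_requests_total{job="backend"}[5m])) > 0.05
          for: 10m                      # must hold for 10 minutes before firing
          labels:
            severity: critical
          annotations:
            summary: "Backend 5xx ratio above 5% for 10 minutes"
---
apiVersion: monitoring.coreos.com/v1alpha1
kind: AlertmanagerConfig
metadata:
  name: slack
  namespace: production
spec:
  route:
    receiver: slack
    groupBy: [alertname, namespace]
    matchers:
      - name: severity
        value: critical
  receivers:
    - name: slack
      slackConfigs:
        - apiURL:            # the webhook is read from a Secret, never inlined in Git
            name: slack-webhook
            key: url
          channel: "#alerts"
          sendResolved: true
```

The Slack webhook URL is a credential: anyone holding it can post into the channel, so it belongs in a Secret referenced by `apiURL` rather than in the manifests repository that ArgoCD syncs. The `job` label used in the alert expression is, by default, the name of the Service the ServiceMonitor selected, which is why the Service name and the rule must agree.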
- Loki aggregates logs from all containers and services across the cluster
- Promtail agents collect and ship logs from Kubernetes pods to Loki
- Enables correlation between metric anomalies and log events for faster troubleshooting

Grafana serves as the central observability interface, providing real-time visualization of system health and performance.
Custom dashboards aggregate data from both Prometheus (metrics) and Loki (logs), enabling operators to correlate performance trends with application behavior and SLO tracking.

Kernel-level runtime security monitoring detects anomalous container behaviour: privilege escalation, unauthorized file access, unexpected network connections, and malicious process execution.
Security alerts feed the same monitoring pipeline so incident response is centralized.
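Two custom rules of the kind this layer runs on, added as an example. The page does not name the runtime tool; these are written for Falco and assume its default ruleset is loaded so that the `spawned_process`, `container` and `outbound` macros exist. The namespace, image name, allowed parent processes and egress ranges are assumptions.

```yaml
# Assumed: parent processes that legitimately exec a shell, e.g. liveness probes
- list: allowed_shell_parents
  items: [kubelet, containerd-shim]

# Assumed: VPC ranges the application is expected to talk to
- list: allowed_egress_cidrs
  items: ["10.0.0.0/8", "172.16.0.0/12"]

- rule: Interactive shell in production container
  desc: >
    A shell was spawned inside a container in the production namespace.
    Chainguard runtime images ship without a shell, so this almost always means
    one was dropped in by an attacker or a debug container was attached.
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, ash, dash)
    and k8s.ns.name = "production"
    and not proc.pname in (allowed_shell_parents)
  output: >
    Shell in production container
    (user=%user.name pod=%k8s.pod.name container=%container.name
     image=%container.image.repository parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, mitre_execution]

- rule: Unexpected outbound connection from app container
  desc: >
    The application image opened a connection to an address outside the allowed
    egress ranges; a sign of a reverse shell, exfiltration or a pulled-in payload.
  condition: >
    outbound and container
    and container.image.repository = "ghcr.io/example-org/app"
    and not fd.snet in (allowed_egress_cidrs)
  output: >
    Unexpected egress from app container
    (pod=%k8s.pod.name dest=%fd.sip:%fd.sport proc=%proc.name cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [container, network, mitre_exfiltration]
```

The allow-lists are the part that needs tuning: a rule that fires on every probe or every call to the cluster DNS is muted within a week, so the first days of running it should be spent expanding `allowed_shell_parents` and `allowed_egress_cidrs` from real alerts rather than lowering the priority. To land these events next to the Prometheus alerts, a forwarder such as Falcosidekick can post them to Slack or to Alertmanager, which keeps the response path the same for both.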