1 of 17

Defining Standard Policies for a�Common DevOps Pipeline

Fatih Degirmenci

Principal Developer, Ericsson Software Technology

Co-chair, SIG Interoperability, Continuous Delivery Foundation

2 of 17

Technology Transformation

  • New technologies & methodologies delivering tremendous advances in various industries and increasing the pace of innovation

  • New breed of companies disrupting the status quo and pushing the boundaries thanks to their agility

  • Traditional players are also on their way to embrace the change and transform themselves

3 of 17

Continuous Delivery Ecosystem

  • Continuous Delivery and DevOps are critical for all the players, regardless of their industry, size, and history
  • The communities are exploring and developing new software development and delivery paradigms, methodologies, and technologies

  • However, the explosion in number of tools and technologies is not without its challenges
  • Policy is one of them!

4 of 17

Sample Pipeline

µService Pipeline

SCM

SCM

SCM

Team A

Team B

Team C

µService A

µService B

µService C�Pre-merge Activities

µService A

µService B

µService C�Post-merge Activities

SCM

SCM

SCM

Registry

Americas Rollout

EU Rollout

Static Code Analysis�Unit Test

Build

Dependency Scanning

Build

Smoke Tests

Performance Tests

Security Analysis

Canary Deployment

A/B Testing

5 of 17

Example Checks in Sample Pipeline

µService Pipeline

SCM

SCM

SCM

Team A

Team B

Team C

µService A

µService B

µService C�Pre-merge Activities

µService A

µService B

SCM

SCM

SCM

Registry

Americas Rollout

blocklist

privileges

ports

day/time�date

regulations

?

!

quality checks

EU Rollout

µService C�Post-merge Activities

6 of 17

Considerations

Quality

Security

Regulations

Functionality

Velocity

Innovation

Developer Experience

Business

7 of 17

Notes on Policy

  • Policies are business decisions, clearly defined, documented, and governed
    • Quality
    • Security
    • Rules
    • Regulations

  • Policies must be enforcable, measurable, and auditable

  • Policy driven approach helps ensure the developers
    • prevent defects that could result in costly outcomes and liabilities
    • build security into application in order to safeguard from attacks
    • don’t make trade-offs that potentially endanger reliability and performance
    • gain traceability and auditability

  • Guidelines vs Policies
    • Suggested Behavior vs Expected Behavior

8 of 17

Policy and Technology

Policies are defined by business

Technology deals with the implementation

9 of 17

Policy Driven CI/CD

µService Pipeline

SCM

SCM

SCM

Team A

Team B

Team C

µService A

µService B

µService C�Pre-merge Activities

µService A

µService B

µService C�Post-merge Activities

SCM

SCM

SCM

Registry

Americas Rollout

EU Rollout

Policy Framework

blocklist

privileges

ports

day/timedate

regulations

quality checks

10 of 17

Pipelines with Multiple CI/CD Technologies and Policy

µService Pipeline

SCM

SCM

SCM

Team A

Team B

Team C

µService A

µService B

µService C�Pre-merge Activities

µService A

µService B

µService C�Post-merge Activities

SCM

SCM

SCM

Registry

Americas Rollout

EU Rollout

CI/CD Technology X

CI/CD Technology Y

blocklist

privileges

ports

day/timedate

regulations

quality checks

11 of 17

Interactions with External Systems

µService Pipeline

SCM

SCM

SCM

Team A

Team B

Team C

µService A

µService B

µService C�Pre-merge Activities

µService A

µService B

µService C�Post-merge Activities

SCM

SCM

SCM

Registry

Americas Rollout

EU Rollout

External System

privileges

ports

day/time

regulations

CI/CD Technology X

CI/CD Technology Y

blocklist

quality checks

12 of 17

Challenges with Policy

Culture

Shared Understanding

Terminology

Best Practices

Focus

Technology

Interoperability

Adaptability

Policy Development and Lifecycle

3rd Party Systems

13 of 17

Addressing Challenges Collaboratively

SIG Interoperability

SIG Best Practices

SIG Events

End User Council

14 of 17

CDF SIG Interoperability – Policy Driven CD

15 of 17

Conclusions

  • Policy is critical for all organizations, regardless of
    • size – startup or established
    • industry – finance or telecommunications or health
    • type – highly regulated or not

  • Organizations need to define standardized approach to defining and enforcing policies

  • There are challenges within the ecosystem to that need to be addressed

  • The topic requires broader participation from various communities, projects, and end users

  • CDF provides home for this and similar challenges to be addressed

16 of 17

Links

17 of 17

Thanks!