DevSecOps in Practice with VMware Tanzu (PDF)
Consider a large bank implementing DevSecOps in practice with VMware Tanzu. They had three legacy requirements:
The Tanzu Solution:
Runtime security agents such as Falco and Tetragon rely on eBPF probes, and those probes cost CPU on every node they run on.
The fix: the PDF suggests a tiered model. Run the high-fidelity eBPF policies only in sensitive namespaces (e.g., payment) and use lightweight, metrics-only monitoring in dev environments.
```yaml
# Sample ClusterSupplyChain (Cartographer). Each resource consumes the output of
# the resource before it; the templateRef kind determines what a stage may emit
# (ClusterSourceTemplate: source url/revision, ClusterImageTemplate: image,
# ClusterTemplate: nothing). Cartographer resources have no "conditions" field:
# the "zero CRITICAL findings" gate belongs in the scan template's policy
# (in Tanzu Application Platform that is a ScanPolicy), and a failing scan
# stops the chain because the stage never emits an output.
apiVersion: carto.run/v1alpha1
kind: ClusterSupplyChain
metadata:
  name: secure-java-chain
spec:
  selector:
    app-type: spring-boot        # matches Workloads carrying this label
  resources:
    - name: source-provider
      templateRef:
        kind: ClusterSourceTemplate
        name: git-source-template
    - name: security-scan        # source scan; must report 0 CRITICAL findings
      templateRef:
        kind: ClusterSourceTemplate
        name: grype-scan-template
      sources:
        - resource: source-provider
          name: source
    - name: image-builder
      templateRef:
        kind: ClusterImageTemplate
        name: tbs-build-template
      sources:
        - resource: security-scan
          name: source
    - name: image-scan
      templateRef:
        kind: ClusterImageTemplate
        name: harbor-scan-template
      images:
        - resource: image-builder
          name: image
    - name: policy-check
      templateRef:
        kind: ClusterImageTemplate
        name: opa-template
      images:
        - resource: image-scan
          name: image
    - name: deployer
      templateRef:
        kind: ClusterTemplate
        name: gitops-deploy-template
      images:
        - resource: policy-check
          name: image
```
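A concrete form of the gate the `security-scan` stage enforces, as an added example (not code from the page, from Cartographer or from VMware): a Python step that reads a Grype JSON report and fails when the number of findings at a severity exceeds the policy ceiling, honouring time-boxed CVE exceptions so an accepted risk cannot silently become permanent. The policy format, the CVE identifiers, the package names and the sample report are constructed for this example; the report shape follows Grype's `-o json` output (`matches[].vulnerability` and `matches[].artifact`).

```python
"""Severity gate over a Grype JSON report.

Added example, not code from the page, Cartographer or VMware. Intended to run
as a pipeline step after `grype <image> -o json > grype.json`. The policy
format (per-severity ceilings plus CVE exceptions with an expiry date) is this
example's own assumption.
"""
import json
import sys
from collections import Counter, defaultdict
from datetime import date
from typing import Dict, List

# Severities Grype emits; anything else is treated as Critical (fail closed).
KNOWN_SEVERITIES = {"Negligible", "Low", "Medium", "High", "Critical"}

# Assumed policy format: ceilings per severity, exceptions valid until a date.
DEFAULT_POLICY = {
    "max": {"Critical": 0, "High": 5},
    "exceptions": {"CVE-0000-0002": "2099-01-01"},  # accepted risk until then
}

# Constructed sample report: CVE ids and packages are made up for the example.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.1.1k"]}},
         "artifact": {"name": "openssl", "version": "1.1.1f", "type": "deb",
                      "locations": [{"path": "/var/lib/dpkg/status",
                                     "layerID": "sha256:base0"}]}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "log4j-core", "version": "2.14.1",
                      "type": "java-archive",
                      "locations": [{"path": "/workspace/BOOT-INF/lib/log4j-core-2.14.1.jar",
                                     "layerID": "sha256:app0"}]}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"state": "fixed", "versions": ["1.2.12"]}},
         "artifact": {"name": "zlib", "version": "1.2.11", "type": "deb",
                      "locations": [{"path": "/var/lib/dpkg/status",
                                     "layerID": "sha256:base0"}]}},
    ]
}


def evaluate(report: dict, policy: dict, today_iso: str) -> dict:
    """Return {'passed': bool, 'counts': {severity: n}, 'reasons': [str]}.

    Exceptions are honoured only while unexpired; unknown severities count as
    Critical so a rating gap cannot wave a finding through.
    """
    today = date.fromisoformat(today_iso)
    counts: Counter = Counter()
    findings: Dict[str, List[str]] = defaultdict(list)
    for match in report.get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        expiry = policy["exceptions"].get(vuln["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # still inside its exception window
        severity = vuln.get("severity", "Unknown")
        if severity not in KNOWN_SEVERITIES:
            severity = "Critical"
        counts[severity] += 1
        findings[severity].append(f"{vuln['id']} ({art['name']} {art['version']})")

    reasons = [
        f"{sev}: {counts[sev]} finding(s) exceed limit {limit}: {', '.join(findings[sev])}"
        for sev, limit in policy["max"].items()
        if counts[sev] > limit
    ]
    return {"passed": not reasons, "counts": dict(counts), "reasons": reasons}


def main(argv: List[str]) -> int:
    """CLI: `gate.py grype.json [policy.json]`; exits 1 when the gate fails."""
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    policy = json.load(open(argv[2])) if len(argv) > 2 else DEFAULT_POLICY
    result = evaluate(report, policy, date.today().isoformat())
    print(json.dumps(result, indent=2))
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the embedded sample and exits non-zero, because the Critical openssl finding exceeds the ceiling of 0 while the High log4j finding is covered by an unexpired exception. Keeping the exception expiry in the policy file, rather than in a ticket, is what makes the gate re-open the finding on its own.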
Traditional Dockerfiles often introduce bloat and vulnerabilities (e.g., `latest` tags, outdated base images). Tanzu Build Service instead builds images with Cloud Native Buildpacks (via kpack), so the base image is chosen and patched centrally rather than in each team's Dockerfile.
A typical DevSecOps pipeline using VMware Tanzu includes the following stages:
| Stage | Tanzu Component | Security Action |
|--------|----------------|------------------|
| Code & Commit | Git (any) + Tanzu CLI | Dependency/SCA scanning (e.g., Grype, Snyk); SAST |
| Image Build | Tanzu Build Service (kpack + Buildpacks) | Base OS patch management; SBOM generation |
| Image Registry | Harbor (integrated with Tanzu) | Vulnerability scanning; image signing (Cosign/Notary) |
| Supply Chain | Tanzu Supply Chain / Cartographer | Policy validation (OPA/Gatekeeper) |
| Deployment | Tanzu Kubernetes Grid | Network policies; Pod Security Standards |
| Runtime | Tanzu Observability + Tanzu Security | Runtime threat detection; audit logging |
Teams often scan every microservice image on every commit (e.g., 50 services × 100 commits = 5,000 scans a day). Tanzu solution: use image caching and base-image rebasing. Do not rebuild the whole Python base image for a code change; scan the base image weekly, and scan the application layer only when the code changes. One caveat a practitioner should add: a cached "clean" result is only as fresh as the vulnerability database it was produced with, so the base must also be rescanned when the database is updated, not only on the weekly cadence.
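The scheduling rule behind that advice, as an added example (not code from the page or from Tanzu Build Service): a cache keyed on layer digest that marks a layer as due for scanning when it has never been scanned, when it is a base (run-image) layer past the weekly cadence, or, going one step beyond the page, when the vulnerability database has been refreshed since the layer's last scan. Buildpack-built images share their run-image layers, so after a rebase only the one new application layer is unseen. The digests, timestamps and the 50-services × 100-commits simulation are constructed for this example.

```python
"""Layer-digest scan cache: which image layers actually need a (re)scan.

Added example, not code from the page or from Tanzu Build Service. The
caller scans the layers returned as due (e.g. by restricting the SBOM to
those layers); this module only decides what is due.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

BASE_RESCAN_INTERVAL = timedelta(days=7)  # the page's weekly base-image cadence


class ScanCache:
    """Maps a layer digest to the time it was last scanned."""

    def __init__(self) -> None:
        self.last_scanned: Dict[str, datetime] = {}

    def layers_due(self, layers: Iterable[str], base_layers: Set[str],
                   now: datetime, db_updated: datetime) -> List[str]:
        """Layers that need scanning for an image being built at `now`.

        Due when never scanned, when the vulnerability DB was updated after
        the last scan (a scan at the same instant is assumed to have used
        the new DB), or when a base layer is past the weekly cadence.
        Application layers are content-addressed, so a cached one is only
        revisited on a DB update.
        """
        due = []
        for digest in layers:
            last = self.last_scanned.get(digest)
            if last is None or last < db_updated:
                due.append(digest)
            elif digest in base_layers and now - last >= BASE_RESCAN_INTERVAL:
                due.append(digest)
        return due

    def record(self, layers: Iterable[str], when: datetime) -> None:
        """Mark `layers` as scanned at `when`."""
        for digest in layers:
            self.last_scanned[digest] = when


def walkthrough() -> List[List[str]]:
    """Scripted scenario (constructed digests): the due list at four builds.

    1. first build: everything is new
    2. same day, new commit: only the new app layer
    3. eight days later, new commit: base past cadence plus new app layer
    4. a day later, after a DB refresh, rebuild of the same commit: everything
    """
    cache = ScanCache()
    base = {"sha256:run0", "sha256:run1"}
    day0 = datetime(2024, 1, 1)
    steps = [
        (day0, day0, ["sha256:run0", "sha256:run1", "sha256:app1"]),
        (day0 + timedelta(hours=1), day0, ["sha256:run0", "sha256:run1", "sha256:app2"]),
        (day0 + timedelta(days=8), day0, ["sha256:run0", "sha256:run1", "sha256:app3"]),
        (day0 + timedelta(days=9), day0 + timedelta(days=8, hours=12),
         ["sha256:run0", "sha256:run1", "sha256:app3"]),
    ]
    out = []
    for now, db_updated, image in steps:
        due = cache.layers_due(image, base, now, db_updated)
        cache.record(due, now)
        out.append(due)
    return out


def simulate_day(services: int = 50, commits: int = 100, base_depth: int = 10,
                 start: datetime = datetime(2024, 1, 1)) -> Tuple[int, int]:
    """Compare naive (every build scans every layer) with cached scheduling.

    Every build shares the same run-image layers and adds one fresh app
    layer, which is how a buildpack-built image looks after a rebase.
    Returns (naive_layer_scans, cached_layer_scans) for one day.
    """
    base = {f"sha256:run{i:02d}" for i in range(base_depth)}
    base_layers = sorted(base)
    cache = ScanCache()
    db_updated = start  # DB refreshed once, before the day starts
    naive = cached = 0
    for n in range(services * commits):
        now = start + timedelta(seconds=n)  # builds spread over the day
        image = base_layers + [f"sha256:app{n:05d}"]
        naive += len(image)
        due = cache.layers_due(image, base, now, db_updated)
        cached += len(due)
        cache.record(due, now)
    return naive, cached


if __name__ == "__main__":
    for step, due in enumerate(walkthrough(), 1):
        print(f"build {step}: scan {due}")
    naive, cached = simulate_day()
    print(f"naive: {naive} layer scans, cached: {cached} layer scans")
```

With a ten-layer run image the naive schedule performs 55,000 layer scans for the day's 5,000 builds, the cache 5,010: the base once, then one application layer per build. Step 4 of the walkthrough is the caveat in code: a DB refresh invalidates every cached result, base and application layers alike, regardless of the weekly cadence.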
| Pitfall | Vanilla Kubernetes | VMware Tanzu DevSecOps Solution |
| :--- | :--- | :--- |
| Secret sprawl | Secrets stored in ConfigMaps (insecure). | Tanzu Secret Management with Vault integration; automatic secret rotation. |
| Image drift | Container contents change after the scan, so what runs is not what was scanned. | Tanzu Build Service rebases images without rebuilding the app. |
| Compliance fatigue | Manual checklists (PCI, HIPAA). | Automated compliance dashboards in Tanzu Observability. |