TMCnet Feature
August 09, 2022

Securing GitOps Environments with Azure Arc

What is Azure Arc?

Azure Arc provides tools that deliver a consistent and centralized management and governance experience for multi-cloud, on-premises, and hybrid cloud environments. It lets you project existing on-premises and non-Azure resources into Azure Resource Manager so you can manage the entire environment.

You can leverage Azure Arc to centrally manage Kubernetes clusters alongside virtual machines (VMs) and databases from multiple sources, using Azure services and management functionality across various locations. You can leverage this service to gradually adopt DevOps to support your new cloud native patterns while maintaining traditional ITOps as needed.

What is GitOps?

GitOps is a set of practices for managing infrastructure and application configurations using the open source version control system Git. GitOps uses Git as a single source of information for declarative configuration of infrastructure and applications.

GitOps automatically manages the configuration and deployment of your infrastructure using Git pull requests. Git repositories contain the entire system state, so you can easily view and audit changes to system state, and instantly detect configuration drift.

Designed as a process for developers, GitOps empowers teams to manage their infrastructure using the same tools and processes used to develop software. Another advantage of GitOps is that it allows each time to choose their tools—it is possible to implement GitOps with a range of DevOps tools and technologies.

Securing CI/CD and GitOps with Azure Arc

Kubernetes is a cloud-native platform and requires a cloud-native approach to deployment and operations. GitOps lets you declare the desired state of an application in the form of files stored in a Git repository. These files can be, for example, Kubernetes YAML manifests or Helm Charts. They can describe any type of Kubernetes object needed to run your applications—such as Deployments, Services, and ConfigMaps.

Kubernetes operators, known as GitOps agents, run within clusters and constantly adjust the state of each cluster to the desired state declared in the Git repository. This operator pulls a file from a Git repository and applies the desired state to the cluster. In addition, the operator continuously ensures that the cluster remains in the desired state.

Implementing GitOps with a Kubernetes-enabled Azure Arc cluster allows you to:

  • Improve overall visibility into Kubernetes cluster health and configuration.
  • Get an audit and version history of all changes to your cluster, showing exactly who made changes, when, and why.
  • Automatically correct configuration drift that may occur in the cluster.
  • Roll back a Kubernetes configuration to a previous version using Git revert or the Git rollback commands.
  • Easily re-create a cluster in case of disaster, because all configurations required to stand up the cluster are stored in Git.
  • Improve security by reducing the number of service accounts required to have deployment privileges on the cluster and creating complete separation between CI and CI environments.
  • Implement a fully automated continuous deployment pipeline for Kubernetes.

Governance and Security Best Practices For Azure Arc

When implementing Azure Arc to secure your GitOps environment, there are a few things you should be aware of. Azure Arc does not operate on its own, but as part of the entire Microsoft (News - Alert) security ecosystem.

Azure Policy, Microsoft Defender 365, and Microsoft Defender for Cloud are cloud-native tools that let you automate protection, control, reporting, alerting, and remediation actions at scale. Combined with Azure Arc-enabled Kubernetes, this helps extend governance policies and security checks to any Kubernetes cluster, on-premises or in a multi-cloud environment.

The following diagram shows a conceptual reference architecture that describes the security, compliance, and governance design areas of Kubernetes for Azure Arc.

Here are key security best practices for integrating Azure Arc into your governance and security model:

  • Proxy configuration—use the principle of least privilege when defining policies for provisioning Kubernetes agents for Azure Arc and onboarding service principals. Consider using automation for bulk registration.
  • Agent management—Azure Arc-enabled Kubernetes agents can manage clusters in Azure, which plays an important role in hybrid operations. Implement a solution to track proxy connection status. You need to define a procedure for upgrading the Azure Arc-enabled Kubernetes agent.
  • Role-Based Access Control (RBAC)—define administrative, operational, and developer roles within the organization responsible for the day-to-day operation of the hybrid cluster. Map each team to tasks and responsibilities to determine Azure Role Based Access Control (RBAC) roles, Kubernetes ClusterRoleBindings and RoleBinding.
  • Secret and certificate management—protect secrets and certificates by using Azure Key Vault and deploying to an Azure Arc-enabled kubernetes cluster via Container Storage Interface (CSI (News - Alert)).
  • Resident data—consider in which Azure region you will provision your Azure Arc-enabled Kubernetes cluster. Understand the data collected from your resources and plan accordingly based on your organization's data residency requirements.
  • Enable and secure GitOps configuration—GitOps configuration is an important tool for enforcing desired system health and tracking compliance of Arc-enabled Kubernetes clusters. If you are using a GitOps configuration, consider using appropriate networking and access controls to secure access to your source control system.
  • Policy management and reporting—define a governance plan for your hybrid Kubernetes cluster. Define Azure policies that audit and enforce your organizational standards across clusters.
  • Threat protection and cloud security posture management—implement threat protection, automatic detection of security misconfigurations, and compliance monitoring. Protect your hybrid workloads from threats with Azure Intelligence, and enable Microsoft Defender for Containers to create a security baseline for monitoring, posture management, and threat protection.
  • Improve the observability and security of microservices—implementing a service mesh facilitates authentication, authorization, security, and visibility into microservices-based applications. Kubernetes for Azure Arc provides an Open Services Mesh (OSM) extension.


GitOps is a promising work pattern, but can sometimes be complex to implement. In this article, I explained the basics of GitOps and showed how Azure Arc can help you secure GitOps-based Kubernetes environments in the cloud. Azure Arc provides end-to-end security and governance solutions for Kubernetes clusters running on-premises and in the Azure cloud.

I hope this will be useful as you roll out a GitOps process for your enterprise Kubernetes environments.

» More TMCnet Feature Articles


» More TMCnet Feature Articles