DevSecOps in Practice with VMware Tanzu PDF

"DevSecOps in Practice with VMware Tanzu" highlights the Automated Secure Container Build System via Tanzu Build Service, which automates secure image creation. The book also details secure supply chain integration, automated vulnerability patching, and curated open-source content for enhanced security. Access the book and its content through

DevSecOps in Practice with VMware Tanzu: A Definitive Guide (PDF Companion)

In the modern era of cloud-native transformation, speed is the currency of business. However, for many enterprises, the rush to Kubernetes has introduced a dangerous gap: security. Traditional security models (periodic scans, manual approvals, network perimeter firewalls) simply cannot keep pace with containers that live for seconds. Enter DevSecOps: the practice of integrating security decisions into the development pipeline rather than wrapping them around it. When combined with VMware Tanzu, organizations gain a platform that bakes security into the Continuous Integration/Continuous Delivery (CI/CD) fabric. This article serves as a high-level summary and companion guide to the comprehensive "DevSecOps in Practice with VMware Tanzu" PDF. We will break down the architectural patterns, pipeline automation, policy governance, and supply chain security required to run DevSecOps at scale.

Part 1: Why DevSecOps Fails on Traditional Kubernetes

Before diving into the Tanzu-specific features, it is critical to understand the problem. A standard Kubernetes distribution (e.g., vanilla upstream K8s) provides the engine but not the guardrails. The three common failure points are:

Image Sprawl: Developers pull base images from public registries (Docker Hub) that contain known Common Vulnerabilities and Exposures (CVEs). Without automated scanning, these vulnerabilities reach production.

Network Permissiveness: Default Kubernetes allows all pod-to-pod communication. A single compromised front-end pod can laterally move to a database pod.

Shift-Left Theater: Teams add a SAST (Static Application Security Testing) tool to Jenkins, but developers ignore the 400+ false positives to meet deployment deadlines.

The Solution: VMware Tanzu does not magically fix culture, but it provides the structural enforcement via policy-as-code and software supply chain controls to make DevSecOps practical.

Part 2: The Core Pillars of Tanzu DevSecOps

The "DevSecOps in Practice with VMware Tanzu" PDF organizes its content around four operational pillars. Understanding these is essential before downloading the full guide.

Pillar 1: Secure Supply Chain (Tanzu Supply Chain)

The most significant shift in modern DevSecOps is moving from artifact storage to artifact attestation. Tanzu Application Platform (TAP) uses Cartographer to create reproducible supply chains.

How it works: When a developer commits code to Git, the supply chain automatically triggers:

Source Scanning (Grype or Snyk).

Base Image Update (rebasing to a patched OS layer).

SBOM Generation (Software Bill of Materials).

Signature (Cosign from Sigstore).

Why it matters: The PDF contains a specific workflow showing how Tanzu prevents "dependency confusion" attacks by enforcing that only images signed by an internal Notary server can be promoted to staging.

Pillar 2: Policy as Code (Open Policy Agent & Kyverno)

Kubernetes admission controllers are the police force of your cluster. The PDF details how to implement Rego policies via Tanzu's integration with Open Policy Agent (OPA) Gatekeeper.

Example Policy from the PDF: Reject any Pod that does not have a securityContext limiting allowPrivilegeEscalation: false. Without this, a developer could inadvertently run a container as root. With Tanzu, the Cluster API enforces this policy at kubectl apply time, rejecting the deployment instantly with a clear error message.

Pillar 3: Runtime Security (Falco & Tanzu Observability)

Shift-left is necessary but insufficient. Zero-day exploits require runtime defense. VMware Tanzu includes integrations with Falco (the CNCF runtime security project). The PDF showcases a "detect and defend" playbook:

Detection: Falco detects a shell spawned inside a container (e.g., kubectl exec -it bash in production).

Response: Tanzu Observability triggers a webhook.

Remediation: A pre-signed ClusterRole automatically labels the node as "quarantined," stopping egress traffic.
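As an added illustration of the Pillar 2 policy above (this is example code, not taken from the book or from VMware), here is a Gatekeeper ConstraintTemplate carrying the Rego check together with a Constraint that applies it to Pods. The template, kind and constraint names are assumptions; the check covers both regular and init containers and rejects any container that does not explicitly set allowPrivilegeEscalation: false.

```yaml
# Assumed names: K8sDenyPrivilegeEscalation / deny-privilege-escalation
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdenyprivilegeescalation
spec:
  crd:
    spec:
      names:
        kind: K8sDenyPrivilegeEscalation
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyprivilegeescalation

        # A violation is raised for every container whose securityContext
        # is missing, or whose allowPrivilegeEscalation is missing or true.
        # "not x == false" is true when x is undefined as well as when x is true.
        violation[{"msg": msg}] {
          c := input_containers[_]
          not c.securityContext.allowPrivilegeEscalation == false
          msg := sprintf("container %q must set securityContext.allowPrivilegeEscalation: false", [c.name])
        }

        # Check regular containers ...
        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        # ... and init containers, which are just as capable of escalating.
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyPrivilegeEscalation
metadata:
  name: deny-privilege-escalation
spec:
  # "deny" blocks the Pod at admission; switch to "dryrun" to audit first.
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
```

After both objects are applied, a kubectl apply of a Pod whose containers omit the field fails at admission with the message above, which is the "clear error message" behaviour the PDF describes.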

Pillar 4: Multi-Tenancy & RBAC

Misconfigured Role-Based Access Control (RBAC) is the leading cause of cluster breaches. The PDF provides a "Space" model using Tanzu Mission Control (TMC).