From 21213f789b24e432bbd9061d53b798092fbeea5a Mon Sep 17 00:00:00 2001 From: Rasheed Amir Date: Mon, 9 Dec 2024 11:27:42 +0100 Subject: [PATCH] add us and update compliance (#353) * add us and update compliance * Add videos links * minor updates * update video links * further compliance updates * fix linting issues * fix vale feedback * fix more vale feedback * vale feedback * bump vale * fix vale feedback --------- Co-authored-by: osama.ahmedkhan96@gmail.com --- .vale.ini | 2 +- Dockerfile | 2 +- content/for-cisos-dpos/backup.md | 11 ++ content/for-cisos-dpos/bsi-it-grundschutz.md | 8 +- content/for-cisos-dpos/cis.md | 35 ++++ content/for-cisos-dpos/dora.md | 22 +++ content/for-cisos-dpos/gdpr-eu.md | 4 + content/for-cisos-dpos/hipaa.md | 33 ++++ content/for-cisos-dpos/iso27k1.md | 4 + content/for-cisos-dpos/nist-sp-800-171.md | 4 + content/for-cisos-dpos/overview.md | 27 ++- content/for-cisos-dpos/soc2-type2.md | 46 +++++ content/for-developers/user-stories.md | 169 ++++++++++++++++++ content/managed-addons/opentelemetry/.gitkeep | 0 .../managed-addons/opentelemetry/overview.md | 9 + content/managed-addons/overview.md | 9 +- content/managed-addons/tracing/.gitkeep | 0 content/managed-addons/tracing/overview.md | 11 ++ theme_override/mkdocs.yml | 25 ++- 19 files changed, 401 insertions(+), 20 deletions(-) create mode 100644 content/for-cisos-dpos/backup.md create mode 100644 content/for-cisos-dpos/cis.md create mode 100644 content/for-cisos-dpos/dora.md create mode 100644 content/for-cisos-dpos/hipaa.md create mode 100644 content/for-cisos-dpos/soc2-type2.md create mode 100644 content/for-developers/user-stories.md create mode 100644 content/managed-addons/opentelemetry/.gitkeep create mode 100644 content/managed-addons/opentelemetry/overview.md create mode 100644 content/managed-addons/tracing/.gitkeep create mode 100644 content/managed-addons/tracing/overview.md diff --git a/.vale.ini b/.vale.ini index d9d012e5..b753dba6 100644 --- a/.vale.ini +++ b/.vale.ini 
@@ -1,7 +1,7 @@ StylesPath = styles MinAlertLevel = warning -Packages = https://github.com/stakater/vale-package/releases/download/v0.0.43/Stakater.zip +Packages = https://github.com/stakater/vale-package/releases/download/v0.0.44/Stakater.zip Vocab = Stakater # Only check MarkDown files diff --git a/Dockerfile b/Dockerfile index 5173480c..6303fc28 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM python:3.13 as builder -RUN pip3 install mkdocs-mermaid2-plugin mkdocs-table-reader-plugin mkdocs-include-markdown-plugin +RUN pip3 install mkdocs-mermaid2-plugin mkdocs-table-reader-plugin mkdocs-include-markdown-plugin mkdocs-video # set workdir RUN mkdir -p $HOME/application diff --git a/content/for-cisos-dpos/backup.md b/content/for-cisos-dpos/backup.md new file mode 100644 index 00000000..2d21e02c --- /dev/null +++ b/content/for-cisos-dpos/backup.md @@ -0,0 +1,11 @@ +# Backup Strategy + +The **3-2-1-1-0 Backup Rule** is a modern extension of the traditional backup strategy designed to ensure data protection and recovery. Here's what it stands for: + +- **3 Copies of Your Data**: Keep three copies of your data: the primary data and two backups. This ensures redundancy. +- **2 Different Storage Types**: Store backups on at least two different types of media (e.g., disk and tape, or local and cloud) to avoid single points of failure. +- **1 Offsite Backup**: Keep one backup copy offsite, such as in a remote data center or a cloud service, to protect against local disasters. +- **1 Immutable Backup**: Have at least one backup that is immutable or air-gapped, ensuring it cannot be modified or deleted (e.g., WORM storage or offline backups). +- **0 Errors After Backup Verification**: Regularly verify and test backups to ensure they are error-free and can be restored when needed. + +This rule provides a comprehensive approach to safeguarding against data loss due to hardware failure, natural disasters, cyberattacks, or human error. 
diff --git a/content/for-cisos-dpos/bsi-it-grundschutz.md b/content/for-cisos-dpos/bsi-it-grundschutz.md index b2392e20..8652343e 100644 --- a/content/for-cisos-dpos/bsi-it-grundschutz.md +++ b/content/for-cisos-dpos/bsi-it-grundschutz.md @@ -1,11 +1,15 @@ # BSI IT-Grundschutz Controls +!!! danger "Disclaimer" + + It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed. + The BSI IT-Grundschutz framework, a German standard for IT security, defines systematic methodologies and controls for safeguarding IT systems. With Stakater App Agility Platform (SAAP) built on Red Hat OpenShift, organizations can effectively implement these controls for Kubernetes-based workloads. -- Total applicable modules in BSI IT-Grundchutz: 2 +- **Total applicable modules in BSI IT-Grundchutz**: 2 - SYS.1.6 - Containerization: 10 Controls - APP.4.4 - Kubernetes: 21 Controls -- Total applicable controls in BSI IT-Grundchutz: 31 +- **Total applicable controls in BSI IT-Grundchutz**: 31 ## Controls Addressed by SAAP diff --git a/content/for-cisos-dpos/cis.md b/content/for-cisos-dpos/cis.md new file mode 100644 index 00000000..8765e65c --- /dev/null +++ b/content/for-cisos-dpos/cis.md 
@@ -0,0 +1,35 @@ +# CIS Benchmarks + +!!! danger "Disclaimer" + + It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed. + +The CIS Kubernetes Benchmark provides over **120 recommendations** for securing Kubernetes environments, addressing critical areas such as access control, data protection, and cluster configuration. SAAP plays a pivotal role in enabling compliance with these recommendations by leveraging Kubernetes features and advanced security configurations. + +- **Total Recommendations in CIS Kubernetes Benchmark**: 120+ +- **Key Areas Covered**: Control Plane Security, Worker Node Security, Network Security, Data Protection, and Pod Security. + +## Recommendations Addressed by SAAP + +- **Fully Applicable Recommendations**: SAAP enables compliance with 70–80 recommendations through Kubernetes-native features and configurations. Key examples include: + + - **Control Plane Security**: + - Enforcing Role-Based Access Control (RBAC) to restrict unauthorized access. + - Securing API server communication with TLS encryption. + - **Node Security**: + - Disabling anonymous Kubelet access (--anonymous-auth=false). + - Restricting workload communications with NetworkPolicies. + - **Data Protection**: + - Encrypting Secrets in etcd using Kubernetes encryption providers. + - **Pod Security Standards (PSS)**: + - Ensuring workloads run with non-root users and minimal privileges. + +- **Partially Applicable Recommendations**: SAAP supports an additional 30–40 recommendations through configurable features and organization-specific configurations. 
For example: + + - **Audit Logging**: SAAP enables centralized logging and monitoring but requires the organization to actively review and act on the logs. + - **Runtime Security**: Provides mechanisms to monitor workloads but relies on organization-defined actions for runtime behavior validation. + - **Container Image Security**: Enforces trusted container image policies but depends on organizational processes to ensure compliance with image signing and verification standards. + +SAAP directly or partially addresses over **100 recommendations** from the CIS Kubernetes Benchmark, making it a comprehensive solution for securing Kubernetes workloads. By focusing on technical enforcement, automation, and integration, SAAP simplifies the path to compliance, reducing the operational burden for organizations. + +This robust support makes SAAP an essential platform for adopting and maintaining secure Kubernetes environments, ensuring alignment with CIS best practices while enabling scalability, operational efficiency, and enhanced security. diff --git a/content/for-cisos-dpos/dora.md b/content/for-cisos-dpos/dora.md new file mode 100644 index 00000000..9ef019b5 --- /dev/null +++ b/content/for-cisos-dpos/dora.md 
@@ -0,0 +1,22 @@ +# DORA + +!!! danger "Disclaimer" + + It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed. + +DORA (Digital Operational Resilience Act) is a European Union regulation designed to ensure the resilience of financial entities against operational disruptions and cyber threats. SAAP plays a critical role in enabling compliance with DORA by leveraging Kubernetes features and configurations to address its requirements. + +- **Total Articles in DORA**: 5 +- **Key Provisions in DORA**: Multiple detailed requirements across areas such as ICT risk management, incident response, and third-party risk management. + +## Provisions Addressed by SAAP + +SAAP facilitates the implementation of critical provisions enforceable through Kubernetes configurations and features. These include: + +- **ICT Risk Management Framework**: Leveraging Kubernetes features such as Pod Security Standards (PSS), Role-Based Access Control (RBAC), and audit logging to establish a robust ICT risk management framework. +- **Incident Response and Recovery**: Providing monitoring, logging, and disaster recovery capabilities using Kubernetes-native and compatible solutions for observability and backup. +- **Operational Resilience Testing**: Supporting resilience testing through tools and practices that align with chaos engineering principles and load testing methodologies. +- **Third-Party Risk Management**: Enforcing network isolation with Kubernetes NetworkPolicies and validating compliance through policy enforcement mechanisms. 
+- **Information Sharing**: Enabling secure data exchange via encryption, secure storage practices, and secrets management within Kubernetes. + +SAAP addresses a substantial number of DORA provisions, empowering financial entities to align their Kubernetes-based workloads with regulatory requirements. By focusing on technical measures and leveraging Kubernetes capabilities, SAAP simplifies the path to operational resilience and compliance. diff --git a/content/for-cisos-dpos/gdpr-eu.md b/content/for-cisos-dpos/gdpr-eu.md index a9933eee..51619e66 100644 --- a/content/for-cisos-dpos/gdpr-eu.md +++ b/content/for-cisos-dpos/gdpr-eu.md @@ -1,5 +1,9 @@ # GDPR (Regulation (EU) 2016/679) +!!! danger "Disclaimer" + + It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed. + ## Shared Responsibility Model The shared responsibility model outlines how GDPR compliance is a shared obligation between Stakater and its customers, with clearly defined roles: diff --git a/content/for-cisos-dpos/hipaa.md b/content/for-cisos-dpos/hipaa.md new file mode 100644 index 00000000..ea96fde5 --- /dev/null +++ b/content/for-cisos-dpos/hipaa.md 
@@ -0,0 +1,33 @@ +# HIPAA + +!!! danger "Disclaimer" + + It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed. + +HIPAA (Health Insurance Portability and Accountability Act) establishes safeguards for the protection of electronic Protected Health Information (ePHI). SAAP (Stakater App Agility Platform) enables technical compliance with HIPAA’s Security Rule by leveraging Kubernetes features and integrations to enforce technical safeguards. + +- **Total Safeguards in HIPAA Security Rule**: 3 (Administrative, Physical, Technical) +- **Technical Safeguard Provisions Addressed by SAAP**: 5 + +## Safeguards Addressed by SAAP + +- **Directly Applicable Safeguards**: SAAP enables the direct implementation of safeguards for secure Kubernetes-based workloads. These include: + + - **Access Control (164.312(a)(1))**: Managing access through role-based policies and workload isolation. + - **Audit Controls (164.312(b))**: Recording and monitoring access through centralized logging and immutable storage. + - **Transmission Security (164.312(e)(1))**: Protecting data during transmission using encryption and communication isolation. + +- **Partially Applicable Safeguards**: Some safeguards are partially addressed, requiring additional integrations or organizational policies: + + - **Integrity (164.312(c)(1))**: Validating workloads and enabling backup solutions for critical data. + - **Person or Entity Authentication (164.312(d))**: Strengthening access verification through layered authentication and granular permissions. 
+ +SAAP directly addresses key technical safeguards within the HIPAA Security Rule by leveraging Kubernetes’ native features and best practices. It enables healthcare organizations to secure their Kubernetes-based workloads, simplify compliance efforts, and protect sensitive ePHI data. While SAAP primarily focuses on technical safeguards, compliance with administrative and physical safeguards requires broader organizational policies and processes. + +By integrating SAAP’s capabilities into their infrastructure, organizations can: + +- Implement strong access control mechanisms to protect sensitive information. +- Facilitate monitoring and auditing of system activities to ensure compliance. +- Protect the integrity and confidentiality of ePHI both at rest and in transit. + +SAAP enables organizations to align with HIPAA regulations while streamlining the management of modern cloud-native environments. diff --git a/content/for-cisos-dpos/iso27k1.md b/content/for-cisos-dpos/iso27k1.md index 54d64825..96e55846 100644 --- a/content/for-cisos-dpos/iso27k1.md +++ b/content/for-cisos-dpos/iso27k1.md @@ -1,5 +1,9 @@ # ISO 27001 Controls +!!! danger "Disclaimer" + + It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed. + ISO 27001, an international standard for information security, includes 14 domains and 114 controls aimed at protecting information assets. SAAP plays a critical role in enabling compliance with these controls by focusing on the technical aspects of Kubernetes-based workloads. - Total Domains in ISO 27001: 14 
diff --git a/content/for-cisos-dpos/nist-sp-800-171.md b/content/for-cisos-dpos/nist-sp-800-171.md index fe4b780e..5005ffa4 100644 --- a/content/for-cisos-dpos/nist-sp-800-171.md +++ b/content/for-cisos-dpos/nist-sp-800-171.md @@ -1,5 +1,9 @@ # NIST SP 800-171 Controls +!!! danger "Disclaimer" + + It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed. + NIST SP 800-171, a cybersecurity standard developed by the National Institute of Standards and Technology (NIST), provides 14 families of controls and 110 requirements to protect Controlled Unclassified Information (CUI) in non-federal systems and organizations. SAAP plays a critical role in enabling compliance with these controls by focusing on the technical aspects of Kubernetes-based workloads. - Total Families in NIST SP 800-171: 14 diff --git a/content/for-cisos-dpos/overview.md b/content/for-cisos-dpos/overview.md index da36270c..cbf98489 100644 --- a/content/for-cisos-dpos/overview.md +++ b/content/for-cisos-dpos/overview.md 
@@ -1,15 +1,30 @@ # CISOs and DPOs Guide Overview -At Stakater, compliance is not just a checkbox; it is a cornerstone of our philosophy. We understand the critical role that Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) play in safeguarding organizational integrity and building trust. With our Risk and Compliance as Code (RCaC) approach, we embed compliance practices directly into the infrastructure and workflows, ensuring that compliance becomes an automated, continuous process. +At Stakater, compliance is not just a checkbox; it is a cornerstone of our philosophy. We understand the critical role that Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) play in safeguarding organizational integrity and building trust. With our **Risk and Compliance as Code (RCaC)** approach, we embed compliance practices directly into the infrastructure and workflows, ensuring that compliance becomes an automated, continuous process. Through the Stakater App Agility Platform (SAAP), we provide our customers with the tools and capabilities necessary to achieve and maintain compliance effortlessly. Whether it’s adhering to GDPR, NIST, ISO 27001, BSI IT-Grundschutz or other industry standards, SAAP empowers your teams with automated checks, auditable policies, and streamlined workflows to mitigate risks and stay compliant at all times. By leveraging our platform, organizations can focus on innovation and growth while ensuring that regulatory requirements are consistently met. -To explore specific compliance frameworks and how SAAP addresses them, please refer to the detailed resources linked below: +To explore specific compliance frameworks and how SAAP addresses them, it is essential to understand that these frameworks can be broadly divided into two major categories: -- [GDPR](gdpr-eu.md) -- [ISO270001](iso27k1.md) -- [NIST SP 800 171](nist-sp-800-171.md) -- [BSI IT-Grundschutz](bsi-it-grundschutz.md) +## 1. 
General Frameworks + +These frameworks are widely applicable across industries and focus on providing high-level best practices for security, privacy, and risk management. They serve as foundational guidelines for building secure and compliant environments. SAAP supports measures aligned with frameworks such as: + +- **International Organization for Standardization (ISO) 27000 Series**, which outlines best practices for Information Security Management - [ISO270001](iso27k1.md) +- **National Institute of Standards and Technology (NIST) SP 800-171**, focused on strengthening cybersecurity - [NIST SP 800 171](nist-sp-800-171.md) +- **General Data Protection Regulation (GDPR)**, which governs data privacy and protection in the European Union - [GDPR](gdpr-eu.md) +- **BSI IT-Grundschutz**, a comprehensive framework developed by the German Federal Office for Information Security (BSI) to ensure robust information security management - [BSI IT-Grundschutz](bsi-it-grundschutz.md) +- **Center for Internet Security (CIS) Benchmarks**, which provide globally recognized secure configuration guidelines for systems and applications - [CIS Benchmarks](cis.md) +- **SOC 2 Type 2**, is a framework which evaluates the operational effectiveness of an organization’s security, availability, processing integrity, confidentiality, and privacy controls over a defined period - [SOC 2 Type 2](soc2-type2.md) + +## 2. Industry-Specific Standards + +These standards focus on addressing the unique compliance, security, and operational requirements of specific industries. SAAP incorporates relevant measures that can be applied to help organizations meet compliance requirements in areas such as: + +- Patient data protection - [HIPAA](hipaa.md) +- Operational resilience in financial services - [DORA)](dora.md) + +SAAP provides a comprehensive approach to compliance by aligning with both industry-specific standards and general frameworks. 
The platform is designed to address these requirements efficiently, ensuring your organization remains secure and compliant. ## Disclaimer diff --git a/content/for-cisos-dpos/soc2-type2.md b/content/for-cisos-dpos/soc2-type2.md new file mode 100644 index 00000000..7917b3ce --- /dev/null +++ b/content/for-cisos-dpos/soc2-type2.md 
@@ -0,0 +1,46 @@ +# SOC 2 Type 2 (Security & Confidentiality) Controls + +!!! danger "Disclaimer" + + It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed. + +SOC 2 Type 2, a critical standard for service organizations, evaluates the effectiveness of controls over a period of time across five Trust Service Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. SAAP (Stakater App Agility Platform) supports organizations in meeting SOC 2 Type 2 requirements through its robust Kubernetes-native capabilities. + +- **Total Trust Service Criteria (TSC)**: 5 +- **Total SOC 2 Controls**: Varies by organization and auditor-defined scope; mapped to TSC. + +## Controls Addressed by SAAP + +- **Directly Applicable Controls** +SAAP enables the implementation of critical controls required for SOC 2 compliance through Kubernetes features, policies, and integrations. These controls span: + - **Security (TSC 1)**: + - **Access Control**: Enforces fine-grained Role-Based Access Control (RBAC) and network policies to restrict unauthorized access. + - **Logging and Monitoring**: Implements centralized logging and real-time alerting with tools like Prometheus and Grafana. + - **Change Management**: Ensures controlled deployments via GitOps and validates configurations with admission controllers. + - **Availability (TSC 2):** + - **Resilience and Redundancy**: Supports pod replication, auto-scaling, and disaster recovery tools for backup/restore. + - **Fault Tolerance**: Configures readiness and liveness probes, ensuring high availability of workloads. 
+ - **Monitoring Uptime**: Provides SLA monitoring using Kubernetes-native observability tools. + - **Processing Integrity (TSC 3)**: + - **Error Detection**: Facilitates real-time error detection through logging and alert systems. + - **Controlled Operations**: Aligns CI/CD pipelines with secure and validated release mechanisms. + - **Confidentiality (TSC 4)**: + - **Data Encryption**: Secures data at rest (e.g., etcd encryption) and in transit (e.g., TLS for communication). + - **Secrets Management**: Manages sensitive data using encrypted Kubernetes Secrets with KMS integration. + - **Network Security**: Ensures inter-service communication is protected through service meshes like Istio. + - **Privacy (TSC 5)**: + - **Access Restrictions**: Supports namespace-based multi-tenancy and granular RBAC policies for workload isolation. + - **Policy Enforcement**: Aligns Kubernetes policies with privacy frameworks via tools like OPA/Gatekeeper. +- **Partially Applicable Controls** +SAAP offers flexibility to address additional controls through configuration and integration, supporting broader compliance efforts. Examples include: + - **Information Governance**: Aligns technical policies with overarching organizational governance frameworks, ensuring consistency across the environment. + - **Third-Party Assurance**: Validates compliance of external dependencies and enforces controls for secure integration with external systems. + - **Incident Management**: Provides mechanisms to integrate with organizational incident response workflows for timely detection, reporting, and remediation. + +SAAP addresses approximately 40–60 controls associated with SOC 2 Type 2, depending on the specific scope and operational requirements of the organization. It achieves this by: + +- Enabling seamless enforcement of security and compliance controls through technical measures. +- Streamlining operational processes to align with SOC 2 principles. 
+- Supporting continuous monitoring, reporting, and auditing to demonstrate compliance effectively. + +By focusing on core technical enforcement and operational resilience, SAAP equips organizations with the tools necessary to achieve SOC 2 Type 2 compliance in a modern, scalable environment. diff --git a/content/for-developers/user-stories.md b/content/for-developers/user-stories.md new file mode 100644 index 00000000..ce432c5c --- /dev/null +++ b/content/for-developers/user-stories.md 
@@ -0,0 +1,169 @@ +# User Stories + +## User Story # 1 + +As a developer, I want a robust and full-featured remote development environment, so I can iterate quickly and confidently commit functional, tested, and high-quality code + +![type:video](https://www.youtube.com/embed/qokw8tuFLt8) + +Tags: tilt, local development, inner loop, sandbox namespace + +## User Story # 2 + +As a developer, I want to automatically create preview environments for my pull requests so that I can receive fast feedback before changes are merged into the main branch + +![type:video](https://www.youtube.com/embed/ZOCZAJItUzY) + +Tags: preview environments, feature environments, Tronador + +## User Story # 3 + +As a developer, I want to monitor my application’s resource consumption (such as CPU and memory usage) so that I can fine-tune its performance. + +![type:video](https://www.youtube.com/embed/HapJ03wCSkE) + +Tags: Prometheus, OpenShift console, monitoring + +## User Story # 4 + +As a developer, I want a pipeline-as-code solution that allows the team to define and manage the entire DevOps CI/CD pipeline so that we can store pipeline configurations in source control, version them, and test them independently. + +![type:video](https://www.youtube.com/embed/PdZbu0eU_SI) + +Tags: Tekton, ArgoCD, outer loop, CI/CD, pipeline-as-code, PAC, devops + +## User Story # 5 + +As a developer, I want environments (such as devtest, stage, and prod) to be stored as code in Git, so the desired state is defined declaratively and Git tooling can be used as the UI. + +![type:video](https://www.youtube.com/embed/0CEO2Dsf-bE) + +Tags: ArgoCD, GitOps, outer loop + +## User Story # 6 + +As a developer, I want to easily package applications as Helm charts using a leader application chart approach, so I can manage complex dependencies and simplify the deployment, upgrade, and rollback processes for my application. 
+ +![type:video](https://www.youtube.com/embed/_yK_5c_sB_A) + +Tags: helm, outer loop, leader chart, GitOps, ArgoCD + +## User Story # 7 + +As a developer, I want to define secrets using Vault and have them securely injected into the cluster, so I can manage sensitive information easily and ensure my application’s security within the SAAP environment. + +![type:video](https://www.youtube.com/embed/I17DU8sHQN8) + +Tags: secrets management, Vault, OpenBao, Reloader + +## User Story # 8 + +As a developer, I want a semantically versioned Docker image to be automatically built and pushed to an artifact store, so I can ensure consistent and reliable deployment of my application across different environments. + +![type:video](https://www.youtube.com/embed/WAHbeuuAxSI) + +Tags: artifact store, nexus, tagging, docker image, helm chart + +## User Story # 9 + +As a developer, I want a semantically versioned Helm chart to be built and pushed to a Docker registry, so I can manage and deploy my Kubernetes applications with a clear versioning strategy. + +![type:video](https://www.youtube.com/embed/Nd7WP0f0Ktk) + +Tags: docker registry, helm chart, artifact store, nexus + +## User Story # 10 + +As a developer, I want my application to be automatically released to the first development environment when I merge to the main branch, so I can quickly roll out changes and validate them. + +![type:video](https://www.youtube.com/embed/VFvKg_owX2U) + +Tags: GitOps, ArgoCD, outer loop + +## User Story # 11 + +As a developer, I want to see my application logs in real-time, so I can quickly troubleshoot issues and monitor the application’s performance for better stability and reliability. + +![type:video](https://www.youtube.com/embed/zqAFPuu1ABQ) + +Tags: logging, Loki, Vector + +## User Story # 12 + +As a developer, I want a unified dashboard to easily find all applications and tools available on the platform, so I can browse, discover, and navigate to different tools from one place. 
+ +![type:video](https://www.youtube.com/embed/IEHVfPRXKyg) + +Tags: OpenShift console, dashboard, Forecastle + +## User Story # 13 + +As a developer, I want to inspect code quality and perform a security analysis, so that I can quickly get an overview of the application’s code health. + +![type:video](https://www.youtube.com/embed/fhGHZDctlgU) + +Tags: SonarQube, outer loop + +## User Story # 14 + +As a developer, I want to view historical (14 days) metrics related to my applications, such as CPU usage, memory consumption, and response times, so that I can analyze their performance over time, identify trends, and optimize resource allocation and application behavior accordingly. + +![type:video](https://www.youtube.com/embed/qokw8tuFLt8) + +Tags: Prometheus, application monitoring + +## User Story # 15 + +As a developer, I want to use the OpenShift Console to easily scale resources up or down, so I can optimize performance and cost based on demand. + +![type:video](https://www.youtube.com/embed/aoCD2zI_Cww) + +Tags: sre, OpenShift Console, scale up, scale down + +## User Story # 16 + +As a developer I want end to end automation and dynamic loading of application configuration so configuration changes are treated as any other deployment. + +![type:video](https://www.youtube.com/embed/HIhlOWgX4-8) + +Tags: Reloader + +## User Story # 17 + +As a developer, I want to configure ServiceMonitor objects to collect application-specific metrics, such as response time and the number of reviews, alongside standard metrics, so I can gain deeper insights into my application’s performance and make more informed optimizations. + +![type:video](https://www.youtube.com/embed/FobNiJxLzc0) + +Tags: application monitoring, service monitor, Prometheus + +## User Story # 18 + +As a developer, I want to configure alert conditions and manage notifications, so I can receive timely alerts for critical application events. 
+ +![type:video](https://www.youtube.com/embed/MwHhRHmkNjA) + +Tags: monitoring, alerting, Prometheus, alert manager + +## User Story # 19 + +As a developer, I want to receive downtime notification when application isn’t reachable, so I can quickly take action to restore service availability and minimize downtime. + +![type:video](https://www.youtube.com/embed/3ZBeGaawxuI) + +Tags: ingress monitor controller, Prometheus + +## User Story # 20 + +As a developer, I want to build and deploy custom Grafana dashboards for my application, so I can visualize custom metrics and gain deeper insights into its performance. + +![type:video](https://www.youtube.com/embed/dE2sQ75Q8oI) + +Tags: Grafana, application monitoring, Prometheus + +## User Story # 21 + +As a developer, I want to enable backups for my applications using Velero, so that in the event of cluster issues or data loss, I can easily restore my apps and minimize downtime. + +![type:video](https://www.youtube.com/embed/dyPm4-49DOk) + +Tags: backup restore, Velero diff --git a/content/managed-addons/opentelemetry/.gitkeep b/content/managed-addons/opentelemetry/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/content/managed-addons/opentelemetry/overview.md b/content/managed-addons/opentelemetry/overview.md new file mode 100644 index 00000000..10feae01 --- /dev/null +++ b/content/managed-addons/opentelemetry/overview.md 
@@ -0,0 +1,9 @@ +# Overview + +[OpenTelemetry](https://opentelemetry.io/) is a powerful observability framework that enables the collection, processing, and export of telemetry data (logs, metrics, and traces) from distributed applications. In SAAP, OpenTelemetry is integrated to help teams gain deep insights into their applications' performance and behavior across Kubernetes clusters. + +## Use Cases + +- **Distributed Tracing:** Gain visibility into microservices-based applications to identify bottlenecks and improve performance. +- **Metrics Aggregation:** Monitor resource utilization, application health, and infrastructure performance. +- **Log Enrichment:** Collect and analyze logs alongside metrics and traces for full-stack observability. diff --git a/content/managed-addons/overview.md b/content/managed-addons/overview.md index fecf80c8..3bb1787c 100644 --- a/content/managed-addons/overview.md +++ b/content/managed-addons/overview.md 
@@ -4,11 +4,14 @@ Here is the list of fully managed addons available on Stakater App Agility Platf Managed AddOn | Description --- | --- -Logging | [Loki and Vector](./logging-stack/overview.md) -Monitoring | [Grafana, Prometheus, Thanos and Alertmanager](./monitoring-stack/overview.md) CI (continuous integration) | [Tekton](./tekton/overview.md) CD (continuous delivery) | [ArgoCD](./argocd/overview.md) +Logging | [Loki and Vector](./logging-stack/overview.md) +Monitoring | [Grafana, Prometheus, Thanos and Alertmanager](./monitoring-stack/overview.md) +Distributed Tracing | [Tempo Stack](./tracing/overview.md) Internal alerting | [Alertmanager](./monitoring-stack/overview.md) +External (downtime) alerting | [Stakater IMC](https://github.com/stakater/IngressMonitorController) +OpenTelemetry | [OpenTelemetry](./opentelemetry/overview.md) Service mesh | [Istio, Kiali and Jaeger](./service-mesh/overview.md) (only one fully managed control plane) Image scanning | [Trivy](https://github.com/aquasecurity/trivy) Backups & Recovery | [Velero](./velero/overview.md) @@ -18,7 +21,6 @@ Artifacts management (Docker, Helm and Package registry) | [Nexus](./nexus/overv Code inspection | [SonarQube](./sonarqube/overview.md) Authorization & Policy Enforcement | [Open Policy Agent, Gatekeeper](./gatekeeper/overview.md) Log alerting | [Stakater Konfigurator](./konfigurator/overview.md) -External (downtime) alerting | [Stakater IMC](https://github.com/stakater/IngressMonitorController), [UptimeRobot](https://uptimerobot.com/) (free tier) Automatic application reload | [Stakater Reloader](./reloader/overview.md) Developer dashboard - Launchpad to discover applications | [Stakater Forecastle](./forecastle/overview.md) Multi-tenancy | [Stakater Multi Tenant Operator](./mto/overview.md) 
@@ -50,4 +52,3 @@ Automatic cluster rebalancing | [Descheduler](./descheduler/overview.md) Automatic compliance scans | [OpenSCAP](./compliance-operator/overview.md) Infrastructure self-service | [Crossplane](./crossplane/overview.md) Fetch external secrets | [External Secrets Operator](./external-secrets-operator/overview.md) -Intrusion detection | Falco (coming soon) diff --git a/content/managed-addons/tracing/.gitkeep b/content/managed-addons/tracing/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/content/managed-addons/tracing/overview.md b/content/managed-addons/tracing/overview.md new file mode 100644 index 00000000..c6ed7cec --- /dev/null +++ b/content/managed-addons/tracing/overview.md @@ -0,0 +1,11 @@ +# Overview + +Tempo is a distributed tracing backend designed to provide seamless integration for applications running in modern containerized environments like Kubernetes. As part of the SAAP (Stakater App Agility Platform), Tempo enhances observability by offering detailed insights into service-to-service communication, helping teams identify and resolve performance bottlenecks, errors, and latency issues. + +## What is Distributed Tracing? + +Distributed tracing allows developers and operators to track the flow of requests across multiple services in a microservices architecture. It provides: + +- **End-to-end visibility**: Understand how a request flows through your application. +- **Performance monitoring**: Identify slow components or bottlenecks. +- **Root cause analysis**: Pinpoint the source of errors or failures. diff --git a/theme_override/mkdocs.yml b/theme_override/mkdocs.yml index bd096486..5cf516dd 100644 --- a/theme_override/mkdocs.yml +++ b/theme_override/mkdocs.yml 
@@ -96,6 +96,7 @@ nav: - for-devops-engineers/how-to-guides/use-a-cluster-task-in-pipeline/use-a-clustertask-in-pipeline.md - For Developers: - for-developers/overview.md + - for-developers/user-stories.md - Explanation: - for-developers/explanation/developer-training.md - for-developers/explanation/plan-your-deployment.md @@ -166,12 +167,19 @@ nav: - for-developers/how-to-guides/package-and-push-your-chart/package-and-push-your-chart.md - For CISOs & DPOs: - for-cisos-dpos/overview.md - - for-cisos-dpos/gdpr-eu.md - - for-cisos-dpos/iso27k1.md - - for-cisos-dpos/nist-sp-800-171.md - - for-cisos-dpos/bsi-it-grundschutz.md - - for-cisos-dpos/toms.md - - for-cisos-dpos/subprocessors.md + - General Frameworks: + - for-cisos-dpos/gdpr-eu.md + - for-cisos-dpos/iso27k1.md + - for-cisos-dpos/nist-sp-800-171.md + - for-cisos-dpos/bsi-it-grundschutz.md + - for-cisos-dpos/cis.md + - for-cisos-dpos/soc2-type2.md + - for-cisos-dpos/toms.md + - for-cisos-dpos/subprocessors.md + - Industry-Specific Standards: + - for-cisos-dpos/hipaa.md + - for-cisos-dpos/dora.md + - for-cisos-dpos/backup.md - Managed Addons: - managed-addons/overview.md - Nexus: @@ -301,6 +309,10 @@ nav: - managed-addons/descheduler/overview.md - OpenSCAP: - managed-addons/compliance-operator/overview.md + - Distributed Tracing: + - managed-addons/tracing/overview.md + - OpenTelemetry: + - managed-addons/opentelemetry/overview.md - Legal Documents: - legal-documents/overview.md - legal-documents/fa.md @@ -320,3 +332,4 @@ nav: plugins: - include-markdown + - mkdocs-video
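Review bot: Grammar in the added user-stories.md, User Story # 16 and # 19: "As a developer I want end to end automation and dynamic loading of application configuration so configuration changes are treated as any other deployment" needs a comma after "developer", hyphens in "end-to-end", and "so that configuration changes are treated like any other deployment"; "receive downtime notification when application isn't reachable" needs articles ("a downtime notification when my application isn't reachable"). The heading form "User Story # 13" with a space after "#" is also unusual; "User Story 13" reads cleaner and matches the other headings' style.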
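Review bot: Missing documentation in the new content/managed-addons/opentelemetry/overview.md: the page says "OpenTelemetry is integrated" in SAAP but does not say which component is actually managed (a collector, an operator), where applications should export telemetry, or how that export path is authenticated and encrypted. Telemetry, logs in particular, routinely carries sensitive data, so a sentence on the endpoint, the required protocol and transport security, and whether exported data is isolated per tenant would make the page actionable rather than a description of the upstream project.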
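Review bot: The first two hunks of content/managed-addons/overview.md silently drop UptimeRobot: the removed row read "External (downtime) alerting | [Stakater IMC](...), [UptimeRobot](https://uptimerobot.com/) (free tier)" while the re-added row lists only Stakater IMC. If UptimeRobot is no longer a supported target, say so in the commit message or a changelog so customers relying on it are not surprised; if it still is, keep it in the row. Separately, the new "Distributed Tracing | [Tempo Stack]" row now sits beside "Service mesh | Istio, Kiali and Jaeger", so the table lists two tracing backends without saying how they relate; a short clarification or a cross-link from tracing/overview.md would help.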
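Review bot: Removing "Intrusion detection | Falco (coming soon)" in the last hunk of content/managed-addons/overview.md leaves the managed addon list with no runtime intrusion detection entry, and the commit message ("add us and update compliance") does not mention the removal. If Falco has been dropped from the roadmap, check that the compliance pages added in this PR (cis.md, soc2-type2.md, hipaa.md, dora.md) do not rely on runtime threat detection coverage; if it is merely deferred, keep the row or name the alternative.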
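Review bot: The new content/managed-addons/tracing/overview.md describes Tempo generically but, like the OpenTelemetry page, gives no SAAP-specific guidance: how traces reach Tempo (presumably via the OpenTelemetry addon added in the same PR), what the retention is, and whether trace data is scoped per tenant. Spans commonly contain URLs, headers and user identifiers, so a note on what not to record in span attributes and on who can query the Tempo data source would be worth adding.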
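Review bot: In the "For CISOs & DPOs" nav hunk of theme_override/mkdocs.yml, for-cisos-dpos/backup.md is placed under "Industry-Specific Standards" next to hipaa.md and dora.md, but a backup strategy page is not an industry standard; move it under "General Frameworks" (next to toms.md) or give it its own entry. The same question applies to toms.md and subprocessors.md under "General Frameworks": a neutral group name such as "Controls & Operations" would fit those three pages better.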
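Review bot: Enabling the plugin in the last hunk of theme_override/mkdocs.yml ("- mkdocs-video") turns every `![type:video](https://www.youtube.com/embed/...)` line in user-stories.md into a third-party iframe that sets YouTube/Google cookies as soon as the page loads. For a docs site that ships GDPR guidance, prefer the privacy-enhanced `https://www.youtube-nocookie.com/embed/<id>` form of the same URLs, consider a click-to-load or consent gate, and confirm any Content-Security-Policy on the site allows the new frame-src before merging.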