
Secure Multi-Tenant GitOps Application & Infrastructure Rollouts At Adobe

2022-10-26

Authors: Vikram Sethi, Manabu McCloskey


Summary

Adobe built a secure multi-tenant GitOps application deployment solution using Argo and Crossplane to provision cloud resources consistently across all teams.
  • Adobe faced challenges with infrastructure provisioning and lacked visibility, observability, and auditability into infrastructure resources provisioned by individual teams
  • Adobe leveraged Argo and Crossplane to build a scalable GitOps-based application deployment solution and broker the provisioning of cloud resources consistently across all teams
  • Adobe and Amazon designed a layered isolation mechanism for tenant teams on top of existing shared Kubernetes clusters via a mix of technologies such as OPA Gatekeeper, ServiceAccount boundaries, IAM roles, etc.
  • The solution solved the non-negotiable requirements of security and multi-tenancy, which are hard to achieve natively with Crossplane and Argo
  • The new solution improved the developer experience and reduced the mean time to resolution when encountering issues or outages

Abstract

Securing a multi-tenant deployment for an enterprise is very challenging. Adobe built a scalable GitOps-based application deployment solution for their individual teams using Argo projects. However, due to the lack of a standard solution for infrastructure automation across teams, enabling secure multi-tenant rollouts was a challenge. Adobe leveraged Crossplane in tandem with Argo to broker the provisioning of cloud resources consistently across all teams. With this solution, Adobe and Amazon designed a layered isolation mechanism for tenant teams on top of existing shared Kubernetes clusters via a mix of technologies such as OPA Gatekeeper, ServiceAccount boundaries, IAM roles, etc. This solved the non-negotiable requirements of security and multi-tenancy, which are hard to achieve natively with Crossplane and Argo. Interested? Join Adobe and Amazon engineers to hear their vision, architecture, challenges, solutions, and key takeaways.
