{"id":789,"date":"2026-03-25T09:34:40","date_gmt":"2026-03-25T08:34:40","guid":{"rendered":"https:\/\/secure-pipelines.com\/uncategorized\/secure-deployment-workflows-ci-cd-pipeline-production\/"},"modified":"2026-03-25T09:34:40","modified_gmt":"2026-03-25T08:34:40","slug":"secure-deployment-workflows-ci-cd-pipeline-production","status":"publish","type":"post","link":"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/secure-deployment-workflows-ci-cd-pipeline-production\/","title":{"rendered":"\u0633\u064a\u0631 \u0639\u0645\u0644 \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u0622\u0645\u0646: \u0645\u0646 CI\/CD Pipeline \u0625\u0644\u0649 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c"},"content":{"rendered":"<p>\u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u062a\u0636\u0645\u0646 CI\/CD pipeline \u0644\u062f\u064a\u0643 \u0636\u0648\u0627\u0628\u0637 \u0623\u0645\u0646\u064a\u0629 \u0645\u062d\u0643\u0645\u0629 \u2014 commits \u0645\u0648\u0642\u0639\u0629\u060c dependencies \u0645\u062b\u0628\u062a\u0629\u060c \u0641\u062d\u0648\u0635\u0627\u062a SAST\u060c \u062a\u0648\u0642\u064a\u0639 container images \u2014 \u0644\u0643\u0646 \u0643\u0644 \u0630\u0644\u0643 \u0644\u0627 \u0642\u064a\u0645\u0629 \u0644\u0647 \u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0646\u0634\u0631 \u0646\u0641\u0633\u0647\u0627 \u0636\u0639\u064a\u0641\u0629. \u0627\u0644\u0646\u0634\u0631 \u0647\u0648 \u0646\u0642\u0637\u0629 \u0627\u0644\u062a\u0642\u0627\u0637\u0639 \u0627\u0644\u062d\u0631\u062c\u0629 \u062d\u064a\u062b \u064a\u0644\u062a\u0642\u064a \u0623\u0645\u0627\u0646 pipeline \u0628\u0623\u0645\u0627\u0646 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c. 
\u064a\u0645\u0643\u0646 \u0644\u0633\u064a\u0631 \u0639\u0645\u0644 \u0646\u0634\u0631 \u0645\u062e\u062a\u0631\u0642 \u0623\u0646 \u064a\u062a\u062c\u0627\u0648\u0632 \u0643\u0644 \u0636\u0627\u0628\u0637 \u0623\u0645\u0646\u064a \u0628\u0646\u064a\u062a\u0647 \u0641\u064a \u0627\u0644\u0645\u0631\u0627\u062d\u0644 \u0627\u0644\u0633\u0627\u0628\u0642\u0629\u060c \u0648\u064a\u062f\u0641\u0639 \u0628\u0634\u0641\u0631\u0629 \u062e\u0628\u064a\u062b\u0629 \u0645\u0628\u0627\u0634\u0631\u0629 \u0625\u0644\u0649 \u0627\u0644\u0628\u064a\u0626\u0629 \u0627\u0644\u062a\u064a \u064a\u0639\u062a\u0645\u062f \u0639\u0644\u064a\u0647\u0627 \u0639\u0645\u0644\u0627\u0624\u0643.<\/p>\n<p>\u064a\u063a\u0637\u064a \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0643\u064a\u0641\u064a\u0629 \u0628\u0646\u0627\u0621 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0646\u0634\u0631 \u0622\u0645\u0646 \u0645\u0646 \u0627\u0644\u0628\u062f\u0627\u064a\u0629 \u0625\u0644\u0649 \u0627\u0644\u0646\u0647\u0627\u064a\u0629: \u0627\u062e\u062a\u064a\u0627\u0631 \u0646\u0645\u0648\u0630\u062c \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u0645\u0646\u0627\u0633\u0628\u060c \u0648\u0641\u0631\u0636 \u0627\u0644\u0628\u0648\u0627\u0628\u0627\u062a \u0648\u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0627\u062a\u060c \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 artifacts \u0639\u0646\u062f \u0627\u0644\u0646\u0634\u0631\u060c \u0648\u0637\u0631\u062d \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u062a\u062f\u0631\u064a\u062c\u064a\u0627\u064b\u060c \u0648\u0627\u0644\u062d\u0641\u0627\u0638 \u0639\u0644\u0649 \u0633\u062c\u0644 \u062a\u062f\u0642\u064a\u0642 \u0643\u0627\u0645\u0644 \u0645\u0646 commit \u0625\u0644\u0649 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n<h2 class=\"wp-block-heading\">\u0646\u0645\u0627\u0630\u062c \u0627\u0644\u0646\u0634\u0631: Push-Based \u0645\u0642\u0627\u0628\u0644 Pull-Based 
(GitOps)<\/h2>\n<p>\u0627\u0644\u0642\u0631\u0627\u0631 \u0627\u0644\u0645\u0639\u0645\u0627\u0631\u064a \u0627\u0644\u0623\u0648\u0644 \u0627\u0644\u0630\u064a \u064a\u0634\u0643\u0644 \u0648\u0636\u0639\u0643 \u0627\u0644\u0623\u0645\u0646\u064a \u0641\u064a \u0627\u0644\u0646\u0634\u0631 \u0647\u0648 \u0645\u0627 \u0625\u0630\u0627 \u0643\u0646\u062a \u062a\u0633\u062a\u062e\u062f\u0645 \u0646\u0645\u0648\u0630\u062c push-based \u0623\u0648 pull-based.<\/p>\n<h3 class=\"wp-block-heading\">\u0627\u0644\u0646\u0634\u0631 Push-Based (\u0627\u0644\u0645\u062f\u0641\u0648\u0639 \u0628\u0640 CI)<\/h3>\n<p>\u0641\u064a \u0646\u0645\u0648\u0630\u062c push-based \u0627\u0644\u062a\u0642\u0644\u064a\u062f\u064a\u060c \u064a\u0642\u0648\u0645 CI\/CD pipeline \u0628\u0628\u0646\u0627\u0621 artifact \u062b\u0645 \u064a\u062f\u0641\u0639\u0647 \u0645\u0628\u0627\u0634\u0631\u0629 \u0625\u0644\u0649 \u0627\u0644\u0628\u064a\u0626\u0629 \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641\u0629. GitHub Actions \u064a\u0646\u0634\u0631 \u0625\u0644\u0649 Kubernetes \u0639\u0628\u0631 <code>kubectl apply<\/code>\u060c \u0623\u0648 \u0648\u0638\u064a\u0641\u0629 GitLab CI \u062a\u0646\u0641\u0630 <code>helm upgrade<\/code> \u0639\u0644\u0649 cluster. \u064a\u062d\u062a\u0641\u0638 pipeline \u0646\u0641\u0633\u0647 \u0628\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n<p>\u0647\u0630\u0627 \u0627\u0644\u0646\u0645\u0648\u0630\u062c \u0628\u0633\u064a\u0637 \u0644\u0643\u0646\u0647 \u064a\u062d\u0645\u0644 \u0645\u062e\u0627\u0637\u0631 \u0645\u062a\u0623\u0635\u0644\u0629: runner \u0627\u0644\u062e\u0627\u0635 \u0628\u0640 CI \u0644\u062f\u064a\u0647 \u0648\u0635\u0648\u0644 \u0643\u062a\u0627\u0628\u0629 \u0645\u0628\u0627\u0634\u0631 \u0625\u0644\u0649 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c. 
\u0625\u0630\u0627 \u0627\u062e\u062a\u0631\u0642 \u0645\u0647\u0627\u062c\u0645 pipeline \u2014 \u0645\u0646 \u062e\u0644\u0627\u0644 dependency \u0645\u0633\u0645\u0648\u0645\u060c \u0623\u0648 pull request \u062e\u0628\u064a\u062b\u060c \u0623\u0648 secret \u0645\u0633\u0631\u0648\u0642 \u2014 \u0641\u0625\u0646\u0647 \u064a\u0631\u062b \u0648\u0635\u0648\u0644 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0641\u0648\u0631\u0627\u064b.<\/p>\n<h3 class=\"wp-block-heading\">\u0627\u0644\u0646\u0634\u0631 Pull-Based (GitOps)<\/h3>\n<p>\u0641\u064a \u0646\u0645\u0648\u0630\u062c pull-based \u0623\u0648 GitOps\u060c \u064a\u0642\u0648\u0645 controller \u0645\u062e\u0635\u0635 \u064a\u0639\u0645\u0644 \u062f\u0627\u062e\u0644 \u0627\u0644\u0628\u064a\u0626\u0629 \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641\u0629 \u2014 \u0645\u062b\u0644 <strong>Flux<\/strong> \u0623\u0648 <strong>ArgoCD<\/strong> \u2014 \u0628\u0645\u0631\u0627\u0642\u0628\u0629 \u0645\u0633\u062a\u0648\u062f\u0639 Git \u0644\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0641\u064a \u0627\u0644\u062d\u0627\u0644\u0629 \u0627\u0644\u0645\u0637\u0644\u0648\u0628\u0629. \u0639\u0646\u062f\u0645\u0627 \u064a\u062a\u0645 commit \u0644\u0640 manifest \u062c\u062f\u064a\u062f (\u0639\u0627\u062f\u0629\u064b \u0628\u0648\u0627\u0633\u0637\u0629 CI pipeline \u0627\u0644\u0630\u064a \u064a\u062d\u062f\u0651\u062b image tag)\u060c \u064a\u0633\u062d\u0628 controller \u0627\u0644\u062a\u063a\u064a\u064a\u0631 \u0648\u064a\u0648\u0641\u0642 cluster \u0644\u064a\u0637\u0627\u0628\u0642.<\/p>\n<p>\u0627\u0644\u0645\u064a\u0632\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0643\u0628\u064a\u0631\u0629. \u0644\u0627 \u064a\u062d\u062a\u0627\u062c CI pipeline \u0623\u0628\u062f\u0627\u064b \u0625\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u0628\u0627\u0634\u0631\u0629 \u0644\u0640 production cluster. 
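\u064a\u0646\u0643\u0645\u0634 \u0633\u0637\u062d \u0627\u0644\u0647\u062c\u0648\u0645 \u0644\u0623\u0646 \u0648\u0643\u064a\u0644 \u0627\u0644\u0646\u0634\u0631 \u064a\u0639\u064a\u0634 \u062f\u0627\u062e\u0644 cluster \u0648\u064a\u0633\u062d\u0628 \u0641\u0642\u0637 \u0645\u0646 \u0645\u0635\u062f\u0631 \u0645\u0639\u0631\u0648\u0641. \u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0644\u0627\u0646\u062d\u0631\u0627\u0641 \u0645\u062f\u0645\u062c: \u0625\u0630\u0627 \u0639\u062f\u0651\u0644 \u0634\u062e\u0635 \u0645\u0627 \u0645\u0648\u0631\u062f\u0627\u064b \u064a\u062f\u0648\u064a\u0627\u064b\u060c \u064a\u0639\u064a\u062f\u0647 controller \u0644\u064a\u0637\u0627\u0628\u0642 Git. \u0641\u064a \u0627\u0644\u0645\u0642\u0627\u0628\u0644\u060c \u064a\u0646\u062a\u0642\u0644 \u062d\u062f \u0627\u0644\u062b\u0642\u0629 \u0625\u0644\u0649 \u0645\u0633\u062a\u0648\u062f\u0639 Git: \u0645\u0646 \u064a\u0645\u0644\u0643 \u0635\u0644\u0627\u062d\u064a\u0629 \u0627\u0644\u0643\u062a\u0627\u0628\u0629 \u0639\u0644\u0649 \u0627\u0644\u0641\u0631\u0639 \u0627\u0644\u0630\u064a \u064a\u0631\u0627\u0642\u0628\u0647 controller \u064a\u0633\u062a\u0637\u064a\u0639 \u0627\u0644\u0646\u0634\u0631 \u0625\u0644\u0649 cluster\u060c \u0644\u0630\u0627 \u064a\u062c\u0628 \u062d\u0645\u0627\u064a\u0629 \u0647\u0630\u0627 \u0627\u0644\u0641\u0631\u0639 \u0628\u0645\u0631\u0627\u062c\u0639\u0629 \u0625\u0644\u0632\u0627\u0645\u064a\u0629.<\/p>\n<p><strong>\u0627\u0644\u062a\u0648\u0635\u064a\u0629:<\/strong> \u0644\u0623\u0639\u0628\u0627\u0621 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0625\u0646\u062a\u0627\u062c\u064a\u0629\u060c \u0641\u0636\u0651\u0644 \u0646\u0645\u0648\u0630\u062c GitOps pull-based. \u0627\u062d\u062a\u0641\u0638 \u0628\u0646\u0634\u0631 push-based \u0644\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u062a\u0637\u0648\u064a\u0631 \u0648\u0627\u0644\u062a\u062c\u0647\u064a\u0632 \u062d\u064a\u062b \u062a\u0647\u0645 \u0627\u0644\u0633\u0631\u0639\u0629 \u0623\u0643\u062b\u0631 \u0645\u0646 \u0627\u0644\u062a\u062d\u0643\u0645 \u0627\u0644\u0635\u0627\u0631\u0645 \u0641\u064a \u0627\u0644\u0648\u0635\u0648\u0644. 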
\u062d\u062a\u0649 \u0641\u064a \u0625\u0639\u062f\u0627\u062f\u0627\u062a push-based\u060c \u0637\u0628\u0651\u0642 \u0645\u0628\u062f\u0623 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0628\u0635\u0631\u0627\u0645\u0629 \u0639\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0646\u0634\u0631.<\/p>\n<h2 class=\"wp-block-heading\">\u0628\u0648\u0627\u0628\u0627\u062a \u0627\u0644\u0646\u0634\u0631: \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0627\u062a \u0627\u0644\u064a\u062f\u0648\u064a\u0629 \u0648\u0627\u0644\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0645\u062d\u0645\u064a\u0629<\/h2>\n<p>Pipelines \u0627\u0644\u0645\u0624\u062a\u0645\u062a\u0629 \u0633\u0631\u064a\u0639\u0629\u060c \u0644\u0643\u0646 \u0627\u0644\u0646\u0634\u0631 \u0625\u0644\u0649 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0644\u0627 \u064a\u0646\u0628\u063a\u064a \u0623\u0646 \u064a\u062d\u062f\u062b \u062f\u0648\u0646 \u062a\u062d\u0642\u0642 \u0628\u0634\u0631\u064a \u0644\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0639\u0627\u0644\u064a\u0629 \u0627\u0644\u062a\u0623\u062b\u064a\u0631. \u062a\u0642\u062f\u0645 \u0628\u0648\u0627\u0628\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u0646\u0642\u0627\u0637 \u062a\u0641\u062a\u064a\u0634 \u062a\u062a\u0637\u0644\u0628 \u0645\u0648\u0627\u0641\u0642\u0629 \u0635\u0631\u064a\u062d\u0629 \u0642\u0628\u0644 \u0627\u0644\u0645\u0636\u064a \u0642\u062f\u0645\u0627\u064b \u0641\u064a \u0627\u0644\u0625\u0635\u062f\u0627\u0631.<\/p>\n<h3 class=\"wp-block-heading\">GitHub Environments \u0648\u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0648\u0646 \u0627\u0644\u0645\u0637\u0644\u0648\u0628\u0648\u0646<\/h3>\n<p>\u064a\u062f\u0639\u0645 GitHub Actions <strong>Environments<\/strong> \u0645\u0639 \u0642\u0648\u0627\u0639\u062f \u062d\u0645\u0627\u064a\u0629. 
\u064a\u0645\u0643\u0646\u0643 \u0637\u0644\u0628 \u0645\u0631\u0627\u062c\u0639 \u0648\u0627\u062d\u062f \u0623\u0648 \u0623\u0643\u062b\u0631 \u0644\u0644\u0645\u0648\u0627\u0641\u0642\u0629 \u0639\u0644\u0649 \u0627\u0644\u0646\u0634\u0631 \u0642\u0628\u0644 \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0648\u0638\u064a\u0641\u0629. \u064a\u062a\u0645 \u062a\u0643\u0648\u064a\u0646 \u0630\u0644\u0643 \u0641\u064a \u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0648\u064a\u064f\u0641\u0631\u0636 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0646\u0635\u0629 \u2014 \u0644\u0627 \u064a\u0645\u0643\u0646 \u0644\u0634\u0641\u0631\u0629 pipeline \u062a\u062c\u0627\u0648\u0632\u0647.<\/p>\n<pre><code># .github\/workflows\/deploy.yml\njobs:\n  deploy-production:\n    runs-on: ubuntu-latest\n    environment:\n      name: production\n      url: https:\/\/app.example.com\n    steps:\n      - name: Checkout\n        uses: actions\/checkout@v4\n\n      - name: Verify artifact signature\n        run: |\n          cosign verify \\\n            --key cosign.pub \\\n            ghcr.io\/myorg\/myapp:${{ github.sha }}\n\n      - name: Deploy to production\n        run: |\n          helm upgrade --install myapp .\/chart \\\n            --set image.tag=${{ github.sha }} \\\n            --namespace production\n<\/code><\/pre>\n<p>\u0645\u0639 \u062a\u0643\u0648\u064a\u0646 \u0628\u064a\u0626\u0629 <code>production<\/code> \u0644\u062a\u062a\u0637\u0644\u0628 \u0645\u0631\u0627\u062c\u0639\u064a\u0646\u060c \u0633\u062a\u062a\u0648\u0642\u0641 \u0647\u0630\u0647 \u0627\u0644\u0648\u0638\u064a\u0641\u0629 \u0648\u062a\u0646\u062a\u0638\u0631 \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0629 \u0642\u0628\u0644 \u062a\u0646\u0641\u064a\u0630 \u0623\u064a \u062e\u0637\u0648\u0627\u062a. 
\u064a\u0631\u0649 \u0627\u0644\u0645\u064f\u0648\u0627\u0641\u0642 \u0628\u0627\u0644\u0636\u0628\u0637 \u0623\u064a commit \u0648\u062a\u0634\u063a\u064a\u0644 workflow \u0623\u0637\u0644\u0642 \u0627\u0644\u0646\u0634\u0631.<\/p>\n<h3 class=\"wp-block-heading\">GitLab Protected Environments<\/h3>\n<p>\u064a\u0642\u062f\u0645 GitLab <strong>protected environments<\/strong> \u0627\u0644\u062a\u064a \u062a\u0642\u064a\u0651\u062f \u0623\u064a \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u064a\u0646 \u0623\u0648 \u0627\u0644\u0645\u062c\u0645\u0648\u0639\u0627\u062a \u064a\u0645\u0643\u0646\u0647\u0627 \u062a\u0634\u063a\u064a\u0644 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631. \u0628\u0627\u0644\u062f\u0645\u062c \u0645\u0639 \u0627\u0644\u0648\u0638\u0627\u0626\u0641 \u0627\u0644\u064a\u062f\u0648\u064a\u0629\u060c \u064a\u0646\u0634\u0626 \u0647\u0630\u0627 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0645\u0648\u0627\u0641\u0642\u0629 \u0642\u0648\u064a\u0627\u064b.<\/p>\n<pre><code># .gitlab-ci.yml\ndeploy_production:\n  stage: deploy\n  environment:\n    name: production\n    url: https:\/\/app.example.com\n  rules:\n    - if: $CI_COMMIT_BRANCH == \"main\"\n      when: manual\n  script:\n    - cosign verify --key cosign.pub $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA\n    - helm upgrade --install myapp .\/chart\n        --set image.tag=$CI_COMMIT_SHA\n        --namespace production\n  resource_group: production\n<\/code><\/pre>\n<p>\u064a\u062a\u0637\u0644\u0628 \u062a\u0648\u062c\u064a\u0647 <code>when: manual<\/code> \u0645\u0646 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0646\u0642\u0631 \u0639\u0644\u0649 &#8220;Play&#8221; \u0641\u064a \u0648\u0627\u062c\u0647\u0629 GitLab. 
\u064a\u0636\u0645\u0646 <code>resource_group<\/code> \u062a\u0634\u063a\u064a\u0644 \u0646\u0634\u0631 \u0648\u0627\u062d\u062f \u0641\u0642\u0637 \u0641\u064a \u0643\u0644 \u0645\u0631\u0629\u060c \u0645\u0645\u0627 \u064a\u0645\u0646\u0639 \u062d\u0627\u0644\u0627\u062a \u0627\u0644\u062a\u0633\u0627\u0628\u0642. \u0641\u064a \u0627\u0644\u0645\u062b\u0627\u0644\u064a\u0646 \u0623\u0639\u0644\u0627\u0647 \u064a\u062a\u0645 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 image \u062b\u0645 \u0646\u0634\u0631\u0647\u0627 \u0639\u0628\u0631 tag\u061b \u0627\u0644\u0623\u0641\u0636\u0644 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 digest \u0648\u0646\u0634\u0631 digest \u0646\u0641\u0633\u0647\u060c \u062d\u062a\u0649 \u0644\u0627 \u064a\u062a\u063a\u064a\u0631 \u0645\u0627 \u062a\u0645 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647 \u0642\u0628\u0644 \u0627\u0644\u0646\u0634\u0631.<\/p>\n<h3 class=\"wp-block-heading\">\u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0627\u062a \u0639\u0628\u0631 Slack \u0648 ChatOps<\/h3>\n<p>\u0644\u0644\u0641\u0631\u0642 \u0627\u0644\u062a\u064a \u062a\u0639\u064a\u0634 \u0641\u064a Slack\u060c \u064a\u0648\u0641\u0631 \u062f\u0645\u062c \u0633\u064a\u0631 \u0639\u0645\u0644 \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0629 \u0645\u0639 \u0627\u0644\u0645\u062d\u0627\u062f\u062b\u0629 \u0631\u0624\u064a\u0629 \u0648\u0623\u0648\u0642\u0627\u062a \u0627\u0633\u062a\u062c\u0627\u0628\u0629 \u0633\u0631\u064a\u0639\u0629. \u0623\u062f\u0648\u0627\u062a \u0645\u062b\u0644 <strong>Opsgenie<\/strong> \u0648 <strong>PagerDuty<\/strong> \u0623\u0648 \u0631\u0648\u0628\u0648\u062a\u0627\u062a Slack \u0645\u062e\u0635\u0635\u0629 \u064a\u0645\u0643\u0646\u0647\u0627 \u0646\u0634\u0631 \u0637\u0644\u0628 \u0646\u0634\u0631 \u0641\u064a \u0642\u0646\u0627\u0629 \u0648\u0627\u0646\u062a\u0638\u0627\u0631 \u0645\u0633\u062a\u062e\u062f\u0645 \u0645\u062e\u0648\u0651\u0644 \u0644\u0644\u0645\u0648\u0627\u0641\u0642\u0629 \u0639\u0628\u0631 \u0632\u0631 \u0623\u0648 \u062a\u0641\u0627\u0639\u0644. 
\u0627\u0644\u0645\u062a\u0637\u0644\u0628 \u0627\u0644\u0623\u0633\u0627\u0633\u064a \u0647\u0648 \u0623\u0646 \u062a\u0643\u0648\u0646 \u0622\u0644\u064a\u0629 \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0629 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u062f\u0642\u064a\u0642 \u0648\u0644\u0627 \u064a\u0645\u0643\u0646 \u062a\u0632\u0648\u064a\u0631\u0647\u0627 \u2014 \u0627\u0633\u062a\u062e\u062f\u0645 \u0631\u0645\u0648\u0632 \u062a\u0637\u0628\u064a\u0642 Slack \u0645\u0648\u062b\u0642\u0629 \u0648\u0633\u062c\u0651\u0644 \u0643\u0644 \u0642\u0631\u0627\u0631 \u0645\u0648\u0627\u0641\u0642\u0629.<\/p>\n<h2 class=\"wp-block-heading\">\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 Artifacts \u0639\u0646\u062f \u0627\u0644\u0646\u0634\u0631<\/h2>\n<p>\u062a\u0648\u0642\u064a\u0639 artifacts \u0623\u062b\u0646\u0627\u0621 \u0645\u0631\u062d\u0644\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0647\u0648 \u0646\u0635\u0641 \u0627\u0644\u0645\u0639\u0627\u062f\u0644\u0629 \u0641\u0642\u0637. \u064a\u062c\u0628 \u0623\u0646 <strong>\u062a\u062a\u062d\u0642\u0642<\/strong> \u0645\u0646 \u062a\u0644\u0643 \u0627\u0644\u062a\u0648\u0627\u0642\u064a\u0639 \u0639\u0646\u062f \u0627\u0644\u0646\u0634\u0631. 
\u0648\u0625\u0644\u0627\u060c \u064a\u0645\u0643\u0646 \u0644\u0645\u0647\u0627\u062c\u0645 \u062d\u0635\u0644 \u0639\u0644\u0649 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 registry \u0627\u0633\u062a\u0628\u062f\u0627\u0644 image \u0645\u0648\u0642\u0639\u0629 \u0628\u0623\u062e\u0631\u0649 \u063a\u064a\u0631 \u0645\u0648\u0642\u0639\u0629 \u0623\u0648 \u0645\u0639\u0627\u062f \u062a\u0648\u0642\u064a\u0639\u0647\u0627 \u0628\u0634\u0643\u0644 \u062e\u0628\u064a\u062b.<\/p>\n<h3 class=\"wp-block-heading\">\u0627\u0644\u062a\u062d\u0642\u0642 \u0628\u0640 Cosign \u0642\u0628\u0644 \u0627\u0644\u0646\u0634\u0631<\/h3>\n<p>\u0623\u0636\u0641 \u062e\u0637\u0648\u0629 \u062a\u062d\u0642\u0642 \u0635\u0631\u064a\u062d\u0629 \u0641\u064a deployment pipeline \u062a\u0639\u0645\u0644 \u0642\u0628\u0644 \u0623\u064a \u0623\u0645\u0631 \u0646\u0634\u0631. \u0625\u0630\u0627 \u0641\u0634\u0644 \u0627\u0644\u062a\u062d\u0642\u0642\u060c \u064a\u062c\u0628 \u0623\u0646 \u064a\u062a\u0648\u0642\u0641 pipeline \u0641\u0648\u0631\u0627\u064b.<\/p>\n<pre><code># Verify the image signature before deploying\ncosign verify \\\n  --certificate-identity \"https:\/\/github.com\/myorg\/myapp\/.github\/workflows\/build.yml@refs\/heads\/main\" \\\n  --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n  ghcr.io\/myorg\/myapp@sha256:abc123...\n\n# Verify SLSA provenance\ncosign verify-attestation \\\n  --type slsaprovenance \\\n  --certificate-identity \"https:\/\/github.com\/slsa-framework\/slsa-github-generator\/.github\/workflows\/generator_container_slsa3.yml@refs\/tags\/v1.9.0\" \\\n  --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n  ghcr.io\/myorg\/myapp@sha256:abc123...\n<\/code><\/pre>\n<h3 class=\"wp-block-heading\">Admission Controllers: Kyverno \u0648 Sigstore Policy Controller<\/h3>\n<p>\u0627\u0644\u062a\u062d\u0642\u0642 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 pipeline \u062c\u064a\u062f\u060c 
\u0644\u0643\u0646 \u064a\u0645\u0643\u0646 \u062a\u062c\u0627\u0648\u0632\u0647 \u0625\u0630\u0627 \u0646\u0634\u0631 \u0634\u062e\u0635 \u0645\u0627 \u0645\u0628\u0627\u0634\u0631\u0629 \u0625\u0644\u0649 cluster \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 <code>kubectl<\/code>. \u062a\u0641\u0631\u0636 <strong>admission controllers<\/strong> \u0627\u0644\u062a\u062d\u0642\u0642 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 Kubernetes API server \u2014 \u0644\u0627 \u064a\u0645\u0643\u0646 \u0644\u0623\u064a image \u063a\u064a\u0631 \u0645\u0648\u0642\u0639\u0629 \u0627\u0644\u062f\u062e\u0648\u0644 \u0625\u0644\u0649 cluster \u0628\u063a\u0636 \u0627\u0644\u0646\u0638\u0631 \u0639\u0646 \u0643\u064a\u0641\u064a\u0629 \u062a\u0642\u062f\u064a\u0645\u0647\u0627.<\/p>\n<p><strong>Kyverno<\/strong> \u0647\u0648 \u0645\u062d\u0631\u0643 \u0633\u064a\u0627\u0633\u0627\u062a \u0623\u0635\u0644\u064a \u0644\u0640 Kubernetes \u064a\u0645\u0643\u0646\u0647 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0648\u0642\u064a\u0639\u0627\u062a images \u0648 attestations \u0643\u062c\u0632\u0621 \u0645\u0646 admission webhook:<\/p>\n<pre><code>apiVersion: kyverno.io\/v1\nkind: ClusterPolicy\nmetadata:\n  name: require-signed-images\nspec:\n  validationFailureAction: Enforce\n  background: false\n  rules:\n    - name: verify-signature\n      match:\n        any:\n          - resources:\n              kinds:\n                - Pod\n      verifyImages:\n        - imageReferences:\n            - \"ghcr.io\/myorg\/*\"\n          attestors:\n            - entries:\n                - keyless:\n                    subject: \"https:\/\/github.com\/myorg\/*\"\n                    issuer: \"https:\/\/token.actions.githubusercontent.com\"\n          attestations:\n            - type: https:\/\/slsa.dev\/provenance\/v1\n              conditions:\n                - all:\n                    - key: \"{{ builder.id }}\"\n                      operator: Equals\n                
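      value: \"https:\/\/github.com\/slsa-framework\/slsa-github-generator\/.github\/workflows\/generator_container_slsa3.yml@refs\/tags\/v1.9.0\"\n<\/code><\/pre>\n<p>\u0644\u0627\u062d\u0638 \u0623\u0646 subject \u0628\u0646\u0645\u0637 wildcard \u0641\u064a \u0647\u0630\u0647 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 (<code>https:\/\/github.com\/myorg\/*<\/code>) \u064a\u0642\u0628\u0644 \u062a\u0648\u0642\u064a\u0639 \u0623\u064a workflow \u0641\u064a \u0623\u064a \u0645\u0633\u062a\u0648\u062f\u0639 \u062f\u0627\u062e\u0644 \u0627\u0644\u0645\u0624\u0633\u0633\u0629\u061b \u0627\u0644\u0623\u0641\u0636\u0644 \u062a\u0642\u064a\u064a\u062f\u0647 \u0628\u0645\u0633\u0627\u0631 workflow \u0648\u0627\u0644\u0641\u0631\u0639 \u0627\u0644\u0645\u062d\u062f\u062f\u064a\u0646 \u0643\u0645\u0627 \u0641\u064a \u0623\u0645\u0631 <code>cosign verify<\/code> \u0623\u0639\u0644\u0627\u0647. \u062a\u0623\u0643\u062f \u0623\u064a\u0636\u0627\u064b \u0645\u0646 \u0623\u0646 \u0646\u0648\u0639 attestation \u0641\u064a \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u064a\u0637\u0627\u0628\u0642 \u0635\u064a\u063a\u0629 provenance \u0627\u0644\u062a\u064a \u064a\u0646\u062a\u062c\u0647\u0627 builder \u0641\u0639\u0644\u0627\u064b.<\/p>\n<p>\u064a\u0648\u0641\u0631 <strong>Sigstore Policy Controller<\/strong> (\u0627\u0644\u0645\u0639\u0631\u0648\u0641 \u0633\u0627\u0628\u0642\u0627\u064b \u0628\u0640 cosigned) \u0648\u0638\u0627\u0626\u0641 \u0645\u0645\u0627\u062b\u0644\u0629 \u0648\u064a\u064f\u0635\u0627\u0646 \u0645\u0646 \u0642\u0628\u0644 \u0645\u0634\u0631\u0648\u0639 Sigstore. \u064a\u062a\u0643\u0627\u0645\u0644 \u0628\u0634\u0643\u0644 \u0648\u062b\u064a\u0642 \u0645\u0639 \u0633\u064a\u0631 \u0639\u0645\u0644 keyless signing \u0648\u0647\u0648 \u062e\u064a\u0627\u0631 \u0642\u0648\u064a \u0625\u0630\u0627 \u0648\u062d\u0651\u062f\u062a \u0645\u0624\u0633\u0633\u062a\u0643 \u0639\u0644\u0649 \u0646\u0638\u0627\u0645 Sigstore \u0627\u0644\u0628\u064a\u0626\u064a.<\/p>\n<p>\u0627\u0644\u062c\u0645\u0639 \u0628\u064a\u0646 \u0627\u0644\u062a\u062d\u0642\u0642 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 pipeline \u0648\u062a\u062d\u0643\u0645 \u0627\u0644\u0642\u0628\u0648\u0644 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 cluster \u064a\u0646\u0634\u0626 \u062f\u0641\u0627\u0639\u0627\u064b \u0639\u0645\u064a\u0642\u0627\u064b: \u062d\u062a\u0649 \u0644\u0648 \u062a\u0645 \u062a\u062c\u0627\u0648\u0632 \u0637\u0628\u0642\u0629 \u0648\u0627\u062d\u062f\u0629\u060c \u062a\u0644\u062a\u0642\u0637 \u0627\u0644\u0623\u062e\u0631\u0649 artifacts \u063a\u064a\u0631 \u0627\u0644\u0645\u0635\u0631\u062d \u0628\u0647\u0627.<\/p>\n<h2 class=\"wp-block-heading\">\u0627\u0644\u0637\u0631\u062d \u0627\u0644\u062a\u062f\u0631\u064a\u062c\u064a: Canary \u0648 Blue-Green \u0648 Feature Flags<\/h2>\n<p>\u0646\u0634\u0631 \u0625\u0635\u062f\u0627\u0631 \u062c\u062f\u064a\u062f \u0644\u0640 100% \u0645\u0646 \u062d\u0631\u0643\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0641\u0648\u0631\u0627\u064b \u064a\u0645\u062b\u0644 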
\u062e\u0637\u0631\u0627\u064b \u0623\u0645\u0646\u064a\u0627\u064b \u0648\u062e\u0637\u0631\u0627\u064b \u0639\u0644\u0649 \u0627\u0644\u0645\u0648\u062b\u0648\u0642\u064a\u0629. \u062a\u062a\u064a\u062d \u0644\u0643 \u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0627\u062a \u0627\u0644\u0637\u0631\u062d \u0627\u0644\u062a\u062f\u0631\u064a\u062c\u064a \u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0644\u0645\u0634\u0627\u0643\u0644 \u2014 \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0627\u0644\u0645\u0634\u0627\u0643\u0644 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u2014 \u0642\u0628\u0644 \u0623\u0646 \u062a\u0624\u062b\u0631 \u0639\u0644\u0649 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u064a\u0646.<\/p>\n<h3 class=\"wp-block-heading\">\u0646\u0634\u0631 Canary<\/h3>\n<p>\u064a\u0648\u062c\u0647 \u0646\u0634\u0631 canary \u0646\u0633\u0628\u0629 \u0635\u063a\u064a\u0631\u0629 \u0645\u0646 \u062d\u0631\u0643\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 (\u0645\u062b\u0644\u0627\u064b 5%) \u0625\u0644\u0649 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062c\u062f\u064a\u062f \u0628\u064a\u0646\u0645\u0627 \u062a\u0633\u062a\u0645\u0631 \u0627\u0644\u0623\u063a\u0644\u0628\u064a\u0629 \u0641\u064a \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0645\u0633\u062a\u0642\u0631. 
\u0625\u0630\u0627 \u062a\u062f\u0647\u0648\u0631\u062a \u0645\u0642\u0627\u064a\u064a\u0633 \u0645\u062b\u0644 \u0645\u0639\u062f\u0644\u0627\u062a \u0627\u0644\u0623\u062e\u0637\u0627\u0621\u060c \u0623\u0648 \u0632\u0645\u0646 \u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629\u060c \u0623\u0648 \u0625\u0634\u0627\u0631\u0627\u062a \u0623\u0645\u0646\u064a\u0629 (\u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0635\u0627\u062f\u0631\u0629 \u063a\u064a\u0631 \u0645\u062a\u0648\u0642\u0639\u0629\u060c \u062a\u0635\u0639\u064a\u062f\u0627\u062a \u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0645\u0631\u062a\u0641\u0639\u0629)\u060c \u064a\u062a\u0645 \u0627\u0644\u062a\u0631\u0627\u062c\u0639 \u0639\u0646 canary \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b.<\/p>\n<p>\u0623\u062f\u0648\u0627\u062a \u0645\u062b\u0644 <strong>Flagger<\/strong> (\u0644\u0640 Kubernetes) \u0648 <strong>AWS App Mesh<\/strong> \u0648 <strong>Istio<\/strong> \u062a\u0624\u062a\u0645\u062a \u062a\u062d\u0644\u064a\u0644 canary. 
\u064a\u0645\u0643\u0646 \u062a\u0643\u0648\u064a\u0646 Flagger\u060c \u0639\u0644\u0649 \u0633\u0628\u064a\u0644 \u0627\u0644\u0645\u062b\u0627\u0644\u060c \u0644\u0645\u0631\u0627\u0642\u0628\u0629 \u0645\u0642\u0627\u064a\u064a\u0633 Prometheus \u0645\u062e\u0635\u0635\u0629 \u0648\u0627\u0644\u062a\u0631\u0642\u064a\u0629 \u0623\u0648 \u0627\u0644\u062a\u0631\u0627\u062c\u0639 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b:<\/p>\n<pre><code>apiVersion: flagger.app\/v1beta1\nkind: Canary\nmetadata:\n  name: myapp\n  namespace: production\nspec:\n  targetRef:\n    apiVersion: apps\/v1\n    kind: Deployment\n    name: myapp\n  progressDeadlineSeconds: 600\n  service:\n    port: 8080\n  analysis:\n    interval: 1m\n    threshold: 5\n    maxWeight: 50\n    stepWeight: 10\n    metrics:\n      - name: request-success-rate\n        thresholdRange:\n          min: 99\n        interval: 1m\n      - name: request-duration\n        thresholdRange:\n          max: 500\n        interval: 1m\n<\/code><\/pre>\n<h3 class=\"wp-block-heading\">\u0646\u0634\u0631 Blue-Green<\/h3>\n<p>\u064a\u062d\u0627\u0641\u0638 \u0646\u0634\u0631 blue-green \u0639\u0644\u0649 \u0628\u064a\u0626\u062a\u064a\u0646 \u0645\u062a\u0637\u0627\u0628\u0642\u062a\u064a\u0646. \u0628\u064a\u0626\u0629 &#8220;blue&#8221; \u062a\u0634\u063a\u0644 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062d\u0627\u0644\u064a\u061b \u0648&#8221;green&#8221; \u062a\u0634\u063a\u0644 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062c\u062f\u064a\u062f. 
\u064a\u062a\u0645 \u062a\u062d\u0648\u064a\u0644 \u062d\u0631\u0643\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u062f\u0641\u0639\u0629 \u0648\u0627\u062d\u062f\u0629 (\u0639\u0627\u062f\u0629\u064b \u0639\u0628\u0631 load balancer \u0623\u0648 \u062a\u063a\u064a\u064a\u0631 DNS) \u0628\u0639\u062f \u0623\u0646 \u062a\u062c\u062a\u0627\u0632 \u0628\u064a\u0626\u0629 green \u0641\u062d\u0648\u0635\u0627\u062a \u0627\u0644\u0635\u062d\u0629 \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0627\u0644\u0623\u0645\u0646\u064a. \u0625\u0630\u0627 \u062d\u062f\u062b \u062e\u0637\u0623 \u0645\u0627\u060c \u0641\u0625\u0646 \u0627\u0644\u0639\u0648\u062f\u0629 \u0625\u0644\u0649 blue \u0641\u0648\u0631\u064a\u0629.<\/p>\n<p>\u0627\u0644\u0641\u0627\u0626\u062f\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0647\u064a \u0645\u0633\u0627\u0631 rollback \u0646\u0638\u064a\u0641 \u0648\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0646\u0628\u0624. \u0644\u0627 \u062a\u0648\u062c\u062f \u062d\u0627\u0644\u0629 \u062c\u0632\u0626\u064a\u0629 \u064a\u062c\u0628 \u0627\u0644\u062a\u0641\u0643\u064a\u0631 \u0641\u064a\u0647\u0627\u060c \u0648\u064a\u0628\u0642\u0649 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0633\u0627\u0628\u0642 \u064a\u0639\u0645\u0644 \u0628\u0627\u0644\u0643\u0627\u0645\u0644 \u0637\u0648\u0627\u0644 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0646\u0634\u0631.<\/p>\n<h3 class=\"wp-block-heading\">Feature Flags \u0643\u0636\u0648\u0627\u0628\u0637 \u0623\u0645\u0646\u064a\u0629<\/h3>\n<p>\u062a\u0641\u0635\u0644 feature flags \u0628\u064a\u0646 \u0627\u0644\u0646\u0634\u0631 \u0648\u0627\u0644\u0625\u0635\u062f\u0627\u0631. \u064a\u064f\u0646\u0634\u0631 \u0627\u0644\u0643\u0648\u062f \u0625\u0644\u0649 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0644\u0643\u0646\u0647 \u064a\u0628\u0642\u0649 \u063a\u064a\u0631 \u0646\u0634\u0637 \u062e\u0644\u0641 flag. 
\u0647\u0630\u0627 \u064a\u0645\u0646\u062d \u0641\u0631\u0642 \u0627\u0644\u0623\u0645\u0646 \u0645\u0641\u062a\u0627\u062d \u0625\u064a\u0642\u0627\u0641: \u0625\u0630\u0627 \u0623\u062f\u062e\u0644\u062a \u0645\u064a\u0632\u0629 \u0635\u062f\u0631\u062a \u062d\u062f\u064a\u062b\u0627\u064b \u062b\u063a\u0631\u0629 \u0623\u0648 \u062a\u0635\u0631\u0641\u062a \u0628\u0634\u0643\u0644 \u063a\u064a\u0631 \u0645\u062a\u0648\u0642\u0639\u060c \u064a\u0645\u0643\u0646 \u062a\u0639\u0637\u064a\u0644\u0647\u0627 \u0641\u0648\u0631\u0627\u064b \u062f\u0648\u0646 rollback \u0643\u0627\u0645\u0644. \u0623\u062f\u0648\u0627\u062a \u0645\u062b\u0644 <strong>LaunchDarkly<\/strong> \u0648 <strong>Unleash<\/strong> \u0648 <strong>OpenFeature<\/strong> \u062a\u0648\u0641\u0631 \u0625\u062f\u0627\u0631\u0629 \u0645\u0631\u0643\u0632\u064a\u0629 \u0644\u0640 flags \u0645\u0639 \u0633\u062c\u0644\u0627\u062a \u062a\u062f\u0642\u064a\u0642 \u0644\u0645\u0646 \u0628\u062f\u0651\u0644 \u0645\u0627\u0630\u0627 \u0648\u0645\u062a\u0649.<\/p>\n<h2 class=\"wp-block-heading\">\u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0627\u062a Rollback<\/h2>\n<p>\u064a\u062c\u0628 \u0623\u0646 \u062a\u062a\u0636\u0645\u0646 \u0643\u0644 \u062e\u0637\u0629 \u0646\u0634\u0631 \u062e\u0637\u0629 rollback. \u0639\u0646\u062f\u0645\u0627 \u062a\u0633\u0648\u0621 \u0627\u0644\u0623\u0645\u0648\u0631 \u2014 \u0648\u0633\u062a\u0633\u0648\u0621 \u2014 \u0641\u0625\u0646 \u0633\u0631\u0639\u0629 \u0648\u0645\u0648\u062b\u0648\u0642\u064a\u0629 rollback \u062a\u062d\u062f\u062f \u0645\u0628\u0627\u0634\u0631\u0629 \u0646\u0637\u0627\u0642 \u0627\u0644\u0636\u0631\u0631.<\/p>\n<h3 class=\"wp-block-heading\">Rollback \u062a\u0644\u0642\u0627\u0626\u064a \u0639\u0646\u062f \u0641\u0634\u0644 Health Check<\/h3>\n<p>\u064a\u062f\u0639\u0645 Kubernetes \u0623\u0635\u0644\u0627\u064b rollback \u0645\u0646 \u062e\u0644\u0627\u0644 deployment controller. 
\u0625\u0630\u0627 \u0641\u0634\u0644\u062a pods \u0627\u0644\u062c\u062f\u064a\u062f\u0629 \u0641\u064a readiness \u0623\u0648 liveness probes\u060c \u064a\u062a\u0648\u0642\u0641 \u0627\u0644\u0637\u0631\u062d \u0648\u064a\u0645\u0643\u0646 \u0639\u0643\u0633\u0647 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b:<\/p>\n<pre><code># Check rollout status and rollback if needed\nkubectl rollout status deployment\/myapp --namespace production --timeout=300s\nif [ $? -ne 0 ]; then\n  echo \"Rollout failed, initiating rollback\"\n  kubectl rollout undo deployment\/myapp --namespace production\n  exit 1\nfi\n<\/code><\/pre>\n<p>\u0641\u064a \u0646\u0645\u0648\u0630\u062c GitOps\u060c \u064a\u0639\u0646\u064a rollback \u0627\u0644\u062a\u0631\u0627\u062c\u0639 \u0639\u0646 Git commit \u0627\u0644\u0630\u064a \u0623\u062f\u062e\u0644 \u0627\u0644\u062a\u063a\u064a\u064a\u0631. \u064a\u0643\u062a\u0634\u0641 controller \u0627\u0644\u062a\u0631\u0627\u062c\u0639 \u0648\u064a\u0648\u0641\u0642 cluster \u0625\u0644\u0649 \u0627\u0644\u062d\u0627\u0644\u0629 \u0627\u0644\u0633\u0627\u0628\u0642\u0629. \u0647\u0630\u0627 \u064a\u062d\u0641\u0638 \u0633\u062c\u0644 \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0627\u0644\u0643\u0627\u0645\u0644 \u0641\u064a Git.<\/p>\n<h3 class=\"wp-block-heading\">\u0627\u0644\u0646\u0634\u0631 \u063a\u064a\u0631 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 (Immutable Deployments)<\/h3>\n<p>\u064a\u0639\u0627\u0645\u0644 \u0627\u0644\u0646\u0634\u0631 \u063a\u064a\u0631 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0643\u0644 \u0625\u0635\u062f\u0627\u0631 \u0643\u0645\u062b\u064a\u0644 \u062c\u062f\u064a\u062f \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u062e\u0644\u0635 \u0645\u0646\u0647. 
\u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u062a\u062d\u062f\u064a\u062b containers \u0641\u064a \u0645\u0643\u0627\u0646\u0647\u0627\u060c \u062a\u0646\u0634\u0631 \u0645\u062c\u0645\u0648\u0639\u0629 \u062c\u062f\u064a\u062f\u0629 \u0628\u0627\u0644\u0643\u0627\u0645\u0644 \u0645\u0646 \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0648\u062a\u0644\u063a\u064a \u0627\u0644\u0642\u062f\u064a\u0645\u0629. \u0647\u0630\u0627 \u064a\u0632\u064a\u0644 \u0627\u0646\u062d\u0631\u0627\u0641 \u0627\u0644\u062a\u0643\u0648\u064a\u0646 \u0648\u064a\u0636\u0645\u0646 \u0623\u0646 \u0645\u0627 \u062a\u0645 \u0627\u062e\u062a\u0628\u0627\u0631\u0647 \u0647\u0648 \u0628\u0627\u0644\u0636\u0628\u0637 \u0645\u0627 \u064a\u0639\u0645\u0644 \u0641\u064a \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u0628\u0627\u0644\u062f\u0645\u062c \u0645\u0639 image digests (\u0628\u062f\u0644\u0627\u064b \u0645\u0646 tags \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0645\u062b\u0644 <code>latest<\/code>)\u060c \u064a\u0636\u0645\u0646 \u0627\u0644\u0646\u0634\u0631 \u063a\u064a\u0631 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0625\u0639\u0627\u062f\u0629 \u0625\u0646\u062a\u0627\u062c \u062b\u0646\u0627\u0626\u064a\u0629.<\/p>\n<h2 class=\"wp-block-heading\">\u0641\u0635\u0644 \u0647\u0648\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0646\u0634\u0631<\/h2>\n<p>\u0623\u062d\u062f \u0623\u0643\u062b\u0631 \u0627\u0644\u062a\u062d\u0633\u064a\u0646\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u062a\u0623\u062b\u064a\u0631\u0627\u064b \u0627\u0644\u062a\u064a \u064a\u0645\u0643\u0646\u0643 \u0625\u062c\u0631\u0627\u0624\u0647\u0627 \u0647\u0648 \u0636\u0645\u0627\u0646 \u0623\u0646 \u0627\u0644\u0647\u0648\u064a\u0629 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u0629 \u0644\u0628\u0646\u0627\u0621 artifacts \u0645\u062e\u062a\u0644\u0641\u0629 \u0639\u0646 
\u0627\u0644\u0647\u0648\u064a\u0629 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u0629 \u0644\u0646\u0634\u0631\u0647\u0627. \u0647\u0630\u0627 \u064a\u062d\u062f \u0645\u0646 \u0646\u0637\u0627\u0642 \u0627\u0644\u0636\u0631\u0631 \u0641\u064a \u062d\u0627\u0644\u0629 \u0627\u062e\u062a\u0631\u0627\u0642 \u0623\u064a \u0645\u0646 \u0627\u0644\u0645\u0631\u062d\u0644\u062a\u064a\u0646.<\/p>\n<h3 class=\"wp-block-heading\">\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u062e\u062a\u0644\u0641\u0629<\/h3>\n<p>\u064a\u062c\u0628 \u0623\u0646 \u064a\u0645\u062a\u0644\u0643 build pipeline \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0644\u062f\u0641\u0639 images \u0625\u0644\u0649 registry \u0648\u062a\u0648\u0642\u064a\u0639\u0647\u0627 \u2014 \u0644\u0643\u0646 \u0628\u062f\u0648\u0646 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0628\u0646\u064a\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0627\u0644\u062a\u062d\u062a\u064a\u0629. \u064a\u062c\u0628 \u0623\u0646 \u064a\u0645\u062a\u0644\u0643 deployment pipeline (\u0623\u0648 GitOps controller) \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0644\u0633\u062d\u0628 images \u0648\u062a\u0637\u0628\u064a\u0642 manifests \u2014 \u0644\u0643\u0646 \u0628\u062f\u0648\u0646 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0627\u0644\u0634\u0641\u0631\u0629 \u0627\u0644\u0645\u0635\u062f\u0631\u064a\u0629 \u0623\u0648 \u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u062a\u0648\u0642\u064a\u0639.<\/p>\n<p>\u0639\u0645\u0644\u064a\u0627\u064b\u060c \u064a\u0639\u0646\u064a \u0647\u0630\u0627 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 service accounts \u0645\u0646\u0641\u0635\u0644\u0629 \u0623\u0648 IAM roles \u0623\u0648 OIDC claims \u0644\u0643\u0644 \u0645\u0631\u062d\u0644\u0629. 
\u0639\u0644\u0649 AWS\u060c \u0642\u062f \u064a\u0645\u062a\u0644\u0643 build role \u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0644\u0640 ECR push \u0648 KMS signing\u060c \u0628\u064a\u0646\u0645\u0627 \u064a\u0645\u062a\u0644\u0643 deploy role \u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0644\u0640 EKS \u0648 Secrets Manager \u0644\u0643\u0646 \u0644\u064a\u0633 ECR push.<\/p>\n<h3 class=\"wp-block-heading\">Runners \u0645\u062e\u062a\u0644\u0641\u0629<\/h3>\n<p>\u062e\u0630 \u0627\u0644\u0641\u0635\u0644 \u0623\u0628\u0639\u062f \u0628\u062a\u0634\u063a\u064a\u0644 \u0648\u0638\u0627\u0626\u0641 \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0646\u0634\u0631 \u0639\u0644\u0649 runners \u0645\u062e\u062a\u0644\u0641\u0629 \u0641\u0639\u0644\u064a\u0627\u064b. \u0648\u0638\u0627\u0626\u0641 \u0627\u0644\u0628\u0646\u0627\u0621 \u062a\u0639\u0645\u0644 \u0639\u0644\u0649 runners \u0645\u0624\u0642\u062a\u0629 \u0645\u062a\u0639\u062f\u062f\u0629 \u0627\u0644\u0623\u063a\u0631\u0627\u0636. \u0648\u0638\u0627\u0626\u0641 \u0627\u0644\u0646\u0634\u0631 \u062a\u0639\u0645\u0644 \u0639\u0644\u0649 runners \u0645\u062e\u0635\u0635\u0629 \u0648\u0645\u0642\u0648\u0627\u0629 \u062a\u0642\u0639 \u0636\u0645\u0646 \u062d\u062f\u0648\u062f \u0634\u0628\u0643\u0629 \u0623\u0642\u0631\u0628 \u0625\u0644\u0649 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c. 
\u0647\u0630\u0627 \u064a\u0645\u0646\u0639 runner \u0628\u0646\u0627\u0621 \u0645\u062e\u062a\u0631\u0642 \u0645\u0646 \u0627\u0644\u0627\u0646\u062a\u0642\u0627\u0644 \u0625\u0644\u0649 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n<p>\u0644\u0645\u0639\u0627\u0644\u062c\u0629 \u0623\u0639\u0645\u0642 \u0644\u0641\u0635\u0644 \u0627\u0644\u0647\u0648\u064a\u0627\u062a \u0648\u0645\u0628\u0627\u062f\u0626 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0641\u064a CI\/CD\u060c \u0631\u0627\u062c\u0639 \u062f\u0644\u064a\u0644\u0646\u0627 \u062d\u0648\u0644 <a href=\"\/ar\/ci-cd-security\/separation-of-duties-least-privilege-ci-cd-pipelines\/\">\u0641\u0635\u0644 \u0627\u0644\u0645\u0647\u0627\u0645 \u0648\u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0641\u064a CI\/CD Pipelines<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">\u062a\u062c\u0645\u064a\u062f \u0627\u0644\u0646\u0634\u0631 \u0648\u0646\u0648\u0627\u0641\u0630 \u0627\u0644\u062a\u063a\u064a\u064a\u0631<\/h2>\n<p>\u0644\u064a\u0633 \u0643\u0644 \u0648\u0642\u062a \u0645\u0646\u0627\u0633\u0628\u0627\u064b \u0644\u0644\u0646\u0634\u0631. 
\u062a\u062c\u0645\u064a\u062f \u0627\u0644\u0646\u0634\u0631 \u2014 \u0641\u062a\u0631\u0627\u062a \u064a\u064f\u0645\u0646\u0639 \u0641\u064a\u0647\u0627 \u062a\u063a\u064a\u064a\u0631 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u2014 \u064a\u0642\u0644\u0644 \u0627\u0644\u0645\u062e\u0627\u0637\u0631 \u0623\u062b\u0646\u0627\u0621 \u0623\u062d\u062f\u0627\u062b \u062d\u0631\u0643\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0627\u0644\u0639\u0627\u0644\u064a\u0629\u060c \u0648\u0627\u0644\u0639\u0637\u0644\u0627\u062a\u060c \u0648\u062a\u062d\u0648\u0644\u0627\u062a \u0627\u0644\u0645\u0646\u0627\u0648\u0628\u0629\u060c \u0623\u0648 \u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629 \u0627\u0644\u0646\u0634\u0637\u0629 \u0644\u0644\u062d\u0648\u0627\u062f\u062b.<\/p>\n<p>\u0646\u0641\u0651\u0630 \u0627\u0644\u062a\u062c\u0645\u064a\u062f \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0646\u0635\u0629\u060c \u0648\u0644\u064a\u0633 \u0641\u0642\u0637 \u0643\u0627\u062a\u0641\u0627\u0642 \u0641\u0631\u064a\u0642. \u064a\u062f\u0639\u0645 GitHub Environments <strong>deployment branch policies<\/strong> \u0648 <strong>wait timers<\/strong>. \u064a\u0633\u0645\u062d GitLab \u0628\u0640 <strong>deploy freezes<\/strong> \u0627\u0644\u0645\u0643\u0648\u0646\u0629 \u0639\u0628\u0631 \u0627\u0644\u0648\u0627\u062c\u0647\u0629 \u0623\u0648 API \u0628\u062c\u062f\u0627\u0648\u0644 \u0628\u0646\u0645\u0637 cron. 
\u0644\u0633\u064a\u0631 \u0639\u0645\u0644 Kubernetes\u060c \u064a\u0645\u0643\u0646\u0643 \u0641\u0631\u0636 \u0627\u0644\u062a\u062c\u0645\u064a\u062f \u0628\u0633\u064a\u0627\u0633\u0629 OPA\/Gatekeeper \u0623\u0648 Kyverno \u062a\u0631\u0641\u0636 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u062e\u0644\u0627\u0644 \u0646\u0648\u0627\u0641\u0630 \u0632\u0645\u0646\u064a\u0629 \u0645\u062d\u062f\u062f\u0629.<\/p>\n<pre><code># Kyverno policy to enforce deployment freeze\napiVersion: kyverno.io\/v1\nkind: ClusterPolicy\nmetadata:\n  name: deployment-freeze\nspec:\n  validationFailureAction: Enforce\n  background: false\n  rules:\n    - name: block-deployments-during-freeze\n      match:\n        any:\n          - resources:\n              kinds:\n                - Deployment\n              namespaces:\n                - production\n      preconditions:\n        all:\n          - key: \"{{ time_now() }}\"\n            operator: GreaterThan\n            value: \"2026-03-27T00:00:00Z\"  # Freeze start\n          - key: \"{{ time_now() }}\"\n            operator: LessThan\n            value: \"2026-03-30T00:00:00Z\"  # Freeze end\n      validate:\n        message: \"Production deployments are frozen until March 30. 
Contact platform-team for emergency exceptions.\"\n        deny: {}\n<\/code><\/pre>\n<p>\u0648\u062b\u0651\u0642 \u0639\u0645\u0644\u064a\u0629 \u0627\u0633\u062a\u062b\u0646\u0627\u0621 \u0644\u062a\u0635\u062d\u064a\u062d\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u0637\u0627\u0631\u0626\u0629 \u0627\u0644\u062a\u064a \u062a\u062d\u062a\u0627\u062c \u0644\u0644\u0646\u0634\u0631 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u062a\u062c\u0645\u064a\u062f\u060c \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0645\u0646 \u064a\u0645\u0643\u0646\u0647 \u062a\u0641\u0648\u064a\u0636 \u0627\u0644\u0627\u0633\u062a\u062b\u0646\u0627\u0621 \u0648\u0643\u064a\u0641 \u064a\u062a\u0645 \u062a\u0633\u062c\u064a\u0644\u0647.<\/p>\n<h2 class=\"wp-block-heading\">\u0633\u062c\u0644 \u0627\u0644\u062a\u062f\u0642\u064a\u0642: \u0631\u0628\u0637 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u0628\u0640 Commits \u0648\u0627\u0644\u0645\u0648\u0627\u0641\u0642\u064a\u0646 \u0648\u062a\u0634\u063a\u064a\u0644\u0627\u062a Pipeline<\/h2>\n<p>\u064a\u0646\u062a\u062c \u0633\u064a\u0631 \u0639\u0645\u0644 \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u0622\u0645\u0646 \u0633\u062c\u0644 \u062a\u062f\u0642\u064a\u0642 \u0643\u0627\u0645\u0644 \u0648\u0645\u0642\u0627\u0648\u0645 \u0644\u0644\u062a\u0644\u0627\u0639\u0628. 
\u0644\u0643\u0644 \u0646\u0634\u0631 \u0641\u064a \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c\u060c \u064a\u062c\u0628 \u0623\u0646 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0627\u0644\u0625\u062c\u0627\u0628\u0629: <em>\u0645\u0627\u0630\u0627<\/em> \u062a\u0645 \u0646\u0634\u0631\u0647\u061f <em>\u0645\u0646<\/em> \u0648\u0627\u0641\u0642 \u0639\u0644\u064a\u0647\u061f <em>\u0623\u064a<\/em> pipeline \u0628\u0646\u0627\u0647\u061f <em>\u0623\u064a<\/em> commit \u064a\u0631\u062c\u0639 \u0625\u0644\u064a\u0647\u061f<\/p>\n<h3 class=\"wp-block-heading\">\u0633\u062c\u0644\u0627\u062a \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0646\u0635\u0629<\/h3>\n<p>\u064a\u0633\u062c\u0644 <strong>AWS CloudTrail<\/strong> \u0627\u0633\u062a\u062f\u0639\u0627\u0621\u0627\u062a API \u0625\u0644\u0649 EKS \u0648 ECS \u0648 Lambda\u060c \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0645\u0646 \u0628\u062f\u0623 \u0627\u0644\u0646\u0634\u0631 \u0648\u0645\u0646 \u0623\u064a \u0645\u0635\u062f\u0631. \u062a\u0648\u0641\u0631 <strong>GCP Audit Logs<\/strong> \u062a\u063a\u0637\u064a\u0629 \u0645\u0645\u0627\u062b\u0644\u0629 \u0644\u0640 GKE \u0648 Cloud Run. 
\u062a\u0623\u0643\u062f \u0645\u0646 \u0625\u0631\u0633\u0627\u0644 \u0647\u0630\u0647 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0625\u0644\u0649 \u0645\u062e\u0632\u0646 \u0633\u062c\u0644\u0627\u062a \u0645\u0631\u0643\u0632\u064a \u063a\u064a\u0631 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 (\u0645\u062b\u0644 S3 bucket \u0645\u062e\u0635\u0635 \u0645\u0639 object lock \u0623\u0648 SIEM) \u062d\u064a\u062b \u0644\u0627 \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0644\u0630\u064a \u0627\u062e\u062a\u0631\u0642 \u0628\u064a\u0626\u0629 \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0647\u0627.<\/p>\n<h3 class=\"wp-block-heading\">\u0627\u0644\u062a\u062a\u0628\u0639 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 Pipeline<\/h3>\n<p>\u0623\u0636\u0641 \u062a\u0639\u0644\u064a\u0642\u0627\u062a \u062a\u0648\u0636\u064a\u062d\u064a\u0629 \u0644\u0645\u0648\u0627\u0631\u062f Kubernetes \u0628\u0628\u064a\u0627\u0646\u0627\u062a \u0648\u0635\u0641\u064a\u0629 \u0644\u0644\u0646\u0634\u0631 \u062d\u062a\u0649 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0627\u0644\u062a\u062a\u0628\u0639 \u0645\u0646 pod \u0642\u064a\u062f \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0625\u0644\u0649 \u0627\u0644\u0645\u0635\u062f\u0631 \u0628\u0627\u0644\u0636\u0628\u0637:<\/p>\n<pre><code># Include in your Helm chart or Kustomize overlay\nmetadata:\n  labels:\n    app.kubernetes.io\/version: \"{{ .Values.image.tag }}\"\n  annotations:\n    deploy.example.com\/commit-sha: \"{{ .Values.commitSha }}\"\n    deploy.example.com\/pipeline-url: \"{{ .Values.pipelineUrl }}\"\n    deploy.example.com\/approved-by: \"{{ .Values.approvedBy }}\"\n    deploy.example.com\/deployed-at: \"{{ now | date \\\"2006-01-02T15:04:05Z\\\" }}\"\n<\/code><\/pre>\n<p>\u0641\u064a GitHub Actions\u060c \u0645\u0631\u0651\u0631 \u0647\u0630\u0647 \u0627\u0644\u0642\u064a\u0645 \u0639\u0628\u0631 deployment 
workflow:<\/p>\n<pre><code>- name: Deploy with traceability\n  run: |\n    helm upgrade --install myapp .\/chart \\\n      --set image.tag=${{ github.sha }} \\\n      --set commitSha=${{ github.sha }} \\\n      --set pipelineUrl=\"https:\/\/github.com\/${{ github.repository }}\/actions\/runs\/${{ github.run_id }}\" \\\n      --set approvedBy=\"${{ github.actor }}\" \\\n      --namespace production\n<\/code><\/pre>\n<p>\u0627\u0646\u062a\u0628\u0647: <code>github.actor<\/code> \u0647\u0648 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0630\u064a \u0634\u063a\u0651\u0644 workflow\u060c \u0648\u0644\u064a\u0633 \u0628\u0627\u0644\u0636\u0631\u0648\u0631\u0629 \u0645\u0646 \u0648\u0627\u0641\u0642 \u0639\u0644\u0649 \u0627\u0644\u0646\u0634\u0631. \u0644\u0630\u0644\u0643 \u0644\u0627 \u062a\u062b\u0628\u062a annotation <code>approved-by<\/code> \u0648\u062d\u062f\u0647\u0627 \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0629\u061b \u062e\u0630 \u0627\u0633\u0645 \u0627\u0644\u0645\u0648\u0627\u0641\u0642 \u0645\u0646 \u0633\u062c\u0644 \u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0627\u062a \u0641\u064a \u0627\u0644\u0645\u0646\u0635\u0629.<\/p>\n<h2 class=\"wp-block-heading\">\u0627\u0644\u0645\u0631\u0627\u0642\u0628\u0629 \u0628\u0639\u062f \u0627\u0644\u0646\u0634\u0631<\/h2>\n<p>\u0644\u0627 \u064a\u0646\u062a\u0647\u064a \u0627\u0644\u0646\u0634\u0631 \u0639\u0646\u062f\u0645\u0627 \u064a\u0639\u0645\u0644 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062c\u062f\u064a\u062f. \u062a\u063a\u0644\u0642 \u0627\u0644\u0645\u0631\u0627\u0642\u0628\u0629 \u0628\u0639\u062f \u0627\u0644\u0646\u0634\u0631 \u062d\u0644\u0642\u0629 \u0627\u0644\u062a\u063a\u0630\u064a\u0629 \u0627\u0644\u0631\u0627\u062c\u0639\u0629 \u0648\u062a\u0644\u062a\u0642\u0637 \u0627\u0644\u0645\u0634\u0627\u0643\u0644 \u0627\u0644\u062a\u064a \u0641\u0627\u062a\u062a\u0647\u0627 \u0641\u062d\u0648\u0635\u0627\u062a \u0645\u0627 \u0642\u0628\u0644 \u0627\u0644\u0646\u0634\u0631.<\/p>\n<h3 class=\"wp-block-heading\">\u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0644\u0634\u0630\u0648\u0630<\/h3>\n<p>\u062d\u062f\u062f \u0645\u0642\u0627\u064a\u064a\u0633 \u0623\u0633\u0627\u0633\u064a\u0629 \u0644\u0633\u0644\u0648\u0643 \u0627\u0644\u062a\u0637\u0628\u064a\u0642 \u0627\u0644\u0637\u0628\u064a\u0639\u064a: \u0645\u0639\u062f\u0644\u0627\u062a \u0627\u0644\u0637\u0644\u0628\u0627\u062a\u060c \u0648\u0645\u0639\u062f\u0644\u0627\u062a \u0627\u0644\u0623\u062e\u0637\u0627\u0621\u060c \u0648\u0645\u0626\u0648\u064a\u0627\u062a \u0632\u0645\u0646 \u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629\u060c \u0648\u0627\u0633\u062a\u062e\u062f\u0627\u0645 CPU\/\u0627\u0644\u0630\u0627\u0643\u0631\u0629\u060c 
\u0648\u0623\u0646\u0645\u0627\u0637 \u0627\u062a\u0635\u0627\u0644 \u0627\u0644\u0634\u0628\u0643\u0629. \u0628\u0639\u062f \u0643\u0644 \u0646\u0634\u0631\u060c \u0642\u0627\u0631\u0646 \u0627\u0644\u0645\u0642\u0627\u064a\u064a\u0633 \u0627\u0644\u062d\u0627\u0644\u064a\u0629 \u0628\u0627\u0644\u0623\u0633\u0627\u0633. \u0623\u062f\u0648\u0627\u062a \u0645\u062b\u0644 <strong>Prometheus + Alertmanager<\/strong> \u0648 <strong>Datadog<\/strong> \u0648 <strong>Grafana Alerting<\/strong> \u064a\u0645\u0643\u0646\u0647\u0627 \u0625\u0637\u0644\u0627\u0642 \u062a\u0646\u0628\u064a\u0647\u0627\u062a \u0639\u0646\u062f\u0645\u0627 \u062a\u0646\u062d\u0631\u0641 \u0645\u0642\u0627\u064a\u064a\u0633 \u0645\u0627 \u0628\u0639\u062f \u0627\u0644\u0646\u0634\u0631 \u0639\u0646 \u0627\u0644\u0639\u062a\u0628\u0627\u062a.<\/p>\n<p>\u0645\u0646 \u0645\u0646\u0638\u0648\u0631 \u0623\u0645\u0646\u064a\u060c \u0627\u0646\u062a\u0628\u0647 \u0628\u0634\u0643\u0644 \u062e\u0627\u0635 \u0644\u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0627\u0644\u0634\u0628\u0643\u0629 \u0627\u0644\u0635\u0627\u062f\u0631\u0629 \u063a\u064a\u0631 \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629\u060c \u0648\u0627\u0644\u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u062c\u062f\u064a\u062f\u0629 \u0627\u0644\u0645\u0646\u0634\u0623\u0629 \u062f\u0627\u062e\u0644 containers\u060c \u0648\u0627\u0633\u062a\u062f\u0639\u0627\u0621\u0627\u062a \u0627\u0644\u0646\u0638\u0627\u0645 \u0627\u0644\u0645\u0631\u062a\u0641\u0639\u0629\u060c \u0648\u0627\u0644\u0632\u064a\u0627\u062f\u0627\u062a \u0627\u0644\u0645\u0641\u0627\u062c\u0626\u0629 \u0641\u064a \u0641\u0634\u0644 \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629. 
\u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u0634\u064a\u0631 \u0647\u0630\u0647 \u0625\u0644\u0649 \u0623\u0646 artifact \u0645\u062e\u062a\u0631\u0642 \u0645\u0631\u0651 \u0639\u0628\u0631 pipeline.<\/p>\n<h3 class=\"wp-block-heading\">\u0645\u0642\u0627\u064a\u064a\u0633 DORA \u0644\u0644\u0623\u0645\u0646<\/h3>\n<p>\u0645\u0642\u0627\u064a\u064a\u0633 DORA \u0627\u0644\u0623\u0631\u0628\u0639\u0629 \u2014 \u062a\u0643\u0631\u0627\u0631 \u0627\u0644\u0646\u0634\u0631\u060c \u0648\u0632\u0645\u0646 \u0627\u0644\u062a\u0633\u0644\u064a\u0645 \u0644\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a\u060c \u0648\u0645\u0639\u062f\u0644 \u0641\u0634\u0644 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u060c \u0648\u0645\u062a\u0648\u0633\u0637 \u0648\u0642\u062a \u0627\u0644\u0627\u0633\u062a\u0631\u062f\u0627\u062f \u2014 \u062a\u064f\u0633\u062a\u062e\u062f\u0645 \u0639\u0627\u062f\u0629\u064b \u0644\u0642\u064a\u0627\u0633 \u0623\u062f\u0627\u0621 DevOps. \u0648\u0647\u064a \u0628\u0646\u0641\u0633 \u0627\u0644\u0642\u064a\u0645\u0629 \u0644\u0644\u0623\u0645\u0646:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>\u062a\u0643\u0631\u0627\u0631 \u0627\u0644\u0646\u0634\u0631<\/strong> \u064a\u0634\u064a\u0631 \u0625\u0644\u0649 \u0645\u062f\u0649 \u062a\u0643\u0631\u0627\u0631 \u0625\u0645\u0643\u0627\u0646\u064a\u0629 \u0634\u062d\u0646 \u062a\u0635\u062d\u064a\u062d\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646. 
\u0627\u0644\u062a\u0643\u0631\u0627\u0631 \u0627\u0644\u0623\u0639\u0644\u0649 \u064a\u0639\u0646\u064a \u0645\u0639\u0627\u0644\u062c\u0629 \u0623\u0633\u0631\u0639.<\/li>\n<li><strong>\u0632\u0645\u0646 \u0627\u0644\u062a\u0633\u0644\u064a\u0645 \u0644\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a<\/strong> \u064a\u0642\u064a\u0633 \u0645\u062f\u0649 \u0633\u0631\u0639\u0629 \u0648\u0635\u0648\u0644 \u0625\u0635\u0644\u0627\u062d \u0623\u0645\u0646\u064a \u0645\u0646 commit \u0625\u0644\u0649 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u0623\u0648\u0642\u0627\u062a \u0627\u0644\u062a\u0633\u0644\u064a\u0645 \u0627\u0644\u0637\u0648\u064a\u0644\u0629 \u062a\u0639\u0646\u064a \u0646\u0648\u0627\u0641\u0630 \u062a\u0639\u0631\u0636 \u0645\u0645\u062a\u062f\u0629.<\/li>\n<li><strong>\u0645\u0639\u062f\u0644 \u0641\u0634\u0644 \u0627\u0644\u062a\u063a\u064a\u064a\u0631<\/strong> \u064a\u062a\u062a\u0628\u0639 \u0645\u062f\u0649 \u062a\u0643\u0631\u0627\u0631 \u062a\u0633\u0628\u0628 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u0641\u064a \u062d\u0648\u0627\u062f\u062b. \u0645\u0639\u062f\u0644 \u0639\u0627\u0644\u064d \u064a\u0634\u064a\u0631 \u0625\u0644\u0649 \u0627\u062e\u062a\u0628\u0627\u0631 \u0623\u0648 \u062a\u062d\u0642\u0642 \u063a\u064a\u0631 \u0643\u0627\u0641\u064d \u2014 \u0648\u0647\u0648 \u0645\u0635\u062f\u0631 \u0642\u0644\u0642 \u0623\u0645\u0646\u064a.<\/li>\n<li><strong>\u0645\u062a\u0648\u0633\u0637 \u0648\u0642\u062a \u0627\u0644\u0627\u0633\u062a\u0631\u062f\u0627\u062f (MTTR)<\/strong> \u064a\u0642\u064a\u0633 \u0645\u062f\u0649 \u0633\u0631\u0639\u0629 \u0625\u0645\u0643\u0627\u0646\u064a\u0629 \u0627\u0644\u062a\u0631\u0627\u062c\u0639 \u0623\u0648 \u0645\u0639\u0627\u0644\u062c\u0629 \u0646\u0634\u0631 \u0633\u064a\u0621. 
MTTR \u0645\u0646\u062e\u0641\u0636 \u064a\u062d\u062f \u0645\u0646 \u0646\u0637\u0627\u0642 \u0627\u0644\u0636\u0631\u0631 \u0644\u0623\u064a \u062d\u0627\u062f\u062b\u060c \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0627\u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u0627\u0644\u0623\u0645\u0646\u064a.<\/li>\n<\/ul>\n<p>\u062a\u062a\u0628\u0639 \u0647\u0630\u0647 \u0627\u0644\u0645\u0642\u0627\u064a\u064a\u0633 \u0644\u0643\u0644 \u0628\u064a\u0626\u0629 \u0648\u0627\u0631\u0628\u0637\u0647\u0627 \u0628\u0627\u0644\u0623\u062d\u062f\u0627\u062b \u0627\u0644\u0623\u0645\u0646\u064a\u0629. \u0625\u0630\u0627 \u0627\u0631\u062a\u0641\u0639 \u0645\u0639\u062f\u0644 \u0641\u0634\u0644 \u0627\u0644\u062a\u063a\u064a\u064a\u0631 \u0628\u0639\u062f \u062a\u0628\u0646\u064a \u0646\u0645\u0637 \u0646\u0634\u0631 \u062c\u062f\u064a\u062f\u060c \u062d\u0642\u0642 \u0642\u0628\u0644 \u0623\u0646 \u064a\u0635\u0628\u062d \u0645\u0633\u0624\u0648\u0644\u064a\u0629 \u0623\u0645\u0646\u064a\u0629.<\/p>\n<h2 class=\"wp-block-heading\">\u062a\u062c\u0645\u064a\u0639 \u0643\u0644 \u0634\u064a\u0621: Pipeline \u0646\u0634\u0631 \u0622\u0645\u0646 \u0645\u062a\u0643\u0627\u0645\u0644<\/h2>\n<p>\u0625\u0644\u064a\u0643 \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0643\u0627\u0645\u0644 \u064a\u062a\u0636\u0645\u0646 \u0627\u0644\u0645\u0645\u0627\u0631\u0633\u0627\u062a \u0627\u0644\u0645\u0630\u0643\u0648\u0631\u0629 \u0623\u0639\u0644\u0627\u0647 \u2014 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 artifacts\u060c \u0648\u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0627\u062a \u0627\u0644\u0645\u0628\u0646\u064a\u0629 \u0639\u0644\u0649 \u0627\u0644\u0628\u064a\u0626\u0627\u062a\u060c \u0648\u062a\u062a\u0628\u0639 \u0627\u0644\u0646\u0634\u0631\u060c \u0648 rollback \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a:<\/p>\n<pre><code># .github\/workflows\/secure-deploy.yml\nname: Secure Deployment\n\non:\n  workflow_run:\n    workflows: [\"Build and Sign\"]\n    
types: [completed]\n    branches: [main]\n\njobs:\n  verify-and-deploy:\n    runs-on: ubuntu-latest\n    if: ${{ github.event.workflow_run.conclusion == 'success' }}\n    environment:\n      name: production\n      url: https:\/\/app.example.com\n    permissions:\n      id-token: write\n      contents: read\n    steps:\n      - name: Checkout manifests\n        uses: actions\/checkout@v4\n\n      - name: Install cosign\n        uses: sigstore\/cosign-installer@v3\n\n      - name: Verify image signature (keyless)\n        run: |\n          IMAGE=\"ghcr.io\/myorg\/myapp@${{ github.event.workflow_run.head_sha }}\"\n          cosign verify \\\n            --certificate-identity \"https:\/\/github.com\/myorg\/myapp\/.github\/workflows\/build.yml@refs\/heads\/main\" \\\n            --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n            \"$IMAGE\"\n\n      - name: Verify SLSA provenance\n        run: |\n          IMAGE=\"ghcr.io\/myorg\/myapp@${{ github.event.workflow_run.head_sha }}\"\n          cosign verify-attestation \\\n            --type slsaprovenance \\\n            --certificate-identity \"https:\/\/github.com\/slsa-framework\/slsa-github-generator\/.github\/workflows\/generator_container_slsa3.yml@refs\/tags\/v1.9.0\" \\\n            --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n            \"$IMAGE\"\n\n      - name: Configure AWS credentials (deploy role)\n        uses: aws-actions\/configure-aws-credentials@v4\n        with:\n          role-to-assume: arn:aws:iam::123456789012:role\/deploy-production\n          aws-region: us-east-1\n\n      - name: Deploy to EKS\n        run: |\n          aws eks update-kubeconfig --name production-cluster\n          helm upgrade --install myapp .\/chart \\\n            --set image.tag=${{ github.event.workflow_run.head_sha }} \\\n            --set commitSha=${{ github.event.workflow_run.head_sha }} \\\n            --set 
pipelineUrl=\"https:\/\/github.com\/${{ github.repository }}\/actions\/runs\/${{ github.run_id }}\" \\\n            --set approvedBy=\"${{ github.actor }}\" \\\n            --namespace production \\\n            --wait --timeout 300s\n\n      - name: Verify rollout\n        run: |\n          kubectl rollout status deployment\/myapp \\\n            --namespace production --timeout=300s\n\n      - name: Rollback on failure\n        if: failure()\n        run: |\n          echo \"Deployment failed \u2014 initiating rollback\"\n          kubectl rollout undo deployment\/myapp --namespace production\n          echo \"::error::Deployment rolled back due to failure\"\n<\/code><\/pre>\n<p>\u0645\u0644\u0627\u062d\u0638\u0629: \u0627\u0644\u0645\u0631\u062c\u0639 \u0628\u0635\u064a\u063a\u0629 <code>name@digest<\/code> \u064a\u062a\u0637\u0644\u0628 image digest (\u0645\u062b\u0644 <code>sha256:...<\/code>) \u0648\u0644\u064a\u0633 Git commit SHA. \u0645\u0631\u0651\u0631 digest \u0627\u0644\u0646\u0627\u062a\u062c \u0639\u0646 build workflow \u0648\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u060c \u062b\u0645 \u0627\u0646\u0634\u0631 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 digest \u0646\u0641\u0633\u0647 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 tag\u060c \u062d\u062a\u0649 \u064a\u0643\u0648\u0646 \u0645\u0627 \u062a\u0645 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647 \u0647\u0648 \u0628\u0627\u0644\u0636\u0628\u0637 \u0645\u0627 \u064a\u0646\u0634\u0631.<\/p>\n<p>\u0648 pipeline GitLab CI \u0627\u0644\u0645\u0643\u0627\u0641\u0626 \u0628\u0636\u0648\u0627\u0628\u0637 \u0645\u0645\u0627\u062b\u0644\u0629:<\/p>\n<pre><code># .gitlab-ci.yml\nstages:\n  - verify\n  - deploy\n  - validate\n\nverify_artifact:\n  stage: verify\n  image: bitnami\/cosign:latest\n  script:\n    - cosign verify\n        --certificate-identity \"https:\/\/gitlab.com\/myorg\/myapp\/\/.gitlab-ci.yml@refs\/heads\/main\"\n        --certificate-oidc-issuer \"https:\/\/gitlab.com\"\n        $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA\n  rules:\n    - if: $CI_COMMIT_BRANCH == \"main\"\n\ndeploy_production:\n  stage: deploy\n  environment:\n    name: production\n    url: https:\/\/app.example.com\n  resource_group: production\n  needs: [verify_artifact]\n  rules:\n    - if: $CI_COMMIT_BRANCH == \"main\"\n      when: manual\n  script:\n    - aws eks update-kubeconfig --name production-cluster\n    - helm upgrade --install myapp .\/chart\n        --set image.tag=$CI_COMMIT_SHA\n        --set commitSha=$CI_COMMIT_SHA\n        --set pipelineUrl=$CI_PIPELINE_URL\n        --set approvedBy=$GITLAB_USER_LOGIN\n        --namespace production\n        --wait --timeout 300s\n\nvalidate_deployment:\n  stage: validate\n  needs: [deploy_production]\n  script:\n    - kubectl rollout status deployment\/myapp 
--namespace production --timeout=300s\n  after_script:\n    - |\n      if [ \"$CI_JOB_STATUS\" == \"failed\" ]; then\n        echo \"Rolling back deployment\"\n        kubectl rollout undo deployment\/myapp --namespace production\n      fi\n  rules:\n    - if: $CI_COMMIT_BRANCH == \"main\"\n<\/code><\/pre>\n<h2 class=\"wp-block-heading\">\u0627\u0644\u0645\u0644\u062e\u0635 \u0648\u0627\u0644\u0623\u062f\u0644\u0629 \u0630\u0627\u062a \u0627\u0644\u0635\u0644\u0629<\/h2>\n<p>\u062a\u062a\u0637\u0644\u0628 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u0622\u0645\u0646 \u062f\u0641\u0627\u0639\u0627\u064b \u0639\u0645\u064a\u0642\u0627\u064b \u0639\u0628\u0631 \u0643\u0644 \u0645\u0631\u062d\u0644\u0629: \u0627\u062e\u062a\u064a\u0627\u0631 \u0646\u0645\u0648\u0630\u062c \u0627\u0644\u0646\u0634\u0631 \u0627\u0644\u0645\u0646\u0627\u0633\u0628\u060c \u0648\u0641\u0631\u0636 \u0627\u0644\u0628\u0648\u0627\u0628\u0627\u062a \u0648\u0627\u0644\u0645\u0648\u0627\u0641\u0642\u0627\u062a\u060c \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 artifacts \u0639\u0646\u062f \u062d\u062f\u0648\u062f cluster\u060c \u0648\u0637\u0631\u062d \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u062a\u062f\u0631\u064a\u062c\u064a\u0627\u064b\u060c \u0648\u0627\u0644\u062d\u0641\u0627\u0638 \u0639\u0644\u0649 \u0645\u0633\u0627\u0631\u0627\u062a rollback \u0646\u0638\u064a\u0641\u0629\u060c \u0648\u0641\u0635\u0644 \u0647\u0648\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0646\u0634\u0631\u060c \u0648\u0627\u062d\u062a\u0631\u0627\u0645 \u0646\u0648\u0627\u0641\u0630 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u060c \u0648\u062a\u0633\u062c\u064a\u0644 \u0643\u0644 \u0634\u064a\u0621. \u0644\u0627 \u064a\u0643\u0641\u064a \u0636\u0627\u0628\u0637 \u0648\u0627\u062d\u062f \u0628\u0645\u0641\u0631\u062f\u0647. 
\u0627\u0644\u062c\u0645\u0639 \u0628\u064a\u0646 \u0627\u0644\u062a\u062d\u0642\u0642 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 pipeline\u060c \u0648\u0625\u0646\u0641\u0627\u0630 admission-controller\u060c \u0648\u0627\u0644\u0637\u0631\u062d \u0627\u0644\u062a\u062f\u0631\u064a\u062c\u064a\u060c \u0648\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0627\u0644\u0634\u0627\u0645\u0644 \u064a\u0646\u0634\u0626 \u0639\u0645\u0644\u064a\u0629 \u0646\u0634\u0631 \u0633\u0631\u064a\u0639\u0629 \u0648\u0622\u0645\u0646\u0629 \u0641\u064a \u0622\u0646 \u0648\u0627\u062d\u062f.<\/p>\n<p>\u062a\u0627\u0628\u0639 \u0628\u0646\u0627\u0621 \u0645\u0639\u0631\u0641\u062a\u0643 \u0628\u0640 CI\/CD \u0627\u0644\u0622\u0645\u0646 \u0645\u0639 \u0647\u0630\u0647 \u0627\u0644\u0623\u062f\u0644\u0629 \u0630\u0627\u062a \u0627\u0644\u0635\u0644\u0629:<\/p>\n<ul class=\"wp-block-list\">\n<li><a href=\"\/ar\/ci-cd-security\/separation-of-duties-least-privilege-ci-cd-pipelines\/\">\u0641\u0635\u0644 \u0627\u0644\u0645\u0647\u0627\u0645 \u0648\u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0641\u064a CI\/CD Pipelines<\/a> \u2014 \u062a\u0639\u0645\u0642 \u0641\u064a \u0641\u0635\u0644 \u0627\u0644\u0647\u0648\u064a\u0627\u062a\u060c \u0648\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0645\u062d\u062f\u062f\u0629 \u0627\u0644\u0646\u0637\u0627\u0642\u060c \u0648\u0645\u0628\u062f\u0623 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0639\u0628\u0631 pipeline.<\/li>\n<li><a href=\"\/ar\/ci-cd-security\/defensive-patterns-mitigations-ci-cd-pipeline-attacks\/\">\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u062f\u0641\u0627\u0639 \u0648\u0627\u0644\u062a\u062e\u0641\u064a\u0641 \u0644\u0647\u062c\u0645\u0627\u062a CI\/CD Pipeline<\/a> 
\u2014 \u0625\u062c\u0631\u0627\u0621\u0627\u062a \u0645\u0636\u0627\u062f\u0629 \u0639\u0645\u0644\u064a\u0629 \u0644\u0623\u0643\u062b\u0631 \u0645\u062a\u062c\u0647\u0627\u062a \u0627\u0644\u0647\u062c\u0648\u0645 \u0634\u064a\u0648\u0639\u0627\u064b \u0627\u0644\u062a\u064a \u062a\u0633\u062a\u0647\u062f\u0641 \u0623\u0646\u0638\u0645\u0629 CI\/CD.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u062a\u0636\u0645\u0646 CI\/CD pipeline \u0644\u062f\u064a\u0643 \u0636\u0648\u0627\u0628\u0637 \u0623\u0645\u0646\u064a\u0629 \u0645\u062d\u0643\u0645\u0629 \u2014 commits \u0645\u0648\u0642\u0639\u0629\u060c dependencies \u0645\u062b\u0628\u062a\u0629\u060c \u0641\u062d\u0648\u0635\u0627\u062a SAST\u060c \u062a\u0648\u0642\u064a\u0639 container images \u2014 \u0644\u0643\u0646 \u0643\u0644 \u0630\u0644\u0643 \u0644\u0627 \u0642\u064a\u0645\u0629 \u0644\u0647 \u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0646\u0634\u0631 \u0646\u0641\u0633\u0647\u0627 \u0636\u0639\u064a\u0641\u0629. 
\u0627\u0644\u0646\u0634\u0631 \u0647\u0648 \u0646\u0642\u0637\u0629 \u0627\u0644\u062a\u0642\u0627\u0637\u0639 \u0627\u0644\u062d\u0631\u062c\u0629 \u062d\u064a\u062b \u064a\u0644\u062a\u0642\u064a \u0623\u0645\u0627\u0646 pipeline \u0628\u0623\u0645\u0627\u0646 \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,28],"tags":[],"post_folder":[],"class_list":["post-789","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-pipeline-hardening"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/789","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=789"}],"version-history":[{"count":0,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/789\/revisions"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=789"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=789"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}