Why do you need another API to handle external traffic when you have the stable Kubernetes Ingress API and dozens of implementations? What problems of the Ingress API does the new Gateway API solve? Does this mean the end of the Ingress API?
In this short talk, Navendu will answer these questions by exploring how Gateway APIs evolved and solved the shortcomings of the Ingress API with hands-on examples.
Attendees will learn about the new Gateway API and how they can implement feature-rich, extensible, vendor-neutral gateways to their Kubernetes clusters.
Artificial intelligence (AI) has revolutionized the way we interact with technology and has become an integral part of modern applications. The OpenAI API provides developers with powerful AI capabilities, allowing them to build advanced AI applications with ease.
However, as the usage of AI grows, so does the need for scalable, performant, and secure API integrations. This is where API Management comes in. API Management provides advanced features for managing and scaling API integrations.
In this talk, we will explore the benefits of integrating an open-source Apache APISIX API Gateway with the OpenAI API and how you can use Apache APISIX to create a more scalable, performant, and secure AI integration. From proxy caching to security features, we will cover everything you need to know to get started with Apache APISIX and OpenAI API integration. Whether you're an AI developer or a DevOps professional, this session is your complete guide to creating a powerful and cost-effective AI integration.
Networking microservices in the last decade has typically involved recipes usually involves some bespoke combination of Kubernetes service abstractions, kernel NAT rules, load balancers, mesh designs, vpn tunnels and federation management together with numerous intermediate gateways and sidecars. The downside: fragility at scale, brittle microservice infrastructure and significant operational complexity.
What if there was a simpler way? That scales from very small to massively large deployments? That can be built into the platform natively? You will want to grab a front row seat for this demo, but on the way in, be sure to wipe your mind clean of historical baggage!
Ephemeral containers are an amazing recent feature in Kubernetes with great potential. We will explore that potential by running a live debugger session alongside an application pod and debug it remotely.
When AWS released Firecracker in 2018, developers thought the potential was going to be limitless. Four years later, the project is much more mature and can even be integrated into Kubernetes, but when should you use it?
This talk covers the fundamentals of a Linux Operating System, and how isolation varies with legacy VMs, containers and microVMs.
You’ll learn how to integrate with Firecracker directly, or with existing cloud native looks like containerd, CNI and the OCI image spec.
There’ll be a live demo of microVMs in a real application developed by OpenFaaS, and a lab in a GitHub repo you can explore on your own after the talk.
Sometimes we make mistakes unintentionally while, at other times, bad actors try to exploit our systems. No matter the reason, misconfigurations can lead to security breaches, data loss, or even bring the whole system down. We may never be able to prevent all of these, but we can certainly minimize the risk by applying policies to infrastructure, services, and applications. The primary weapon in this fight is Policy-as-Code tools combined with Internal Developer Platforms.
In this talk, we'll build an Internal Developer Platform (IDP) and combine it with policies. As a result, we will not only enable developers to define and manage their applications and infrastructure, but we will also ensure that they are "doing the right thing" by guiding them with policies.
We'll use Crossplane to build an IDP that will allow developers to define their infrastructure and applications. We'll also use Validating Admission Policy to define policies that will guide them to define the resources they need, help them avoid making mistakes, and ensure that even malicious actors won't be able to exploit the system.
"To build or not to build?" is the question you have to ask yourself often if you work on the Infrastructure team. When Chronosphere was just 1.5 years old, we decided to build our own deployment system. Two years after making this decision, I would like to share with you why we did it, how we did it, and the lessons we've learned along the way.
Kubernetes secrets are a necessity to the majority of Kubernetes users. Most applications require secrets. A Kubernetes secret stores sensitive data, such as passwords, OAuth tokens, and SSH keys. Securing these assets and ensuring there integrity is vital. How do admins safely and reliably manage these secrets? Which options are currently available in and outside of Kubernetes? How do you avoid storing the same secret multiple time across different environments? Join our talk to learn which methods are available to safely secure your Kubernetes secrets in a production environment. Simon will demonstrate various ways of storing and accessing secrets in and outside of a Kubernetes cluster. We will also cover how to sync external secrets to multiple Kubernetes clusters.
We've been using GitOps for the last three years to operate our internal managed K8s service, coming with logging, monitoring, policy enforcement, telco specific networking components and more.
Join us to learn about how we started, scaled, failed and repeated, as our environments got more heterogeneous, numerous and complex.
We will show you our first approach using just flux and directories, go into details how we outgrew it and what our pain points were.
We then settled on another design, using flux and kustomize overlays, only to outgrow that due to the heterogeneity of our environment.
We will then show you what we settled upon: versioned artifacts that contain all configuration and version details, why we think its the right fit for us but also some remaining problems. We will also show you how you can replicate our approach in your environment, if you think it might also work for you.
Have you heard of SLSA, or SBOM or the new fuzzy word in the street “Software Supply Chain Security'' before ? Maybe yes if you are avide reader of some tech publications out-there. But what does this all mean really ? Or rather should you care ? Well the answer is it depends. In this talk the speaker will attempt to clarify these words, what they mean and present a state of the security world with tools and methodologies people and organizations are implementing to ensure software is secured from dev to production.
eBPF allows for getting in-depth insights from Linux system. Inspektor Gadget provides built-in "gadgets" (eBPF programs) and the plumbing for distributing, running and collecting data from eBPF programs on Linux hosts and Kubernetes clusters. It has recently gained needed votes to become a CNCF sandbox project.
In this presentation, I'll demonstrate how to run built-in gadgets, deploy and use custom eBPF programs, and use Inspektor Gadget's new bpftrace-based DSL to script data collection. We'll cover several troubleshooting scenarios with various gadgets and also show how to use Inspektor Gadget to export metrics to Prometheus.
We will see examples on how to use skaffold ( https://skaffold.dev ) to:
- Continuously deploy your application on a test local Kubernetes cluster while you code it in your editor
- Manage your image builds for different environments
- Deploy across different lifecycle stages (qa, staging, prod, ..) with the proper configurations
OpenTelemetry is the most active CNCF project after Kubernetes. The project is progressing at an immense pace on many fronts. The core project is expanding beyond the “three pillars” into new signals, such as continuous profiling, and beyond backend into client side telemetry and real user monitoring, as well as work on eBPF more. It can be difficult to keep track of all these updates.
If you liked Horovits’s KubeCon talk last year on OpenTelemetry, you won’t want to miss this sequel. In this talk Horovits will go over some of the notable project updates you should keep an eye on, to help navigate the many updates. He will also provide useful guidance on how to get started with OpenTelemetry in a pragmatic fashion according to your organization’s needs.
Securing your applications with a defense in depth architecture and gaining visibility in your application behavior are the two key requirements to be successful in any modern cloud native deployment.
While service meshes like Istio provide these capabilities via a user space proxy mechanism it's not always feasible to inject sidecars proxies for all your applications. On the other hand Kernel technologies like eBPF when used in a CNI like Cilium provides security and metrics transparently but lacks the richness of information and policy capabilities provided by a layer 7 proxy with strong identities.
In this session, I will present how we can leverage capabilities provided by both these technologies and achieve better security and observability ensuring all your applications can have uniform policy and visibility irrespective of whether they are in the mesh or not or if they are running as a container in Kubernetes or long running VM where making privileged changes are often not possible.
No developer wants to be part of the morning news due to a security breach, but most application developers would rather write great code and ship cool new features than patch security issues. Thankfully, with simple best practices, developers can significantly reduce the attack surface of their containers before shipping them to production. At Slim.AI, we analyzed hundreds of container images accounting for billions of pulls annually to better understand the risks facing developers today. This talk provides highlights of our investigation and simple steps developers can take to address security issues in their containers BEFORE they get to production.
There’s no place like production. Any idea, any code change will not deliver value until it reaches production. How can we go there fast and securely? A path to production includes all the activities to deliver a new idea to the software users.
The first challenge will be to provide application developers with a compelling experience that enhances the inner development loop, improves their productivity, and reduces their cognitive load. You’ll see how to design such an experience using Backstage, Buildpacks, and Knative.
The second challenge will be establishing secure and reusable CI/CD pipelines while ensuring a clear separation of concerns. You’ll see how to do that by building on top of the inner loop and adding Tekton, Trivy, and Argo CD. Application operators and security engineers will be responsible for those pipelines and the supply chain, taking care of all the activities for building, testing, securing, configuring, and ultimately deploying workloads.
The third challenge will be to offer paved paths to production as a coherent service via a platform based on different tools from the cloud native ecosystem. You’ll learn about the concept of golden paths enabled by Backstage and see how to implement them using Cartographer, a framework to build paths to production.
Kubernetes clusters, managed or self hosted, are increasingly dynamic, with their properties changing to accommodate more/less compute power, or to just adhere to new generic requirements. The Kubernetes Scheduler evolved to give more granular options of scheduling decisions to users with specific requirements, however, after a pod is placed, those properties or requirements can change at scale.
Descheduler is a complementary sig-scheduling sponsored component. It provides the ability to evict pods which are no longer satisfying original scheduling decisions, allowing your Kube-Scheduler to reposition them in a more suitable place.
In this talk we are going to give an introduction to this project. What are the current strategies/plugins available for you to customize its behavior and how you can keep the pods in your clusters in the right place all the time, even with dynamic changes to it. In the second half of the talk we are going to show you a demo of it in action and provide you with the means of creating your own descheduling/balancing strategies, tailored to your own needs.
This presentation will provide an in-depth overview of Kyverno and its capabilities for improving supply chain security. We will discuss the common challenges faced by organizations when it comes to securing their supply chain, and how Kyverno can help to address these challenges. We will explore Kyverno's features and benefits, which enable organizations to stay ahead of potential risks and respond quickly and effectively to security incidents.
The presentation Prateek will share some of our real-world experiences working with Kyverno and demonstrate how it can help organizations to achieve regulatory compliance and protect against data breaches. Prateek will also cover how Kyverno integrates with existing security tools and systems, ensuring a seamless and efficient security management process.
This presentation is aimed at organizations looking to enhance their supply chain security and reduce the risk of cyber attacks. Attendees will gain a comprehensive understanding of Kyverno's capabilities and how it can help to secure their supply chain.
“Zero trust shifts the focus from trying to identify what is bad and stopping it, to identifying what is good and only allowing it”
With the increase cloud native adoption we have seen a huge spike in supply chain attacks, 0-day vulnerabilities, sophisticated backdoor violations and other novel security exploitation techniques.
The solution to these could be achieved using runtime security to enforce least-permissive security posture.
This talk will be a deep dive into the Zero-trust and runtime-security concepts. It will address some available kernel and user-space based approaches, some failed runtime approaches and a viable runtime security method.
We will also look at some of the recent supply chain attacks and how they could have been avoided with the Zero-trust security model.
Deploying a kubernetes cluster is an easy task, managing and debugging is a harder one.
Let's see what it means when you have to deploy hundreds of clusters at once, probably deployed on several cloud providers simultaneously. Managing all of them even with gitops tooling can really be challenging.
I built this hands-on to walk you through the cluster-api project, help you learning what are the benefits but more importantly how you can leverage its ease of use and powerful features.
While other solutions exist to deploy and manage at large scale, we'll also explore why the cluster-api is definitely the GoTo solution.
Prepare yourself to dig in, and discover throughout several realworld use-cases I've prepared for you, how really easy it is to use kubernetes primitive to manage your clusters at large scale.
Implementing mTLS today typically requires multiple abstractions, layers and configuration complexity. Imagine reducing the many steps and configuration artifacts to enable mutual TLS into a single step. Without node-based proxies, sidecars, or additional control planes to manage these and associated complexity. Oh, and reduce latency by a third.
The session will introduce how this can be enabled with a demo of automated mTLS with identity and security policy management and associated observability for cloud-native services. Integration with legacy abstractions and control planes will also be illustrated for coexistence with previously deployed apps and infrastructure.
Are you interested in dipping your toes in the cloud native observability waters, but as an engineer you are not sure where to get started with tracing problems through your microservices and application landscapes on Kubernetes? Then this is the session for you, where we take you on your first steps in an active open-source project that offers a buffet of languages, challenges, and opportunities for getting started with telemetry data.
The project is called openTelemetry, but before diving into the specifics, we’ll start with de-mystifying key concepts and terms such as observability, telemetry, instrumentation, cardinality, percentile to lay a foundation. After understanding the nuts and bolts of observability and distributed traces, we’ll explore the openTelemetry community; its Special Interest Groups (SIGs), repositories, and how to become not only an end-user, but possibly a contributor.We will wrap up with an overview of the components in this project, such as the Collector, the OpenTelemetry protocol (OTLP), its APIs, and its SDKs.
Attendees will leave with an understanding of key observability concepts, become grounded in distributed tracing terminology, be aware of the components of openTelemetry, and know how to take their first steps to an open-source contribution!
Every single Kubernetes cluster brings a plethora of credentials: server certificates, client certificates, ServiceAccount tokens, static tokens, etcd encryption keys, etc. But how do you manage them in a secure way?
Security best practices suggest using short-lived credentials wherever possible and frequently rotating static credentials everywhere else. What does this look like in practice when managing an entire fleet of clusters?
This talk puts together the puzzle pieces and presents how one can leverage Kubernetes primitives to securely handle all involved credentials in practice. It summarizes learnings that both cluster administrators and application developers can adopt to provide minimal-ops and disruption-free credentials management in Kubernetes.
Would you ask a gardener to fix your leaking toilet? Probably not. Then, why would you ask a data scientist to fix a crashing kubernetes pod? Or why would you ask your developers to understand the internals of the PyTorch framework?
Data science is hard enough without also needing to know about Kubernete. Kubernetes application development is hard enough too without having to do data science! Learn about why you can build a platform on Kubernetes that hides Kubernetes complexities from data science users and data science complexities from application developers.
Salman & Mauricio will take you through the painful lessons that were learnt while building such a platform and the struggles faced by data scientists in cloud native hyperspace. Ending with a demo of how they integrated Kubeflow, KFServing, ArgoCD, Crossplane, Dapr and Knative to build an effective platform!
“Costs are only relevant for the management, not for us developers.”
“We are using autoscalers, our environment is optimized enough.”
“Everything you need to know is on the cloud bill.“
Does that sound familiar? Anyone working on the topic of cloud cost efficiency has heard those statements at some point. Cloud cost is not a popular topic among engineers -not least because in most organizations, cloud cost management and related topics happen in far off departments.
The problem with these statements is that they are wrong. Above all, Cloud cost optimization is the combination of a well-thought-out architecture and the right configuration of workloads. In fact, cost and usage optimization within enterprises only thrive when IT Engineers, Business and Finance work collaboratively. Cost management is an essential part of the technical set-up and operations.
Manuela and Vanessa put an end to the most widespread prejudices about cloud costs in this talk and explain why autoscaling alone is not enough.
In an open source environment, how do you get your competitors to work with you and not against you? How do you collaborate with said competitors? And how do you contribute to the project while ensuring the voice of its end users is heard?
While many cloud-native projects bring together contributors from competing businesses, OpenTelemetry is notable because its meteoric growth has been fueled by a spirit of agreeable collaboration among competitors. Each company in the space contributes code, education, and event organizing towards a common goal of increasing adoption of and improvement to the project.
Join our panel talk to learn how to balance competing business and project interests, design guardrails around community structures to ensure shared values, and how these can be applied to working on your open source projects and within your organization.
Did you ever try to deploy something and your infrastructure was not ready? Did you ever face the problem that your application was technically in a perfect state after deployment but terribly slow for your end users? In this talk, we will show you how we extended existing Kubernetes mechanisms to do readiness checks on a workload but also on an application level to check if the infrastructure is in a good state before deploying your app. After this talk, you will also have an idea of how our new Lifecycle Toolkit gives you additional insights into your deployment process and how you can implement mechanisms to sleep well while your application gets delivered
WebAssembly (Wasm) has a misleading name, and an undeserved reputation for leaving real-world applications just out of reach. Turns out, it's come a long way in the server-side ecosystem, and it works great alongside Kubernetes! The not-so-new technology WebAssembly is a platform-agnostic bytecode that produces tiny binaries that run at near-native speed. The benefit of a platform-agnostic technology is that it works just as well outside of containers as it does inside containers, so it can be used for completely greenfield projects or integrate right alongside Kubernetes. This demo heavy talk will start with an overview of Wasm, what it's good for, and what it isn't good for. We will then dive straight into demoing the strengths of Wasm using wasmCloud, a CNCF sandbox application runtime. This demo will span multiple Kubernetes clusters in the cloud and extend outside of Kubernetes to show why this technology is perfect for solving the problems many applications face today.
Multi-cluster topologies are a key part of Kubernetes, and organisations gain many benefits using multiple clusters, such as increased scale, bespoke APIs, and blast radius reduction. However, multi-cluster deployments also increase complexity, and we’ve seen that teams creating internal platforms wrestle with fleet management in the multi-cluster world.
This talk will examine how we use open-source technologies to create an internal platform API that deploys to multiple Kubernetes clusters. We will create a bespoke API and map the high-level API to low-level resources across clusters. We will also cover how to avoid the trap of treating many clusters like one cluster, and how to leverage the benefits of multiple clusters. The talk will include a demo of how we use our open-source framework Kratix with GitOps technology to deliver the platform.
Proxy-wasm is a standard that can be used to extend the features of proxies like Envoy to do things that can't be solved with pure configuration. The standard is rather young and has some very rough edges, both in the SDKs as well as languages and getting it loaded in a running Istio setup. In this talk, John talks about the experience going from nothing to a production setup and all the mistakes and faults that were discovered along the way (so you don't have to make them).
Systems thinking has been a hot button topic inside and outside the tech industry, as it promises a straightforward and structured approach to make sense of the world and its complexities. By looking at systems in terms of elements and their relationships, Systems Thinkers can understand and predict behaviors, as well as affect long-lasting change.
Understanding that tech organizations, dev teams and their individual members are themselves systems, following their own purposes and structures, can help us better support developers in their goals.
In this talk, we will learn about the basics and mechanisms that inform systems thinking. We will look at examples from the real world to understand why systems behave the way they do and how we can enable change. Finally, we will adapt what we learned to development organizations and discuss how systems thinking can help us improve developer efficiency and happiness.
Have you ever handled the constant and automated deployment and promotion of your applications on Kubernetes cluster? If you have, you probably realised quickly that enforcing certain simple norms will make things move much more smoothly. Maybe all of your services have a well-defined deployment process, but developers forget to put it up from time to time. You have far more power than you realise. This talk will provide a better and easy understanding on perfectly deploying your applications with the help of Argo CD. It will help you in achieving a higher level of control and consistency in your Kubernetes deployment process, while also providing a streamlined, efficient, and dependable solution for GitOps deployment, making it a valuable tool for organisations seeking to adopt this strategy for infrastructure and application management.
As a long time Kubernetes user, it can be real confusing what all of this hype around WebAssembly (Wasm) means for the future. Join Taylor, a long-time Kubernetes community member and contributor, as he talks about Wasm; how and why it should be used; and what you can do to experiment with it. This talk will be focused on concrete strengths and weaknesses of both Kubernetes and Wasm, with a practical (and live!) demonstration of how they can be used to alongside one another. Using the CNCF sandbox project wasmCloud, Taylor will show how Wasm can be used as a complement to Kubernetes to solve many of the pain points of running applications today. To finish, Taylor will provide some practical advice on how you can try things out and get involved!
Kubernetes has changed everything and has become a standard for software development and orchestration. But by making life for software engineers easier, Kubernetes had a severe impact on observability and monitoring systems. The talk will explain the consequences of Kubernetes popularity for various monitoring systems, the price of flexibility it provides, and how any software becomes more and more complex with time.
GitOps is increasingly becoming a popular way of delivering applications to Kubernetes clusters because of the benefits it offers such as declarative and version-controlled infrastructure configuration as well as continuous reconciliation.
With a handful of Kubernetes clusters, and the same team maintaining both application development and delivery, a static association between infrastructure Git repos and specific target clusters works well. However, when infrastructure scales to accommodate business needs, enterprises end up with a few dozens to hundreds of Kubernetes clusters. Also the need to incorporate a reliable separation-of-concerns mechanism between the application development and platform teams becomes important. In such environments, static associations do not work anymore, and a dynamic way to associate your infrastructure repos to Kubernetes clusters becomes critical to business.
In this talk, we show how to augment your team’s GitOps pipeline with a multi-cluster, multi-cloud scheduler to achieve both static and dynamic placement of workloads. We illustrate, through a number of demos, how to provide a great developer experience by separating concerns of infrastructure-choice between application development and platform engineering teams.
This talk will go over the hard obstacles we face when going through breaking API changes in ESO API. What are the available CRD versioning patterns? What are the tradeoffs we had to take? What are important aspects to consider when designing CRD versioning?
Kubernetes Operators are becoming the de facto way to create applications that need to interact with a Kubernetes Cluster. When it comes to the lifecycle of this operator, inevitably a breaking change in the API version for the CRDs will happen. Attendees will get an overview on how to design, test and deliver long-term maintainable operators.
External Secrets Operator is a community endeavor that emerged from different open source projects that all tried to solve one problem: pull secrets from a secret management API into Kubernetes. We joined our efforts in 2020 to find a common denominator across projects to build the best solution to that problem and even go beyond that.
Today, we've built a vendor-neutral community around the project and provide a consistent custom resource API across different cloud vendors and secret management APIs.
Internet native tech companies have long understood that first-class infrastructure, platforms, and a great developer experience are essential to achieve business outcomes at scale. But, instead, growing companies and established enterprises face conflicts in making the appropriate investment and, as a result, struggle to scale their engineering teams and processes.
In this talk, we will look at the role of internal developer platforms and platform engineering teams, what are their signature competencies and superpowers. You will get to understand which metrics reflect their success, deep dive into how to build these platforms and best practices to be applied. You should leave this talk with the wish to grow your own internal developer platform and platform engineering team.
Over the past 5 years Hannah has seen teams succeed, struggle and fail to launch development platforms on Kubernetes. The worst of these platforms are burning time, burning money and burning out their engineers. Having seen what works and doesn’t work in the real world it’s clear that Product Management is needed for these Platforms to deliver value and delight developers.
Platform as a Product is becoming mainstream for organisations investing in their developer experience. Whether you’re a Product Manager or Engineer, this talk will give you a cheat sheet for the most important product practices you need to know when bringing a product mindset to platform engineering.
Come and see in a 5 minutes demo, how quickly and easily you can get started building intricate authorization logic for your application with fine control over it. Broken access control is the topmost security risk and your application might need access control based on detailed logic. With the stakes being high, join Abel as he demonstrates a seamless way to manage authorization that can scale with your product and not bottleneck your performance. He will demonstrate an application that manages access based on organizational hierarchy for various stakeholders.
Kubernetes API is one of the integral components that runs in the Kubernetes control plane. All external and most of the internal requests have to go via the API. It is usually represented in diagrams as one block. This talk will show how the API is made up of several smaller components. This talk will explain how the request goes through Authentication, Autorisation, Mutation & Validation before it is persisten in Kubernetes.