The opening session of CLoud Native Rejekts NA 2019

Come learn about some of the gotchas and deep internals you'll have to deal with when extending or building on top of Kubernetes. Using some of the Helm code as a backdrop, this talk will dive into the nitty gritty details of checking the status of various workload API objects, complex patching needs, validation, and more!

How to dynamically provision Kubernetes Local PV by OpenEBS, with managing the life cycle of block devices for Local PVs

The Kubernetes security audit turned up some bugs in Kubernetes, but did you know it also includes important security advice for end users? Find out about the security recommendations from the audit and learn how you can apply them in your apps today.

Nodeless Kubernetes solutions like virtual-kubelet and virtual-cri (with cri-proxy) eliminate the need for configuring cluster capacity management and maintenance woes associated with pet worker nodes. This talks goes over two ways to implement nodeless architecture, lists pros and cons associated with the two approaches, and demonstrates how Horizontal Pod Autoscaler and Vertical Pod Autoscaler enable agile autoscaling in Nodeless world.

This session will introduce Flatcar Container Linux, the secure operating system for running containers at scale, based on the pioneering work of CoreOS. We cover the origins, current status, and roadmap of the Flatcar project, and will demonstrate a seamless upgrade from CoreOS Container Linux.

Running geo-distributed clusters on Kubernetes presents no shortage of challenges: it complicates networking and service discovery; it mandates the use of stateful sets and persistent volumes; and it requires cleverness to navigate node pools and firewalls. Here's what we learned along the way.

Since its origins at CoreOS and flowering at Red Hat, the Operator pattern has seen lots of explication and promotion -- rightly so. It's a pattern for extending Kubernetes, built from key Kubernetes components and concepts. But it's not right for every application in every case. This talk will help developers make informed choices about when they do, and when they don't, need to extend Kubernetes to get the features their app needs.

Witness Cody Hill, Field CTO at Packet and former Director of Technology at Platform9. Combining his love for both companies into a seamless managed Kubernetes offering on world class Baremetal as a Service! Learn how to use Platform9 Managed Kubernetes as well as Packet’s Baremetal Cloud. And see a fully automated deployment of both of these together! And we’ll wrap up with a Q&A

Kubernetes already has many properties of a primitive service mesh. Can we make the system better by leaning into this idea?

The Istio service mesh promises to solve or ease many of the pain points around scaling and securing microservice architectures by giving key tools to make your Kubernetes cluster deployments play nice with each other, but getting some applications to play nice with Istio can be its own major challenge. For those considering Istio or who want to be on the lookout for pitfalls when starting adoption, this talk will highlight possible roadblocks to your move to Istio and offer both short-term workarounds and long-term fixes to reduce headaches and make sure you can get the most out of Istio at any stage.

This talk introduces Lokomotive Kubernetes: an open source kubernetes distribution inspired by CoreOS Tectonic and built to run on Flatcar Container Linux, filling the gap between secure, cutting-edge and production-grade clusters.

Learn how Ansible can help developers quickly ramp up to build Operators to automate and manage the life cycle of complex Kubernetes applications.

As cloud native software continues to grow and mature, code bases become larger and more complicated. What used to be simple build workflows with some Makefiles, now spans across multiple repositories and registries and CI/CD systems. As a Kubernetes developer, jumping through hoops to test your code change on remote clusters can be frustrating. The commands to learn, the build scripts to debug, the clusters policies to remember and the builds wait times are all nuisances which distract from development and don’t help with the delivery progress. In this talk, Ivan and Dan will share some lessons learned on identifying development workflow bottlenecks, and how we utilize Tilt to streamline the Linkerd development workflow, where Tilt makes “getting started” boring and the developers will feel “right at home” both when writing code on their laptops as well as remotely in the cloud.

On production databases, the data patterns keep changing as the time progresses. CI pipelines need to have access to the latest data or closer to the latest data for effective testing. As Enterprises and FinTechs start to use Kubernetes and microservices-based architecture, their DevOps teams would like to solve two challenges that are well known in the pre-Kubernetes era. The first challenge is to automate the data lifecycle between production and testing. The second challenge is to give developers instantaneous access to the failed environment when the CI pipeline fails. Solving these two challenges in the Kubernetes space will make the DevOps more productive in enterprises.

In this practical tutorial of auto DevOps, we demonstrate the construction of GitLab based CI pipeline and show the best practices for the data life cycle management through the use of cloud-native technologies.

There are numerous reasons why you may not have incoming network access (ingress) to your Kubernetes cluster. You may be behind carrier-grade NAT, sitting in a coffee shop, working on a client’s site, or just not quite sure how you’d benefit from it. IPv6 is one way this problem will be addressed in the future, but the dream has not yet arrived..

Incoming data is important for local dev/test and for the edge, which is why closed-source tooling like Ngrok is so popular amongst developers. You can integrate systems and share your local endpoints with others.

In this session Alex will demonstrate a new Kubernetes Operator built on the Open Source inlets project that means that any private or dev cluster can get a public IP and incoming network access - from the Internet or another private network.

So whether you’re running code in Docker, Minikube, KinD, k3s, or with kubeadm on bare-metal, come to see a live demo of the inlets-operator turning LoadBalancer IPs from “Pending” to real IPv4 addresses.

https://inlets.dev/

Do you know how to inspect Kubernetes TLS when it's broken and identify what the problem is? Maybe not as well as you think -- but you're in good company: even experienced admins often don't know the basics. Let's fix that.

Kubernetes objects and configuration management can be tedious and prone to human error. And as deployments grow they tend to suffer from configuration drift.. This presentation will show how in house developers have used Kustomize with MayaData Director to manage configuration issues and then present a quick demo showing how Kustomize makes it easy to manage, generate and compose Kubernetes object YAMLs in a declarative fashion.

Powerful cloud native technologies are emerging and proliferating to address the needs of modern apps and their users' expectations. Things is, many require writing Go code and expertise with the internals of K8s or lots of static YAML. We can and need to do better. We need to find ways to make these powerful technologies easier to deploy and more inclusive to a broader range of technologists.

This talk will explain the typical problems faced when solving this and show an answer to this frequently asked question. For this talk I will use metalLB and Contour as examples and a demo on packet.com

What if you could have your Helm charts directly updated and hosted on Github pages after each new commit?

Wayne will show the audience how they can use the features of Octant to identify Kubernetes workloads that are having problems and how they can use Octant to fix their workloads.

This session will demonstrate how Ansible along with its built-in templating and k8s module can be used for rapid, repeatable and consistent deployments to any Kubernetes cluster.

In this talk, Chandan will present his observations on using local PV in production for saving ElasticSearch Data. While Local PV has a big disclaimer to be used with applications that can support data management, Local PV is the performant storage solution that is available today.

As we get lured into its performance, we have to watch out for some of the common disasters that can hit really hard - if left unchecked. Chandan will list the different challenges or shortcomings of the Local PV along with the available Open Source solutions and tools to address them.
For example, data protection can be achieved via Restic or Velero.

You have finally split your big monolith into microservices built on top of Kubernetes!

Now what? How do you validate a more complex application? And how do you make it scale?

Instead of having one CI/CD pipeline, you have multiple. And as the number of microservices increases so does the number of pipelines. Managing pipelines for microservice applications can quickly get out of hand, especially when you try to reuse common pipeline parts between different applications.

In this talk, we will see how you can create CI/CD pipelines designed specifically for microservices and how you can reuse the same pipeline across different applications.

In this talk we are going to see how in Cloud Native environments we have the common issue of having tools to instrument and comprehend the application behaviour at kernel level. To try to solve this problem I'll try to illustrate my opinions on how I used eBPF and eBPF based tools that are both the kernel and Kubernetes aware. In other words, Cloud Native.

The Kubernetes API is amazing and we are not only going to break it down and show you how to wield this mighty weapon, we are going to do it while building a video game, live, on-stage. As a matter of fact, you get to play along! The speaker in this session wanted to create a game and learn the kubernetes api. He thought this was out of his reach until he met the Javascript Phaser Game Engine and the Kubernetes API. In this session, Grant Shipley will walk you through the code he wrote to create a retro style Wild West shooter that manipulates Kubernetes resources as part of the game. This session will leave the slides at the door and will focus on code and live demos. At the end of this session, you should have enough knowledge to gamify Kubernetes or to at least automate it for real-world use cases.

Benchmarking system performance in a repeatable, reproducible way can be a difficult task, both technologically as well as philosophically - doubly so for as complex a system as a service mesh. However, the cost of adding new technology to a stack can be critical in making a decision about adoption - and repeated, reproducible benchmarks can help the service mesh communities to meet, and improve on, their respective quality bar. This talk benefits the ecosystem by not only characterizing the cost of various service mesh implementations in numeric terms, but also by describing what “cost” means in this context, and by introducing an open source framework for running these tests that can be used by anyone in the world to reproduce results.

Containers have become the modern packaging format, regardless of the host they're run on. You may be building your own images, or consuming images from ISVs. While containers have a focused subset of their VM ancestors, containers still have layers of the OS, runtimes and other components that are susceptible to vulnerabilities that must be remediated. Have you considered how you'll patch these deployments? Will you patch the running containers, as you patch VMs, hoping the software continues to run, as you continually patch the same deployed image?
We'll examine leveraging your build and deployment pipelines to automatically patch, test and deploy updates, during and long after you've moved onto another project. OS & Framework Patching can be an extension of what you're already doing today.

We will provide a comprehensive overview of how we’ve built a large scale, fully open sourced edge cloud platform. It maps the technology to real use cases and grows the community collaboration around realistic deployments. It will show real operational data at scale from one of the largest retailers in the world. The audience will see not only the k8s deployment but app orchestration across thousands of k8s clusters.

For most people outside IT departments, understanding how to pronounce Kubernetes is the first step of many steps towards understanding why they should support the transition to Cloud-Native Technologies. This talk seeks to present Kubernetes and cloud-native to non-coders outside the IT department and help them understand how supporting its adoption will benefit them.

The talk begins with an overview of what Cloud-Native is, proceeds to a non-technical explanation of Kubernetes using housing as a metaphor, and finishes with key benefits to non-IT departments when adopting Kubernetes. Audience members will learn how to explain and advocate for Kubernetes at an organisational level.

OpenEBS is an open source CNCF Sanbox project trying to address persistent storage problems in a 100% container native way not just by rubbing some bacon on It.

If, as they say, Kubernetes is the new OS...then what is the new shell?

Function-as-a-service (FaaS)-style programming and serverless platforms increase productivity, enabling you to focus on application code, with the platform taking care of how to deploy, configure, run, and scale the code. They do however require you to adopt a new programming model, creating generic handlers or actions that lack the expressive APIs that you get from frameworks. Options like Knative not make it possible to make existing server frameworks run "serverless" on Kubernetes - and to go further to enable you to create FaaS applications that are deployed onto pre-configured servers that are pre-configured with liveness, readiness, and observeabiltty.

In this session you'll learn about the methodology by which that can be achieved, and see a live demo of a Functions based application being built and deployed on a serverless server-framework.

In the classic animated series Voltron, five heroes unite to form a giant superrobot to defend the universe from evil. Just like Voltron, the power of each individual CNCF project lies in its unique strengths -- that when combined with other projects, create mega-powerful infrastructure.

This talk will explore the role the client, server, and cluster CA certificates play in a cluster and the ramifications of their expiration. We'll look at a cluster whose certificates have expired and what lead to that scenario. Finally, we'll look at techniques to avoid certificate expiration and how to recover an inoperable cluster.

Custom Resource Definitions (CRDs) make it easy for you to add new types of primitives that can be managed by the internal control loop of Kubernetes. In this presentation, Chris Hein will provide an in-depth look at how he has been using CRDs to model external services and some of the benefits and pitfalls of using this style. We'll begin by diving into what CRDs are and how they can be used. Why he choose to model cloud resources using CRDs as opposed to Service Catalog. Continuing into a review of what it's like to build using the control loop and we'll end by discussing golang & Kubernetes code generation and how you can speed up your development by using these tools.

YAML has taken over our lives. From defining how our applications are deployed and tested to ordering pizza. There is a whole ecosystem of tooling that addresses the need of customizing your YAML for specific circumstances. With several to choose from, how do you know which one is right for your use case? This talk will cover key YAML customisation tools aimed for use with Kubernetes, and break down which are suited for particular use cases, and which are not suited for others.

The talk will include practical examples of several tools such as:
- Jk
- Helm
- Pulumi

Whether you are new to Kubernetes, or are currently using some of these tools, this talk should bring fresh ideas for managing Kubernetes configuration.

Containers are a great way to deploy and isolate application resources but they can fall short when it comes to security isolation. How do you improve the security of a container while maintaining the flexible and dynamic resource usage of a container? There are many options for sandbox containers but which is right for you?

In this talk I will explore sandbox runtimes in depth with a focus on use-cases and challenges on their implementation and maintenance. I will dive into the container security model, the use cases for sandbox pods. I will discuss various approaches and their tradeoffs before diving into the architecture of gVisor, how it differs from virtual machine based sandboxes, and how we are working to make running untrusted code feel more like the containers you know and love. Finally, I will bring it all together with a demo of best practices for using gVisor to run untrusted user code in a Kubernetes cluster.

Disaster management is a mission-critical function that most startups today don’t plan for. Recent disruption in Cloud providers demonstrates that no infrastructure can avoid the inevitable downtimes caused by the catastrophe. All infrastructures should have fail-safe measures to ensure “nothing” is lost in the event of service disruption. This proposal demonstrates a simple system for ensuring entire Kubernetes clusters can be replicated on-demand. The use-cases are many and obvious including data security, cost optimization and reducing the downtime of workloads.

A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. It will be used by cluster operator to segment resources based on organization policies and enforce access control based on security requirements. In this talk, we will introduce what is network policy and network plugins, then we will show how to enforce network policy to protect a demo application, finally we show step by step examples how to bypass the network policy in the following scenarios: Abuse of privileges, insecure host mounts and misconfiguration of kubelet. Attendees should come away with the idea of securing kubernetes cluster in holistic way.

Kubernetes Operators are the next phase of the journey towards automating complex applications in containers. Many Operators that exist today handle initial deployment, but they don’t provide automation for tasks like binary upgrades, configuration updates, and failure recovery. Implementing a production-grade controller for a complex workload typically requires thousands of lines of code and many months of development. The Kudo project ( https://kudo.dev ) provides a framework to enable automated creation of operators for Kubernetes, in most cases just using YAML. In this talk I’ll introduce the Kudo project, and demo the creation of a Kubernetes operator using Kudo.

The closing session of Cloud Native Rejekts 2019