0.6 cloud-native-rejekts-na-detroit-2022 2022-10-23 2022-10-23 1 00:05 https://cfp.cloud-native.rejekts.io https://cfp.cloud-native.rejekts.io/media/cloud-native-rejekts-na-detroit-2022/img/CNR_Logo_NA22_eC2LHZL.png US/Eastern Main Room Lightning Talk 2022-10-23T09:30:00-04:00 09:30 00:10 Opening comments cloud-native-rejekts-na-detroit-2022-507-opening Sarah NovotnyRalph Squillace en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/ABLPKJ/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/ABLPKJ/feedback/ Main Room Talk 2022-10-23T09:50:00-04:00 09:50 00:30 Within the cloud native ecosystem there are a wide variety of tools tackling authorization. This presentation covers what those tools are and how they relate to each other so that folks can find the right tool for the job. cloud-native-rejekts-na-detroit-2022-474-cloud-native-authorization-landscape Jimmy Zelinskie en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/XJK9WS/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/XJK9WS/feedback/ Main Room Talk 2022-10-23T10:30:00-04:00 10:30 00:30 eBPF is now a well-known technology used for networking, observability and security purposes in the cloud native landscape. There are a lot of different projects like BCC, Cilium, Falco, Pixie and Inspektor Gadget (to mention a few) that use eBPF as its core technology. One question often asked is how much CPU and memory are used by those programs. This is a hard question to answer as eBPF programs run in the kernel context and traditional tools to measure CPU and memory consumption aren’t aware of them. The 5.1 release of Linux introduced a new feature to collect statistics on eBPF programs and bpftool implemented support to show them. However, bpftool is not Kubernetes aware and it doesn’t provide an easy way to sort the output. That’s where the new ebpf top gadget comes in. It uses the same bpftool mechanism to collect information about the eBPF programs and maps from the kernel and provides an interface to show the list of programs and their resource consumption with additional information like the processes that created those programs. The ebpf top gadget also provides a mechanism to sort the output based on different parameters like number of runs, memory used, etc. In this talk, Mauricio will make an introduction of the Inspektor Gadget project and then will show how the ebpf top gadget can be used to measure the resource consumption of eBPF programs from different projects like Falco, Cilium and Inspektor Gadget. cloud-native-rejekts-na-detroit-2022-490-how-to-measure-cpu-and-memory-usage-of-ebpf-programs Mauricio Vasquez Bernal en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/YDJF8N/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/YDJF8N/feedback/ Main Room Talk 2022-10-23T11:10:00-04:00 11:10 00:30 Engineering distributed applications has never been harder. The development process is filled with work that distracts from business logic, such as state persistence, event-handling, and knowledge about orchestrators, schedulers, and cloud providers. What if we create a new POSIX for the cloud? The SpiderLightning Project experiments with capabilities as interfaces that extend WASI to create a new POSIX for the cloud. For example, developers can use a key-value interface to manage application states without requiring provider specific knowledge (e.g., Redis) because the host implements this interface and will be configured with the proper implementation. This creates common distributed application APIs and decouples application development from operational knowledge. cloud-native-rejekts-na-detroit-2022-483-a-new-kind-of-cloud-system-interface-with-webassembly Jiaxiao (Joe) ZhouDanilo (Dan) Chiarlone en Like how Kubernetes and Istio abstract away networking and the lifecycle of distributed applications, SpiderLightning is an experiment to abstract away common distributed application capabilities and offer developers a set of provider-agnostic APIs, which enable developers to write portable applications without directly depending on vendor specific SDKs. Applications can leverage these interfaces to reduce the amount of code written to achieve tasks such as persisting key/values, participating in pub/sub, handling messages from a message queue, and much more. By reducing the code footprint, this experiment also enables application binaries to be much smaller than similar container-based applications. This feature further increases the maintainability and portability of applications to target constrained runtime environments like edge devices. Most critically, we want to facilitate community discussions on building a consensus on cloud-agnostic distributed application profiles. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/EQPDJH/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/EQPDJH/feedback/ Main Room Talk 2022-10-23T11:50:00-04:00 11:50 00:30 Virtual Networks, Container Networks and Software Defined Networking have all added layers of abstraction and complication on what used to be straightforward and very tactile, plug in a cable then watch the packets flow. But the basic protocols and how our systems exchange information largely remain the same. This talk is a back to basics look at how we can remember some basic principles to troubleshoot modern problems. cloud-native-rejekts-na-detroit-2022-455-the-bits-must-flow-net-working-through-the-abstractions Aaron Aldrich en As with all modern computing, the network stack has gotten increasingly abstracted away as we move to cloud services and cloud native infrastructure, but underneath it all, we’re still trying to accomplish the same things as always, get data from one system to another as quickly and efficiently as possible without interruption or eavesdropping. Starting with the classic interview question, “What happens when you try to access a website from your computer?” this talk reviews the modern complexity of the internet and reminds us about how some functional routing, switching and firewall knowledge can help us untangle the modern messes generated by layers of abstraction. We’ll start with some things like, “what about before I even get an IP address” and end up talking about BGP, the routing protocol that runs the internet. You’ll leave with a better understanding of what’s actually happening after you apply your chosen network settings to your cluster or hyperscaler, and a better framework for understanding how your cloud native applications and services are communicating across the web. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/VBZQE9/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/VBZQE9/feedback/ Main Room Talk 2022-10-23T14:20:00-04:00 14:20 00:30 We've all seen it: Conferences fail to provide a diverse line-up, get called out publicly and speakers bail in fear of backlash. But this is just the tip of the iceberg. More often than not, they reveal a failure of leaders to create a diverse and inclusive community in the first place. It’s not enough to have the right boxes checked. Marginalised folks need to also feel safe to share their experiences. A clear set of values, Codes of Conduct, and programs aimed at underrepresented folks, are all tools that can help. Ultimately, however, a community is made up of people, and it is on us to reflect on our behaviour, resist the urge to go for the option that makes us comfortable and do better. In this talk, I want to discuss how we can take action beyond calling people out on Twitter to build something that will truly benefit everyone. cloud-native-rejekts-na-detroit-2022-472-actions-speak-louder-than-words-building-better-communities Lian Li en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/UBKNNF/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/UBKNNF/feedback/ Main Room Talk 2022-10-23T15:00:00-04:00 15:00 00:30 Role-based Access Control (AKA RBAC) is a continuous challenge with the growing complexity of cloud native operations, the sheer number of services involved, as well as the privileges required to manage and maintain complex systems with today's ironclad SLAs. Many modern microservices systems are built upon Kubernetes that has its own unique set of RBAC challenges. In this talk I'll walk through some of the challenges with managing RBAC at scale in Kubernetes operations - from common mistakes (cluster-admin anyone?) and misconfigurations, as well as overly privileged roles including unnecessary access to secrets. Amir, as a Kubernetes RBAC expert will cover all the questions you always wanted to ask and never dared, such as including how to assign access to secrets (both from a technical and organizational perspective), who should be allowed to delete pods, as well as the age-old question of who really should be allowed to have cluster-admin access. We'll wrap up with some hard-earned tips for how to architect RBAC best-practices into your systems, and some good open source tools to manage privileges and access in the long term. cloud-native-rejekts-na-detroit-2022-445-everything-you-want-to-know-about-kubernetes-rbac-and-were-too-afraid-to-ask /media/cloud-native-rejekts-na-detroit-2022/images/RTFC8L/ben_hirschberg_8S8RUL4.jpeg Oshrat Nir en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/RTFC8L/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/RTFC8L/feedback/ Main Room Talk 2022-10-23T15:40:00-04:00 15:40 00:30 Come explore building micro-service APIs using Kubernetes Custom Resources (CRs)! We'll demo a real-life example of such an API, analyze its advantages and disadvantanges relative to typical REST APIs, and provide some guidelines for deciding whether using a CR based API is right for your application. cloud-native-rejekts-na-detroit-2022-433-cr-based-apis-is-it-the-right-approach-for-your-application- Dave Smith-Uchida en In a microservice application, services need to make API calls to one another. Many Kubernetes applications have begun using Custom Resources (CRs) for their APIs. This approach offers many advantages over REST. CRs are declarative in nature, so such APIs are simple to develop and evolve. Controllers for CR based APIs are easier to scale out than REST based API servers. CR APIs are more secure to boot, since they leverage native Kubernetes security features. However, there is a cost to these benefits, chiefly that CRs incur an overhead that may not be acceptable for some applications. How can we decide when it is appropriate to use them? In this talk we explore this mechanism, and go over its advantages and disadvantages versus REST. We will demo a real-life example of a CR based API at work, and measure its performance relative to REST using the open-source tool Kubestr. Finally we will go over some guidelines for deciding whether moving to a CR based API is the right choice for you. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/JWTPDH/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/JWTPDH/feedback/ Main Room Talk 2022-10-23T16:20:00-04:00 16:20 00:30 eBPF allows for introspection of events across entire nodes and is a powerful foundation for collecting data from different workloads on a Kubernetes cluster. This talk will explore step-by-step a cryptocurrency mining attack, showing how it behaves, evolves, and how different stages of the attack can be detected using open source eBPF-based tools. As a demonstration, a live miner barely detectable using traditional userspace tools will be shown on a pod. Using tools like Cilium’s project Tetragon and leveraging eBPF’s kernel-based network and process-level visibility, malicious behaviors such as suspicious processes and unexpected outbound connections are easily identified. As a result, the detected miner will be blocked, and the cluster defended. Attendees will leave with ideas for protecting Kubernetes clusters, as well as an understanding of how eBPF-based tools can operate across an entire Kubernetes cluster without any modification to applications or their configuration. cloud-native-rejekts-na-detroit-2022-506-detecting-cryptocurrency-mining-with-ebpf Tracy P Holmes en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/XX7RLC/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/XX7RLC/feedback/ Main Room Talk 2022-10-23T17:00:00-04:00 17:00 00:30 The collection and storage of observability data is critical for day to day operations and long term health of clusters and applications. The increasing volume of this observability data can be leveraged by AI algorithms and data analytics to automate triaging, response, and remediation for common issues, reducing mean time to detection and resolution. To achieve this observability based AIOps system, one must be capable of implementing AI algorithms, set up a combination of logging, monitoring, and tracing backends to store data, and agents for each type of observability data in downstream clusters to ship data to the backend. This complex setup can be challenging to users and this talk will demonstrate how Opni can be leveraged to simplify the setup and management of a fully open source AIOps & observability system. cloud-native-rejekts-na-detroit-2022-493-multi-cluster-observability-and-aiops-with-opni Sanjay Nadhavajhala en There are many open source options for logging, monitoring and tracing. Users must set these up individually to collect all 3 types of observability data. The creation and management of these tools is often challenging and can be simplified. In addition to this, to leverage AIOps users must be knowledable with GPUs as well as machine learning and deep learning algorithms. Opni was created to address these challenges and offer an observability management tool that comes with AIOps baked in. Opni is the first open source AIOps tool that offers easy creation and management of logging, monitoring, and tracing backends. It leverages and extends upstream open source projects including OpenSearch, Cortex, OpenTelemetry and others! false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/CGU3SC/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/CGU3SC/feedback/ Main Room Lightning Talk 2022-10-23T17:40:00-04:00 17:40 00:10 We all love this community and having the privilege of working in open source. In this talk I will talk about the key tenants of a positive community and specific things we can do to support developers and the community cloud-native-rejekts-na-detroit-2022-440-creating-a-positive-community /media/cloud-native-rejekts-na-detroit-2022/images/SESCY8/Kim-15_eIbMrzr.jpeg Kim McMahon en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/SESCY8/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/SESCY8/feedback/ Main Room Lightning Talk 2022-10-23T17:55:00-04:00 17:55 00:05 What do you do when faced with the ever-growing and always confusing cloud native landscape? Use visual, interactive analogies from the equally confusing twisty-puzzle landscape! cloud-native-rejekts-na-detroit-2022-484-kubes-and-cubes-puzzling-out-cloud-native-tech Karen Bruner en The number of ways to run Kubernetes keeps growing and growing. It can be hard to follow them all! This tongue-in-cheek talk will help you keep track of all these cluster types by using twisty puzzles (think Rubik's cubes but scarier) to demonstrate the varying complexities and characteristics of different cluster types. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/WDZCXL/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/WDZCXL/feedback/ Main Room Lightning Talk 2022-10-23T18:00:00-04:00 18:00 00:05 The Lego experience is more than just a collection of premium priced bricks in a box. If one looks closer, it's full of guidance for the cloud native developer, including; interoperability, backward compatibility, design, and documentation. This brief rant will highlight ways your project can meet developer expectations, and pitfalls to avoid so your project won't be cast aside like a disappointing toy. cloud-native-rejekts-na-detroit-2022-505-some-assembly-required-infrastructure-lessons-from-lego-k-nex-mario-kart Jeremy Tanner en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/NHSGQQ/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/NHSGQQ/feedback/ Main Room Lightning Talk 2022-10-23T18:05:00-04:00 18:05 00:05 End to end testing in Kubernetes apps is usually done with many lines of bash scripts as this may seem as natural progression from testing Kubernetes apps manually with kubectl. Bash is not well-equipped for such tests because users have to create a lot of boilerplate and wrapper functions to make tests reliable. At the same time, Kubernetes provides excellent client libraries in many programming languages. In this presentation, Paweł will show that taking advantage of the client libraries can improve tests speed and reliability, and as a side effect, shorten a feedback loop for developers. cloud-native-rejekts-na-detroit-2022-464-e2e-testing-of-kube-controllers-the-good-the-bad-and-the-ugly Paweł Bojanowski en Testing Kubernetes controllers or applications which run inside the Kubernetes cluster and use Kubernetes cluster resources can be a challenging task. While unit tests are easy to write and maintain, thanks to rich Kubernetes client libraries available for End-to-End testing, the top layer of The Test Pyramid is a completely different animal. In this presentation, Paweł will talk about how to build end-to-end tests based on manual testing with kubectl and why bash scripts should be reduced to minimum. He will also talk about Elotl’s struggles to keep the end-to-end testing pipeline stable and reliable. He will discuss pros and cons of running tests in local KIND clusters and using clusters provided by the cloud vendors. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/FJEA9J/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/FJEA9J/feedback/ Main Room Lightning Talk 2022-10-23T18:10:00-04:00 18:10 00:05 Log aggregation is one of the cornerstones of observability but setting up a logging stack can be overly complicated. As the number of clusters an operations team are expected to manage explodes a simpler solution is needed. This talk will demonstrate how we can simplify this process and set up a log aggregation platform in 5 minutes. cloud-native-rejekts-na-detroit-2022-492-setting-up-a-logging-stack-in-5-minutes Sanjay Nadhavajhala en Logging systems by their very nature are generalist tools. This means they can cover many use cases but can be unwieldy to configure and maintain. The number of places where Kubernetes clusters are installed and used is rapidly increasing, particularly as the focus on the edge accelerates. A Kubernetes native solution that can easily scale to n clusters is needed. Currently setting up an opensource logging stack is a disjointed process. A central log store needs to be configured and maintained separately from the log aggregation pipeline, often with disparate technologies. This talk demonstrates how these can be integrated into a single unified process. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/NFRSZX/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/NFRSZX/feedback/ Main Room Lightning Talk 2022-10-23T18:15:00-04:00 18:15 00:05 Security like all technology disciplines has its buzzwords. You'll often hear acronyms like SAST, SCA, DAST, and much more…but what does it all really mean? In this talk we will review the many kinds of vulnerability scanning with a focus on Kubernetes security scanning. We'll help you understand what kinds of vulnerabilities you can as well as cannot identify with these tools. We'll review some of the popular open source security scanning tools in the ecosystem, and help you understand where you can use each and what to scan - registries, clusters, CI/CD. This will be demoed through real code examples and scanning scenarios. cloud-native-rejekts-na-detroit-2022-446-demystifying-kubernetes-vulnerability-scanning /media/cloud-native-rejekts-na-detroit-2022/images/CDP33E/ben2_eF7FvF2.jpeg Oshrat Nir en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/CDP33E/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/CDP33E/feedback/ Main Room Lightning Talk 2022-10-23T18:20:00-04:00 18:20 00:05 In this talk we will show you how we speed up [Cortex](https://cortexmetrics.io/) deployments at scale, using zone-aware Kubernetes controllers. Kubernetes allow pods to be spread across different zones through topology constraints but these are not taken into consideration during rollout updates, or on pod disruption budgets. For instance, it's recommended to replicate Cortex's ingesters across different zones for high availability, allowing for the system to continue to work in the event of a zone outage. However, the lack of zone aware deployments support forces Cortex operators to allow just a single container to be updated at once, causing long deployments and impacting the velocity in which nodes can be upgraded. To bypass these limitations, the Amazon Managed Service for Prometheus team released a couple of k8s controllers for zone aware rollouts and disruptions that can be used by any high available quorum-base distributed application, such as Cortex, to improve the velocity of deployments in a safe way. cloud-native-rejekts-na-detroit-2022-480-speed-up-highly-available-deployments-on-kubernetes Mariana Ramos Franco en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/WA3NPU/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/WA3NPU/feedback/ Main Room Lightning Talk 2022-10-23T18:25:00-04:00 18:25 00:05 Cloud Custodian is an open source cloud security, governance, and management tool with powerful integrations with AWS cloud services that allows for quick response times to address a wide array of compliance, governance, and security issues. As public cloud adoption increases across industries, the need to be able to properly secure and govern cloud resources is more important than ever. This session will show how to react quickly to changing security and compliance standards in reaction to security bulletins published by public cloud providers in a serverless and event based process. cloud-native-rejekts-na-detroit-2022-478-the-shifting-sands-of-security-and-compliance-in-the-cloud Sonny Shi en Cloud Custodian and its wide array of tools are used industry wide and provide great value in allowing users to create user defined policies that are powerful, extensible, and incredibly customizable. These policies can react in an event based manner allowing for low overhead and a peace of mind. This session will walk through how to take a security bulletin provided by a public cloud provider and translate it into policy, showing the complete end to end lifecycle of how to react quickly and efficiently. Cloud Custodian supports all three major public clouds, AWS, Azure, and GCP, with alpha support for Kubernetes, allowing users to take advantage of a common vocabulary, tools, and workflow when addressing cloud governance needs across a wide array of use cases. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/LBJ7TD/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/LBJ7TD/feedback/ Side Room Talk 2022-10-23T10:30:00-04:00 10:30 00:30 Deep Learning (DL) models are being successfully applied in a variety of fields. Managing DL inferencing for diverse models presents cost and operational complexity challenges. The resource requirements for serving a DL model depend on its architecture, and its prediction load can vary over time, leading to the need for flexible resource allocation to avoid provisioning for the maximum amount of resources needed at peak load. Using the cloud to allocate resources flexibly adds operational complexity to obtain minimum-cost resources matching model needs from the large and ever-evolving sets of instance types. Selecting minimum-cost cloud resources is particularly important given the high cost of x86+GPU compute instances, which are often used to serve DL models. We describe an approach to efficient DL inferencing on cloud Kubernetes (K8s) cluster resources. The approach combines two kinds of right-sizing. The first is right-sizing the inference resources, using Elotl Luna smart node provisioner to add right-sized compute to cloud K8s clusters when needed and remove it when not. The second is right-sizing the inference compute type, using cloud Ampere A1 Arm compute with the Ampere Optimized AI library, which can provide a price-performance advantage on DL inferencing relative to GPUs and to other CPUs. We show the benefits of the approach using inference workloads running on auto-scaled TorchServe deployments. For cloud K8s clusters from two vendors, we compare the cost and operational complexity of right-sizing against two common non-right-sized approaches. cloud-native-rejekts-na-detroit-2022-448-efficient-deep-learning-inferencing-in-the-cloud-using-kubernetes-with-smart-provisioning-of-arm-nodes Anne Holler en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/ZAYEBL/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/ZAYEBL/feedback/ Side Room Talk 2022-10-23T11:10:00-04:00 11:10 00:30 What do you do when you have one nice PC sitting around but you really need to hack on a multi-node Kubernetes cluster? Build one by installing FreeBSD and using its native bhyve virtualization platform. cloud-native-rejekts-na-detroit-2022-429-fun-with-freebsd-make-your-own-mini-cloud Karen Bruner en The FreeBSD operating system is not yet a first-class citizen in the cloud native ecosystem, but that does not mean it cannot have a role. One example of how FreeBSD can currently play along is by using its native bhyve virtualization to host a Kubernetes cluster on Linux virtual machines. FreeBSD is a stable, elegant, and richly-featured operating system. Bhyve virtualization, built into the kernel, makes it very simple to create and run virtual machines on modern compatible CPUs and network those VMs. This ability makes it a great platform for creating multi-node Linux-based Kubernetes clusters for fun and profit. This talk will briefly cover how amazing FreeBSD is and why you would want to use it. Then it will get down to basics of what it takes to create a few Linux VMs and join them into a full Kubernetes cluster. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/8GP8QM/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/8GP8QM/feedback/ Side Room Talk 2022-10-23T11:50:00-04:00 11:50 00:30 Working in a large team, multi-tenant organization can be hard. There can be sub-teams, sibling teams, different BUs, parallel efforts, clients, tenants and more that all need to both collaborate and be kept separate. In this complex type of environment RBAC, access rules, network policies, and api server load can be difficult to manage. Someone might have already suggested looking into virtual clusters. After looking into how virtual clusters provide isolation that namespaces do not, you may have even decided they are a good fit for your environment. Now that you have a virtual cluster running on a Kubernetes cluster that runs on a virtual machine that runs in a virtual data center where does it all end? In this talk Mike will be using vcluster to layer virtual cluster on top of virtual cluster, diving deeper & deeper into the depths of inception. While api servers explode around us we'll find out how many api servers are dancing on the head of that pin. cloud-native-rejekts-na-detroit-2022-501-api-server-inception-how-many-layers-down-can-a-virtual-cluster-go- Mike Tougeron en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/G7CXVB/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/G7CXVB/feedback/ Side Room Talk 2022-10-23T14:20:00-04:00 14:20 00:30 A lot of interest in virtual Kubernetes clusters and the open source tool vcluster has developed over the last year. vcluster allows platform teams to provide virtual Kubernetes clusters to their users. A virtual cluster appears to be a full-blown Kubernetes cluster to the users, but it runs within a namespace of the host cluster. This allows users to have admin access to the cluster, use multiple namespaces in it, and manage global objects like CRDs. During the last year, many new features have been added to vcluster, and we’ve seen it used for use cases that we hadn’t even imagined. This talk will provide tips and tricks to help teams get more from their virtual clusters and show off some fun things you can do with them. We’ll cover: How to share resources like ingresses from the host cluster, using vcluster’s isolated mode to automatically add network policies and Pod Security Standards to your virtual clusters, pausing and resuming virtual clusters, monitoring and backing up virtual clusters, and writing plugins with the vcluster SDK. We’ll also cover some weirder examples like using vcluster for shadow IT (users don’t need to have elevated privileges in the host cluster to start a virtual cluster) and running a virtual cluster inside a virtual cluster. cloud-native-rejekts-na-detroit-2022-435-virtual-kubernetes-clusters-tips-and-tricks Rich Burroughs en Multi-tenancy in Kubernetes is hard. Teams generally default to either namespace isolation or provisioning tons of clusters, and neither of those solutions is very satisfactory. Virtual Kubernetes clusters allow teams to share clusters while giving users the access they need. Since we open sourced vcluster in April of 2021, we've seen a lot of users embrace the tool and find interesting uses for it. It's very easy to get started with virtual clusters but there's a lot more to do to make them very useful. I'd like to give some tips on using virtual clusters to the community while also throwing out some of the fun and weird ideas we've heard from the community. Note: vcluster isn't currently a CNCF project but it is a CNCF certified Kuberenetes distribution. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/W8S9WQ/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/W8S9WQ/feedback/ Side Room Talk 2022-10-23T15:00:00-04:00 15:00 00:30 Where do you find internal documentation about a legacy microservice? How can I make an API call to the new service deployed by other team? How is the status of my service in the production kubernetes cluster? The frontend team finds the backend service is down on Friday’s evening, how can they trigger a PagerDuty? All these questions can be answered with a unique tool, Backstage. It’s possible to integrate Backstage in any platform or company, increase productivity and start the journey with developer experience. With some documentation already in place and starting from scratch, it's very easy to install Backstage and integrate the minimum capabilities to make the life easier to any company member, starting with developers' life. cloud-native-rejekts-na-detroit-2022-453-building-the-best-internal-developers-portal-with-backstage Guille VigilJavier ParísLukas Gómez en Documentation is part of the natural flow in development and engineering. Following best practices to make the documentation of any project as code, stored somewhere in a repository, should be part of the flow. Having documentation as code made things easier to migrate from one tool to another. Here comes Backstage, as part of the sandbox projects in CNCF. Backstage allows stakeholders to find documentation of any kind and research throw APIs and services with really useful plugins like ArgoCD, Jira, GitHub, Jenkins, PagerDuty, etc. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/Z7GUGX/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/Z7GUGX/feedback/ Side Room Talk 2022-10-23T15:40:00-04:00 15:40 00:30 This talk would cover why there is a need to give developers access to Kubernetes based development environments and Crossplane during development: so they can code and test their changes in an environment as close to production as possible. The talk will highlight the challenges developers face due to a lack of simple infrastructure provisioning workflow how Kubernetes and Crossplane come together to solve that. We will then go over how a simple yet powerful dev workflow can be set up using Crossplane and Kubernetes-based development environments. The talk would cover: - What Kubernetes based development environments are, and how Crossplane provisions infrastructure - Why developers need the combination of the two for being effective when writing cloud-native applications - Demo of setting up a dev workflow using them cloud-native-rejekts-na-detroit-2022-482-using-kubernetes-and-crossplane-together-to-help-developers-code-cloud-native-applications Ramiro BerrellezaViktor Farcic en All developers building cloud-native applications can benefit from being able to replicate the complex production environment during development. This talk would benefit the ecosystem by showing how Kubernetes based development environments combined with Crossplane have the ability to empower developers to do exactly this. Attendees will learn about Kubernetes based development environments and how they make developing cloud-native applications much more simple than traditional ways of development. They will also walk away with a better understanding of how Crossplane works and why it is an effective tool for developers to provision all the production infrastructure during development. This talk aims to solve the problem most developers face these days - not being able to easily replicate their production setup during development. The talk will benefit all cloud-native application developers by showing them how to set up a development workflow using Crossplane, which allows provisioning all the production infrastructure very conveniently during development, and Kubernetes based Remote Development Environments. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/EQVJEG/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/EQVJEG/feedback/ Side Room Talk 2022-10-23T16:20:00-04:00 16:20 00:30 That’s right! The Open Policy Agent has other skills than just securing your clusters. The general-purpose design of the Open Policy Agent has enabled many tools, such as Gatekeeper, to adopt it for their own policy decision needs. This is powerful because it provides end-users with a consistent approach to policy enforcement throughout the cloud native ecosystem. This talk will look at several different tools and techniques that leverage OPA's policy engine and how they can benefit the development, deployment, and security of your applications. We'll explore: - How Regula can evaluate your infrastructure for compliance violations before ever reaching the cloud. - How Conftest can enforce cluster policies in local environments and CI without the need for a cluster. - How Gatekeeper can provide cluster audits and prevent insecure workloads from being deployed. - How Konstraint can automatically generate documentation, constraints, and templates for your policies. - ... and more! By the end of this talk, the audience will have more tools available to them in their toolkit and gain a different perspective on how the Open Policy Agent is used today to make better decisions for tomorrow. cloud-native-rejekts-na-detroit-2022-434-open-policy-agent-can-do-that-the-many-use-cases-of-opa John Reese en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/LXNWGF/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/LXNWGF/feedback/ Side Room Talk 2022-10-23T17:00:00-04:00 17:00 00:30 You’re deploying a project with a Kubernetes service that can be accessed using port-forward or an external IP, by using the load balancer service type. But when it’s time to deploy the project into production, the documentation doesn’t explain how to set up TLS. Now what? Cert-manager to the rescue! Cert-manager makes it easy to generate a TLS certificate, which can be used to enable HTTPS (secure HTTP) access to an application. During this presentation and live demo, Onkar will show attendees how to: Install cert-manager Deploy a certificate issuer using “Let's Encrypt” and a DNS-01 resolver Provision a TLS certificate using cert-manager and the certificate issuer Create DNS records to map a domain name to the application's external IP addresses Deploy an application with the TLS certificate and demo how to access the application using HTTPS on a browser The audience will walk away with a concrete set of steps for deploying their application with TLS, so it can be accessed using HTTPS. cloud-native-rejekts-na-detroit-2022-497-think-certification-management-is-hard-enable-https-access-in-minutes-with-cert-manager Onkar Bhat en We deploy Kubernetes clusters in our CI/CD pipeline on a daily basis. In order to build a cloud native product that’s ready for production environments, the applications we deploy within the clusters must have TLS enabled, so that the product can be tested against them. Generating and renewing certificates typically occurs occasionally, so very few people in an organization possess the necessary expertise. Sometimes a certificate expires right before a product release, and the certificate management/renewal process must be quickly re-learned to unblock the pipeline. Understanding how to use cert-manager will benefit anyone in the Kubernetes community who may face such a challenge. Although cert-manager has been covered in a previous KubeCon presentation, no demos were presented. During this presentation, Onkar will provide an end-to-end demo for a specific use, and take the discussion further by covering the DNS-01 resolver and the creation of DNS records. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/77UXCT/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-na-detroit-2022/talk/77UXCT/feedback/