0.7
virtual-rejekts-2020
Virtual Rejekts 2020
2020-04-01
2020-04-01
1
00:05
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/schedule/
UTC
2020-04-01T07:00:00+00:00
07:00
00:10
Track 1 (UTC)
virtual-rejekts-2020-283-virtual-rejekts-kickoff-india
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/VLUR7J/
false
Virtual Rejekts Kickoff: India
Handover
en
Virtual Rejekts Kickoff. We'll introduce the format, the moderator line-ups and welcome the first speaker.
Prakash Mishra, Sayan Chowdhury
2020-04-01T07:10:00+00:00
07:10
00:30
Track 1 (UTC)
virtual-rejekts-2020-266-connecting-applications-with-operator-backed-services
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/ZKQ8MA/
false
Connecting Applications with Operator-backed Services
Talk
en
Demonstrating a more streamlined approach for binding application with services provided by Kubernetes Operators, using our open-source project, service-binding-operator. An improved developer experience on declaring and ensuring binding with infrastructure components.
Cloud-Native Environments like Kubernetes come with their challenges for binding applications. A service backed by a Kubernetes operator, for example, PostgreSQL instance and a shiny front-end Node.js application... Wouldn't it be really fancy if we could just express the intent to bind to any backing service without actually doing the configuration heavy lifting?
In this talk, we will review how to enable developers to connect their applications with operator-backed services, such as databases, without having to perform manual intervention (secrets, configmaps, etc.). It thereby provides an intuitive approach for the developers to connect their application to an operator backed service. In a nutshell, improved developer experience.
Together with this talk, we would be running through a live demo, to show application and service binding in action, using our open-source Kubernetes Operator, service-binding-operator.
Igor Sutton, Avni Sharma
2020-04-01T07:45:00+00:00
07:45
00:30
Track 1 (UTC)
virtual-rejekts-2020-259-elastic-cloud-bursting-with-virtual-kubelet-and-kip
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/TKHL3W/
false
Elastic cloud bursting with Virtual Kubelet and KIP
Talk
en
This talk introduces a brand new open source provider for virtual kubelet called KIP (Kubernetes Cloud Instance Provider). KIP enables Kubernetes control plane to consume cloud agnostic right sized cost optimized compute instance for your Kubernetes pods without having to manually curate and maintain cloud vendor specific pet worker nodes. Cloud bursting demo included!
Tired of hand curating pet worker nodes on each cloud provider? Worried about underutilization of compute on your kubernetes clusters? Wonder if your control plane can ship pods to a different cloud provider? This talk introduces a brand new open source provider for virtual kubelet called KIP (Kubernetes Cloud Instance Provider). KIP enables Kubernetes control plane to consume cloud agnostic right sized cost optimized compute instance for your Kubernetes pods without having to manually curate and maintain cloud vendor specific pet worker nodes. Cloud bursting demo included!
Madhuri Yechuri
2020-04-01T08:20:00+00:00
08:20
00:30
Track 1 (UTC)
virtual-rejekts-2020-292-using-openebs-successfully-for-remote-working-and-to-reduce-costs
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/Q3GJZX/
false
Using OpenEBS successfully for remote working and to reduce costs
Talk
en
We are in difficult times as seen by the form of this conference. Remote working is the new normal. While cloud is available as a quick alternate for spinning up the required resources, it could also burn the additional money. In this talk we discuss how OpenEBS can be used to develop stateful applications locally in your home environment or your laptop and move them to cloud or data center only when necessary, thus increasing the productivity of cloud native developers or SREs and also reducing the costs. The target audience are developers or SREs using Kubernetes in their daily lives. We will give a quick introduction of the problem statement of K8S applications from remote working perspective and then go through a detailed solution around it.
Uma Mukkara
2020-04-01T08:50:00+00:00
08:50
00:10
Track 1 (UTC)
virtual-rejekts-2020-284-handover-india-to-berlin
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/YGVZBZ/
false
Handover: India to Berlin
Handover
en
Handover of moderation from the India team to the Berlin team.
Bill Mulligan, Ellen Körbes
2020-04-01T09:00:00+00:00
09:00
00:30
Track 1 (UTC)
virtual-rejekts-2020-280-metal-stack-kubernetes-on-bare-metal
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/8SDMXM/
false
metal-stack - kubernetes on bare metal
Talk
en
metal-stack is a new open source project that lets you produce kubernetes clusters on bare-metal comparable to hyperscalers but on a full open-source stack targeted for on-premise setups.
metal-stack comprises:
- an API to manage bare metal resources (machines, firewalls, switches)
- an implementation of a cloud controller manager for this API
- layer-3-only networking based on BGP and virtual routers which comes in handy for cluster network separation, usage of metal-lb as implementation for Service-Type LoadBalancer and Cilium as CNI
You’ll get an intro to metal-stack, the underlying considerations for it and a demo where we create a bare metal cluster with SAP Gardener as cluster manager.
Gerrit Schwerthelm, Markus Fensterer
2020-04-01T09:35:00+00:00
09:35
00:30
Track 1 (UTC)
virtual-rejekts-2020-254-inspektor-gadget-and-traceloop-bpf-debugging-tools-for-kubernetes
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/JKU7PC/
false
Inspektor Gadget and traceloop: BPF debugging tools for Kubernetes
Talk
en
I will present Inspektor Gadget and traceloop, a tracing tool to trace system calls in cgroups or in containers using BPF and overwritable ring buffers.
Many people use the “strace” tool to synchronously trace system calls using ptrace. Traceloop similarly traces system calls but asynchronously in the background, using BPF and tracing per cgroup. I’ll show how it is integrated with Kubernetes via Inspektor Gadget.
Traceloop's traces are recorded in a fast, in-memory, overwritable ring buffer like a flight recorder. As opposed to “strace”, the tracing could be permanently enabled on systemd services or Kubernetes pods and inspected in case of a crash. This is like an always-on “strace in the past”.
Alban Crequy
2020-04-01T10:10:00+00:00
10:10
00:30
Track 1 (UTC)
virtual-rejekts-2020-263-virtual-k8s-application-fleet-management-at-scale
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/ELRRKL/
false
Virtual K8s: Application Fleet Management at Scale
Talk
en
The deployment of k8s clusters at the Edge can range in the 1000s. The number of k8s clusters quickly grows into an operational and management problem. This requires a holistic approach to managing clusters and applications. This session introduces a Kubernetes based solution for Application Fleet Management at scale called Virtual K8s (vk8s). The K8s abstraction layer today currently manages each site & device individually. With federated approaches, this is an operational challenge. Instead of managing a large number of clusters, you will learn the concept of cluster digital twin called Virtual k8s. vk8s is k8s API compatible tool that replicates across k8s clusters. You will learn the architectural concepts and challenges in our journey in managing more than 1,000 devices. A live demo of fleet application management across global device deployments will be also shown.
The Edge ecosystem spans across all verticals such as Retail, Manufacturing, Industrial, Robotics, etc. As more organizations begin to move to edge deployments in the number of 1000s using Cloud Native technologies, there are clear deployment, lifecycle management, and operational challenges.
This talk will focus on architectural & technology principles of managing large scale kubernetes application deployments for globally scaled applications. We will use our experience with a large retail customer development used to validate the approach. The solution uses standard k8s APIs, defines new concepts on fleet management leveraging standard techniques for replications controlled by annotations and CRDs.
The learning will benefit both project owners and operators of large scale systems, with a focus on growing existing projects to take into these approaches.
Jakub Pavlik
2020-04-01T10:45:00+00:00
10:45
00:15
Track 1 (UTC)
virtual-rejekts-2020-282-istio-as-a-monolith-why-sometimes-consolidation-is-a-good-thing-and-what-does-it-mean-for-the-users-
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/GXQEPP/
false
Istio as a monolith. Why sometimes consolidation is a good thing and what does it mean for the users.
Short Talk
en
In the latest release, Istio consolidated its components into one binary - istiod. In the world of microservices, that's an unusual move but it was definitely a good move. In this talk I will explain why sometimes it's better to be a "monolith" and what this change means for users.
Istio moving to a single binary is a great opportunity to talk about differences between a "monolith" and a "single binary microservice". Explain why monolith isn't always a bad thing. On top of that - this move solves one of the most common "disadvantages" of Istio so I will also explain what it means for the users and what Istio's future could look like.
Dawid Ziolkowski
2020-04-01T11:00:00+00:00
11:00
00:10
Track 1 (UTC)
virtual-rejekts-2020-285-handover-berlin-to-amsterdam
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/MT8JWT/
false
Handover: Berlin to Amsterdam
Handover
en
Handover of moderation from the Berlin team to the Amsterdam team.
Lian Li, Alessandro Vozza
2020-04-01T11:10:00+00:00
11:10
00:30
Track 1 (UTC)
virtual-rejekts-2020-273-how-to-beat-an-existential-crisis-by-becoming-cloud-native-
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/WDTTHP/
false
How to beat an existential crisis by becoming Cloud Native.
Talk
en
Last five years of mass movement to Cloud Native and the last few dramatic months in the shadow of the COVID-19 pandemic are examples of existential crises, former is relatively slow and the latter is almost instant, but both are dramatic in their effect on all the aspects of company existence.
To survive, each business has to adjust its technology, organisational structure, financials, and even company culture.
But, if you’re working in an average company from a small startup to a massive enterprise, you would probably experience the following:
- Resistance and use of outdated methods to adjust to a slow existential threat, or
- Dramatic defensive reaction, mostly expressed as a freeze or full cancelation of the majority of innovative projects in case of a fast existential threat
Those responses are most common but rarely the most effective ways to survive and most importantly to turn the crisis into an opportunity.
This talk will not give you direct answers, but instead provide you with mental models, patterns, designs and other tools for creation of an effective and dynamic strategy for dealing with the most complex situation you could ever imagine.
This talk is based on our O'Reilly book - Cloud Native Transformation https://www.amazon.com/Cloud-Native-Transformation-Practical-Innovation/dp/1492048909
Patterns from the book can be found here: https://www.cnpatterns.org/
An important mental model that shows the scope of the story is Cloud Native Maturity Matrix: https://info.container-solutions.com/cloud-maturity-matrix
Pini Reznik
2020-04-01T11:45:00+00:00
11:45
00:30
Track 1 (UTC)
virtual-rejekts-2020-251-kubernetes-the-fun-way
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/XDGMZR/
false
Kubernetes The Fun Way
Talk
en
Kubernetes the Fun Way is a collection of case studies and demos in which Kubernetes and other cloud-native technologies are explored in unrealistic and (somewhat) ridiculous scenarios. The purpose is to create a fun and inclusive learning environment.
Each of the case studies is accompanied by a demo, lessons learned and videos/gifs which are supposed to look fun:
- Running a Kubernetes cluster on Arm64 single board computers in my living room and creating a ceph pool managed by Rook using USB Flash Drives just to run a Wordpress blog;
- Building a Kubernetes operator for drones, attaching worker nodes to the drones, and launching them in the air;
- Using a mobile app to trigger vm shutdowns in order to test the resilience of "cloud-native" applications;
- The fourth one is still under development and will be about creating your own Kubernetes as a Service using Typhoon K8s.
Dan Acristinii
2020-04-01T12:20:00+00:00
12:20
00:30
Track 1 (UTC)
virtual-rejekts-2020-271-platform-endgame-kube-cf
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/RKPBZ8/
false
Platform Endgame - Kube CF
Talk
en
We are building what we think is the ultimate platform. Based on Kubernetes and Cloud Foundry, it's the best of both worlds. IT professionals can manage infrastructure using Kube, while app developers become more productive using the developer-focused UX refined by Cloud Foundry for almost a decade.
Cloud Foundry is trusted by more than half of the Fortune 500 and it has an amazing community of people that are all interested in building the best platform for developers.
We believe Kube CF is a project that can join these two communities. In this talk, we want to show everyone what this platform can do, and how we've built it.
Please find our projects at the links below. Kube CF will be incubated within the Cloud Foundry Foundation in January 2020. https://github.com/SUSE/kubecf https://github.com/cloudfoundry-incubator/cf-operator/
We understand that Cloud Foundry and Kubernetes overlap in a few aspects, but we strongly believe that they don't need to compete. In our view, they are complementary projects, that can serve a wider range of use cases when deployed together.
As mentioned before, both projects have large communities, and with this project we're looking to have them collaborate and come up with solutions that benefit real customers.
Kube CF is not just an idea. Both SUSE and IBM have product offerings that deliver this solution to customers.
We also consider this to be an amazing use-case for Kubernetes. Cloud Foundry is a complex piece of software, and having it run reliably on Kubernetes has been a great effort, which resulted in us implementing native operators with controllers that bridge the gap.
A project like this drives innovation. The operators we've built offer building blocks that can be reused in other contexts: rolling updates with automated canaries and recovery, support for re-usable errands, job output persistence, secret generation, automated reaction on configuration change, support for service routing to active/passive services and configuration discovery and linking.
Mario Manno, Vlad Iovanov
2020-04-01T12:55:00+00:00
12:55
00:15
Track 1 (UTC)
virtual-rejekts-2020-256-yes-we-need-a-new-dashboard-
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/BDP8YE/
false
Yes, we need a new dashboard!
Short Talk
en
Kubernetes is a complex project, and one of the goals of UX and design is to make complex things feel simpler, so using a web dashboard for accessing and managing Kubernetes makes a lot of sense. Fortunately, there are many choices out there for those who want to try out dashboards, unfortunately, those dashboards don't always make things simpler.
In this presentation I will introduce a new dashboard that is being developed from scratch, with the bold goal of becoming one of the reference dashboards for Kubernetes.
Joaquim Rocha
2020-04-01T13:10:00+00:00
13:10
00:10
Track 1 (UTC)
virtual-rejekts-2020-286-handover-amsterdam-to-london
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/NH7CJH/
false
Handover: Amsterdam to London
Handover
en
Handover of moderation from the Amsterdam team to the London team.
Mark Coleman, Charlotte Godley
2020-04-01T13:20:00+00:00
13:20
00:30
Track 1 (UTC)
virtual-rejekts-2020-264-how-to-train-your-red-team-for-cloud-native-
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/CKPRTM/
false
How to Train your Red Team (for Cloud Native)
Talk
en
How do we safely introduce Cloud Native software without opening unexpected security holes? By understanding risk, modelling threats, and attacking our own systems.
“Simulation” (i.e. playing hacking games on production-like infrastructure) is rising to prominence as a comprehensive training method for penetration testers, Red Teams, and infrastructure engineers. It safely demonstrates the risks an organisation or platform may face by using a controlled environment that looks and feels like production — but is only a clone.
In this highly technical talk we:
- cover the challenges faced introducing Cloud Native to financial organisations
- show the steps taken to threat model Kubernetes
- build and automate attack trees and kill chains for likely (and perversely difficult) compromise scenarios
- demonstrate an open-source Kubernetes CTF platform
Andrew Martin
2020-04-01T13:55:00+00:00
13:55
00:30
Track 1 (UTC)
virtual-rejekts-2020-258-attack-of-the-mutant-tags-
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/8TNRXT/
false
Attack of the mutant tags!
Talk
en
In container land, image tags are mutants. Are you using “latest” tag, or per-environment tags like “dev”, “staging”, “prod”, etc.? Then, you might not be aware, but you are already suffering their attack!
In this talk, we will analyze some use cases where mutability of tags could be troublesome, like:
* Race conditions when deploying an image in different cluster nodes.
* Time-of-Check vs Time-of-Use (TOCTOU) security issues that allow an attacker to trick image scanners with admission controllers or OPA Gatekeeper and run unverified images in Kubernetes.
* Garbage collection not reclaiming space in the registry storage.
* Accidental deletion of images using the registry API.
Should tags be always mutable? Immutable? Should we use regular expressions? How can we prevent these security incidents and accidents from happening? Which approach is the best? Join this session to find out!
In this talk we will start explaining the meaning of tag mutation, and how you can end up running the same tag but different images in different environments if you don’t take care.
Then we will focus and make a demo on some race-condition problems with Kubernetes that can lead to security problems, allowing an attacker to bypass an image scan triggered by admission controller.
We will share our experience with Harbor registry, and how lack of knowledge on the internals of the Docker registry and how the API works can lead to misassumptions leading to destruction or corruption of data. For example, in Harbor UI a user can remove an image by tag, but the underlying Docker registry API delete manifest endpoint (https://docs.docker.com/registry/spec/api/#deleting-an-image) deletes by digest. So, deleting a tag will result in the deletion of all the tags pointing to the same manifest. Also, users might wonder why the garbage collection is releasing very little space and ignore the fact that due to CA IDs, manifests are preserved in the registry when a tag is mutated. This prevents the old tag layers from being reclaimed by the GC.
Finally, we will see how registries usually allow enabling immutability as a feature and open a debate about tag mutability: should tags be always mutable? Always immutable? Should we use regular expressions? Which approach is the best? Join this session to find out.
Álvaro Iradier
2020-04-01T14:30:00+00:00
14:30
00:30
Track 1 (UTC)
virtual-rejekts-2020-278-calico-networking-with-ebpf
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/ZBCDWF/
false
Calico Networking with eBPF
Talk
en
What do you get when you combine Calico’s rich networking and network policy capabilities with the latest eBPF capabilities of the Linux kernel? Join us to find out!
Sometimes referred to as the Linux kernel’s “super power”, eBPF allows you to write mini programs that can be attached to various low-level hooks and executed inside the Linux kernel, for a wide variety of uses including networking, security, and tracing. You’ll see a lot of non-networking projects leveraging eBPF, but for Calico our focus is on networking, and in particular, pushing the networking capabilities of the latest Linux kernels to the limit while maintaining Calico’s reputation for simplicity, reliability and scalability.
In this talk you will learn the basics of how eBPF works, how it can be leveraged for networking, and what the benefits (and drawbacks) are for users interested in switching from Linux’s standard networking pipeline to Calico’s new eBPF optimized dataplane.
Shaun Crampton
2020-04-01T15:00:00+00:00
15:00
00:10
Track 1 (UTC)
virtual-rejekts-2020-287-handover-london-to-new-york
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/SL8PYQ/
false
Handover: London to New York
Handover
en
Handover of moderation from the London team to the New York team.
Jonathan Gold, Stephen Augustus
2020-04-01T15:10:00+00:00
15:10
00:30
Track 1 (UTC)
virtual-rejekts-2020-272-using-k8s-bare-metal-5g-to-achieve-autonomous-drone-delivery-
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/TDRNTS/
false
Using k8s, Bare Metal, & 5G to achieve autonomous drone delivery!
Talk
en
In this talk, you will learn about the growing Edge computing landscape and the need for low latency 5G networks.
We will be discussing a use case for utilizing drones to make deliveries to warehouses, as well as looking at the technologies used to build an end to end IoT pipeline on Kubernetes that allows you to gather and visualize your fleet in real-time. We will be demonstrating how this data can be utilized to send real-time instructions to drones in cases such as collision avoidance, no-fly zone avoidance, and heavy wind avoidance. All of the code from this talk is 100% open source and can be tested by anyone in attendance.
Cody Hill
2020-04-01T15:45:00+00:00
15:45
00:30
Track 1 (UTC)
virtual-rejekts-2020-267-what-we-ve-learned-building-a-multi-region-dbaas-on-kubernetes
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/NFECW8/
false
What We’ve Learned Building a Multi-Region DBaaS on Kubernetes
Talk
en
When the engineers at Cockroach Labs started development on a global Database as a Service (DBaaS), they weren’t sure if Kubernetes would be the right choice for the underlying orchestration system. They wanted to harness Kubernetes’s powerful orchestration capabilities, but building a system to run geo-distributed Cockroach clusters on Kubernetes presents unique challenges: First, the clusters must run across multiple regions, complicating networking and service discovery. Second, the clusters must store data, requiring the use of stateful sets and persistent volumes. Third, the system must programmatically create Kubernetes clusters on AWS and GKE, which have different APIs for node pools and firewalls. In this presentation, they share their experience of overcoming these challenges to build a global DBaaS.
We are presenting a unique case study from a Kubernetes user. We will be sharing our team's experience using kubernetes to build a multiregion database as a service. Unique aspects include (a) running a stateful service across multiple regions, (b) heavily using the k8s API to build automation on top of k8s, and (c) offering a service that dynamically allocates k8s clusters on public cloud providers. In particular, (a) could help inform the design of future k8s multiregion networking/federation capabilities.
Josh Imhoff, Carlo Salomon Ruiz
2020-04-01T16:20:00+00:00
16:20
00:30
Track 1 (UTC)
virtual-rejekts-2020-277-the-need-for-a-cloud-native-tunnel
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/ZJG8CL/
false
The need for a Cloud Native Tunnel
Talk
en
Everything was fine, we were developing applications for the cloud on our local laptops, until we needed to integrate with webhooks. Then things got tricky at work, all known solutions were blocked like cryptic socat commands, SSH, Ngrok, Argo Tunnels and we had no budget for an AWS account.
We needed a Cloud Native Tunnel, but just didn’t know it yet. That’s when “inlets” began as a holiday project, which then went on to score over 5k GitHub stars and dozens of community blog posts.
That was the beginning of 2019, and now we have a whole ecosystem of tooling to support Cloud Native Tunnels directly integrated into Kubernetes via an Operator and CRD, via a CLI which provisions cloud hosts automatically and a new pro edition which is commercially supported and adds automatic TLS.
This talk introduces real-world use-cases from customers such as connecting private hospital radiography scanners to the cloud for up to 10k locations in Switzerland.
We’ll compare and contrast the inlets OSS tooling to various other solutions and with a live demo, we’ll see Minikube’s LoadBalancer turn from “pending” to a real IP from public cloud. We’ll even be able to obtain a LetsEncrypt certificate on our laptop.
This talk is different from the one at San Diego, which introduced a problem around IPv4 addresses running out, and some of the ways tunnels could help us gain IPs again. The recording at San Diego also got corrupted and was lost. This talk provides an overview of the problem and gives developers and ITOps a new, essential tool for their tool belt.
I'll also be giving examples of real-world case-studies and customer interest and adoption.
https://github.com/inlets/
https://blog.alexellis.io/https-inlets-local-endpoints/
Alex Ellis, Founder @ OpenFaaS Ltd, CNCF Ambassador
2020-04-01T16:50:00+00:00
16:50
00:10
Track 1 (UTC)
virtual-rejekts-2020-288-handover-new-york-to-boulder
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/DJHL3Y/
false
Handover: New York to Boulder
Handover
en
Handover of moderation from the New York team to the Boulder team.
Kim McMahon, Chris Kuehl
2020-04-01T17:00:00+00:00
17:00
00:30
Track 1 (UTC)
virtual-rejekts-2020-253-kubernetes-ingress-nginx-security-from-beginner-to-expert
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/LNCSKT/
false
Kubernetes Ingress-Nginx Security from Beginner to Expert
Talk
en
In Kubernetes the Ingress-Nginx Controller is one of the most deployed Ingress Controllers. It is the gateway to your applications, the metaphorical door person right outside. Securing it is crucial to the overall Security of your Cloud, yet many times it is not properly configured, leaving it vulnerable to a variety of attacks.
This presentation will go over the various ways of securing your application with the Ingress-Nginx Controller. Examples can be found here: https://gitlab.com/fjdiaz/virtual-rejekts-2020-ingress-nginx-security
This presentation will cover:
- Explaining what ingress is and how it works
- How to configure the ingress controller
- How to enhance ingress security (Basic Auth, Mutual Auth, WAF, etc.)
- How to troubleshoot errors with the ingress controller
Fernando Diaz
2020-04-01T17:35:00+00:00
17:35
00:30
Track 1 (UTC)
virtual-rejekts-2020-261-observable-applications-using-opentelemetry
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/T9W3A9/
false
Observable Applications Using OpenTelemetry
Talk
en
OpenTelemetry is a CNCF sandbox project which standardizes application tracing and monitoring across multiple programming languages, protocols, platforms and vendors. In this talk I'll provide a brief introduction to the OpenTelemetry project, explore some of its language libraries, demonstrate how they can be used to make distributed applications observable and look into some of the tricky parts in implementing distributed tracing as well as how they are handled by OpenTelemetry.
Following are the key topics covered in the talk:
- Tracing vs. traditional monitoring and logging
- Distributed tracing: what makes it great and why it is hard
- Introduction to OpenTelemetry
- A look into some of the OpenTelemetry libraries (most likely Go and Python)
- Demo: making a distributed application observable using OpenTelemetry
- Context propagation: what makes it tricky and how it is handled in the OpenTelemetry implementation
Johannes Liebermann
2020-04-01T18:10:00+00:00
18:10
00:15
Track 1 (UTC)
virtual-rejekts-2020-252-the-easy-button-to-kubernetes-networking-with-open-vswitch
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/38GQVE/
false
The Easy Button to Kubernetes Networking with Open vSwitch
Short Talk
en
Networking can be a headache. Troubleshooting Kubernetes network issues often implies using a plethora of tools, running countless tests, and staring at iptables rules.
Open vSwitch, which offers a performant, reliable and feature-rich virtual switch for Linux and Windows, can help alleviate this. Its programmable datapath allows for configuring Pod connectivity, Network Policies, and Cluster IPs using the same match-action logic, thus providing a unified dataplane for K8s networking. It also enables the development of advanced tools that simplify K8s network monitoring and troubleshooting.
This talk will show how OVS programmability and observability can be integrated into K8s clusters by means of a lightweight CNI with a mostly decentralized control plane - project Antrea - implemented by leveraging the K8s and cloud native ecosystems (libraries, tooling, dashboards) as much as possible.
Antonin Bas
2020-04-01T18:30:00+00:00
18:30
00:30
Track 1 (UTC)
virtual-rejekts-2020-279-watching-the-watcher-advanced-integrated-monitoring-with-prometheus-federation
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/V8KREC/
false
Watching the Watcher: Advanced Integrated Monitoring with Prometheus Federation
Talk
en
The name Prometheus is no longer synonymous with "The Messenger of the Gods". It has far greater responsibility in today's cloud native application environments.
This session will cover configuring Prometheus in a production environment with a focus on federating Prometheus deployments together.
Federation is the term that describes using one instance of Prometheus to scrape metrics from another instance, and it's not often talked about. Teams deploying Prometheus may want to use federation for any number of reasons:
- Their existing Prometheus installation is projected to outgrow its current hardware
- To manage performance as the number of samples collected by Prometheus grows
- Integrate a Prometheus deployment from a different application
Each of these topics will be explained and an example of federation will be demonstrated using Linkerd which includes its own Prometheus.
This talk is meant for individuals who are exploring new ways to use cloud native technologies and want to know more about components which are becoming ubiquitous, like Prometheus.
Attendees will learn what Prometheus offers as a time-series data store, as well as what it does not offer.
After the basics of Prometheus are addressed, the talk will go into the anatomy of a Prometheus installation covering architecture and hardware requirements. Next, the talk will cover Prometheus as a component in a distributed application in a production environment, where there may be other instances of Prometheus running.
As a result, attendees will learn how to install and configure a standalone Prometheus as part of a larger distributed application with basic security and redundancy so that it can recover quickly in the event of a catastrophic outage.
Next, attendees will learn how to link (federate) the standalone instance of Prometheus with the instance of Prometheus that is deployed with the Linkerd service mesh.
Finally, the session will discuss alternatives to Prometheus federation using the CNCF project Cortex.
Charles Pretzer
2020-04-01T19:00:00+00:00
19:00
00:10
Track 1 (UTC)
virtual-rejekts-2020-289-handover-boulder-to-seattle
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/9339QZ/
false
Handover: Boulder to Seattle
Handover
en
Handover of moderation from the Boulder team to Seattle team.
Kaslin Fields, Matt Baldwin
2020-04-01T19:10:00+00:00
19:10
00:30
Track 1 (UTC)
virtual-rejekts-2020-260-making-the-business-case-for-devops
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/ULC7KL/
false
Making the Business Case for DevOps
Talk
en
The software development loop is, without question, the most critical component of any business and yet it can sometimes be difficult to get everyone to prioritize it. In this talk, we'll look at several case studies from major companies and how they became more competitive and more reliable to beat out competitors.
We'll provide tools to calculate the cost savings and investment involved in DevOps, including personnel, CI/CD, monitoring, and more. Everyone cares about DevOps when features can't be delivered or services fail. We'll show you how to avoid the pitfalls of reactive DevOps in 2020. Then, instead of painful retrospectives about the investment that should have been made, you can celebrate what a good job you've done.
Dan Garfield
2020-04-01T19:45:00+00:00
19:45
00:30
Track 1 (UTC)
virtual-rejekts-2020-296-secure-shell-access-without-ssh
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/MY7CVR/
false
Secure Shell Access Without SSH
Talk
en
SSH is a staple of server management. As simple as it is, it comes with lots of complications. Open ports, user management, authorized_keys, and bastions are just some of the things you need to consider.
What if there were an easier way? What if you didn't need to open port 22 and you didn't need VPN access? What about auditing shell sessions and current connections?
AWS Systems Manager Session Manager has managed to have the worst product name in the cloud, but it also may be the most useful for securing access to your infrastructure.
Justin Garrison
2020-04-01T20:20:00+00:00
20:20
00:30
Track 1 (UTC)
virtual-rejekts-2020-295-cluster-api-deep-dive
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/TWB333/
false
Cluster API Deep Dive
Talk
en
During this talk, we'll do a walkthrough of Cluster API (cluster-api.sigs.k8s.io), a project of SIG Cluster Lifecycle. After introducing the project, we'll do a live demo, showing how to quickly create a cluster using Azure, scaling it up, and upgrading it. Finally, we'll leave some time for Q&A and answer any questions viewers might have!
Cecile Robert-Michon, Vince Prignano
2020-04-01T20:50:00+00:00
20:50
00:10
Track 1 (UTC)
virtual-rejekts-2020-290-handover-seattle-to-san-francisco
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/CN3CTC/
false
Handover: Seattle to San Francisco
Handover
en
Handover of moderation from the Seattle team to San Francisco team.
Tasha Drew, Katy Farmer
2020-04-01T21:00:00+00:00
21:00
00:30
Track 1 (UTC)
virtual-rejekts-2020-293-discover-and-secure-your-apis-in-minutes
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/NDUMDV/
false
Discover and Secure your APIs in Minutes
Talk
en
In today’s microservices world, developers are building new microservices or integrating them with other projects or apps. Every time they do this, new microservices have to expose new APIs and existing services need to consume them. Developers also need to think of ways to secure these new APIs so the application’s security can be better enforced.
Leveraging the concepts of distributed tracing and layer 7 application policies, we will demonstrate to viewers a way to discover new APIs and automatically secure them by white-listing via application policies -- all within minutes.
Madhukar Nayakbomman
2020-04-01T21:35:00+00:00
21:35
00:30
Track 1 (UTC)
virtual-rejekts-2020-270-noverlay-networks-for-health-and-wellbeing
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/ZPSXZU/
false
Noverlay Networks for Health and Wellbeing
Talk
en
As Kubernetes multi-cluster deployment scales now start to approach those of large IP internetworks of yesteryear, we see a myriad of network design alternatives mirroring the network design choices from the internets of old.
We will take a tongue-firmly-in-cheek yet factual look through some of the network history books at approaches that worked and those that didn't through the lens of a network engineer who's survived multiple generations of internetwork design.
We will draw parallels from history to what can be applied to the current design primitives for Kubernetes connectivity spanning services/pod networking, Ingress and external load balancing, especially when mingled with sophisticated traffic management at edge sidecar proxies.
- How many load balancers does it take to replace a pod?
- How do these interplay with pods connectivity approaches? Can there be optimizations?
- Is it possible to optimize routing (or addressing) by zone or topology across various abstractions, or does each successive abstraction get in the way of others?
We'll compare some of the options for these, and contrast with the lessons from network history books.
/media/virtual-rejekts-2020/images/ZPSXZU/noverlay-networks_qp9kGcD_QwUQz29.png
Karthik Prabhakar
2020-04-01T22:10:00+00:00
22:10
00:30
Track 1 (UTC)
virtual-rejekts-2020-268-kubernetes-native-policy-management-with-kyverno-
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/7CGL3P/
false
Kubernetes Native Policy Management with Kyverno!
Talk
en
Kyverno is policy management designed for Kubernetes. With Kyverno, cluster administrators can easily validate, mutate, and generate configurations without the complexity and hassle of another language or external tools. In this talk Jim Bugwadia and Shuting Zhao will discuss why policies are key to managing Kubernetes at scale, show how Kyverno works, and demonstrate using Kyverno to address Kubernetes best practices and security across workloads and clusters.
/media/virtual-rejekts-2020/images/7CGL3P/Kyverno_Word_1280_white_WyiMzvs.png
Shuting Zhao, Jim Bugwadia
2020-04-01T22:40:00+00:00
22:40
00:10
Track 1 (UTC)
virtual-rejekts-2020-291-virtual-rejekts-wrapup
https://cfp.cloud-native.rejekts.io/virtual-rejekts-2020/talk/XUFB8A/
false
Virtual Rejekts wrapup
Handover
en
.
Chris Kuehl, Arun Teja Godavarthi