Virtual Rejekts 2020
Virtual Rejekts Kickoff. We'll introduce the format, the moderator line-ups and welcome the first speaker.
Demonstrating a more streamlined approach for binding applications with services provided by Kubernetes Operators, using our open-source project, service-binding-operator. An improved developer experience for declaring and ensuring binding with infrastructure components.
This talk introduces a brand new open source provider for virtual kubelet called KIP (Kubernetes Cloud Instance Provider). KIP enables the Kubernetes control plane to consume cloud-agnostic, right-sized, cost-optimized compute instances for your Kubernetes pods without having to manually curate and maintain cloud-vendor-specific pet worker nodes. Cloud bursting demo included!
We are in difficult times, as seen by the form of this conference. Remote working is the new normal. While cloud is available as a quick alternative for spinning up the required resources, it can also burn additional money. In this talk we discuss how OpenEBS can be used to develop stateful applications locally in your home environment or on your laptop and move them to the cloud or data center only when necessary, thus increasing the productivity of cloud native developers and SREs and also reducing costs. The target audience is developers and SREs using Kubernetes in their daily lives. We will give a quick introduction to the problem statement of K8S applications from a remote working perspective and then go through a detailed solution for it.
Handover of moderation from the India team to the Berlin team.
metal-stack is a new open source project that lets you create Kubernetes clusters on bare metal, comparable to hyperscalers but on a fully open-source stack targeted at on-premise setups. It provides:
- an API to manage bare metal resources (machines, firewalls, switches)
- an implementation of a cloud controller manager for this API
- layer-3-only networking based on BGP and virtual routers, which comes in handy for cluster network separation, with MetalLB as the implementation for Services of type LoadBalancer and Cilium as CNI
You’ll get an intro to metal-stack, the underlying considerations for it and a demo where we create a bare metal cluster with SAP Gardener as cluster manager.
I will present Inspektor Gadget and traceloop, a tracing tool to trace system calls in cgroups or in containers using BPF and overwritable ring buffers.
Many people use the “strace” tool to synchronously trace system calls using ptrace. Traceloop similarly traces system calls but asynchronously in the background, using BPF and tracing per cgroup. I’ll show how it is integrated with Kubernetes via Inspektor Gadget.
Traceloop's traces are recorded in a fast, in-memory, overwritable ring buffer, like a flight recorder. As opposed to “strace”, the tracing can be permanently enabled on systemd services or Kubernetes pods and inspected in case of a crash. This is like an always-on “strace in the past”.
The deployment of k8s clusters at the Edge can number in the thousands. The number of k8s clusters quickly grows into an operational and management problem. This requires a holistic approach to managing clusters and applications. This session introduces a Kubernetes based solution for Application Fleet Management at scale called Virtual K8s (vk8s). The K8s abstraction layer today manages each site & device individually. With federated approaches, this is an operational challenge. Instead of managing a large number of clusters, you will learn the concept of a cluster digital twin called Virtual k8s. vk8s is a k8s API-compatible tool that replicates across k8s clusters. You will learn the architectural concepts and challenges from our journey managing more than 1,000 devices. A live demo of fleet application management across global device deployments will also be shown.
In the latest release, Istio consolidated its components into one binary - istiod. In the world of microservices, that's an unusual move, but it was definitely a good move. In this talk I will explain why sometimes it's better to be a "monolith" and what this change means for users.
Handover of moderation from the Berlin team to the Amsterdam team.
The last five years of mass movement to Cloud Native and the last few dramatic months in the shadow of the COVID-19 pandemic are examples of existential crises; the former is relatively slow and the latter almost instant, but both are dramatic in their effect on all aspects of a company's existence.
To survive, each business has to adjust its technology, organisational structure, financials, and even company culture.
But, if you’re working in an average company from a small startup to a massive enterprise, you would probably experience the following:
- Resistance and use of outdated methods to adjust to a slow existential threat, or
- Dramatic defensive reaction, mostly expressed as a freeze or full cancellation of the majority of innovative projects in case of a fast existential threat
Those responses are the most common, but rarely the most effective, ways to survive and, most importantly, to turn the crisis into an opportunity.
This talk will not give you direct answers, but instead provide you with mental models, patterns, designs and other tools for creating an effective and dynamic strategy for dealing with the most complex situation you could ever imagine.
Kubernetes the Fun Way is a collection of case studies and demos in which Kubernetes and other cloud-native technologies are explored in unrealistic and (somewhat) ridiculous scenarios. The purpose is to create a fun and inclusive learning environment.
We are building what we think is the ultimate platform. Based on Kubernetes and Cloud Foundry, it's the best of both worlds. IT professionals can manage infrastructure using Kube, while app developers become more productive using the developer-focused UX refined by Cloud Foundry for almost a decade.
Cloud Foundry is trusted by more than half of the Fortune 500 and it has an amazing community of people that are all interested in building the best platform for developers.
We believe Kube CF is a project that can join these two communities. In this talk, we want to show everyone what this platform can do, and how we've built it.
Please find our projects at the links below. Kube CF will be incubated within the Cloud Foundry Foundation in January 2020. https://github.com/SUSE/kubecf https://github.com/cloudfoundry-incubator/cf-operator/
Kubernetes is a complex project, and one of the goals of UX and design is to make complex things feel simpler, so using a web dashboard for accessing and managing Kubernetes makes a lot of sense. Fortunately, there are many choices out there for those who want to try out dashboards; unfortunately, those dashboards don't always make things simpler.
In this presentation I will introduce a new dashboard that is being developed from scratch, with the bold goal of becoming one of the reference dashboards for Kubernetes.
Handover of moderation from the Amsterdam team to the London team.
How do we safely introduce Cloud Native software without opening unexpected security holes? By understanding risk, modelling threats, and attacking our own systems.
“Simulation” (i.e. playing hacking games on production-like infrastructure) is rising to prominence as a comprehensive training method for penetration testers, Red Teams, and infrastructure engineers. It safely demonstrates the risks an organisation or platform may face by using a controlled environment that looks and feels like production — but is only a clone.
In this highly technical talk we:
- cover the challenges faced introducing Cloud Native to financial organisations
- show the steps taken to threat model Kubernetes
- build and automate attack trees and kill chains for likely (and perversely difficult) compromise scenarios
- demonstrate an open-source Kubernetes CTF platform
In container land, image tags are mutants. Are you using the “latest” tag, or per-environment tags like “dev”, “staging”, “prod”, etc.? Then you might not be aware of it, but you are already suffering their attack!
In this talk, we will analyze some use cases where mutability of tags could be troublesome, such as:
- Race conditions when deploying an image on different cluster nodes.
- Time-of-Check vs Time-of-Use (TOCTOU) security issues that allow an attacker to trick image scanners with admission controllers or OPA Gatekeeper and run unverified images in Kubernetes.
- Garbage collection not reclaiming space in the registry storage.
- Accidental deletion of images using the registry API.
Should tags be always mutable? Immutable? Should we use regular expressions? How can we prevent these security incidents and accidents from happening? Which approach is the best? Join this session to find out!
What do you get when you combine Calico’s rich networking and network policy capabilities with the latest eBPF capabilities of the Linux kernel? Join us to find out!
Handover of moderation from the London team to the New York team.
In this talk, you will learn about the growing Edge computing landscape and the need for low latency 5G networks.
We will be discussing a use case for utilizing drones to make deliveries to warehouses, as well as looking at the technologies used to build an end-to-end IoT pipeline on Kubernetes that allows you to gather and visualize your fleet in real time. We will be demonstrating how this data can be utilized to send real-time instructions to drones in cases such as collision avoidance, no-fly zone avoidance, and heavy wind avoidance. All of the code from this talk is 100% open source and can be tested by anyone in attendance.
When the engineers at Cockroach Labs started development on a global Database as a Service (DBaaS), they weren’t sure if Kubernetes would be the right choice for the underlying orchestration system. They wanted to harness Kubernetes’s powerful orchestration capabilities, but building a system to run geo-distributed Cockroach clusters on Kubernetes presents unique challenges: First, the clusters must run across multiple regions, complicating networking and service discovery. Second, the clusters must store data, requiring the use of stateful sets and persistent volumes. Third, the system must programmatically create Kubernetes clusters on AWS and GKE, which have different APIs for node pools and firewalls. In this presentation, they share their experience of overcoming these challenges to build a global DBaaS.
Everything was fine, we were developing applications for the cloud on our local laptops, until we needed to integrate with webhooks. Then things got tricky at work: all the known solutions, like cryptic socat commands, SSH, Ngrok and Argo Tunnels, were blocked, and we had no budget for an AWS account.
We needed a Cloud Native Tunnel, but just didn’t know it yet. That’s when “inlets” began as a holiday project, which then went on to score over 5k GitHub stars and dozens of community blog posts.
That was the beginning of 2019, and now we have a whole ecosystem of tooling to support Cloud Native Tunnels directly integrated into Kubernetes via an Operator and CRD, via a CLI which provisions cloud hosts automatically and a new pro edition which is commercially supported and adds automatic TLS.
This talk introduces real-world use cases from customers, such as connecting private hospital radiography scanners to the cloud for up to 10k locations in Switzerland.
We’ll compare and contrast the inlets OSS tooling to various other solutions and, with a live demo, we’ll see Minikube’s LoadBalancer turn from “pending” to a real IP from public cloud. We’ll even be able to obtain a Let's Encrypt certificate on our laptop.
Handover of moderation from the New York team to the Boulder team.
In Kubernetes, the Ingress-Nginx Controller is one of the most deployed Ingress Controllers. It is the gateway to your applications, the metaphorical door person right outside. Securing it is crucial to the overall security of your cloud, yet it is often not properly configured, leaving it vulnerable to a variety of attacks.
This presentation will go over the various ways of securing your application with the Ingress-Nginx Controller. Examples can be found here: https://gitlab.com/fjdiaz/virtual-rejekts-2020-ingress-nginx-security
OpenTelemetry is a CNCF sandbox project which standardizes application tracing and monitoring across multiple programming languages, protocols, platforms and vendors. In this talk I'll provide a brief introduction to the OpenTelemetry project, explore some of its language libraries, demonstrate how they can be used to make distributed applications observable and look into some of the tricky parts in implementing distributed tracing as well as how they are handled by OpenTelemetry.
Networking can be a headache. Troubleshooting Kubernetes network issues often implies using a plethora of tools, running countless tests, and staring at iptables rules.
Open vSwitch, which offers a performant, reliable and feature-rich virtual switch for Linux and Windows, can help alleviate this. Its programmable datapath allows for configuring Pod connectivity, Network Policies, and Cluster IPs using the same match-action logic, thus providing a unified dataplane for K8s networking. It also enables the development of advanced tools that simplify K8s network monitoring and troubleshooting.
This talk will show how OVS programmability and observability can be integrated into K8s clusters by means of a lightweight CNI with a mostly decentralized control plane - project Antrea - implemented by leveraging the K8s and cloud native ecosystems (libraries, tooling, dashboards) as much as possible.
The name Prometheus is no longer synonymous with "The Messenger of the Gods". It has far greater responsibility in today's cloud native application environments.
This session will cover configuring Prometheus in a production environment with a focus on federating Prometheus deployments together.
Federation is the term that describes using one instance of Prometheus to scrape metrics from another instance, and it's not often talked about. Teams deploying Prometheus may want to use federation for any number of reasons:
- Their existing Prometheus installation is projected to outgrow its current hardware
- To manage performance as the number of samples collected by Prometheus grows
- To integrate a Prometheus deployment from a different application
Each of these topics will be explained and an example of federation will be demonstrated using Linkerd which includes its own Prometheus.
Handover of moderation from the Boulder team to the Seattle team.
The software development loop is, without question, the most critical component of any business and yet it can sometimes be difficult to get everyone to prioritize it. In this talk, we'll look at several case studies from major companies and how they became more competitive and more reliable to beat out competitors.
SSH is a staple of server management. As simple as it is, it comes with lots of complications. Open ports, user management, authorized_keys, and bastions are just some of the things you need to consider.
What if there were an easier way? What if you didn't need to open port 22 and you didn't need VPN access? What about auditing shell sessions and current connections?
AWS Systems Manager Session Manager has managed to have the worst product name in the cloud, but it also may be the most useful for securing access to your infrastructure.
During this talk, we'll do a walkthrough of Cluster API (cluster-api.sigs.k8s.io), a project of SIG Cluster Lifecycle. After introducing the project, we'll do a live demo, showing how to quickly create a cluster using Azure, scaling it up, and upgrading it. Finally, we'll leave some time for Q&A and answer any questions viewers might have!
Handover of moderation from the Seattle team to the San Francisco team.
In today’s microservices world, developers are building new microservices or integrating them with other projects or apps. Every time they do this, new microservices have to expose new APIs and existing services need to consume them. Developers also need to think of ways to secure these new APIs so the application’s security can be better enforced.
Leveraging the concepts of distributed tracing and layer 7 application policies, we will demonstrate to viewers a way to discover new APIs and automatically secure them by white-listing via application policies -- all within minutes.
As Kubernetes multi-cluster deployment scales now start to approach those of large IP internetworks of yesteryear, we see a myriad of network design alternatives mirroring the network design choices from the internets of old.
We will take a tongue-firmly-in-cheek yet factual look through some of the network history books at approaches that worked and those that didn't through the lens of a network engineer who's survived multiple generations of internetwork design.
We will draw parallels from history to what can be applied to the current design primitives for Kubernetes connectivity spanning services/pod networking, Ingress and external load balancing, especially when mingled with sophisticated traffic management at edge sidecar proxies.
Kyverno is policy management designed for Kubernetes. With Kyverno, cluster administrators can easily validate, mutate, and generate configurations without the complexity and hassle of another language or external tools. In this talk Jim Bugwadia and Shuting Zhao will discuss why policies are key to managing Kubernetes at scale, show how Kyverno works, and demonstrate using Kyverno to address Kubernetes best practices and security across workloads and clusters.