Constellation - The first always encrypted Kubernetes by Moritz Eckert

•

0 likes•6 views

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Confidential computing is a relatively new technology that allows one to keep workloads encrypted and isolated in memory during processing. If used correctly, confidential computing can shield workloads from the underlying cloud. It's the first technology that effectively prevents data access from the cloud provider and its employees, co-tenants, and hackers coming through the infrastructure. Constellation (https://github.com/edgelesssys/constellation) is an open-source K8s distro/engine that applies the confidential-computing concept to entire K8s clusters. Constellation ensures that all data in the cluster is always encrypted - at rest, in transit, and at runtime. Constellation also provides hardware-rooted "whole cluster" attestation with which the integrity of a cluster can be verified remotely. (This process partly relies on the amazing Sigstore project.) Operations-wise, Constellation is very much vanilla K8s and should work with existing tooling. It's easy to set up and the security features are largely transparent to the DevOps engineer. To run, Constellation requires the availability of "Confidential VMs", which are available in Azure, GCP and elsewhere. In this talk, I'll give an introduction to confidential computing, discuss the motivation behind Constellation, discuss the exciting use cases, give an overview over its architecture, and show a demo.

Technology

Constellation - The first always
encrypted Kubernetes

2
Your app
Cloud
admin
Datacenter
employee
Cloud
How to protect against Infrastructure
based threats?
Other tenant
Foreign
government
Hacker

4
Your app
Cloud
admin
Datacenter
employee
Cloud
How to protect against Infrastructure
based threats?
Other tenant
Foreign
government
Hacker

5
Your app
Cloud
admin
Datacenter
employee
Cloud
Confidential computing protects with
runtime encryption & remote attestation
Other tenant
Foreign
government
Hacker

6
Confidential VMs
Intel TDX, ARM CCA
Defining properties
AMD SEV
🏝 Isolation
🏃‍♀️ Runtime memory-encryption
📃 Remote attestation
🔒 Sealing of state
…
Hypervisor
Hardware
App
Guest OS
Host OS

7
Where is Confidential Computing available?

8
Who is using it?
Banking, financial
services & insurance
Telecom, Edge & IoT
Gov. & public sector
Healthcare & life
science
Manufacturing
Retail

9
Level 1
Protect keys
Level 2
Protect single containers/apps
Level 3
Protect entire deployments
The different flavors of confidential computing

10
Node B
Node A
Storage
Confidential
context #1
Confidential
context #2
Cloud
DevOps
engineer
From a Confidential VM…

11
Node B
Node A
Storage
DevOps
engineer
Cloud
Confidential
context
Attestation
… to a Confidential Cluster

12
Node B
Node A
Storage
Cloud
DevOps
engineer
Constellation Nodes
Confidential VM

13
Unified Kernel Image
Bootloader
Constellation Nodes
…
Firmware
Bootstrapper
k8s
State Disk rootFS
Pod …

14
On prem
Manually managed
Fully managed
Automatically managed by CSP
Join
Update OS
Scale
Update K8s
Cluster management strategies
Join
Update OS
Scale
Update K8s
Admin in control CSP in control

15
In cluster
Autonomously managed
Join
Update OS
Scale
Update K8s
… meeting in the middle
Admin & cluster in control
Confidential
context

16
Constellation Services
JoinService KeyService
Node
Operator
…

17
Autonomous Join
New node
New node
Join Service
Join Service
aTLS handshake
Request to Join
JoinToken, …

18
Node B
Node A
Storage
Cloud
DevOps
engineer
Current status…
Attestation

20
Encryption in transit
• Wireguard VPN between Nodes
• Strict-mode preventing any
leaked packages due to only
eventually consistent state
• Blog post coming soon on
blog.cilium.io

21
Encryption at rest: Kubernetes cluster state
✓ Storing etcd on encrypted and integrity protected disks
▪ Recovery:
✓ Automatically if at least one etcd node is healthy
▪ Manually via CLI in case of a disaster

22
Encryption at rest: Volumes
Problem: Backend-encryption not enough – need in-cluster encryption
▪ CSI plugins for encrypted block storage (Azure Disk , Google PD)
▪ Encrypted RWX File and Blob storage based on Rook/Ceph

23
Node B
Node A
Storage
DevOps
engineer
Cloud
Attestation
… bringing it all together

24
constellation config generate <cloud>
constellation create
constellation init
kubectl [scale anything!]
Demo

26
Container
Container +
Cloud
storage
DevOps
engineer
The first always encrypted Kubernetes

27
Protection against infrastructure based threats
Status quo
Datacenter
employee
BIOS &
Firmware
Host OS Hypervisor Cloud admin Guest OS Application
Software and insiders with potential access to data.
You don’t have to trust the cloud provider and cloud admins anymore.
BIOS &
Firmware
Host OS Hypervisor Cloud admin Guest OS Application
Datacenter
employee
Workload
Infrastructure / cloud provider
Workload
Infrastructure / cloud provider

29
Thanks!
▪ Check it out on GitHub:
https://github.com/edgelesssys/constellation
▪ Get in touch via @m1ghtymo
▪ Or join us @ https://discord.gg/rH8QTH56JN
Learn more
CLI demo
Features,
benchmarks, etc.
App demos:

Similar to Constellation - The first always encrypted Kubernetes by Moritz Eckert

OpenEBS Technical Workshop - KubeCon San Diego 2019

MayaData Inc

BASTA! 2017, Mainz: Talk von Mario-Leander Reimer (@LeanderReimer, Cheftechnologe bei QAware). Cloud-Größen wie Google, Twitter und Netflix haben die Kernbausteine ihrer Infrastruktur quelloffen verfügbar gemacht. Das Resultat aus vielen Jahren Cloud-Erfahrung ist nun frei zugänglich, und jeder kann seine eigenen Cloud-nativen Anwendungen entwickeln – Anwendungen, die in der Cloud zuverlässig laufen und fast beliebig skalieren. Die einzelnen Bausteine wachsen zu einem großen Ganzen zusammen, dem Cloud-Native-Stack. In dieser Session stellen wir die wichtigsten Konzepte und aktuellen Schlüsseltechnologien kurz vor. Anschließend implementieren wir einen einfachen Microservice mit .NET Core und Steeltoe OSS und bringen ihn zusammen mit ausgewählten Bausteinen für Service-Discovery und Konfiguration schrittweise auf einem Kubernetes-Cluster zum Laufen.

Cloud-native .NET Microservices mit Kubernetes

QAware GmbH

Link to the full talk: https://youtu.be/GbBMX83EqZI https://go.dok.community/slack https://dok.community ABSTRACT OF THE TALK More and more we see stateful workloads pop up in Kubernetes clusters. These workloads generate data that is unique and is ephemeral. During this talk we will discuss the challenges of stateful workloads and how you can successfully protect BIO Working over a decade in IT as a technical expert for Veeam Software. Specializing in backup for the modern hybrid cloud. Passion for scripting and programming. Husband of Lena, father of Lev. KEY TAKE-AWAYS FROM THE TALK Data backup of Kubernetes. DR for Kubernetes

Dok Talks #140 - Data protection of stateful environment

DoKC

Container security within Cisco Container Platform

Sanjeev Rampal

Kubernetes 101 for_penetration_testers_-_null_mumbai

n|u - The Open Security Community

Cloud orchestration risks

Glib Pakharenko

Docker on a laptop is easy, but Docker in the cloud is hard. What makes that transition so hard, and what can we do about it? How does this challenge affect the hosting infrastructure and application design? Casey will share lessons learned so far and further questions uncovered in Joyent’s work to build support for Docker in public and private cloud environments. See also http://www.meetup.com/Docker-San-Diego/events/221128898/ and http://www.meetup.com/Docker-Orange-County/events/221129001/

Docker San Diego 2015-03-25

Casey Bisson

Cloud native applications are popular these days. They promise superior reliability and almost arbitrary scalability. They follow three key principles: they are built and composed as microservices. They are packaged and distributed in containers. The containers are executed dynamically in the cloud. But which technology is best to build this kind of application? This talk will be your guidebook. In this hands-on session, we will briefly introduce the core concepts and some key technologies of the cloud native stack and then show how to build, package, containerize, compose and orchestrate a cloud native showcase application on top of a cluster operating system such as Kubernetes or OpenShift. Throughout the session we will be using an off-the-shelf MIDI controller to visualize the concepts and to remote control the cluster. Container Days 2017 conference. @ConDaysEU #CDS17 #qaware #CloudNativeNerd @LeanderReimer

A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17

Mario-Leander Reimer

Container Days 2017, Hamburg: Vortrag von Mario-Leander Reimer (@LeanderReimer, Cheftechnologe bei QAware). Abstract: Cloud-Größen wie Google, Twitter und Netflix haben die Kernbausteine ihrer Infrastruktur quelloffen verfügbar gemacht. Das Resultat aus vielen Jahren Cloud-Erfahrung ist nun frei zugänglich, und jeder kann seine eigenen Cloud-nativen Anwendungen entwickeln – Anwendungen, die in der Cloud zuverlässig laufen und fast beliebig skalieren. Die einzelnen Bausteine wachsen zu einem großen Ganzen zusammen, dem Cloud Native Stack. In dieser Session stellen wir die wichtigsten Konzepte und Schlüsseltechnologien vor und bringen dann eine Spring-Cloud-basierte Beispielanwendung schrittweise auf Kubernetes und DC/OS zum Laufen. Dabei diskutieren wir verschiedene praktikable Architekturalternativen.

A hitchhiker‘s guide to the cloud native stack

QAware GmbH

Container Security Mmanagement

Suresh Thivanka Rupasinghe

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1KjxPiO. Josh Bregman explores some of the unique security challenges created by both the development workflow and application runtime, explains why and how the current approaches in SecDevOps 1.0 are insufficient, and how SecDevOps 2.0 techniques including Software Defined Firewalls (SDF) provide a promising path forward for all parties involved. Filmed at qconnewyork.com. Josh Bregman is Information Security Architect and Executive Vice President for Technical Sales at Conjur Inc.

Here Be Dragons: Security Maps of the Container New World

C4Media

VMworld 2014: The Software-Defined Datacenter, VMs, and Containers

VMworld

Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"

LogeekNightUkraine

Conference: .NET Fest 2019 Location: Kyiv, Ukraine Abstract: You must have noticed how Docker and containers is playing a more and more important part in .NET development. Docker support is everywhere, so it should be easy to build solutions based on container technology, right? But, it takes a bit more to architect and create a .NET solution that use Docker at its core. Many questions arise: How do you design a solution architecture that fits well with containers? Would I use .NET or .NET Core? What is a proper way to migrate to such an architecture? What changes in the .NET implementation from pre-Docker solutions with micro-services? Where do container orchestrators fit in and how do I build and deploy my solutions on a Docker container cluster, such as Azure Kubernetes Service? These and many other questions will be answered in this session. You will learn how to design and architect your .NET solutions and get a flying start to create, build and run Docker-based containerized applications.

Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019

Alex Thissen

Containers have had an incredibly large adoption rate since Docker was launched, especially from the developer community, as it provides an easy way to package, ship, and run applications. Securing your container-based application is now becoming a critical issue as applications move from development into production. In this session, you learn ways to implement storing secrets, distributing AWS privileges using IAM roles, protecting your container-based applications with vulnerability scans of container images, and incorporating automated checks into your continuous delivery workflow.

AWS re:Invent 2016: Securing Container-Based Applications (CON402)

Amazon Web Services

AWS re:Invent 2016: Securing Container-Based Applications (CON402)

Amazon Web Services

Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...

Patrick Chanezon

20200113 - IBM Cloud Côte d'Azur - DeepDive Kubernetes

IBM France Lab

As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Secure Application Development in the Age of Continuous Delivery

Black Duck by Synopsys

As delivered at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Secure Application Development in the Age of Continuous Delivery

Tim Mackey

Similar to Constellation - The first always encrypted Kubernetes by Moritz Eckert (20)

OpenEBS Technical Workshop - KubeCon San Diego 2019

Cloud-native .NET Microservices mit Kubernetes

Dok Talks #140 - Data protection of stateful environment

Container security within Cisco Container Platform

Kubernetes 101 for_penetration_testers_-_null_mumbai

Cloud orchestration risks

Docker San Diego 2015-03-25

A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17

A hitchhiker‘s guide to the cloud native stack

Container Security Mmanagement

Here Be Dragons: Security Maps of the Container New World

VMworld 2014: The Software-Defined Datacenter, VMs, and Containers

Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"

Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019

AWS re:Invent 2016: Securing Container-Based Applications (CON402)

Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...

20200113 - IBM Cloud Côte d'Azur - DeepDive Kubernetes

Secure Application Development in the Age of Continuous Delivery

More from ContainerDay Security 2023

Constellation - The first always encrypted Kubernetes by Moritz Eckert

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Nico will show how to prevent your Kubernetes cluster from being hijacked by introducing you to best practices as well as useful open-source projects based on real-world examples. You’ll learn everything you need to know to build and run secure Kubernetes clusters including: - basics like shift left and container image security - ensure supply chain security - implement Kubernetes policies - introduce Kubernetes network security - rely on Container Runtime Security - many more… Don't miss this session to learn everything you need to know to securely run your Kubernetes-based workloads.

How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. The ClusterImageScanner detects images in Kubernetes clusters and provides fast feedback based on security scans. Security scans are for example image lifetime or detection of known vulnerabilities. This talk will give insights into: - The use cases of the ClusterImageScanner - The different scans - The architecture - A live demo The ClusterImageScannerScanner is OpenSource, get it from https://github.com/SDA-SE/cluster-image-scanner/.

Container Security Scanning by Timo Pagel

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. You’ve been hearing a lot about security best practices, but you’re not convinced they can really make a difference? Do you think your resources are safe only because nobody would notice your random IP address? If so – join my session! I’ll show you real-life attack scenarios to convince you that misconfigurations can have dire consequences.

Cloud Hacking Scenarios by Michał Brygidyn Mar. 10, 2023 • 0 likes •

ContainerDay Security 2023

Container Security Scanning by Timo Pagel

ContainerDay Security 2023

How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl

ContainerDay Security 2023

Hardening automation with Kubespray by Alessio Greggi

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Cilium is the next generation, eBPF powered open-source Cloud Native Networking solution, providing security, observability, scalability, and superior performance. Cilium is an incubating project under CNCF and the leading CNI for Kubernetes. In this session we will introduce the fundamentals of Cilium Network Policies and the basics of application-aware and Identity-based Security. We will discuss the default-allow and default-deny approaches and visualize the corresponding ingress and egress connections. Using the Network Policy Editor we will be able to demonstrate how a Cilium Network Policy looks like and what they mean on a given Kubernetes cluster. Additionally, we will walk through different examples and demonstrate how application traffic can be observed with Hubble and show how you can use the Network Policy Editor to apply new Cilium Network Policies for your workloads. Finally, we’ll demonstrate how Tetragon provides eBPF-based transparent security observability combined with real-time runtime enforcement.

Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Containers are awesome. The technology finds more and more adaptation in our daily IT lifes. They are fast, agile and shareable. All those postives bring a downsite to it - visibility. Can I trust every container content? Is my container behaving like it should? It's to fast, how can I catch anomalities? We want to tackle those questions in our session and show you what Falco and Sysdig can do for you to win back container visibility without any loss of container benefits.

Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn

ContainerDay Security 2023

Cloud Hacking Scenarios by Michał Brygidyn

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Kubernetes has become the de facto standard for container orchestration, and it is being widely adopted by organizations of all sizes. However, as with any complex system, there are a number of security challenges that need to be addressed in order to properly secure a Kubernetes deployment. In his talk, Koray will first show you some security problem areas in Kubernetes and then give an overview of various security tools such as image screening and auditing. You will learn how to run Kubernetes clusters securely and how to proactively counteract security challenges.

Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay

ContainerDay Security 2023

More from ContainerDay Security 2023 (11)

Constellation - The first always encrypted Kubernetes by Moritz Eckert

How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl

Container Security Scanning by Timo Pagel

Cloud Hacking Scenarios by Michał Brygidyn Mar. 10, 2023 • 0 likes •

Container Security Scanning by Timo Pagel

How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl

Hardening automation with Kubespray by Alessio Greggi

Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...

Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn

Cloud Hacking Scenarios by Michał Brygidyn

Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay

Recently uploaded

Hyatt driving innovation and exceptional customer experiences with FIDO passw...

FIDO Alliance

Design and Development of a Provenance Capture Platform for Data Science

Paolo Missier

Overview of Hyperledger Foundation

Hyperleger Tokyo Meetup

Here comes another enlightening document that dives into the thrilling world of breaking BitLocker, Windows' attempt at full disk encryption. This analysis will walk you through the myriad of creative hacks, from the classic cold boot attacks—because who doesn't love freezing their computer to steal some data—to exploiting those oh-so-reliable TPM chips that might as well have a "hack me" sign on them. We'll also cover some software vulnerabilities, because Microsoft just wouldn't be the same without a few of those sprinkled in for good measure. And let's not forget about intercepting those elusive decryption keys; it's like a digital treasure hunt! So, whether you're a security expert, a forensic analyst, or just a curious cat in the world of cybersecurity, enjoy the read, and maybe keep that data backed up somewhere safe, yeah? ------- This document provides a comprehensive analysis of the method demonstrated in the video "Breaking Bitlocker - Bypassing the Windows Disk Encryption" where the author showcases a low-cost hardware attack capable of bypassing BitLocker encryption. The analysis will cover various aspects of the attack, including the technical approach, the use of a Trusted Platform Module (TPM) chip, and the implications for security practices. The analysis provides a high-quality summary of the demonstrated attack, ensuring that security professionals and specialists from different fields can understand the potential risks and necessary countermeasures. The document is particularly useful for cybersecurity experts, IT professionals, and organizations that rely on BitLocker for data protection and to highlight the need for ongoing security assessments and the potential for similar vulnerabilities in other encryption systems.

Microsoft BitLocker Bypass Attack Method.pdf

Overkill Security

In the ever-evolving landscape of data management, Zero-ETL is an approach that is reshaping how businesses handle and integrate their data. This webinar explores Zero-ETL, a paradigm shift from the traditional Extract, Transform, Load (ETL) process, offering a more streamlined, efficient, and real-time data integration method. We will begin with an introduction to the concept of Zero-ETL, including how it allows direct access to data in its native environment and real-time data transformation, providing up-to-date information with significantly reduced data redundancy. Next, we'll take you through several demonstrations showing how Zero-ETL can deliver real-time data and enable the free movement of data between systems. We will also discuss the various tools that support all aspects of Zero-ETL, providing attendees with an understanding of how they can adopt this innovative approach in their organizations. Lastly, the session will conclude with an interactive Q&A segment, allowing participants to gain deeper insights into how Zero-ETL can be tailored to their specific business needs and how they can get started today. Join us to discover how Zero-ETL can elevate your organization's data strategy.

The Zero-ETL Approach: Enhancing Data Agility and Insight

Safe Software

Because observability is such a broad topic – and often something we learn on the job – it can feel like there’s too much to learn at once. But you don’t have to tackle everything and can start with the basics and build from there! Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. No matter what tooling is in place, there are still observability fundamentals that developers should know. That’s why I’ve put together a primer on the different telemetry types, when to use them, how to understand the data journey, and what to look for in time series graphs.

Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)

Paige Cruz

Microsoft CSP Briefing Pre-Engagement - Questionnaire

Exakis Nelite

Generative AI refers to a class of machine learning algorithms that are designed to generate new data samples that are similar to those in the training data. Unlike traditional AI models that are trained to recognize patterns and make predictions, generative AI models have the ability to create entirely new data based on the patterns they have learned. This is achieved through techniques such as generative adversarial networks (GANs), variational autoencoders (VAEs), and transformer architectures, among others.

Generative AI Use Cases and Applications.pdf

alexjohnson7307

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Samir Dash

Welcome to this session on UiPath Manufacturing and AI. In this session, we will discuss the importance UiPath plays with technology in the manufacturing and we will do an overview of AI and Document Understanding. Please join us to hear from UiPath and Community experts on why you might consider leveraging UiPath in manufacturing. Topics covered Community team overview The importance of UiPath technology for manufacturing UiPath AI and Document Understanding overview What is Document Understanding? DU Process Studio Template Components of DU Framework Q&A Speakers: Sebastian Seutter, Senior Industry Practice Director, UiPath, Inc. Priya Darshini, UiPath MVP RPA Solutions Architect Dzmitry Belanovski, Account Executive, UiPath, Inc.

UiPath manufacturing technology benefits and AI overview

DianaGray10

(Explainable) Data-Centric AI: what are you explaininhg, and to whom?

Paolo Missier

Explore the latest trends and insights on JavaScript usage with Pixlogix's informative blog. Discover key statistics and facts about JavaScript's role in web development, its popularity among developers, and its impact on modern websites. Stay updated with the evolving landscape of JavaScript frameworks and libraries, and learn how they're shaping the future of web development. Gain valuable insights to enhance your JavaScript skills and stay ahead in the digital realm.

JavaScript Usage Statistics 2024 - The Ultimate Guide

Pixlogix Infotech

Portal Kombat : extension du réseau de propagande russe

中央社

How to Check GPS Location with a Live Tracker in Pakistan

danishmna97

The presentation was made in “Web3 Fusion: Embracing AI and Beyond” is more than a conference; it's a journey into the heart of digital transformation. The conference a provided a platform where the future of technology meets practical application. This three-day hybrid event, set in the heart of innovation, served as a gateway to the latest trends and transformative discussions in AI, Blockchain, IoT, AR/VR, and their collective impact on the information space.

AI in Action: Real World Use Cases by Anitaraj

AnitaRaj43

Join me in this session where I'll share our journey of building a fully serverless application that flawlessly managed check-ins for an event with a staggering 80 thousand registrations. We'll dive into three key strategies that made this possible. Firstly, by harnessing DynamoDB global tables, we ensured global service availability and data replication across regions, boosting performance and disaster recovery. Next, we'll explore how we seamlessly integrated real-time updates into the app using Appsync subscriptions, making the experience dynamic and engaging for users. Finally, I'll discuss how provisioned concurrency not only improved performance but also kept costs in check, highlighting the cost-effectiveness of serverless architectures. Through these strategies and the inherent scalability of serverless technology, our application effortlessly handled massive user loads without manual intervention. This session is a real world example to the power and efficiency of modern cloud-based solutions in enabling seamless scalability and robust performance with Serverless

How we scaled to 80K users by doing nothing!.pdf

Srushith Repakula

Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx

MasterG

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

2024 May Patch Tuesday

Ivanti

Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf

AnubhavMangla3

Event-Driven Architecture Masterclass: Challenges in Stream Processing

ScyllaDB

Recently uploaded (20)

Hyatt driving innovation and exceptional customer experiences with FIDO passw...

Design and Development of a Provenance Capture Platform for Data Science

Overview of Hyperledger Foundation

Microsoft BitLocker Bypass Attack Method.pdf

The Zero-ETL Approach: Enhancing Data Agility and Insight

Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)

Microsoft CSP Briefing Pre-Engagement - Questionnaire

Generative AI Use Cases and Applications.pdf

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

UiPath manufacturing technology benefits and AI overview

(Explainable) Data-Centric AI: what are you explaininhg, and to whom?

JavaScript Usage Statistics 2024 - The Ultimate Guide

Portal Kombat : extension du réseau de propagande russe

How to Check GPS Location with a Live Tracker in Pakistan

AI in Action: Real World Use Cases by Anitaraj

How we scaled to 80K users by doing nothing!.pdf

Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx

2024 May Patch Tuesday

Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf

Event-Driven Architecture Masterclass: Challenges in Stream Processing

Constellation - The first always encrypted Kubernetes by Moritz Eckert

1. Constellation - The first always encrypted Kubernetes

2. 2 Your app Cloud admin Datacenter employee Cloud How to protect against Infrastructure based threats? Other tenant Foreign government Hacker

3. 3 Infrastructure based threats

4. 4 Your app Cloud admin Datacenter employee Cloud How to protect against Infrastructure based threats? Other tenant Foreign government Hacker

5. 5 Your app Cloud admin Datacenter employee Cloud Confidential computing protects with runtime encryption & remote attestation Other tenant Foreign government Hacker

6. 6 Confidential VMs Intel TDX, ARM CCA Defining properties AMD SEV 🏝 Isolation 🏃‍♀️ Runtime memory-encryption 📃 Remote attestation 🔒 Sealing of state … Hypervisor Hardware App Guest OS Host OS

7. 7 Where is Confidential Computing available?

8. 8 Who is using it? Banking, financial services & insurance Telecom, Edge & IoT Gov. & public sector Healthcare & life science Manufacturing Retail

9. 9 Level 1 Protect keys Level 2 Protect single containers/apps Level 3 Protect entire deployments The different flavors of confidential computing

10. 10 Node B Node A Storage Confidential context #1 Confidential context #2 Cloud DevOps engineer From a Confidential VM…

11. 11 Node B Node A Storage DevOps engineer Cloud Confidential context Attestation … to a Confidential Cluster

12. 12 Node B Node A Storage Cloud DevOps engineer Constellation Nodes Confidential VM

13. 13 Unified Kernel Image Bootloader Constellation Nodes … Firmware Bootstrapper k8s State Disk rootFS Pod …

14. 14 On prem Manually managed Fully managed Automatically managed by CSP Join Update OS Scale Update K8s Cluster management strategies Join Update OS Scale Update K8s Admin in control CSP in control

15. 15 In cluster Autonomously managed Join Update OS Scale Update K8s … meeting in the middle Admin & cluster in control Confidential context

16. 16 Constellation Services JoinService KeyService Node Operator …

17. 17 Autonomous Join New node New node Join Service Join Service aTLS handshake Request to Join JoinToken, …

18. 18 Node B Node A Storage Cloud DevOps engineer Current status… Attestation

19. 19 Encryption in transit

20. 20 Encryption in transit • Wireguard VPN between Nodes • Strict-mode preventing any leaked packages due to only eventually consistent state • Blog post coming soon on blog.cilium.io

21. 21 Encryption at rest: Kubernetes cluster state ✓ Storing etcd on encrypted and integrity protected disks ▪ Recovery: ✓ Automatically if at least one etcd node is healthy ▪ Manually via CLI in case of a disaster

22. 22 Encryption at rest: Volumes Problem: Backend-encryption not enough – need in-cluster encryption ▪ CSI plugins for encrypted block storage (Azure Disk , Google PD) ▪ Encrypted RWX File and Blob storage based on Rook/Ceph

23. 23 Node B Node A Storage DevOps engineer Cloud Attestation … bringing it all together

24. 24 constellation config generate <cloud> constellation create constellation init kubectl [scale anything!] Demo

25. Conclusion

26. 26 Container Container + Cloud storage DevOps engineer The first always encrypted Kubernetes

27. 27 Protection against infrastructure based threats Status quo Datacenter employee BIOS & Firmware Host OS Hypervisor Cloud admin Guest OS Application Software and insiders with potential access to data. You don’t have to trust the cloud provider and cloud admins anymore. BIOS & Firmware Host OS Hypervisor Cloud admin Guest OS Application Datacenter employee Workload Infrastructure / cloud provider Workload Infrastructure / cloud provider

28. 28 Learn more

29. 29 Thanks! ▪ Check it out on GitHub: https://github.com/edgelesssys/constellation ▪ Get in touch via @m1ghtymo ▪ Or join us @ https://discord.gg/rH8QTH56JN Learn more CLI demo Features, benchmarks, etc. App demos:

Constellation - The first always encrypted Kubernetes by Moritz Eckert

Recommended

Recommended

More Related Content

Similar to Constellation - The first always encrypted Kubernetes by Moritz Eckert

Similar to Constellation - The first always encrypted Kubernetes by Moritz Eckert (20)

More from ContainerDay Security 2023

More from ContainerDay Security 2023 (11)

Recently uploaded

Recently uploaded (20)

Constellation - The first always encrypted Kubernetes by Moritz Eckert