Hardening automation with Kubespray by Alessio Greggi

•

0 likes•143 views

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Hardening and securing Kubernetes requires expertise and experience. The talk takes an overview of how we contributed to Kubespray enabling cluster hardening, talking about features that have been introduced, the tools that we used to verify the cluster hardenization and our experience with the open-source community.

Technology

$ whoami
Alessio Greggi
Kubernetes Developer @ΔRMO
Full-time tin opener for my 🐱
Avid reader
📚
Open Source contributor
$ cat {twitter,github}.com | uniq
alegrey91

Introduction
●
Clastix
●
Small team
●
Kubernetes Multi-tenancy
●
Kubernetes operators:
– Capsule
– Kamaji

Use Case
●
Little Cloud Providers
●
Protect their infrastructure
●
Hardened solution
●
CIS Benchmarks
●
24/7 technical support

Kubespray Overview
●
Kubernetes-sigs project
●
Deploy a Production Ready Cluster
●
Highly available
●
Supports most popular Linux distributions
●
Ansible Playbook
●
Uses kubeadm under the hood

Contributions (CIS compliance)
●
Support for EventRateLimit (CIS 1.2.9)
●
Keep track of service-account-lookup (CIS 1.2.26)
●
Keep track of streamingConnectionIdleTimeout
(CIS 4.2.5)
●
Keep track of makeIPTablesUtilChains (CIS 4.2.7)
●
Make kubernetes owner parametric (CIS 1.1.19)

Other Contributions
●
Split kube_feature_gates variable
●
Add SeccompDefault admission plugin for kubelet
●
Hardened kubelet Systemd Service
●
Hardening Setup Guide

EventRateLimit
●
Mitigates the problem where the apiserver gets flooded by event requests
●
Limit types:
●
Server
●
Namespace
●
User
●
SourceAndObject
●
Avoid DoS in a Multi-Tenant cluster

streamingConnectionIdleTimeout
●
Defines the maximum time an idle session is permitted prior to disconnect
●
By default is set to 4 hours
●
Ensures that you are protected against DoS attacks
●
Idle connections can be used by unauthorized users
to perform malicious activity to the nodes, pods,
containers, etc.

Split kube_feature_gates variable
●
kube_feature_gates allows you to manage the feature gates in a generic
way for all the components
●
Not all the components need the same configuration
●
Create a dedicated variable for each components

SeccompDefault Admission Plugin
●
Seccomp filter system calls based on a set of defined rules

Kubelet Systemd Service Hardening
●
Systemd v235
●
Isolate systemd services with sandboxing features
●
Analyzes the security settings of service units
(systemd-analyze security)

Kubelet Systemd Service Hardening
●
Provide a variable to enable the service hardening
●
Provide a variable to whitelist allowed IPs
to communicate with kubelet

Validation Tools
●
Kube-Bench
●
Checkov
●
KSOC
●
Kubescape

Thanks for your attention
Keep your cluster safe!

What's hot

https://sched.co/ytpi It has been very hard to use Mac for developing containerized apps. A typical way is to use Docker for Mac, but it is not FLOSS. Another option is to install Docker and/or Kubernetes into VirtualBox, often via minikube, but it doesn't propagate localhost ports, and VirtualBox also doesn't support the ARM architecture. This session will show how to run containerd and k3s on macOS, using Lima and Rancher Desktop. Lima wraps QEMU in a simple CLI, with neat features for container users, such as filesystem sharing and automatic localhost port forwarding, as well as DNS and proxy propagation for enterprise networks. Rancher Desktop wraps Lima with k3s integration and GUI.

[KubeCon EU 2022] Running containerd and k3s on macOS

Akihiro Suda

Introduction to Hyper-V

Mark Wilson

Hypervisor seminar

용환 노

Virtualization Architecture & KVM

Pradeep Kumar

Red Hat OpenStack 17 저자직강+스터디그룹_4주차

Nalee Jang

Kubernetes Architecture

Knoldus Inc.

Linux Crash Dump Capture and Analysis

Paul V. Novarese

cloud computing:Types of virtualization

Dr.Neeraj Kumar Pandey

IBM Power VC

S.info Srl

Qemu

Koganti Ravikumar

Secure container: Kata container and gVisor

Ching-Hsuan Yen

Deep Dive into the Linux Kernel - メモリ管理におけるCompaction機能について

NTT DATA Technology & Innovation

Xen Hypervisor

Susheel Thakur

Turning Virtual Machines Cloud-Native using KubeVirt

Suman Chakraborty

During the last few months of 2011 the Xen Community started an effort to port Xen to ARMv7 with virtualization extensions, using the Cortex A15 processor as reference platform. The new Xen port is exploiting this set of hardware capabilities to run guest VMs in the most efficient way possible while keeping the ARM specific changes to the hypervisor and the Linux kernel to a minimum. Developing the new port we took the chance to remove legacy concepts like PV or HVM guests and only support a single kind of guests that is comparable to "PVH" in the Xen X86 world. Linux 3.7 was the first kernel release to run on Xen on ARM as Dom0 and DomU. Xen 4.3, out in July 2013, is the first hypervisor release to support ARMv7 with virtualization extensions and ARMv8. This talk will explain why ARM virtualization is set to be increasingly relevant for the automotive industry in the coming years. We will go on to describe how Xen exploits the strengths of the hardware to meet the requirements of the industry. We will illustrate the early design choices and we will evaluate whether they were proven successful or a failure.

ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...

The Linux Foundation

In this session we explore the future of new network services and how Universal CPE (uCPE) is used by service providers to combine many separate fixed-function network elements with a single multi-function device. Using virtualized network function software (VNFs) on Universal CPE, providers have a consistent and flexible foundation they can build on to offer new SD-WAN, SIP Trunking, and other services while improving network security with SBC and firewall VNFs.

uCPE and VNFs Explained

Alan Percy

In this session, Nicolas presents a new feature, targeted for CloudStack 4.19, which allows administrators to migrate Instances from a VMware environment (external or connected to CloudStack) and import them into a KVM CloudStack-managed environment. ----------------------------------------- The CloudStack Collaboration Conference 2023 took place on 23-24th November. The conference, arranged by a group of volunteers from the Apache CloudStack Community, took place in the voco hotel, in Porte de Clichy, Paris. It hosted over 350 attendees, with 47 speakers holding technical talks, user stories, new features and integrations presentations and more.

Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue

ShapeBlue

Server virtualization

Kingston Smiler

Kubernetes Application Deployment with Helm - A beginner Guide!

Krishna-Kumar

Virtualization Vs. Containers

actualtechmedia

What's hot (20)

[KubeCon EU 2022] Running containerd and k3s on macOS

Introduction to Hyper-V

Hypervisor seminar

Virtualization Architecture & KVM

Red Hat OpenStack 17 저자직강+스터디그룹_4주차

Kubernetes Architecture

Linux Crash Dump Capture and Analysis

cloud computing:Types of virtualization

IBM Power VC

Qemu

Secure container: Kata container and gVisor

Deep Dive into the Linux Kernel - メモリ管理におけるCompaction機能について

Xen Hypervisor

Turning Virtual Machines Cloud-Native using KubeVirt

ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...

uCPE and VNFs Explained

Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue

Server virtualization

Kubernetes Application Deployment with Helm - A beginner Guide!

Virtualization Vs. Containers

Similar to Hardening automation with Kubespray by Alessio Greggi

ACDKOCHI19 - Turbocharge Developer productivity with platform build on K8S an...

AWS User Group Kochi

Get started with Kubernetes on GKE

Zachary Russell

Container orchestration and microservices world

Karol Chrapek

In this deck, we explore a scalable deployment of WSO2 API Manager with API analytics on Kubernetes. We further discuss how to deploy WSO2 API Manager with Analytics in Google Kubernetes Engine (GKE), autoscaling WSO2 API Manager based on the production load, how to apply WSO2 Update Manager (WUM) updates in a production Kubernetes environment and best practices for deploying WSO2 API Manager in Kubernetes. Watch the On-Demand Webinar - https://wso2.com/library/webinars/2019/06/deploying-wso2-api-manager-in-production-grade-kubernetes/

Deploying WSO2 API Manager in Production-Grade Kubernetes

WSO2

Jean Rouge & David Yu, Docker Kubernetes has taken the technology industry by storm these last few years. It delivers powerful orchestration and container management capabilities that have been leveraged by cloud-scale companies and small startups alike. But for many organizations, the learning curve for Kubernetes can be steep and organizations can't build up their skills fast enough. Luckily Docker has always had a history of making the complex easy - first with Linux containers and now with Kubernetes - both in our Desktop and Enterprise platform. In this session, we'll highlight some of the innovation Docker has added to Kubernetes to simplify configuration and ongoing operations while still providing a fully conformant Kubernetes environment. We'll cover areas like deploying applications on Kubernetes, managing access controls and multi-tenancy, end-to-end security and improved troubleshooting. Demos will highlight key comparisons to show you that you don't have to build it yourself.

DCSF19 How Docker Simplifies Kubernetes for the Masses

Docker, Inc.

Kubernetes Introduction

Eric Gustafson

With the support for Windows containers in Docker Swarm and Kubernetes recently hitting beta, we’re entering a world where Hybrid container environments are no longer a strange sight. Microsoft is now an important player in the container world and for this talk I’d like to spend some time explaining what that means for us in the monitoring space. I’ll show you how to install and configure a Hybrid Kubernetes and Docker Swarm environment. We will setup the opensource Prometheus tooling and the commercial CoScale platform to monitor this unique environment. We’ll take a look at infrastructure monitoring and application monitoring, and the differences between Linux and Windows nodes.

Monitoring hybrid container environments

Samuel Vandamme

Kubernetes & Google Container Engine @ mabl

Joseph Lust

Mattia Gandolfi - Improving utilization and portability with Containers and C...

Codemotion

Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...

Vietnam Open Infrastructure User Group

Using ansible to core os & kubernetes clusters

magicmarkup

Heroku to Kubernetes & Gihub to Gitlab success story

Jérémy Wimsingues

Gitlab ci e kubernetes, build test and deploy your projects like a pro

sparkfabrik

This year’s final set of Kubernetes and Cloud Native meetups just took place. They kicked off in Kitchener-Waterloo on November 29th, and continued in Montreal December 3rd, Ottawa December 4th, Toronto December 5th, and Quebec December 6th. In preparation for the upcoming KubeCon and CloudNativeCon in Seattle, a wide range of open source solutions were discussed and, as always, beer and pizza provided. Ayrat Khayretdinov began each meetup with an update of Kubernetes and the Cloud Native landscape.

Kubernetes and Cloud Native Update Q4 2018

CloudOps2005

Join this info-packed and hands-on workshop where we will cover:  Introduction to Kubernetes & GitOps talk: We'll cover the most popular path that has brought success to many users already - GitOps as a natural evolution of Kubernetes. We'll give an overview of how you can benefit from Kubernetes and GitOps: greater security, reliability, velocity and more. Importantly, we cover definitions and principles standardized by the CNCF's OpenGitOps group and what it means for you.  Get Started with GitOps: You'll have GitOps up and running in about 30 mins using our free and open source tools! We'll give a brief vision of where you want to be with those security, reliability, and velocity benefits, and then we'll support you while go through the getting started steps. During the workshop, you'll also experience in action and see demos for: * an opinionated repo structure to minimize decision fatigue * disaster recovery using GitOps * Helm charts example * Multi-cluster example * all with free and open source tools mostly in the CNCF (eg. Flux and Helm). If you have questions before or after the workshop, talk to us at #weave-gitops http://bit.ly/WeaveGitOpsSlack (If you need to invite yourself to the Slack, visit https://slack.weave.works/)

Free GitOps Workshop

Weaveworks

If you'd like to watch along with the recording of the webinar, visit: http://bitn.am/2u5bOnA Serverless computing has given back loads of time and money to developers whose focus is to create new, popular and disruptive applications. Without serverless computing, developers would still be spending most of their time on infrastructure rather than building new features to improve their users' experience. With the move to containers and increased market share for Kubernetes, Bitnami has wanted to stay one step ahead by providing a serverless tool that is also Kubernetes-native, ... Kubeless! Kubeless tackles the challenge of integrating cloud services through small logical units. When creating your new project or application on Kubernetes, Kubeless will allow you to focus on creating a great application with a lightweight and flexible infrastructure. In this video, you will watch and learn: -The benefits of serverless computing on Kubernetes - How to link several cloud services together with small, lightweight pieces of code - How to install Kubeless into your GKE cluster - How to deploy Python and Node.js functions with a straightforward CLI call - An introduction to the Kubeless UI and how to write, update, delete, and deploy functions through it

Going Serverless with Kubeless In Google Container Engine (GKE)

Bitnami

4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes

Juraj Hantak

This year's first round of Kubernetes and Cloud Native meetups in Eastern Canada began with an update of the CNCF by Ayrat Khayretdinov, CNCF Ambassador and Solutions Architect at CloudOps. He explained the status of various projects and highlights from KubeCon + CloudNativeCon. To learn the basics of cloud native application modernization, sign up for one of our hands-on, three-day workshops on Docker and Kubernetes at https://www.cloudops.com/workshops/#DockerK8s

Kubernetes and Cloud Native Meetup - March, 2019

CloudOps2005

Kubernetes has been a key component for many companies to reduce technical debt in infrastructure by: • Fostering the Adoption of Docker • Simplifying Container Management • Onboarding Developers On Infrastructure • Unlocking Continuous Integration and Delivery During this meetup we are going to discuss the following topics and share some best practices • What's new with Kubernetes 1.3 • Generate Cluster Configuration using CloudFormation • Deploy Kubernetes Clusters on AWS • Scaling the Cluster • Integrating Ingress with Elastic Load Balancer • Using Internal ELB's as Kubernetes' Service • Using EBS for persistent volumes • Integrating Route53

Running Production-Grade Kubernetes on AWS

DoiT International

Comparison of existing cni plugins for kubernetes

Adam Hamsik

Similar to Hardening automation with Kubespray by Alessio Greggi (20)

ACDKOCHI19 - Turbocharge Developer productivity with platform build on K8S an...

Get started with Kubernetes on GKE

Container orchestration and microservices world

Deploying WSO2 API Manager in Production-Grade Kubernetes

DCSF19 How Docker Simplifies Kubernetes for the Masses

Kubernetes Introduction

Monitoring hybrid container environments

Kubernetes & Google Container Engine @ mabl

Mattia Gandolfi - Improving utilization and portability with Containers and C...

Room 1 - 4 - Phạm Tường Chiến & Trần Văn Thắng - Deliver managed Kubernetes C...

Using ansible to core os & kubernetes clusters

Heroku to Kubernetes & Gihub to Gitlab success story

Gitlab ci e kubernetes, build test and deploy your projects like a pro

Kubernetes and Cloud Native Update Q4 2018

Free GitOps Workshop

Going Serverless with Kubeless In Google Container Engine (GKE)

4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes

Kubernetes and Cloud Native Meetup - March, 2019

Running Production-Grade Kubernetes on AWS

Comparison of existing cni plugins for kubernetes

More from ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Confidential computing is a relatively new technology that allows one to keep workloads encrypted and isolated in memory during processing. If used correctly, confidential computing can shield workloads from the underlying cloud. It's the first technology that effectively prevents data access from the cloud provider and its employees, co-tenants, and hackers coming through the infrastructure. Constellation (https://github.com/edgelesssys/constellation) is an open-source K8s distro/engine that applies the confidential-computing concept to entire K8s clusters. Constellation ensures that all data in the cluster is always encrypted - at rest, in transit, and at runtime. Constellation also provides hardware-rooted "whole cluster" attestation with which the integrity of a cluster can be verified remotely. (This process partly relies on the amazing Sigstore project.) Operations-wise, Constellation is very much vanilla K8s and should work with existing tooling. It's easy to set up and the security features are largely transparent to the DevOps engineer. To run, Constellation requires the availability of "Confidential VMs", which are available in Azure, GCP and elsewhere. In this talk, I'll give an introduction to confidential computing, discuss the motivation behind Constellation, discuss the exciting use cases, give an overview over its architecture, and show a demo.

Constellation - The first always encrypted Kubernetes by Moritz Eckert

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Nico will show how to prevent your Kubernetes cluster from being hijacked by introducing you to best practices as well as useful open-source projects based on real-world examples. You’ll learn everything you need to know to build and run secure Kubernetes clusters including: - basics like shift left and container image security - ensure supply chain security - implement Kubernetes policies - introduce Kubernetes network security - rely on Container Runtime Security - many more… Don't miss this session to learn everything you need to know to securely run your Kubernetes-based workloads.

How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. The ClusterImageScanner detects images in Kubernetes clusters and provides fast feedback based on security scans. Security scans are for example image lifetime or detection of known vulnerabilities. This talk will give insights into: - The use cases of the ClusterImageScanner - The different scans - The architecture - A live demo The ClusterImageScannerScanner is OpenSource, get it from https://github.com/SDA-SE/cluster-image-scanner/.

Container Security Scanning by Timo Pagel

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. You’ve been hearing a lot about security best practices, but you’re not convinced they can really make a difference? Do you think your resources are safe only because nobody would notice your random IP address? If so – join my session! I’ll show you real-life attack scenarios to convince you that misconfigurations can have dire consequences.

Cloud Hacking Scenarios by Michał Brygidyn Mar. 10, 2023 • 0 likes •

ContainerDay Security 2023

Container Security Scanning by Timo Pagel

ContainerDay Security 2023

How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Cilium is the next generation, eBPF powered open-source Cloud Native Networking solution, providing security, observability, scalability, and superior performance. Cilium is an incubating project under CNCF and the leading CNI for Kubernetes. In this session we will introduce the fundamentals of Cilium Network Policies and the basics of application-aware and Identity-based Security. We will discuss the default-allow and default-deny approaches and visualize the corresponding ingress and egress connections. Using the Network Policy Editor we will be able to demonstrate how a Cilium Network Policy looks like and what they mean on a given Kubernetes cluster. Additionally, we will walk through different examples and demonstrate how application traffic can be observed with Hubble and show how you can use the Network Policy Editor to apply new Cilium Network Policies for your workloads. Finally, we’ll demonstrate how Tetragon provides eBPF-based transparent security observability combined with real-time runtime enforcement.

Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Containers are awesome. The technology finds more and more adaptation in our daily IT lifes. They are fast, agile and shareable. All those postives bring a downsite to it - visibility. Can I trust every container content? Is my container behaving like it should? It's to fast, how can I catch anomalities? We want to tackle those questions in our session and show you what Falco and Sysdig can do for you to win back container visibility without any loss of container benefits.

Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn

ContainerDay Security 2023

Constellation - The first always encrypted Kubernetes by Moritz Eckert

ContainerDay Security 2023

Cloud Hacking Scenarios by Michał Brygidyn

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Kubernetes has become the de facto standard for container orchestration, and it is being widely adopted by organizations of all sizes. However, as with any complex system, there are a number of security challenges that need to be addressed in order to properly secure a Kubernetes deployment. In his talk, Koray will first show you some security problem areas in Kubernetes and then give an overview of various security tools such as image screening and auditing. You will learn how to run Kubernetes clusters securely and how to proactively counteract security challenges.

Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay

ContainerDay Security 2023

More from ContainerDay Security 2023 (11)

Constellation - The first always encrypted Kubernetes by Moritz Eckert

How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl

Container Security Scanning by Timo Pagel

Cloud Hacking Scenarios by Michał Brygidyn Mar. 10, 2023 • 0 likes •

Container Security Scanning by Timo Pagel

How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl

Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...

Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn

Constellation - The first always encrypted Kubernetes by Moritz Eckert

Cloud Hacking Scenarios by Michał Brygidyn

Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay

Recently uploaded

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

DBX First Quarter 2024 Investor Presentation

Dropbox

The integration landscape is changing rapidly with the introduction of technologies like GraphQL, gRPC, stream processing, iPaaS, and platformless. However, not all existing applications and industries can keep up with these new technologies. Certain industries, like manufacturing, logistics, and finance, still rely on well-established EDI-based message formats. Some applications use XML or CSV with file-based communications, while others have strict on premises deployment requirements. This talk focuses on how Ballerina's built-in integration capabilities can bridge the gap between "old" and "new" technologies, modernizing enterprise applications without disrupting business operations.

Modernizing Legacy Systems Using Ballerina

WSO2

In today's digital world, trust is key to customer relationships, but keeping it is a huge challenge. Customers are well-informed and empowered, quick to change brands if their trust is broken, even if it costs them more. This puts a lot of pressure on organizations to handle trust and safety issues with great care and transparency. The challenge, however, is real. Fragmented solutions have left privacy, legal, and security teams in a perpetual cycle of catch-up, struggling to update privacy notices, manage customer data rights, and answer lengthy security questionnaires—all while trying to prove ROI to the business. It's a thankless job, filled with repetition, tedious tasks, and constant interdepartmental coordination. Combine this with fast regulatory changes and the quick evolution of AI, and it becomes overwhelming. Join this webinar to learn more about TrustArc's new innovative solution Trust Center, the only unified, no-code online hub for trust and safety information built for privacy, security, compliance, and legal teams. Trust Center streamlines your path to compliance, shortens the pre-sales cycle, and reduces both legal and regulatory risks, saving time, effort, and cost. This webinar will review: - Why companies are building unified Trust Centers for a robust privacy program. - How unified Trust Centers streamline sales cycles, ensure regulatory compliance, and reduce operational bottlenecks. - How compliance, legal, security, GRC, and privacy teams benefit from a unified Trust Center in terms of needs, pains, and outcomes. - How TrustArc Trust Center saves time and work while reducing legal, reputational, and compliance risk by effectively managing policies, notices, terms, and disclosures, and providing real-time updates on subprocessors.

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...

TrustArc

Key topics covered: - Understanding the basics of IAM and its significance in the modern enterprise. IAM in a platformless environment - Tackling real-world issues like prioritizing frictionless yet secure user access, securing high-value APIs, integrating to business, compliance, and adapting to cloud native environments with scalable solutions - Practical demonstrations of how WSO2 products can be instrumental in deploying efficient IAM solutions - Preparing for upcoming trends and innovations in identity management

Navigating Identity and Access Management in the Modern Enterprise

WSO2

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Simplifying Mobile A11y Presentation.pptx

MarkSteadman7

Key topics covered: - Real-world examples of Choreo's comprehensive coverage from application design and deployment, security, scaling, and monitoring - Running different types of workloads, such as web applications, APIs, microservices, integrations, and tasks at scale, and wire them together to deliver seamless omnichannel digital experiences - How Choreo improves the developer experience by eliminating repetition, silos, and redundancy through enhanced discoverability and self-serviceability

Choreo: Empowering the Future of Enterprise Software Engineering

WSO2

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

Exploring Multimodal Embeddings with Milvus

Zilliz

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Quantum Leap in Next-Generation Computing

WSO2

Recently uploaded (20)

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Platformless Horizons for Digital Adaptability

DBX First Quarter 2024 Investor Presentation

Modernizing Legacy Systems Using Ballerina

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...

Navigating Identity and Access Management in the Modern Enterprise

CNIC Information System with Pakdata Cf In Pakistan

Corporate and higher education May webinar.pptx

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Simplifying Mobile A11y Presentation.pptx

Choreo: Empowering the Future of Enterprise Software Engineering

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Six Myths about Ontologies: The Basics of Formal Ontology

Exploring Multimodal Embeddings with Milvus

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Quantum Leap in Next-Generation Computing

Hardening automation with Kubespray by Alessio Greggi

1. Hardening automation with Kubespray 1

2. $ whoami Alessio Greggi Kubernetes Developer @ΔRMO Full-time tin opener for my 🐱 Avid reader 📚 Open Source contributor $ cat {twitter,github}.com | uniq alegrey91

3. Introduction ● Clastix ● Small team ● Kubernetes Multi-tenancy ● Kubernetes operators: – Capsule – Kamaji

4. Use Case ● Little Cloud Providers ● Protect their infrastructure ● Hardened solution ● CIS Benchmarks ● 24/7 technical support

5. Kubespray Overview ● Kubernetes-sigs project ● Deploy a Production Ready Cluster ● Highly available ● Supports most popular Linux distributions ● Ansible Playbook ● Uses kubeadm under the hood

6. Contributions (CIS compliance) ● Support for EventRateLimit (CIS 1.2.9) ● Keep track of service-account-lookup (CIS 1.2.26) ● Keep track of streamingConnectionIdleTimeout (CIS 4.2.5) ● Keep track of makeIPTablesUtilChains (CIS 4.2.7) ● Make kubernetes owner parametric (CIS 1.1.19)

7. Other Contributions ● Split kube_feature_gates variable ● Add SeccompDefault admission plugin for kubelet ● Hardened kubelet Systemd Service ● Hardening Setup Guide

8. EventRateLimit ● Mitigates the problem where the apiserver gets flooded by event requests ● Limit types: ● Server ● Namespace ● User ● SourceAndObject ● Avoid DoS in a Multi-Tenant cluster

9. EventRateLimit ● Friendly interface

10. streamingConnectionIdleTimeout ● Defines the maximum time an idle session is permitted prior to disconnect ● By default is set to 4 hours ● Ensures that you are protected against DoS attacks ● Idle connections can be used by unauthorized users to perform malicious activity to the nodes, pods, containers, etc.

11. Split kube_feature_gates variable ● kube_feature_gates allows you to manage the feature gates in a generic way for all the components ● Not all the components need the same configuration ● Create a dedicated variable for each components

12. SeccompDefault Admission Plugin ● Seccomp filter system calls based on a set of defined rules

13. SeccompDefault Admission Plugin ● Introduced in Kubernets v1.22 ● Sets the default profile from Unconfined to RuntimeDefault ● Uses securityContext to specify the profile

14. SeccompDefault Admission Plugin

15. Kubelet Systemd Service Hardening ● Systemd v235 ● Isolate systemd services with sandboxing features ● Analyzes the security settings of service units (systemd-analyze security)

16. Kubelet Systemd Service Hardening

17. Kubelet Systemd Service Hardening ● Provide a variable to enable the service hardening ● Provide a variable to whitelist allowed IPs to communicate with kubelet

18. Kubelet Systemd Service Hardening

19. Validation Tools ● Kube-Bench ● Checkov ● KSOC ● Kubescape

20. Validation Tools - Kubescape

21. Thanks for your attention Keep your cluster safe!