SlideShare a Scribd company logo

The Messy Underlay Dilemma - automating PKI at Defragcon

rhirschfeld
rhirschfeld
rhirschfeldFounder/CEO at RackN

Deep discussion of why IT infrastructure is hard to automate with very specific examples building and rotating an internal PKI infrastructure.

The Messy Underlay Dilemma - automating PKI at Defragcon

1 of 19
Download to read offline
The Messy
Underlay Dilemma
Lessons Learned Securing K8s
Rob Hirschfeld, @zehicle
Hang on tight!
We’re going deep.
To automated live
encryption key rotation
Is Operating
Kubernetes
HARD?
DF
No.
But underlay is hard.
From http://www.slideshare.net/rhirschfeld/
Containers, Orchestration and Security, Oh My!
Underlay vs Overlay
Platform
Overlay
Infrastructure
Underlay
Ready State
0
Ready
Prerequisites
1
Prereq
Cluster API &
Control Services
2
Control
Worker Nodes
3
Nodes
Cluster Add-ons
4
Add-Ons
User Applications
5
Apps
Application
Overlay
Underlay = Crust
Overlay = Filling
App = Topping
Underlay components are the
operational integrations and
prerequisites that go into building a
system to before we can install a
platform.
Why is Underlay Hard?
It’s Sequential, Multi-node & Environment Specific
Unlike development environments, production cannot overlook integration points
HA/LB PKI DNS SDN IPAM BMC RAID BIOS
Highly Available &
Load Balanced
Public Key
Infrastructure
Domain Name
Servers
Software Defined
Networks
IP Address
Management
Out of Band
Management
Drive Arrays Firmware
Even in cloud only deployments, these critical components for production platforms
and applications require a level of different systems thinking.
Strong underlay builds an IT foundation.
Platform &
Infrastructure
Underlay
Ready State
0
Ready
Prerequisites
1
Prereq
Cluster API &
Control Services
2
Control
Worker Nodes
3
Nodes
Cluster Add-ons
4
Add-Ons
User Applications
5
Apps
Application
Overlay
DevOps Is Struggling
Developers don’t want do this
infrastructure specific stuff
Companies are turning to
containers and application
platforms (like Kubernetes) to
abstract the messy underlay.
While platforms hide complexity
from developers, the issues still
need to be addressed by Ops.
Ad

Recommended

Joint OpenStack Kubernetes Environment (OpenStack Summit)
Joint OpenStack Kubernetes Environment (OpenStack Summit)Joint OpenStack Kubernetes Environment (OpenStack Summit)
Joint OpenStack Kubernetes Environment (OpenStack Summit)rhirschfeld
 
Joint OpenStack Kubernetes Environment (March 17 update)
Joint OpenStack Kubernetes Environment (March 17 update)Joint OpenStack Kubernetes Environment (March 17 update)
Joint OpenStack Kubernetes Environment (March 17 update)rhirschfeld
 
Containers and Kubernetes
Containers and KubernetesContainers and Kubernetes
Containers and KubernetesAltoros
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesGabriel Carro
 
State of the Stack v4 - OpenStack in All It's Glory
State of the Stack v4 - OpenStack in All It's GloryState of the Stack v4 - OpenStack in All It's Glory
State of the Stack v4 - OpenStack in All It's GloryRandy Bias
 
Running and Managing Kubernetes on OpenStack
Running and Managing Kubernetes on OpenStackRunning and Managing Kubernetes on OpenStack
Running and Managing Kubernetes on OpenStackVictor Palma
 
KURMA - A Containerized Container Platform - KubeCon 2016
KURMA - A Containerized Container Platform - KubeCon 2016KURMA - A Containerized Container Platform - KubeCon 2016
KURMA - A Containerized Container Platform - KubeCon 2016Apcera
 

More Related Content

What's hot

Clocker, Calico and Docker
Clocker, Calico and DockerClocker, Calico and Docker
Clocker, Calico and DockerAndrew Kennedy
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoSimple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoEmma Gordon
 
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
 The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ... The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...Josef Adersberger
 
berne.*tesday1
berne.*tesday1berne.*tesday1
berne.*tesday1Anne Starr
 
Architecting for Continuous Delivery
Architecting for Continuous DeliveryArchitecting for Continuous Delivery
Architecting for Continuous DeliveryMohammad Bilal Wahla
 
Driving Digital Transformation With Containers And Kubernetes Complete Deck
Driving Digital Transformation With Containers And Kubernetes Complete DeckDriving Digital Transformation With Containers And Kubernetes Complete Deck
Driving Digital Transformation With Containers And Kubernetes Complete DeckSlideTeam
 
introduction to micro services
introduction to micro servicesintroduction to micro services
introduction to micro servicesSpyros Lambrinidis
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseKeith Tobin
 
Using Clocker with Project Calico - Running Production Workloads in the Cloud
Using Clocker with Project Calico - Running Production Workloads in the CloudUsing Clocker with Project Calico - Running Production Workloads in the Cloud
Using Clocker with Project Calico - Running Production Workloads in the CloudAndrew Kennedy
 
Why kubernetes matters
Why kubernetes mattersWhy kubernetes matters
Why kubernetes mattersPlatform9
 
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad AfanahOn-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad AfanahDocker, Inc.
 
Data protection in a kubernetes-native world
Data protection in a kubernetes-native worldData protection in a kubernetes-native world
Data protection in a kubernetes-native worldLibbySchulze
 
SpringBoot and Spring Cloud Service for MSA
SpringBoot and Spring Cloud Service for MSASpringBoot and Spring Cloud Service for MSA
SpringBoot and Spring Cloud Service for MSAOracle Korea
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformPacket
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101Kublr
 
NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013aspyker
 
PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads Carlos Andrés García
 
nete.*@kursday2
nete.*@kursday2nete.*@kursday2
nete.*@kursday2Anne Starr
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Docker, Inc.
 

What's hot (20)

Clocker, Calico and Docker
Clocker, Calico and DockerClocker, Calico and Docker
Clocker, Calico and Docker
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoSimple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project Calico
 
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
 The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ... The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
 
berne.*tesday1
berne.*tesday1berne.*tesday1
berne.*tesday1
 
Architecting for Continuous Delivery
Architecting for Continuous DeliveryArchitecting for Continuous Delivery
Architecting for Continuous Delivery
 
Driving Digital Transformation With Containers And Kubernetes Complete Deck
Driving Digital Transformation With Containers And Kubernetes Complete DeckDriving Digital Transformation With Containers And Kubernetes Complete Deck
Driving Digital Transformation With Containers And Kubernetes Complete Deck
 
introduction to micro services
introduction to micro servicesintroduction to micro services
introduction to micro services
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
 
Using Clocker with Project Calico - Running Production Workloads in the Cloud
Using Clocker with Project Calico - Running Production Workloads in the CloudUsing Clocker with Project Calico - Running Production Workloads in the Cloud
Using Clocker with Project Calico - Running Production Workloads in the Cloud
 
Why kubernetes matters
Why kubernetes mattersWhy kubernetes matters
Why kubernetes matters
 
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad AfanahOn-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
 
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoTZephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
 
Data protection in a kubernetes-native world
Data protection in a kubernetes-native worldData protection in a kubernetes-native world
Data protection in a kubernetes-native world
 
SpringBoot and Spring Cloud Service for MSA
SpringBoot and Spring Cloud Service for MSASpringBoot and Spring Cloud Service for MSA
SpringBoot and Spring Cloud Service for MSA
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platform
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101
 
NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013
 
PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads
 
nete.*@kursday2
nete.*@kursday2nete.*@kursday2
nete.*@kursday2
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
 

Viewers also liked

Kubernetes community demo march 16 2017
Kubernetes community demo march 16 2017Kubernetes community demo march 16 2017
Kubernetes community demo march 16 2017rhirschfeld
 
Functional Ops - the cake is a lie
Functional Ops - the cake is a lieFunctional Ops - the cake is a lie
Functional Ops - the cake is a lierhirschfeld
 
Containers, orchestration and security, oh my!
Containers, orchestration and security, oh my!Containers, orchestration and security, oh my!
Containers, orchestration and security, oh my!rhirschfeld
 
Programming the world with Docker
Programming the world with DockerProgramming the world with Docker
Programming the world with DockerPatrick Chanezon
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesMichael Klishin
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
What Makes Great Infographics
What Makes Great InfographicsWhat Makes Great Infographics
What Makes Great InfographicsSlideShare
 
Masters of SlideShare
Masters of SlideShareMasters of SlideShare
Masters of SlideShareKapost
 
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareSTOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareEmpowered Presentations
 
10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation OptimizationOneupweb
 
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingHow To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingContent Marketing Institute
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksSlideShare
 

Viewers also liked (14)

Kubernetes community demo march 16 2017
Kubernetes community demo march 16 2017Kubernetes community demo march 16 2017
Kubernetes community demo march 16 2017
 
Functional Ops - the cake is a lie
Functional Ops - the cake is a lieFunctional Ops - the cake is a lie
Functional Ops - the cake is a lie
 
Containers, orchestration and security, oh my!
Containers, orchestration and security, oh my!Containers, orchestration and security, oh my!
Containers, orchestration and security, oh my!
 
Programming the world with Docker
Programming the world with DockerProgramming the world with Docker
Programming the world with Docker
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issues
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
What Makes Great Infographics
What Makes Great InfographicsWhat Makes Great Infographics
What Makes Great Infographics
 
Masters of SlideShare
Masters of SlideShareMasters of SlideShare
Masters of SlideShare
 
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareSTOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
 
You Suck At PowerPoint!
You Suck At PowerPoint!You Suck At PowerPoint!
You Suck At PowerPoint!
 
10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization
 
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingHow To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & Tricks
 

Similar to The Messy Underlay Dilemma - automating PKI at Defragcon

CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformAshnikbiz
 
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29MysoreMuleSoftMeetup
 
A Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsA Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsAngelo Agatino Nicolosi
 
Building Cloud Native Applications with Oracle Autonomous Database.
Building Cloud Native Applications with Oracle Autonomous Database.Building Cloud Native Applications with Oracle Autonomous Database.
Building Cloud Native Applications with Oracle Autonomous Database.Oracle Developers
 
Puppet devops wdec
Puppet devops wdecPuppet devops wdec
Puppet devops wdecWojciech Dec
 
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...FIWARE
 
Running Enterprise Workloads in the Cloud
Running Enterprise Workloads in the CloudRunning Enterprise Workloads in the Cloud
Running Enterprise Workloads in the CloudDataWorks Summit
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjurconjur_inc
 
Explore Advanced CA Release Automation Configuration Topics
Explore Advanced CA Release Automation Configuration TopicsExplore Advanced CA Release Automation Configuration Topics
Explore Advanced CA Release Automation Configuration TopicsCA Technologies
 
Best Practices for the Most Impactful Oracle Database 18c and 19c Features
Best Practices for the Most Impactful Oracle Database 18c and 19c FeaturesBest Practices for the Most Impactful Oracle Database 18c and 19c Features
Best Practices for the Most Impactful Oracle Database 18c and 19c FeaturesMarkus Michalewicz
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
PLNOG 6: Piotr Szołkowski - Identity Management
PLNOG 6: Piotr Szołkowski - Identity Management PLNOG 6: Piotr Szołkowski - Identity Management
PLNOG 6: Piotr Szołkowski - Identity Management PROIDEA
 
CIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCloudIDSummit
 
Preparing for Neo - Singapore OutSystems User Group October 2022 Meetup
Preparing for Neo - Singapore OutSystems User Group October 2022 MeetupPreparing for Neo - Singapore OutSystems User Group October 2022 Meetup
Preparing for Neo - Singapore OutSystems User Group October 2022 MeetupYashrajNayak4
 

Similar to The Messy Underlay Dilemma - automating PKI at Defragcon (20)

CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at Scale
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
 
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29
 
A Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsA Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial Institutions
 
Building Cloud Native Applications with Oracle Autonomous Database.
Building Cloud Native Applications with Oracle Autonomous Database.Building Cloud Native Applications with Oracle Autonomous Database.
Building Cloud Native Applications with Oracle Autonomous Database.
 
Puppet devops wdec
Puppet devops wdecPuppet devops wdec
Puppet devops wdec
 
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
 
Running Enterprise Workloads in the Cloud
Running Enterprise Workloads in the CloudRunning Enterprise Workloads in the Cloud
Running Enterprise Workloads in the Cloud
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
 
Explore Advanced CA Release Automation Configuration Topics
Explore Advanced CA Release Automation Configuration TopicsExplore Advanced CA Release Automation Configuration Topics
Explore Advanced CA Release Automation Configuration Topics
 
Best Practices for the Most Impactful Oracle Database 18c and 19c Features
Best Practices for the Most Impactful Oracle Database 18c and 19c FeaturesBest Practices for the Most Impactful Oracle Database 18c and 19c Features
Best Practices for the Most Impactful Oracle Database 18c and 19c Features
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Dmz aa aioug
Dmz aa aiougDmz aa aioug
Dmz aa aioug
 
Dmz aa aioug
Dmz aa aiougDmz aa aioug
Dmz aa aioug
 
Architecting Multi-Org Solutions
Architecting Multi-Org SolutionsArchitecting Multi-Org Solutions
Architecting Multi-Org Solutions
 
PLNOG 6: Piotr Szołkowski - Identity Management
PLNOG 6: Piotr Szołkowski - Identity Management PLNOG 6: Piotr Szołkowski - Identity Management
PLNOG 6: Piotr Szołkowski - Identity Management
 
CIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans Zandbelt
 
Preparing for Neo - Singapore OutSystems User Group October 2022 Meetup
Preparing for Neo - Singapore OutSystems User Group October 2022 MeetupPreparing for Neo - Singapore OutSystems User Group October 2022 Meetup
Preparing for Neo - Singapore OutSystems User Group October 2022 Meetup
 

More from rhirschfeld

What is Digital Rebar Provision (and how RackN extends)?
What is Digital Rebar Provision (and how RackN extends)?What is Digital Rebar Provision (and how RackN extends)?
What is Digital Rebar Provision (and how RackN extends)?rhirschfeld
 
RackN Physical Layer Automation Innovation
RackN Physical Layer Automation InnovationRackN Physical Layer Automation Innovation
RackN Physical Layer Automation Innovationrhirschfeld
 
Kubecon 2017 Zero Touch Kubernetes
Kubecon 2017 Zero Touch KubernetesKubecon 2017 Zero Touch Kubernetes
Kubecon 2017 Zero Touch Kubernetesrhirschfeld
 
#SREcon Immutable Infrastructure: rethinking configuration mgmt
#SREcon Immutable Infrastructure: rethinking configuration mgmt#SREcon Immutable Infrastructure: rethinking configuration mgmt
#SREcon Immutable Infrastructure: rethinking configuration mgmtrhirschfeld
 
Immutable infrastructure & Rethinking Configuration PREVIEW
Immutable infrastructure & Rethinking Configuration PREVIEWImmutable infrastructure & Rethinking Configuration PREVIEW
Immutable infrastructure & Rethinking Configuration PREVIEWrhirschfeld
 
Open Patterns for Day 2 Ops [Gluecon 2017]
Open Patterns for Day 2 Ops [Gluecon 2017]Open Patterns for Day 2 Ops [Gluecon 2017]
Open Patterns for Day 2 Ops [Gluecon 2017]rhirschfeld
 
Interop ITX Kubernetes Presentation
Interop ITX Kubernetes PresentationInterop ITX Kubernetes Presentation
Interop ITX Kubernetes Presentationrhirschfeld
 
OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)rhirschfeld
 
SRE vs DevOps vs Cloud Native Preso
SRE vs DevOps vs Cloud Native PresoSRE vs DevOps vs Cloud Native Preso
SRE vs DevOps vs Cloud Native Presorhirschfeld
 
The developer rebellion against infrastructure
The developer rebellion against infrastructureThe developer rebellion against infrastructure
The developer rebellion against infrastructurerhirschfeld
 
IBM Interconnect: Think you can Out Innovate Open Source
IBM Interconnect: Think you can Out Innovate Open SourceIBM Interconnect: Think you can Out Innovate Open Source
IBM Interconnect: Think you can Out Innovate Open Sourcerhirschfeld
 
Gluecon Preso: Hybrid Container Infrastructure
Gluecon Preso: Hybrid Container InfrastructureGluecon Preso: Hybrid Container Infrastructure
Gluecon Preso: Hybrid Container Infrastructurerhirschfeld
 
OpenStack Preso: DevOps on Hybrid Infrastructure
OpenStack Preso: DevOps on Hybrid InfrastructureOpenStack Preso: DevOps on Hybrid Infrastructure
OpenStack Preso: DevOps on Hybrid Infrastructurerhirschfeld
 
OpenServerSummit: Operating Hybrid Infrastructure
OpenServerSummit:  Operating Hybrid InfrastructureOpenServerSummit:  Operating Hybrid Infrastructure
OpenServerSummit: Operating Hybrid Infrastructurerhirschfeld
 
Git & dev ops come together, right now!
Git & dev ops come together, right now!Git & dev ops come together, right now!
Git & dev ops come together, right now!rhirschfeld
 
Apply, rinse and repeat: avoid the fidelity gap
Apply, rinse and repeat: avoid the fidelity gapApply, rinse and repeat: avoid the fidelity gap
Apply, rinse and repeat: avoid the fidelity gaprhirschfeld
 
Tokyo DefCore Presentation
Tokyo DefCore PresentationTokyo DefCore Presentation
Tokyo DefCore Presentationrhirschfeld
 
Containers all the way down
Containers all the way downContainers all the way down
Containers all the way downrhirschfeld
 
Kubernetes in 15 minutes
Kubernetes in 15 minutesKubernetes in 15 minutes
Kubernetes in 15 minutesrhirschfeld
 
Community DefCore Presentation
Community DefCore PresentationCommunity DefCore Presentation
Community DefCore Presentationrhirschfeld
 

More from rhirschfeld (20)

What is Digital Rebar Provision (and how RackN extends)?
What is Digital Rebar Provision (and how RackN extends)?What is Digital Rebar Provision (and how RackN extends)?
What is Digital Rebar Provision (and how RackN extends)?
 
RackN Physical Layer Automation Innovation
RackN Physical Layer Automation InnovationRackN Physical Layer Automation Innovation
RackN Physical Layer Automation Innovation
 
Kubecon 2017 Zero Touch Kubernetes
Kubecon 2017 Zero Touch KubernetesKubecon 2017 Zero Touch Kubernetes
Kubecon 2017 Zero Touch Kubernetes
 
#SREcon Immutable Infrastructure: rethinking configuration mgmt
#SREcon Immutable Infrastructure: rethinking configuration mgmt#SREcon Immutable Infrastructure: rethinking configuration mgmt
#SREcon Immutable Infrastructure: rethinking configuration mgmt
 
Immutable infrastructure & Rethinking Configuration PREVIEW
Immutable infrastructure & Rethinking Configuration PREVIEWImmutable infrastructure & Rethinking Configuration PREVIEW
Immutable infrastructure & Rethinking Configuration PREVIEW
 
Open Patterns for Day 2 Ops [Gluecon 2017]
Open Patterns for Day 2 Ops [Gluecon 2017]Open Patterns for Day 2 Ops [Gluecon 2017]
Open Patterns for Day 2 Ops [Gluecon 2017]
 
Interop ITX Kubernetes Presentation
Interop ITX Kubernetes PresentationInterop ITX Kubernetes Presentation
Interop ITX Kubernetes Presentation
 
OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)
 
SRE vs DevOps vs Cloud Native Preso
SRE vs DevOps vs Cloud Native PresoSRE vs DevOps vs Cloud Native Preso
SRE vs DevOps vs Cloud Native Preso
 
The developer rebellion against infrastructure
The developer rebellion against infrastructureThe developer rebellion against infrastructure
The developer rebellion against infrastructure
 
IBM Interconnect: Think you can Out Innovate Open Source
IBM Interconnect: Think you can Out Innovate Open SourceIBM Interconnect: Think you can Out Innovate Open Source
IBM Interconnect: Think you can Out Innovate Open Source
 
Gluecon Preso: Hybrid Container Infrastructure
Gluecon Preso: Hybrid Container InfrastructureGluecon Preso: Hybrid Container Infrastructure
Gluecon Preso: Hybrid Container Infrastructure
 
OpenStack Preso: DevOps on Hybrid Infrastructure
OpenStack Preso: DevOps on Hybrid InfrastructureOpenStack Preso: DevOps on Hybrid Infrastructure
OpenStack Preso: DevOps on Hybrid Infrastructure
 
OpenServerSummit: Operating Hybrid Infrastructure
OpenServerSummit:  Operating Hybrid InfrastructureOpenServerSummit:  Operating Hybrid Infrastructure
OpenServerSummit: Operating Hybrid Infrastructure
 
Git & dev ops come together, right now!
Git & dev ops come together, right now!Git & dev ops come together, right now!
Git & dev ops come together, right now!
 
Apply, rinse and repeat: avoid the fidelity gap
Apply, rinse and repeat: avoid the fidelity gapApply, rinse and repeat: avoid the fidelity gap
Apply, rinse and repeat: avoid the fidelity gap
 
Tokyo DefCore Presentation
Tokyo DefCore PresentationTokyo DefCore Presentation
Tokyo DefCore Presentation
 
Containers all the way down
Containers all the way downContainers all the way down
Containers all the way down
 
Kubernetes in 15 minutes
Kubernetes in 15 minutesKubernetes in 15 minutes
Kubernetes in 15 minutes
 
Community DefCore Presentation
Community DefCore PresentationCommunity DefCore Presentation
Community DefCore Presentation
 

Recently uploaded

Red shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's CyberspaceRed shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's Cyberspacesttyk
 
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical ProfessionalsAugmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical Professionalsthirdeyegen65
 
Modern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetModern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetmatt806068
 
Augmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & DefenseAugmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & Defensethirdeyegen65
 
history of tau gamma architect.1968.....
history of tau gamma architect.1968.....history of tau gamma architect.1968.....
history of tau gamma architect.1968.....josephiigo
 
[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchain[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchainhackersuli
 
UGBINTERNETBANKING FACILITY LAUNCHED.pptx
UGBINTERNETBANKING FACILITY LAUNCHED.pptxUGBINTERNETBANKING FACILITY LAUNCHED.pptx
UGBINTERNETBANKING FACILITY LAUNCHED.pptxRiteshsahu101
 
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS  Clarify, Feature Store, Hyper parameter TuningAWS Overview of AWS  Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS Clarify, Feature Store, Hyper parameter TuningVarun Garg
 
Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...ssuser7b7f4e
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 

Recently uploaded (12)

Red shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's CyberspaceRed shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's Cyberspace
 
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical ProfessionalsAugmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
 
Modern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetModern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budget
 
Augmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & DefenseAugmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & Defense
 
history of tau gamma architect.1968.....
history of tau gamma architect.1968.....history of tau gamma architect.1968.....
history of tau gamma architect.1968.....
 
[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchain[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchain
 
B1 Evaluation.docx
B1 Evaluation.docxB1 Evaluation.docx
B1 Evaluation.docx
 
UGBINTERNETBANKING FACILITY LAUNCHED.pptx
UGBINTERNETBANKING FACILITY LAUNCHED.pptxUGBINTERNETBANKING FACILITY LAUNCHED.pptx
UGBINTERNETBANKING FACILITY LAUNCHED.pptx
 
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS  Clarify, Feature Store, Hyper parameter TuningAWS Overview of AWS  Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
 
Riesgos online
Riesgos onlineRiesgos online
Riesgos online
 
Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 

The Messy Underlay Dilemma - automating PKI at Defragcon

  • 1. The Messy Underlay Dilemma Lessons Learned Securing K8s Rob Hirschfeld, @zehicle
  • 2. Hang on tight! We’re going deep. To automated live encryption key rotation
  • 3. Is Operating Kubernetes HARD? DF No. But underlay is hard. From http://www.slideshare.net/rhirschfeld/ Containers, Orchestration and Security, Oh My!
  • 4. Underlay vs Overlay Platform Overlay Infrastructure Underlay Ready State 0 Ready Prerequisites 1 Prereq Cluster API & Control Services 2 Control Worker Nodes 3 Nodes Cluster Add-ons 4 Add-Ons User Applications 5 Apps Application Overlay Underlay = Crust Overlay = Filling App = Topping Underlay components are the operational integrations and prerequisites that go into building a system to before we can install a platform.
  • 5. Why is Underlay Hard? It’s Sequential, Multi-node & Environment Specific Unlike development environments, production cannot overlook integration points HA/LB PKI DNS SDN IPAM BMC RAID BIOS Highly Available & Load Balanced Public Key Infrastructure Domain Name Servers Software Defined Networks IP Address Management Out of Band Management Drive Arrays Firmware Even in cloud only deployments, these critical components for production platforms and applications require a level of different systems thinking. Strong underlay builds an IT foundation.
  • 6. Platform & Infrastructure Underlay Ready State 0 Ready Prerequisites 1 Prereq Cluster API & Control Services 2 Control Worker Nodes 3 Nodes Cluster Add-ons 4 Add-Ons User Applications 5 Apps Application Overlay DevOps Is Struggling Developers don’t want do this infrastructure specific stuff Companies are turning to containers and application platforms (like Kubernetes) to abstract the messy underlay. While platforms hide complexity from developers, the issues still need to be addressed by Ops.
  • 7. What makes underlay hard? Let’s look at Internal PKI
  • 8. Protection via Tunnel Level Security (TLS) This is pretty complex stuff…. At a very basic level: 1. Send public key to client 2. Client encrypts token with public key 3. Client returns encrypted package 4. Server decrypts token with private key 5. Server uses token to encrypt tunnel Server Private Key Client Public 1 2 Token 4 Token 3 5 T L S
  • 9. Trusted 3rd Party Trust Anchor Trust Chain of Trust in Public Key Infrastructure (PKI) PKI is doing something amazing! It establishes asynchronous trust By relying on strong encryption And Trust Anchors. Server Private Key Cert Auth Client Public T L S Digital Signature Root
  • 10. Half of all Internet Traffic is encrypted! HTTPS > 50% That’s great for public traffic where trust is anchored / embedded into clients What about the internal traffic? We want a “narrow trust domain” so there’s no embedded trust mechanism and we maintain full control. We also want to protect both sides. Public End Points East-West Traffic North-SouthTraffic Back End Services End User Clients
  • 11. Server Client TrustTrust Shared Root in Public Key Infrastructure (PKI) Self-signing keys is not considered secure. Internal PKI uses a shared root strategy The private root of the CA must not be known to in the trust relationship. Members of the Trust Domain rely on the CA to verify membership and identity. External Trust Anchors are not desirable because we want an exclusive Trust Domain. Private Key Public T L S D. SigRoot Private Key D. Sig Public Root Site CA
  • 12. Master Node 1 Worker Nodes Worker Nodes Master Node 2+ “Narrow” Trust Domain Limits Shared Roots etcd Kublet Proxy API Server Controller Controller etcd API Server Scheduler Scheduler User! Illustration from Slideshare Rob Hirschfeld
  • 13. Master Node 1 Root Worker Nodes Worker Nodes Master Node 2+ RootRoot Root Shared Roots Create Trust Zones etcd Kublet Proxy API Server Controller Controller etcd API Server Scheduler Scheduler User!
  • 14. Services Files 1 2 Config App How do we automate this? Mix of Service and Configuration 1. Run a Root CA Service 2. Create a unique Root 3. Generate Key Pair Certificate for Server 4. Generate Digital Signature with Public Key for Client(s) 5. Configure Server with Certificate 6. Configure Client with Signature Private Key Digital Sig Public Site CA Root Server Certificate Client Certificate 3 4 5 6 Public
  • 15. Old Root New Root Root Rotation protects Trust Zone - Do it daily?! By design, root rotation breaks cluster communications! Like an in-place upgrade, rotation can break APIs. We need to change the keys without breaking communication between components. Previous Cluster Member Cluster Trust Zone Old New New New Old New
  • 16. Step 1: Root Rotation without Downtime Relies on Client to using support multiple digital signatures for the server. Create a new root and propagate new certificates in the cluster. Update the client configurations to use either signature. Old Root New Root Previous Cluster Member Cluster Trust Zone Old Old New Old Old Old New New
  • 17. Step 2: Root Rotation without Downtime Ensure all the desired clients have new signature. Replace the server private key with the new value. Old keys will no longer work. In a daily rotation, leave both old and new signatures in place. Old Root New Root Previous Cluster Member Cluster Trust Zone Old Old New Old Old New New New
  • 18. Happily, this is a repeatable pattern for underlay automation.