Cloud Native Virtual Summit featuring Kubernetes, April 2020,
talk by Alex Krause (@alex0ptr, Software Engineer at QAware)
== Please download slides if blurred! ==
Abstract: Microservices distribute the complexity of applications into smaller processes and infrastructure. Consequently, policies for encryption, cost labelling or access control become decentralized too. The already complex components of a cloud-native application, such as container orchestration, IaaS components and CI/CD pipelines, further complicate a technically uniform definition of these guidelines.
OPA (Open Policy Agent) is a CNCF tool to define and check policies. What makes OPA special is its easy integration into cloud-native environments in combination with Rego, a universal logic programming language that allows defining policies across technology boundaries. This technical presentation is an introduction to OPA and demonstrates typical use cases.
This presentation has been presented at the "Vienna DevOps & Security Meetup" in 2021.
It discusses the state of monitoring, what OpenTelemetry is and why you should care about it.
Concepts and basics are discussed and presented in a full example extracting traces, metrics and logs.
Demo: https://github.com/secustor/opentelemetry-meetup
This talk is an introduction to quantum cryptography and cryptanalysis: the physics and mathematics behind how quantum computers provide unique opportunities and threats to traditional cryptographic systems. We will review the basics behind quantum mechanics and quantum computers, why quantum computers pose a unique threat to cryptographic systems and what secure infrastructure systems must do to protect secrets in a post-quantum world.
Fine-grained Authorization in a Containerized World - Ashutosh Narkar
Talk from Open Source Summit San Diego 2019, showing how the Open Policy Agent can help to enforce fine-grained security policies in a Kubernetes cluster through Admission Control.
TUTORIAL: Digital Forensics and Incident Response in the Cloud
Cloud technologies have made it easier for organizations to adapt rapidly to changing IT needs. Teams may acquire (and destroy) new computing resources at the press of a button, providing a very flexible deployment environment. While this capability is generally useful, it comes at the cost of increased management overhead and, in particular, a degraded security posture. Traditionally, IT managers have had visibility into organizational inventories and could use this information to enforce org-wide standard operating environments (SOEs), institute patching regimes, etc. However, with the advent of cloud computing, every team can create new VMs and containers on a whim for both production and development use, typically based on the cloud service provider's SOE offering.
In this tutorial we explore open source tools available for managing cloud deployments. In particular we look at the endpoint monitoring solutions provided by Google's Rekall Agent and Facebook's OSQuery and how these can be integrated into typical cloud deployments. Delegates should walk away from this tutorial able to install and manage a cloud deployment of Rekall Agent and OSQuery on their VM endpoints.
These solutions allow administrators to gain insight into their enterprise-wide deployment. For example, one could ask questions such as:
What is the current patch level of all my cloud VMs and containers for each software package? Which VMs are in need of patching? Which VMs have been created recently, and do they comply with minimum security hardening standards?
Who has remote access to my VMs? E.g. via SSH authorized_keys? Via the cloud IAM security policy?
Do any VMs contain a particular indicator of compromise? E.g. run a YARA signature over all executables on my virtual machines and tell me which ones match.
HashiCorp Vault: Open Source Secrets Management at #OPEN18 - Kangaroot
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. We'll show how this works.
How Netflix Is Solving Authorization Across Their Cloud - Torin Sandall
Since 2008, Netflix has been on the cutting edge of cloud-based microservices deployments. In 2017, Netflix is recognized as one of the industry leaders at building and operating “cloud native” systems at scale. Like many organizations, Netflix has unique security requirements for many of their workloads. This variety requires a holistic approach to authorization to address “who can do what” across a range of resources, enforcement points, and execution environments.
In this talk, Manish Mehta (Senior Security Software Engineer at Netflix) and Torin Sandall (Technical Lead of the Open Policy Agent project) will present how Netflix is solving authorization across the stack in cloud native environments. The presentation shows how Netflix enforces authorization decisions at scale across various kinds of resources (e.g., HTTP APIs, gRPC methods, SSH), enforcement points (e.g., microservices, proxies, host-level daemons), and execution environments (e.g., VMs, containers) without introducing unreasonable latency. The presentation includes a deep dive into the architecture of the cloud native authorization system at Netflix as well as how authorization decisions can be offloaded to an open source, general-purpose policy engine (Open Policy Agent).
This talk is targeted at engineers building and operating cloud native systems who are interested in security and authorization. The audience can expect to take away fresh ideas about how to enforce fine-grained authorization policies across the stack in the cloud environment.
This workshop was given at Crikeycon 2019 in Brisbane. It introduces Velociraptor and explains some of the design goals and implementation.
Note - this slide deck is outdated but might still be useful. The tool has evolved significantly since Crikeycon.
This workshop was given at the NZITF conference 2018 in Wellington. The workshop covers Velociraptor, a modern DFIR endpoint monitoring and response tool.
In this document you will find the latest improvements made to OpenStack and how certain Intel technologies boost the performance and security of the cloud environment. Some examples:
How to create pools of secured VMs with geo-tagging capability (Intel technologies present in HP, DELL, IBM… servers + Folsom, Nova, Horizon, Open Attestation)
How to strengthen the security of OpenStack's new key management module (Intel technologies + Barbican)
How to benchmark Swift object storage with COSBench (which now supports Ceph, S3 and Amplidata)
Authors:
Girish Gopal - Strategic Planning, Intel Corporation
Malini Bhandaru - Security Architect, Intel Corporation
Slides from "Managing Secrets at scale" at Velocity EU 2015
Secrets come in many shapes and sizes: database API keys, database passwords, private keys. Distributing and managing these secrets is usually an afterthought. It's hard to get right, and can be very expensive if you get it wrong. In this session, we'll look at the core operations and properties that make up a good secret management system, and how these principles can be implemented.
Securing and Automating Kubernetes with Kyverno - Saim Safder
Kyverno is a CNCF Sandbox project created by Nirmata.
Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline.
In this session Shuting Zhao and Jim Bugwadia, both of whom are Kyverno maintainers, will provide an overview of Kyverno and describe how you can get started with using it.
More than 87% of websites are SSL-encrypted and organizations can have thousands of certificates in production. A more flexible approach to managing certificates is needed. In this webinar we cover how to load certificates dynamically and additional newly released features. https://attendee.gotowebinar.com/register/521167809778215683
MRA AMA Part 7: The Circuit Breaker Pattern - NGINX, Inc.
The on-demand version can be accessed at https://www.nginx.com/resources/webinars/mra-ama-part-7-circuit-breaker-pattern/
The circuit breaker pattern is an emerging standard for use in app development and deployment, particularly with microservices apps. Popular architectures such as Istio and linkerd use the circuit breaker pattern for resiliency. This pattern is an important component in what can become fully resilient, “self-healing” application architectures.
In this webinar, we describe the use of the circuit breaker pattern with NGINX Plus, which has specific features that support the use of this pattern, and in the NGINX Microservices Reference Architecture. Attendees of the live webinar will have the opportunity to ask questions.
Handling GDPR with Apache Kafka: How to Comply Without Freaking Out? (David J... - Confluent
Do you wonder how to cope with the right to be forgotten? Do you wonder how to only process the events of individuals who have given their consent for processing their data? Do you wonder how to protect PII data of your users? Or do you wonder how to implement these across all your heterogeneous languages, clients and processing frameworks without having to re-implement all your streaming services? This talk is for you!
In this talk, we will answer these questions and show you
1) how transparent end-to-end encryption can be implemented on top of Apache Kafka;
2) how crypto-shredding can be used to forget individuals; and
3) how record based access control can be implemented on top of Apache Kafka.
Above all, we will show how this can be done without touching any applications by using an out-of-process architecture (à la service mesh).
Webhooks do's and don'ts: what we learned after integrating +100 APIs - Giuli... - Codemotion
Modern applications are increasingly oriented toward being a composition of APIs and having a serverless architecture; for this reason, whoever develops APIs cannot limit themselves to exposing the most common REST endpoints. Webhooks cannot be missing from a modern API, yet there is nothing in the HTTP API literature that comes close to a standard format for their design, which gives rise to the most disparate implementations. After integrating over 100 APIs with Stamplay, we tell you the pros and cons of the design choices made when developing webhooks.
FIWARE Wednesday Webinars - Short Term History within Smart Systems - FIWARE
FIWARE Wednesday Webinar - Short Term History within Smart Systems (2nd April 2020)
Corresponding webinar recording: https://youtu.be/fX_YAc7G4Dk
This webinar will show how to utilise time series components and how to monitor and display trends within FIWARE applications.
Chapter: Core Context
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
CNCF Webinar - How to Gain Insights from Istio by leveraging CNCF projects - Neeraj Poddar
Istio integrates with a rich set of tools that can add tracing, telemetry, logging and other functionalities to your microservices environment. This session will focus on how a myriad of tools, including several CNCF projects, work collectively to deliver the full functionality of Istio.
This presentation covers:
1) How Grafana and Prometheus make it easy for your entire team to understand what’s going on with your microservices.
2) How Jaeger can be most effectively used for tracing to get to root cause analysis.
3) How Cortex delivers long-term storage for Prometheus telemetry data, how horizontal scalability and cloud-native storage provides virtually infinite data retention, and how Cortex can solve multi-tenant Prometheus challenges.
Test rate limits in dry-run mode and monitor NGINX Plus using advanced metrics with NGINX Plus R19.
On-Demand Link:
https://www.nginx.com/resources/webinars/whats-new-nginx-plus-r19/
Watch this webinar to learn:
- How to monitor your NGINX Plus ecosystem with fine-grained insights using advanced metrics
- About dynamically blacklisting IP address ranges in the key-value store
- How to apply different bandwidth limits based on attributes of incoming traffic
- About testing rate limits in dry-run mode
The adoption of container native and cloud native development practices presents new operational challenges. Today’s microservice environments are polyglot, distributed, container-based, highly-scalable, and ephemeral. To understand your system, you need to be able to follow the life of a request across numerous components distributed in multiple environments. Without the proper tools it can feel impossible to determine a root cause of an issue. This requires a new approach to operations. We will review a series of open source observability tools for logging, monitoring, and tracing to help developers achieve operational excellence for running container-based workloads.
APIs: Intelligent Routing, Security, & Management - NGINX, Inc.
Kevin Jones, Global Consulting Engineer from NGINX San Francisco, presents how to accelerate your journey to microservices with a modernised full API lifecycle management solution. Learn how to cut costs, improve performance, and reduce load on API endpoints. This presentation covers:
All elements of full lifecycle management including API creation, securing your backend infrastructure, managing traffic, and ongoing monitoring.
Innovative architecture that doesn't involve additional microgateways to process API calls
Differentiated pricing model that does not penalize API adoption
Hyperledger Fabric Technical Deep Dive 20190618 - Arnaud Le Hors
Slides presented at the Hyperledger Fabric workshop in Barcelona on July 10th, 2019.
This introduces blockchain for business and describes in detail the Hyperledger Fabric design principles, overall architecture, its components, and the transaction flow.
Designing an API for the Internet of Things - Kevin Swiber
In the near future, everything will be connected: cities, enterprises, human beings, and more. This reality is just over the horizon, and it brings one of the largest challenges in building distributed systems. Today, developers often look to RESTful Web APIs to solve these problems. Are current trends in API design really prepared to handle the demands of the future? What’s missing from the equation? Learn new patterns for modeling Web APIs using state machines, hypermedia, and reactive streams to meet tomorrow’s challenges and make a solid attempt at standing the test of time.
Security practitioners are challenged by Amazon S3 to maintain a balance between the advantages of cloud storage and the necessary caution.
Unfortunately, S3 access control is nice to set and hard to maintain:
The access-permission schema, defined via “policies”, is very flexible. At implementation time the developer knows the rather technical JSON syntax.
When permissions have to be reviewed, the auditor needs knowledge of the specific details of policies written in JSON syntax, and of their respective locations in the AWS console.
Adding to the complexity is access control with ACLs.
by Anton Shmagin, Partner Solutions Architect, AWS
Learn how to get started using Amazon FreeRTOS, an IoT operating system for microcontrollers, in this IoT Day workshop. AWS has partnered with Espressif to bring you the hands-on experience of programming the Amazon FreeRTOS qualified development kit, ESP32-DevKitC. You'll go through the steps of configuring Amazon FreeRTOS source code examples, compiling, and flashing to the ESP32-DevKitC. Then you'll use AWS cloud services like AWS IoT Core to build and operate a connected microcontroller-based device.
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
Since 2008, Netflix has been on the cutting edge of cloud-based microservices deployments. In 2017, Netflix is recognized as one of the industry leaders at building and operating “cloud native” systems at scale. Like many organizations, Netflix has unique security requirements for many of their workloads. This variety requires a holistic approach to authorization to address “who can do what” across a range of resources, enforcement points, and execution environments.
In this talk, Manish Mehta (Senior Security Software Engineer at Netflix) and Torin Sandall (Technical Lead of the Open Policy Agent project) will present how Netflix is solving authorization across the stack in cloud native environments. The presentation shows how Netflix enforces authorization decisions at scale across various kinds of resources (e.g., HTTP APIs, gRPC methods, SSH), enforcement points (e.g., microservices, proxies, host-level daemons), and execution environments (e.g., VMs, containers) without introducing unreasonable latency. The presentation includes a deep dive into the architecture of the cloud native authorization system at Netflix as well as how authorization decisions can be offloaded to an open source, general-purpose policy engine (Open Policy Agent).
This talk is targeted at engineers building and operating cloud native systems who are interested in security and authorization. The audience can expect to take away fresh ideas about how to enforce fine-grained authorization policies across stackthe cloud environment.
Do any VM's contain a particular indicator of compromise? E.g. Run a YARA signature over all executables on my virtual machines and tell me which ones match.
This workshop was given at Crikeycon 2019 in Brisbane. It introduces Velociraptor and explains some of the design goals and implementation.
Note - this slide deck is outdated but might still be useful. The tool has evolved significantly since Crikeycon.
This workshop was given at the NZITF conference 2018 in Wellington. The workshop covers Velociraptor, a modern DFIR endpoint monitoring and response tool.
Dans ce document vous trouverez les dernières améliorations faites sur OpenStack et comment certaines technologies Intel dopent la performance et la sécurité de l'environnement Cloud. Quelques exemple avec :
Comment créer des "pool" de VM sécurisées avec possibilité de géo tagging (technologies Intel présentent dans les serveurs HP, DELL, IBM… + Folsom, Nova, Horizon, Open Attestation)
Comment doper la sécurité du nouveau module de gestion des clés d'OpenStack (technologies Intel + Barbican)
Comment benchmarker le stockage object Swift avec COSBench (qui supporte maintenant Ceph, S3 et Amplidata)
Auteurs:
Girish Gopal - Strategic Planning, Intel Corporation
Malini Bhandaru - Security Architect, Intel Corporation
Slides from "Managing Secrets at scale" at Velocity EU 2015
Secrets come in many shapes and sizes: database API keys, database passwords, private keys. Distributing and managing these secrets is usually an afterthought. It's hard to get right, and can be very expensive if you get it wrong. In this session, we'll look at the core operations and properties that make up a good secret management system, and how these principals can be implemented
Securing and Automating Kubernetes with KyvernoSaim Safder
Kyverno is a CNCF Sandbox Project Created by Nirmata.
Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline.
In this session Shuting Zhao and Jim Bugwadia, both of whom are Kyverno maintainers will provide an overview of Kyverno and describe how you can get started with using it.
More than 87% of websites are SSL-encrypted and organizations can have thousands of certificates in production. A more flexible approach to managing certificates is needed. In this webinar we cover how to load certificates dynamically and additional newly released features. https://attendee.gotowebinar.com/register/521167809778215683
MRA AMA Part 7: The Circuit Breaker PatternNGINX, Inc.
On demand version can be accessed at https://www.nginx.com/resources/webinars/mra-ama-part-7-circuit-breaker-pattern/
The circuit breaker pattern is an emerging standard for use in app development and deployment, particularly with microservices apps. Popular architectures such as Istio and linkerd use the circuit breaker pattern for resiliency. This pattern is an important component in what can become fully resilient, “self-healing” application architectures.
In this webinar, we describe the use of the circuit breaker pattern with NGINX Plus, which has specific features that support the use of this pattern, and in the NGINX Microservices Reference Architecture. Attendees of the live webinar will have the opportunity to ask questions.
Handling GDPR with Apache Kafka: How to Comply Without Freaking Out? (David J...confluent
Do you wonder how to cope with the right to be forgotten? Do you wonder how to only process the events of individuals who have given their consent for processing their data? Do you wonder how to protect PII data of your users? Or do you wonder how to implement these across all your heterogeneous languages, clients and processing frameworks without having to re-implement all your streaming services? This talk is for you!
In this talk, we will answer these questions and show you
1) how transparent end-to-end encryption can be implemented on top of Apache Kafka;
2) how crypto-shredding can be used to forget individuals; and
3) how record based access control can be implemented on top of Apache Kafka.
Above all, we will show how this can be done without touching any applications by using an out-of-process architecture (Ã la service-mesh).
Webhooks do's and dont's: what we learned after integrating +100 APIs - Giuli...Codemotion
Le applicazioni moderne sono sempre più orientate ad essere una composizione di API e ad avere un architettura serverless, per questo motivo chi sviluppa API non può limitarsi ad esporre i più comuni endpoint REST. I Webhook non possono mancare in un' API moderna ma non c'è nulla nella letteratura delle API HTTP che si avvicini ad un formato standard per la loro progettazione dando vita alle implementazioni più disparate. Dopo aver integrato oltre 100 API con Stamplay vi raccontiamo quali sono i pro e i contro delle scelte progettuali che si fanno nello sviluppo di Webhook.
FIWARE Wednesday Webinars - Short Term History within Smart SystemsFIWARE
FIWARE Wednesday Webinar - Short Term History within Smart Systems (2nd April 2020)
Corresponding webinar recording: https://youtu.be/fX_YAc7G4Dk
This webinar will show how to utilise times series components and monitor and display trends within FIWARE applications.
Chapter: Core Context
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
CNCF Webinar - How to Gain Insights from Istio by leveraging CNCF projectsNeeraj Poddar
Istio integrates with a rich set of tools that can add tracing, telemetry, logging and other functionalities to your microservices environment. This session will focus on how a myriad of tools, including several CNCF projects, work collectively to deliver the full functionality of Istio.
This presentation covers:
1) How Grafana and Prometheus make makes it easy for your entire team to understand what’s going on with your microservices.
2) How Jaeger can be most effectively used for tracing to get to root cause analysis.
3) How Cortex delivers long-term storage for Prometheus telemetry data, how horizontal scalability and cloud-native storage provides virtually infinite data retention, and how Cortex can solve multi-tenant Prometheus challenges.
Test rate limits in dry-run mode and monitor NGINX Plus using advanced metrics with NGINX Plus R19.
On-Demand Link:
https://www.nginx.com/resources/webinars/whats-new-nginx-plus-r19/
Watch this webinar to learn:
- How to monitor your NGINX Plus ecosystem with fine-grained insights using advanced metrics
- About dynamically blacklisting IP address ranges in the key-value Store
- How to apply different bandwidth limits based on attributes of incoming traffic
- About testing rate limits in dry-run mode
The adoption of container native and cloud native development practices presents new operational challenges. Today’s microservice environments are polyglot, distributed, container-based, highly-scalable, and ephemeral. To understand your system, you need to be able to follow the life of a request across numerous components distributed in multiple environments. Without the proper tools it can feel impossible to determine a root cause of an issue. This requires a new approach to operations. We will review a series of open source observability tools for logging, monitoring, and tracing to help developers achieve operational excellence for running container-based workloads.
APIs: Intelligent Routing, Security, & Management (NGINX, Inc.)
Kevin Jones, Global Consulting Engineer from NGINX San Francisco, presents how to accelerate your journey to microservices with a modernised full API lifecycle management solution. Learn how to cut costs, improve performance, and reduce load on API endpoints. This presentation covers:
All elements of full lifecycle management including API creation, securing your backend infrastructure, managing traffic, and ongoing monitoring.
Innovative architecture that doesn't involve additional microgateways to process API calls
Differentiated pricing model that does not penalize API adoption
Hyperledger Fabric Technical Deep Dive 20190618 (Arnaud Le Hors)
Slides presented at the Hyperledger Fabric workshop in Barcelona on July 10th, 2019.
This introduces blockchain for business and describes in detail the Hyperledger Fabric design principles, overall architecture, its components, and the transaction flow.
Designing an API for the Internet of Things (Kevin Swiber)
In the near future, everything will be connected: cities, enterprises, human beings, and more. This reality is just over the horizon, and it brings one of the largest challenges in building distributed systems. Today, developers often look to RESTful Web APIs to solve these problems. Are current trends in API design really prepared to handle the demands of the future? What’s missing from the equation? Learn new patterns for modeling Web APIs using state machines, hypermedia, and reactive streams to meet tomorrow’s challenges and make a solid attempt at standing the test of time.
Amazon S3 challenges security practitioners to balance the advantages of cloud storage against the caution it demands.
Unfortunately, S3 access control is easy to set and hard to maintain:
The permission schema, defined via "policies", is very flexible. At implementation time the developer knows the rather technical JSON syntax.
When permissions have to be reviewed, the auditor needs detailed knowledge of policies written in JSON syntax and of where they live in the AWS console.
Access control with ACLs adds to the complexity.
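The review problem described above is mechanical enough to script. The following is an added example, not code from the talk: it takes a bucket policy document and an ACL in the shapes that boto3's `get_bucket_policy()['Policy']` (a JSON string) and `get_bucket_acl()` return, and lists every Allow statement granted to an anonymous principal and every ACL grant to the AllUsers or AuthenticatedUsers groups. Both sample documents are constructed; nothing here calls AWS.

```python
"""Audit an S3 bucket policy and ACL for public access.

Added example, not from the talk above. The policy and ACL documents below are
constructed samples in the shapes that boto3's get_bucket_policy()['Policy']
(a JSON string) and get_bucket_acl() return; nothing here calls AWS.
"""
import json

# Canned ACL groups that make a bucket or object readable/writable by the world.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True when the Principal element grants to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_doc):
    """Return the Allow statements that grant to an anonymous principal.

    A Condition element is reported, not evaluated: keys such as aws:SourceVpce
    or aws:PrincipalOrgID can narrow "*" to something safe, so an auditor must
    read those statements rather than trust the flag alone.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl):
    """Return ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append({"uri": grantee["URI"], "permission": grant.get("Permission")})
    return findings


def audit_bucket(policy_doc, acl):
    """Combine both checks; a non-empty list means 'a human must review this bucket'."""
    return {"policy": public_policy_statements(policy_doc), "acl": public_acl_grants(acl)}


# Constructed sample policy: an unconditional public read, a role-scoped write,
# and a "*" principal narrowed by a VPC endpoint condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Constructed sample ACL: owner has full control, plus a legacy public-read grant.
OWNER_ID = "c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2"
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_POLICY, SAMPLE_ACL), indent=2))
```

Run against a real account by feeding `audit_bucket()` the output of `get_bucket_policy` and `get_bucket_acl` per bucket. Two caveats: a statement with a Condition is flagged for reading, not judged, because conditions can make `"*"` perfectly safe; and account or bucket level Block Public Access settings (`get_public_access_block`) override both policy and ACL, so a finding here is a review item, not proof of exposure.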
by Anton Shmagin, Partner Solutions Architect, AWS
Learn how to get started using Amazon FreeRTOS, an IoT operating system for microcontrollers, in this IoT Day workshop. AWS has partnered with Espressif to bring you the hands-on experience of programming the Amazon FreeRTOS qualified development kit, ESP32-DevKitC. You'll go through the steps of configuring Amazon FreeRTOS source code examples, compiling, and flashing to the ESP32-DevKitC. Then you'll use AWS cloud services like AWS IoT Core to build and operate a connected microcontroller-based device.
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture (CloudVillage)
Speaker 1: Rod Soto
Speaker 2: Jose Hernandez
This presentation shows how to use Splunk to provide the analyst with a comprehensive view of AWS/GCP/Azure security posture. Presenters will outline how to ingest the audit data provided by the open source tool Cloud Security Suite into Splunk to analyze cloud vulnerabilities, harden multi-cloud deployments and visualize the multi-cloud threat surface. Presenters will also demonstrate use cases based on Splunk knowledge objects (tables, dashboards, alerts, field extractions, lookups, etc.), in order to take advantage of the information provided by various supporting tools like the Scout2 and G-Scout projects for cloud API auditing.
Using Splunk/ELK for auditing AWS/GCP/Azure security posture (Jose Hernandez)
In this talk Rod Soto and I propose a common set of categories used to audit the security posture of multiple cloud providers. Then we proceed to show how we have implemented the security checks using cs-suite with ELK and Splunk.
Building your production tech stack for docker container platform (Docker, Inc.)
This session will focus on the practicals of building a fully-functional stack of container cluster tools, with different options for stacking those tools from the OS-up.
We’ve all seen examples of common technology stacks, like the good ol’ LAMP and MEAN stacks for apps, but what about lower-level infrastructure? And can we get it without cloud vendor lock-in please? Oh, and pure containers and infrastructure-as-code too?
With Docker, sure thing! This session will cover:
Which OS/Distro and Kernel to use
VMs or bare metal
Recommended Swarm architectures
Tool stacks for “pure open source”, “cloud-service based”, and “Docker EE” scenarios
Demos of these tools working together including InfraKit, Docker, Swarm, Flow-Proxy, ELK, Prometheus, REX-Ray, and more.
Mythical Mysfits: Monolith to Microservice with Docker and AWS Fargate (CON21... (Amazon Web Services)
Help our Mythical Mysfits find their forever homes! Our Mythical stack is aging and needs to be revamped ASAP. Join this workshop to get hands-on experience with Docker as you containerize the Mythical monolithic application, start breaking it apart into microservices, and deploy it using AWS Fargate. This is a foundational workshop on containers. No Docker experience required. Basic AWS experience recommended. For more advanced workshops in this series, consider CON321 and CON322.
Observability for Modern Applications (CON306-R1) - AWS re:Invent 2018 (Amazon Web Services)
In modern, microservices-based applications, it’s critical to have end-to-end observability of each microservice and the communications between them in order to quickly identify and debug issues. In this session, we cover the techniques and tools to achieve consistent, full-application observability, including monitoring, tracing, logging, and service mesh.
DCEU 18: Building Your Swarm Tech Stack for the Docker Container Platform (Docker, Inc.)
This session will focus on the practicals of building a fully-functional stack of container cluster tools, with different options for stacking those tools from the OS up. We’ve all seen examples of common technology stacks, like the good ol’ LAMP and MEAN stacks for applications, but what about lower-level infrastructure? And can we get it without cloud vendor lock-in please? Oh, and pure containers and infrastructure-as-code too? With Docker, sure thing! This session will cover:
Which OS/Distro and Kernel to use
VMs or bare metal
Recommended Swarm architectures
Tool stacks for “pure open source”, “cloud-service based”, and “Docker Enterprise” scenarios
Demos of these tools working together including InfraKit, Docker Engine, Swarm, Flow-Proxy, ELK, Prometheus, REX-Ray, and more.
Presented at DockerCon 2018 EU, I go through using Docker and the Swarm orchestrator (a simpler Kubernetes) to stack different tools up from the base OS to a full-featured production server cluster. Also, Sci-Fi. The video for this deck will be at https://www.bretfisher.com/docker once it is posted.
by Brad Dispensa, Sr. Solutions Architect, AWS
Operating a security practice on AWS brings many new challenges that haven't been faced in data center environments. The dynamic nature of infrastructure, the relationship between development team members and their applications, and the architecture paradigms have all changed as a result of building software on top of AWS. In this session we will cover how you can use secure configuration and automation to monitor, audit, and enforce your security policies within an AWS environment. Level 200
Cloud Native Night, April 2018, Mainz: Workshop led by Jörg Schad (@joerg_schad, Technical Community Lead / Developer at Mesosphere)
Join our Meetup: https://www.meetup.com/de-DE/Cloud-Native-Night/
PLEASE NOTE:
During this workshop, Jörg showed many demos and the audience could participate on their laptops. Unfortunately, we can't provide these demos. Nevertheless, Jörg's slides give a deep dive into the topic.
DETAILS ABOUT THE WORKSHOP:
Kubernetes has been one of the topics in 2017 and will probably remain so in 2018. In this hands-on technical workshop you will learn how best to deploy, operate and scale Kubernetes clusters from one to hundreds of nodes using DC/OS. You will learn how to integrate and run Kubernetes alongside traditional applications and fast data services of your choice (e.g. Apache Cassandra, Apache Kafka, Apache Spark, TensorFlow and more) on any infrastructure.
This workshop best suits operators focussed on keeping their apps and services up and running in production and developers focussed on quickly delivering internal and customer facing apps into production.
You will learn:
- The basics of Kubernetes and DC/OS (including the differences between the two)
- How to deploy Kubernetes on DC/OS in a secure, highly available, and fault-tolerant manner
- How to solve the operational challenges of running large or multiple Kubernetes clusters
- How to deploy big data stateful and stateless services alongside a Kubernetes cluster with one click
Hosting scalable applications on Amazon S3 and making them globally available via Amazon CloudFront has never been easier. In this presentation we'll dig into getting more insights from your statically hosted website by logging CloudFront to S3 and then using the power and scale of Lambda to push those logs into Amazon Elasticsearch Service for deep analysis.
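The Lambda in that pipeline has one real job: turn CloudFront's log files into documents. What follows is an added example, not code from the talk. CloudFront delivers gzipped, tab-separated files with `#Version` and `#Fields` header lines, `-` for empty values and URL-encoding in the URI and header fields; the parser below reads the field names from the header instead of hard-coding positions, converts the numeric fields, shapes the records for an Elasticsearch bulk index, and as a first detection counts 403s per client IP. `SAMPLE_LOG` is a constructed file with a subset of the real field names; no S3, Lambda or Elasticsearch calls are made.

```python
"""Parse CloudFront standard logs and summarise denied requests per client.

Added example, not from the talk above. CloudFront delivers gzipped,
tab-separated files with "#Version" and "#Fields" header lines, "-" for
empty values and URL-encoding in the URI and header fields. SAMPLE_LOG is a
constructed file with a subset of the real field names; no S3, Lambda or
Elasticsearch calls are made.
"""
import gzip
from collections import Counter
from urllib.parse import unquote

# Fields CloudFront URL-encodes, and fields worth storing as integers.
URL_ENCODED_FIELDS = {"cs-uri-stem", "cs-uri-query", "cs(Referer)", "cs(User-Agent)"}
INT_FIELDS = {"sc-status", "sc-bytes", "cs-bytes", "c-port"}

# Constructed sample: one client browsing normally, one probing for admin paths.
SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
    "cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query\n"
    "2023-09-01\t10:00:01\tFRA50-C1\t1024\t203.0.113.7\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-\n"
    "2023-09-01\t10:00:02\tFRA50-C1\t512\t198.51.100.9\tGET\td111111abcdef8.cloudfront.net\t/admin\t403\t-\tcurl/8.0\t-\n"
    "2023-09-01\t10:00:03\tFRA50-C1\t512\t198.51.100.9\tGET\td111111abcdef8.cloudfront.net\t/.env\t403\t-\tcurl/8.0\t-\n"
    "2023-09-01\t10:00:04\tFRA50-C1\t512\t198.51.100.9\tGET\td111111abcdef8.cloudfront.net\t/wp-login.php\t403\t-\tcurl/8.0\t-\n"
    "2023-09-01\t10:00:05\tFRA50-C1\t2048\t203.0.113.7\tGET\td111111abcdef8.cloudfront.net\t/search\t200\t-\tMozilla/5.0\tq=a%20b\n"
)
# What the Lambda would actually read from the S3 object body.
SAMPLE_GZ = gzip.compress(SAMPLE_LOG.encode("utf-8"))


def decode_log_object(body):
    """Accept a raw S3 object body (gzipped or plain bytes) and return text."""
    if body[:2] == b"\x1f\x8b":  # gzip magic number
        body = gzip.decompress(body)
    return body.decode("utf-8")


def parse_cloudfront_log(text):
    """Yield one dict per record, keyed by the names from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # #Version and any other header line
            continue
        if fields is None:
            raise ValueError("record seen before #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        record = {}
        for name, raw in zip(fields, values):
            if raw == "-":
                record[name] = None
            elif name in URL_ENCODED_FIELDS:
                record[name] = unquote(raw)
            elif name in INT_FIELDS:
                record[name] = int(raw)
            else:
                record[name] = raw
        yield record


def to_documents(records):
    """Shape records for an Elasticsearch bulk index: ISO timestamp, no null fields."""
    docs = []
    for rec in records:
        doc = {k: v for k, v in rec.items() if v is not None}
        doc["@timestamp"] = f"{rec['date']}T{rec['time']}Z"  # CloudFront logs in UTC
        docs.append(doc)
    return docs


def denied_per_client(records, min_count=3):
    """Client IPs with at least min_count 403 responses: a cheap probe/scan signal."""
    counts = Counter(r["c-ip"] for r in records if r["sc-status"] == 403)
    return {ip: n for ip, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    recs = list(parse_cloudfront_log(decode_log_object(SAMPLE_GZ)))
    print(to_documents(recs)[0])
    print(denied_per_client(recs))
```

Reading the `#Fields` header rather than assuming column positions matters because CloudFront appends new fields over time and older files in the same bucket keep their shorter layout; a positional parser silently shifts every column when that happens. The per-client 403 count is the kind of query that becomes trivial once the documents are in Elasticsearch, but doing it in the Lambda lets you raise an alert before the data is indexed.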
Defeating dinosaurs with ChatGPT - Possibilities and limits of LLMs for the ... (QAware GmbH)
Generative AI for Developers, 27.05.2024, Bonn (Martin Binder, Lead IT Consultant at QAware)
Critical infrastructure is still carried by dinosaur systems from the last millennium. Replacing these legacy systems is a pressing problem of digitalization in Germany. In my project I had to analyze, within a few weeks, a 30-year-old system based on IBM iSeries (AS/400) with RPG code. Surprisingly, ChatGPT knew IBM's RPG reference. With ChatGPT's help I was able to get up to speed quickly and reach a usable working understanding of the system. But where there is light there is also shadow: ChatGPT has no understanding of context, is incomplete and tends to draw wrong conclusions. As a foretaste, here is the power move: after every answer, always ask ChatGPT what it got wrong. You will be surprised!
50 Shades of K8s Autoscaling #JavaLand24.pdf (QAware GmbH)
JavaLand 2024, April 2024, Mario-Leander Reimer
== Please download slides if blurred! ==
Abstract:
Elasticity and unlimited scalability are the holy grail for any cloud-native application. Now you might think: “That’s easy!!! I just run my containers on a Kubernetes cluster and I am done.” But is it really that simple?
Turns out it’s not! Your application as well as your cloud infrastructure and K8s cluster need to address and support these non-functional requirements.
This session will have a detailed and also practical look at the different ways of autoscaling in Kubernetes. We will give an overview of the technical foundations and prerequisites, and then showcase several frameworks and technologies that can be used to flexibly autoscale your cluster and your cloud-native workloads.
Make Agile Great - PM experiences from two virtual international SAFe pr... (QAware GmbH)
GPM regional group Chemnitz (Patrick Albert)
Because of their scope and complexity, larger SAFe programs are demanding to manage and steer even when held in person. Due to COVID-19, however, moving into the virtual space was unavoidable in the practical case described. Management had to ensure that, despite reduced contact, the program goals remained permanently clear and present to all participating teams, and that the functionality implemented in the teams actually served those program goals.
This alignment is particularly important during the regular PI plannings, in which all teams simultaneously plan their upcoming iterations and must also reliably account for cross-team dependencies.
Success factors for the virtual use of SAFe are identified and examined.
Fully-managed Cloud-native Databases: The path to indefinite scale @ CNN Mainz (QAware GmbH)
When it comes to the question: "Where do we actually store our application data?", we are spoilt for choice, especially when it comes to the major cloud providers.
The simple and often completely valid answer is still the classic relational database! It is very suitable for many areas of application, as the technology is tried and tested and can cover a very broad spectrum. It is therefore not surprising that all major cloud providers offer this as a "managed service".
For some years now, however, there have also been so-called cloud-native databases that have been specially developed for the requirements of the cloud. The big promise: "Infinite scalability"
In a large customer project we have been using such a database, Azure CosmosDB, in production for over 4 years. The presentation will deal with the following questions, among others:
What does "scaling up" mean in practice?
What do you have to pay attention to when designing?
What are the actual limits?
What other special features do I get?
When do I need a cloud-native database?
But that's not all! We also look beyond Azure to the other two major cloud providers: AWS and Google Cloud. With DynamoDB and Datastore/Firestore, they have similar products on offer.
Down the Ivory Tower towards Agile Architecture (QAware GmbH)
iSAQB Software Architecture Gathering – Digital 2023, November 2023
Architecture for agile projects must be defined and described differently, as well as continuously developed and evolved. Not all decisions are made at once, nor are they all known right from the start of the project. This session presents various useful and lightweight methods, tools and team topologies that can be applied in (large) agile projects to avoid uncontrolled growth and architectural erosion but without acting from the ivory tower and thus suffocating team autonomy.
"Mixed" Scrum teams – it's all about the right mix! (QAware GmbH)
IT-Tage 2023, Frankfurt am Main (Patrick Albert)
The roles in Scrum, and especially their responsibilities, are quite clearly defined: the Product Owner takes care of the "what", the Scrum Master of the "how", and the Developers of the actual implementation. As long as it is an internal project with a completely internal team, this already answers the central questions. Teams with several parties, for example when service providers are involved, need a more differentiated look. Must the customer necessarily provide the Product Owner, or can this role also sit on the service provider's side? If all Developers are provided by the same service provider, this constellation would certainly shorten some communication paths. However, a Product Owner on the service provider's side certainly does not have the same connections to the product's stakeholders (users, sponsors, ...) as an internal Product Owner; so how could they represent the stakeholders' requirements well in front of the team? Similar questions arise for the Scrum Master and the development team. In most cases each constellation has its own advantages and disadvantages, for the customer as well as for the service provider. The type of project, the circle of stakeholders, the available budget, the time frame and several other factors are also important when deciding on one of these constellations.
This talk examines several of these variants and points out advantages, disadvantages and risks.
Make Developers Fly: Principles for Platform Engineering (QAware GmbH)
Make Developers Fly – Helping developers to build better applications
Cloud Native Night, Mainz, November 2023, Alex Krause
Platform Engineering is the next stage of DevOps and accelerates software developers even more to build applications faster and bring products rapidly to the customers. In this meetup, we show you the key principles of platform engineering, as we experienced them in our projects, and additionally show you a better way to manage your internal software platforms.
PRINCIPLES FOR PLATFORM ENGINEERING, Alex Krause
How do we help our developers to fly instead of crashing miserably? The answer is Platform Engineering, a discipline for building internal developer platforms (IDPs) to simplify software delivery for product teams. In this talk, you'll learn how Platform Engineering evolved from the DevOps movement and what principles and best practices make for a good implementation. Finally, we'll take a look at reference architectures that can support your platform.
The death of the test pyramid? – Frontend testing with Playwright (QAware GmbH)
Codineers Rosenheim Meetup, 2 November 2023 (Dominik Haas, QAware)
Who doesn't know it: slow, unstable and maintenance-heavy frontend tests, and the pain that comes with them.
But a lot has happened here in recent years and months, and Playwright is the promising new star of web automation.
In my talk I will speak about testing frontends and look specifically at Playwright as an exciting tool.
Besides the practical introduction I also want to discuss best practices with you and make an attempt to kill the test pyramid (or at least damage it a little).
You surely know the "law of the instrument": whoever has only a modern frontend framework as a tool solves every problem with a single-page application. That's roughly how it goes, just with hammer and nail, but it describes the current situation in the JavaScript world quite well. Nearly every requirement is answered with a bloated, client-side rendered SPA. But it is slowly time to ask ourselves: is that really all? And the answer is almost certainly "no". This is exactly the topic we devote ourselves to, taking a look at the alternatives, of which there are many.
A small upheaval is currently taking place in the React ecosystem. With server-side rendering, static site generation, server components and frameworks like Next, part of the work is shifting towards the server. The same trend can be observed with Vue, Svelte and Angular. And that is exactly what makes the so-called meta-frameworks. For us as developers this means more flexibility to respond to requirements. You no longer have to transfer the complete source code to the client, you have better caching options, and search engines will thank you too.
This talk gives you an overview of the most important features of meta-frameworks and where and, above all, how they can be used profitably.
Digital Future Congress (DFC) 2023, September 2023, Munich, Andreas Zitzelsberger (Business Unit Director at QAware)
== Please download slides if blurred! ==
Migrating legacy systems to the cloud: with six guardrails it can be done efficiently and securely. New: artificial intelligence can now become a turbo. We use AI in cloud migration and show in this talk what works and what does not.
Migrating highly regulated applications to the cloud: selling your soul ... (QAware GmbH)
MedTech Stars, web conference, September 2023, Josef Adersberger (CEO at QAware)
== Please download slides if blurred! ==
The talk "Migrating highly regulated applications to the cloud: selling your soul to the devil or heaven on earth?" explores the growing need, and the challenges, of migrating medical applications to the cloud.
According to a survey, data protection is the biggest obstacle for 82% of these applications on their way to the cloud. Nevertheless, the pressure to take this step is growing, driven by the need for innovation and digitalization that comes from legal initiatives such as the German Hospital Future Act (Krankenhaus-Zukunftsgesetz), increased patient expectations and the ever clearer medical impact of digitalization.
The central question discussed in this talk is how highly regulated applications can be migrated to the cloud step by step. We present an approach and use exemplary applications to demonstrate how such a migration can be carried out successfully. Finally, we summarize the talk with five guiding principles that should be observed when migrating highly regulated applications to the cloud. These principles offer a useful guide for companies and institutions considering moving their applications to the cloud, and are intended to help master the challenges of cloud migration in this highly regulated area.
Blue turns green! Approaches and technologies for sustainable Kubernetes clusters (QAware GmbH)
SAA 2023 | Software Architecture Alliance, September 2023, Munich, Mario-Leander Reimer (@LeanderReimer, CTO at QAware)
== Please download slides if blurred! ==
The cloud already has a larger CO2 footprint than the aviation industry; with increasing digitalization and cloudification this trend will continue if we do nothing about it. Many Kubernetes-based installations are heavily oversized relative to the resources actually needed and thus contribute unnecessarily to global warming. What does the energy balance of your cluster and workloads look like?
In this talk we show approaches and technologies that help make K8s clusters green(er). First, transparency is needed: what is the energy balance of the cluster and its workloads? Only then can they be specifically optimized for energy efficiency. And that is not so hard, so let's get to it!
Finally good API tests. Boldly Testing APIs Where No One Has Tested Before. (QAware GmbH)
SAA 2023 | Software Architecture Alliance, September 2023, Munich, Ildikó Tárkányi (Senior Software Engineer at QAware)
== Please download slides if blurred! ==
The dream of the infinite expanse of data is quickly over if we do not have our APIs under control. It does not matter whether we look at APIs between our services, between frontend and backend, or to external systems: APIs are a fundamental part of our software architecture, and nothing works without test automation.
Badly written integration tests with made-up test cases for our APIs can be really annoying: we call the APIs and hope that exactly what we expect comes back.
It can be done differently: we take a look at other testing approaches, assess which aspects each of them tests, and look for example at:
• Contract-based testing
• Black-box testing of the OpenAPI specs
• Trace-based testing
Kubernetes with Cilium in AWS - Experience Report! (QAware GmbH)
Cloud Native Night, Munich, September 2023, Bernhard Schaidhammer
=== Please download slides if blurred! ===
Cilium is a powerful tool for network policies and also for encryption between the Kubernetes nodes. Cilium hooks deep into the Kubernetes network stack as a plugin and can even replace the AWS CNI plugin. This talk will share our project experiences.
Topics involve:
- Network Policies
- Encryption
- Hubble (Observability)
- Installation
- CLI Usage (Hubble / Cilium)
Container Days 2023, September 2023, Hamburg, Mario-Leander Reimer (@LeanderReimer, CTO @QAware).
== Please download slides if blurred! ==
Elasticity and unlimited scalability are the holy grail for any cloud-native application. Now you might think: “That’s easy!!! I just run my containers on a Kubernetes cluster and I am done.” But is it really that simple?
Turns out it’s not! Your application as well as your cloud infrastructure and K8s cluster need to address and support these non-functional requirements.
This session will have a detailed and also practical look at the different ways of autoscaling in Kubernetes. We will give an overview of the technical foundations and prerequisites, and then showcase several frameworks and technologies that can be used to flexibly autoscale your cluster and your cloud-native workloads.
Continuous security tests for APIs with Testkube and OWASP ZAP (QAware GmbH)
Heise DevSec 2023, September 2023, Karlsruhe, Mario-Leander Reimer (@LeanderReimer, CTO @QAware).
== Please download slides if blurred! ==
Continuous delivery is everywhere. Really? Many teams still stumble when it comes to regularly delivering well-tested and, above all, secure software. Always with the same good old excuse: the non-functional tests are too laborious and too expensive to implement. But the opposite is the case!
In this talk we briefly cover the current threats and the importance of early and regular security testing of APIs. We then show how easy it is to run these tests continuously and asynchronously with OWASP ZAP and Testkube against REST and GraphQL APIs directly on a Kubernetes cluster, whenever the API and the service change.
Service Mesh Pain & Gain. Experiences from a client project. (QAware GmbH)
Cloud Native Night, Mainz, September 2023, Markus Zimmermann
=== Please download slides if blurred! ===
The topic of service mesh is still present at every major DevOps conference and is the subject of controversial discussions.
A service mesh comes with the promise of implementing cross-functional requirements of microservices such as observability or secure communication without changes within the services. The operational effort and the integration of the services within the service mesh should also be problem-free.
But do the common service mesh implementations keep these promises? In a client project we have gained experience with Linkerd and can say: we did not achieve the benefits without pain. We want to share these experiences and what you can take away for your next project!
WeAreDevelopers World Congress 2023, July 2023, Mario-Leander Reimer
=== Please download slides if blurred! ===
Elasticity and unlimited scalability are the holy grail for any cloud-native application. Now you might think: “That’s easy!!! I just run my containers on a Kubernetes cluster and I am done.” But is it really that simple?
Turns out it’s not! Your application as well as your cloud infrastructure and K8s cluster need to address and support these non-functional requirements.
This session will have a detailed and also practical look at the different ways of autoscaling in Kubernetes.
We will give an overview of the technical foundations and prerequisites, and then showcase several frameworks and technologies that can be used to flexibly autoscale your cluster and your cloud-native workloads.
Blue turns green! Approaches and technologies for sustainable K8s clusters. (QAware GmbH)
Kubernetes Community Days Munich 2023, July 2023, Mario-Leander Reimer
The cloud already has a larger CO2 footprint than the worldwide aviation industry. With increasing digitalization and cloudification this trend will continue if we don't do anything about it. Many Kubernetes installations are greatly oversized in terms of the resources actually required and thus contribute unnecessarily to global warming. What is the energy balance of your cluster and its workloads?
In this session we will discuss approaches and technologies that help to make K8s clusters green(er). First of all, transparency is needed: what is the energy balance of the cluster and its workloads? Only then we can start to optimize for better energy efficiency. And it's not that difficult, so let's get started!
Hitchhiking to Cloud Native API Gateways (QAware GmbH)
Mastering Kubernetes 2023, July 2023, Sonja Wegner
Good APIs are the heart of successful digital products and cloud-native applications. But badly managed APIs quickly become a nightmare. To avoid a rude awakening, we rely on API gateways: they are established and well known and help us manage APIs. Among other things, they handle traffic management, rollout scenarios, versioning, access control and diagnosability.
In this talk we take a closer look at the cloud-native API gateway ecosystem: Gloo, KrakenD, Kong, Envoy et al. But which of them is the right one for the next project? Let's find out!
Empowering the Data Analytics Ecosystem: A Laser Focus on Value
The data analytics ecosystem thrives when every component functions at its peak, unlocking the true potential of data. Here's a laser focus on key areas for an empowered ecosystem:
1. Democratize Access, Not Data:
Granular Access Controls: Provide users with self-service tools tailored to their specific needs, preventing data overload and misuse.
Data Catalogs: Implement robust data catalogs for easy discovery and understanding of available data sources.
2. Foster Collaboration with Clear Roles:
Data Mesh Architecture: Break down data silos by creating a distributed data ownership model with clear ownership and responsibilities.
Collaborative Workspaces: Utilize interactive platforms where data scientists, analysts, and domain experts can work seamlessly together.
3. Leverage Advanced Analytics Strategically:
AI-powered Automation: Automate repetitive tasks like data cleaning and feature engineering, freeing up data talent for higher-level analysis.
Right-Tool Selection: Strategically choose the most effective advanced analytics techniques (e.g., AI, ML) based on specific business problems.
4. Prioritize Data Quality with Automation:
Automated Data Validation: Implement automated data quality checks to identify and rectify errors at the source, minimizing downstream issues.
Data Lineage Tracking: Track the flow of data throughout the ecosystem, ensuring transparency and facilitating root cause analysis for errors.
5. Cultivate a Data-Driven Mindset:
Metrics-Driven Performance Management: Align KPIs and performance metrics with data-driven insights to ensure actionable decision making.
Data Storytelling Workshops: Equip stakeholders with the skills to translate complex data findings into compelling narratives that drive action.
Benefits of a Precise Ecosystem:
Sharpened Focus: Precise access and clear roles ensure everyone works with the most relevant data, maximizing efficiency.
Actionable Insights: Strategic analytics and automated quality checks lead to more reliable and actionable data insights.
Continuous Improvement: Data-driven performance management fosters a culture of learning and continuous improvement.
Sustainable Growth: Empowered by data, organizations can make informed decisions to drive sustainable growth and innovation.
By focusing on these precise actions, organizations can create an empowered data analytics ecosystem that delivers real value by driving data-driven decisions and maximizing the return on their data investment.
As Europe's leading economic powerhouse and the fourth-largest economy globally, Germany stands at the forefront of innovation and industrial might. Renowned for its precision engineering and high-tech sectors, Germany's economic structure is heavily supported by a robust service industry, accounting for approximately 68% of its GDP. This economic clout and strategic geopolitical stance position Germany as a focal point in the global cyber threat landscape.
In the face of escalating global tensions, particularly those emanating from geopolitical disputes with nations like Russia and China, Germany has witnessed a significant uptick in targeted cyber operations. Our analysis indicates a marked increase in cyberattack sophistication aimed at critical infrastructure and key industrial sectors. These attacks range from ransomware campaigns to Advanced Persistent Threats (APTs), threatening national security and business integrity.
🔑 Key findings include:
🔍 Increased frequency and complexity of cyber threats.
🔍 Escalation of state-sponsored and criminally motivated cyber operations.
🔍 Active dark web exchanges of malicious tools and tactics.
Our comprehensive report delves into these challenges, using a blend of open-source and proprietary data collection techniques. By monitoring activity on critical networks and analyzing attack patterns, our team provides a detailed overview of the threats facing German entities.
This report aims to equip stakeholders across public and private sectors with the knowledge to enhance their defensive strategies, reduce exposure to cyber risks, and reinforce Germany's resilience against cyber threats.
Opendatabay - Open Data Marketplace.pptx, by Opendatabay
Opendatabay.com unlocks the power of data for everyone. Open Data Marketplace fosters a collaborative hub for data enthusiasts to explore, share, and contribute to a vast collection of datasets.
First ever open hub for data enthusiasts to collaborate and innovate: a platform to explore, share, and contribute to a vast collection of datasets. Through robust quality control and technologies like blockchain verification, Opendatabay aims to ensure the authenticity and reliability of datasets, empowering users to make data-driven decisions with confidence. It leverages AI technologies to enhance the data exploration, analysis, and discovery experience.
From intelligent search and recommendations to automated data productisation and quotation, Opendatabay's AI-driven features streamline the data workflow. Finding the data you need shouldn't be complex. Opendatabay simplifies the data acquisition process with an intuitive interface and robust search tools. Effortlessly explore, discover, and access the data you need, allowing you to focus on extracting valuable insights. Opendatabay also offers dedicated, AI-generated synthetic datasets.
Leverage these privacy-preserving datasets for training and testing AI models without exposing sensitive information. Opendatabay prioritizes transparency by providing detailed metadata, provenance information, and usage guidelines for each dataset, ensuring users have a comprehensive understanding of the data they're working with. By combining distributed ledger technology with third-party audits, Opendatabay ensures the authenticity and reliability of every dataset. Security is at the core of Opendatabay: the marketplace implements security measures including encryption, access controls, and regular vulnerability assessments to safeguard your data and protect your privacy.
3. Policy
@alex0ptr
"Users should only access data of their own teams/projects."
// TODO
Compliance
"Security First. Least Privilege, where possible."
Governance
4. May this action be allowed?
Who or what can perform a certain action?
Are there violations?
5. Infrastructure: Machines, Network, DNS, RDBMS, Storage
Application Platform: Container Orchestration, Container Images, CD-Pipeline
Applications: User Management, Configuration, HTTP APIs + UIs
Code: Continuous Integration, Code Artifacts, Version Control
Logs, Secret Store, API Gateways, Metrics, Backups
💫 Life of the YAML-Engineer
7. The Problems ✔
(1) Many components, which (2) use different concepts, protocols, and configuration languages, with (3) strong coupling to the concrete implementation.
10. Open Policy Agent
"Policy-based control for cloud native environments"
‣ Policy Engine
‣ universal
‣ lightweight
‣ de-coupled
‣ easy to integrate
11. OPA: Rego
"Use Rego for defining policy that is easy to read and write."
‣ inherits from Datalog
‣ declarative, logic-based
‣ made for policies
‣ and for structured data
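The slide-3 policy ("users should only access data of their own teams/projects") and the three slide-4 questions (may this action be allowed, who can perform it, are there violations) map onto three Rego rules. The following policy is an added example written for this page, not code from the talk or the OPA project; the package name `dataaccess`, the `teams`/`datasets` layout and the sample users and datasets are assumptions, and in a real deployment that data would be loaded as `data` or pushed through OPA's bundle API rather than hard-coded.

```rego
# Added example (not from the talk): one Rego package answering
#   1. May this action be allowed?          -> allow
#   2. Who can perform a certain action?    -> permitted_users
#   3. Are there violations?                -> violations
# Package name, data layout and sample data are assumptions.
package dataaccess

import rego.v1

# Constructed sample data: team membership per user (sets of team names).
teams := {
    "alice": {"payments", "platform"},
    "bob": {"platform"},
    "carol": {"analytics"},
}

# Constructed sample data: which team owns which dataset.
datasets := {
    "payments-ledger": "payments",
    "cluster-metrics": "platform",
    "churn-model": "analytics",
}

# Fail closed: anything not explicitly allowed is denied.
default allow := false

# 1. Decision for a single request, e.g.
#    input = {"user": "alice", "action": "read", "dataset": "payments-ledger"}
# Unknown users or datasets leave the lookups undefined, so allow stays false.
allow if {
    input.action in {"read", "write"}
    owner := datasets[input.dataset]
    owner in teams[input.user]
}

# 2. Set of users who may access input.dataset, derived from the same data.
permitted_users contains user if {
    some user, user_teams in teams
    datasets[input.dataset] in user_teams
}

# 3. Audit mode: input.accesses is a list of observed accesses
#    [{"user": "bob", "dataset": "payments-ledger"}, ...]; every access the
#    policy would not have allowed becomes a violation message.
violations contains msg if {
    some access in input.accesses
    not member_of_owner(access)
    owner := object.get(datasets, access.dataset, "<unregistered>")
    msg := sprintf("%s accessed %s (owner: %s) without being a member",
        [access.user, access.dataset, owner])
}

# True only if the user belongs to the dataset's owning team; undefined
# (hence "not" succeeds) for unknown users or unregistered datasets.
member_of_owner(access) if {
    datasets[access.dataset] in teams[access.user]
}
```

Evaluate it locally with `opa eval -i input.json -d policy.rego "data.dataaccess.allow"` (or `data.dataaccess.violations` with an `accesses` list in the input); the same package can be served from OPA's HTTP API so that every component on slide 5 asks one engine the same question instead of carrying its own access rules.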
20. Conftest 🎉
"Write tests against structured configuration data […]"
‣ CLI wrapper for OPA
‣ shift-left for policies
‣ YAML/JSON, HCL (1 and 2), INI, TOML, Dockerfile
‣ go-getter support
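A Conftest policy is plain Rego in package `main` whose `deny` and `warn` rules are run against each parsed configuration document. The policy below is an added example for this page, not code from the talk or the Conftest project; it checks Kubernetes Deployment manifests for unpinned images, root containers and missing resource limits, and the field names it inspects are the standard Kubernetes ones, while the exact rule set is an assumption about what a team would want to enforce.

```rego
# Added example (not from the talk or Conftest): shift-left checks on a
# Kubernetes Deployment manifest. Conftest reads policies from ./policy by
# default and evaluates package main's deny/warn rules per YAML document.
package main

import rego.v1

is_deployment if input.kind == "Deployment"

containers contains c if {
    is_deployment
    some c in input.spec.template.spec.containers
}

# Images must be pinned: a digest, or a tag other than "latest".
# The registry may carry a port (registry:5000/app), so look only at the
# last path segment before splitting on ":".
pinned(image) if contains(image, "@sha256:")

pinned(image) if {
    segments := split(image, "/")
    last := segments[count(segments) - 1]
    parts := split(last, ":")
    count(parts) == 2
    parts[1] != "latest"
}

deny contains msg if {
    some c in containers
    not pinned(c.image)
    msg := sprintf("container %q uses unpinned image %q", [c.name, c.image])
}

# Containers must declare runAsNonRoot: true; "not ... == true" also fires
# when the securityContext or the field is missing entirely.
deny contains msg if {
    some c in containers
    not c.securityContext.runAsNonRoot == true
    msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

# Privilege escalation must be explicitly disabled (missing counts as a failure).
deny contains msg if {
    some c in containers
    not c.securityContext.allowPrivilegeEscalation == false
    msg := sprintf("container %q must set securityContext.allowPrivilegeEscalation: false", [c.name])
}

# Missing limits are reported as a warning rather than a hard failure.
warn contains msg if {
    some c in containers
    not c.resources.limits
    msg := sprintf("container %q has no resource limits", [c.name])
}
```

Save it as `policy/deployment.rego` and run `conftest test deployment.yaml`: a constructed manifest with `image: nginx:latest` and no `securityContext` produces three `deny` failures and a non-zero exit code, which is what lets the check sit in the CI stage before the artifact ever reaches the cluster admission step that OPA itself would otherwise enforce.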