This document discusses securing Docker image registries for production use. It covers authentication, authorization, and audit logging. For authentication, it describes using passwords, certificates, or other methods to identify users. Authorization controls what actions users can take. Audit logging records activity for security and troubleshooting. The document demonstrates these concepts using Docker Registry and an authentication server, and shows how Kubernetes can integrate with authentication as well.
3. Image Registry Security
November 16, 2016
Why do we need registry security?
Malicious changes
Inadvertent changes
Developer pushes to production image
Production team A pushes to Production team B image
Naming standards
hub.example.com/databese:1.0
hub.example.com/my_quick_hack:0.1
6. Why Authentication?
Hard to do authorization without authentication
Makes audit logs more useful
Image X pushed Oct 31, 2016
Image X pushed by Jane Doe Oct 31, 2016
7. Authentication Choices
Lots of choices
Password
SSL cert
Kerberos
Fingerprint
Physical token
Many organizations often have unusual or custom authentication needs
8. Image Registry Choices
Docker Registry (open source)
Docker Trusted Registry
CoreOS Quay Enterprise
JFrog Artifactory
Notable for allowing you to front it with Apache httpd or nginx for authentication
You can use any authentication scheme supported by httpd or nginx
9. Docker Registry
Proprietary and Confidential – Not for Redistribution
Image from https://docs.docker.com/registry/spec/auth/token/
Registry redirects daemon to auth service
Daemon authenticates to auth service with password or OAuth2 token, gets a bearer token
Daemon uses bearer token to authenticate to registry
Registry trusts bearer tokens from auth service based on public/private key pair that you configure
11. Auth Service Choices
https://github.com/docker/distribution/tree/master/contrib/token-server
https://github.com/cesanta/docker_auth
https://github.com/opendns/registry-oauth-server
https://github.com/SUSE/Portus
GitLab Container Registry
12. Authentication Demo
Demonstrate authentication with Docker Registry, Docker Engine (Client/Daemon), and https://github.com/opendns/registry-oauth-server
13. Docker Client and Registry Authentication
Docker daemon asks Docker client for username, password to authenticate to registry auth server
https://docs.docker.com/engine/reference/commandline/login/
docker login
Password stored, unencrypted, in $HOME/.docker/config.json
Credentials store
Configured in config.json: {"credsStore": "mycredstore"}
Docker runs docker-credential-mycredstore
Must be in your PATH
Can be abused to fetch a password on the fly
14. Credentials Store Demo
Demonstrate using a credentials store to fetch a password
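The credentials-store hook above is the alternative to leaving a plaintext password in config.json. The following is an added example, not the talk's demo code and not code from Docker or docker-credential-helpers: a minimal `docker-credential-mycredstore` helper in Python that speaks the protocol Docker uses with such helpers. Docker runs the helper with one of `get`, `store` or `erase` as its only argument and passes the registry address (or, for `store`, a JSON record) on stdin. The helper name `mycredstore`, the `DEMO_SECRETS` table and the `hub.example.com` registry are constructed for the example; a real helper would fetch the secret from a keychain or a short-lived token source on every `get`, which is the "fetch a password on the fly" behaviour the slide mentions.

```python
import json
import sys

# Constructed secret source for the example. In a real helper this lookup is
# where you talk to a keychain, a vault or a token service, so nothing is
# persisted on disk by Docker itself.
DEMO_SECRETS = {
    "hub.example.com": ("jane", "example-password"),
}


def lookup_credential(server, secrets=DEMO_SECRETS):
    """Return (username, secret) for the registry address Docker passed, or None."""
    return secrets.get(server.strip().rstrip("/"))


def handle(command, stdin_text, secrets=DEMO_SECRETS):
    """One invocation of the docker-credential-<name> protocol.

    get   : stdin is the registry address; stdout is JSON with
            ServerURL, Username and Secret
    store : stdin is that same JSON (written by `docker login`)
    erase : stdin is the registry address (written by `docker logout`)
    Returns (exit_code, output_text).
    """
    payload = stdin_text.strip()
    if command == "get":
        cred = lookup_credential(payload, secrets)
        if cred is None:
            # docker-credential-helpers uses this exact message for "no such
            # entry"; the Docker client treats it as "not logged in", not as a crash.
            return 1, "credentials not found in native keychain\n"
        username, secret = cred
        record = {"ServerURL": payload, "Username": username, "Secret": secret}
        return 0, json.dumps(record) + "\n"
    if command == "store":
        # A fetch-only helper accepts the call but keeps nothing: the secret
        # source is authoritative, and no unencrypted copy lands in config.json.
        return 0, ""
    if command == "erase":
        return 0, ""
    return 1, "unknown command: %s\n" % command


def main():
    if len(sys.argv) != 2:
        sys.stderr.write("usage: docker-credential-mycredstore get|store|erase\n")
        return 1
    code, out = handle(sys.argv[1], sys.stdin.read())
    (sys.stdout if code == 0 else sys.stderr).write(out)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Install the script as `docker-credential-mycredstore` on the daemon user's PATH and set `{"credsStore": "mycredstore"}` in config.json; `docker login` then calls `store`, and every push or pull calls `get`, so the password is looked up at use time and never written to disk.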
16. Docker Registry
Image from https://docs.docker.com/registry/spec/auth/token/
17. Docker Registry Authorization
Redirect from registry to auth service includes info about requested operation:
Actions: push, pull, *
Auth server lists allowed actions in the token it returns
WWW-Authenticate: Bearer
realm="https://auth.example.com/token",
service="registry.example.com",
scope="repository:samalba/my-app:pull,push"
18. Authorization Demo
Demonstrate allowing or blocking actions based on the scope parameter sent to the auth server
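The token flow on slide 9, the scope challenge on slide 17 and the authorization demo on slide 18 come down to one decision inside the auth service: parse the scope the registry put in its WWW-Authenticate challenge, intersect the requested actions with what the user is allowed, and sign a short-lived token whose `access` claim lists the result. The following is an added Python example, not code from the talk's demo repository, from opendns/registry-oauth-server or from Docker, implementing that decision together with both sides of the token. Assumptions: the `ACL` table and the users `jane` and `bob` are constructed; the token is signed with HMAC-SHA256 using a shared key purely as a stand-in for the RS256/ES256 signature a real registry verifies against the public key configured in its `auth.token` section, so the claims layout (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`, `access`) is the one the registry expects but the signature algorithm is not.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed ACL for this example: repository -> user -> allowed actions.
# The "*" user is the anonymous fallback; "*" as an action grants everything.
ACL = {
    "samalba/my-app": {"jane": {"pull", "push"}, "bob": {"pull"}},
    "public/base": {"*": {"pull"}},
}
ALL_ACTIONS = {"pull", "push", "delete"}


def parse_scope(scope):
    """Parse one scope value such as 'repository:samalba/my-app:pull,push'.

    The form is type:name:actions. The name may itself contain ':' (a registry
    host with a port), so take the type from the left and the actions from the right.
    """
    kind, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    return kind, name, [a for a in actions.split(",") if a]


def allowed_actions(user, repository, acl=ACL):
    """Actions the ACL grants this user on this repository (empty set if none)."""
    rules = acl.get(repository, {})
    granted = set(rules.get(user, ())) | set(rules.get("*", ()))
    return set(ALL_ACTIONS) if "*" in granted else granted


def authorize(user, scopes, acl=ACL):
    """Build the token's 'access' list: what was requested AND is allowed.

    An entry with an empty action list is still returned; the registry then
    refuses the operation itself, so the policy decision lives in one place.
    """
    access = []
    for scope in scopes:
        kind, name, requested = parse_scope(scope)
        if kind != "repository":
            continue  # only repository scopes are modelled in this example
        wanted = set(ALL_ACTIONS) if "*" in requested else set(requested)
        granted = sorted(wanted & allowed_actions(user, name, acl))
        access.append({"type": kind, "name": name, "actions": granted})
    return access


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, scopes, service, issuer, key, acl=ACL, now=None, ttl=300):
    """Auth-service side: sign a short-lived bearer token carrying the access list.

    Stand-in signature: HMAC-SHA256 with a shared key keeps the example
    standard-library only. A real registry verifies RS256/ES256 against the
    public key in its auth.token configuration; the claims are laid out the same way.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "iss": issuer, "sub": user, "aud": service,
        "exp": now + ttl, "nbf": now, "iat": now, "jti": str(uuid.uuid4()),
        "access": authorize(user, scopes, acl),
    }
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = "%s.%s" % (
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, key, now=None):
    """Registry side: return the claims only if the signature and validity window hold."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), parts[2]):
        return None
    claims = json.loads(_b64url_decode(parts[1]))
    if not (claims["nbf"] <= now < claims["exp"]):
        return None
    return claims
```

Feeding the scope from slide 17 through `authorize("bob", ["repository:samalba/my-app:pull,push"])` yields only `pull`, which is exactly the "blocking actions based on the scope parameter" case the demo shows: the daemon still gets a token, but the registry refuses the push because the token does not list it.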
20. Why Audit Logging?
Who pushed the last change to image A?
When was image B last changed?
21. Docker Registry Audit Logging
Registry server logs: docker logs registry
Registry notifications
https://docs.docker.com/registry/notifications/
Webhook notifications to external service
Registry sends JSON blob of details
You can extract the interesting bits and save them
22. Audit Logging Demo
Demonstrate configuring the registry to send notifications to our server
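For the webhook notifications on slide 21, the following is an added Python example, not the talk's demo server and not Docker code: a receiver that keeps the interesting bits of each event and answers the two questions on slide 20. The envelope field names follow the notifications documentation linked above; the events, digests, addresses and user names in `SAMPLE_BODY` are constructed. It assumes the registry's notification endpoint was configured with an `Authorization` header under `headers:` so that only the registry can append to the audit log; `EXPECTED_TOKEN`, the log file name and the listening port are placeholders. The `actor.name` field is filled from the authenticated user, which is why slide 6's "pushed by Jane Doe" line only exists once authentication is in place.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: the body of one registry notification POST. Field names
# follow https://docs.docker.com/registry/notifications/; every value is invented.
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"
SAMPLE_BODY = json.dumps({"events": [
    {"id": "evt-1", "timestamp": "2016-10-31T14:01:50Z", "action": "push",
     "target": {"mediaType": "application/octet-stream", "digest": DIGEST_B,
                "repository": "team-a/app"},
     "request": {"addr": "10.0.0.5:51234", "method": "PUT"}, "actor": {"name": "jane"}},
    {"id": "evt-2", "timestamp": "2016-10-31T14:02:11Z", "action": "push",
     "target": {"mediaType": MANIFEST, "digest": DIGEST_A,
                "repository": "team-a/app", "tag": "1.0"},
     "request": {"addr": "10.0.0.5:51234", "method": "PUT"}, "actor": {"name": "jane"}},
    {"id": "evt-3", "timestamp": "2016-10-31T15:00:00Z", "action": "pull",
     "target": {"mediaType": MANIFEST, "digest": DIGEST_A,
                "repository": "team-a/app", "tag": "1.0"},
     "request": {"addr": "10.0.0.9:40000", "method": "GET"}, "actor": {"name": "bob"}},
    {"id": "evt-4", "timestamp": "2016-10-31T16:30:00Z", "action": "push",
     "target": {"mediaType": MANIFEST, "digest": DIGEST_B,
                "repository": "team-b/app", "tag": "2.1"},
     "request": {"addr": "10.0.0.7:52000", "method": "PUT"}, "actor": {"name": "bob"}},
]})


def extract_audit_records(body):
    """Keep who/what/when for each manifest event; drop layer-blob uploads."""
    records = []
    for ev in json.loads(body).get("events", []):
        target = ev.get("target", {})
        if "manifest" not in target.get("mediaType", ""):
            continue  # blob events say nothing about which image changed
        records.append({
            "time": ev["timestamp"],        # RFC 3339 UTC, so string order is time order
            "actor": ev.get("actor", {}).get("name") or "<anonymous>",
            "action": ev["action"],         # push or pull
            "repository": target["repository"],
            "tag": target.get("tag", ""),   # absent on digest-addressed requests
            "digest": target["digest"],
            "client": ev.get("request", {}).get("addr", ""),
        })
    return records


def last_change(records, repository):
    """Who pushed the last change to this image, when, and under which tag?"""
    pushes = [r for r in records if r["repository"] == repository and r["action"] == "push"]
    if not pushes:
        return None
    latest = max(pushes, key=lambda r: r["time"])
    return latest["time"], latest["actor"], latest["tag"]


# Placeholders: match the Authorization header you set under headers: for this
# endpoint in the registry's notifications configuration.
EXPECTED_TOKEN = "replace-me"
AUDIT_LOG = "registry-audit.jsonl"


class NotificationReceiver(BaseHTTPRequestHandler):
    """Webhook endpoint the registry posts to; appends one JSON line per record."""

    def do_POST(self):
        # Without this check anyone who can reach the port can forge audit entries.
        if self.headers.get("Authorization") != "Bearer " + EXPECTED_TOKEN:
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        records = extract_audit_records(self.rfile.read(length))
        with open(AUDIT_LOG, "a") as fh:
            for rec in records:
                fh.write(json.dumps(rec) + "\n")
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), NotificationReceiver).serve_forever()
```

The registry retries an endpoint that does not answer 2xx, so returning 401 on a bad header also surfaces a misconfigured secret quickly in `docker logs registry`.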
23. Kubernetes and Registry Authentication
http://kubernetes.io/docs/user-guide/images/
kubelet acts as Docker client for pulling images
So, same choices as previously mentioned for the Docker client:
docker login, password in /root/.docker/config.json
credential manager, configured in config.json
Or user can provide their own image registry "password" as image pull secret in their pod manifest
kubelet creates a one-off config.json in this case
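For the third option on slide 23, the following added Python example (not the talk's demo code and not Kubernetes project code) builds the `kubernetes.io/dockerconfigjson` Secret, the pod manifest that references it through `imagePullSecrets`, and a small inspector for an existing secret. Secret and pod names, the registry hostname, the user and the password are all constructed. The `.dockerconfigjson` payload is the same `auths` layout that `docker login` writes, only base64-encoded, which is what lets the kubelet turn it into the one-off config.json the slide describes.

```python
import base64
import json


def docker_config_json(registry, username, password):
    """config.json content for one registry: the layout `docker login` writes.

    The auth field is base64(username:password); the password is therefore
    recoverable by anyone who can read the secret, so keep secret access tight.
    """
    auth = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return json.dumps({"auths": {registry: {"username": username,
                                            "password": password,
                                            "auth": auth}}})


def image_pull_secret(name, namespace, registry, username, password):
    """Secret manifest (as a dict) of type kubernetes.io/dockerconfigjson."""
    cfg = docker_config_json(registry, username, password)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def pod_using_secret(pod_name, image, secret_name):
    """Pod manifest that hands the secret to the kubelet via imagePullSecrets."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": pod_name},
        "spec": {
            "containers": [{"name": pod_name, "image": image}],
            "imagePullSecrets": [{"name": secret_name}],
        },
    }


def registries_in_secret(secret):
    """Which registries an existing secret holds credentials for, and as which user.

    Handy when reviewing a namespace for stale or over-broad pull secrets.
    """
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    auths = json.loads(raw)["auths"]
    return {reg: entry.get("username") for reg, entry in auths.items()}


if __name__ == "__main__":
    secret = image_pull_secret("hub-creds", "team-a", "hub.example.com",
                               "svc-team-a", "example-password")
    print(json.dumps(secret, indent=2))
    print(json.dumps(pod_using_secret("app", "hub.example.com/team-a/app:1.0",
                                      "hub-creds"), indent=2))
```

Pipe the printed manifests into `kubectl apply -f -`; the credential then lives in the API server rather than in `/root/.docker/config.json` on every node, and a per-team service user (as in the example) keeps the audit trail from slide 20 meaningful.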
24. The End
Me:
@jason_heiss
This talk: slides and demo code
https://github.com/twosigma/docker-repo-auth-demo
Work:
Two Sigma Investments
https://www.twosigma.com/
We’re hiring!