This document discusses Kubernetes application lifecycle management with a focus on patch management. It begins with a reminder about Docker concepts like namespaces, containers, images and layers. It then provides a brief introduction to Kubernetes, discussing pods, services, deployments and replicasets. The document notes that failures can be quickly fixed during development, but patches are less frequent for production applications. It discusses tools for scanning for Common Vulnerabilities and Exposures (CVEs) and automating updates. Finally, it mentions some difficulties encountered with patching and proposed organizational solutions.
DevSecOps: Bringing security to the DevOps pipeline - Aarno Aukia
How to continuously improve security in software development and software operations by proactive collaboration, robust processes and readily available tooling to make sure the "paved path" (the path of least resistance) for developers is the correct/secure/supported path.
Talk held at the Security Chat on Mar 25th 2019 in Zürich, Switzerland
Presentation materials from the webinar I did on 29 April 2020 as part of the Azure Apps Webinar Series. Sharing from our own software development team’s experience, I talked about how to improve and optimize the developer’s experience working in Kubernetes/AKS.
Kubernetes (K8s) is a powerful, flexible and portable open source framework for distributed containerized applications delivery and management. An important part of the services provided by most Kubernetes clusters is the containers’ networking stack. In most cases and for many applications it “just works”, but this seeming simplicity is backed by a complex stack of technologies that provide many capabilities beyond the basics.
This presentation accompanies the meetup and webinar where Oleg Chunikhin, CTO at Kublr, shows how Kubernetes networking stack works, describes main components, interfaces and extensibility options.
What is covered:
- general notions of Kubernetes networking - Pods and Network Policies
- implementation of Kubernetes networking - CNI, CNI plugins, and Linux network namespaces
- some Kubernetes CNI providers: Calico, Weave, Flannel, and Canal
- K8S networking extensibility for advanced and “exotic” use-cases with Multus CNI plugin as an example
DCEU 18: Docker Enterprise Platform and Architecture - Docker, Inc.
Jean Rouge - Sr. Software Engineer, Docker
David Yu - Product Manager, Docker
Docker Enterprise is an enterprise container platform for developers and IT admins building and managing container applications. The platform includes integrated orchestration (Swarm and Kubernetes), an advanced private image registry, and a centralized admin console to secure, troubleshoot, and manage containerized applications. This talk will focus on the Docker Enterprise platform's technical architecture, key features and the use cases it is designed to support. Key areas covered in this session:
- Latest features and enhancements
- Security and Compliance - how to ensure oversight and validate applications for different compliance regulations
- Operational Insight - how to identify and troubleshoot issues in your container environment
- Integrated Technology - the technologies that are supported and can be run with Docker Enterprise
- Policy-based Automation - how to scale container environments through automated policies
An application's path to production does not end with a deployment, even if you are using Kubernetes (K8s) as your application deployment platform. A reliable BCDR (backup and disaster recovery) plan and framework is a must for any production-ready system.
This presentation accompanies meetups and webinars in which Oleg Chunikhin, CTO at Kublr, shows how the Velero BCDR framework works and demonstrates how it can be used to back up and recover realistic applications running on Kubernetes in different clouds and environments.
What is covered:
- general notions of Kubernetes applications BCDR
- Velero BCDR framework
- demo Velero BCDR for stateful applications running on AWS and Azure clouds
- demo Velero BCDR using Strimzi / Kafka cluster and ArgoCD CI/CD manager as example application
DCSF 19: Building Your Development Pipeline - Docker, Inc.
Oliver Pomeroy, Docker & Laura Tacho, Cloudbees
Enterprises often want to provide automation and standardisation on top of their container platform, using a pipeline to build and deploy their containerized applications. However, this opens up new challenges: Do I have to build a new CI/CD stack? Can I build my CI/CD pipeline with Kubernetes orchestration? What should my build agents look like? How do I integrate my pipeline into my enterprise container registry? In this session full of examples and how-tos, Olly and Laura will guide you through common situations and decisions related to your pipelines. We'll cover building minimal images, scanning and signing images, and give examples of how to enforce compliance standards and best practices across your teams.
Slides from the talk given to the Startup Berlin Slack Group that demonstrates how TruckIN is implementing its continuous delivery workflow using technologies and open-source tools.
Topics that are covered: Automated Cloud Provisioning (Network, Subnets, VMs, Kubernetes Cluster, Firewall, Disks, Credentials, Private Docker Registry); Configuration Management (Salt Stack), Continuous Integration (Jenkins CI), Continuous Delivery/Deployment (Salt API/Reactor + Kubernetes) to a Google Cloud Kubernetes Cluster, Remote Application Debugging, Managing Google Cloud Kubernetes Cluster, Logging, Monitoring and ChatOps (Slack and operable.io)
Bitnami, Deis, Google and the Kubernetes community have been working on developing Helm, a tool for streamlining the deployment of containerized applications on Kubernetes. Bitnami currently offers a set of Helm packages, known as charts, to make it easy to deploy your favorite open source applications on Kubernetes with a single command. Join our webinar to learn how to quickly get started with Helm:
In this webinar you will learn:
- How to deploy Kubernetes-native applications
- How to manage the lifecycle of applications on Kubernetes using Helm
- The benefits of using Bitnami Helm Charts
- The best practices we've learned while creating and configuring Bitnami Helm charts
- How to get started with Bitnami Helm Charts
DCEU 18: Desigual Transforms the In-Store Experience with Docker Enterprise C... - Docker, Inc.
Mathias Kriegel - IT Operations, Desigual
Joan Anton Sances - Software Architect, Desigual
Desigual, a $1-billion fashion retailer headquartered in Barcelona, operates over 500 stores worldwide. The company is on a digital transformation journey touching every aspect of the customer experience. In this session, the IT Operations and Software Architecture teams will explain how Desigual built an in-store "shopping assistant" that transformed the customer experience by adopting modern architecture models and leveraging Docker Enterprise for containerization. In the session, you'll learn:
- How Desigual is leveraging containers with Docker Enterprise, microservices, APIs, CI/CD and hybrid cloud to create an excellent customer experience.
- How to use a container platform to accelerate time-to-market for new applications.
- How Desigual changed its traditional IT operational model, focusing on bringing a PaaS-like model to developer teams, and what they learned along the way.
- How Dev and Ops teams aligned in the process.
- How developer productivity increased by adopting modern architecture models.
Building Developer Pipelines with PKS, Harbor, Clair, and Concourse - VMware Tanzu
SpringOne Platform 2017
Thomas Kraus, VMware; Merlin Glynn, VMware
Today's developer needs to rapidly build and deploy code in a consistent, predictable, and declarative manner. This session will illustrate how companies can leverage PKS, Kubernetes, Harbor, Clair, and Concourse to achieve these goals. The session will provide a solution overview for developing, building, and deploying applications using container technologies from VMware and Pivotal. A brief review of each of the technologies discussed will be provided. The session will include a proposed end-to-end solution leveraging all of these technologies to provide a better developer experience, and will conclude with a demonstration of a development workflow that uses them to initially develop and then update an application running on PKS and Kubernetes.
We are on the cusp of a new era of application development software: instead of bolting on operations as an after-thought to the software development process, Kubernetes promises to bring development and operations together by design.
This presentation was given as the closing session of Container Conference 2018 on 3rd August in Bangalore by Anoop Kumar from Docker.
"In this session we will get familiarized with the technical aspects of the Docker EE 2.0 Platform. It will involve a walkthrough of the swarm as well as the relatively newly introduced Kubernetes integrations, how it enables organizational agility, choice and security and the future roadmap of the product suite. We'll finally do a quick demo of the platform and close with a Q&A section."
9 - Making Sense of Containers in the Microsoft Cloud - Kangaroot
Everyone is talking about containers, but what are they really about, and what are the benefits of containers for your customers? You probably think you know, but there is more! And did you know you can run and manage containers in the Microsoft Cloud? This session will go into the benefits of containers for your customers and what Microsoft is offering to meet all your needs. We will touch on technologies like Kubernetes and Docker, and we will elaborate on the strong partnerships Microsoft has built with true open source companies like Red Hat.
Tales of Training: Scaling CodeLabs with Swarm Mode and Docker-Compose - Docker, Inc.
Why is any "code lab workshop" or live demo always such a challenge?
A wise sysadmin once told me: "Get your hands dirty with production to learn".
So I want to tell you a story of getting my hands dirty, by creating a code lab environment treated as production.
This story will show that we can build a reproducible environment for code-labs workshops, by using the Docker “tools”: the Engine, Swarm Mode, Docker-Compose, Moby, LinuxKit.
Following the spirit of "Play With Docker", but generalized to any service collection, this Codelab toolkit has been used in code-lab workshops of 120+ people.
That path was not a free lunch, but the lessons learned will give you an idea of how a training environment can be efficiently built with Compose and Swarm Mode, by treating it as a "production" platform and tackling the plumbing's "youth" limitations for the benefit of your use case.
As a trainer, I never learned so much as when building something to teach people: this is the story I want to tell you, the tale of using Docker as a tool of MASSIVE KNOWLEDGE SHARING, which is the root of growing our industry together.
Working with AKS for more than 3 months, I want to share my experience. I discuss the benefits of AKS and some issues you might have. K8S is damn close to a silver bullet in regard to the simplicity of working with it.
Webinar: End-to-End CI/CD with GitLab and DC/OS - Mesosphere Inc.
Seven years ago, Apache Mesos was born as a platform to bring the distributed computing capabilities that powered the largest digital companies to the masses. Today, Mesosphere DC/OS technologies power more containers in production than any other software stack in the world, and have emerged as the premier platform for building and elastically scaling data-rich, modern applications and the associated CI/CD infrastructure across any infrastructure, public or private.
GitLab is an end-to-end software development and delivery platform with built-in CI/CD, monitoring, and performance metrics. With a unified experience for every step of the development lifecycle and seamless integration with container schedulers, GitLab provides the most efficient approach to reduce cycle time, increase velocity, and improve software quality.
In this webinar, you will learn how to combine DC/OS and GitLab to easily build a CI/CD infrastructure and build a complete CI/CD pipeline in minutes.
Slides cover:
1. An introduction to Apache Mesos and Mesosphere DC/OS and overview of DC/OS features and capabilities for developing, deploying, and operating containerized applications, microservices and CI/CD
2. An introduction to GitLab
3. How to use DC/OS and GitLab to build a CI/CD solution and go from idea to production
Helm is a tool that streamlines the creation, deployment and management of your Kubernetes-native applications. In this talk, we take a look at how Helm enables you to manage your deployment configurations as code, and demonstrate how it can be used to power your continuous delivery (CI/CD) pipeline.
Francisco Javier Ramírez Urea - IT Architect, Hoplasoftware
Guillaume Morini - SE, Docker
The integration of Kubernetes orchestration into the Docker Enterprise Platform presents deployments with interesting new abstractions for application connectivity. Devs and Ops are often challenged with rationalizing how pod networking (with CNI plugins like Calico or Flannel), Services (via kube-proxy) and Ingress work in concert to enable application connectivity within and outside a cluster. Similarly, given the dynamic and transient nature of containerized microservice workloads, they must work out how to leverage scalable and declarative approaches like network policies to express segmentation and security primitives. This session provides an illustrative walkthrough of these core concepts by going through common deployment architectures, providing design, operations, and scale considerations based on experience from numerous production deployments. We will discuss Kubernetes publishing methods and deep dive into Ingress Controllers. This session will also showcase how to complement application and operations workflows with the policy-driven business, compliance and security controls typically required in enterprise production deployments, including limiting traffic to services, session persistence, rewriting, and activating container health checks.
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta... - SlideTeam
Introducing An Architectural Deep Dive With Kubernetes And Containers PowerPoint Presentation Slides. Present the need for the containers in an organization with the help of a readily available PPT slideshow. Discuss container architecture, use cases details to make your presentation elaborative. Showcase the features, architecture, installation roadmap, and the 30-60-90 day plan in Kubernetes with the help of modern-designed PPT infographics. Familiarize your viewers with the various components of Kubernetes with the help of content-ready Kubernetes Docker PPT visuals. Make full use of high-quality icons to make your presentation attention-grabbing and meaningful. Compare and contrast Kubernetes with docker swarm based on various parameters with the help of this attention-grabbing PPT slideshow. Elaborate on Kubelet, Kubectl, and Kubeadm with the help of labeled diagrams. Showcase the networking model of Kubernetes, security measures, and the development process with this easy-to-use docker Architecture PowerPoint template. Therefore, hit the download button now to grab this amazing presentation. https://bit.ly/3vtLeFb
By Pradipta Banerjee
Planning to use Docker and Kubernetes in production for cloud-native apps? Concerned about how to integrate a Kubernetes cluster into your existing infrastructure? This talk will take you through some of the common challenges when deploying an on-prem Kubernetes cluster and how to address them.
Dev opsec dockerimage_patch_n_lifecyclemanagement_kanedafromparis
In this presentation, we will first recall what distinguishes Docker from a VM (PID, cgroups, etc.), discuss the layer system and the difference between images and instances, and then briefly introduce Kubernetes.
Next, we will present a "standard" process for promoting a CI/CD version (development, pre-production, production) through Docker tags.
Finally, we will discuss the different components that make up a Docker application (base image, tooling, libraries, code).
Once this introduction is done, we will discuss an application's lifecycle through its development and BAU (business-as-usual) phases, to highlight that security flaws during the development period are quickly fixed by new releases, but not necessarily in BAU, where releases are rarer. We will discuss the various solutions (JFrog Xray, Clair, ...) for automatic CVE tracking and update automation. Finally, we will give a brief experience report covering the difficulties encountered and the organizational proposals that were put in place.
Although illustrated with technical implementations, this presentation is mainly organizational.
History and Basics of containers, LXC, Docker and Kubernetes. This presentation is given to Engineering colleage students at VIT DevFest 2018. Beginner to Intermediate level.
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Codemotion
In less than two years Docker went from first line of code to major Open Source project with contributions from all the big names in IT. Everyone is excited, but what's in for me - as a Dev or Ops? In short, Docker makes creating Development, Test and even Production environments an order of magnitude simpler, faster and completely portable across both local and cloud infrastructure. We will start from Docker main concepts: how to create a Linux Container from base images, run your application in it, and version your runtimes as you would with source code, and finish with a concrete example.
Dockerizing Symfony2 application. Why Docker is so cool And what is Docker? And what are Containers? How they works? What are the ecosystem of Docker? And how to dockerize your web application (can be based on Symfony2 framework)?
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
A conference talk at ContainerCon Europe in Berlin, Germany, given on October 5th, 2016. This is a slightly modified version of my talk first used at Docker London in July 2016.
A talk given at Docker London on Wednesday, July 20th, 2016. This talk is a fast-paced overview of the potential threats faced when containerizing applications, married to a quick run-through of the "security toolbox" available in the Docker engine via Linux kernel capabilities and features enabled by OCI's libcontainer/runc and Docker.
A video recording of this talk is available here: https://skillsmatter.com/skillscasts/8551-container-security
Docker is in all the news and this talk presents you the technology and shows you how to leverage it to build your applications according to the 12 factor application model.
Accelerate your software development with DockerAndrey Hristov
Docker is in all the news and this talk presents you the technology and shows you how to leverage it to build your applications according to the 12 factor application model.
Docker moves very fast, with an edge channel released every month and a stable release every 3 months. Patrick will talk about how Docker introduced Docker EE and a certification program for containers and plugins with Docker CE and EE 17.03 (from March), the announcements from DockerCon (April), and the many new features planned for Docker CE 17.05 in May.
This talk will be about what's new in Docker and what's next on the roadmap
Similar to Dev opsec dockerimage_patch_n_lifecyclemanagement_2019 (20)
Docker … Podman are two close but different tools. What are their differences, what are their commonalities? In this presentation, we propose to present the two tools in order to highlight their differences in design and their specificities, their similarities.
The objective is to allow you to know these tools, from their common roots (Cgroup, namespace,...) to their divergence (socket). From ease of use (Socket) to the hassle (proxy), we will address the strengths and weaknesses of each through our uses of them (build, test,...). We will of course mention our friends the CVEs to feed your thoughts on their security.
On parle des Operator Kubernetes, mais de quoi s’agit-il ? Comment peut-on programmer son cluster Kubernetes et surtout, est-il possible de les écrire en Java ?
C’est ce que nous allons présenter au cours de 3 sessions dont celle-ci est la première. Dans cette session, nous allons présenter les différentes ressources de l’api REST de Kubernetes, les CRD (Custom Resource Definition), la bibliothèque fabric8 kubernetes-client et le projet exemple Hypnos.
par Charles Sabourdin
Il s’agit dans un premier temps de présenter Docker, ses cas d’usage et quelques bonnes pratiques d’utilisation.
Le but est de présenter Docker, son mode de fonctionnement et son écosystème.
Ce qu’il peut apporter et les pièges à éviter
https://github.com/kanedafromparis/prez-fabric8-dmp
Pourquoi, quand vous demandez à mettre en production une application java containérisée avec docker, vos ops font soudain la grimace ? Pourquoi vos containers, qui marchaient si bien sur votre PC, crashent si souvent en production ; et aussi pourquoi la RAM des noeuds se met-elle à swaper autant ?
Ces problèmes nous les avons rencontrés et nous vous proposons de partager ensemble nos découvertes et nos réflexions sur l'utilisation combinée de java et de docker.
Ensemble creusons la RAM, le CPU et les différentes options de gestion de mémoire de la JVM pour obtenir le bon fonctionnement de notre application dans un containeur.
Cette présentation donne une vue d’ensemble et les concepts généraux, permettant d’appréhender OpenShift et de faciliter les premières étales de prises en mains.
On y parle de Pods, de services, de source-to-image, etc.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
1. Kubernetes Application Life Cycle (patch management)
2019/04/17, #DevoxxFR, devoxx.fr
DevSecOps
Container Image: “Application LifeCycle Management”
sed s/LifeCycle/Patch/g
2. Abstract
In this presentation we first recall what makes Docker different from a VM (PID, cgroups, etc.), explain the layer system and the difference between images and instances, then give a brief introduction to Kubernetes.
Next we present a "standard" process for propagating a CI/CD version (development, pre-production, production) through Docker tags.
Finally we describe the different components that make up a Docker application (base image, tooling, libraries, code).
With that introduction done, we look at the life cycle of an application through its development and BAU (business as usual) phases, to highlight that security flaws found during development are quickly fixed by new releases, but not necessarily in BAU, where releases are rarer. We discuss the various solutions (JFrog Xray, Clair, ...) for automatically tracking CVEs and automating updates. We close with a short report from the field on the difficulties encountered and the organisational proposals that were put in place.
Although illustrated with technical implementations, this presentation is mainly organisational.
3. Speakers
Charles Sabourdin (@kanedafromparis): Java developer, Linux user, Devoxx France, ParisJUG, open source, architect, Dev/Ops
https://github.com/kanedafromparis/
https://github.com/kanedafromparisfriends
Jean-Christophe Sirot (@jcsirot): Java developer, Linux user, Devoxx France, ParisJUG, open source, architect, Dev/Ops, Jenkins
https://github.com/jcsirot
4. Agenda
I. Reminder
A. Docker
1. intro
2. isolation
3. layers
B. Kubernetes
1. generic
2. deployment
C. Development pipeline (security focus)
II. Application life cycle
A. Scanning tools
B. Too many technologies
III. Proposed solution
A. 1,2,3 Hosting
B. Pitfalls
5. Namespaces (I. Reminder: Docker)
Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
Docker Engine uses namespaces such as the following on Linux:
● The pid namespace: process isolation (PID: Process ID).
● The net namespace: managing network interfaces (NET: Networking).
● The ipc namespace: managing access to IPC resources (IPC: InterProcess Communication).
● The mnt namespace: managing filesystem mount points (MNT: Mount).
● The uts namespace: isolating kernel and version identifiers (UTS: Unix Timesharing System).
Note what is missing from this list: the user namespace. By default root inside the container is uid 0 on the host, held back only by capabilities, seccomp and LSM profiles. Docker can remap container users onto an unprivileged host range (the daemon's userns-remap setting), but that is opt-in.
sources: https://docs.docker.com/engine/docker-overview/#the-underlying-technology
https://en.wikipedia.org/wiki/Linux_kernel
6. Isolation (I. Reminder: Docker)
Control groups
Docker Engine on Linux also relies on another technology called control groups (cgroups). A cgroup limits an application to a specific set of resources. Control groups allow Docker Engine to share available hardware resources to containers and optionally enforce limits and constraints. For example, you can limit the memory available to a specific container. Cgroups bound resource consumption (the denial-of-service side of isolation); they do not hide anything from the container, which is the job of namespaces, capabilities, seccomp and LSMs.
Union file systems
Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper.
Container format
Docker Engine combines the namespaces, control groups, and UnionFS into a wrapper called a container format. The default container format is libcontainer. In the future, Docker may support other container formats by integrating with technologies such as BSD Jails or Solaris Zones.
sources: https://docs.docker.com/engine/docker-overview/#the-underlying-technology
https://en.wikipedia.org/wiki/Cgroups
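An added example, not part of the original slides: a program that reads the memory limit its cgroup imposes, for both the cgroup v2 file (memory.max) and the legacy v1 file (memory/memory.limit_in_bytes). This is the limit the slide talks about, and it is the number an application must size itself on; a process that looks at host RAM instead overshoots the cgroup and gets OOM-killed. The directory layout is rebuilt by build_fake_cgroup() on constructed temporary directories so the example runs offline; on a real container the root is /sys/fs/cgroup. The function names are this example's own.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# cgroup v2 (unified hierarchy): the literal string "max" means no limit.
V2_FILE = "memory.max"
# cgroup v1 (one hierarchy per controller): an unset limit is reported as a
# huge number (PAGE_COUNTER_MAX * page size), never as "max".
V1_FILE = "memory/memory.limit_in_bytes"
V1_NO_LIMIT = 9223372036854771712  # what the kernel reports for "unlimited"
V1_UNLIMITED_THRESHOLD = 1 << 62


def read_memory_limit(root: str) -> Optional[int]:
    """Memory limit in bytes for the cgroup rooted at `root`, None if unlimited.

    Raises FileNotFoundError when neither layout is present, so a caller
    never mistakes "no controller mounted" for "no limit".
    """
    base = Path(root)
    v2 = base / V2_FILE
    if v2.is_file():
        raw = v2.read_text().strip()
        return None if raw == "max" else int(raw)
    v1 = base / V1_FILE
    if v1.is_file():
        value = int(v1.read_text().strip())
        return None if value >= V1_UNLIMITED_THRESHOLD else value
    raise FileNotFoundError(f"no memory cgroup controller under {root}")


def host_memory_bytes() -> Optional[int]:
    """Total RAM as the host reports it: what naive programs size themselves on."""
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (ValueError, OSError, AttributeError):
        return None


def usable_memory(root: str) -> Optional[int]:
    """The smaller of the cgroup limit and host RAM: the real budget a process
    has before the kernel OOM-kills it. None means only host RAM applies."""
    limit = read_memory_limit(root)
    host = host_memory_bytes()
    candidates = [x for x in (limit, host) if x is not None]
    return min(candidates) if candidates else None


def build_fake_cgroup(root: str, version: int, limit: Optional[int]) -> None:
    """Write a constructed cgroup directory that mimics the kernel's files."""
    base = Path(root)
    if version == 2:
        (base / V2_FILE).write_text("max\n" if limit is None else f"{limit}\n")
    elif version == 1:
        (base / "memory").mkdir(parents=True, exist_ok=True)
        value = V1_NO_LIMIT if limit is None else limit
        (base / V1_FILE).write_text(f"{value}\n")
    else:
        raise ValueError("cgroup version must be 1 or 2")


def demo() -> Dict[str, Optional[int]]:
    """Exercise both layouts on constructed directories (no real cgroup needed)."""
    cases = {"v2_limited": (2, 512 * 1024 * 1024), "v2_unlimited": (2, None),
             "v1_limited": (1, 256 * 1024 * 1024), "v1_unlimited": (1, None)}
    results: Dict[str, Optional[int]] = {}
    for name, (version, limit) in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            build_fake_cgroup(tmp, version, limit)
            results[name] = read_memory_limit(tmp)
    return results


if __name__ == "__main__":
    print(demo())
    try:
        print("usable memory here:", usable_memory("/sys/fs/cgroup"))
    except FileNotFoundError as exc:
        print(exc)
```

The v1 "unlimited" value is deliberately compared against a threshold rather than an exact constant: the exact figure depends on the page size, and a limit set above 2^62 bytes is not a limit anyone intends.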
8. Layers (I. Reminder: Docker)
Union file systems (again)
Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper.
Images and layers
A Docker image is built up from a series of layers. Each layer represents an instruction in the image's Dockerfile. Each layer except the very last one is read-only. Each layer is only a set of differences from the layer before it. The layers are stacked on top of each other. When you create a new container, you add a new writable layer on top of the underlying layers. This layer is often called the "container layer". All changes made to the running container, such as writing new files, modifying existing files, and deleting files, are written to this thin writable container layer.
Consequence for patching: image layers are immutable and identified by a content digest, so publishing a patched base image changes nothing in the images already built from it. Every dependent image has to be rebuilt and redeployed to pick up the fix.
sources: https://docs.docker.com/storage/storagedriver/#images-and-layers
9. Breadcrumb: anatomy of an application image (I. Reminder: Docker)
From the bottom layer to the top, an application image is made of:
Operating System (base image)
Toolings / Utils
Language Toolings
Application Toolings
Frameworks / external libs
Application code
Each level has its own release cadence and its own CVEs, and because of the layer model a fix at any level means rebuilding everything above it.
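An added example, not part of the original slides, for the point made on the two previous slides: because layers are immutable, a patched base image leaves already-built application images stale. An image config carries rootfs.diff_ids, the ordered digests of its layers, and an image built FROM a base starts with exactly the base's diff_ids, so a prefix comparison tells whether an image sits on the current base, on an older one, or on an unrelated lineage. The base history, the image list and the "sha256:..." strings are constructed placeholders (real diff_ids are 64 hex digits, as printed by docker image inspect --format '{{json .RootFS.Layers}}'); the function names are this example's own.

```python
from typing import Dict, List

# Constructed history of the base image's layer diff_ids, oldest first.
BASE_HISTORY: List[List[str]] = [
    ["sha256:os-2019.03", "sha256:tooling-1"],   # original base
    ["sha256:os-2019.04", "sha256:tooling-1"],   # OS layer patched
    ["sha256:os-2019.04", "sha256:tooling-2"],   # tooling patched (current)
]

# Constructed application images: name -> rootfs.diff_ids from the image config.
IMAGES: Dict[str, List[str]] = {
    "petclinic-api:1.4.0": ["sha256:os-2019.03", "sha256:tooling-1", "sha256:jdk-11", "sha256:api-1.4.0"],
    "petclinic-web:1.4.0": ["sha256:os-2019.04", "sha256:tooling-2", "sha256:jdk-11", "sha256:web-1.4.0"],
    "petclinic-web:1.3.2": ["sha256:os-2019.04", "sha256:tooling-1", "sha256:jdk-11", "sha256:web-1.3.2"],
    "batch-job:0.9.1": ["sha256:os-2019.03", "sha256:tooling-1"],  # FROM base, nothing added
    "static-tool:2.0": ["sha256:static-binary"],                   # FROM scratch
}


def built_on(image_layers: List[str], base_layers: List[str]) -> bool:
    """True if the image's bottom layers are exactly the base image's layers."""
    n = len(base_layers)
    return n > 0 and image_layers[:n] == base_layers


def classify(image_layers: List[str], base_history: List[List[str]]) -> str:
    """'current'   built on the newest base,
    'stale'     built on an older base, so the patch is missing until rebuilt,
    'unrelated' not built on this base lineage at all."""
    if built_on(image_layers, base_history[-1]):
        return "current"
    if any(built_on(image_layers, old) for old in base_history[:-1]):
        return "stale"
    return "unrelated"


def report(images: Dict[str, List[str]], base_history: List[List[str]]) -> Dict[str, str]:
    """Status of every image in the registry snapshot."""
    return {name: classify(layers, base_history) for name, layers in images.items()}


def rebuild_list(images: Dict[str, List[str]], base_history: List[List[str]]) -> List[str]:
    """Images to rebuild and redeploy after the base-image patch, sorted by name."""
    return sorted(name for name, status in report(images, base_history).items()
                  if status == "stale")


if __name__ == "__main__":
    for name, status in report(IMAGES, BASE_HISTORY).items():
        print(f"{status:9} {name}")
    print("rebuild:", rebuild_list(IMAGES, BASE_HISTORY))
```

The prefix test only holds for images whose Dockerfile starts FROM the base as published; a squashed image or a multi-stage build that copies files out of the base shows up as "unrelated" and needs a package-level scan instead.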
13. Glossary (I. Reminder: Docker)
Docker Image: a recipe or template for creating Docker containers. It includes the steps for installing and running the necessary software.
Docker Container: often described as a tiny virtual machine created from the instructions found within the Docker image. In practice it is an ordinary process tree on the host kernel, isolated by the namespaces, cgroups and union filesystem described above; unlike a VM it shares the host kernel, so a kernel vulnerability is reachable from every container on the host.
Docker Client: command-line utility or other tool that takes advantage of the Docker API (docs.docker.com/reference/api/docker_remote_api) to communicate with a Docker daemon.
Docker Host: a physical or virtual machine that is running a Docker daemon and contains cached images as well as runnable containers created from images.
Docker Registry: a repository of Docker images that can be used to create Docker containers. Docker Hub (hub.docker.com) is the most popular public example of a Docker registry.
sources: https://docs.docker.com/glossary/
https://dzone.com/refcardz/getting-started-with-docker-1
15. Kubernetes (I. Reminder: Kubernetes)
Kubernetes is a portable, extensible open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.
Why containers:
● Agile application creation and deployment: increased ease and efficiency of container image creation compared to VM image use.
● Continuous development, integration, and deployment
● Dev and Ops separation of concerns
● Environmental consistency across development, testing, and production
● Application-centric management: raises the level of abstraction from running an OS on virtual hardware to running an application on an OS using logical resources.
● Loosely coupled, distributed, elastic, liberated micro-services
● Resource isolation: predictable application performance.
● Resource utilization: high efficiency and density.
sources: https://kubernetes.io/docs/concepts/architecture/cloud-controller/
https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/
16. Glossary (I. Reminder: Kubernetes)
Master: the machine that controls Kubernetes nodes (now usually called the control plane). This is where all task assignments originate.
Node: these machines perform the requested, assigned tasks. The Kubernetes master controls them.
Pod: a group of one or more containers deployed to a single node. All containers in a pod share an IP address, IPC, hostname, and other resources. Pods abstract network and storage away from the underlying container. This lets you move containers around the cluster more easily.
Kubelet: this service runs on nodes, reads the container manifests and ensures the defined containers are started and running.
Replication controller: controls how many identical copies of a pod should be running somewhere on the cluster (in practice superseded by the ReplicaSets that Deployments manage, see the next slides).
Service: decouples work definitions from the pods. Kubernetes service proxies automatically get service requests to the right pod, no matter where it moves to in the cluster or even if it has been replaced.
sources: https://www.redhat.com/en/topics/containers/what-is-kubernetes
17. Objects (I. Reminder: Kubernetes)
A container is an instantiated, executable, isolated process.
A container repository is a library of images.
A Kubernetes Pod (po) is a group of one or more containers.
A Service (svc) is a named, stable mapping to a set of pods.
A ReplicaSet (rs) creates and maintains the pod declaration from which the pod replicas (running the Docker images) that provide the services are instantiated.
A Deployment (deploy) creates the ReplicaSet that provides the services.
A Persistent Volume (pv) is a piece of networked storage in the cluster.
A Persistent Volume Claim (pvc) is a reservation of a Persistent Volume within a namespace / project.
...
sources: https://github.com/kanedafromparisfriends/icones_ocp_kube
18. Deployment (I. Reminder: Kubernetes)
The following are typical use cases for Deployments:
● Create a Deployment to rollout a ReplicaSet. The ReplicaSet creates Pods in the background. Check the status of the rollout to see if it succeeds or not.
● Declare the new state of the Pods by updating the PodTemplateSpec of the Deployment. A new ReplicaSet is created and the Deployment manages moving the Pods from the old ReplicaSet to the new one at a controlled rate. Each new ReplicaSet updates the revision of the Deployment.
● Rollback to an earlier Deployment revision if the current state of the Deployment is not stable. Each rollback updates the revision of the Deployment.
● Scale up the Deployment to facilitate more load.
● Pause the Deployment to apply multiple fixes to its PodTemplateSpec and then resume it to start a new rollout.
● Use the status of the Deployment as an indicator that a rollout has stuck.
● Clean up older ReplicaSets that you don't need anymore.
For patching, the second point is the mechanism that matters: a changed image reference in the PodTemplateSpec is what creates a new ReplicaSet and rolls the pods. Pushing a patched image under the tag the Deployment already uses changes nothing by itself; running pods keep the old image until something makes the template change.
sources: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
23. Application dependency on Kubernetes (I. Reminder: Kubernetes)
[figure]
sources: https://www.infoq.com/articles/kubernetes-effect
24. Deployment strategies (I. Reminder: Kubernetes)
[figure]
sources: https://www.infoq.com/articles/kubernetes-effect
25. Probes
Liveness: if the command returns a non-zero value (for httpGet, any status outside 200-399), the kubelet kills the container and restarts it.
Readiness: a pod with containers reporting that they are not ready does not receive traffic through Kubernetes Services (it is removed from the Service endpoints, nothing is restarted).
A liveness probe should only detect a wedged process; if it also checks a downstream dependency, an outage of that dependency makes the kubelet restart every replica at once.
Each probe uses one of three handlers:
httpGet:
  scheme: <http(s)>
  host: <header hostname>
  path: <uri>
  port: <1 - 65535 or name>
  httpHeaders:
  - name: <header name>
    value: <header value>
  ...
exec:
  command:
  - cat
  - /tmp/healthy
  ...
tcpSocket:
  host: <host to test>
  port: <1 - 65535 or name>
sources: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.14/#probe-v1-core
26. initContainers & container hooks
initContainers: list of initialization containers belonging to the pod. They run to completion, one after the other, before the application containers start.
Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.
postStart: called immediately after a container is created.
preStop: called immediately before a container is terminated; the kubelet waits for it to finish (within terminationGracePeriodSeconds) before sending SIGTERM, which is where a pod gets the chance to drain.
Hook handlers take the same httpGet and exec forms as the probes on the previous slide. tcpSocket is declared in the API but documented as not yet supported for lifecycle hooks.
sources: kubectl explain pods.spec.containers.lifecycle
kubectl explain pods.spec.initContainers
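An added example, not part of the original slides, for the probes and the preStop hook of the two previous slides: a small HTTP health endpoint pair in which liveness answers only "is this process wedged?" (a heartbeat from the work loop), readiness answers "may this pod take traffic?", and the preStop hook flips readiness to false so the pod drains before it is killed. The paths /healthz and /readyz, the 30-second stall threshold and the WorkerHealth class are this example's own conventions; probe_sequence() replays one pod's life on a fake clock so the behaviour can be checked offline.

```python
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, List, Tuple

MAX_STALL_SECONDS = 30.0  # liveness fails once the work loop stops heartbeating


class WorkerHealth:
    """State shared between the application's work loop and the probe handler."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._lock = threading.Lock()
        self._last_beat = clock()
        self._warm = False      # caches loaded, connections open
        self._draining = False  # preStop hook ran: finish in-flight work only

    def heartbeat(self) -> None:
        with self._lock:
            self._last_beat = self._clock()

    def mark_warm(self) -> None:
        with self._lock:
            self._warm = True

    def begin_drain(self) -> None:
        """Triggered by the preStop hook: stop taking new traffic, keep running."""
        with self._lock:
            self._draining = True

    def _stalled(self) -> bool:
        return self._clock() - self._last_beat > MAX_STALL_SECONDS

    def liveness(self) -> Tuple[int, str]:
        """'Is this process wedged?' and nothing else. Downstream dependencies
        are ignored on purpose: a database outage must not make the kubelet
        restart every replica at once."""
        with self._lock:
            return (503, "stalled") if self._stalled() else (200, "ok")

    def readiness(self) -> Tuple[int, str]:
        """'May this pod receive traffic right now?'"""
        with self._lock:
            if self._draining:
                return 503, "draining"
            if not self._warm:
                return 503, "warming-up"
            if self._stalled():
                return 503, "stalled"
            return 200, "ready"


def probe(health: WorkerHealth, path: str) -> Tuple[int, str]:
    """Map a probe path to its check. Unknown paths are 404 so a typo in the
    manifest shows up as a failing probe instead of a silently passing one."""
    if path == "/healthz":
        return health.liveness()
    if path == "/readyz":
        return health.readiness()
    return 404, "unknown probe"


def make_handler(health: WorkerHealth):
    class ProbeHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            code, body = probe(health, self.path)
            payload = body.encode()
            self.send_response(code)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *_):  # probe traffic would otherwise flood the log
            pass
    return ProbeHandler


def probe_sequence() -> List[Tuple[str, int, int]]:
    """Walk one pod's life on a fake clock. Returns (event, liveness, readiness)."""
    now = [0.0]
    health = WorkerHealth(clock=lambda: now[0])
    out: List[Tuple[str, int, int]] = []

    def snap(event: str) -> None:
        out.append((event, probe(health, "/healthz")[0], probe(health, "/readyz")[0]))

    snap("start")                       # process up, not yet warm
    health.mark_warm()
    snap("warm")
    now[0] += MAX_STALL_SECONDS + 1     # work loop hung
    snap("stalled")
    health.heartbeat()
    snap("recovered")
    health.begin_drain()                # preStop hook fired
    snap("draining")
    return out


if __name__ == "__main__":
    health = WorkerHealth()
    health.mark_warm()
    server = HTTPServer(("127.0.0.1", 8080), make_handler(health))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        while True:              # stand-in for the real work loop
            health.heartbeat()
            time.sleep(1)
    except KeyboardInterrupt:
        health.begin_drain()     # what the preStop hook would trigger
        server.shutdown()
```

In the manifest, livenessProbe points at /healthz and readinessProbe at /readyz on the application port. The trigger for begin_drain() belongs in an exec preStop hook or on a loopback-only port, not on the public listener, otherwise anyone who can reach the pod can take it out of service; and terminationGracePeriodSeconds has to cover the time the drain needs.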
30. Our reference project (I. Reminder: Development pipeline)
sources: https://github.com/jcsirot/spring-petclinic-microservices
https://github.com/spring-petclinic/spring-petclinic-microservices
https://javaetmoi.com/2018/10/architecture-microservices-avec-spring-cloud/
31. s/Development/Deployment/g pipeline (I. Reminder: Development pipeline)
Dev local: the developer works on the project on their own machine (unit tests, debugging, etc.).
Dev on cluster: to check integration issues, the developer can work in a dedicated namespace. This namespace can host components and resources identical to production.
CI on cluster: the automated build/test system (Jenkins) catches each commit to build the future Docker artifact(s), which are then propagated to the QA namespaces.
QA on cluster: automated tests are executed in a dedicated namespace.
Staging on cluster (optional): a reference namespace can be used for load testing, human validation and preview.
Production on cluster: a production namespace hosts the project with the necessary security constraints.
What moves from one stage to the next is the same image, identified by its digest: each promotion only adds a tag, it never rebuilds, otherwise what reaches production is not what QA tested.
sources: Containerizing Continuous Delivery in Java by Daniel Bryant
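An added example, not part of the original slides or the reference project: promotion of one image through the stages above by re-tagging its digest, with a CVE gate in front of each promotion and a digest-pinned update of the production Deployment at the end. The registry contents, the scan report (a shape loosely modelled on per-image findings from a scanner such as Clair or Xray), the CVE-0000-000x identifiers and the Deployment are all constructed placeholders, and the function names are this example's own.

```python
import copy
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed registry state, tag -> manifest digest (digests shortened).
# CI pushed one image and tagged it with the commit id and the "ci" stage tag.
REGISTRY: Dict[str, str] = {
    "petclinic-api:git-3f2a9c1": "sha256:aaaa1111",
    "petclinic-api:ci": "sha256:aaaa1111",
    "petclinic-api:prod": "sha256:0000ffff",   # release currently in production
}

# Constructed scan results keyed by digest; the CVE ids are placeholders.
SCAN_REPORT: Dict[str, List[dict]] = {
    "sha256:aaaa1111": [
        {"cve": "CVE-0000-0001", "severity": "Medium", "fixed_in": "1.2.3-4"},
        {"cve": "CVE-0000-0002", "severity": "High", "fixed_in": None},
    ],
    "sha256:0000ffff": [],
}

# Constructed Deployment, trimmed to the fields the rollout touches.
DEPLOYMENT: dict = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "petclinic-api", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "petclinic-api:prod"}]}}},
}


class PromotionError(Exception):
    pass


def gate_reason(report: Dict[str, List[dict]], digest: str, max_severity: str) -> Optional[str]:
    """Why this digest may not be promoted, or None if it passes. Findings with
    no fix available still block: they need a recorded, time-boxed exception,
    not a silent pass."""
    limit = SEVERITY_RANK[max_severity]
    blocked = [f for f in report.get(digest, [])
               if SEVERITY_RANK.get(f["severity"], 0) > limit]
    if not blocked:
        return None
    return "blocked by " + ", ".join(
        f"{f['cve']} ({f['severity']}, fix: {f['fixed_in'] or 'none yet'})" for f in blocked)


def promote(registry: Dict[str, str], report: Dict[str, List[dict]], repo: str,
            src_stage: str, dst_stage: str, max_severity: str) -> Tuple[Dict[str, str], str]:
    """Re-tag the digest behind <repo>:<src_stage> as <repo>:<dst_stage>.
    Nothing is rebuilt: the bytes QA tested are the bytes production runs."""
    src = f"{repo}:{src_stage}"
    if src not in registry:
        raise PromotionError(f"{src} does not exist")
    digest = registry[src]
    reason = gate_reason(report, digest, max_severity)
    if reason:
        raise PromotionError(f"{src}@{digest} {reason}")
    updated = dict(registry)
    updated[f"{repo}:{dst_stage}"] = digest
    return updated, digest


def pinned_reference(repo: str, digest: str) -> str:
    """Image reference for the manifest. A tag can be moved after review,
    a digest cannot, so production pins by digest."""
    return f"{repo}@{digest}"


def patch_deployment(manifest: dict, container: str, image_ref: str) -> dict:
    """Copy of the Deployment with one container image replaced. The changed
    PodTemplateSpec is what makes the controller create a new ReplicaSet and
    roll the pods; re-pushing under the old tag would not."""
    patched = copy.deepcopy(manifest)
    for c in patched["spec"]["template"]["spec"]["containers"]:
        if c["name"] == container:
            c["image"] = image_ref
            return patched
    raise KeyError(f"no container named {container!r}")


def release_to_prod(registry, report, repo, manifest) -> Tuple[Dict[str, str], dict]:
    """ci -> qa (High tolerated while testing) -> prod (nothing above Medium)."""
    registry, _ = promote(registry, report, repo, "ci", "qa", "High")
    registry, digest = promote(registry, report, repo, "qa", "prod", "Medium")
    return registry, patch_deployment(manifest, "api", pinned_reference(repo, digest))


if __name__ == "__main__":
    try:
        release_to_prod(REGISTRY, SCAN_REPORT, "petclinic-api", DEPLOYMENT)
    except PromotionError as exc:
        print("release stopped:", exc)
```

With the constructed data the ci to qa step passes and the qa to prod step is refused because of the unfixed High finding, which is the intended outcome: the exception message is the record the BAU process has to act on (patch the base or accept the risk explicitly), not something to work around by re-tagging by hand.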
33. Helm (I. Reminder: Development pipeline)
Helm is a tool for managing Kubernetes packages called charts. Helm can do the following:
● Create new charts from scratch
● Package charts into chart archive (tgz) files
● Interact with chart repositories where charts are stored
● Install and uninstall charts into an existing Kubernetes cluster
● Manage the release cycle of charts that have been installed with Helm
Chart file structure (Helm 2 layout; in Helm 3 the dependency list moved from requirements.yaml into Chart.yaml):
foo/
  Chart.yaml          # A YAML file containing information about the chart
  LICENSE             # OPTIONAL: A plain text file containing the license for the chart
  README.md           # OPTIONAL: A human-readable README file
  requirements.yaml   # OPTIONAL: A YAML file listing dependencies for the chart
  values.yaml         # The default configuration values for this chart
  charts/             # A directory containing any charts upon which this chart depends
  templates/          # A directory of templates that, when combined with values, will generate valid Kubernetes manifest files
  templates/NOTES.txt # OPTIONAL: A plain text file containing short usage notes
sources: https://helm.sh/docs/developing_charts/
34. Kubernetes Application Life Cycle
(patch management)
2019/04/17
#DevoxxFR
Helm : hook
Hooks allow you, the chart developer, an opportunity to perform
operations at strategic points in a release lifecycle. For example,
consider the lifecycle for a helm install. By default, the lifecycle
looks like this:
1. User runs helm install foo
2. Chart is loaded into Tiller
3. After some verification, Tiller renders the foo templates
4. Tiller loads the resulting resources into Kubernetes
5. Tiller returns the release name (and other data) to the client
6. The client exits
Hook weights can be positive or negative numbers but must be
represented as strings. When Tiller starts the execution cycle of hooks
of a particular kind (ex. the pre-install hooks or post-install hooks, etc.)
it will sort those hooks in ascending order.
I. Reminder : Development pipeline
sources : https://speakerdeck.com/unguiculus/helm-the-better-way-to-deploy-on-kubernetes
https://www.youtube.com/watch?v=3q0R5x6mBZg
pre-install
post-install
pre-delete
post-delete
pre-upgrade
post-upgrade
pre-rollback
post-rollback
crd-install
hook annotations
apiVersion: batch/v1
kind: Job
metadata:
  name: demo-job
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  ...
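The weight ordering and delete policy described above, as an added example in Python (not Helm's code and not part of the talk): it takes already-parsed manifests as dicts, selects those annotated for one hook event, returns them in execution order, and decides whether a hook resource is removed afterwards. The sample manifests are constructed, and breaking ties on kind and name after the weight is an assumption made only to keep the order deterministic; the before-hook-creation policy is not modelled.

```python
"""Select and order Helm hook resources for one lifecycle event.

Added illustration, not Helm's own implementation. Manifests are plain dicts
(what a YAML loader would return); the samples below are constructed.
"""
from typing import Dict, List

HOOK_EVENTS = {
    "pre-install", "post-install", "pre-delete", "post-delete",
    "pre-upgrade", "post-upgrade", "pre-rollback", "post-rollback", "crd-install",
}

# Constructed sample: what `helm template` would render, parsed into dicts.
SAMPLE_MANIFESTS: List[Dict] = [
    {"kind": "Job", "metadata": {"name": "demo-job", "annotations": {
        "helm.sh/hook": "post-delete",
        "helm.sh/hook-weight": "-5",
        "helm.sh/hook-delete-policy": "hook-succeeded"}}},
    {"kind": "Job", "metadata": {"name": "db-migrate", "annotations": {
        "helm.sh/hook": "pre-upgrade,pre-install",     # one resource, two events
        "helm.sh/hook-weight": "0"}}},
    {"kind": "Job", "metadata": {"name": "schema-check", "annotations": {
        "helm.sh/hook": "pre-install",
        "helm.sh/hook-weight": "-10"}}},
    {"kind": "ConfigMap", "metadata": {"name": "app-config"}},   # not a hook
    {"kind": "Job", "metadata": {"name": "smoke-test", "annotations": {
        "helm.sh/hook": "post-install",
        "helm.sh/hook-weight": "5",
        "helm.sh/hook-delete-policy": "hook-failed"}}},
]


def _annotations(manifest: Dict) -> Dict[str, str]:
    return manifest.get("metadata", {}).get("annotations", {}) or {}


def hook_weight(manifest: Dict) -> int:
    """Weights are written as strings in the annotation; missing or unparsable means 0."""
    raw = _annotations(manifest).get("helm.sh/hook-weight", "0")
    try:
        return int(raw)
    except ValueError:
        return 0


def hooks_for(event: str, manifests: List[Dict]) -> List[Dict]:
    """Manifests whose helm.sh/hook annotation lists `event`, in execution order."""
    if event not in HOOK_EVENTS:
        raise ValueError(f"unknown hook event: {event}")
    selected = []
    for m in manifests:
        events = {e.strip() for e in _annotations(m).get("helm.sh/hook", "").split(",")}
        if event in events:
            selected.append(m)
    # Ascending weight, as the text states; kind and name only break ties (assumption).
    return sorted(selected, key=lambda m: (hook_weight(m), m["kind"], m["metadata"]["name"]))


def execution_order(event: str, manifests: List[Dict]) -> List[str]:
    """Resource names for `event`, first to last."""
    return [m["metadata"]["name"] for m in hooks_for(event, manifests)]


def should_delete(manifest: Dict, succeeded: bool) -> bool:
    """Apply helm.sh/hook-delete-policy once the hook resource has finished."""
    raw = _annotations(manifest).get("helm.sh/hook-delete-policy", "")
    policies = {p.strip() for p in raw.split(",") if p.strip()}
    if succeeded and "hook-succeeded" in policies:
        return True
    if not succeeded and "hook-failed" in policies:
        return True
    return False


if __name__ == "__main__":
    for ev in ("pre-install", "post-install", "post-delete"):
        print(f"{ev:13} -> {execution_order(ev, SAMPLE_MANIFESTS)}")
```

Because db-migrate lists two events, it runs at both pre-install and pre-upgrade; the negative weight of schema-check puts it ahead of db-migrate at pre-install, which is exactly the ordering lever the slide describes.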
35. Kubernetes Application Life Cycle
Digression: Tillerless
That's it, tiller uses the same kubeconfig as helm to connect to
your cluster and as you see above you can pass the namespace which
tiller will use to store helm releases. You can have many
namespaces that way and just pass it when tiller starts. And a big
plus not a single tiller instance running in your Kubernetes cluster.
Your user's RBAC rules have to allow storing secrets/configmaps
(tiller's storage) in that namespace and that's it, no more service
accounts and other RBAC rules for your tiller. :)
I. Reminder : Development pipeline
sources : https://rimusz.net/tillerless-helm/
36. Kubernetes Application Life Cycle
Helm
git clone https://github.com/jcsirot/spring-petclinic-microservices && cd spring-petclinic-microservices
...
sources : https://github.com/jcsirot/spring-petclinic-microservices
37. Kubernetes Application Life Cycle
The perfect system of record for all your software parts.
● Manage components, build artifacts, and release candidates in one
central location.
● Understand component security, license, and quality issues.
● Modernize software development with intelligent staging and release
functionality.
● Scale DevOps delivery with high availability and active/active clustering.
● Sleep comfortably with world-class support and training.
Universal support for all your favorite formats and tools.
● Store and distribute Maven/Java, npm, NuGet, RubyGems, Docker, P2,
OBR, APT and YUM and more.
● Manage components from dev through delivery: binaries, containers,
assemblies, and finished goods.
● Awesome support for the Java Virtual Machine (JVM) ecosystem,
including Gradle, Ant, Maven, and Ivy.
● Integrated with popular tools like Eclipse, IntelliJ, Hudson, Jenkins,
Puppet, Chef, Docker, and more.
Registry : Example Nexus
I. Reminder : Development pipeline
sources : https://www.sonatype.com/nexus-repository-sonatype
39. Kubernetes Application Life Cycle
SonarQube® is an automatic code review tool to detect bugs, vulnerabilities and
code smells in your code. It can integrate with your existing workflow to enable
continuous code inspection across your project branches and pull requests.
Continuous Inspection
SonarQube provides the capability to not only show health of an application but
also to highlight issues newly introduced. With a Quality Gate in place, you can
fix the leak and therefore improve code quality systematically.
Detect Tricky Issues
Our code analyzers are equipped with powerful path sensitive dataflow engines
to detect tricky issues such as null-pointers dereferences, logic errors, resource
leaks.
Centralize Quality
One place to provide a shared vision of code quality for developers, tech leads,
managers and executives in charge of a few to a few thousand projects and
also to act as a toll gate for application promotion or release
QA : Example SonarQube
I. Reminder : Development pipeline
sources : https://www.sonarqube.org/
41. Kubernetes Application Life Cycle
Some of ZAP's functionality:
● Man-in-the-middle Proxy
● Traditional and AJAX spiders
● Automated scanner
● Passive scanner
● Forced browsing
● Fuzzer
● Dynamic SSL certificates
● Smartcard and Client Digital Certificates support
● Web sockets support
● Support for a wide range of scripting languages
● Plug-n-Hack support
● Authentication and session support
● Powerful REST based API
● Automatic updating option
● Integrated and growing marketplace of add-ons
QA : Example ZAP (Zed Attack Proxy)
I. Reminder : Development pipeline
sources :
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Functionality
42. Kubernetes Application Life Cycle
Continuous Integration
the practice of frequently integrating one's new or changed code with the existing code repository – should occur frequently enough that
no intervening window remains between commit and build, and such that no errors can arise without developers noticing them and
correcting them immediately.
Notice : Maturity level
I. Reminder : Development pipeline
sources : DevOps with OpenShift by Stefano Picozzi, Mike Hepburn, and Noel O’Connor
https://en.wikipedia.org/wiki/Continuous_delivery, https://en.wikipedia.org/wiki/Continuous_deployment, https://en.wikipedia.org/wiki/Continuous_integration
Continuous delivery (CDE)
A software engineering approach in which teams
produce software in short cycles, ensuring that the
software can be reliably released at any time and,
when releasing the software, doing so manually.
Continuous deployment (CD)
A software engineering approach in which software
functionalities are delivered frequently through
automated deployments.
43. Kubernetes Application Life Cycle
Digression: version tag versus purpose tag
I. Reminder : Kubernetes
Version tags (each namespace runs one specific build):
  DEV (NS): img:1.2.1 | QA (NS): img:1.2.0 | STG (NS): img:1.1.1 | PROD (NS): img:1.1.1
Purpose tags (each namespace pulls the tag named after it, with imagePullPolicy: Always):
  DEV (NS): img:dev | QA (NS): img:qa | STG (NS): img:stg | PROD (NS): img:prod
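One way to check which of the two tagging styles a manifest actually uses, as an added Python example that is not part of the talk: it classifies every container image reference as digest-pinned, version-tagged or mutable (purpose tag, :latest or no tag), works out the effective imagePullPolicy, and rates the combination. The Deployment is a constructed sample held as a dict (the shape a YAML loader or `kubectl get -o json` returns); the registry and image names are invented, and the version-tag regex is a heuristic.

```python
"""Audit image references for the version-tag versus purpose-tag trade-off.

Added illustration, not code from the talk. Image and registry names below are
constructed; the tag heuristic treats dotted numeric tags as build-specific.
"""
import re
from typing import Dict, List

VERSION_TAG = re.compile(r"^v?\d+(\.\d+){1,3}([-+][0-9A-Za-z.]+)?$")   # 1.1.1, v2.0.0-rc1
DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")


def _name_part(image: str) -> str:
    # Everything after the last '/': the registry host:port and path may contain ':' too.
    return image.rsplit("/", 1)[-1]


def classify_image(image: str) -> str:
    """'digest' (immutable), 'version' (one tag per build) or 'mutable'
    (purpose tag such as :prod, :latest, or no tag at all)."""
    if DIGEST_REF.search(image):
        return "digest"
    name = _name_part(image)
    if ":" not in name:
        return "mutable"                       # untagged means :latest
    tag = name.rsplit(":", 1)[1]
    return "version" if VERSION_TAG.match(tag) else "mutable"


def default_pull_policy(image: str) -> str:
    """Kubernetes default when imagePullPolicy is omitted: Always for :latest or
    untagged images, IfNotPresent for anything else (digests included)."""
    name = _name_part(image)
    if "@sha256:" in name:
        return "IfNotPresent"
    if ":" not in name or name.rsplit(":", 1)[1] == "latest":
        return "Always"
    return "IfNotPresent"


def audit_deployment(manifest: Dict) -> List[Dict[str, str]]:
    """One finding per (init)container.

    mutable tag + IfNotPresent : a node may keep running a stale build (high)
    mutable tag + Always       : what runs is whatever the registry serves now;
                                 the manifest no longer identifies the build (medium)
    version tag or digest      : the manifest identifies the build (low)
    """
    pod = manifest["spec"]["template"]["spec"]
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        kind = classify_image(c["image"])
        policy = c.get("imagePullPolicy", default_pull_policy(c["image"]))
        if kind in ("digest", "version"):
            risk = "low"
        elif policy == "Always":
            risk = "medium"
        else:
            risk = "high"
        findings.append({"container": c["name"], "image": c["image"],
                         "reference": kind, "imagePullPolicy": policy, "risk": risk})
    return findings


# Constructed sample mirroring the slide: one version tag, several purpose tags.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "app1", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "migrate", "image": "myregistry.example/team/app1-migrate:prod"}],
        "containers": [
            {"name": "app1", "image": "myregistry.example/team/app1:1.1.1"},
            {"name": "sidecar", "image": "myregistry.example/team/proxy:stg",
             "imagePullPolicy": "Always"},
            {"name": "cache", "image": "myregistry.example:5000/team/cache"},
            {"name": "pinned", "image": "myregistry.example/team/app4@sha256:" + "ab" * 32},
        ]}}},
}

if __name__ == "__main__":
    for f in audit_deployment(SAMPLE_DEPLOYMENT):
        print(f"{f['risk']:6} {f['container']:8} {f['reference']:8} "
              f"{f['imagePullPolicy']:13} {f['image']}")
```

The purpose-tag style only works when every container also sets imagePullPolicy: Always, which is why the audit rates a purpose tag with the IfNotPresent default highest; even then, the manifest alone no longer tells you which build is running, so the registry's tag history becomes part of your audit trail.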
44. Kubernetes Application Life Cycle
Contents
I. Reminder
A. Docker
1. intro
2. isolation
3. layers
B. Kubernetes
1. generic
2. deployment
C. Development pipeline (security focus)
II. Application life cycle
A. Scanning tools
B. Too many technologies
III. Proposed solution
A. 1,2,3 Hosting
B. Pitfalls
45. Kubernetes Application Life Cycle
sources : https://devops.com.vn/2018/117/
Application lifecycle (example)
II. Application life cycle
46. Kubernetes Application Life Cycle
Application lifecycle (example)
sources : https://www.lemondeinformatique.fr/actualites/lire-atlassian-fait-pousser-ses-offres-devops-68588.html
II. Application life cycle
47. Kubernetes Application Life Cycle
CVE happens
II. Application life cycle
sources : https://www.cvedetails.com/
50. Kubernetes Application Life Cycle
Application lifecycle (example)
[Figure] 3-year lifecycle of a website application (example); the only label left from the figure is "Patch".
II. Application life cycle
51. Kubernetes Application Life Cycle
Application lifecycle
Feature development, through application configuration or coding, is only one phase of the application life cycle. This phase
can be a big or a small part of the application's life.
Several other phases are also necessary within the application lifecycle:
- Feature development with testing and validation
This phase can happen several times during the application's life.
- Deployment
This phase can happen several times during the application's life.
- Security update
This phase can happen several times during the application's life.
- Decommission
This phase should only happen once.
The manpower necessary for each of these phases varies a lot,
depending on the complexity of the application, the availability of
the knowledgeable parties and the level of automation.
This is why an application needs an application owner
accountable for the entire application lifecycle.
II. Application life cycle
52. Kubernetes Application Life Cycle
Scan tools: downstream / upstream
Security scanning tools give you insight into what is inside your image and
its potential security vulnerabilities.
Most hook into your registry, or run as a local agent, and will
highlight most of your CVE issues.
Usually they scan OS packages (.rpm, .deb, .apk, ...) but not software unpacked
from tar.gz archives, and mostly not application libraries.
II. Application life cycle
They can be triggered in various ways and can trigger various actions:
- email alert
- automatic rebuild
- block pull
- ...
53. Kubernetes Application Life Cycle
[Diagram] Breadcrumb of what ends up in an application image, from bottom to top:
  Infrastructure
  Operating System (Node OS), running the kubelet
  Operating System (Docker image): Alpine base image
  Toolings / Utils
  Language toolings: OpenJDK 8; PHP 7.1, PHP 5.6
  Application toolings: Tomcat, Wildfly, Spring Boot; Apache httpd 2.4
  Frameworks / external libs: app lib; Drupal, Wordpress
  Application code: App 1, App 2, App 3, App 4, App 5
Each stack is packaged as its own Docker image, published as https://myregistry.org/.../App1:x.y, ../App2:x.y, ../App3:x.y, ../App4:x.y, ../App5:x.y.
Annotations on the layers: "Detected by most vulnerability scanner" and "Often out of scope" (compare the previous slide: OS packages are scanned, application libraries mostly are not).
II. Application life cycle
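The coverage gap described on the scan-tools slide and drawn in the breadcrumb diagram above, as an added Python example that is not part of the talk and not any scanner's code: it parses an Alpine package database excerpt to learn which files belong to OS packages, maps every other file of the image to its breadcrumb layer, and reports what a package-based scanner would and would not see. The apk database excerpt and the file listing are constructed samples (real Alpine package names, invented versions, no vulnerability data); the layer rules are simple path and file-name heuristics.

```python
"""Compare what a package-based image scanner covers with what the image contains.

Added illustration for the scan-tools slide and the breadcrumb diagram. The apk
database excerpt and the file list are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of /lib/apk/db/installed (Alpine format: blank-line separated
# records; P: name, V: version, F: a directory, R: a file inside the last F: directory).
APK_INSTALLED_DB = """\
P:musl
V:1.1.20-r5
T:the musl c library (libc) implementation
F:lib
R:ld-musl-x86_64.so.1
R:libc.musl-x86_64.so.1

P:busybox
V:1.29.3-r10
T:Size optimized toolbox of many common UNIX utilities
F:bin
R:busybox

P:openjdk8-jre
V:8.201.08-r1
T:OpenJDK 8 Java Runtime
F:usr/lib/jvm/java-1.8-openjdk/jre/lib
R:rt.jar
"""

# Constructed file listing of an application image built on that base.
IMAGE_FILES = [
    "/lib/ld-musl-x86_64.so.1",
    "/bin/busybox",
    "/usr/lib/jvm/java-1.8-openjdk/jre/lib/rt.jar",
    "/usr/local/tomcat/lib/catalina.jar",       # Tomcat unpacked from a tar.gz: no apk record
    "/app/lib/spring-boot-2.1.4.RELEASE.jar",   # framework / external lib
    "/app/lib/jackson-databind-2.9.8.jar",      # external lib
    "/app/app.jar",                             # the company's own code
]

# <name>-<version>.jar, the way Maven-style builds name artifacts
JAR_NAME = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[^/]*)\.jar$")

COVERAGE = {
    "os package": "detected by most scanners",
    "tooling installed from archive": "not scanned (no package metadata)",
    "application library": "mostly out of scope",
    "application code": "out of scope",
    "other": "unknown",
}


def parse_apk_db(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (package -> version, absolute file path -> owning package)."""
    versions: Dict[str, str] = {}
    owners: Dict[str, str] = {}
    for record in text.strip().split("\n\n"):
        pkg, directory = "", ""
        for line in record.splitlines():
            key, _, value = line.partition(":")
            if key == "P":
                pkg = value
            elif key == "V" and pkg:
                versions[pkg] = value
            elif key == "F":
                directory = "/" + value
            elif key == "R" and pkg:
                owners[f"{directory}/{value}"] = pkg
    return versions, owners


def classify(path: str, owners: Dict[str, str]) -> str:
    """Map a file to the breadcrumb layer it belongs to (heuristic)."""
    if path in owners:
        return "os package"
    if path.startswith(("/usr/local/", "/opt/")):
        return "tooling installed from archive"
    base = path.rsplit("/", 1)[-1]
    if JAR_NAME.match(base):
        return "application library"
    if base.endswith(".jar"):
        return "application code"
    return "other"


def inventory(files: List[str], db_text: str) -> List[Dict[str, str]]:
    """One row per file: component name/version where known, layer, scanner coverage."""
    versions, owners = parse_apk_db(db_text)
    rows = []
    for path in files:
        layer = classify(path, owners)
        base = path.rsplit("/", 1)[-1]
        if layer == "os package":
            component = f"{owners[path]} {versions[owners[path]]}"
        elif layer == "application library":
            m = JAR_NAME.match(base)
            component = f"{m['name']} {m['version']}"
        else:
            component = base
        rows.append({"path": path, "component": component, "layer": layer,
                     "scanner_coverage": COVERAGE[layer]})
    return rows


def uncovered(files: List[str], db_text: str) -> List[str]:
    """Files a package-based scanner would not report on: the gap to close by other means."""
    return [r["path"] for r in inventory(files, db_text) if r["layer"] != "os package"]


if __name__ == "__main__":
    for row in inventory(IMAGE_FILES, APK_INSTALLED_DB):
        print(f"{row['layer']:32} {row['component']:30} {row['scanner_coverage']}")
```

Everything the package database knows about, including the JRE's rt.jar, is reported with a name and version a scanner can match against advisories; Tomcat unpacked under /usr/local and the jars under /app carry no such metadata, which is why the slide lists them as out of scope and why a separate dependency inventory is needed for those layers.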
58. Kubernetes Application Life Cycle
Application lifecycle : Scala
Scala
● sbt
● …
● Play
● Spark
● ...
II. Application life cycle
59. Kubernetes Application Life Cycle
It can rapidly become unmanageable
II. Application life cycle
60. Kubernetes Application Life Cycle
Contents
I. Reminder
A. Docker
1. intro
2. isolation
3. layers
B. Kubernetes
1. generic
2. deployment
C. Development pipeline (security focus)
II. Application life cycle
A. Scanning tools
B. Too many technologies
III. Proposed solution
A. 1,2,3 Hosting
B. Pitfalls
61. Kubernetes Application Life Cycle
[Diagram] The same breadcrumb of an application image, from bottom to top:
  Infrastructure
  Operating System (Node OS), running the kubelet
  Operating System (Docker image): Alpine base image
  Toolings / Utils
  Language toolings: OpenJDK 8; PHP 7.1, PHP 5.6
  Application toolings: Tomcat, Wildfly, Spring Boot; Apache httpd 2.4
  Frameworks / external libs: app lib; Drupal, Wordpress
  Application code: App 1, App 2, App 3, App 4, App 5
Each stack is packaged as its own Docker image, published as https://myregistry.org/.../App1:x.y, ../App2:x.y, ../App3:x.y, ../App4:x.y, ../App5:x.y.
Annotations on the layers: "Usually ops scope" and "Usually Dev scope".
III. Proposed solution
62. Kubernetes Application Life Cycle
Proposed vocabulary
Base image : an intermediate image whose job is to process program
code in order to produce an application image.
Application image : an image run in Kubernetes that provides the
custom service developed by the company. It can be built from a
base image or from a custom Dockerfile.
Still image : an image run in the Kubernetes cluster with only
configuration adaptations. A still image is built from non-internal
source code or binaries.
III. Proposed solution
66. Kubernetes Application Life Cycle
1,2,3 hosting
1 : the project uses a Dockerfile based on the base images and still
images proposed and maintained by the hosting team (ops)
2 : the project uses its own Dockerfile but is in charge of its
maintenance (especially security)
3 : the project uses third-party images (signed images)
III. Proposed solution
73. Kubernetes Application Life Cycle
Pitfalls
● Absence of a project Owner
● Tooling focus / automation freak
● Lack of communication (especially between dev team and hosting team)
● Build to Prod (no test)
● Too many versions, too many variants
● Lack of management support / acceptance in rules enforcement
III. Proposed solution
74. Kubernetes Application Life Cycle
Thank you
● Questions ?
III. Proposed solution