Now that we have passed “peak orchestrator” and as Kubernetes eats the world, we are left wondering: how secure is Kubernetes? Can we really run Google-style multi tenanted infrastructure safely? And how can we be sure what we configured yesterday will be in place tomorrow? In this talk we discuss: - the Kubernetes security landscape - risks, security models, and configuration best-practices - how to configure users and applications with least-privilege - how to isolate and segregate workloads and networks - hard and soft multi-tenancy - Continuous Security approaches to Kubernetes.
Introduction to Kubernetes Security (Aqua & Weaveworks)Weaveworks
Kubernetes is fundamentally a complex system with lots of different potential attack vectors aimed at data theft, currency mining and other threats. During this webinar, Aqua Security and Weaveworks will provide an overview of the current state of security-related features in Kubernetes, demonstrate how you can build a secure and reliable Kubernetes deployment pipeline with GitOps best practices, and explore how to best prevent common Git attacks. In addition we will show image scanning and briefly explore how to best prevent common Git attacks.
Kubernetes is more or less one of the biggest players when it comes to Container orchestration. Since Kubernetes 1.7 RBAC (Role Based Access Control) is the default for the authorisation of actions in you cluster. There are many other components, like Pod Security Policies, Network Policies, Admisstion Controllers, that allows you to secure your Kubernetes cluster.
In this talk I will show you how these things can work together and which problem these components try to solve. Also I will show you an overview how other tools like Vault can fit into the Kubernetes ecosystem to make you platform more secure.
Event: DevFest Karlsruhe, 09.12.2017
Speaker: Johannes M. Scheuermann
Weitere Tech-Vorträge: https://www.inovex.de/de/content-pool/vortraege/
Weitere Tech-Artikel: https://www.inovex.de/blog/
My cloud native security talk I gave at Innotech Austin 2018. I cover container and Kubernetes security topics, security features in Kubernetes, including opensource projects you will want to consider while building and maintaining cloud native applications.
Container Security Deep Dive & Kubernetes Aqua Security
Container Security Deep Dive & Kubernetes by Tsvi Korren, Director of Technical Services at Aqua.
Container security best practices and implications in a Kubernetes environment. Tsvi will cover security for your containerized applications from development, through build, ship, and run, and as a result, how to make your entire Kubernetes deployment more secure.
Introduction to Kubernetes Security (Aqua & Weaveworks)Weaveworks
Kubernetes is fundamentally a complex system with lots of different potential attack vectors aimed at data theft, currency mining and other threats. During this webinar, Aqua Security and Weaveworks will provide an overview of the current state of security-related features in Kubernetes, demonstrate how you can build a secure and reliable Kubernetes deployment pipeline with GitOps best practices, and explore how to best prevent common Git attacks. In addition we will show image scanning and briefly explore how to best prevent common Git attacks.
Kubernetes is more or less one of the biggest players when it comes to Container orchestration. Since Kubernetes 1.7 RBAC (Role Based Access Control) is the default for the authorisation of actions in you cluster. There are many other components, like Pod Security Policies, Network Policies, Admisstion Controllers, that allows you to secure your Kubernetes cluster.
In this talk I will show you how these things can work together and which problem these components try to solve. Also I will show you an overview how other tools like Vault can fit into the Kubernetes ecosystem to make you platform more secure.
Event: DevFest Karlsruhe, 09.12.2017
Speaker: Johannes M. Scheuermann
Weitere Tech-Vorträge: https://www.inovex.de/de/content-pool/vortraege/
Weitere Tech-Artikel: https://www.inovex.de/blog/
My cloud native security talk I gave at Innotech Austin 2018. I cover container and Kubernetes security topics, security features in Kubernetes, including opensource projects you will want to consider while building and maintaining cloud native applications.
Container Security Deep Dive & Kubernetes Aqua Security
Container Security Deep Dive & Kubernetes by Tsvi Korren, Director of Technical Services at Aqua.
Container security best practices and implications in a Kubernetes environment. Tsvi will cover security for your containerized applications from development, through build, ship, and run, and as a result, how to make your entire Kubernetes deployment more secure.
Security best practices for kubernetes deploymentMichael Cherny
Security best practices for a Kubernetes Deployment - from development, through build, ship, networking and run time controls.
Was presented at New York Kubernetes meetup https://www.meetup.com/New-York-Kubernetes-Meetup/events/237790149/
What is Google Cloud Good For at DevFestInspire 2021Robert John
My presentation at DevFestLagos on "What is Google Cloud Good For". It's an overview of the Google Cloud Platform for those unfamiliar with it. You can watch the session here: https://www.youtube.com/watch?v=wi-p8fqFLrU
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion
Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Openshift. A powerful policy-based management that makes networking on large scale easy. We will see some code examples, use cases and an easy tutorial on the web. This session is a follow up to the successful sessions at Codemotion Rome and Amsterdam in 2016: we'll go deeper into the architecture and the use cases.
Keeping your Kubernetes Cluster SecureGene Gotimer
Many organizations are shifting to containers and Kubernetes, and that move means learning new ways to secure their environments. Kubernetes clusters have to be hardened at different levels. We have to consider the nodes where the Kubernetes control plane is running. We also need to secure the Kubernetes workloads and check the files that create them. And we need to inspect the containers we are using for vulnerabilities and unusual behavior.
Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. You will see how they can be used in a pipeline to build your Kubernetes cluster safely and keep it secure.
Containers are everywhere these days. Many of us are containerizing our applications to take advantage of the ease of a single artifact, but what can we do to make deploying these containers to a fleet of servers easier? Kubernetes is arguably the most popular container orchestration system to date. Kubernetes was born out of a decade of research at Google and has seen success; by itself as a fantastic way to orchestrate containers across multiple machines and as a component in other platforms.
This talk will begin with the anatomy and setup of a Kubernetes cluster. We'll demonstrate (live) taking a container containing a simple web service and launch our application into a small Kubernetes cluster. Next we'll perform a rolling update to deploy a new container version with zero downtime. Also, we'll check out some cool debugging features Kubernetes provides over the course of our demo.
When you are designing a production environment security is essential. All the Docker ecosystem but in particular Docker Swarm allows us to ship our containers out of our laptop, how can we make this process safe? During my talk, I will share tips around production environment, immutability and how troubleshooting common attack as code injection with Docker. Static analysis of our images, content trust with Notary to make our journey secure.
How can we setup a cluster on the main cloud providers with VPN and node labeling to expose only a portion of our cluster? I will also show what Docker provides (Content Trust, Static Analysis) but also open source alternatives as Notary, centos/clair and Cilium.
In the end of this talk, we had a better idea around how manage Docker in production.
Docker for any type of workload and any IT InfrastructureDocker, Inc.
This presentation discusses the different types of workloads typical enterprises are required to run, which use cases exist for containerizing them and how leading-edge workload orchestration can be used to deploy, run and manage the containerized workloads or various types or scale-out infrastructures, such as on-premise clusters, public clouds or hybrid clouds.
DCEU 18: Docker Enterprise Platform and ArchitectureDocker, Inc.
Jean Rouge - Sr. Software Engineer, Docker
David Yu - Product Manager, Docker
Docker Enterprise is an enterprise container platform for developers and IT admins building and managing container applications. The platform includes integrated orchestration (Swarm and Kubernetes), advanced private image registry, and centralized admin console to secure, troubleshoot, and manage containerized applications. This talk will focus on the Docker Enterprise platform's technical architecture, key features and use cases it is designed to support. Key areas covered in this session: -Latest features and enhancements -Security and Compliance - how to ensure oversight and validate applications for different compliance regulations -Operational Insight - how to identify and troubleshoot issues in your container environment -Integrated Technology - the technologies are supported and can be run with Docker Enterprise -Policy-based Automation - how to scale container environments through automated policies.
Cloud native applications are popular these days – applications that run in the cloud reliably und scale almost arbitrarily. They follow three key principles: They are built and composed as microservices, they are packaged and distributed in containers and the containers are executed dynamically in the cloud. In this hands-on session we will show how to build, package and deploy cloud native Java EE applications on top of DC/OS - fully automated with Gradle using cloud native infrastructure like Consul, Fabio, Hystrix and Prometheus. And for the fun of it we will be using an off-the-shelf DJ pad, programmed with nothing else than the Java Sound API, to demonstrate the core concepts and to visualize and remote control DC/OS.
This presentation covers the basics of dockers, its security related features and how certain misconfigurations can be used to escape from container to host
présentation de l'utilisation de Docker, du niveau 0 "je joue avec sur mon poste" au niveau Docker Hero "je tourne en prod".
Ce talk fait suite à l'intro de @dgageot et ne comporte donc pas l'intro "c'est quoi Docker ?".
Effective security requires a layered approach. If one layer is comprised, the additional layers will (hopefully) stop an attacker from going further. Much of container security has focused on the image build process and providing providence for the artifacts in a container image, and restricting kernel level tunables in the container runtime (seccomp, SELinux, capabilities, etc). What if we can detect abnormal behavior in the application and the container runtime environment as well? In this talk, we’ll present Falco - an open source project for runtime security - and discuss how it provides application and container runtime security. We will show how Falco taps Linux system calls to provide low level insight into application behavior, and how to write Falco rules to detect abnormal behavior. Finally we will show how Falco can trigger notifications to stop abnormal behavior, notify humans, and isolate the compromised application for forensics. Attendees will leave with a better understanding of the container security landscape, what problems runtime security solves, & how Falco can provide runtime security and incident response.
Top 3 reasons why you should run your Enterprise workloads on GKESreenivas Makam
This deck covers top 3 reasons why Google Kubernetes engine is best suited to run containerized workloads. The reasons covered are Security, Observability and Maturity.
Security best practices for kubernetes deploymentMichael Cherny
Security best practices for a Kubernetes Deployment - from development, through build, ship, networking and run time controls.
Was presented at New York Kubernetes meetup https://www.meetup.com/New-York-Kubernetes-Meetup/events/237790149/
What is Google Cloud Good For at DevFestInspire 2021Robert John
My presentation at DevFestLagos on "What is Google Cloud Good For". It's an overview of the Google Cloud Platform for those unfamiliar with it. You can watch the session here: https://www.youtube.com/watch?v=wi-p8fqFLrU
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion
Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Openshift. A powerful policy-based management that makes networking on large scale easy. We will see some code examples, use cases and an easy tutorial on the web. This session is a follow up to the successful sessions at Codemotion Rome and Amsterdam in 2016: we'll go deeper into the architecture and the use cases.
Keeping your Kubernetes Cluster SecureGene Gotimer
Many organizations are shifting to containers and Kubernetes, and that move means learning new ways to secure their environments. Kubernetes clusters have to be hardened at different levels. We have to consider the nodes where the Kubernetes control plane is running. We also need to secure the Kubernetes workloads and check the files that create them. And we need to inspect the containers we are using for vulnerabilities and unusual behavior.
Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. You will see how they can be used in a pipeline to build your Kubernetes cluster safely and keep it secure.
Containers are everywhere these days. Many of us are containerizing our applications to take advantage of the ease of a single artifact, but what can we do to make deploying these containers to a fleet of servers easier? Kubernetes is arguably the most popular container orchestration system to date. Kubernetes was born out of a decade of research at Google and has seen success; by itself as a fantastic way to orchestrate containers across multiple machines and as a component in other platforms.
This talk will begin with the anatomy and setup of a Kubernetes cluster. We'll demonstrate (live) taking a container containing a simple web service and launch our application into a small Kubernetes cluster. Next we'll perform a rolling update to deploy a new container version with zero downtime. Also, we'll check out some cool debugging features Kubernetes provides over the course of our demo.
When you are designing a production environment security is essential. All the Docker ecosystem but in particular Docker Swarm allows us to ship our containers out of our laptop, how can we make this process safe? During my talk, I will share tips around production environment, immutability and how troubleshooting common attack as code injection with Docker. Static analysis of our images, content trust with Notary to make our journey secure.
How can we setup a cluster on the main cloud providers with VPN and node labeling to expose only a portion of our cluster? I will also show what Docker provides (Content Trust, Static Analysis) but also open source alternatives as Notary, centos/clair and Cilium.
In the end of this talk, we had a better idea around how manage Docker in production.
Docker for any type of workload and any IT InfrastructureDocker, Inc.
This presentation discusses the different types of workloads typical enterprises are required to run, which use cases exist for containerizing them and how leading-edge workload orchestration can be used to deploy, run and manage the containerized workloads or various types or scale-out infrastructures, such as on-premise clusters, public clouds or hybrid clouds.
DCEU 18: Docker Enterprise Platform and ArchitectureDocker, Inc.
Jean Rouge - Sr. Software Engineer, Docker
David Yu - Product Manager, Docker
Docker Enterprise is an enterprise container platform for developers and IT admins building and managing container applications. The platform includes integrated orchestration (Swarm and Kubernetes), advanced private image registry, and centralized admin console to secure, troubleshoot, and manage containerized applications. This talk will focus on the Docker Enterprise platform's technical architecture, key features and use cases it is designed to support. Key areas covered in this session: -Latest features and enhancements -Security and Compliance - how to ensure oversight and validate applications for different compliance regulations -Operational Insight - how to identify and troubleshoot issues in your container environment -Integrated Technology - the technologies are supported and can be run with Docker Enterprise -Policy-based Automation - how to scale container environments through automated policies.
Cloud native applications are popular these days – applications that run in the cloud reliably und scale almost arbitrarily. They follow three key principles: They are built and composed as microservices, they are packaged and distributed in containers and the containers are executed dynamically in the cloud. In this hands-on session we will show how to build, package and deploy cloud native Java EE applications on top of DC/OS - fully automated with Gradle using cloud native infrastructure like Consul, Fabio, Hystrix and Prometheus. And for the fun of it we will be using an off-the-shelf DJ pad, programmed with nothing else than the Java Sound API, to demonstrate the core concepts and to visualize and remote control DC/OS.
This presentation covers the basics of dockers, its security related features and how certain misconfigurations can be used to escape from container to host
présentation de l'utilisation de Docker, du niveau 0 "je joue avec sur mon poste" au niveau Docker Hero "je tourne en prod".
Ce talk fait suite à l'intro de @dgageot et ne comporte donc pas l'intro "c'est quoi Docker ?".
Effective security requires a layered approach. If one layer is comprised, the additional layers will (hopefully) stop an attacker from going further. Much of container security has focused on the image build process and providing providence for the artifacts in a container image, and restricting kernel level tunables in the container runtime (seccomp, SELinux, capabilities, etc). What if we can detect abnormal behavior in the application and the container runtime environment as well? In this talk, we’ll present Falco - an open source project for runtime security - and discuss how it provides application and container runtime security. We will show how Falco taps Linux system calls to provide low level insight into application behavior, and how to write Falco rules to detect abnormal behavior. Finally we will show how Falco can trigger notifications to stop abnormal behavior, notify humans, and isolate the compromised application for forensics. Attendees will leave with a better understanding of the container security landscape, what problems runtime security solves, & how Falco can provide runtime security and incident response.
Top 3 reasons why you should run your Enterprise workloads on GKESreenivas Makam
This deck covers top 3 reasons why Google Kubernetes engine is best suited to run containerized workloads. The reasons covered are Security, Observability and Maturity.
JDO 2019: What you should be aware of before setting up kubernetes on premise...PROIDEA
Kubernetes is trendy. There are tons of presentations on how companies saved lots of money by migrating to Kubernetes. Kubernetes is mostly advertised as a cloud service, but there are companies that can't or don't want to migrate their services to the cloud. For them there are solutions to set up Kubernetes on premise. Before you decide to visit that land, I must warn you: there are demons waiting for you, demons that nobody speaks about in public...
Cloud-Native Operations with Kubernetes and CI/CDVMware Tanzu
Operations practices have historically lagged behind development. Agile and Extreme Programming have become common practice for development teams. In the last decade, the DevOps and SRE movements have brought these concepts to operations, borrowing heavily from Lean principles such as Kanban and Value Stream Mapping. So, how does all of this play out if we’re using Kubernetes?
In this class, Paul Czarkowski, Principal Technologist at Pivotal, will explain how Kubernetes enables a new cloud-native way of operating software. Attend to learn:
● what cloud-native operations are;
● how to build a cloud-native CI/CD stack; and
● how to deploy and upgrade an application from source to production on Kubernetes.
Presenter:
Paul Czarkowski, Principal Technologist, Pivotal Software
One of the best practices from a security point of view is to introduce the management of the certificates that we are going to use to support protocols such as SSL / TLS. In this talk we will explain cert-manager and his implementation in K8s as a native Kubernetes certificate management controller that allows us to manage connection certificates and secure communications through SSL/TLS protocols. Later I will explain the main functionalities and advantages that cert-manager provides, for example it allows us to validate that the certificates we are using in different environments are correct. Finally, some use cases are studied in which to use cert-manager and the integration with other services such as Let's Encrypt or HashiCorp Vault.
Sydney based cloud consultancy Cloudten's Richard Tomkinson shows how masterless Puppet can be used in concert with AWS's services including Lambda to automate server builds and manage code deployments
In the latest versions of K8s there has been an evolution regarding the definition of security strategies at the level of access policies to the cluster by users and developers. The security contexts (securityContext) allow you to define the configurations at the level of access control and privileges for a pod or container in a simple way using keywords in the configuration files.
To facilitate the implementation of these security strategies throughout the cluster, new strategies have emerged such as the Pod Security Policy (PSP) where the cluster administrator is in charge of defining these policies at the cluster level with the aim that developers can follow these policies.
Other interesting projects include Open Policy Agent (OPA) as the main cloud-native authorization policy agent for creating policies and managing user permissions for access to applications.
The objective of this talk is to present the evolution that has occurred in security strategies and how we could use them together, as well as analyze their behavior in accessing resources. Among the points to be discussed we can highlight:
*Introduction to security strategies in K8s environments
*Pod Security Admission(PSA) vs Open Policy Agent (OPA)
*Combination of different security strategies together
*Access to resources in privileged and non-privileged mode
Kubernetes is designed to be an extensible system. But what is the vision for Kubernetes Extensibility? Do you know the difference between webhooks and cloud providers, or between CRI, CSI, and CNI? In this talk we will explore what extension points exist, how they have evolved, and how to use them to make the system do new and interesting things. We’ll give our vision for how they will probably evolve in the future, and talk about the sorts of things we expect the broader Kubernetes ecosystem to build with them.
Containers deployments in Kubernetes clusters create both familiar and new security challenges. Given the ephemeral nature of containers, the speed and agility goals of microservices architecture, a preliminary detection of potential risks, and early discovery of viable threats yield the best security outcomes.
Successfully addressing the Kubernetes security challenges requires integrating security into each phase of the container lifecycle: build, deploy, and run.
This webinar will throw light on how to:
* Stay on top of ongoing Kubernetes hygiene by hardening your nodes, employing best practices
* Implement role-based access control of users
* Manage Kubernetes Secrets
* Thwart an attack, with a live demo
Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
Incredibly powerful and flexible, Kubernetes role-based access control (RBAC) is an essential tool to effectively manage production clusters. Yet many Ops and DevOps engineers are still facing barriers to efficiently use it at scale. These include a steep learning curve, YAML-based configuration, lack of standardized best practices, and the general complexity of this functionality at large -- it truly can be somewhat overwhelming.
During this meetup Oleg, CTO at Kublr, will discuss Kubernetes RBAC concepts and objects. He'll explore different use cases ranging from simple permission management for in-cluster application accounts to integrations with external identity providers for SSO and enterprise user access management.
Leveraging the Kublr Platform, Oleg will demonstrate how it simplifies the management of access and RBAC rules in a cloud native environment while staying vendor-independent and compatible with any Kubernetes distribution.
Build Your Own CaaS (Container as a Service)HungWei Chiu
In this slide, I introduce the kubernetes and show an example what is CaaS and what it can provides.
Besides, I also introduce how to setup a continuous integration and continuous deployment for the CaaS platform.
The slide deck was used during the Azure user group meet up on 16th August 2018. It is part of Hands on Lab for learning Azure Kubernetes Service. The talk demonstrated usage of Minikube to test Kubernetes manifest files using a single node cluster. The features covered as part of hands on demo included Namespaces, Pods, Deployment, Service, StatefulSets.
CloudYuga presented at Kubernetes meetup in Banglaore on 22nd Dec'18. In this we covered how to setup a Kubernetes cluster from scratch on DigitalOcean. Full tutorial can be accessed at https://pilot.cloudyuga.guru/ .
Presented by Drew Malone, Staff Solutions Engineer Tanzu Federal VMware at Kubernetes Community Days, Washington DC, September 14, 2022
What do US Government Users Say About Kubernetes?
● Complex to manage Day Two Operations
● Disconnected Environments from Day One
● Need capability both in the cloud and at the edge (various meanings)
● Developer Experience is Lacking because of the complexity
● Ton of Hype about Kubernetes but Commanders and CIO’s want outcomes
● Everyone talks about installing and securing Kubernetes, but rarely do we see Developers pushing apps to production on kubernetes
Standing up Airgapped Kubernetes is Hard
Securing, Operating and Pushing Code to k8s is even Harder
Similar to DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security (20)
DevOpsDaysRiga 2017: Mark Smalley - Kill DevOpsDevOpsDays Riga
A fast-moving, outside-in talk that 'sells' the value of DevOps to business executives, finds the weakest link in the value stream and explores the often troubled relationship between IT people and normal people (the business).
There is much hype around DevOps, so what are we actually talking about? DevOps improved Agile by speeding up deployment (and more). But how do you 'sell' DevOps to business executives who don't understand IT?
No business value is realized until the users actually use the systems well. This is often the weakest link in the IT value chain, so you need to extend your scope.
Collaboration is difficult and collaboration between business and IT even more so. What kind of behaviour is effective? Learn from workshop results from practitioners in 11 countries.
But why "Kill DevOps"? This refers to an ancient Zen saying about a monk’s journey towards enlightenment and awakening. If you think that you’ve found Buddha, think again, because you never will. It’s the same with DevOps: it’s about continuous experimentation and learning.
DevOpsDaysRiga 2018: Serhat Can - The Rocky Path to Migrating Production Appl...DevOpsDays Riga
Our journey to Serverless started a year and a half ago and we have learned a lot. We still are, maybe a bit tired than we started but we still are… This will be a short version of OpsGenie’s journey to Serverless. I’m planning to share our experience of using AWS Lambda with Java on production.
DevOpsDays Ignite karaoke, where a volunteer, in this case, Uldis, comes on stage and gives a 5 minutes presentation about a topic that has just been proposed by attendees (Serverless) with 20 random slides, that he has not seen before.
DevOpsDaysRiga 2018: Anton Babenko - What you see is what you get… for AWS in...DevOpsDays Riga
Get your AWS infrastructure implemented as code automatically from the visual diagram (cloudcraft.co)! Want to know how to do it? Anton Babenko, a long time developer, CTO, and tech-lead, will show you just in 5 minutes during his Ignite Talk @ DevOpsDays Riga event.
DevOpsDaysRiga 2018: Juris Puce - GDPR and other security regulation imposed ...DevOpsDays Riga
How and what effects does the GDPR have on software development? What kind of specific requirements does the security regulatory frameworks impose and different ways to try to solve them. Would there be a need for extensive redesign of existing systems and in which areas? Find out more by Juris Pūce. He has an experience in running software development teams in both standardised software development scenarios, as well as in implementations of DeepLearning, AI and Machine Vision solutions.
Burnout often has been seen as an indicator of success and working hard, when it’s actually harming the growth of our developer communities and teams. Heather Wilde will talk about burnout culture. She is CTO of ROCeteer, personal and professional growth expert, executive coach, author, and speaker. As a founding employee of Evernote, she oversaw the company’s growth from thousands to 100,000,000 customers. Wilde’s writing as a columnist for Inc and Forbes spans social media, entrepreneurialism, startups, leadership, fundraising, and diversity issues.
DevOpsDaysRiga 2018: Philipp Krenn - Building Distributed Systems in Distribu...DevOpsDays Riga
"Building distributed systems is notoriously hard … building a distributed team even more so. At Elastic — the company behind the open source tools Elasticsearch, Kibana, Beats, and Logstash — everything is distributed; both the company and all our products. I will tell you how we do it," promises Philipp Krenn from Vienna, Austria. He is part of the infrastructure team and a developer advocate at Elastic.
DevOpsDaysRiga 2018: Antonio Pigna - Put the brAIn into your DevOps workflowDevOpsDays Riga
Artificial Intelligence (AI) becomes more and more an element of differentiation to manage the increasing complexity of information. What steps you should do to get your infrastructure AI ready? The presentation will focus on the opportunities of using AI to make DevOps ecosystem efficient. Presentation is going to be lead by Antonio Pigna, Automation Architect @ Accenture, based in Naples, Italy.
DevOpsDaysRiga 2018: Christina Aldan - Fearing the Robot OverlordsDevOpsDays Riga
We fear robot overlords as we do vampires, werewolves, and other baddies that go bump in the night. We worry that their intelligence will take our jobs, our livelihood, our freedom, and enslave us to their bidding; or at least that’s how it happens in the movies. This talk addresses our relationship with computers as tools and how we should allow computers to do the work, so people can do the innovating. Talk by Christina Aldan, TEDx speaker, trainer, and digital advertising consultant whose boutique agency, LG Designs, offers businesses brand consulting and creative content for everyday media.
DevOpsDaysRiga 2018: Jan de Vries - Realising the power of antifragility is l...DevOpsDays Riga
In early 2018 Nassim Nicholas Taleb, one of the foremost thinkers of our time, published a new book: Skin in the game. About hidden asymmetries in daily life. Jan de Vries translates this book towards DevOps, as he did before with Taleb’s book Antifragile. It explains why some concepts work and others don’t. It’s like turning on the light in your DevOps environment. And it helps you to improve your (IT) organisation in the right direction. This talk contains practical tips and tricks that can be applied instantly.
DevOpsDaysRiga 2018: Ken Mugrage - DevOps and DevOpsDays - Where it started, ...DevOpsDays Riga
The term DevOps was created for DevOpsDays in 2009. Since that time, the term has grown into a worldwide phenomenon. Ken Mugrage, one of the current global organizers for DevOpsDays, will talk about the history of DevOps - where it is today, and where it’s going. He has more than 25 years of experience in the IT industry, spending the last 9 at ThoughtWorks. Ken has been focused on Continuous Delivery and DevOps for most of the past decade working with organizations all over the world ranging from startups to Fortune 50 companies.
Link: https://www.devopsdays.org/events/2018-riga/program/ken-mugrage-talk-1
DevOpsDaysRiga 2018: Matty Stratton - How Do You Infect Your Organization Wit...DevOpsDays Riga
Richard Dawkins described memes as being a form of cultural propagation, which is a way for people to transmit social memories and cultural ideas to each other. Not unlike the way that DNA and life will spread from location to location, a meme idea will also travel from mind to mind.
Getting your organization to take a step back and look at how ops affects people (awareness of alert fatigue, burnout risk, proactive/reactive approaches) can be a tough challenge.
In this talk, I will discuss how the very DNA of an organization can evolve through the use of actionable communications from all levels - management, strategy, and practitioners. The “virus” of humane ops will infect your organization, providing a more sustainable approach to on-call, incident resolution, post-mortems, and more. There also will be copious references to the Neal Stephenson classic novel, Snow Crash.
After this talk, you will have ideas of practical approaches to effect change in your organization, regardless of your level of influence. While not every group will use the same “viruses”, you will take away a good understanding of where to get started as Patient Zero.
DevOpsDaysRiga 2018: Eric Skoglund, Lars Albertsson - Kubernetes as data plat...DevOpsDays Riga
"Bonnier News is the largest news organisation in Sweden, publishing Dagens Nyheter and Expressen, two of the country’s largest newspapers. When we needed to build a new data processing platform that could accommodate the needs of many different, competing brands, we turned to Openshift and Kubernetes. In this presentation, we will describe the architectural tradeoffs and choices we made, and how we have been able to deploy data flows at a high rate by focusing on technical simplicity." Lars Albertsson is an independent consultant for Bonnier News as well as Spotify, several startups and banks. He will talk together with Eric Skoglund, the product owner of Bonnier News’s data platform project.
DevOpsDaysRiga 2018: Jon Hall - DevOps in the enterprise: how "swarming" can ...DevOpsDays Riga
As DevOps becomes increasingly established in enterprises, and its outputs become widely adopted, DevOps practitioners increasingly find themselves absorbed into traditional, large scale IT support structures. Often this means becoming “tier 3” in a multi-layered support structure. The shortcomings of this structure make it the antithesis of DevOps: the siloed nature of tiered support creates work-in-progress queues. Cross-functional collaboration is limited, communication is disjointed, and knowledge sharing is difficult. In this presentation we will discuss Swarming: an alternative methodology now emerging in forward-looking enterprises, which sets out to dismantle the tiered approach, replacing it with a dynamic, lean, and cross-functional methodology which is a much better fit for DevOps.
DevOpsDaysRiga 2018: Stas Zvinyatskovsky - Transformation: how big can you dr...DevOpsDays Riga
Can we produce a blueprint for a transformation? This presentation will cover several distinct approaches that companies take to achieve transformation. Each approach utilizes different levers and comes with its own advantages, tradeoffs, costs, risks, and outcomes. Find out more at DevOpsDays Riga 2018 event by Stas Zvinyatskovsky, Managing Director @ Accenture.
DevOpsDaysRiga 2018: Joep Piscaer - Reducing inertia with Public Cloud and Op...DevOpsDays Riga
"I have a strategy to solve the DevOps transitional challenge. It is called reducing inertia that can be seen on daily basis in finances, team behavior and tech stacks. Reducing the friction in these areas is key to successfully move to the DevOps way of work. For me, ‘inertia’ is a good way of making value flow visible and I’ve been using it as the principle underlying my work. This approach can be applied especially successfully in more complex environments, such as enterprises."
Joep Piscaer is a technologist with team building skills. He likes all things infrastructure (cloud, storage, virtualization), but really shines when it comes to DevOps and Infra-as-Code. Currently, Joep is building the Jumbo Tech Campus. It is the second biggest supermarket in the Netherlands and the fastest growing online supermarket there.
SysAdmins are obsolete, we need more DevOps engineers! Or do we?
In this talk, the author will give several use cases from his personal experience helping organizations to implement DevOps initiatives and automation of software delivery and testing.
Why technology X is not what you need right now
Why ignoring skills that are already present in the team may be a huge risk
Why everything-as-code is an effective approach
Why not investing in team member education may be very destructive
Why not having time is a bad excuse for not automating
Why process improvement effects may not be observable immediately
Why cost of automation sometimes is higher than the time invested in writing the scripts
DevOpsDaysRiga 2018: Thiago de Faria - Chaos while deploying ML and making su...DevOpsDays Riga
AI is such a buzzword, with its futuristic implementations and sophisticated machine learning algorithms (Hello, Deep learning!). We are using ML when we need external data to reach a working product because it would be impossible to solve it with the regular for/if/loops. What are the next steps? Moreover, what about Test, Release and Deployment? We always value data and call our organizations “data-driven”, but now the impact is even bigger. If you are using a ML component, misused/dirty/problematic data will affect not your internal reports as before… but your application deployment and quality of service. Let’s hear discuss some AI implementations stories (its advantages/problems) finding common mistakes and future challenges for such a hyped theme.
DevOpsDaysRiga 2018: Anton Arhipov - Build pipelines with TeamCityDevOpsDays Riga
Build engineering is fun, especially with the awesome choice of tools we have today! In this showcase I’m building a build pipeline with TeamCity. You are going to learn why build pipelines are useful (yes, not only for the sake of eye candy!), and how the CI server can optimise when properly configured.
In this talk I’m going to start with the simple scenarios and gradually introduce the complexity: scaling the project by adding constraints and requirements. This will result in changing the build process and revealing the tips & tricks alongside.
DevOpsDaysRiga 2018: Neil Crawford - Trunk based development, continuous depl...DevOpsDays Riga
Practices of trunk based development and continuous deployment have helped our six vertical slice product delivery teams be able to work together on a single product (and codebase) while maintaining rapid iteration and experimentation. With this talk I hope to inspire more teams to try these practices.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
11. What this Kubernetes talk is about
● Common Pwns
● Hardening the Control Plane
● Securing Workloads and Networks
● Hard and Soft Multi Tenancy
● Continuous Security
26. Minimum Viable Security
TLS Everywhere
Note that some components and installation methods may enable local
ports over HTTP and administrators should familiarize themselves with the
settings of each component to identify potentially unsecured traffic.
https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#use-transpo
rt-level-security-tls-for-all-api-traffic
27. Bootstrapping TLS
Kubernetes the Hard Way
● https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/doc
s/04-certificate-authority.md
Kubelet TLS Bootstrap (still beta, stable v1.11?)
● https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/
● https://github.com/kubernetes/features/issues/43
31. External Auth to API Server (e.g. via kubectl)
● https://thenewstack.io/kubernetes-single-sign-one-less-identity/
● https://github.com/coreos/dex - OpenID Connect Identity (OIDC) and OAuth
2.0 provider with pluggable connectors
● https://github.com/negz/kuberos - OIDC authentication helper for kubectl (also
https://cloud.google.com/community/tutorials/kubernetes-auth-openid-rbac)
● https://github.com/micahhausler/k8s-oidc-helper - helper tool for
authenticating to Kubernetes using Google's OpenID Connect
45. kubesec.io - example insecure pod
{
"score": -30,
"scoring": {
"critical": [{
"selector": "containers[] .securityContext .privileged == true",
"reason": "Privileged containers can allow almost completely unrestricted host access"
}],
"advise": [{
"selector": "containers[] .securityContext .runAsNonRoot == true",
"reason": "Force the running image to run as a non-root user to ensure least privilege"
}, {
"selector": "containers[] .securityContext .capabilities .drop",
"reason": "Reducing kernel capabilities available to a container limits its attack surface",
"href": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
},
...
46. PodSecurityPolicies
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false # Required to prevent escalations to root.
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
...
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot' # Require the container to run without root privileges.
...
https://gist.github.com/tallclair/11981031b6bfa829bb1fb9dcb7e026b0
47. Resource Linting
● https://kubesec.io/ - calculate “risk” of Kubernetes resource YAML by use of
security features
● https://github.com/garethr/kubetest - unit tests for your Kubernetes
configurations
52. ServiceAccounts
“We recommend you create and use a minimally privileged service account to
run your Kubernetes Engine Cluster”
https://cloudplatform.googleblog.com/2017/11/precious-cargo-securing-containers-
with-Kubernetes-Engine-18.html
57. Admission Controllers: DenyEscalatingExec
deny exec and attach commands to
pods that run with escalated privileges
that allow host access
(privileged, access to host IPC/PID namespaces)
60. Admission Controllers: NodeRestriction
limits the Node and Pod objects a kubelet can modify
kubelets must use credentials in the system:nodes group,
with a username in the form system:node:<nodeName>
n.b. Node Authorizer authorization mode required
https://kubernetes.io/docs/admin/authorization/node/
62. Admission Controllers: NodeRestriction
--authorization-mode=Node
A kubelet can not:
● alter the state of resources of any Pod it does not manage
● access Secrets, ConfigMaps or Persistent Volumes / PVCs, unless they are
bound to a Pod managed by itself
● alter the state of any Node but the one it is running on
https://kubernetes.io/docs/admin/authorization/node/
63. Admission Controllers: PodSecurityPolicy
determines if it should be admitted based on the requested
security context and available Pod Security Policies
https://github.com/kubernetes/examples/tree/master/staging/podsecuritypolicy/rbac
68. --experimental-encryption-provider-config
● Secrets and configmaps are encrypted at rest with ‘aescbc’
○ If ‘aesgcm’ encryption is used, encryption keys should be rotated frequently
● Secure connection is set between apiserver and etcd
● Only apiserver user can read / edit EncryptionConfig file
https://www.twistlock.com/2017/08/02/kubernetes-secrets-encryption/
Secrets and Configmaps
69. Secrets and Configmaps
● https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
● Secure Secret management for Kubernetes (with gpg, Google Cloud KMS
and AWS KMS backends) - https://github.com/shyiko/kubesec
● Encryption at rest KMS integration -
https://github.com/kubernetes/features/issues/460
● https://medium.com/@mtreacher/using-aws-kms-for-application-secrets-in-ku
bernetes-149ffb6b4073
● Sealed Secrets - a Kubernetes controller and tool for one-way encrypted
Secrets https://github.com/bitnami-labs/sealed-secrets
70. TokenRequest API (v1.10 alpha)
The TokenRequest API enables creation of tokens that:
● aren't persisted in the Secrets API
● targeted for specific audiences (such as external secret stores)
● have configurable expiries
● bindable to specific pods.
71. Compliance Scanning
● https://github.com/nccgroup/kube-auto-analyzer - review Kubernetes installations against the
CIS Kubernetes 1.8 Benchmark
● https://github.com/aquasecurity/kube-bench - test versions of Kubernetes (1.6, 1.7 and 1.8)
against CIS Kubernetes 1.0.0, 1.1.0 and 1.2.0
● https://github.com/heptio/sonobuoy - running a set of Kubernetes conformance tests in an
accessible and non-destructive manner
● https://github.com/bgeesaman/sonobuoy-plugin-bulkhead - kube-bench for sonobouy
● https://github.com/bgeesaman/kubeatf - spin up, test, and destroy Kubernetes clusters in a
human and CI/CD friendly way
72. Image Scanning
● https://github.com/coreos/clair
● https://github.com/arminc/clair-local-scan
● https://github.com/optiopay/klar - integration of Clair and Docker Registry
● https://github.com/banyanops/collector
● https://github.com/anchore/anchore-engine
87. netassert - cloud native network testing
k8s: # used for Kubernetes pods
deployment: # only deployments currently supported
test-frontend: # pod name, defaults to `default` namespace
test-microservice: 80 # `test-microservice` is the DNS name of the target service
test-database: -80 # should not be able to access port 80 of `test-database`
new-namespace:test-microservice: # `new-namespace` is the namespace name
test-database.new-namespace: 80 # longer DNS names can be used for other namespaces
test-frontend.default: 80
default:test-database:
test-frontend.default.svc.cluster.local: 80 # full DNS names can be used
test-microservice.default.svc.cluster.local: -80
control-plane.io: 443 # we can check remote services too
https://github.com/controlplaneio/netassert
92. Secure Hosts
● Minimal attack surface
○ CoreOS (RIP), forked as FlatCar Linux- https://coreos.com/ and https://kinvolk.io/
○ Red Hat Atomic - https://www.redhat.com/en/resources/enterprise-linux-atomic-host-datasheet
○ Ubuntu Core -https://www.ubuntu.com/core
○ Container-Optimized OS from Google - https://cloud.google.com/container-optimized-os/docs/
● Security extensions enabled, configured, and monitored
● Immutable infrastructure
● Group nodes by type, usage, and security level
93. No Routes To:
● cadvisor
● heapster
● kubelet
● kubernetes dashboard
● etcd
94. Proxy to Metadata APIs
● https://github.com/jtblin/kube2iam - provides different AWS IAM roles for pods
running on Kubernetes
● https://github.com/uswitch/kiam - allows cluster users to associate IAM roles
to Pods
● https://github.com/heptio/authenticator - allow AWS IAM credentials to
authenticate to a Kubernetes cluster
● https://github.com/GoogleCloudPlatform/k8s-metadata-proxy - a simple proxy
for serving concealed metadata to container workloads
96. MULTI TENANCY: Soft
● Isolate by namespace
○ don't forget the default networkpolicy and podsecuritypolicy
○ assign limits to the namespace with LimitRanges
https://kubernetes.io/docs/tasks/administer-cluster/memory-default-namespace/
● Separate dev/test from production
● Image scanning
○ private registry and build artefacts/supply chain
97. MULTI TENANCY: Soft
● Policed, scanned, compliant base images
○ minimal attack surface
○ FROM scratch if possible
● Deploy admission controllers, pod security policies, etc
● Everything as code
○ https://www.weave.works/blog/gitops-operations-by-pull-request
99. MULTI TENANCY: Hard
● All users untrusted, potentially malicious
○ comfortable running code from multiple third parties, with the potential for malice that implies,
in the same cluster
● Only co-tenant along your existing security boundaries
● Segregate logically by application type, security level, and/or physically by
project/account
● Separate node pools for different tenants
100. Container Runtimes
● runc - CLI tool for spawning and running containers according to the OCI
specification https://github.com/opencontainers/runc
● cri-o - Open Container Initiative-based implementation of Kubernetes
Container Runtime Interface https://github.com/kubernetes-incubator/cri-o
● Kata Containers - hardware virtualized containers https://katacontainers.io/
● VirtualKubelet - a Kubernetes kubelet implementation
https://github.com/virtual-kubelet/virtual-kubelet
● LXC/LXD, rkt, systemd-nspawn -
https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html
101. MULTI TENANCY: Hard
● this may not look a lot like hard multitenancy?
○ it's still running a centralised control plane
● run kubedns in a sidecar to restrict DNS leakage
● mixed vm and container workload
○ Dan Walsh nailed it
○ "glasshouse VMs"
● Defence in depth
● Remote logging
108. Docker
● https://www.youtube.com/watch?v=7mzbIOtcIaQ - Jessie Frazelle’s History of
Containers keynote
● https://github.com/openSUSE/umoci - a complete manipulation tool for OCI
images
● https://github.com/projectatomic/skopeo - work with remote images registries
to retrieve information and images, and sign content
● https://contained.af - Docker/Kubernetes CTF
(https://github.com/jessfraz/contained.af)
111. Continuous Infra Security
● The system can continually self-validate
● Test pipelines are more robust
● Highly skilled penetration testers are free to focus on the
“high-hanging fruit”
112.
113. Conclusion
● The brave new world of Kubernetes increases
attack surface and potential for misconfiguration
● Lots of new security primitives are landing
● The only way to iterate quickly is: supported by a
test suite
● Security testing keeps you young