Incredibly powerful and flexible, Kubernetes role-based access control (RBAC) is an essential tool to effectively manage production clusters. Yet many Ops and DevOps engineers are still facing barriers to efficiently use it at scale. These include a steep learning curve, YAML-based configuration, lack of standardized best practices, and the general complexity of this functionality at large -- it truly can be somewhat overwhelming.
During this meetup Oleg, CTO at Kublr, will discuss Kubernetes RBAC concepts and objects. He'll explore different use cases ranging from simple permission management for in-cluster application accounts to integrations with external identity providers for SSO and enterprise user access management.
Leveraging the Kublr Platform, Oleg will demonstrate how it simplifies the management of access and RBAC rules in a cloud native environment while staying vendor-independent and compatible with any Kubernetes distribution.
** Kubernetes Certification Training: https://www.edureka.co/kubernetes-certification **
This Edureka tutorial on "Kubernetes Architecture" will give you an introduction to popular DevOps tool - Kubernetes, and will deep dive into Kubernetes Architecture and its working. The following topics are covered in this training session:
1. What is Kubernetes
2. Features of Kubernetes
3. Kubernetes Architecture and Its Components
4. Components of Master Node and Worker Node
5. ETCD
6. Network Setup Requirements
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...Brian Grant
Kubernetes can run application containers on clusters of physical or virtual machines.
It can also do much more than that.
Kubernetes satisfies a number of common needs of applications running in production, such as co-locating helper processes, mounting storage systems, distributing secrets, application health checking, replicating application instances, horizontal auto-scaling, load balancing, rolling updates, and resource monitoring.
However, even though Kubernetes provides a lot of functionality, there are always new scenarios that would benefit from new features. Ad hoc orchestration that is acceptable initially often requires robust automation at scale. Application-specific workflows can be streamlined to accelerate developer velocity.
This is why Kubernetes was also designed to serve as a platform for building an ecosystem of components and tools to make it easier to deploy, scale, and manage applications. The Kubernetes control plane is built upon the same APIs that are available to developers and users, implementing resilient control loops that continuously drive the current state towards the desired state. This design has enabled Apache Stratos and a number of other Platform as a Service and Continuous Integration and Deployment systems to build atop Kubernetes.
This presentation introduces Kubernetes’s core primitives, shows how some of its better known features are built on them, and introduces some of the new capabilities that are being added.
- Archeology: before and without Kubernetes
- Deployment: kube-up, DCOS, GKE
- Core Architecture: the apiserver, the kubelet and the scheduler
- Compute Model: the pod, the service and the controller
** Kubernetes Certification Training: https://www.edureka.co/kubernetes-certification **
This Edureka tutorial on "Kubernetes Architecture" will give you an introduction to popular DevOps tool - Kubernetes, and will deep dive into Kubernetes Architecture and its working. The following topics are covered in this training session:
1. What is Kubernetes
2. Features of Kubernetes
3. Kubernetes Architecture and Its Components
4. Components of Master Node and Worker Node
5. ETCD
6. Network Setup Requirements
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an...Brian Grant
Kubernetes can run application containers on clusters of physical or virtual machines.
It can also do much more than that.
Kubernetes satisfies a number of common needs of applications running in production, such as co-locating helper processes, mounting storage systems, distributing secrets, application health checking, replicating application instances, horizontal auto-scaling, load balancing, rolling updates, and resource monitoring.
However, even though Kubernetes provides a lot of functionality, there are always new scenarios that would benefit from new features. Ad hoc orchestration that is acceptable initially often requires robust automation at scale. Application-specific workflows can be streamlined to accelerate developer velocity.
This is why Kubernetes was also designed to serve as a platform for building an ecosystem of components and tools to make it easier to deploy, scale, and manage applications. The Kubernetes control plane is built upon the same APIs that are available to developers and users, implementing resilient control loops that continuously drive the current state towards the desired state. This design has enabled Apache Stratos and a number of other Platform as a Service and Continuous Integration and Deployment systems to build atop Kubernetes.
This presentation introduces Kubernetes’s core primitives, shows how some of its better known features are built on them, and introduces some of the new capabilities that are being added.
- Archeology: before and without Kubernetes
- Deployment: kube-up, DCOS, GKE
- Core Architecture: the apiserver, the kubelet and the scheduler
- Compute Model: the pod, the service and the controller
This presentation covers how app deployment model evolved from bare metal servers to Kubernetes World.
In addition to theoretical information, you will find free KATACODA workshops url to perform practices to understand the details of the each topics.
Cluster-as-code. The Many Ways towards KubernetesQAware GmbH
iSAQB Software Architecture Gathering – Digital 2022, November 2022, Mario-Leander Reimer (@LeanderReimer, Principal Software Architect bei QAware).
== Dokument bitte herunterladen, falls unscharf! Please download slides if blurred! ==
Kubernetes is the de-facto standard when it comes to container orchestration. But why is there is no established, standard and uniform way to spin-up and manage a single or even a whole farm of Kubernetes clusters yet? Instead, a whole bunch of different and mostly incompatible ways towards Kubernetes exist today. Each with its own pros and cons in regards to ease of use, flexibility and many other requirements. In this session we will have a closer look at the different available options to create, manage and operate Kubernetes clusters at scale.
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Henning Jacobs
Kubernetes has the concept of resource requests and limits. Pods get scheduled on the nodes based on their requests and optionally limited in how much of the resource they can consume. Understanding and optimizing resource requests/limits is crucial both for reducing resource "slack" and ensuring application performance/low-latency. This talk shows our approach to monitoring and optimizing Kubernetes resources for 80+ clusters to achieve cost-efficiency and reducing impact for latency-critical applications. All shown tools are Open Source and can be applied to most Kubernetes deployments.
An Operator is an application that encodes the domain knowledge of the application and extends the Kubernetes API through custom resources. They enable users to create, configure, and manage their applications. Operators have been around for a while now, and that has allowed for patterns and best practices to be developed.
In this talk, Lili will explain what operators are in the context of Kubernetes and present the different tools out there to create and maintain operators over time. She will end by demoing the building of an operator from scratch, and also using the helper tools available out there.
An in depth overview of Kubernetes and it's various components.
NOTE: This is a fixed version of a previous presentation (a draft was uploaded with some errors)
This presentation will introduce you to Container, Docker, Kubernetes, and Google Kubernetes Engine (GKE) with a live demo. This also explains Kubernetes basic concepts such as Pod, Deployment, Service, Ingress, and Rolling Update.
See the recorded session on Facebook live here (min 46.49):
https://www.facebook.com/gdgcloudkl/videos/1013942759041907
There's also recorded session on Youtube here (min 46.49):
https://www.youtube.com/watch?v=ht0ynVjkDcI
GDG Cloud KL July Webinar on July 12, 2020
A basic introductory slide set on Kubernetes: What does Kubernetes do, what does Kubernetes not do, which terms are used (Containers, Pods, Services, Replica Sets, Deployments, etc...) and how basic interaction with a Kubernetes cluster is done.
History and Basics of containers, LXC, Docker and Kubernetes. This presentation is given to Engineering colleage students at VIT DevFest 2018. Beginner to Intermediate level.
This presentation explains the basics of Kubernetes ingress traffic management functionality, and how it can be used to simplify managing applications across different environments - in the cloud or on premise.
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
Now that we have passed “peak orchestrator” and as Kubernetes eats the world, we are left wondering: how secure is Kubernetes? Can we really run Google-style multi tenanted infrastructure safely? And how can we be sure what we configured yesterday will be in place tomorrow? In this talk we discuss: - the Kubernetes security landscape - risks, security models, and configuration best-practices - how to configure users and applications with least-privilege - how to isolate and segregate workloads and networks - hard and soft multi-tenancy - Continuous Security approaches to Kubernetes.
This presentation covers how app deployment model evolved from bare metal servers to Kubernetes World.
In addition to theoretical information, you will find free KATACODA workshops url to perform practices to understand the details of the each topics.
Cluster-as-code. The Many Ways towards KubernetesQAware GmbH
iSAQB Software Architecture Gathering – Digital 2022, November 2022, Mario-Leander Reimer (@LeanderReimer, Principal Software Architect bei QAware).
== Dokument bitte herunterladen, falls unscharf! Please download slides if blurred! ==
Kubernetes is the de-facto standard when it comes to container orchestration. But why is there is no established, standard and uniform way to spin-up and manage a single or even a whole farm of Kubernetes clusters yet? Instead, a whole bunch of different and mostly incompatible ways towards Kubernetes exist today. Each with its own pros and cons in regards to ease of use, flexibility and many other requirements. In this session we will have a closer look at the different available options to create, manage and operate Kubernetes clusters at scale.
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Henning Jacobs
Kubernetes has the concept of resource requests and limits. Pods get scheduled on the nodes based on their requests and optionally limited in how much of the resource they can consume. Understanding and optimizing resource requests/limits is crucial both for reducing resource "slack" and ensuring application performance/low-latency. This talk shows our approach to monitoring and optimizing Kubernetes resources for 80+ clusters to achieve cost-efficiency and reducing impact for latency-critical applications. All shown tools are Open Source and can be applied to most Kubernetes deployments.
An Operator is an application that encodes the domain knowledge of the application and extends the Kubernetes API through custom resources. They enable users to create, configure, and manage their applications. Operators have been around for a while now, and that has allowed for patterns and best practices to be developed.
In this talk, Lili will explain what operators are in the context of Kubernetes and present the different tools out there to create and maintain operators over time. She will end by demoing the building of an operator from scratch, and also using the helper tools available out there.
An in depth overview of Kubernetes and it's various components.
NOTE: This is a fixed version of a previous presentation (a draft was uploaded with some errors)
This presentation will introduce you to Container, Docker, Kubernetes, and Google Kubernetes Engine (GKE) with a live demo. This also explains Kubernetes basic concepts such as Pod, Deployment, Service, Ingress, and Rolling Update.
See the recorded session on Facebook live here (min 46.49):
https://www.facebook.com/gdgcloudkl/videos/1013942759041907
There's also recorded session on Youtube here (min 46.49):
https://www.youtube.com/watch?v=ht0ynVjkDcI
GDG Cloud KL July Webinar on July 12, 2020
A basic introductory slide set on Kubernetes: What does Kubernetes do, what does Kubernetes not do, which terms are used (Containers, Pods, Services, Replica Sets, Deployments, etc...) and how basic interaction with a Kubernetes cluster is done.
History and Basics of containers, LXC, Docker and Kubernetes. This presentation is given to Engineering colleage students at VIT DevFest 2018. Beginner to Intermediate level.
This presentation explains the basics of Kubernetes ingress traffic management functionality, and how it can be used to simplify managing applications across different environments - in the cloud or on premise.
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
Now that we have passed “peak orchestrator” and as Kubernetes eats the world, we are left wondering: how secure is Kubernetes? Can we really run Google-style multi tenanted infrastructure safely? And how can we be sure what we configured yesterday will be in place tomorrow? In this talk we discuss: - the Kubernetes security landscape - risks, security models, and configuration best-practices - how to configure users and applications with least-privilege - how to isolate and segregate workloads and networks - hard and soft multi-tenancy - Continuous Security approaches to Kubernetes.
All the troubles you get into when setting up a production ready Kubernetes c...Jimmy Lu
Have you ever try to set up a Kubernetes cluster manually by your own? It may be a small dish to you to set one up on your laptop. However, things are getting harder and harder once you have more nodes to handle, not to mention you also want security, monitoring, auto-scaling, and federated cluster enabled in the production environments. With more features added, the situation gets even worse and more complicated. We developers in Linker Networks had put in a tremendous amount of time in investigating on how to set up Kubernetes clusters efficiently. We designed and built our own tools to automate and facilitate such the painful processes. In this talk, I'll go through all the details and pitfalls in setting up a production ready cluster. Hopefully, the experience I shared could keep you out of these troubles, saving your precious time.
Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
Kubernetes is fast becoming the operating system for the Cloud and brings a ubiquity that has the potential for massive benefits for technology organizations. Applications/Microservices are moved to orchestration tools like Kubernetes to leverage features like horizontal autoscaling, fault tolerance, CICD, and more. Apache Solr is an open-source search engine platform built on an Apache Lucene library. It offers Apache Lucene's search capabilities in a user-friendly way. Lucidworks runs over a thousand distributed-mode Apache Solr Clusters spread across several machines for a plethora of use-cases around Search and Analytics. The traffic demands a massive scale which creates scenarios of in-depth micro-management like operating systems upgrade, scaling cluster dynamically, etc, affecting the overall search experience. This talk is focussed on the journey taken by Lucidworks on addressing scaling clusters horizontally and vertically, on the basis of query traffic load, data ingestion throughput or any other relevant metrics by extending capabilities of Kubernetes and Apache Solr to achieve true physical and logical autoscaling, satisfying modern era SLAs and infrastructure cost. The talk concludes with how the solution adopted opens up the future scope of fine-grained scaling of search clusters.
Event driven workloads on Kubernetes with KEDANilesh Gule
Slide deck of the presentation done at the Pune User Group on 27th February 2021. Demonstrate how Kubernetes based event driven autoscaling (KEDA) can be used with RabbitMQ as the event source.
Slide deck related to the Microsoft Reactor Benagluru event on September 1 2021.
https://www.meetup.com/en-AU/microsoft-reactor-bengaluru/events/280353882
During the session following topics were covered
- Scaling options in Kubernetes including HPA, Cluster Autoscaler, Manual scaling
- Need for Kubernetes based Event Driven Autoscaling (KEDA)
- Live demos of Producer and Consumer for RabbitMQ queue
- KEDA Architecture
- KEDA scalers and event sources
CloudYuga presented at Kubernetes meetup in Banglaore on 22nd Dec'18. In this we covered how to setup a Kubernetes cluster from scratch on DigitalOcean. Full tutorial can be accessed at https://pilot.cloudyuga.guru/ .
Scaling .net containers with event driven workloadsNilesh Gule
Slide deck related to the talk presented at Surati Tech Talks 2022 event on 10th January 2022. Demonstrates the power of Kubernetes along with Kubernetes-based Event Driven Autoscaing (KEDA) project to support event driven workloads. Microsft Azure is used as the cloud platform with managed Azure Kubernetes Service (AKS) as target environment
This document is a presentation from OpenStack Summit Sydney. It describes how to easily install OpenStack on Kubernetes. It explains Kubernetes and OpenStack-Helm.
Kubernetes in Hybrid Environments with SubmarinerKublr
Submariner enables direct networking between Pods and Services in different Kubernetes clusters, either on-premises or in the cloud.
As Kubernetes gains adoption, teams are finding they must deploy and manage multiple clusters to facilitate features like geo-redundancy, scale, and fault isolation for their applications. With Submariner, your applications and services can span multiple cloud providers, data centers, and regions.
Submariner is completely open source, and designed to be network plugin (CNI) agnostic.
Submariner Provides: cross-cluster L3 connectivity using encrypted VPN tunnels; service Discovery across clusters; subctl, a friendly deployment tool; support for interconnecting clusters with overlapping CIDRs
Container runtime and tooling has matured since Docker brought it to the mainstream a decade ago. There are multiple options for building and running containers available to the developers and system administrators. Oleg Chunikhin, CTO at Kublr, will provide a review and analysis of the popular options.
Container runtime and tooling has matured since Docker brought it to the mainstream a decade ago. There are multiple options for building and running containers available to the developers and system administrators. Oleg Chunikhin, CTO at Kublr, will provide a review and analysis of the popular options.
Rook turns distributed storage systems into self-managing, self-scaling, self-healing storage services. It automates the tasks of a storage administrator: deployment, bootstrapping, configuration, provisioning, scaling, upgrading, migration, disaster recovery, monitoring, and resource management.
Rook uses the power of the Kubernetes platform to deliver its services via a Kubernetes Operator for each storage provider.
Oleg Chunikhin, Co-Founder and CTO @ Kublr.com, will present an introduction to storage management on k8s using Rook and Ceph.
Hybrid architecture solutions with kubernetes and the cloud native stackKublr
This presentation provides an overview of how Kubernetes capabilities can be used to simplify use of hybrid infrastructure rather than complicate it. It covers the general challenges posed by hybrid multi-site architectures, including provisioning and operations, ingress traffic management, network connectivity, and distributed data management. The presentation reviews using AWS and Azure as examples how each of these challenges can be addressed with Kubernetes and various Kubernetes controllers used as an infrastructure abstraction layer.
An application path to production does not end with a deployment, even if you are using Kubernetes (K8s) as your application deployment platform. Reliable BCDR (backup and disaster recovery) plan and framework is a must for any production-ready system.
This presentation accompanies meetups and webinars in which Oleg Chunikhin, CTO at Kublr, shows how Velero BCDR framework works and demonstrates how it can be used to backup and recover realistic applications running on Kubernetes in different clouds and environments.
What is covered:
- general notions of Kubernetes applications BCDR
- Velero BCDR framework
- demo Velero BCDR for stateful applications running on AWS and Azure clouds
- demo Velero BCDR using Strimzi / Kafka cluster and ArgoCD CI/CD manager as example application
Kubernetes (K8s) is a powerful, flexible and portable open source framework for distributed containerized applications delivery and management. An important part of the services provided by most Kubernetes clusters is the containers’ networking stack. In most cases and for many applications it “just works”, but this seeming simplicity is backed by a complex stack of technologies that provide many capabilities beyond the basics.
This presentation accompanies the meetup and webinar where Oleg Chunikhin, CTO at Kublr, shows how Kubernetes networking stack works, describes main components, interfaces and extensibility options.
What is covered:
- general notions of Kubernetes networking - Pods and Network Policies
- implementation of Kubernetes networking - CNI, CNI plugins, and Linux network namespaces
- some Kubernetes CNI providers: Calico, Weave, Flanel, and Canal
- K8S networking extensibility for advanced and “exotic” use-cases with Multus CNI plugin as an example
In this meetup, Oleg, CTO at Kublr, walks you through the basics of K8s persistence management functionality and how it can be used to simplify managing persistent applications across different environments - in the cloud or on premise. Oleg will use a demo environment with clusters in different clouds to show K8s persistence in practice.
We will cover:
• Persistent data abstractions in K8s: persistent volumes (PV) and their attributes
• PV specifics in different clouds
• Using PV in K8s: persistent volume claims (PVC) and storage classes (SC)
• Automatic volume provisioning
• Persistence and scheduling interrelationships
• Practical examples
Kubernetes (K8s) is a powerful and flexible open source container orchestration system. The power of K8s comes from its modularity and simplicity of basic concepts. Each of these basic concepts build on the other and, from the most basic elements to more advanced ones, each is responsible for its own well-defined logic and behavior.
Portable CI/CD Environment as Code with Kubernetes, Kublr and JenkinsKublr
How to establish Kubernetes as your infrastructure for a truly cloud native environment for optimal productivity and cost.
Using Kublr for infrastructure as code approach for fast, reliable and inexpensive production-ready DevOps environment setup bringing together a combination of technologies - Kubernetes; AWS Mixed Instance Policies, Spot Instances and availability zones; AWS EFS; Nexus and Jenkins.
Best practices based on open source tools such as Nexus and Jenkins.
How to tackle build process dilemmas and difficulties including managing dependencies, hermetic builds and build scripts.
Kubernetes 101: Intro to Kubernetes namespaces, workloads, and architecture
In this webinar Oleg, CTO at Kublr, will explain the basics of Kubernetes, a powerful and flexible
open-source container orchestration system: what it is, how it works, and the main entities
Kubernetes users work with.
Containers are taking over the IT world, and while building and running them locally is simple,
running them in production on a distributed infrastructure is much more involved.
Oleg will show how Kubernetes can help orchestrating containers across multiple compute
nodes and clouds.
We will cover:
- distributed container orchestration
- architecture of Kubernetes clusters
- important Kubernetes objects: namespaces, pods, services
- overview controllers: deployment, daemonset, stateful set
Kubernetes pods / container scheduling 201 - pod and node affinity and anti-affinity, node selectors, taints and tolerations, persistent volumes constraints, scheduler configuration and custom scheduler development and more.
Canary Releases on Kubernetes with Spinnaker, Istio, & Prometheus (2020)Kublr
In a microservices world, applications consist of dozens, hundreds, or even thousands of components. Manually deploying and verifying deployment quality in production is virtually impossible. Kubernetes, which natively supports rolling updates, enables blue-green application deployments with Spinnaker. However, the gradual rollout is a feature that doesn’t come out-of-the-box but can be achieved by adding Istio and Prometheus to the equation.
During this meetup, Slava will discuss canary release implementations on Kubernetes with Spinnaker, Istio, and Prometheus. He’ll examine the role of each tool in the process and how they are all connected. During a demo, he will demonstrate a successful and failed canary release, and how these tools enable IT teams, to properly roll out changes to their customer base without any downtime.
How to Run Kubernetes in Restrictive EnvironmentsKublr
Meeting the Needs of Enterprise Governance and Security Installing
Kubernetes is easy. Ensuring it complies with your organization’s enterprise governance and security requirements isn’t.
During this webinar, Oleg will explain how to use Kubernetes while meeting enterprise requirements. In this technically-focused talk, he’ll summarize common prerequisites for running Kubernetes in production, and how to leverage fine-grained controls and separation of responsibilities to meet enterprise governance and security needs.
The presentation will include basic requirements for audit, security, authentication, authorization, integration with existing identity management, logging, and monitoring.
Because on-premise Kubernetes deployments don’t come without their challenges, Oleg will cover the limitations of a bare-metal installation, interactions with vSphere’s API, achieving HA, reliability and disaster recovery, as well as handling OS upgrades, security patches, and Kubernetes upgrades. He’ll close with a quick outlook of what’s next, including infrastructure as code, immutable infrastructure, and GitOps.
Building Portable Applications with KubernetesKublr
Containers and Kubernetes enable code portability across on-premise VMs, bare metal, or multiple clouds. However, many developers may include configuration and application definitions that constrain or even eliminate application portability.
We'll outline best practices for “configuration as code” in a Kubernetes environment. He'll demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure using the Kublr platform, and how Kubernetes objects, such as persistent volumes, ingress rules, and services, can be leveraged to abstract from the infrastructure.
How Self-Healing Nodes and Infrastructure Management Impact ReliabilityKublr
Self-healing does not equal self-healing. There are multiple layers to it, whether a self-healing infrastructure, cluster, pods, or Kubernetes. Kubernetes itself ensures self-healing pods. But how do you ensure your applications, whose reliability depends on every single layer, are truly reliable?
This presentation covers the different self-healing layers, what Kubernetes does and doesn't do (at least not by default), and what you should look out for to ensure true reliable applications. Hint: infrastructure provisioning plays a key role.
While developers see and realize the benefits of Kubernetes, how it improves efficiencies, saves time, and enables focus on the unique business requirements of each project; InfoSec, infrastructure, and software operations teams still face challenges when managing a new set of tools and technologies, and integrating them into existing enterprise infrastructure. This is especially true for environments where security and governance requirements are so strict as to come into conflict with the cloud-native reference architectures.
This deck will outline a plan that leverages Kubernetes as an infrastructure abstraction (hint: there is a lot more to it than just container orchestration!). Such an approach allows enterprises to untie themselves from infrastructure provider-specific technology stack and free development to use whichever tool fits their use case best. But how do you implement open source cloud-native technologies while meeting enterprise security and governance requirements? We’ll summarize common prerequisites for running Kubernetes in production, and how to leverage fine-grained controls and separation of responsibilities to meet enterprise governance and security needs; what’s needed for a general architecture of a centralized Kubernetes operations layer based on open source components such as Prometheus, Grafana, ELK Stack, Keycloak, etc.
Centralizing Kubernetes Management in Restrictive EnvironmentsKublr
While developers see and realize the benefits of Kubernetes, how it improves efficiencies, saves time, and enables focus on the unique business requirements of each project; InfoSec, infrastructure, and software operations teams still face challenges when managing a new set of tools and technologies, and integrating them into existing enterprise infrastructure.
This is especially true for environments where security and governance requirements are so strict as to come into conflict with the cloud-native reference architectures.
During his presentation, Oleg will outline a plan that leverages open source cloud-native technologies while meeting enterprise security and governance requirements. He’ll summarize common prerequisites for running Kubernetes in production, and how to leverage fine-grained controls and separation of responsibilities to meet enterprise governance and security needs; what’s needed for a general architecture of a centralized Kubernetes operations layer based on open source components such as Prometheus, Grafana, ELK Stack, Keycloak, etc.
The presentation will cover basic requirements for audit, security, authentication, authorization, integration with existing identity management, logging, and monitoring. Additionally, the audience will learn whether cloud-hosted Kubernetes cover these requirements, how to integrate a compliant Kubernetes installation with their existing cloud infrastructure, the limitations of a bare-metal installation, interactions with vSphere’s API, achieving HA, reliability and disaster recovery, as well as handling OS upgrades, security patches, and Kubernetes upgrades.
Kubernetes in Highly Restrictive EnvironmentsKublr
Installing Kubernetes is easy. Ensuring it complies with your organization’s enterprise governance and security requirements isn’t.
How do you use the technologies while meeting enterprise security requirements? We'll summarize common prerequisites for running Kubernetes in production, and how to leverage fine-grained controls and separation of responsibilities to meet enterprise governance and security needs.
This deck includes basic requirements for audit, security, authentication, authorization, integration with existing identity broker, logging, and monitoring. Additionally, we'll go into whether cloud-hosted Kubernetes cover these requirements, how to integrate a compliant Kubernetes installation with their existing cloud infrastructure and how to handle cross-team communication (network/compute/storage/security).
Since on-premise Kubernetes deployments have their challenges, limitations of a bare-metal installation, interactions with vSphere’s API, achieving HA, reliability and disaster recovery, as well as handling OS upgrades, security patches, and Kubernetes upgrades are also considered.
From a skunk-works project to running the entire enterprise
While developers see and realize the benefits of Kubernetes, how it improves efficiencies, saves time, and enables focus on the unique business requirements of each project; InfoSec, infrastructure, and software operations teams still face challenges when managing a new set of tools and technologies, and integrating them into an existing enterprise infrastructure.
In this meetup, Chris, CTO at Tigera, and Oleg, CTO at Kublr, discussed the evolution of your Kubernetes cluster - from a skunk-works project to running the entire enterprise.
Canary Releases on Kubernetes w/ Spinnaker, Istio, and PrometheusKublr
In a microservices world, applications consist of dozens, hundreds, or even thousands of components. Manually deploying and verifying deployment quality in production is virtually impossible. Kubernetes, which natively supports rolling updates, enables blue-green application deployments with Spinnaker. However, gradual rollouts is a feature that doesn't come out-of-the-box but can be achieved by adding Istio and Prometheus to the equation.
During this meetup, Slava Koltovich, CEO of Kublr, and Oleg Atamanenko, Senior Software Architect, discussed canary release implementations on Kubernetes with Spinnaker, Istio, and Prometheus. They examined the role of each tool in the process and how they are all connected. During a demo, they demonstrated a successful and a failed canary release, and how these tools enable IT teams to properly roll out changes to their customer base without any downtime.
Understanding Nidhi Software Pricing: A Quick Guide 🌟
Choosing the right software is vital for Nidhi companies to streamline operations. Our latest presentation covers Nidhi software pricing, key factors, costs, and negotiation tips.
📊 What You’ll Learn:
Key factors influencing Nidhi software price
Understanding the true cost beyond the initial price
Tips for negotiating the best deal
Affordable and customizable pricing options with Vector Nidhi Software
🔗 Learn more at: www.vectornidhisoftware.com/software-for-nidhi-company/
#NidhiSoftwarePrice #NidhiSoftware #VectorNidhi
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Looking for a reliable mobile app development company in Noida? Look no further than Drona Infotech. We specialize in creating customized apps for your business needs.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
7. Kubernetes Access Control
• Who can do what with which resource
• Authentication
• Authorization
• RBAC
• Use-cases and gotchas
@olgch; @kublr
8. Who Can Do What in a Cluster
Three groups
Connected through access control
@olgch; @kublr
Subjects
User
Group
Service account
Resources
Pods
Nodes
ConfigMaps
Secrets
Deployments
…
Operations
list
get
create
update
delete
watch
patch
get
post
put
delete
9. Kubernetes API Request Attributes
• Authentication
• User – the user string
• Group – the list of group names
• Extra – a map of arbitrary keys
• API – non-resource or API resource flag
• API resource request
• API request verb – lowercased resource verb
• Namespace – the namespace
• API group - The API Group being accessed
• Resource – the resource ID
• Subresource – the sub-resource
• Non-resource request
• HTTP request verb – lowercased HTTP method
• Request path – non-resource request path.
Verbs
• Common API resource request :
get, list, watch,
create, update, patch,
delete, deletecollection
• Special API resource request:
use (PodSecurityPolicy),
bind, escalate (Role, ClusterRole),
impersonate (User, Group, SA),
userextras
• HTTP request verbs:
get, head, post, put,
patch, delete
@olgch; @kublr
10. Kubernetes API Client, Tools
• Any HTTP client
• curl – good for experiments
• kubectl – Kubernetes CLI
• jq – honorable mention – JSON visualization and processing
@olgch; @kublr
Client Kubernetes API
HTTP Request
12. Authentication: Mechanisms
Mechanism Secret Source Usage
X509 Client Certs CSR generated externally and
signed with the cluster CA key
Enterprise CA / PKI
Via Kubernetes API
CertificateSigningRequest
Kubernetes cluster admin
Bearer token Bootstrap token Internal use
Node authentication token Internal use
Static token file Insecure
ServiceAccount token Pods, containers, applications, users
OIDC token Users
HTTP Basic auth Static password file Insecure
Auth proxy N/A (trust proxy) Integration
Impersonate N/A (trust account) Integration and administration
13. Authentication: X509 Client Cert, PKI
Client Kubernetes API
3. HTTPS/TLS handshake with client cert
4. Request
Admin
1. client.csr 2. client.crt
client.key k8s-api-server-client-ca.key
k8s-api-server-client-ca.crt
--client-ca-file=k8s-api-server-client-ca.key
k8s-api-server-client-ca.key
Admin (issuer) must has access to
the server CA private key
@olgch; @kublr
14. Authentication: X509 Client Cert, PKI Example
• User: generate user private key (if not exist)
• User: generate user CSR
• Admin: sign user client cert
• User: use with kubectl via options or kubeconfig
openssl genrsa -out user1.key 2048
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=group1/O=group2"
openssl x509 -req -in user1.csr -CA cluster-ca.crt -CAkey cluster-ca.key
-set_serial 101 -extensions client -days 365 -outform PEM -out user1.crt
kubectl --client-key=user1.key --client-certificate=user1.crt get nodes
kubectl config set-credentials user1 --client-key user1.key --client-certificate user1.crt --embed-certs
kubectl config set-context user1 --cluster demo-rbac --user user1
kubectl --context=user1 get nodes
kubectl config use-context user1
kubectl config get-contexts
kubectl get nodes
@olgch; @kublr
16. Authentication: X509 Client Cert, K8S CSR
• User: generate user CSR
• Admin: use Kubernetes API server to sign the CSR
• User: use with kubectl via options or kubeconfig
openssl req -new -key user2.key -out user2.csr -subj "/CN=user2/O=group1/O=group2"
kubectl apply -f - <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: user2
spec:
request: $(cat user2.csr | base64 | tr -d 'n')
usages: ['digital signature', 'key encipherment',
'client auth']
EOF
kubectl certificate approve user2
kubectl certificate deny user2
kubectl get csr user2 –o jsonpath='{.status.certificate}' |
base64 --decode > user2.crt
kubectl --client-key=user2.key --client-certificate=user2.crt get nodes
kubectl config set-credentials user2 --client-key user2.key --client-certificate user2.crt --embed-certs
kubectl config set-context user2 --cluster demo-rbac --user user2
@olgch; @kublr
17. Authentication: Service Account
Client Kubernetes API
1. create service account
2. get service account token
3. Request (token in Authorization header)
@olgch; @kublr
18. Authentication: Service Account, Example
• Create service account
• Get service account token
• Send request
kubectl create serviceaccount sa1
kubectl "--token=${SA_TOKEN}" get nodes
kubectl config set-credentials sa1 "--token=${SA_TOKEN}"
kubectl config set-context sa1 --cluster demo-rbac --user sa1
kubectl get –o yaml sa sa1
SA_SECRET="$(kubectl get sa sa1 -o jsonpath='{.secrets[0].name}')"
kubectl get -o yaml secret "${SA_SECRET}"
SA_TOKEN="$(kubectl get secret "${SA_SECRET}" -o jsonpath='{.data.token}' | base64 -d)"
@olgch; @kublr
19. Authentication: OIDC
Client Kubernetes API
3. Request with the token
1. auth / refresh token
2. Tokens
--oidc-client-id=kubernetes
--oidc-groups-claim=user_groups
--oidc-issuer-url=https://idp.example.com
--oidc-username-claim=preferred_username
OIDC IdP
4. Verify token
@olgch; @kublr
20. Authentication: OIDC, Demo
Kublr uses Keycloak by default
• Multiple “realms”
• OIDC, SAML, LDAP, AD, Kerberos support
• User federation and Identity Broker support
Demo
• “demo-app” realm
• “kubernetes” OIDC client
• “demo-rbac” Kublr cluster with OIDC auth configured for the client
spec:
master:
kublrAgentConfig:
kublr:
kube_api_server_flag:
oidc_client_id: '--oidc-client-id=kubernetes'
oidc_groups_claim: '--oidc-groups-claim=user_groups'
oidc_issuer_url: '--oidc-issuer-url=https://***'
oidc_username_claim: '--oidc-username-claim=preferred_username'
@olgch; @kublr
28. Authorization: WebHook
Client Kubernetes API
1. Request
--authorization-webhook-config-file=auth-cfg.yaml
Authorization
Service
2. Verify
Config file in kubeconfig format
@olgch; @kublr
29. Authorization: RBAC
Three groups
Connected through RBAC
@olgch; @kublr
Subjects
User
Group
Service Account
Resources
Pods
Nodes
ConfigMaps
Secrets
Deployments
…
Operations
list
get
create
update
delete
watch
patch
get
post
put
delete
30. Roles and ClusterRoles
• Roles and ClusterRoles define a set of
allowed actions on resources
• Role is namespaced
• Cannot include non-namespaces
resources or non-resource URLs
@olgch; @kublr
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: role1
rules:
- apiGroups: ['*']
resources: ['nodes', 'pods', 'pods/log']
verbs: ['get', 'list']
- apiGroups: ['*']
resources: ['configmaps']
resourceNames: ['my-configmap']
verbs: ['get', 'list']
35. Built-in ClusterRoles
Role Access Can do
cluster-admin Full access to all cluster resources Anything in the cluster
admin Full access to all namespace resources Anything in a namespace
edit Full access to all namespace resources
except Role, RoleBinding,
LocalSubjectAccessReviews
Anything in a namespace except granting and
checking access
view RO access to all namespace resources
except sensitive ones
View and list non-sensitive objects in a
namespace
@olgch; @kublr
36. Use-cases
• Start with build-in roles
•Cluster admin
•Namespace admin
•Namespace developer
•Namespace read-only user
• Define new roles as needed
• Beware of “gotchas”
@olgch; @kublr
37. “Gotchas”
• Privilege escalation via pod creation
• Non-namespaced objects
• CRD, PriorityClass, PodSecurityPolicy
• Often needed for development, especially in advanced DevOps / SRE culture
• As a result, developers need self-service dev cluster management capabilities
• Role and role binding conventions
• Name
• Role bindings – one per subject, one per role, or mixed
@olgch; @kublr
38. Next steps
• PodSecurityPolicy
• NetworkPolicy
• Limits and Quotas
• Admission Controllers
• Dynamic admission control
• Dynamic policies, OPA
@olgch; @kublr
39. Kubernetes API Groups and Objects
API Group API Obects
rbac.authorization.k8s.io/v1 ClusterRole
Role
ClusterRoleBinding
RoleBinding
authentication.k8s.io/v1 TokenReview
admissionregistration.k8s.io/v1 MutatingWebhookConfiguration
ValidatingWebhookConfiguration
authorization.k8s.io/v1 LocalSubjectAccessReview
SelfSubjectAccessReview
SelfSubjectRulesReview
SubjectAccessReview
certificates.k8s.io/v1beta1 CertificateSigningRequest
policy/v1beta1 PodSecurityPolicy
@olgch; @kublr