Kubernetes Security

•

4 likes•1,033 views

This document discusses how to secure a Kubernetes platform. It covers setting up authentication and authorization using RBAC and certificates. It also discusses implementing network policies and pod security policies to restrict traffic and resources. Additional topics include integrating Vault for secrets management and using admission controllers and auditing to intercept and modify API requests for security purposes.

Kubernetes Security
How to secure your Kubernetes platform
Johannes M. Scheuermann
Karlsruhe, 09.12.2017

Johannes M. Scheuermann
IT Engineering & Operations @ inovex
〉 Software-Defined Datacentres
〉 Infrastructure as Code
〉 Cloud technologies
〉 High Availability & Scalability
〉 Want‘s a Z-Frame
〉 @johscheuer
2

• Security Cake
• Authentication and Authorisation
• Network Policies
• Pod Security Policies
• Admission Controller
• Vault Integration
Security Kubernetes

Security Cake
HW HW HW HW
OS OS OS OS
Platform
Container Container Container Container
Base Base Base Base
App App App App

• Secure all components with certificates
• Only talk over TLS
• Disable the insecure port (even on localhost)
• Disable anonymous authentication
• Or at least restrict it to uncritical resources
• Since 1.7 Kubernetes supports an Audit Log
Focus on the Platform

• RBAC (Role Based Access Control)
• ABAC (Attribute Based Access Control)
• WebHook
• Certificates
• Token (JWT à https://jwt.io)
Authentication and Authorisation

RBAC (example)
(Cluster)
Role
Subject
(Cluster)Rolebinding

• Since 1.6
• Ingress policies
• Egress policies (1.8)
• Network segmentation (distributed firewall)
• CNI plugin must support it
Network Policies

• DENY all traffic to an application
• LIMIT traffic to an application
• DENY all non-whitelisted traffic in a namespace
• DENY all traffic from other namespaces
• ALLOW traffic from other namespaces
• ALLOW traffic from external clients
Network Policies (example)

• Needs to be explicitly activated
• Let you define what’s allowed
• There must be a default policy
• Activating “runAsNonRoot” will break many things
• Only activate if needed (multi-tenant)
• Can be combined with RBAC
Pod Security Policies

• Volumes
• RunAsUser
• AllowedCapabilities
• Privileged
• HostNetwork / HostPorts
• readOnlyRootFilesystem
Pod Security Policies (example)

• Intercepts request to the Kubernetes API
• (Can) Perform modifications
• Many default controllers exists
• You can also write your own
Admission Controller(s)

• DenyEscalatingExec
• ImagePolicyWebhook
• NodeRestriction
• PodSecurityPolicy
• SecurityContextDeny
• ServiceAccount
Admission Controller (example)

Vault Integration (CA)
Vault
Node
Master
1.) Auth (AppRoleID)
2.) Issue certificate
Policies
etcd

• Since 0.9 Kubernetes auth backend
• Solves only the challenge of authentication
• Secret must be fetched
• Sidecare/init container
• Integrates with ServiceAccounts
Vault Integration (secret store)

• Open artifact metadata API
• Pluggable (multiple providers)
• ACL for the metadata
• Query-ability
• Integrates with Kubernetes
Grafeas

• Service Mesh
• Policy Enforcement (L4/L7)
• Integrated CA
• Transparent TLS
• Routing
• Language/Platform agnostic
Istio

• Many possibilities to make your cluster more secure
• Each with it’s benefits and drawbacks
• Generally à Security means (hard) work
• Depends on your Use Case what to use
• Play around with and get a feeling (in a playground)
Conclusions

• https://kubernetes.io/docs/admin/admission-
controllers
• https://kubernetes.io/docs/concepts/policy/pod-
security-policy
• https://kubernetes.io/docs/concepts/services-
networking/network-policies
Further reading

• https://grafeas.io
• https://istio.io
• https://ahmet.im/blog/kubernetes-network-policy
• https://github.com/kubernetes/examples/tree/master/
staging/podsecuritypolicy/rbac
Further reading

Johannes M. Scheuermann
inovex GmbH
Johannes.scheuermann@inovex.de
CC BY-NC-ND inovex.de +JohannesScheuermann
github.com/johscheu
er
@johscheuer youtube.com/inovexGmb
H

Get these visually appealing Kubernetes Concepts And Architecture PowerPoint Presentation Slides to discuss the process of operating containerized applications. You can display the need for containers by the company with the help of an open-source architecture PPT slideshow. The architecture of containers can be demonstrated with the help of a visually appealing PPT slideshow. The reasons for opting for Kubernetes by an organization can be explained to your teammates with the help of containers PowerPoint infographics. Highlight the roadmap for installing Kubernetes in the organization by using content-ready PPT slides. Take the assistance of visually appealing PPT templates to depict the major advantages of Kubernetes such as improving productivity, the stability of application run, and many more. After that, display 30 60 90 days plan to implement Kubernetes in the organization. Display the key components of Kubernetes with the help of a diagram using this professionally designed cluster architecture PPT layouts. Describe the functionality of each components of Kubernetes. Hence, download Kubernetes architecture PPT slides to easily and efficiently manage the clusters. https://bit.ly/34DWa7x

Kubernetes Introduction

Martin Danielsson

CKA Certified Kubernetes Administrator Notes

Adnan Rashid

Introduction to openshift

MamathaBusi

Kubernetes Application Deployment with Helm - A beginner Guide!

Krishna-Kumar

Kubernetes - introduction

Sparkbit

Deploy 22 microservices from scratch in 30 mins with GitOps

Opsta

OpenShift 4 installation

Robert Bohne

Kubernetes and container security

Volodymyr Shynkar

Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle. Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image. Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible. During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system. Contacts: LinkedIn - https://www.linkedin.com/in/vshynkar/ GitHub - https://github.com/sqerison ------------------------------------------------------------------------------------- Materials from the video: The policies and docker files examples: https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90 The repo with the helm chart used in a demo: https://github.com/sqerison/argo-rollouts-demo Tools that showed in the last section: https://github.com/armosec/kubescape https://github.com/aquasecurity/kube-bench https://github.com/controlplaneio/kubectl-kubesec https://github.com/Shopify/kubeaudit#installation https://github.com/eldadru/ksniff Further learning. A book released by CISA (Cybersecurity and Infrastructure Security Agency): https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF O`REILLY Kubernetes Security: https://kubernetes-security.info/ O`REILLY Container Security: https://info.aquasec.com/container-security-book Thanks for watching!

An Introduction to Kubernetes

Imesh Gunaratne

Traditional virtualization technologies have been used by cloud infrastructure providers for many years in providing isolated environments for hosting applications. These technologies make use of full-blown operating system images for creating virtual machines (VMs). According to this architecture, each VM needs its own guest operating system to run application processes. More recently, with the introduction of the Docker project, the Linux Container (LXC) virtualization technology became popular and attracted the attention. Unlike VMs, containers do not need a dedicated guest operating system for providing OS-level isolation, rather they can provide the same level of isolation on top of a single operating system instance. An enterprise application may need to run a server cluster to handle high request volumes. Running an entire server cluster on Docker containers, on a single Docker host could introduce the risk of single point of failure. Google started a project called Kubernetes to solve this problem. Kubernetes provides a cluster of Docker hosts for managing Docker containers in a clustered environment. It provides an API on top of Docker API for managing docker containers on multiple Docker hosts with many more features.

(Draft) Kubernetes - A Comprehensive Overview

Bob Killen

K8s security best practices

Sharon Vendrov

Helm - Application deployment management for Kubernetes

Alexei Ledenev

Introduction to helm

Jeeva Chelladhurai

Introduction to Kubernetes Workshop

Bob Killen

Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift

DevOps.com

Administrators and developers are increasingly seeking ways to improve application time to market and improve maintainability. Containers and Red Hat® OpenShift® have quickly become the de facto solution for agile development and application deployment. Red Hat Training has developed a course that provides the gateway to container adoption by understanding the potential of DevOps using a container-based architecture. Orchestrating a container-based architecture with Kubernetes and Red Hat® OpenShift® improves application reliability and scalability, decreases developer overhead, and facilitates continuous integration and continuous deployment. In this webinar, our expert will cover: An overview of container and OpenShift architecture. How to manage containers and container images. Deploying containerized applications with Red Hat OpenShift. An outline of Red Hat OpenShift training offerings.

Ingress overview

Harshal Shah

Kubernetes Architecture and Introduction

Stefan Schimanski

Room 1 - 6 - Trần Quốc Sang - Autoscaling for multi cloud platform based on S...

Vietnam Open Infrastructure User Group

Spa Secure Coding Guide

Geoffrey Vandiest

Here you can find the slides that accompany my “SPA Secure Coding Guide”, this presentation go through a set of security best practices specially targeted towards developing Angular applications with ASP.Net Web Api backends. It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation. It first introduce general threat modelling before explaining the most current type of attacks Asp.Net Web API are vulnerable to . It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.

Vault

dawnlua

What's hot

Kubernetes Introduction

Peng Xiao

Kubernetes Concepts And Architecture Powerpoint Presentation Slides

SlideTeam

Kubernetes Introduction

Martin Danielsson

CKA Certified Kubernetes Administrator Notes

Adnan Rashid

Introduction to openshift

MamathaBusi

Kubernetes Application Deployment with Helm - A beginner Guide!

Krishna-Kumar

Kubernetes - introduction

Sparkbit

Deploy 22 microservices from scratch in 30 mins with GitOps

Opsta

OpenShift 4 installation

Robert Bohne

Kubernetes and container security

Volodymyr Shynkar

An Introduction to Kubernetes

Imesh Gunaratne

(Draft) Kubernetes - A Comprehensive Overview

Bob Killen

K8s security best practices

Sharon Vendrov

Helm - Application deployment management for Kubernetes

Alexei Ledenev

Introduction to helm

Jeeva Chelladhurai

Introduction to Kubernetes Workshop

Bob Killen

Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift

DevOps.com

Ingress overview

Harshal Shah

Kubernetes Architecture and Introduction

Stefan Schimanski

Room 1 - 6 - Trần Quốc Sang - Autoscaling for multi cloud platform based on S...

Vietnam Open Infrastructure User Group

What's hot (20)

Kubernetes Introduction

Kubernetes Concepts And Architecture Powerpoint Presentation Slides

Kubernetes Introduction

CKA Certified Kubernetes Administrator Notes

Introduction to openshift

Kubernetes Application Deployment with Helm - A beginner Guide!

Kubernetes - introduction

Deploy 22 microservices from scratch in 30 mins with GitOps

OpenShift 4 installation

Kubernetes and container security

An Introduction to Kubernetes

(Draft) Kubernetes - A Comprehensive Overview

K8s security best practices

Helm - Application deployment management for Kubernetes

Introduction to helm

Introduction to Kubernetes Workshop

Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift

Ingress overview

Kubernetes Architecture and Introduction

Room 1 - 6 - Trần Quốc Sang - Autoscaling for multi cloud platform based on S...

Similar to Kubernetes Security

Spa Secure Coding Guide

Geoffrey Vandiest

Vault

dawnlua

Securing Microservices using Play and Akka HTTP

Rafal Gancarz

Going down the microservices route makes a lot of things around creating and maintaining large systems easier but it comes at a cost too, particularly associated with challenges around security. While securing monolithic applications was a relatively well understood area, the same can't be said about microservice based architectures. This presentation covers how implementing microservices affects the security of distributed systems, outlines pros and cons of several standards and common practices and offers practical suggestions for securing microservice based systems using Play and Akka HTTP.

Kubernetes Security

Karthik Gaekwad

Architecting for Microservices Part 2

Elana Krasner

You can find the first part of this presentation here: https://www.slideshare.net/secret/pAvK8Qd9f07oa This presentation takes a deep dive into how the Million Song Library, a microservices-based application, was built using the Netflix Stack, Cassandra and Datastax. To learn more about Million Song Library and its components visit the project on GitHub: https://github.com/kenzanlabs/million-song-library Lea

DCSF19 Container Security: Theory & Practice at Netflix

Docker, Inc.

Michael Wardrop, Netflix Usage of containers has undergone rapid growth at Netflix and it is still accelerating. Our container story started organically with developers downloading Docker and using it to improve their developer experience. The first production workloads were simple batch jobs, pioneering micro-services followed, then status as a first class platform running critical workloads. As the types of workloads changed and their importance increased, the security of our container ecosystem needed to evolve and adapt. This session will cover some security theory, architecture, along with practical considerations, and lessons we learnt along the way.

Centralizing Kubernetes and Container Operations

Kublr

While developers see and realize the benefits of Kubernetes, how it improves efficiencies, saves time, and enables focus on the unique business requirements of each project; InfoSec, infrastructure, and software operations teams still face challenges when managing a new set of tools and technologies, and integrating them into an existing enterprise infrastructure. These meetup slides go over what’s needed for a general architecture of a centralized Kubernetes operations layer based on open source components such as Prometheus, Grafana, ELK Stack, Keycloak, etc., and how to set up reliable clusters and multi-master configuration without a load balancer. It also outlines how these components should be combined into an operations-friendly enterprise Kubernetes management platform with centralized monitoring and log collection, identity and access management, backup and disaster recovery, and infrastructure management capabilities.  This presentation will show real-world open source projects use cases to implement an ops-friendly environment. Check out this and more webinars in our BrightTalk channel: https://goo.gl/QPE5rZ

Améliorer OpenStack avec les technologies Intel

Odinot Stanislas

Dans ce document vous trouverez les dernières améliorations faites sur OpenStack et comment certaines technologies Intel dopent la performance et la sécurité de l'environnement Cloud. Quelques exemple avec : Comment créer des "pool" de VM sécurisées avec possibilité de géo tagging (technologies Intel présentent dans les serveurs HP, DELL, IBM… + Folsom, Nova, Horizon, Open Attestation) Comment doper la sécurité du nouveau module de gestion des clés d'OpenStack (technologies Intel + Barbican) Comment benchmarker le stockage object Swift avec COSBench (qui supporte maintenant Ceph, S3 et Amplidata) Auteurs: Girish Gopal - Strategic Planning, Intel Corporation Malini Bhandaru - Security Architect, Intel Corporation

How we scale DroneCi on demand

Patrick Jahns

We are sharing our process of migrating to the container based DroneCI platform and our lessons learned when scaling it up for an active open source project like ownCloud. Our journey started with a static legacy CI system, which was gradually replaced with, at first, a static DroneCI infrastructure. Over the course of half a year, we further more migrated to a cloud provider in order to dynamically scale the CI system based on the build volume. The lessons learned during this journey, were transformed and contributed to the DroneCI project and resulted in the DroneCI autoscaler - which allows for automatic scaling of infrastructure resources with common cloud providers.

Kubernetes – An open platform for container orchestration

inovex GmbH

Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness

Toni de la Fuente

Deploying Kubernetes without scaring off your security team - KubeCon 2017

Major Hayden

Attacking and Defending Kubernetes - Nithin Jois

OWASP Hacker Thursday

Application portability with kubernetes

Oleg Chunikhin

5 Ways to Secure Your Containers for Docker and Beyond

Black Duck by Synopsys

Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17. To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk. Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as: 1. Network security 2. Access control 3. Tamper management and trust 4. Denial of service and SLAs 5. Vulnerabilities Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats. Watch the webinar on BrightTalk: http://bit.ly/2bpdswg

A Survey of Container Security in 2016: A Security Update on Container Platforms

Salman Baset

Intelligent Cloud Conference 2018 - Building secure cloud applications with A...

Tom Kerkhove

Developing Solutions for Azure - Best Practices

Fisnik Doko

Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...

Amazon Web Services

Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...

Lucas Jellema

Similar to Kubernetes Security (20)

Spa Secure Coding Guide

Vault

Securing Microservices using Play and Akka HTTP

Kubernetes Security

Architecting for Microservices Part 2

DCSF19 Container Security: Theory & Practice at Netflix

Centralizing Kubernetes and Container Operations

Améliorer OpenStack avec les technologies Intel

How we scale DroneCi on demand

Kubernetes – An open platform for container orchestration

Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness

Deploying Kubernetes without scaring off your security team - KubeCon 2017

Attacking and Defending Kubernetes - Nithin Jois

Application portability with kubernetes

5 Ways to Secure Your Containers for Docker and Beyond

A Survey of Container Security in 2016: A Security Update on Container Platforms

Intelligent Cloud Conference 2018 - Building secure cloud applications with A...

Developing Solutions for Azure - Best Practices

Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...

Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...

More from inovex GmbH

lldb – Debugger auf Abwegen

inovex GmbH

lldb kann mehr als nur einfache Breakpoints oder po. In dem Vortrag zeigt Oliver Bayer, wie sich mit Hilfe von lldb Programmcode zur Ausführungszeit manipulieren lässt, ohne das hierfür der Sourcecode anzupassen ist. Sei es, damit Test- oder Debugcode nicht in die produktiv App gelangt, oder weil der Sourcecode für einen Teil der App nicht vorliegt. Event: macoun, 04.10.2019 Speaker: Oliver Bayer, inovex Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Are you sure about that?! Uncertainty Quantification in AI

inovex GmbH

With the advent of Deep Learning (DL), the field of AI made a giant leap forward and it is nowadays applied in many industrial use-cases. Especially critical systems like autonomous driving, require that DL methods not only produce a prediction but also state the certainty about the prediction in order to assess risks and failure. In my talk, I will give an introduction to different kinds of uncertainty, i.e. epistemic and aleatoric. To have a baseline for comparison, the classical method of Gaussian Processes for regression problems is presented. I then elaborate on different DL methods for uncertainty quantification like Quantile Regression, Monte-Carlo Dropout, and Deep Ensembles. The talk is concluded with a comparison of these techniques to Gaussian Processes and the current state of the art. Speaker: Dr. Florian Wilhelm, Simon Bachstein, inovex Event: PyCon/PyData Berlin 2019 Datum: 10.10.2019 Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Why natural language is next step in the AI evolution

inovex GmbH

In 2010 ImageNet finally ended the AI winter and gave machines the sense of sight. Within the following years dramatic improvements in tasks such as image classification and object detection lead to innovations like face ID and autonomous driving. Recently, similar developments happened in the field of natural language. Using Attention mechanism and transformers tasks such as question answering and text summarization reached new benchmarks. This talk will not only explain those, but point out how Transfer Learning and open source models such as Google Bert will open the field to new innovations in AI. Speaker: Nico Kreiling, inovex Event: AIxIA, 01.10.2019 Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

WWDC 2019 Recap

inovex GmbH

Die Worldwide Developers Conference (WWDC) ist eine von Apple jährlich durchgeführte Konferenz für Software-Entwickler (MacOS, iOS und WatchOS). Um die WWDC 2019 nochmal Revue passieren zu lassen, wurde beim Mobile Development Karlsruhe Meetup zu einer offenen Diskussionsrunde eingeladen. Die Slides fassen die für inovexler Philipp interessantesten Neuigkeiten der WWDC2019 zusammen und dienten beim Meetup als Diskussionsgrundlage. Event: 9. Mobile Development Meetup (WWDC Edition) Speaker: Philipp Wallrich, inovex Datum: 17.06.2019 Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Network Policies

inovex GmbH

Trust is good, control is better – A short story about Network Policies. Abstract: Probably everybody who uses Kubernetes in a productive environment with multiple users possibly has looked at policies. Often the operators of the cluster(s) just trust the policies but in some cases it might be useful to control if the policies actually have taken action and often there are just to many Policies in the cluster setup to manually test them all (and obviously you don’t want to do this). Testing the effectiveness of the Network Policies can be done in different approaches. In this talk we will show you the benefits and drawbacks of different approaches and what solution we finally chose. Also we will show you some other tools and how they complement our solution. As a takeaway you will get an overview of different testing strategies for policies, as well as understanding challenges in testing policies in general and the Kubernetes ecosystem. Event: ContainerDays 2019 Datum: 26.06.2019 Speaker: Johannes M. Scheuermann, Maximilian Bischoff (beide inovex) Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Interpretable Machine Learning

inovex GmbH

Interpretierbarkeit von ML-Modellen hat die Zielsetzung, die Ursachen einer Prognose offenzulegen und eine daraus abgeleitete Entscheidung für einen Menschen nachvollziehbar zu erklären. Durch die Nachvollziehbarkeit von Prognosen lässt sich beispielsweise sicherstellen, dass deren Herleitung konsistent zum Domänenwissen eines Experten ist. Auch ein unfairer Bias lässt sich durch die Erklärung aussagekräftiger Beispiele identifizieren. Prognosemodelle lassen sich grob in intrinsisch interpretierbare Modelle und nicht-interpretierbare (auch Blackbox-) Modelle unterscheiden. Intrinsisch interpretierbare Modelle sind dafür bekannt, dass sie für einen Menschen leicht nachvollziehbar sind. Ein typisches Beispiel für ein solches Modell ist der Entscheidungsbaum, dessen regelbasierter Entscheidungsprozess intuitiv und leicht zugänglich ist. Im Gegensatz dazu gelten Neuronale Netze als Blackbox-Modelle, deren Prognosen durch die komplexe Netzstruktur schwer nachvollziehbar sind. In diesem Talk erläuterte Marcel Spitzer das Konzept von Interpretierbarkeit im Kontext von Machine Learning und stellte gängige Verfahren zur Interpretation von Modellen vor. Besonderen Fokus legte er dabei auf modellunabhängige Verfahren, die sich auch auf prognosestarke Blackbox-Modelle anwenden lassen. Event: M3 Minds Mastering Machines Speaker: Marcel Spitzer Blog-Artikel: https://www.inovex.de/blog/machine-learning-interpretability/ Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Jenkins X – CI/CD in wolkigen Umgebungen

inovex GmbH

Das Ökosystem rund um Kubernetes wächst täglich. Insbesondere cloud-native Continuous-Deployment-Strategien stehen Hoch im Kurs und werden in diversen Open-Source-Projekten vorangetrieben. In einer Reihe von Evalutionen nimmt inovex diese Tools genauer unter die Lupe - den Anfang macht Jenkins X. Jenkins X wurde im März 2018 veröffentlicht. Das Konzept hinter dem Tool ist primär, bestehende Teillösungen (Helm, Skaffold, Prow, Tekton) einzusetzen, um sie abstrahiert in ein Kommandozeilen-Interface zu packen. Der Vortrag beschreibt sowohl die klassische Architektur als auch den "Severless"-Ansatz. Des weiteren werden das Kommandozeilen-Tool "jx", der allgemeine Entwicklungs-Workflow sowie diverse Features vorgestellt. Bei unseren Tests im Rahmen der Evaluation sind uns einige Stolpersteine aufgefallen. Es sind vor allem die vielen eingesetzten Dritt-Tools, die den Betrieb und den Upkeep eines mit Jenkins X erstellten Clusters verkomplizieren. Als Fazit stellen wir Jenkins X im Mai 2019 ein "befriedigend" aus und beobachten gespannt, wie sich das Tool in den kommmenden Monaten und Jahren weiterentwickeln wird. Event: Talk4Nerds, 29.04.2019 Speaker: Simon Kienzler, Johannes M. Scheuermann (beide inovex) Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

AI auf Edge-Geraeten

inovex GmbH

Neben dem großen Machine-Learning-Trend in der Cloud zeichnet sich zunehmend die Tendenz ab, bestimmte Aufgaben direkt auf Edge-Geräten auszuführen. Wir erkunden die Vorteile von Auswertungen direkt an der Quelle der Daten und die damit verbundenen Herausforderungen. Denn die Rechenleistung der Cloud steht uns hier leider nicht zur Verfügung. Zur Lösung stehen uns verschiedene Hardwareoptionen wie CPUs, GPUs, FPGAs oder spezielle ASICs und Frameworks zur Verfügung, die wir am Beispiel von einem Convolutional Neural Network evaluieren. Dabei gibt es praktische Tipps und Erfahrungen aus realen Projekten sowie anschauliche Demos auf verschiedenen Hardwareplattformen. Vorkenntnisse: Vorkenntnisse über tiefe neuronale Netze sind von Vorteil. Lernziele: - Verständnis über die Vorteile von AI auf Edge-Geräten und den damit verbundenen Herausforderungen. - Wissen über die verschiedenen Hard- und Softwarelösungen erlangen, um diese in eigenen Projekten einzusetzen. Event: building IoT, 03.04.2019 Speaker: Dominik Helleberg, inovex Mehr Tech-Vorträge: inovex.de/vortraege Mehr Blog-Artikel: inovex.de/blog

Prometheus on Kubernetes

inovex GmbH

Der Talk auf der Konferenz „Talk4Nerds“ der R+V Versicherung bot eine Einführung in Prometheus als Monitoring-Lösung. Dabei ging inovexler Christoph auf die Anforderungen an ein modernes Monitoring Tool ein, wie Prometheus diesen Anforderungen entspricht und warum es zum defacto Standard im Kubernetes-Umfeld geworden ist. Abschließen beleuchtete Christoph die Non-Goals und wie man diese mit zusätzlichen Tools dennoch erreichen kann. Speaker: Christoph Petrausch (inovex) Event: Talk4Nerds Datum: 29.04.2019 Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Deep Learning for Recommender Systems

inovex GmbH

Recommender systems support the decision making processes of customers with personalized suggestions. These widely used systems influence the daily life of almost everyone across domains like ecommerce, social media, and entertainment. However, the efficient generation of relevant recommendations in large-scale systems is a very complex task. In order to provide personalization, engines and algorithms need to capture users’ varying tastes and find mostly nonlinear dependencies between them and a multitude of items. Enormous data sparsity and ambitious real-time requirements further complicate this challenge. At the same time, deep learning has been proven to solve complex tasks like object or speech recognition where traditional machine learning failed or showed mediocre performance. Join Marcel Kurovski to explore a use case for vehicle recommendations at mobile.de, Germany’s biggest online vehicle market. Marcel shares a novel regularization technique for the optimization criterion and evaluates it against various baselines. To achieve high scalability, he combines this method with strategies for efficient candidate generation based on user and item embeddings—providing a holistic solution for candidate generation and ranking. The proposed approach outperforms collaborative filtering and hybrid collaborative-content-based filtering by 73% and 143% for MAP@5. It also scales well for millions of items and users returning recommendations in tens of milliseconds. Event: O'Reilly Artificial Intelligence Conference, New York, 18.04.2019 Speaker: Marcel Kurovski, inovex GmbH Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Azure IoT Edge

inovex GmbH

In seinem Meetup Talk berichtete Maximilian von den aktuellen Problemen von Cloud Computing – insbesondere im Internet of Things – und wie diese durch Edge Computing mitigiert werden können. Er erklärte, wie eine generische Edge-Computing-Architektur aussehen kann und zeigte Anwendungsfälle, von denen manche auch schon in existierenden Produkten umgesetzt sind. Im Anschluss stellte er Azure IoT Edge vor und erläuterte, wie es das bestehende IoT Framework von Microsoft erweitert sowie die Grundkonzepte, die IoT Edge bereitstellt. Auch die Probleme in dem noch jungen Produkt wurden angesprochen, aber auch die Vorteile und Features, die es liefert. In der gemeinsamen Demo mit Eli haben dann beide Speaker die technischen Details von Azure IoT Edge gezeigt und demonstriert, beispielsweise wie Code automatisiert von einer CI/CD-Pipeline in Azure DevOps auf ein IoT-Gerät deployed werden kann. Event: inovex Meetup, 12.03.& 19.03.2019 Speaker: Maximilian Bischoff, inovex Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Representation Learning von Zeitreihen

inovex GmbH

Es liegt in der Natur des Menschen das Unvorhersehbare vorherzusagen: Wetter, Aktienkurse, Krankheitsverläufe, die Reaktion eines Menschen. Neueste Deep Learning Ansätze sind in der Lage solche sequentielle Sachverhalte immer genauer zu prognostizieren, setzen aber auch immer größere Datenmengen und Rechenleistungen voraus, die sowohl in Forschung als auch in der Praxis häufig nicht vorliegen. Wie kann man gute Ergebnisse erreichen, wenn nur wenig Daten vorliegen? Marisa Mohr stellte in ihrem Vortrag einen neuen und vielversprechenden informationstheoretischen Ansatz zum Feature Learning von sequentiellen Daten vor, der potenziell auch mit wenigen Daten auskommt. Dabei ging es speziell um ordinale Muster in Zeitreihen, wie sie beispielsweise als Veränderung von Emotionen im Gesprächsverlauf zu finden sind. Eine solche Entwicklung ist für Menschen in der Regel leicht zu erkennen. Chatbots hingegen können nicht intuitiv auf solche Emotionsverläufe reagieren, sondern müssen entsprechend programmiert werden. Details: Deep-Learning-Ansätze wie LSTMs, RNNs oder TCNs haben sich im Umgang mit sequentiellen Daten bewährt. Neuronale Netzwerke sind tief im technischen Sinn, weil sie mehrere (verborgene) Schichten besitzen, aber nicht weil sie ein tiefes Verständnis von Problemen entwickeln. In diesem Vortrag stellte Marisa einen symbolischen informationstheoretischen Ansatz des Representation Learnings von Zeitreihen vor und damit eine Möglichkeit, konzeptionelle Schichten zu konstruieren. Die Idee hinter der sogenannten Permutationsentropie besteht darin, anstelle der Werte einer Zeitreihe die Ordnungsrelation zwischen den Werten zu betrachten, und so auf das natürliche Auf und Ab des zugrundeliegenden dynamischen Systems zurückzugreifen. Event: inovex Meetup: Das Unvorhersehbare vorhersagen: Zeitreihen und Chatbots, 26.03.2019 Speakerin: Marisa Mohr (inovex) Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Talk to me – Chatbots und digitale Assistenten

inovex GmbH

Menschliche Kommunikation folgt zwar einer ganzen Reihe von Regeln, diese lassen sich aber schwer formalisieren. Nicht zuletzt deshalb, weil in unseren Interaktionen immer auch eine Fülle von Welt- und implizitem Kontextwissen eine Rolle spielt. Rein regelbasierte Chatbots sind daher nicht nur äußert komplex in der Programmierung, sondern stoßen in vielen Anwendungsbereichen schnell an ihre Grenzen. In diesem Vortrag gab Anna Weißhaar einen Überblick über die aktuellen Lösungen und Herausforderungen im Bereich digitale Assistenten. Der Fokus lag dabei auf Ansätzen, die Chatbots „chatty“ machen, sie also möglichst adäquat auf im Voraus unbekannte Nutzereingaben reagieren zu lassen. Event: inovex Meetup: Das Unvorhersehbare vorhersagen: Zeitreihen und Chatbots, 26.03.2019 Speaker: Anna Weißhaar (inovex) Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Künstlich intelligent?

inovex GmbH

Nicht zuletzt durch die medienwirksame Erfolge des maschinellen Lernens durch DeepMind, OpenAI und Kollegen ist Künstliche Intelligenz im Moment wieder in aller Munde. Einerseits locken zahlreiche neue, vorher undenkbare Anwendungen wie die automatische Diagnose von Krankheiten, autonome Fahrzeuge und Drohnen, oder die automatische Übersetzung gesprochener Wörter. Andererseits warnen mahnenden Stimmen wird vor dem zunehmendem Einflussnahme der „Algorithmen“ auf fast alle Bereiche unseres Lebens sowie vor unerwünschten Folgen von sich verselbstständigenden Computern gewarnt. Einige träumen von – oder fürchten sich vor – der vermeintlich unausweichlichen Singularität, an der sich nichts weniger als das Schicksal der gesamten Menschheit entscheiden wird. Doch was verbirgt sich hinter dem Begriff Künstliche Intelligenz? Je nachdem, wen man fragt, erhält man unterschiedliche, bisweilen gegensätzliche Antworten. Dieser Vortrag stellt einige dieser Antworten vor und versucht sie (nicht nur) anhand von Beispielen aus Forschung und Anwendung einzuordnen. Event: Business Analytics Day, 07.03.2019 Speaker: Dr. Matthias Richter, Dr. Stefan Igel (inovex) Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Dev + Ops = Go

inovex GmbH

In den letzten drei Jahren haben wir die Infrastruktur der Fernseh-Plattform waipu.tv gebaut. Dabei haben wir angefangen Tools für den Betrieb in Golang zu schreiben. Aus einigen der Tools wurden Core-Services, die auch die Last einer Fußball-WM-Übertragung locker wegstecken. Wir wollen euch zeigen, wie wir mit der selben Tool-Chain (Golang & Co) Betriebs-Probleme lösen und kritische Business-Applikationen entwickeln. Klassisch DevOps oder Golden Hammer? Speaker: Christoph Petrausch, Igor Lankin (beide inovex) Event: DevOpsConference, 04.12.2018 Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

Das Android Open Source Project

inovex GmbH

Das Android Open Source Project, kurz AOSP, ist das Betriebssystem, das auf den meisten heutigen und wahrscheinlich auch auf deinem Smartphone läuft. Es ist die Basis für das Android-App-Universum und wird von Millionen Nutzern und Entwicklern auf der Welt verwendet. Wegen der offenen Verfügbarkeit des Source Codes ist es auch die Basis für bekannte Custom ROMs wie LineageOS. Der erste Teil des Talks gab eine Übersicht über die Architektur des Betriebssystems, das App-Ökosystem, den Hardware Abstraction Layer (HAL), die Sicherheitskonzepte und einige neue Betriebssystementwicklungen wie Project Treble in Android 8.0. Der zweite Teil des Talks gab einen Einblick in den Quellcode und die Struktur des AOSP: Wie lädt man sich den Source Code herunter, wie baut man das AOSP für unterstützte Geräte und wie kann man die eigenen ROMs auf ein Smartphone flashen? Zum Spaß wurde auch noch in einige Implementierungsdetails von Android-App-API-Funktionen geblickt, die man als App Developer schon aufgerufen hat. Speaker: Stefan Lengfeld, inovex Event: inovex Meetup Köln, 23.10.2018 Mehr Tech-Vorträge: www.inovex.de/vortraege Mehr Tech-Artikel: www.inovex.de/blog

Machine Learning Interpretability

inovex GmbH

Interpretable Machine Learning describes the process of revealing causes of predictions and explaining a derived decision in a way that is understandable to humans. The ability to understand the causes that lead to a certain prediction enables data scientists to ensure that the model is consistent to the domain knowledge of an expert. Furthermore, interpretability is critical to obtain trust in a model and to be able to tackle problems like unfair biases or discrimination against particular subgroups. This talk covers an introduction to the concept of interpretability and an overview of popular interpretability techniques. Speaker: Marcel Spitzer, inovex Event: Kaggle Munich Meetup, 20.11.2018 Mehr Tech-Vorträge: www.inovex.de/vortraege Mehr Tech-Artikel: www.inovex.de/blog

Performance evaluation of GANs in a semisupervised OCR use case

inovex GmbH

Online vehicle marketplaces are embracing artificial intelligence to ease the process of selling a vehicle on their platform. The tedious work of copying information from the vehicle registration document into some web form can be automated with the help of smart text-spotting systems, in which the seller takes a picture of the document, and the necessary information is extracted automatically. Florian Wilhelm details the components of a text-spotting system, including the subtasks of object detection and optical character recognition (OCR). Florian elaborates on the challenges of OCR in documents with various distortions and artifacts, which rule out off-the-shelf products for this task. After offering an overview of semisupervised learning based on generative adversarial networks (GANs), Florian evaluates the performance gains of this method compared to supervised learning. More specifically, for a varying amount of labeled data, he compares the accuracy of a convolution neural network (CNN) to a GANthat uses additional unlabeled data during the training phase, showing that GANs significantly outperform classical CNNs in use cases with a lack of labeled data. What you'll learn: Understand how semisupervised learning with GANs works Explore beneficial semisupervised methods based on GANs for use cases with a limited amount of labeled data Gain insight into an interesting OCR use case of an online vehicle marketplace Event: O'Reilly Artificial Intelligence Conference, London, 11.10.2018 Speaker: Dr. Florian Wilhelm Mehr Tech-Vorträge: www.inovex.de/vortraege Mehr Tech-Artikel: www.inovex.de/blog

People & Products – Lessons learned from the daily IT madness

inovex GmbH

IT im 21. Jahrhundert – What a time to be alive! Es gibt einen (unüberschaubaren) Zoo an Methoden und Produkten die uns so viel Freude an der Arbeit bereiten! Sie sind modern, weil sie neu sind. Sie fordern unser Können heraus, weil sie komplex sind. Sie lösen einige Probleme, die wir vorher nicht hatten. Jeder will sie verwenden, weil Google, Netflix & Co. sie propagieren und Hand auf’s Herz: Will nicht jeder gerne so arbeiten wie Google, Netflix & Co.? Aber macht das wirklich Sinn? In diesem Vortrag blicken wir auf diverse Erkenntnisse aus dem Einsatz agiler Produktentwicklung, DevOps, Continuous Integration/Delivery, Infrastructure as Code, Immutable Infrastructure (bspw. Docker/Kubernetes), Application Logging und Service Monitoring. Learning Goals: - Wir müssen den Einsatz von Methoden und Tools an die Menschen ausrichten, die sie (weiter-)entwickeln und benutzen sollen. - Manchmal lösen wir mit neuen Tools Probleme, die wir vorher nicht hatten. - Die Suche nach einfachen Lösungen für komplexe Probleme ist essentiell, aber nicht immer einfach. Event: Continuous Lifecycle, 15.11.2018 Speaker: Arnold Bechtoldt Mehr Tech-Vorträge: www.inovex.de/vortraege Mehr Tech-Artikel: www.inovex.de/blog

Infrastructure as (real) Code – Manage your K8s resources with Pulumi

inovex GmbH

Pulumi (pulumi.io) offers an open source platform to create/manage and deploy your infrastructure in realy programming languages like JavaScript/TypeScript, Go and Python. As Cloud platforms the major 3 cloud providers are supported and additionally you can also use Pulumi with OpenStack and Kubernetes to deploy your applications in the cloud. In this talk we will take a look how Pulumi is different to traditional solutions like Terraform or the Cloud Provider specific solutions (e.g. CloudFormation). The main focus will be on deploying your services on top of Kubernetes. The talk will contain a little theory part about Pulumi, the rest of the talk is more focused on demos and practical parts. One focus of the talk is the difference of Pulumi to kubectl and helm (or to be precise how they complement each other. As a takeaway of this talk you should understand the basics of Pulumi and know what are the differences to the traditional deployment tools. Event: CNCF Meetup Hamburg & Stuttgart, 29.10.2018 & 07.11.2018 Speaker: Johannes M. Scheuermann, inovex Mehr Tech-Vorträge: https://www.inovex.de/de/content-pool/vortraege/ Mehr Tech-Artikel: https://www.inovex.de/blog/

More from inovex GmbH (20)

lldb – Debugger auf Abwegen

Are you sure about that?! Uncertainty Quantification in AI

Why natural language is next step in the AI evolution

WWDC 2019 Recap

Network Policies

Interpretable Machine Learning

Jenkins X – CI/CD in wolkigen Umgebungen

AI auf Edge-Geraeten

Prometheus on Kubernetes

Deep Learning for Recommender Systems

Azure IoT Edge

Representation Learning von Zeitreihen

Talk to me – Chatbots und digitale Assistenten

Künstlich intelligent?

Dev + Ops = Go

Das Android Open Source Project

Machine Learning Interpretability

Performance evaluation of GANs in a semisupervised OCR use case

People & Products – Lessons learned from the daily IT madness

Infrastructure as (real) Code – Manage your K8s resources with Pulumi

Recently uploaded

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Connector Corner: Automate dynamic content and events by pushing a button

DianaGray10

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Paul Groth

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Product School

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Recently uploaded (20)