Taking the scissors away - Make K8S safe(er) for DevOps (shorter version)

•

0 likes•64 views

The document discusses making a Kubernetes cluster safer for DevOps by removing unnecessary access and privileges. It covers securing the cluster kernel, implementing fine-grained role-based access control (RBAC), enforcing workload configurations with pod security policies, limiting resource consumption with quotas, and customizing Kubernetes through operators and admission webhooks. The overall message is that combining these techniques can help produce a Kubernetes cluster where namespaces are properly isolated and access is restricted.

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Taking the scissors away
Make your K8S cluster safe for DevOps

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Well, safer at least

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Topics
Scissors, scissors everywhere
Securing the cluster kernel
RBAC, the pains and gains
Enforcing workload configuration
No one likes hoarders

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps https://commons.wikimedia.org/wiki/File:Kookie_Studio_Mixer.JPG

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Root vs. non-root
86% of images in Docker Hub use root
Root is root
Userns remap not available in K8S

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Capabilities
Fine grained permission checks
Lot of default caps
Privileged == all caps

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps https://www.flickr.com/photos/jdickert/1270880225

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=19565850

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Securing cluster kernel
Use benchmark tools
Lock all doors by default
Auth complexity

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Things to watch out
Auth configured properly
Everything has proper TLS
No exposed APIs
...

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
RBAC
Who can do what?
Super fine grained
Scoped

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
RBAC - Pains
Fine grained controls
Sea of YAML
What can I do?

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
RBAC - Helpers
RBAC Manager
kubectl-who-can

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
No root allowed

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Pod Security Policy
Control for Pod security aspects
An Admission Controller
Enforcer
Can also set some defaults

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
PSP - Pains
Easy to cap your cluster
Enforced policy selected via RBAC
When did you last create a pod?

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps https://www.flickr.com/photos/71622328@N08/36359861566

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Resource Quota
Limit aggregate resource consumption
Scoped per namespace
YAAC - YetAnotherAdmissionController

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Limits on
CPU
MEM
Storage
Object counts

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Secure cluster kernel
Auth
RBAC
ALL components secured

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Namespaces FTW, ensure:
Resource Quotas
PSP setup properly
Network Policies
LimitRanges

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Customize K8S
Custom operators
Operator SDK
Custom admission webhooks

www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Operator Framework
Operator running in the cluster
Reacts to changes of specific objects
Can setup ”adjacent” resources
Namespace created à configure it

Everyone has been told not to run with scissors. Doing so makes one highly exposed to serious damage. Both containers and Kubernetes define a bajillion different toggles how to configure the applications. Rather than using all the proper toggles, developers often run things in containers and in Kubernetes just using the plain defaults. That leaves many capabilities lurking in the applications that just wait to be exploited. This session is highly inspired by Liz Rice’s talk at KubeCon EU 2018, “Running with scissors”. My session will focus on a different angle: how to take the scissors away from the developers so that they do not harm themselves. In this talk, we’ll look at some of the concepts of forcing security of the application workloads both from conceptual and practical points of view. We’ll look at things like security policies, resource quotas, and pod security contexts. We’ll also discuss what they mean for the applications developers are pushing to the Kubernetes cluster.

Recap of de code 2019

Kyohei Mizumoto

Lean and agile software because or despite rising complexity by Yves Caseau

Institut Lean France

At the Lean Digital Summit 2019, Yves Caseau, Group CIO of Michelin talked about software factories and how to leverage lean and agile practices to cope with uncertainty and complexity. It turns out that rising complexity is also making the mindset change to « agile laissez-faire » more difficult. He explained how Lean roots help to anchor the continuous learning and software craftsmanship ambition into corporate governance for large organizations. More Lean digital stories on www.lean-digital-summit.com

Containers in a Kubernetes World

plarsen67

KubeCon + CloudNativeCon Barcelona and Shanghai 2019 - Highlights

Krishna-Kumar

Kubernetes on AWS => EKS || CNCF Meetup Zurich, Feb 2019

Gerd König

At BBVA we are developing the Bank’s Next Global Banking Platform for building, deploying and running banking services of any kind, leveraging on cloud technologies. Security is one of the main components for this new platform and is expected to be self-service and easy to use. But it’s not only technology we are building, it’s a new culture based mainly on DevOps. So, what better opportunity to shift-left and offer developers the tools that they need to easily change their (and security teams) mindsets regarding security? In this talk we will walk you through the strategy that we have adopted to expose security services for enabling secure development but at the same time automating security processes needed by security teams. All this trying to keep it in a low budget (at least for now) by levering on vendors and open-source solutions. Link: https://www.sonatype.com/uk/2019-devsecops-leadership-forum-london

You got database in my cloud!

Liz Frost

End to-end ml pipelines with beam, flink, tensor flow, and hopsworks (beam su...

Theofilos Kakantousis

Apache Beam is a key technology for building scalable End-to-End ML pipelines, as it is the data preparation and model analysis engine for TensorFlow Extended (TFX), a framework for horizontally scalable Machine Learning (ML) pipelines based on TensorFlow. In this talk, we present TFX on Hopsworks, a fully open-source platform for running TFX pipelines on any cloud or on-premise. Hopsworks is a project-based multi-tenant platform for both data parallel programming and horizontally scalable machine learning pipelines. Hopsworks supports Apache Flink as a runner for Beam jobs and TFX pipelines are supported through Airflow support in Hopsworks. We will demonstrate how to build a ML pipeline with TFX, Beam’s Python API and the Flink Runner by using Jupyter notebooks, explain how security is transparently enabled with short-lived TLS certificates, and go through all the pipeline steps, from Data Validation, to Transformation, Model training with TensorFlow, Model Analysis, Model Serving and Monitoring with Kubernetes. To the best of our knowledge, Hopsworks is the first fully open-source on-premise platform that supports both TFX pipelines and Apache Beam.

Rabncher Meetup India , Lightweight Kubernetes Development with K3s, k3os and...

sangam biradar

2019.02 Eclipse Foundation and Eclipse IoT presentation at Eclipse IoT Day Gr...

Gaël Blondelle

Cloud native computing and open source

Cheryl Hung

Argo Workflows 3.0, a detailed look at what’s new from the Argo Team

LibbySchulze

Docker opens the Doors for IoT

Dieter Reuter

KubeCon + CloudNativeCon China 2018 Recap

cyberblack28 Ichikawa

Kubernetes - 7 lessons learned from 7 data centers in 7 months

Michael Tougeron

Learn from the rapid journey that Adobe Advertising Cloud took to reach a multi-cloud/multi-region deployment and the lessons learned along the way. Mike will cover 7 challenging scenarios with StatefulSets, GitOps, autoscaling for machine learning and auto-remediation. Go behind the scenes of the wins & failures to see how the engineering and platform teams prevented the derailing of their Kubernetes journey. From developing with spot instances in dev to multi-cloud in production, the cloud platform team has dealt with an interesting set of challenges. As Mike will show, even challenging requirements can lead to successful deployments.

KubeCon CloudNativeCon 2016 Seattle - a report

Krishna-Kumar

Native Spark Executors on Kubernetes: Diving into the Data Lake - Chicago Clo...

Mariano Gonzalez

Everybody wants to do big data on a data lake! However, implementing it and maintaining the infrastructure necessary to explore it, such as Spark, has been a historically challenging endeavor. Kubernetes is the tool of choice for cloud orchestration, and Spark continues to be the de facto framework for most data wrangling tasks. We’ve previously tried different data lake architectures, and suffered from the pain that Hadoop carries with it. Finally, we decided to bring the best from the cloud and big data worlds together, and walk you through a session on how to set an endless data lake powered with native Spark executors on Kubernetes

Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...

Fasten Project

Software engineers reuse code to reduce development and maintenance costs but how safe is it to use open source software (OSS)? By using OSS and dependencies to external libraries they can introduce to projects significant operational and compliance risk as well as difficult to assess security implications. The aim of the FASTEN project (a European Union’s H2020 research and innovation programme led by TU Delft) is to address this situation, by developing an intelligent software package management system that will enhance robustness and security in software ecosystems. Our team in Endocode AG is part of the FASTEN project with our FOSS toolchain Quartermaster, which detects license compliance on softwares.

Orchestrating Microservices

Mauricio (Salaboy) Salatino

[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...

DevDay.org

Kubernetes Operability Tooling (GOTO Chicago 2019)

bridgetkromhout

K8sfor dev parisoss-summit-microsoft-5-decembre-short

Gabriel Bechara

Kubernetes for Developers - 7 lessons learned from 7 data centers in 7 months...

Michael Tougeron

Kubecon seattle 2018 recap - Application Deployment aspects

Krishna-Kumar

Introduction to Pygame (Lecture 7 Python Game Development)

abdulrafaychaudhry

GlobusWorld 2024 Opening Keynote session

Globus

Similar to Taking the scissors away - Make K8S safe(er) for DevOps (shorter version)

쿠버네티스를 이용한 기능 브랜치별 테스트 서버 만들기 (GitOps CI/CD)

충섭 김

Enabling shift-left for 12k banking developers from scratch and without break...

Ernesto Bethencourt

You got database in my cloud!

Liz Frost

End to-end ml pipelines with beam, flink, tensor flow, and hopsworks (beam su...

Theofilos Kakantousis

Rabncher Meetup India , Lightweight Kubernetes Development with K3s, k3os and...

sangam biradar

2019.02 Eclipse Foundation and Eclipse IoT presentation at Eclipse IoT Day Gr...

Gaël Blondelle

Cloud native computing and open source

Cheryl Hung

Argo Workflows 3.0, a detailed look at what’s new from the Argo Team

LibbySchulze

Docker opens the Doors for IoT

Dieter Reuter

KubeCon + CloudNativeCon China 2018 Recap

cyberblack28 Ichikawa

Kubernetes - 7 lessons learned from 7 data centers in 7 months

Michael Tougeron

KubeCon CloudNativeCon 2016 Seattle - a report

Krishna-Kumar

Native Spark Executors on Kubernetes: Diving into the Data Lake - Chicago Clo...

Mariano Gonzalez

Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...

Fasten Project

Orchestrating Microservices

Mauricio (Salaboy) Salatino

[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...

DevDay.org

Kubernetes Operability Tooling (GOTO Chicago 2019)

bridgetkromhout

K8sfor dev parisoss-summit-microsoft-5-decembre-short

Gabriel Bechara

Kubernetes for Developers - 7 lessons learned from 7 data centers in 7 months...

Michael Tougeron

Kubecon seattle 2018 recap - Application Deployment aspects

Krishna-Kumar

Similar to Taking the scissors away - Make K8S safe(er) for DevOps (shorter version) (20)

쿠버네티스를 이용한 기능 브랜치별 테스트 서버 만들기 (GitOps CI/CD)

Enabling shift-left for 12k banking developers from scratch and without break...

You got database in my cloud!

End to-end ml pipelines with beam, flink, tensor flow, and hopsworks (beam su...

Rabncher Meetup India , Lightweight Kubernetes Development with K3s, k3os and...

2019.02 Eclipse Foundation and Eclipse IoT presentation at Eclipse IoT Day Gr...

Cloud native computing and open source

Argo Workflows 3.0, a detailed look at what’s new from the Argo Team

Docker opens the Doors for IoT

KubeCon + CloudNativeCon China 2018 Recap

Kubernetes - 7 lessons learned from 7 data centers in 7 months

KubeCon CloudNativeCon 2016 Seattle - a report

Native Spark Executors on Kubernetes: Diving into the Data Lake - Chicago Clo...

Fasten and Quartermaster presentation at FOSSCOMM, October 2019 in Lamia, Gre...

Orchestrating Microservices

[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...

Kubernetes Operability Tooling (GOTO Chicago 2019)

K8sfor dev parisoss-summit-microsoft-5-decembre-short

Kubernetes for Developers - 7 lessons learned from 7 data centers in 7 months...

Kubecon seattle 2018 recap - Application Deployment aspects

Recently uploaded

Introduction to Pygame (Lecture 7 Python Game Development)

abdulrafaychaudhry

GlobusWorld 2024 Opening Keynote session

Globus

Vitthal Shirke Java Microservices Resume.pdf

Vitthal Shirke

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Natan Silnitsky

In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey. Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience. Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system. Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.

GraphSummit Paris - The art of the possible with Graph Technology

Neo4j

Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management

Utilocate

Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly. The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.

Developing Distributed High-performance Computing Capabilities of an Open Sci...

Globus

COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.

Launch Your Streaming Platforms in Minutes

Roshan Dwivedi

The claim of launching a streaming platform in minutes might be a bit of an exaggeration, but there are services that can significantly streamline the process. Here's a breakdown: Pros of Speedy Streaming Platform Launch Services: No coding required: These services often use drag-and-drop interfaces or pre-built templates, eliminating the need for programming knowledge. Faster setup: Compared to building from scratch, these platforms can get you up and running much quicker. All-in-one solutions: Many services offer features like content management systems (CMS), video players, and monetization tools, reducing the need for multiple integrations. Things to Consider: Limited customization: These platforms may offer less flexibility in design and functionality compared to custom-built solutions. Scalability: As your audience grows, you might need to upgrade to a more robust platform or encounter limitations with the "quick launch" option. Features: Carefully evaluate which features are included and if they meet your specific needs (e.g., live streaming, subscription options). Examples of Services for Launching Streaming Platforms: Muvi [muvi com] Uscreen [usencreen tv] Alternatives to Consider: Existing Streaming platforms: Platforms like YouTube or Twitch might be suitable for basic streaming needs, though monetization options might be limited. Custom Development: While more time-consuming, custom development offers the most control and flexibility for your platform. Overall, launching a streaming platform in minutes might not be entirely realistic, but these services can significantly speed up the process compared to building from scratch. Carefully consider your needs and budget when choosing the best option for you.

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf

AMB-Review

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos https://www.amb-review.com/tubetrivia-ai Exclusive Features: AI-Powered Questions, Wide Range of Categories, Adaptive Difficulty, User-Friendly Interface, Multiplayer Mode, Regular Updates. #TubeTriviaAI #QuizVideoMagic #ViralQuizVideos #AIQuizGenerator #EngageExciteExplode #MarketingRevolution #BoostYourTraffic #SocialMediaSuccess #AIContentCreation #UnlimitedTraffic

Globus Compute Introduction - GlobusWorld 2024

Globus

Enterprise Software Development with No Code Solutions.pptx

QuickwayInfoSystems3

In the ever-evolving landscape of technology, enterprise software development is undergoing a significant transformation. Traditional coding methods are being challenged by innovative no-code solutions, which promise to streamline and democratize the software development process. This shift is particularly impactful for enterprises, which require robust, scalable, and efficient software to manage their operations. In this article, we will explore the various facets of enterprise software development with no-code solutions, examining their benefits, challenges, and the future potential they hold.

How to Position Your Globus Data Portal for Success Ten Good Practices

Globus

Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.

Globus Connect Server Deep Dive - GlobusWorld 2024

Globus

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Globus

The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.

How Recreation Management Software Can Streamline Your Operations.pptx

wottaspaceseo

Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.

Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx

ShamsuddeenMuhammadA

Orion Context Broker introduction 20240604

Fermin Galan

Providing Globus Services to Users of JASMIN for Environmental Data Analysis

Globus

JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Shahin Sheidaei

Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.

Understanding Globus Data Transfers with NetSage

Globus

NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?

Recently uploaded (20)

Introduction to Pygame (Lecture 7 Python Game Development)

GlobusWorld 2024 Opening Keynote session

Vitthal Shirke Java Microservices Resume.pdf

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

GraphSummit Paris - The art of the possible with Graph Technology

Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management

Developing Distributed High-performance Computing Capabilities of an Open Sci...

Launch Your Streaming Platforms in Minutes

Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf

Globus Compute Introduction - GlobusWorld 2024

Enterprise Software Development with No Code Solutions.pptx

How to Position Your Globus Data Portal for Success Ten Good Practices

Globus Connect Server Deep Dive - GlobusWorld 2024

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

How Recreation Management Software Can Streamline Your Operations.pptx

Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx

Orion Context Broker introduction 20240604

Providing Globus Services to Users of JASMIN for Environmental Data Analysis

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Understanding Globus Data Transfers with NetSage

Taking the scissors away - Make K8S safe(er) for DevOps (shorter version)

1. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Taking the scissors away Make your K8S cluster safe for DevOps

2. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Well, safer at least

3. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Topics Scissors, scissors everywhere Securing the cluster kernel RBAC, the pains and gains Enforcing workload configuration No one likes hoarders

4. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

5. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps https://commons.wikimedia.org/wiki/File:Kookie_Studio_Mixer.JPG

6. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Root vs. non-root 86% of images in Docker Hub use root Root is root Userns remap not available in K8S

7. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Capabilities Fine grained permission checks Lot of default caps Privileged == all caps

8. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

9. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps https://www.flickr.com/photos/jdickert/1270880225

10. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=19565850

11. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Securing cluster kernel Use benchmark tools Lock all doors by default Auth complexity

12. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Things to watch out Auth configured properly Everything has proper TLS No exposed APIs ...

13. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps RBAC Who can do what? Super fine grained Scoped

14. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

15. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps RBAC - Pains Fine grained controls Sea of YAML What can I do?

16. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps RBAC - Helpers RBAC Manager kubectl-who-can

17. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps No root allowed

18. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Pod Security Policy Control for Pod security aspects An Admission Controller Enforcer Can also set some defaults

19. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

20. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps PSP - Pains Easy to cap your cluster Enforced policy selected via RBAC When did you last create a pod?

21. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

22. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps https://www.flickr.com/photos/71622328@N08/36359861566

23. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Resource Quota Limit aggregate resource consumption Scoped per namespace YAAC - YetAnotherAdmissionController

24. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Limits on CPU MEM Storage Object counts

25. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

26. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

27. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Putting all this together

28. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Secure cluster kernel Auth RBAC ALL components secured

29. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Namespaces FTW, ensure: Resource Quotas PSP setup properly Network Policies LimitRanges

30. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Customize K8S Custom operators Operator SDK Custom admission webhooks

31. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Operator Framework Operator running in the cluster Reacts to changes of specific objects Can setup ”adjacent” resources Namespace created à configure it

32. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps Thank you!

Taking the scissors away - Make K8S safe(er) for DevOps (shorter version)

Recommended

Recommended

More Related Content

Similar to Taking the scissors away - Make K8S safe(er) for DevOps (shorter version)

Similar to Taking the scissors away - Make K8S safe(er) for DevOps (shorter version) (20)

Recently uploaded

Recently uploaded (20)

Taking the scissors away - Make K8S safe(er) for DevOps (shorter version)