David's KubeCon update #2: KubeCon 2019
David Lebutsch
Director of Engineering IBM Cloud Data Services, IBM Distinguished Engineer, IBM R&D Germany
I had the privilege to attend KubeCon 2019 along with 12,000 attendees (wow!). You can find the sessions, recordings and presentations here: https://events19.linuxfoundation.org/events/kubecon-cloudnativecon-north-america-2019/schedule/
I couldn’t attend all sessions, but here are the ones I had on my list, sorted by topics of interest. I hope you find my recommended reading useful, and would appreciate questions and comments.
Open Policy Agent: How many policy engines and stores do you have? My services use Vault, IBM IAM, Watson Knowledge Catalog, service-integrated authorization policies (Db2, Postgres, …) and so on, and my thought was that consolidation might be a good thing. How do you monitor all these policies and create evidence for compliance? While OPA seemed interesting, many are challenged by the steep learning curve of the Rego policy language. Service mesh and Envoy integration was another topic that received a lot of attention.
· Lightning Talk: CRDs All the Way Down – Using OPA for Complex CRD Validation and Defaulting - Puja Abbassi, Giant Swarm: https://kccncna19.sched.com/event/UafE/lightning-talk-crds-all-the-way-down-using-opa-for-complex-crd-validation-and-defaulting-puja-abbassi-giant-swarm
· OPA Introduction & Community Update - Rita Zhang, Microsoft & Patrick East, Styra: https://kccncna19.sched.com/event/Uahw/opa-introduction-community-update-rita-zhang-microsoft-patrick-east-styra
· Applying Policy Throughout The Application Lifecycle with Open Policy Agent - Gareth Rushgrove, Snyk: https://kccncna19.sched.com/event/UaW8/applying-policy-throughout-the-application-lifecycle-with-open-policy-agent-gareth-rushgrove-snyk
· OPA Deep Dive - Tim Hinrichs & Torin Sandall, Styra: https://kccncna19.sched.com/event/Uafr/opa-deep-dive-tim-hinrichs-torin-sandall-styra
· Kubernetes Policy Enforcement Using OPA At Goldman Sachs - Miguel Uzcategui, Goldman Sachs & Tim Hinrichs, Styra: https://kccncna19.sched.com/event/UaaX/kubernetes-policy-enforcement-using-opa-at-goldman-sachs-miguel-uzcategui-goldman-sachs-tim-hinrichs-styra
· Enforcing Service Mesh Structure using OPA Gatekeeper - Sandeep Parikh, Google: https://kccncna19.sched.com/event/Uac5/enforcing-service-mesh-structure-using-opa-gatekeeper-sandeep-parikh-google
· How Yelp Moved Security From the App to the Mesh with Envoy and OPA - Daniel Popescu, Yelp & Ben Plotnick, Cruise: https://kccncna19.sched.com/event/UaZT/how-yelp-moved-security-from-the-app-to-the-mesh-with-envoy-and-opa-daniel-popescu-yelp-ben-plotnick-cruise
CI/CD: DevSecOps and GitOps were major topics. New projects such as Tekton, a Kubernetes-native open-source CI/CD framework, got some attention. CI/CD (continuous integration and delivery) is the production system that developers use to deliver value to production … what could be more important?
· Mario’s Adventures in Tekton Land - Vincent Demeester, Red Hat & Andrea Frittoli, IBM: https://kccncna19.sched.com/event/UabG/marios-adventures-in-tekton-land-vincent-demeester-red-hat-andrea-frittoli-ibm
· Building Reusable DevSecOps Pipelines on a Secure Kubernetes Platform - Steven Terrana, Booz Allen Hamilton & Michael Ducy, Sysdig: https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig
· Argo: Leveling Up Your CD: Unlocking Progressive Delivery on Kubernetes - Daniel Thomson & Jesse Suen, Intuit: https://kccncna19.sched.com/event/Uaaj/leveling-up-your-cd-unlocking-progressive-delivery-on-kubernetes-daniel-thomson-jesse-suen-intuit
· Panel: GitOps User Stories - Tamao Nakahara, Weaveworks; Javeria Khan, Palo Alto Networks; Hubert Chen, Branch; Stefan Prodan, Weaveworks; & Edward Lee, Intuit: https://kccncna19.sched.com/event/UaYh/panel-gitops-user-stories-tamao-nakahara-weaveworks-javeria-khan-palo-alto-networks-hubert-chen-branch-stefan-prodan-weaveworks-edward-lee-intuit
Istio / Envoy / networking: Service mesh and solving networking challenges between services received a lot of attention at KubeCon. Here are the sessions I found most interesting. Cilium offers interesting capabilities that use a Linux kernel technology called BPF to define and enforce both network-layer and application-layer security policies based on container/pod identity rather than on IP addresses. Intercepting and applying policies to system calls could be interesting for securing legacy workloads written in low-level languages.
· How Spotify Migrated Ingress HTTP Systems to Envoy - Erica Manno & Vladimir Shakhov, Spotify: https://kccncna19.sched.com/event/UaZH/how-spotify-migrated-ingress-http-systems-to-envoy-erica-manno-vladimir-shakhov-spotify
· From Brownfield to Greenfield: Istio Service Mesh Journey at Freddie Mac - Shriram Rajagopalan, Tetrate & Lixun Qi, Freddie Mac: https://kccncna19.sched.com/event/UaYb/from-brownfield-to-greenfield-istio-service-mesh-journey-at-freddie-mac-shriram-rajagopalan-tetrate-lixun-qi-freddie-mac
· Liberating Kubernetes From Kube-proxy and Iptables - Martynas Pumputis, Cilium: https://kccncna19.sched.com/event/Uaam/liberating-kubernetes-from-kube-proxy-and-iptables-martynas-pumputis-cilium
· How Yelp Moved Security From the App to the Mesh with Envoy and OPA - Daniel Popescu, Yelp & Ben Plotnick, Cruise: https://kccncna19.sched.com/event/UaZT/how-yelp-moved-security-from-the-app-to-the-mesh-with-envoy-and-opa-daniel-popescu-yelp-ben-plotnick-cruise
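The identity-based, L3/L4 plus L7 policy that the paragraph above describes looks like this as a CiliumNetworkPolicy. This is an added example, not material from the Cilium talk; the namespace `shop`, the `app: frontend` / `app: backend` labels, the port and the URL path are assumed placeholders.

```yaml
# Added example: allow only pods labelled app=frontend to reach app=backend,
# and only for GET on the orders API. Selection is by pod identity (labels),
# so the policy survives pod rescheduling and IP churn.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-to-backend-orders-api
  namespace: shop               # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: backend              # the pods this policy protects
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend       # the only identity allowed in
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              # L7 rule: everything not matched here on port 8080 is denied,
              # including POST/DELETE from the otherwise-allowed frontend.
              - method: "GET"
                path: "/api/v1/orders/.*"
```

Two behaviours worth knowing before applying this in a shared cluster: once any policy selects an endpoint in the ingress direction, Cilium switches that endpoint to default-deny on ingress, so other clients of `app: backend` need their own allow rules; and the presence of an `http` rule makes Cilium redirect matching flows through its Envoy proxy to parse the request, which is what makes the method/path check possible but also adds a hop you will see in latency and in the proxy's access logs.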
Operators and CRDs: Hot new topic, made even more popular by Red Hat. The question is what we will operate using operators and what we will not. Will operators go as far as handling database DDL? Would a database administrator even have access to the kube command line? Probably not. Operators will be very useful for day-1 deployment and day-2 management of applications, but won't change how applications are administered.
· Lightning Talk: CRDs All the Way Down – Using OPA for Complex CRD Validation and Defaulting - Puja Abbassi, Giant Swarm: https://kccncna19.sched.com/event/UafE/lightning-talk-crds-all-the-way-down-using-opa-for-complex-crd-validation-and-defaulting-puja-abbassi-giant-swarm
· Writing a Kubernetes Operator: the Hard Parts - Sebastien Guilloux, Elastic: https://kccncna19.sched.com/event/UaeV/writing-a-kubernetes-operator-the-hard-parts-sebastien-guilloux-elastic
Security: Kubernetes manages container workloads that share the kernel and other components of the host operating system. Any vulnerability in the kernel can jeopardize the security of the other containers on that host as well. That brings back the horizontal attack vectors we had forgotten about since the early, insecure days of hypervisors. Add multi-tenant services and the state of vertical attacks, and we have a complex set of new requirements and challenges to address.
· Containing the Container: Developer Experience vs Strict Security Posture - Brian Bagdzinski & Sharat Nellutla, Verizon: https://kccncna19.sched.com/event/UaXC/containing-the-container-developer-experience-vs-strict-security-posture-brian-bagdzinski-sharat-nellutla-verizon
· Building Reusable DevSecOps Pipelines on a Secure Kubernetes Platform - Steven Terrana, Booz Allen Hamilton & Michael Ducy, Sysdig: https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig
· CNCF SIG-Security Intro - Sarah Allen, CNCF SIG-Security & Brandon Lum, IBM: https://kccncna19.sched.com/event/Uahe/cncf-sig-security-intro-sarah-allen-cncf-sig-security-brandon-lum-ibm
· The Devil in the Details: Kubernetes’ First Security Assessment - Aaron Small, Google & Jay Beale, InGuardians: https://kccncna19.sched.com/event/Uad0/the-devil-in-the-details-kubernetes-first-security-assessment-aaron-small-google-jay-beale-inguardians
· Hardware-based KMS Plug-in to Protect Secrets in Kubernetes - Raghu Yeluri & Haidong Xia, Intel: https://kccncna19.sched.com/event/UaZ2/hardware-based-kms-plug-in-to-protect-secrets-in-kubernetes-raghu-yeluri-haidong-xia-intel
· Walls Within Walls: What if Your Attacker Knows Parkour? - Tim Allclair & Greg Castle, Google: https://kccncna19.sched.com/event/UaeM/walls-within-walls-what-if-your-attacker-knows-parkour-tim-allclair-greg-castle-google
· Securing Communication Between Meshes and Beyond with SPIFFE Federation - Evan Gilman, Scytale & Oliver Liu, Google: https://kccncna19.sched.com/event/Uacx/securing-communication-between-meshes-and-beyond-with-spiffe-federation-evan-gilman-scytale-oliver-liu-google
· How Kubernetes Components Communicate Securely in Your Cluster - Maya Kaczorowski, Google: https://kccncna19.sched.com/event/UaZE/how-kubernetes-components-communicate-securely-in-your-cluster-maya-kaczorowski-google
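Because the shared kernel is the weak point, the practical defence on the workload side is to shrink how much of the kernel a container can reach. As an added example (not a spec from any of the talks above), here is a Pod the way it is too often deployed, next to the same workload with the settings that close the common paths from a compromised container to the node. The image name and UID are assumed placeholders.

```yaml
# Weak: root, full capability set, a writable root filesystem, and
# privileged mode, which hands the container most of the host kernel.
apiVersion: v1
kind: Pod
metadata:
  name: legacy-app
spec:
  containers:
    - name: app
      image: registry.example.com/legacy-app:1.4.2   # assumed image
      securityContext:
        privileged: true
---
# Hardened: same image, with the kernel attack surface cut down.
apiVersion: v1
kind: Pod
metadata:
  name: legacy-app
spec:
  securityContext:
    runAsNonRoot: true           # kubelet refuses to start the pod as UID 0
    runAsUser: 10001             # assumed unprivileged UID baked into the image
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault       # runtime's default syscall filter; the field
                                 # exists from Kubernetes 1.19, older clusters
                                 # use the seccomp annotation instead
  automountServiceAccountToken: false   # no API token unless the app needs one
  containers:
    - name: app
      image: registry.example.com/legacy-app:1.4.2
      securityContext:
        allowPrivilegeEscalation: false   # blocks setuid binaries gaining more
        readOnlyRootFilesystem: true      # malware cannot persist in the image
        capabilities:
          drop: ["ALL"]                   # add back only what the app proves it needs
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # scratch space, since / is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

The hardened spec does not stop a kernel exploit, but it removes the easy routes: no capabilities means no `CAP_SYS_ADMIN` mount tricks, the seccomp filter drops the rarely used syscalls where many kernel bugs live, and the missing service-account token means an attacker who does land in the container starts with no credentials towards the API server. Admission policy (for example the OPA/Gatekeeper approach in the first section) is the place to make these settings mandatory rather than optional.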
OpenTelemetry: While most of my services use New Relic APM, I started to learn more about OpenTelemetry and Jaeger. It is definitely interesting to see what open source offers in this space. I anticipate even more activity in the future due to the nature of microservices and complex, continuously changing systems.
· Jaeger Intro - Yuri Shkuro, Uber Technologies & Pavol Loffay, Red Hat: https://kccncna19.sched.com/event/Uaiu/jaeger-intro-yuri-shkuro-uber-technologies-pavol-loffay-red-hat
· Jaeger Deep Dive - Yuri Shkuro, Uber Technologies & Pavol Loffay, Red Hat: https://kccncna19.sched.com/event/Uags/jaeger-deep-dive-yuri-shkuro-uber-technologies-pavol-loffay-red-hat
· Beyond Getting Started: Using OpenTelemetry to Its Full Potential - Sergey Kanzhelev, Microsoft & Morgan McLean, Google: https://kccncna19.sched.com/event/UaWN/beyond-getting-started-using-opentelemetry-to-its-full-potential-sergey-kanzhelev-microsoft-morgan-mclean-google
· OpenTelemetry: The First Release, What’s Next, and How to Get Involved - Morgan McLean, Google; Tristan Sloughter, Postmates; Sergey Kanzhelev, Microsoft; & Chris Kleinknecht, Google: https://kccncna19.sched.com/event/Uake/opentelemetry-the-first-release-whats-next-and-how-to-get-involved-morgan-mclean-google-tristan-sloughter-postmates-sergey-kanzhelev-microsoft-chris-kleinknecht-google
Something different …
· Mental Health in Tech - Dr. Jennifer Akullian, Growth Coaching Institute: https://kccncna19.sched.com/event/UdHp/mental-health-in-tech-dr-jennifer-akullian-growth-coaching-institute
· Growth and Design Patterns in the Extensions Ecosystem - Eric Tune, Google: https://kccncna19.sched.com/event/UaYw/growth-and-design-patterns-in-the-extensions-ecosystem-eric-tune-google
· Rook: Cloud-Native Storage Orchestration (Introduction and Deep Dive) - Jared Watts, Upbound; Bassam Tabbara, Upbound; Travis Nielsen, Red Hat; & Alexander Trost, Cloudical: https://kccncna19.sched.com/event/Uakk/rook-cloud-native-storage-orchestration-introduction-and-deep-dive-jared-watts-upbound-bassam-tabbara-upbound-travis-nielsen-red-hat-alexander-trost-cloudical
I had a great time at KubeCon and learned a ton. I would like to thank everybody involved and am looking forward to next year's event!
I especially enjoyed meeting with my partners from Sysdig, New Relic, LogDNA, EnterpriseDB, Segment and PagerDuty.
#KubeCon2019 #CNCF #DevSecOps #GitOps #OPA #ServiceMesh #OpenTelemetry #Jaeger #Istio #Envoy #Operators #sysdig #newrelic #logdna #enterprisedb #segment #pagerduty
Thanks David, good documents.
Principal Director at Accenture
5 years ago: Thanks for sharing David!