KubeHuddle

You’ve probably heard all the benefits of GitOps practices, but even most trivial challenges are going unanswered in vendor demos and keynotes. Things like how I promote between environments, how can I handle infrastructure, what if I already got infrastructure that is managed by others like networking… Deploying to Kubernetes with GitOps is quite mature, though you’ll need additional services like databases, clusters. You’ll find that if you’d use Cluster API, Crossplane, AWS Controllers for Kubernetes it might solve your issue until it doesn’t integrate as you’d imagine. During this presentation I’ll go through some of the challenges we faced during rewriting LastPass’ full deployment model, solving end-to-end automation for real-life while writing less YAML files by moving towards Infrastructure as Software.

OpenFeature is an open standard for feature flag management, created to support a robust feature flag ecosystem using cloud native technologies. OpenFeature provides a unified API and SDK, and a developer-first, cloud-native implementation, with extensibility for open source and commercial offerings.

MicroK8s went from a part-time project to an Open-source success story available on every Ubuntu server in the world. However, behind its meteoric rise in usage, we struggled to balance the needs of end-users, the challenges of competition and In this talk we’ll talk about how it took us time to realise the power of community, to build a way to enable them to help guide our roadmap and to truly recognise the power of crowdsourcing engineering through open source.

This session will discuss how Skyscanner's Production Platform tribe designed a new, resilient architecture to allow Skyscanner's engineers to deliver new features to travelers on a reliable multi-tenant platform. We'll discuss what inspired the design choices, where trade-offs had to be made, the challenges faced, and the successes along the way. This will include how this architecture enabled Skyscanner to perform multiple cluster upgrades and migrations without service owners even noticing, as well as more day-to-day cluster tasks like component upgrades in a safe and scalable manner.

This session will introduce troubleshoot.sh, an open source project that helps diagnose common issues that could impact the successful deployment and operation of a Kubernetes cluster. We'll talk about how to use out-of-the-box tools, plus show you how to write your own custom collectors and analysers. Together these components should help identify issues before you install and once you are up and running.

Host: Amanda Brock, CEO, OpenUK Andrew Martin, Control Plane Founder and CEO and OpenUK CISO Liz Rice, Chief Open Source Officer, Isovalent and OpenUK Director Thomas Meadows, Solutions Engineer, Jetstack

A strategic scene setting of open source and how it got to its premier status in the software market today, an update from OpenUK's State of Open : The UK in 2022 report, and a strategic view on curation, stewardship and the future of open source in the enterprise and public sector as it becomes our critical national infrastructure.

In a live evocation of the recent O’Reilly title Hacking Kubernetes (Martin, Hausenblas, 2021), this ultimate guide to threat-driven Kubernetes defence threat models and details how to attack and defend your precious clusters from nefarious adversaries. This broad and detailed appraisal of end-to-end cluster security teaches you how to attack and defend against a range of historical and current CVEs, misconfigurations, and advanced threats: - See the historical relevance of CVEs and demonstrations of attacks against your containers, pods, supply chain, network, storage, policy, and wider organisation - Understand when to use next-generation runtimes like gVisor, firecracker, and Kata Containers - Delve into workload identity and advanced runtime hardening - Consider the trust boundaries in soft- and hard-multitenant systems to appraise and limit the effects of compromise - Learn to navigate the choppy waters of advanced Kubernetes security

Delve deeper into the dark and mysterious world of Kubernetes security! Exploit a supply chain attack and start your journey deep inside the target infrastructure, exploit your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way! Attendees can play six increasingly beguiling and demanding scenarios to bushwhack their way through the dense jungle of Kubernetes security. Everybody is welcome, from beginner to hardened veteran, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise! To attend this workshop, you will need a laptop (or tablet if so inclined) as well as a basic understanding of how to interact with Linux from a terminal (e.g. ls, cd, cat, grep). You will be given access to a cluster and it's up to you if you'd like to run this alone or as part of a team.

Host: Amanda Brock, CEO, OpenUK Andrew Martin, Control Plane Founder and CEO and OpenUK CISO Liz Rice, Chief Open Source Officer, Isovalent and OpenUK Director Thomas Meadows, Solutions Engineer, Jetstack

Kubernetes RBAC goes as far as whether a user can or cannot create new Kubernetes resources. However, it does not provide any capabilities for having more granular control on what resources can be created and what properties they might have. Validation webhooks fix that problem. They allow the user to define custom logic that looks at the resource being created/edited and, based on their properties, to allow or deny the operation. Gatekeeper is an implementation of a validation webhook that uses Open Policy Agent and allows you to define policies via the Rego language. These policies are applied to the Kube API server and live in Kubernetes as first-class citizens. This presentation will describe what validating webhooks are, how they work and how OPA and Gatekeeper leverage this functionality to protect your Kubernetes cluster. We will also dive into Rego and write our custom OPA policies.

Envoy Proxy is a foundational layer for many of the innovations propelling the Kubernetes community, including service meshes and cloud-native API gateways. But many engineers understand it only as a black box, hidden by simplifying levels of abstraction. The purpose of this workshop is to provide a hands-on workshop that will bridge those gaps in Envoy's understanding. Participants will explore first principles regarding Envoy architecture, filter chains, and a day-in-the-life of a request.

This session will detail the trials and tribulations of starting with a few lines of code to fix a problem, to ending up with a project that underpins millions of Kubernetes clusters. From angering end users by implementing what seemed at the time "a good idea" to being dragged in-front of a legal team, it isn’t all plain sailing. However through this talk the attendees will hopefully learn the joys of being part of Open Source, the elation of a community that comes to contribute and the realisation that it was worth it in the end!

In this talk, I'm exploring how someone can use eBPF to get insights about the communications happening in a Kubernetes cluster. I write an eBPF program and then use the BumbleBee (https://github.com/solo-io/bumblebee) open source project to build and deploy it. This program gathers information about all the network communications happening in the cluster and publish the corresponding metrics that I store on Prometheus. I then deploy a service gets the metrics and correlate them with the Pod and Service IP addresses to build a graph displaying all the communications.

eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules. BumbleBee (https://github.com/solo-io/bumblebee) is a new Open Source project which helps to build, run and distribute eBPF programs using OCI images. It allows you to focus on writing eBPF code, while taking care of the user space components - automatically exposing your data as metrics or logs. In this workshop, we're introducing eBPF and the different ways to create eBPF programs. Then, attendees are creating their first eBPF program using BCC and libbpf to have a better understanding of the main concepts. Finally, they are going through several labs to build and deploy an eBPF program with BumbleBee. They also deploy Prometheus and a web application on Kubernetes to display all the communications happening in the Kubernetes cluster.

Kubernetes, Kubernetes everywhere. Without any doubt, the adoption and usage of Kubernetes skyrocketed through the entire IT world. From tech-savvy startups, working on their next unicorn product, to conservative insurance companies increasing productivity and reducing time to market. It's hard to not see all the benefits Kubernetes creates to IT organization. So it was a matter of time, that our very own business gave us the task: Bring Kubernetes to our production facilities, and start with the Kaufland meat processing factories. In this talk, I want to share our one-year-long journey to accomplish this mission. Sharing all the mistakes and the successes we made during this huge project. From learnings about all the security and compliance requirements when working in the industrial area to enabling the platform and application teams. Of course, we will talk about all the technics we used like GitOps, Infrastructure as Code, Policy as Code and so on. In short: k8s & meat, it's not always as tender as we thought it would.

CI/CD is what gets your code from your laptop to your Kubernetes. If that is not the case, this talk is not for you. What if I told you that you've been holding CI/CD wrong all this time? If you can't run it locally, need to wait more than 5 minutes to see if a change works, and get goose bumps when someone on your team mentions migrating CI/CD, you're holding it wrong. After decades thinking about this problem, this is what holding it right means to me. Kubernetes is a small piece of the puzzle, and contrary to what many think, it should not be used to solve all problems. I learned this from someone else, and also... Join me if you are curious to see where this goes.

This session will discuss how Skyscanner's Production Platform tribe designed a new, resilient architecture to allow Skyscanner's engineers to deliver new features to travelers on a reliable multi-tenant platform. We'll discuss what inspired the design choices, where trade-offs had to be made, the challenges faced, and the successes along the way. This will include how this architecture enabled Skyscanner to perform multiple cluster upgrades and migrations without service owners even noticing, as well as more day-to-day cluster tasks like component upgrades in a safe and scalable manner.

The [CrowdSec](https://github.com/crowdsecurity/crowdsec/) project aims at providing a crowdsourced approach to common infrastructure defense problems, by distributing free & open-source software allowing you to protect yourself and share information about malevolent actors. CrowdSec could be perceived as a modern form of Fail2ban, though for Cloud and container-based infrastructure as well and capable of taking way more advanced decisions a lot faster. Mainly, it’s using a decoupled and distributed approach (detect here, remedy there) and an inference engine that leverages leaky buckets, YAML & Grok patterns to identify aggressive behaviors. It acquires signals from various data sources like files, syslogd, journald, AWS Cloudwatch and Kinesis, Docker logs and Windows Event Log, normalizes them, enriches them to apply heuristics and triggers a bouncer to deal with the threat, if need be. Since it’s written in Go, it’s compatible with almost any environment, fast in execution and ressource conservative. The endgame is the Reputation engine though. If you want to partake in the network to benefit from its findings, CrowdSec captures all aggression signals (timestamp, IP, behavior) and sends them for curation. That way, it establishes a reliable IP blacklist that is constantly redistributed to the network members, in order to achieve a form of Digital Herd Immunity. An IP caught aggressing WordPress sites will quickly be banned by all members using CrowdSec that subscribed to the WordPress defense collection. In that way, we share the IPs that are relevant to your technical context. While Crowdsec is in charge of the detection, the reaction is performed by "bouncers" that aim to be deployable at any level of the applicative / infrastructure stack : * via nftables/iptables/pf based on an IP set * via Nginx lua plugin * via Traefik middleware * on Cloudflare via our bouncer that integrates with Cloudflare API * Or GCP/AWS/Azure firewall, slack or scripting, notifications, etc. .. or in many other ways. Over time the possibilities will increase as the application design basically supports anything. This approach, combined with a declarative configuration and a stateless behavior, will make it an ideal candidate to enhance the security of modern stacks (containers, kubernetes, serverless and more generally automatically deployed infrastructures). Furthermore, we intend to create and share the most accurate database of malevolent actors as possible, under the form of a real-time IP reputation system, accessible through API. Whenever an attack is locally blocked/detected by Crowdsec, the "meta" information of the attack is shared amongst participants (source ip, date and triggered scenario) for redistribution to network members. We are committed to building a strong community, with all that it implies : * [a public hub](https://hub.crowdsec.net) to find, share and amend parsers, scenarios and blockers * permissive open-source license to stay business friendly * and overall a strong commitment to transparency and community-first mentality, by tooling and behavior The microservice architecture is the most significant security challenge in a Kubernetes cluster. Every application you deploy opens a new potential entry for attackers, increasing the attack surface. In this talk, we'll present the Crowdsec project and see how we can protect a kubernetes cluster using Crowdsec and the power of the Crowd.

In large organizations, securing cloud infrastructure around Kubernetes is hard. Application developers, who’ve already had to learn Kubernetes, shouldn’t need to become IAC SMEs to operate their applications' backend cloud infrastructure. Alternatively, using infrastructure teams to service requests and centralize control doesn’t scale with an increasing number of users and use cases. In this talk, Rowan and Henry will demonstrate how infrastructure teams can use policy engines to secure an emerging model that uses Kubernetes hosted cloud controllers (Crossplane, ACK, config-connector) to provision infrastructure. This model enables application teams to self serve, whilst preventing the launch of insecure infrastructure. To ease adoption of the model, Rowan and Henry will open source policies and templates to enforce controls aligned with the CIS benchmarks and to simplify the developer experience by setting secure defaults and dynamically generating supporting cloud resources.

I've always loved Minecraft, and I've always loved playing it with my friends. Being the one with a home server, I setup my own Minecraft server. Soon I wanted to manage it with Kubernetes like the rest of my applications, and wanted to automate common tasks like backups and upgrades. So I made an operator. This talk will cover the how of making an operator for a 'legacy' application that is not designed to be cloud-native, and why you might want to do it. The operator is open source at https://github.com/jameslaverack/minecraft-operator. The operator and the talk are not endorsed by Mojang Studios or Microsoft in any way.

JJ will walk you through deploying a simple python application to Kubernetes/OpenShift. We’ll start from the ground up, then get a complete automated build. The goal is to enable your developers to focus on code, not the infrastructure! It’s a chance to see the power of OpenShift and why taking the time to learn cloud-native development can get you the velocity you need.

eBPF is hard. There are more and more docs and blogs, but the learning curve seems to be really steep. Where could you possibly start to play around with this new technology? In this talk, I will briefly introduce the (e)BPF landscape, then show you one of the easiest way to get started with eBPF. We will explore existing tools, and see what it takes to drop them into a Kubernetes cluster, and learn how can you expose their output as Prometheus metrics with only a few keystrokes.

There have been scenarios in which companies struggle to understand where they spend their cloud budget. For example, distinguishing between projects, teams, and applications with infrastructure services utilising them. Starting with why cost monitoring is essential, in this session, we'll learn about some of the best practices for monitoring your Kubernetes costs to maximise efficiency and reduce spending across teams, followed by some of the approaches we have seen organisations follow. Cost allocation can be complex in Kubernetes; hence, we'll also discuss what cost allocation models should be used. Such a set of best practices can reduce cloud spend and increase awareness within one's organisation.

Being an open-source enthusiast, Kunal believes that diversity in the workplace and participation from people hailing from different cultures is necessary as well as instrumental for the growth of the IT sector. It exposes one to the multitude of values and principles that people from varying ethnicities hold. Meeting people from around the world teaches people to respect opposing perspectives and opinions, and ingrains in them respect for their peers. He finds passion in teaching and has taught thousands of students both online and in-person. He is the founder of Community Classroom, an organisation focussed on providing training & mentorship, free of cost. He also started the Official Cloud Native Student Community group joined by thousands of students, focussed on getting more young people involved in the Cloud Native world. These platforms are utilised by conducting hands-on workshops, events, podcasts, and sharing about opportunities in the field. The talk is going to be focussed around what defines a community, and figuring out what are the community's shared struggles. It’s also important to know what is the mission of your community and what members look to get out of it. Communication is key and we’ll also talk about how to future proof your community. Regarding diversity and inclusion, it’s important to know who might be excluded from accessing your community activities in their current form. We’ll also discuss about what are some of the negative scenarios which might happen while running activities for your community which will make them less inclusive to marginalised groups. Following up with designing for your community's needs, and last but not least, having a Code of Conduct. Attendees will learn about: How to start a new community and make it inclusive from the beginning. How to scale communities to under-representative groups How to deal with conflicts and take care of your audience’s needs.

The delta between Kubernetes and a developer friendly PaaS is where the next layer of value is being created today. Many products are racing to fill the void that is called Kubernetes developer experience. This is also the place where things get opinionated, a requirement for reliable end to end workflows. In this talk you will learn about Gimlet.io's approach on how Kubernetes UIs can be quick to use, and safe at the same time. In this talk you will see how you can create a developer platform - with the usual components Cert-Manager, Nginx Ingress etc - and deploy on it with only clicking on a dashboard. You will also see that behind the curtains, all Gimlet does is writing yamls into a git repository. ClickOps.. over GitOps.

Secrets. Security best-practices mandate that they stay away from the code—or else! And that’s what we did for a long time. But as CI/CD practices evolved, for a myriad of reasons, we now want to ship the code, the environment, and the secrets, all in one lump. So, we can’t hide the secrets anymore… unless? Tools like HashiCorp Vault attempt to address this by managing secrets outside the delivery chain. Great! But you can’t use those inside local dev environments, so… When that’s precisely what you need to do, then what? In this talk, Lian will show the audience how to manage secrets the GitOps way, so you can maintain security best-practices while also being able to use them in your local environment for development. Sound like magic? That’s because it is. After this talk, the audience will be able to understand secret management solutions that work seamlessly in a variety of environments.

MoneyBank Inc. is a fintech enterprise that recently made the jump to K8s and GitOps to cope with the shift of demands from cranking out features towards stability and scalability. Yet, even with a fully automated CICD and shiny new microservices, features still take weeks to be released. As teams keep waiting on each other, frustrations, resentment, and mistrust grow. MoneyBank’s situation is typical for organizations with enterprise processes and startup mindsets. When faced with problems, the urge is often to move fast and automate them away. However, the cultural and regulatory structures to support these changes are not in the scope of said automation. One more piece is missing to address the needs of non-technical stakeholders within the ever-changing CICD landscape. In this talk, we will attempt to automate the non-automatable with ReleaseOps: GitOps for the people.

eBPF allows us to build custom programs that run directly within the kernel. This talk explores how eBPF enables observability, security and connectivity tools that no longer need to rely on the sidecar model, and shows how Cilium now supports both sidecar-based and sidecarless Service Mesh. Along the way this talk will clarify some container and kernel concepts so that attendees can leave with a mental model for the pros and cons of sidecar-based or sidecarless approaches.

Host: Amanda Brock, CEO, OpenUK Andrew Martin, Control Plane Founder and CEO and OpenUK CISO Liz Rice, Chief Open Source Officer, Isovalent and OpenUK Director Thomas Meadows, Solutions Engineer, Jetstack

During this session, Mahé will demonstrate a simple scenario of a multi-tenant attack in a Kubernetes cluster. He will explain the risks, see how to prevent this kind of attack and show how kdigger can speed up the discovery process of the environment. kdigger, short for "Kubernetes digger", is a context discovery and container assessment tool for Kubernetes penetration testing. This tool is a compilation of various plugins to facilitate pentesting Kubernetes from inside a pod. On top of discovering a new tool, this presentation will give you an idea of how pentesters generally try to pivot in typical Kubernetes clusters.

Since introduced in Kubernetes v1.9, webhooks have been a key feature, making up one of the cornerstones of Kubernetes extensibility. When used right, they can allow operators to have much more control over their clusters and with tooling like Kyverno and Gatekeeper it’s easier than ever to leverage their full power. But, when misused, things can get very, very messy. So how do we ensure our webhooks are full of wonders and not woes? By taking a look at the history of webhooks in Kubernetes, the driving force behind their adoption and through several horror stories of webhooks gone wrong, we can develop a set of best practices and guidelines to follow to ensure our webhooks stay full of wonder without the woes.

The world of DragonBall has many teachings that we can apply to our life as developers, SREs and DevOps engineers. In this fun and fast-paced talk we'll learn how the Z Warriors were ahead of their time and how they fully embrace the engineer mindset.

I sit here and reflect back to 2008 when my supervisor suggested I look into the CCNA and Network+. My world changed from plugging a cable into a switch to setting up BGP peers, to configuring Load Balancers for High Availability. Network Engineering has evolved and from my eyes, has been entirely reimagined, retaining the foundations of networking. As I've slowly pivoted to the world of Cloud Native technologies and DevOps, a lot of my previous Network Engineering skills have translated to today's approach to microservices architecture. FOLLOW THE PACKETS I SAY! What does Networking mean for consumers of Kubernetes and Containers? What does K8S and containers mean Network Engineers? What does that transformation for a Network Engineer look like? In this restrospective talk, I share my journey of Network Engineering from the late 2000s to one in 2022 surrounded by the world distributed systems, observability, the deeper need for security/identity and what our traffic tells us. My hope is to inspire others to transform their network engineering career.

How many times have you heard the phrase "chop wood and carry water"? What about "look at the good first issues" or "triage the issues queue"? Or even "go out there and make yourself known to the community"? Open Source project members throw around these phrases as if they are the panacea to becoming a contributor, then a committer, and finally a maintainer. However, it is not that easy. These phrases can only help if you know what they mean! Demystifying this path to leadership in Open Source is imperative to the industry because we can’t grow on a path to continuous learning if we aren’t welcoming the next generation of contributors to our projects with clear and inclusive language. So here are some better questions to ask yourself when approaching a new Open Source project: What can I do if the first issues queue doesn’t contain any issues to work on? How do I introduce myself to the community? What if I can't find anything on the issue queue that makes sense? What contributions are needed most by this community? How do I climb the community role ladder toward leadership? People need guidance and support when climbing the mountain from the valley of becoming a new contributor to the zenith of maintainership. It is not always just as simple as following the community contributor guidelines. In this presentation I cover tips and trick on how to conquer that journey. Through practical examples of how I became a Helm maintainer, I hope that more people will realize it is within their grasp to become maintainers in Open Source projects. And the reality is that these projects NEED you too.

Inspired by some of the research done by the Linkerd team and by suggestions from the Linkerd community, Linkerd maintainer Matei David will present a few ways of ensuring that when deploying jobs, sidecar containers terminate successfully when the main container finishes. Since the early days of Kubernetes, the sidecar container design pattern represents an easy and intuitive way to enhance the main container in a pod. The pattern has seen increased usage and adoption in production environments and serves a variety of platform-agnostic use cases such as collecting metrics and proxying traffic. Sidecar containers work well with most Kubernetes primitives, such as deployments, but they fall short when used in job objects. For service meshes or metric collectors, sidecars need to run continuously, blocking jobs from completing even after the main container has finished its work.

Up until now, Ingress routes into K8s clusters have been defined by the Ingress kind, or by vendor-specific CRDs. Neither of these were satisfactory, so a new set of built-in k8s APIs was developed - the Gateway API. In this talk, Matt will cover the motivation for a new API, its design, and show some examples of its use. He'll then also cover implimentations of it today and in the future, and talk about the exciting merging of several of the existing ingress controllers into one new de facto standard - Envoy Gateway.

The ability to deploy code and version code has been a de facto requirement and a reason we have CI/CD pipelines for our application development, but with Kubernetes in particular we are seeing a closer tie between code and data. In particular, code being deployed can affect and change your data, for that reason, we need to consider protecting that data as part of our Continuous Development pipelines, In this session, we will focus on how we can incorporate backup actions into your pipeline to ensure that any code changes will start by creating a restore point be it a snapshot or an export to another external repository. We will then as part of a demo incorporate a failure scenario into the environment pipeline to simulate how a configmap can manipulate data to cause data loss. Then we need a way to bring the data back!

Monzo has been running a single self-hosted Kubernetes cluster per-environment for years, and we decided to migrate to a managed Kubernetes service. This talk is all about the challenges and perils of doing a high stakes, real world, zero downtime Kubernetes migration at scale 🤓 We’ll talk about the constraints and challenges, including: - the complexity, diversity and quantity of the systems running on the cluster - downtime having real human impact with someone potentially not being able to pay for food or make a rent payment - the sheer number of different services and teams to interact with which meant that we had to adopt an automated process that was fully transparent to other engineers We’ll dive into some of the technical details that allowed us to migrate within these constraints, and our plans for rearchitecting our platform to make future upgrades and migrations easier. Takeaways will include: - How Kubernetes makes infrastructure migrations more manageable - Actionable learnings about doing migrations at scale in general

A deep dive into how EBPF pairs with kubernetes to provide real time, low overhead tracing. This will focus on what ebpf is, how it fits into the kubernetes ecosystem and how tools like pixie can take tie it all together

It’s the year 2022, an exciting time for the tech industry. Globally, software organizations and internet companies are delivering more and more software, at a rate and scale that we’ve never faced before. This unprecedented demand has created new challenges for us all, which have been hurting our organizations when creating continuous delivery solutions. The great thing about these new challenges is that they’ve sparked new and amazing innovations in the CI/CD industry. In this Paul Dragoonis talks about the following: New innovations in the CI/CD, Cloud Native, and open source communities are being developed. Where these innovations are taking the world of continuous delivery. What to expect, from the CD community, later this year, and into the future

In modern organizations, event-driven architecture combined with FaaS has become more popular because they address some of the challenges of building distributed systems. As these organisations grow, they switch to Kubernetes to scale and manage more services. With the switch to Kubernetes, you want to provide a seamless experience for building and deploying services on Kubernetes. That begs the question, how do I build event-driven serverless applications in Kubernetes? This workshop will teach you how to build such applications with Kubernetes. You're going to develop an e-commerce serverless API. By the end of this course, you will have learned how to work with Knative and Cloud Events, manage the functions using a monorepo, and implement a continuous deployment pipeline.

Intangible “trust” is required to secure our systems: we need it to bootstrap infrastructure, secure the software supply chain, run workloads, and reassure our customers of their privacy. But how do we establish and secure this "trust" in a dynamic cloud-native system? The advent of hardware-based attestation and certificate authentication gives us new hope. But this brave new dawn has been just over the horizon for the last few years, and new technologies have emerged to champion the identification of our workloads. In this talk we: * Demystify the nebulous concept of Workload Identity * Define the importance of autonomous identity generation in a Zero Trust Architecture * Demonstrate practical examples of bootstrapping and using Workload Identity * Introduce existing and emerging technologies that enable you to anchor Workload Identity to a Hardware Root of Trust

In large organizations, securing cloud infrastructure around Kubernetes is hard. Application developers, who’ve already had to learn Kubernetes, shouldn’t need to become IAC SMEs to operate their applications' backend cloud infrastructure. Alternatively, using infrastructure teams to service requests and centralize control doesn’t scale with an increasing number of users and use cases. In this talk, Rowan and Henry will demonstrate how infrastructure teams can use policy engines to secure an emerging model that uses Kubernetes hosted cloud controllers (Crossplane, ACK, config-connector) to provision infrastructure. This model enables application teams to self serve, whilst preventing the launch of insecure infrastructure. To ease adoption of the model, Rowan and Henry will open source policies and templates to enforce controls aligned with the CIS benchmarks and to simplify the developer experience by setting secure defaults and dynamically generating supporting cloud resources.

The [CrowdSec](https://github.com/crowdsecurity/crowdsec/) project aims at providing a crowdsourced approach to common infrastructure defense problems, by distributing free & open-source software allowing you to protect yourself and share information about malevolent actors. CrowdSec could be perceived as a modern form of Fail2ban, though for Cloud and container-based infrastructure as well and capable of taking way more advanced decisions a lot faster. Mainly, it’s using a decoupled and distributed approach (detect here, remedy there) and an inference engine that leverages leaky buckets, YAML & Grok patterns to identify aggressive behaviors. It acquires signals from various data sources like files, syslogd, journald, AWS Cloudwatch and Kinesis, Docker logs and Windows Event Log, normalizes them, enriches them to apply heuristics and triggers a bouncer to deal with the threat, if need be. Since it’s written in Go, it’s compatible with almost any environment, fast in execution and ressource conservative. The endgame is the Reputation engine though. If you want to partake in the network to benefit from its findings, CrowdSec captures all aggression signals (timestamp, IP, behavior) and sends them for curation. That way, it establishes a reliable IP blacklist that is constantly redistributed to the network members, in order to achieve a form of Digital Herd Immunity. An IP caught aggressing WordPress sites will quickly be banned by all members using CrowdSec that subscribed to the WordPress defense collection. In that way, we share the IPs that are relevant to your technical context. While Crowdsec is in charge of the detection, the reaction is performed by "bouncers" that aim to be deployable at any level of the applicative / infrastructure stack : * via nftables/iptables/pf based on an IP set * via Nginx lua plugin * via Traefik middleware * on Cloudflare via our bouncer that integrates with Cloudflare API * Or GCP/AWS/Azure firewall, slack or scripting, notifications, etc. .. or in many other ways. Over time the possibilities will increase as the application design basically supports anything. This approach, combined with a declarative configuration and a stateless behavior, will make it an ideal candidate to enhance the security of modern stacks (containers, kubernetes, serverless and more generally automatically deployed infrastructures). Furthermore, we intend to create and share the most accurate database of malevolent actors as possible, under the form of a real-time IP reputation system, accessible through API. Whenever an attack is locally blocked/detected by Crowdsec, the "meta" information of the attack is shared amongst participants (source ip, date and triggered scenario) for redistribution to network members. We are committed to building a strong community, with all that it implies : * [a public hub](https://hub.crowdsec.net) to find, share and amend parsers, scenarios and blockers * permissive open-source license to stay business friendly * and overall a strong commitment to transparency and community-first mentality, by tooling and behavior The microservice architecture is the most significant security challenge in a Kubernetes cluster. Every application you deploy opens a new potential entry for attackers, increasing the attack surface. In this talk, we'll present the Crowdsec project and see how we can protect a kubernetes cluster using Crowdsec and the power of the Crowd.

Helm is a truly excellent ecosystem and is rightly valued by the world over for giving full customisation of deployments. For open-source projects with a finite number of support engineers, full customisation is not always something that is desirable. Sometimes, you need to provide opinionated guide rails for people in order to provide effective support for your product. This session will focus on the reasons why Gitpod has deprecated its Helm charts and switched to a custom-built Installer. Simon will explore some of the benefits and pitfalls experienced and how the community reacted to such a seismic change. He will also answer the question - "would he do it again?"

Monzo has been running a single self-hosted Kubernetes cluster per-environment for years, and we decided to migrate to a managed Kubernetes service. This talk is all about the challenges and perils of doing a high stakes, real world, zero downtime Kubernetes migration at scale 🤓 We’ll talk about the constraints and challenges, including: - the complexity, diversity and quantity of the systems running on the cluster - downtime having real human impact with someone potentially not being able to pay for food or make a rent payment - the sheer number of different services and teams to interact with which meant that we had to adopt an automated process that was fully transparent to other engineers We’ll dive into some of the technical details that allowed us to migrate within these constraints, and our plans for rearchitecting our platform to make future upgrades and migrations easier. Takeaways will include: - How Kubernetes makes infrastructure migrations more manageable - Actionable learnings about doing migrations at scale in general

Host: Amanda Brock, CEO, OpenUK Andrew Martin, Control Plane Founder and CEO and OpenUK CISO Liz Rice, Chief Open Source Officer, Isovalent and OpenUK Director Thomas Meadows, Solutions Engineer, Jetstack

You are likely already using GitOps for your applications, but not for everything else. You are likely not using Argo CD, Flux, Rancher Fleet, or similar tools to manage the state of your infrastructure and services. Why is that? If GitOps is a great solution for apps, isn't it safe to assume that it would be equally beneficial for anything else? What is missing? The problem is that most of the commonly used GitOps tools are managing Kubernetes resources which, traditionally, do not deal with infrastructure and Cloud services. That's what we need to change. We need to expand Kubernetes with custom resources that can manage anything, no matter whether that's AWS, Azure, Google Cloud, GitHub, Elastic, DataDog, or any other Cloud service. If we do that, we might convert Kubernetes API into a universal API. We might convert the Kubernetes control plane into a universal control plane. If we do that, we will get end-to-end GitOps through which everything is always in sync and where all we have to do is push changes to Git repositories. All we need to make that happen is Crossplane (an open-source project donated to CNCF), combined with Argo CD, Flux, or Rancher Fleet. Let's see it in action.