
KubeHuddle 2023

🗓 May 17th and 18th, 2023
🌍 Metro Toronto Convention Centre, Toronto, Ontario, Canada.

KubeHuddle is a community conference where Developers, Platform Engineers, DevOps, SRE, Cloud Enthusiasts, Technical and Business Strategists come together to learn from each other, collaborate, and innovate around areas of:

  • Cloud technologies
  • Cloud Native and Kubernetes
  • Edge Computing
  • Platform Engineering
  • Technical Strategy
  • Architecture and design consideration
  • Developer Platforms and Portals
  • Developer tooling
  • App Development challenges
  • Real life production stories
  • Learning Cloud
  • Application and Infra Security
  • The humanity and empathy side of tech

KubeHuddle will happen in Toronto, Ontario, Canada in May 2023 🇨🇦

Buy Tickets

Early Bird - SOLD OUT

Standard - SOLD OUT

Late - $300 CAD

If you’re unable to afford a ticket, we may be able to help with our diversity and inclusion tickets, kindly sponsored by members and organizations within our community. ✉️ Speak to us

Program

Track 1 - Introductions & Intermediate Presentations

This track will feature beginner-friendly and intermediate content to cater for a wide variety of experiences, including beginners to Kubernetes.

Track 2 - Advanced Presentations

This track will feature advanced Kubernetes topics revolving around scale, multi-tenancy, and operations - you know, all that “fun” stuff.

Workshop Rooms

A small selection of workshops and tutorials will also be available throughout the two days, at no extra cost.

Wednesday, May 17th

Program

Room 1 (716)

  • Keynote - Lian Li
    Lian Li

  • Keynote - Kat Cosgrove
    Kat Cosgrove

  • Sponsor

  • Is Kubernetes Too Complicated?
    Julia Furst Morgado

    Kubernetes is slowly seeming like that buzzword that gets thrown around, with many not knowing what the open-source container orchestration platform does. There are components, APIs, nodes, pods, containers, deployments, services, and much more — is it really necessary to understand them all to get started? What could be the best learning strategy for a beginner in cloud-native? Join this talk to learn the history and concepts of Kubernetes and figure out how to use it properly and efficiently. You will hear stories of my learning journey, challenges I faced, followed by a quick demo where you'll start understanding the value that Kubernetes brings to the table. As Kubernetes becomes easier to use, we will see a thriving ecosystem emerge.

  • How to Talk to Women
    Diana Pham

    As a woman in tech who has dealt with misogyny and discrimination in this male-dominated field, Diana decided to share her learnings on how both men and women can navigate this slowly diversifying industry. The talk goes over some real-life DMs and her own experiences, including an analysis of dealing with unsupportive men and women, scenarios that often go unnoticed. If your ego is too big to attend this talk, this is probably the perfect talk for you!

  • Fantastic Features: The Secrets of Cloud-Native Data Management
    Michael Cade

    In the mystical realm of cloud native and in particular Kubernetes, managing large amounts of data is an enchanted endeavor. Cloud-native data management techniques offer unparalleled scalability, flexibility, and cost-effectiveness to those who possess the magic to wield them. In this session, we will journey through the fantastic features of cloud-native data management, including the secrets of persistent volumes, the power of the Container Storage Interface (CSI), and the alchemy of volume snapshots. We will explore how these magical techniques can be used to build robust and scalable data management systems that will enchant your business. We will also navigate the challenges of mastering the arcane arts of cloud-native data management and reveal spells for overcoming them. By the end of this session, you will have mastered the secrets of cloud-native data management and be equipped with the magic to implement it in your own enchanted realm.

  • Lunch

  • Systems Thinking for Dev Organisations
    Lian Li

    Systems thinking has been a hot button topic inside and outside the tech industry, as it promises a straightforward and structured approach to make sense of the world and its complexities. By looking at systems in terms of elements and their relationships, Systems Thinkers can understand and predict behaviors, as well as affect long-lasting change. Understanding that tech organizations, dev teams and their individual members are themselves systems, following their own purposes and structures, can help us better support developers in their goals. In this talk, we will learn about the basics and mechanisms that inform systems thinking. We will look at examples from the real world to understand why systems behave the way they do and how we can enable change. Finally, we will adapt what we learned to development organizations and discuss how systems thinking can help us improve developer efficiency and happiness.

  • People > Process > GitOps
    Leigh Capili

    The Cloud-Native & GitOps communities have given us great tools. Never before have we as practitioners enjoyed so many mature APIs and open interfaces. Gluing things together is truly getting easier! However, tools only serve our goals. What is our organization striving to achieve and uphold? What are the team habits and interpersonal interactions that help us get there? Is there research on this? What should we consider as we figure out how to work with each other? Adopting Kubernetes won't fix your people and process problems. If we want to avoid pain as a community of practitioners, we need to be thinking beyond ourselves and our keyboards. We need to remember the hard-won lessons that have been learned before us with the DevOps movement. If you are feeling this pain -- if you are struggling to get to or reap the benefits of a platform -- if your path to production has gotten worse, this talk is for you. Come learn how to evaluate your platform efforts, teams, and organizations in their cloud-native transformation.

  • Break

  • Application Aware Kubernetes Data Protection
    Geoff Burke

    Make no mistake, data protection is just as relevant when it comes to Kubernetes workloads as it was for legacy ones. However, just backing your data up is often not enough. Being able to restore an application that is broken defeats the purpose of backing it up in the first place. In many cases we need to leverage Application Aware Backups in order to make certain that our deployments can be restored with full functional integrity. This is especially true of databases. In this session I will explain what is App aware and why we need it. I will then leverage Kasten by Veeam to back up using application aware methodology to back up a database and perform a restore. Instructions will be provided to attendees so that they can also learn how to keep their applications properly protected.

  • External Secrets Operator: A Cloud Native way to manage your secrets.
    Sebastián Gómez

    Where's the best place to store your secrets? On a cloud provider's secret management service of course. But, I want to use standard Kubernetes secrets in my cluster, is there a way to sync my secrets from the cloud provider to my cluster? I'm glad you asked. The External Secret Operator is the best way to do exactly that. I'll tell you how it was started, where it is right now, and I'll do a little demo that will blow your mind! 🤯

  • 1 Minute Sponsor

Room 2 (714)

  • Sponsor

  • How to run a Rock Solid ArgoCD in Multi-Cluster
    Carlos Santana

    Learn how to configure ArgoCD to make it production ready and how to scale to thousands of resources across hundreds of Kubernetes Clusters. I will give an overview of the benchmark results of pushing ArgoCD to the limit as a member of the new SIG Scalability, and of the settings to tune and monitor the performance of your ArgoCD when running on a managed Kubernetes like AWS EKS.

  • What I Learnt Fixing 50+ Broken Kubernetes Clusters
    David Flanagan

    Is your idea of fun sitting in front of a camera, live streaming to the internet, debugging and fixing a broken Kubernetes cluster? Doubtful. What if these Kubernetes clusters were intentionally broken by members of the Kubernetes community, tasked with making your chances of fixing said clusters as slim as possible? Join us today to learn the key methods, tools, and takeaways David has learnt fixing over 50 Kubernetes clusters, live on his series: Klustered.

  • Skateboarding on a Runaway Train: Securing Apps in the Container Runtime
    Curtis Collicutt

    When an app isn't running, it's not interesting. It’s just bits on disk. However, once we start that application, all bets are off. Millions of system calls are made, thousands of network connections. We need to keep that running app safe, but it’s like trying to skateboard on a runaway train.

  • Lunch

  • From Zero to CKA: Helping our engineering workforce become Kubernetes experts
    Michael O'Leary, Tony Marfil

    Over the last 2 years, we have held CKA study groups, bootcamps, and mentoring sessions with our peers, with some success. Our peers are typically engineers with networking backgrounds. This talk discusses the benefits, what has worked, what hasn't, and how we plan to continue.

  • CNI or Service Mesh? Comparing Security Policies Across Providers
    Christine Kim, Rob Salmond

    Up or down the network stack? Kernel space or userland? How about a side order of sidecars? Would you like eBPF with that? The Cilium project began life concerned about enforcing policies at the CNI level, while Linkerd2 and Istio provided policy enforcement by way of sidecar injection. Now Cilium and Linkerd2 have added support for Layer 7 policies, while Istio has introduced a sidecarless model that pushes some of their policy enforcement out of the pod and back onto the node. And everyone is adding a pinch of eBPF for good measure! This talk will briefly summarize these technologies, explore recent changes in popular cloud native networking solutions, compare their implementations, and highlight the trade offs.

  • Keeping your engineers happy: The Case for Self-Service Tooling
    Adriana Villela, Marylia Gutierrez

    As the technology industry has evolved, the way we build applications has become more complex. We now require many moving parts to develop, test, and deploy our applications within our organizations. Developers like doing things themselves, and prefer not having to rely on a team to provision things for them. It is often time-consuming, and they often find themselves wishing that they could do it themselves, or they find themselves trying to do it themselves and skipping security requirements. This is why it’s super exciting to see a movement toward self-serve provisioning coming from platform engineering teams. One of the main themes in platform engineering is to codify all the things. While these teams have already typically automated provisioning tasks, they often find themselves in a position whereby they are flooded with user provisioning requests from ticketing systems, which are often manually fulfilled. This bottleneck becomes a huge waste of everyone’s time. It’s a waste of developers’ time because they are blocked as they wait around for the request to be fulfilled. It’s a waste of the platform engineer’s time, as they could be using that time to improve things such as system reliability. In this talk, Adriana and Ana discuss the importance of self-service provisioning tooling to help bring order and peace of mind to developers and platform engineers alike!

  • Break

  • Gateway APIs and API Gateways - modern ingress demystified
    Matt Turner

    Up until now, Ingress routes into K8s clusters have been defined by the Ingress kind, or by vendor-specific CRDs. Neither of these were satisfactory, so a new set of built-in k8s APIs was developed - the Gateway API. In this talk, Matt will cover the motivation for a new API, its design, and show some examples of its use. He'll then also cover implementations of it today and in the future, and talk about the exciting merging of several of the existing ingress controllers into one new de facto standard - Envoy Gateway.

  • CI Pipelines as Code
    Kyle Penfound

    Remember that time when you had to rapid-fire commit three fixes to a broken CI Pipeline? Me too. In this session I show a better way: CI pipelines as code. Write CI logic with your favorite language instead of CI yaml. CI pipelines as code brings testability, readability, and even portability to CI!

  • 1 Minute Sponsor

Workshop Room (717A)

  • Kubernetes, NGINX and Building Distributed Compute Systems with F5

  • Application Networking by Solo.io

Kasten 2-Day Room (717B)

  • Kubernetes Learning Day by KubeCampus
    Cassandra Faris, Michael Cade

    One of the biggest barriers to Kubernetes adoption is a lack of training. Based on that feedback, Kasten by Veeam created KubeCampus, a free platform for learning Kubernetes! The platform contains over 15 labs covering everything from networking fundamentals to observability; and is continually updated with new content. Kubernetes Learning Day provides a chance for you to learn elements of Kubernetes directly from the people who created these labs. The day is split into two parts: One for rookies and one for pros, though anyone is welcome to join them both. The rookie session is for those who want to understand Kubernetes networking fundamentals, including Kubernetes services, microservices and load balancing. In the pro session, you'll apply Kubernetes troubleshooting skills in a real-world situation in which an application is not available. You will be required to troubleshoot and fix the issue and will be able to access the GUI upon completion.

Thursday, May 18th

Program

Room 1 (716)

  • Keynote - Kunal Kushwaha
    Kunal Kushwaha

  • Keynote - Ayrat "Archy" Khayretdinov
    Ayrat Khayretdinov

  • Sponsors

  • Architecting Zero Trust with Kubernetes Network Policies
    Daniel Chan

    Implementing zero trust is currently a hot security topic, but can be challenging for platform teams who may not know exactly where to start. In this talk, we will explore the fundamentals of zero trust security and how to apply these principles with Kubernetes Network Policies. We will start by discussing strategies that leverage metrics and network observability to help platform teams identify and write the rules and policies necessary to secure applications. We will then discuss how security teams can help enforce minimum standards to ensure that applications apply Zero Trust policies throughout their lifecycle. By the end, we will gain a clear understanding of how security teams and platform teams can work together to implement Zero Trust security.

  • Why should developers care about container security?
    Eric Smalling

    Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don’t have an appsec background to fully understand why they are important. In this session, we will go over several of the most common practices, show examples of how your workloads can be exploited if not followed and, most importantly, how to easily find and fix your Dockerfiles and deployment manifests before you commit your code.

  • Lunch

  • Overview of SPIRE
    Peter Jausovec

    Support for SPIRE (SPIFFE Runtime Environment), a production-ready implementation of SPIFFE, was introduced to Istio in 1.14. Thanks to Envoy's SDS API, SPIRE can be configured as a source for issuing Istio workload identities. In addition to issuing strongly attested identities through a combination of different attestation mechanisms, SPIRE can also be integrated with existing PKIs, and allow the federation of different trust domains. These features offer support for diverse workload and node attestation options by using attributes from both the workloads and the nodes to create more granular identities compared to the traditional trust domain, Kubernetes namespace, and service account combination. To bring traditional VM workloads to the Istio service mesh, one must use Kubernetes concepts of namespaces and service accounts outside Kubernetes. With SPIRE, we can create identities based on the actual attributes of the VM workloads and the infrastructure they run on. Granular identities, extensibility in the form of plugins, and the ability to integrate with existing PKIs make SPIRE a powerful tool. In this talk, we’ll introduce the building blocks of SPIRE and look at several scenarios on how to integrate SPIRE into your multi-cluster and VM workload scenarios.

  • The journey from the Interweb to the cloud - Cloud Native WebAssembly
    Shivay Lamba

    Look at the clouds, you can see a bright shining light, is it the sun? No, it is WebAssembly! Yes, this talk is all about Cloud Native WebAssembly. The talk covers the humble beginning of Assembly in the Web, to make itself one of the versatile technologies, now being used in the web, the edge, and of course the cloud. The Cloud Native Computing Foundation (CNCF) is a proponent of WebAssembly in cloud-native infrastructure. It hosts several WebAssembly-related projects and initiatives. The talk covers the current landscape of WebAssembly in the cloud-native world, and the various projects and initiatives being undertaken from applications in service mesh to boosting performance in cloud-native edge use-cases. The audience will benefit from learning about the various areas where WebAssembly has revolutionized the cloud-native ecosystem and how they can get involved in the various projects.

  • Tips to fight impostor syndrome
    Aurélie Vache

    Who has not once said the phrase: "I suck", "I don't know anything", "I feel like an impostor", "I don't feel legitimate to do this or do that"? Some people are convinced that they do not deserve their success, despite the efforts they make to succeed. They often convince themselves that their success is not linked to their work, their personal accomplishment, but simply to luck or the work of others. In fact, they live permanently with a feeling of deception and constantly fear that someone will unmask them from one day to another. Despite my stuttering, I am a speaker, a mentor, a conference organizer and very invested in women in tech and tech communities. In this talk, we will see what the impostor syndrome is, how it is reflected on a daily basis and we will see that it is not inevitable, on the contrary, that there are tips and tricks to fight, overcome and improve. And I will also tell you several anecdotes that happened to me, which were very hard and which made me who I am today.

  • Break

  • Who Are You? Pipeline Edition.
    Marc Boorshtein

    How do pipelines communicate with Kubernetes clusters securely? Starting in 1.24 ServiceAccounts no longer had long lived tokens generated by default. While there are workarounds, this was done for some very important reasons. This session will walk you through different approaches for securely accessing your clusters from external systems and pipelines, whether on-prem or cloud managed, leveraging components you likely already have or can deploy easily. You'll have pipelines that are easy to run, deploy, and will make your security team happy!

  • Zero Trust is for Networks, Not Your Teams
    Matty Stratton

    The whole idea of DevOps was about how we could work together better. But we broke down silos, and instead built new walls. The concept of zero trust has been widely applied to network security, however, it’s not really a great way to think about our teams. This talk will explore how to foster a culture of trust in organizations, with a focus on outcomes. Leaders and individuals alike play a critical role in establishing and maintaining trust, which is crucial for the success of any team. One key aspect of building a culture of trust is facilitating and growing psychological safety within the team. This means creating an environment where individuals feel comfortable expressing their opinions, ideas, and concerns without fear of negative consequences. Moreover, trust is necessary for proper practices of Site Reliability Engineering (SRE) and DevOps, but often organizations lack the right setup to allow for it. This talk will feature practices inspired from the field of Resilience Engineering as well as proven DevOps approaches, with a focus on how leaders and individuals can create an environment where trust is valued, encouraged, and fostered. Attendees will take away insights and actionable tips to bring back to their teams to create a more resilient and effective organization.

  • 1 Minute Sponsors

Room 2 (714)

  • Sponsors

  • Policy enforced identity attestation for Kubernetes workloads with SPIFFE
    Sitaram Iyer

    With rapid increase in adoption of Kubernetes the number of workloads deployed across the enterprise is increasing exponentially. This has led to looking at security with a completely new focus.

      • What does it mean when someone says "we need to secure our workloads"?
      • How does an organization ensure that every workload deployed in a cluster has its own identity and that identity is used for mutually authenticating to other workloads?
      • How can these workloads be tied to organization's security policies that are managed by the PKI team?
      • How can security team build an enterprise security posture that adheres to the compliance models defined within the enterprise?

    This talk will give security professionals the ability to define a set of services that can be easily adopted by the platform teams that operate and run Kubernetes. Specifically, this talk will walk through how to set up workloads deployed in a cluster to utilize organization's CA (Certificate Authority) infrastructure to sign workloads using cert-manager and utilize SPIFFE as a standard way to issue SPIFFE SVIDs.

  • No YAML!
    Engin Diri

    Did you know that you can write Kubernetes deployments without using any YAML? No way, you say? After all, we were taught that YAML is the only way to write Kubernetes manifests. Well, my friend, what if I tell you that there are alternatives? What if I tell you, that you can write your Kubernetes manifests in a programming language you're already familiar with? In this talk, I will demonstrate several alternatives to YAML for writing your Kubernetes deployments. We will discuss the pros and cons of each alternative and how the use of development principles like DRY, KISS, and YAGNI can help you write better Kubernetes deployments.

  • Lunch

  • Gain Better Visibility into Container Image Signatures
    Ivan Wallis

    Software supply chains continue to be put in the spotlight. Kubernetes workloads have been increasing exponentially and the trustworthiness of these workloads is becoming even more important. There are risks to running untrusted container images as well as having little visibility on how container images were built. Current container image signing tools, such as Sigstore cosign have limited enterprise key management support, and there are no ways to prevent developers from generating local software or even leverage unapproved keys from external key storage providers (e.g. AWS KMS). Sigscan was developed to address the need from the InfoSec teams to have visibility over the identities used to sign container images and artifacts that are stored in OCI registries. In particular sigscan identifies any image tags that were signed using Sigstore/cosign or NotaryV2, and provides a summary report of the associated code signing certificate identities.

  • Use eBPF and Grafana to Build a Kubernetes Service Graph in 10 Minutes
    Adam Sayah

    Service Mesh technologies are tools that enhance the micro-services deployments by adding monitoring, security, and resiliency, often operating on top of Kubernetes and using a sidecar model where a proxy is deployed within each pod to add these cross-cutting concerns, though recently, we are seeing a new challenger to the sidecar approach emerging, the sidecarless approach based on the revolutionary eBPF technology that is pushing the boundaries further and enabling the service mesh features (like monitoring) at the network layer. In the following session we will build a service graph in Grafana to track the interactions between multiple Kubernetes services, using metrics generated by an eBPF program created using an open source project called Bumblebee.

  • eBPF Superpowers for the Cloud Native World
    Daniel Chan

    eBPF is a technology that allows for efficient and flexible kernel-level instrumentation, making it a powerful tool for tracing, monitoring, and securing applications running in modern cloud native environments. In this session, we will dive deep into the benefits of eBPF for these use cases, and show how these approaches differ from the common Linux instrumentation. We will cover: 1. An introduction to eBPF and its capabilities, including its role in cloud native applications. 2. Using eBPF for observability use-cases like dynamic tracing, real-time monitoring, and profiling. 3. How eBPF can be used in networking including features such as network monitoring, load balancing, and packet filtering. 4. eBPF’s security applications, for example intrusion detection, and policy enforcement. 5. A discussion of real-world use cases, including how eBPF is used in Kubernetes, Cilium, Tetragon and other popular cloud native tools.

  • Break

  • What Your Persistent Ex Could Teach You About Saving Your CI/CD Pipeline
    Diana Pham, Peter ONeill

    Let’s talk about that person that just couldn’t take a hint—you know who I’m talking about. They send you an SMS to hang out, and you don’t get around to responding, but that doesn’t stop them from texting again, and again, and again… Now, this may be bad for your dating life, but it may not be that bad for your DevOps practices. Let’s look at how you could set up automated SMS messages for failures in your DevOps pipeline to raise the alarm when needed and keep messaging until acknowledged or resolved. In this talk, Diana and Peter will show a DevOps pipeline that violates an operating policy. This operating policy—enforced by Open Policy Agent—will trigger an API call to an SMS provider to kick off a sequence of SMS alerts until we acknowledge and fix the issue. While we are NOT encouraging you to respond to your crazy ex, Diana and Peter hope this parallel will help you improve your CI/CD pipeline.

  • The FinOps Reckoning: Navigating Financial Management in a Cloud-Native World
    Kazim Somji

    "The FinOps Reckoning: Navigating Financial Management in a Cloud-Native World" presentation focuses on the challenges of managing finances in a cloud-native environment. With the rise of technologies like containers and microservices, many organizations face a complicated technical landscape, rising cloud expenses, and a lack of visibility. As more workloads are migrated, organizations must effectively manage their expenses and comprehend their business value. There are various approaches and tools that can assist organizations in comprehending their cloud native costs and implementing strategies to avoid unnecessary costs. The presentation emphasizes the need for a new approach to financial management using FinOps.Org practices in a cloud-native world and offers practical guidance for navigating this rapidly evolving landscape.

  • 1 Minute Sponsors

Workshop Room (717A)

  • Enforce fine-grained policy control across your data infrastructure.
    Dewan Ahmed, Peter ONeill

    Deployment is hard. Enforcing policy on how the resources can be deployed is even harder. In this workshop, Dewan Ahmed (Aiven) and Peter ONeill (Styra) will leverage two popular open-source tools, Terraform (https://terraform.io/) and Open Policy Agent (https://www.openpolicyagent.org/), to show you step-by-step how to enforce fine-grained control on large-scale deployments across environments for data-related services.

    Breakdown of the workshop:

      • Module 0: Pre-requisites and setup
      • Module 1: A quick overview of Terraform and deploying a single service using Terraform
      • Module 2: An overview of Open Policy Agent and how it works
      • Module 3: Creating multiple data services across development and production environments using Terraform; using Open Policy Agent to enforce policies that limit cloud costs and regions where resources can be created
      • Module 4: Ensuring that the policies were followed; cleaning up the resources

    At the end of this workshop, you'll have a fairly good understanding of both tools (Terraform and Open Policy Agent). You'll be able to use a general-purpose policy engine to enforce policies on resource creation. Lastly, you will know these policies might apply across the stack in your own organization when dealing with large-scale deployment across development and production environments.

  • App Dev on Kubernetes and Mitigating the inner loop Complexity
    Rags Srinivas

    It is no secret that Kubernetes, in particular app dev, is extremely complex, cumbersome and intimidating even for those who work with it on a daily basis. Now, imagine being a developer who is new to Kubernetes and needs to push their applications to a Kubernetes service. Unless devs start embracing tool chains/platforms (not involving a paradigm shift) that make it easier, the inner loop will seem complex and a tough nut to crack. In this session based around https://github.com/ragsns/workshop-intro-quarkus-cassandra, we will build a ToDo app with an opinionated inner loop using open source tools such as Jib, gitpod, Quarkus, Lens, etc. that involves only making slight adjustments to existing tool chains that developers are already comfortable with. These tools offer a great developer experience especially on Kubernetes and attendees can follow along as long as they have access to a browser. The session will start from scratch and you will learn how to hook up the Quarkus app to AstraDB, containerize it and end up packaging it as a native app, all from gitpod - a cloud-based IDE and deploying it with Lens. After attending this session/workshop you will better understand the challenges of inner loop development on Kubernetes and how to mitigate them without making a complete paradigm shift.

    You’ll Learn:

      • How to work with Kubernetes as an app developer
      • Creating a simplified inner loop that you can adopt for daily use
      • Most importantly, no need to master kubectl :-)

  • What Does Istio Ambient Mesh Mean For Your Wallet?
    Arka Bhattacharya

    Istio is the most widely used service mesh platform in the world for large-scale production deployments. In September 2022, Google and Solo.io announced the release of the Istio Ambient Mesh to the community. Ambient offers a revolutionary data-plane architecture that allows service mesh users to ditch sidecars. It slashes operational complexity and enables incremental mesh adoption, all while reducing cost and computational overhead within a service mesh. Injected sidecars can be replaced by two new components. First is a node-level zero-trust tunnel (ztunnel) that provides mTLS and Layer-4 capabilities. A service-account-level proxy called a waypoint leverages Envoy to deliver Layer-7 capabilities. This talk will help you understand both the why and how of Istio Ambient Mesh. It includes a demo showcasing the new capabilities, including onboarding new services without sidecars and mixing Ambient with traditional sidecar-injected services. It will also provide pointers to further no-cost educational opportunities and user certification options.

  • Meshed Up? Hands On Istio Debugging!
    Rob Salmond

    "How do I debug this?" is the all too common question asked by folks who are new to operating Istio in production. It turns out that this is a trick question! The question we really need to ask when a piece of infrastructure is misbehaving is "How is this SUPPOSED to work?". Once we know that, we will know everything we need to debug it. In this exercise participants will investigate multiple broken configuration scenarios, diagnose and analyze root causes, and perform remediation in a live lab environment. Experienced Istio users will learn new debugging tricks, and Istio novices will get a crash course in traffic management.

Kasten 2-Day Room (717B)

  • Women in Cloud Native Panel
    Cassandra Faris

    Studies consistently show that diverse teams solve problems more effectively, yet software development teams frequently lack diversity. Thankfully, the tech industry is talking more about DEI (diversity, equity, and inclusion), understanding why these things are important, and making changes to include more people. In this interactive panel, KubeHuddle speakers will share their firsthand experiences with DEI in the DevOps and Kubernetes worlds and talk about how it has impacted their teams and our industry positively.

  • Kasten/Partner Event - Private

Speakers

Keynote Speakers

Ayrat Khayretdinov   🌐
Kat Cosgrove   🌐
Kunal Kushwaha   🌐
Lian Li   🌐

Speakers

Adam Sayah  
Adriana Villela  
Arka Bhattacharya  
Aurélie Vache
Ayrat Khayretdinov   🌐
Carlos Santana  
Cassandra Faris  
Christine Kim  
Curtis Collicutt  
Daniel Chan  
David Flanagan  
Dewan Ahmed  
Diana Pham  
Engin Diri  
Eric Smalling  
Geoff Burke  
Ivan Wallis  
Julia Furst Morgado  
Kat Cosgrove   🌐
Kazim Somji  
Kunal Kushwaha   🌐
Kyle Penfound  
Leigh Capili  
Lian Li   🌐
Marc Boorshtein  
Marylia Gutierrez  
Matt Turner  
Matty Stratton  
Michael Cade  
Michael O'Leary  
Peter Jausovec  
Peter ONeill  
Rags Srinivas  
Rob Salmond  
Sebastián Gómez
Shivay Lamba  
Sitaram Iyer  
Tony Marfil  

Sponsors

If you’d like to support this conference, you can find details on our sponsorship opportunities page.

Diamond Level

Gold Level

Silver Level

Bronze Sponsors

Community Sponsors

Lanyard Sponsors

Speaker Sponsors

Location

Conference Venue

Toronto Convention center,
255 Front St W,
Toronto,
ON M5V 2W6,
Canada

We have a negotiated rate with the One King West Hotel at 1 King West, Toronto. It’s approximately a 15-20 minute walk from the MTCC. There is limited availability so please use this link to book your hotel room.

Book Hotel

About

Our Values

KubeHuddle is a community run conference and we want to ensure that everything we do and say is transparent and made publicly available.

  • Our task list and what we’re planning is all public on GitHub
  • Our sponsorship details are all public
  • All titles submitted as potential sessions at KubeHuddle are public on Sessionize
  • This website is open source
  • Currently KubeHuddle Toronto is being run through my company (@virtualized6ix). The long term plan is to migrate this to a non-profit setting however this requires proper accounting and approval from the Canadian Government and Revenue Agency. As such, all financial transactions of funds coming in and going out will be made publicly available.

Organizers