KubeHuddle is a community conference where Developers, Platform Engineers, DevOps, SRE, Cloud Enthusiasts, Technical and Business Strategists come together to learn from each other, collaborate, and innovate around areas of:
- Cloud technologies
- Cloud Native and Kubernetes
- Edge Computing
- Platform Engineering
- Technical Strategy
- Architecture and design consideration
- Developer Platforms and Portals
- Developer tooling
- App Development challenges
- Real life production stories
- Learning Cloud
- Application and Infra Security
- The humanity and empathy side of tech
KubeHuddle will happen in Toronto, Ontario, Canada in May 2023 🇨🇦
Buy Tickets
Early Bird - $200 CAD (until Feb 15th or sold out)
Standard - $250 CAD (Feb 15th until April 30th)
Late - $300 CAD (May 1st up until the event start)
If you're unable to afford a ticket, we may be able to help with our diversity and inclusion tickets, kindly sponsored by members and organizations within our community. Speak to us

Program
This track will feature beginner-friendly and intermediate content to cater for a wide variety of experiences, including beginners to Kubernetes.
Track 2 - Advanced Presentations
This track will feature advanced Kubernetes topics revolving around scale, multi-tenancy, and operations - you know, all that "fun" stuff.
Workshop Rooms
A small selection of workshops and tutorials will also be available throughout the two days, at no extra cost.
Socials
There will be a small social on Sunday, October 2nd,
and the main social on Monday October 3rd.
More details coming soon...
Wednesday, May 17th
Program
Room 1
-
Keynote @ KubeHuddle Toronto
Lian Li, Kat Cosgrove, Ayrat Khayretdinov, Kunal Kushwaha
-
Sponsor
-
Is Kubernetes Too Complicated?
Julia Furst
Kubernetes is slowly seeming like that buzzword that gets thrown around, with many not knowing what the open-source container orchestration platform does. There are components, APIs, nodes, pods, containers, deployments, services, and much more - is it really necessary to understand them all to get started? What could be the best learning strategy for a beginner in cloud-native? Join this talk to learn the history and concepts of Kubernetes and figure out how to use it properly and efficiently. You will hear stories of my learning journey, challenges I faced, followed by a quick demo where you'll start understanding the value that Kubernetes brings to the table. As Kubernetes becomes easier to use, we will see a thriving ecosystem emerge.
-
How to Talk to Women
Diana Pham
As a woman in tech who has dealt with misogyny and discrimination in this male-dominated field, Diana decided to share her learnings on how both men and women can navigate this slowly diversifying industry. The talk goes over some real-life DMs and her own experiences, including an analysis of dealing with unsupportive men and women, scenarios that often go unnoticed. If your ego is too big to attend this talk, this is probably the perfect talk for you!
-
Fantastic Features: The Secrets of Cloud-Native Data Management
Michael Cade
Every single one of us has encountered data in our everyday life as a consumer and most likely in our professional roles in IT. The spoiler alert is that a large majority of that data doesn't matter and, if lost, will not cause any issues; however, some of that data is going to be so important that without it there is no need to keep the lights on! In this session, we will walk through some of the areas specific to Cloud-Native that we have to consider when it comes to hosting, serving and protecting our data so that the above bad scenario does not happen, or at least when it does we can get back up and running as fast as possible. Specifically, we will focus on Kubernetes and data management in any Kubernetes distribution, and then we will specifically look at the data services available within Kubernetes and how Application Consistency is still very much needed here, as it was in Physical, Virtual and Cloud-based environments.
-
Lunch
-
Overcoming Impostor Syndrome: The Role of Empathy
Aakansha Priya
An episode of imposter syndrome is frequently triggered by a new achievement, such as a new job or acquiring new skills. Positive thoughts about whether the success was well-earned can emerge and develop into worries about your competence instead of feelings of delight and self-congratulation. We'll look at how empathy can be a powerful tool in preventing imposter syndrome by encouraging a sense of community and understanding among team members; fostering a culture of empathy by recognising and appreciating the contributions of all team members, promoting the importance of seeking feedback and the role of empathy in giving constructive criticism. Lastly, the role of mentorship in fostering empathy and how it can help mitigate imposter syndrome. This talk is aimed at individuals looking to navigate imposter syndrome in their tech careers as well as managers and leaders who want to develop a more compassionate work environment that supports people.
-
Kubernetes for the Rest of Us: The Emergence of User-Friendly Tools
Ale Thomas
Kubernetes continues to be the standard for managing containerized applications at scale - but its complexity and steep learning curve make it difficult for many organizations to fully embrace and exploit its capabilities. This has brought up the need for companies to develop user-centric tools that help to make it more accessible and easier to adopt, so you don't necessarily need to know the ins-and-outs of Kubernetes to use Kubernetes. This presentation will provide an overview of some of these tools and how they are changing the way teams deploy and manage applications in Kubernetes, as well as what the future of cloud-native holds based on current trends. Whether you are a DevOps professional or just starting to explore container orchestration, this presentation will provide valuable insights into the current state of Kubernetes and the tools that are making it more accessible for all of us.
-
External Secrets Operator: A Cloud Native way to manage your secrets.
Sebastián Gómez
Where's the best place to store your secrets? On a cloud provider's secret management service of course. But, I want to use standard Kubernetes secrets in my cluster, is there a way to sync my secrets from the cloud provider to my cluster? I'm glad you asked. The External Secret Operator is the best way to do exactly that. I'll tell you how it was started, where it is right now, and I'll do a little demo that will blow your mind! 🤯
-
Break
-
Application Aware Kubernetes Data Protection
Geoff Burke
Make no mistake, data protection is just as relevant when it comes to Kubernetes workloads as it was for legacy ones. However, just backing your data up is often not enough. Being able to restore an application that is broken defeats the purpose of backing it up in the first place. In many cases we need to leverage Application Aware Backups in order to make certain that our deployments can be restored with full functional integrity. This is especially true of databases. In this session I will explain what is App aware and why we need it. I will then leverage Kasten by Veeam to back up a database using application aware methodology and perform a restore. Instructions will be provided to attendees so that they can also learn how to keep their applications properly protected.
-
The FinOps Reckoning: Navigating Financial Management in a Cloud-Native World
Kazim Somji
"The FinOps Reckoning: Navigating Financial Management in a Cloud-Native World" presentation focuses on the challenges of managing finances in a cloud-native environment. With the rise of technologies like containers and microservices, many organizations face a complicated technical landscape, rising cloud expenses, and a lack of visibility. As more workloads are migrated, organizations must effectively manage their expenses and comprehend their business value. There are various approaches and tools that can assist organizations in comprehending their cloud native costs and implementing strategies to avoid unnecessary costs. The presentation emphasizes the need for a new approach to financial management using FinOps.Org practices in a cloud-native world and offers practical guidance for navigating this rapidly evolving landscape.
-
1 Minute Sponsor
Room 2
-
Sponsor
-
How to run a Rock Solid ArgoCD in Multi-Cluster
Carlos Santana
Learn how to configure ArgoCD to make it production ready and how to scale to thousands of resources across hundreds of Kubernetes Clusters. I will give an overview of the benchmark results of pushing ArgoCD to the limit as a member of the new SIG Scalability, and of the settings to tune and monitor the performance of your ArgoCD when running on a managed Kubernetes like AWS EKS.
-
Don't Forget the Humans
Ana Margarita Medina, Julie Gunderson
We spend all day thinking about our technical systems, but we often neglect the needs of our human systems. Ana and Julie will walk attendees through the principles of system reliability and how to not only apply them to their systems but their personal life to prevent burnout and enjoy their weekends more. In this talk, attendees will learn how to apply incident response and blameless practices into their everyday activities. Attendees will also walk away knowing how to build reliable socio-technical systems and some tips to apply them to the workplace.
-
Skateboarding on a Runaway Train: Securing Apps in the Container Runtime
Curtis Collicutt
When an app isn't running, it's not interesting. It's just bits on disk. However, once we start that application, all bets are off. Millions of system calls are made, thousands of network connections. We need to keep that running app safe, but it's like trying to skateboard on a runaway train.
-
Lunch
-
From Zero to CKA: Helping our engineering workforce become Kubernetes experts
Michael O'Leary, Tony Marfil
Over the last 2 years, we have held CKA study groups, bootcamps, and mentoring sessions with our peers, with some success. Our peers are typically engineers with networking backgrounds. This talk discusses the benefits, what has worked, what hasn't, and how we plan to continue.
-
CNI or Service Mesh? Comparing Security Policies Across Providers
Christine Kim, Rob Salmond
Up or down the network stack? Kernel space or userland? How about a side order of sidecars? Would you like eBPF with that? The Cilium project began life concerned about enforcing policies at the CNI level, while Linkerd2 and Istio provided policy enforcement by way of sidecar injection. Now Cilium and Linkerd2 have added support for Layer 7 policies, while Istio has introduced a sidecarless model that pushes some of their policy enforcement out of the pod and back onto the node. And everyone is adding a pinch of eBPF for good measure! This talk will briefly summarize these technologies, explore recent changes in popular cloud native networking solutions, compare their implementations, and highlight the trade offs.
-
Keeping your engineers happy: The Case for Self-Service Tooling
Adriana Villela, Ana Margarita Medina
As the technology industry has evolved, the way we build applications has become more complex. We now require many moving parts to develop, test, and deploy our applications within our organizations. Developers like doing things themselves, and prefer not having to rely on a team to provision things for them. It is often time-consuming, and they often find themselves wishing that they could do it themselves, or they find themselves trying to do it themselves and skipping security requirements. This is why it's super exciting to see a movement toward self-serve provisioning coming from platform engineering teams. One of the main themes in platform engineering is to codify all the things. While these teams have already typically automated provisioning tasks, they often find themselves in a position whereby they are flooded with user provisioning requests from ticketing systems, which are often manually fulfilled. This bottleneck becomes a huge waste of everyone's time. It's a waste of developers' time because they are blocked as they wait around for the request to be fulfilled. It's a waste of the platform engineer's time, as they could be using that time to improve things such as system reliability. In this talk, Adriana and Ana discuss the importance of self-service provisioning tooling to help bring order and peace of mind to developers and platform engineers alike!
-
Break
-
Gateway APIs and API Gateways - modern ingress demystified
Matt Turner
Up until now, Ingress routes into K8s clusters have been defined by the Ingress kind, or by vendor-specific CRDs. Neither of these were satisfactory, so a new set of built-in k8s APIs was developed - the Gateway API. In this talk, Matt will cover the motivation for a new API, its design, and show some examples of its use. He'll then also cover implementations of it today and in the future, and talk about the exciting merging of several of the existing ingress controllers into one new de facto standard - Envoy Gateway.
-
Control Plane, Service, or Both? - Argo CD Multi-Cluster Architectures
Nicholas Morey
Argo CD can operate as a control plane or a cluster service when managing multiple clusters. Should you use one instance to manage multiple clusters or install an instance in each one? The difference may seem subtle, but in practice, this choice can have serious security implications, affect the developer experience, and make it a pain to scale. In this talk, Nicholas Morey discusses the trade-offs between the different architectures. Your situation and users' needs play an important role in determining the best approach. New users looking to adopt Argo CD can prepare themselves for the architecture choices required. While existing users will benefit from looking at their situation to determine whether they currently face limitations of a previous choice in architecture.
-
1 Minute Sponsor
Workshop Rooms
- - F5 Workshops with
- - Solo.io Workshops with
Thursday, May 18th
Program
Room 1
-
Keynotes
-
Sponsors
-
Architecting Zero Trust with Kubernetes Network Policies
Daniel Chan
Implementing zero trust is currently a hot security topic, but can be challenging for platform teams who may not know exactly where to start. In this talk, we will explore the fundamentals of zero trust security and how to apply these principles with Kubernetes Network Policies. We will start by discussing strategies that leverage metrics and network observability to help platform teams identify and write the rules and policies necessary to secure applications. We will then discuss how security teams can help enforce minimum standards to ensure that applications apply Zero Trust policies throughout their lifecycle. By the end, we will gain a clear understanding of how security teams and platform teams can work together to implement Zero Trust security.
-
Why should developers care about container security?
Eric Smalling
Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don't have an appsec background to fully understand why they are important. In this session, we will go over several of the most common practices, show examples of how your workloads can be exploited if not followed and, most importantly, how to easily find and fix your Dockerfiles and deployment manifests before you commit your code.
-
Lunch
-
Overview of SPIRE
Peter Jausovec
Support for SPIRE (SPIFFE Runtime Environment), a production-ready implementation of SPIFFE, was introduced to Istio in 1.14. Thanks to Envoy's SDS API, SPIRE can be configured as a source for issuing Istio workload identities. In addition to issuing strongly attested identities through a combination of different attestation mechanisms, SPIRE can also be integrated with existing PKIs, and allow the federation of different trust domains. These features offer support for diverse workload and node attestation options by using attributes from both the workloads and the nodes to create more granular identities compared to the traditional trust domain, Kubernetes namespace, and service account combination. To bring traditional VM workloads to the Istio service mesh, one must use Kubernetes concepts of namespaces and service accounts outside Kubernetes. With SPIRE, we can create identities based on the actual attributes of the VM workloads and the infrastructure they run on. Granular identities, extensibility in the form of plugins, and the ability to integrate with existing PKIs make SPIRE a powerful tool. In this talk, we'll introduce the building blocks of SPIRE and look at several scenarios on how to integrate SPIRE into your multi-cluster and VM workload scenarios.
-
The journey from the Interweb to the cloud - Cloud Native WebAssembly
Shivay Lamba
Look at the clouds, you can see a bright shining light, is it the sun? No, it is WebAssembly! Yes, this talk is all about Cloud Native WebAssembly. The talk covers the humble beginning of Assembly in the Web, to make itself one of the versatile technologies, now being used in the web, the edge, and of course the cloud. The Cloud Native Computing Foundation (CNCF) is a proponent of WebAssembly in cloud-native infrastructure. It hosts several WebAssembly-related projects and initiatives. The talk covers the current landscape of WebAssembly in the cloud-native world, and the various projects and initiatives being undertaken from applications in service mesh to boosting performance in cloud-native edge use-cases. The audience will benefit from learning about the various areas where web assembly has revolutionized the Cloud-native ecosystem and how they can get involved in the various projects.
-
Tips to fight impostor syndrome
Aurélie Vache
Who has not once said the phrase: "I suck", "I don't know anything", "I feel like an impostor", "I don't feel legitimate to do this or do that"? Some people are convinced that they do not deserve their success, despite the efforts they make to succeed. They often convince themselves that their success is not linked to their work, their personal accomplishment, but simply to luck or the work of others. In fact, they live permanently with a feeling of deception and constantly fear that someone will unmask them from one day to another. Despite my stuttering, I am a speaker, a mentor, a conference organizer and very invested in women in tech and tech communities. In this talk, we will see what the impostor syndrome is, how it is reflected on a daily basis and we will see that it is not inevitable, on the contrary, that there are tips and tricks to fight, overcome and improve. And I will also tell you several anecdotes that happened to me, which were very hard and which made me who I am today.
-
Break
-
Who Are You? Pipeline Edition.
Marc Boorshtein
How do pipelines communicate with Kubernetes clusters securely? Starting in 1.24 ServiceAccounts no longer had long lived tokens generated by default. While there are workarounds, this was done for some very important reasons. This session will walk you through different approaches for securely accessing your clusters from external systems and pipelines, whether on-prem or cloud managed, leveraging components you likely already have or can deploy easily. You'll have pipelines that are easy to run, deploy, and will make your security team happy!
-
Zero Trust is for Networks, Not Your Teams
Matty Stratton
The whole idea of DevOps was about how we could work together better. But we broke down silos, and instead built new walls. The concept of zero trust has been widely applied to network security, however, it's not really a great way to think about our teams. This talk will explore how to foster a culture of trust in organizations, with a focus on outcomes. Leaders and individuals alike play a critical role in establishing and maintaining trust, which is crucial for the success of any team. One key aspect of building a culture of trust is facilitating and growing psychological safety within the team. This means creating an environment where individuals feel comfortable expressing their opinions, ideas, and concerns without fear of negative consequences. Moreover, trust is necessary for proper practices of Site Reliability Engineering (SRE) and DevOps, but often organizations lack the right setup to allow for it. This talk will feature practices inspired from the field of Resilience Engineering as well as proven DevOps approaches, with a focus on how leaders and individuals can create an environment where trust is valued, encouraged, and fostered. Attendees will take away insights and actionable tips to bring back to their teams to create a more resilient and effective organization.
-
1 Minute Sponsors
Room 2
-
Keynotes
-
Sponsors
-
Policy enforced identity attestation for Kubernetes workloads with SPIFFE
Sitaram Iyer
With rapid increase in adoption of Kubernetes the number of workloads deployed across the enterprise is increasing exponentially. This has led to looking at security with a completely new focus.
- What does it mean when someone says "we need to secure our workloads"?
- How does an organization ensure that every workload deployed in a cluster has its own identity and that identity is used for mutually authenticating to other workloads?
- How can these workloads be tied to organization's security policies that are managed by the PKI team?
- How can security team build an enterprise security posture that adheres to the compliance models defined within the enterprise?
This talk will give security professionals the ability to define a set of services that can be easily adopted by the platform teams that operate and run Kubernetes. Specifically, this talk will walk through how to set up workloads deployed in a cluster to utilize organization's CA (Certificate Authority) infrastructure to sign workloads using cert-manager and utilize SPIFFE as a standard way to issue SPIFFE SVIDs.
-
Use eBPF and Grafana to Build a Kubernetes Service Graph in 10 Minutes
Adam Sayah
Service Mesh technologies are tools that enhance the micro-services deployments by adding monitoring, security, and resiliency, often operating on top of Kubernetes and using a sidecar model where a proxy is deployed within each pod to add these cross-cutting concerns, though recently, we are seeing a new challenger to the sidecar approach emerging, the sidecarless approach based on the revolutionary eBPF technology that is pushing the boundaries further and enabling the service mesh features (like monitoring) at the network layer. In the following session we will build a service graph in Grafana to track the interactions between multiple Kubernetes services, using metrics generated by an eBPF program created using an open source project called Bumblebee.
-
Lunch
-
Gain Better Visibility into Container Image Signatures
Ivan Wallis
Software supply chains continue to be put in the spotlight. Kubernetes workloads have been increasing exponentially and the trustworthiness of these workloads is becoming even more important. There are risks to running untrusted container images as well as having little visibility on how container images were built. Current container image signing tools, such as Sigstore cosign have limited enterprise key management support, and there are no ways to prevent developers from generating local software or even leverage unapproved keys from external key storage providers (e.g. AWS KMS). Sigscan was developed to address the need from the InfoSec teams to have visibility over the identities used to sign container images and artifacts that are stored in OCI registries. In particular sigscan identifies any image tags that were signed using Sigstore/cosign or NotaryV2, and provides a summary report of the associated code signing certificate identities.
-
No YAML!
Engin Diri
Did you know that you can write Kubernetes deployments without using any YAML? No way, you say? After all, we were taught that YAML is the only way to write Kubernetes manifests. Well, my friend, what if I tell you that there are alternatives? What if I tell you, that you can write your Kubernetes manifests in a programming language you're already familiar with? In this talk, I will demonstrate several alternatives to YAML for writing your Kubernetes deployments. We will discuss the pros and cons of each alternative and how the use of development principles like DRY, KISS, and YAGNI can help you write better Kubernetes deployments.
-
eBPF Superpowers for the Cloud Native World
Daniel Chan
eBPF is a technology that allows for efficient and flexible kernel-level instrumentation, making it a powerful tool for tracing, monitoring, and securing applications running in modern cloud native environments. In this session, we will dive deep into the benefits of eBPF for these use cases, and show how these approaches differ from the common Linux instrumentation. We will cover:
1. An introduction to eBPF and its capabilities, including its role in cloud native applications.
2. Using eBPF for observability use-cases like dynamic tracing, real-time monitoring, and profiling.
3. How eBPF can be used in networking including features such as network monitoring, load balancing, and packet filtering.
4. eBPF's security applications, for example intrusion detection, and policy enforcement.
5. A discussion of real-world use cases, including how eBPF is used in Kubernetes, Cilium, Tetragon and other popular cloud native tools.
-
Break
-
1 Minute Sponsors
Workshop Rooms
- - Enforce fine-grained policy control across your data infrastructure. with Dewan Ahmed
- - App Dev on Kubernetes and Mitigating the inner loop Complexity with Rags Srinivas
- - What Does Istio Ambient Mesh Mean For Your Wallet? with Arka Bhattacharya
- - Meshed Up? Hands On Istio Debugging! with Rob Salmond

Speakers
Sponsors
If you'd like to support this conference, you can find details on our sponsorship opportunities page.

Location

Conference Venue
Toronto Convention center,
255 Front St W,
Toronto,
ON M5V 2W6,
Canada
We have a negotiated rate with the One King West Hotel at 1 King West, Toronto. It's approximately a 15-20 minute walk from the MTCC. There is limited availability so please use this link to book your hotel room.
About
Our Values
KubeHuddle is a community run conference and we want to ensure that everything we do and say is transparent and made publicly available.
- Our task list and what we're planning is all public on GitHub
- Our sponsorship details are all public
- All titles submitted as potential sessions at KubeHuddle are public on Sessionize
- This website is open source
- Currently KubeHuddle Toronto is being run through my company (@virtualized6ix). The long term plan is to migrate this to a non-profit setting however this requires proper accounting and approval from the Canadian Government and Revenue Agency. As such, all financial transactions of funds coming in and going out will be made publicly available.
Organizers
