KubeCon San Diego Recap
KubeCon San Diego Recap
KubeCon had a great turnout this year with 12,000 attendees that filled the San Diego Convention center. Three things stood out to me: Security, Network, and Community.
The community was a big theme at this event and in many of the keynotes. From David’s talk about non-code ways to contribute to CNCF’s projects. Kelsey Hightower’s keynote on how we could never have done this as an individual or a single company. Not to mention, Tim Hockin’s point of Co-op-petition between Google, Microsoft, and others; Project over Company.
There were several co-located events at KubeCon:
I attended sessions from both KubeSec and AWS Container days at the start of the week. Security was a big part of KubeCon with KubeSec and CloudNative Security Day being collocated events this year. At KubeSec Liz Rice, from Aquasec, discussed the OODA loop, Observe, orientate, decide, act, this presentation of the week set the tone for him. By building security into the pipeline, teams can respond faster to incidents and secure your infrastructure and applications at an accelerated rate as well. At each phase of the pipeline, security can be added.
Build
- Image scanning
- Secure app code
Deploy
- Image policies
- Admission control
Run
- Network policies
- Runtime protection
The Cloud Native Security Day focused on how the state of containerized and cloud-native ecosystem, including sessions around Kubernetes’ first third-party security assessment, exploiting Kubernetes in its default configuration. There were also sessions about using Open Policy Agent for automating policy-based compliance as well as leveraging serverless & machine learning for alerting administrators of potential attacks. The recordings from the Cloud Native Security Day can be seen on this YouTube playlist.
At the AWS event, we learned all about the Container ecosystem inside AWS, updates to EKS, and some announcements ahead of Re:Invent. There was an AWS App Mesh workshop and Kubeflow workshop. If you want to try out the App Mesh workshop, here is the link to it. The biggest update is the release of managed nodes for EKS. AWS can now manage your entire cluster lifecycle for your team if desired. If you want to learn more about it here is the release blog post about it. The EKS team also has its container roadmap available on GitHub at https://github.com/aws/containers-roadmap
Announcements
- AWS EKS managed nodes
- Microsoft open enclave confidential compute
- Microsoft Open Enclave SDK
- https://azure.microsoft.com/en-us/solutions/confidential-compute/
- https://confidentialcomputing.io/
- Hubble from Cilium: https://cilium.io/blog/2019/11/19/announcing-hubble/
- Helm v3 going GA
- Buoyant Announces Dive, a SaaS Control Plane for Kubernetes
- GitOps Engine = AWS + Intuit + Weaveworks + Argo Flux
Let me know what announcements at KubeCon you were most excited about!
Tools we learned about:
- Tracee from aquasec - Open source application for tracing and stopping security issues in your cluster.
- Linode Kubernetes engine - Linode Managed Kubernetes offering.
- D2iq Kommander - Centrally govern Kubernetes clusters.
- OPA - Open Policy Agent. Here is an introduction from Rita Zhang, Microsoft & Patrick East, Styra about OPA.
- Conftest - Tool for “shifting security left”, building on top of OPA. Here is a good introduction by Garett Rushgrove from Snyk
- Cortex - Horizontally scalable, highly-available multi-tenant Prometheus
- Falco - Opensource runtime protection from sysdig utilizing ePBF.
One of the biggest takeaways is that there is more than one way to contribute to Kubernetes or other CNCF projects:
- Project Management
- Technical Writing
- Bug Reporting
- Community Education
- Release Teams
- Advocacy
- Marketing/Communications
The best way to get started is to speak directly to maintainers. Click on this link to learn more about getting involved.
Project updates:
- Vitess - Vitess is a cluster MySQL solution that has moved to a graduated state in the CNCF.
- Helm 3 - Helm 3 comes with the removal of Tiller and other updates to the project.
- SIG Network UPdates - IPv4/IPv6 dual-stack update, why endpoints slices, service typologies, among other things, lots of movement in Sig Network.
- OPA 0.15.1 released - WebAssembly compilation of Rego templates!
Sessions:
10 Weird ways to blow up your Kubernetes - AirBnB engineers gave us their lessons learned when running k8. There are a lot of growing pains when managing your clusters. This talk is a great way to understand some issues that may arise when managing Kubernetes.
If you’re interested, there is even a site for deep dives into Kubernetes missteps https://k8s.af/ . A favorite is when a Spotify engineer deleted a production cluster!
Understanding and Troubleshooting the eBPF Datapath in Cilium - Nathan Sweet, a software engineer from DigitalOcean talked about how DO uses Cilium for the CNI in their Kubernetes Managed service. Slides Here. He gives a great illustration of the Architecture of eBPF below.
There was a great talk conducted held by Greg Castle and Tim Allclair on attacks and potential mitigations for when an attacker successfully compromises a container and is able to break out of it: Walls Within Walls: What if Your Attacker Knows Parkour? It is well worth the time.
There was a lot to take in at KubeCon 2019. From sessions, meeting vendors and most importantly meeting others in the community. KubeCon is certainly the conference to go to learn about what is going in all the CNCF projects.
I hope to see you at the next one.
The entire playlist of Sessions at Kubernetes
Photos from the KubeCon CloudNativeCon
Other awesome posts as well: