Authors: Christie Warwick, Priya Wadhwa
2023-04-19

tldr - powered by Generative AI

The presentation discusses the use of SLSA standards and Tekton in threat modeling and securing CI/CD systems on Kubernetes.
  • SLSA sets standards for build system execution to ensure trustworthiness
  • Threat modeling for a build system on Kubernetes identifies additional threats and ways to mitigate them
  • Tekton can do more to verify image provenance and address volume isolation
  • SPIRE can be used to catch tampering with Tekton CRDs
  • Trusted resources in Tekton ensure execution of the intended tasks and pipelines
Authors: Michael Lieberman, Parth Patel
2022-10-26

There are multiple tools out in the ecosystem trying to deal with parts of the software supply chain threat, but what does an end-to-end solution look like? The OpenSSF FRSCA is an implementation of the CNCF best practices that aims to protect the build system, secure ingestion, and enforce policy in the production environment to minimize the attack vectors associated with the software supply chain. With the integration of Tekton Pipelines/Chains, Sigstore, SPIFFE/SPIRE, and Kyverno, we can create a holistic approach that can meet SLSA Level 3 from beginning to end. Utilizing CUE, an admission controller, and short-lived certificates, we can protect the cluster both cryptographically and based on policy. Building off binary authorization, FRSCA can validate the signature and attestation to authorize until the next release cycle. FRSCA aims to be an implementable architecture that the open source community and end-user organizations can utilize to ingest and produce SLSA-compliant artifacts.
Conference: ContainerCon 2022
Authors: Corby Page, Cora Iberkleid
2022-06-23

The Kubernetes ecosystem has a rich set of solutions for various stages of CI/CD. Tools like Flux, Tekton, kpack, Knative, ArgoCD, and more help create a modern path to production. And yet, teams and organizations that adopt these tools struggle with complex, DIY snowflake pipelines. The challenge can be creating and maintaining imperative scripts; orchestrating the flow of information between tools; driving reusability; adopting GitOps practices; and enabling proper separation of concerns. Cartographer is an exciting OSS project that elegantly addresses these challenges, providing the backbone for a modern application platform built on Kubernetes. Rooted in the concept of event-driven supply chain choreography, it enables composable, reusable roadmaps to drive source code to production. It provides an abstraction layer that facilitates the adoption and integration of existing and emerging CI/CD tools, while clearly delineating developer and operator ownership. It complements the existing ecosystem, filling an important gap to ease use, maintenance, and scalability. In this tutorial, you will learn how to create secure end-to-end workflows, sustainably and at scale. You will gain working knowledge of Cartographer that you can apply to your own application deployments.
Authors: Brandon Lum, Parth Patel
2022-06-21

tldr - powered by Generative AI

The presentation discusses the challenges of locking down provenance metadata fields in Tekton and proposes a solution using SPIFFE/SPIRE for strong attestation and verification.
  • Tekton users have direct access to objects and metadata fields, making it difficult to lock down provenance metadata fields
  • Kubernetes cluster classes are managed by different entities, making it challenging to restrict access to metadata fields
  • The TaskRun object becomes a main attack point for malicious actors
  • The proposed solution involves creating a trusted computing base and restricting access to metadata fields
  • SPIFFE/SPIRE provides strong attestation and verification for the trusted computing base
  • Future work includes extending the solution to other custom resources and validating artifacts passed between tasks
Authors: Christie Warwick (Wilson), Kirsten Garrison, Adam Kaplan
2021-10-15

KEPs, TEPs, SHIPs - why are contributors asked to fill these out? Many open source projects adopt enhancement proposal (EP) processes to guide new feature development. These documents can be lengthy, and contributors can be reluctant to write designs up front before their code is accepted. There is great value in writing these documents and sharing them with fellow developers. How can a project adopt an EP process without intimidating new contributors? Can these principles be used with proprietary code, or small projects? In this panel discussion, maintainers from Kubernetes, Tekton, and Shipwright will discuss the ins and outs of their enhancement processes, and how up-front design discussions have improved the quality of their code. The panel will explore the history behind their processes, how they work, and how they have evolved over time. Panelists will also share how they make their EP processes effective and engaging. After the discussion you may add EPs to your own projects!
Authors: Alex Collins, Jason Hall
2021-10-14

tldr - powered by Generative AI

The presentation discusses the challenges of using custom resources in Kubernetes and offers mitigations for avoiding resource proliferation and destabilizing etcd.
  • Custom resources are essential for Kubernetes extensibility but can lead to resource proliferation and destabilization of etcd.
  • Mitigations for these issues include avoiding unnecessary updates, batching updates, and avoiding duplicating information across objects.
  • Using jobs when only pods are needed can also lead to resource duplication and increased QPS.
  • The speaker offers anecdotal evidence of these issues and suggests attending the Intuit or Argo booths for further discussion.