Authors: Luboslav Pivarc
2023-04-20

tldr - powered by Generative AI

The presentation discusses the challenges and solutions of running Kubernetes workloads without a root user, with a focus on the KubeVirt project. The speaker emphasizes the importance of both security and usability when implementing security features.
  • KubeVirt is a Kubernetes extension for running virtual machines alongside containers
  • Transitioning to non-root users for pods running virtual machines posed challenges
  • Problems with running Kubernetes workloads without a root user are common and can be discouraging
  • The principle of least privilege reduces the surface for exploitation and makes it harder for attackers to gain privileges
  • Tools like Pod Security Standards and restrictive policies can help enforce security
  • The solution to managing categories is to use context-specific mount points with container SELinux labels
  • Security features must be usable and easily adoptable by end users to ensure secure environments
Authors: Rodrigo Campos Catelin, Marga Manterola
2023-04-20

tldr - powered by Generative AI

The presentation discusses the benefits and challenges of using Kubernetes for Cloud Native applications.
  • Kubernetes can automate tasks and make applications more resilient
  • Automatic health checking and load balancing are important features of Kubernetes
  • Kubernetes is a complex abstraction layer that requires learning and debugging
  • Deploying applications as Kubernetes deployments involves writing YAML files that specify desired state
  • Connecting backend and frontend pods in Kubernetes requires service objects
Authors: Alexander Jung
2022-10-27

tldr - powered by Generative AI

Unikraft is an open-source library operating system that enables the construction of ultra-lightweight VMs quickly, easily and without time-consuming developer effort. These VM images are tailored to the application itself and have high-performance, low resource usage and a small attack surface. The talk compares Unikraft with existing runtimes for the cloud and demonstrates how it can be used with Kubernetes today.
  • Existing runtimes for the cloud rely on traditional kernel stacks and hypervisors, which negatively impact security and performance.
  • Unikraft is an open-source library operating system that enables the construction of ultra-lightweight VMs quickly, easily and without time-consuming developer effort.
  • Unikraft VM images are tailored to the application itself and have high-performance, low resource usage and a small attack surface.
  • Unikraft can be used with Kubernetes today.
  • Unikraft supports major cloud vendors such as AWS and GCP.
Authors: Michael Henriksen
2022-10-26

KubeVirt makes it possible to run traditional Virtual Machine workloads in a Kubernetes cluster. Since VMs are typically stateful and not as homogeneous as containerized applications, additional care must be given to ensure that VM state is properly initialized, managed, and protected. We will explore how the KubeVirt storage layer bridges the gap between QEMU/KVM Virtual Machines and K8s storage primitives to provide a feature-rich API that manages data for the entire lifecycle of a VM. We will discuss how new VMs can be created with pre-populated disks based on “golden images” and how running Virtual Machines can be safely snapshotted/restored. Disaster Recovery workflows are enabled by the VirtualMachineExport API as well as integration with Velero. Future initiatives, such as Volume Populator support will also be discussed. You will come away with enough of a high level understanding of the KubeVirt storage APIs and architecture to make meaningful contributions.
Authors: Jeremy Powell
2022-09-15

tldr - powered by Generative AI

The presentation discusses attestation in a confidential computing environment and the threats around misconfiguring the platform and guest on its launch. It covers platform measurements, guest measurements, authenticity of attestation reports, and connecting the dots between different components.
  • Attestation is necessary to delegate security decisions to a remote relying party
  • The trusted computing base for a guest running an SP starts at the hardware root of trust
  • The TCB version is reported in the attestation report for the identity of the mutable firmware
  • Guest measurements include image, metadata, and runtime environment
  • Authenticity of attestation reports can be determined by comparing the report ID of the migration agent
  • Connecting the dots between different components involves chaining trust from a small kernel bootloader to the rest of the system
Authors: Brandon Wagner, Nick Tran
2022-05-19

Kubernetes (k8s) has enabled applications to be mostly agnostic to the underlying VM infrastructure they run on. Many clusters can benefit from the cost savings of utilizing spare VM capacity offerings commonly called Spot. In this session, we will discuss some of the best practices for utilizing Spot capacity within a k8s cluster and some of the tools that will make your life easier when managing the underlying VM infrastructure.