Authors: Roland Kool, Ricardo Rocha, Piotr Szczesniak, Christian Huening, Rania Mohamed

tldr - powered by Generative AI

The challenges of securing and governing communication between services running in multiple clusters or on different infrastructure can be addressed with service mesh and Gateway API solutions in a distributed, heterogeneous environment.
  • The shift from on-premises data centers to cloud, multi-cloud and hybrid environments has created new challenges in securing and governing communication between services
  • Service mesh and Gateway API solutions address these challenges by offering a shared trust anchor, an identity framework, and policies that allow only selected services to communicate
  • Examples of service mesh solutions include Linkerd and Istio, while the Kubernetes Gateway API offers a portable solution for multi-cluster communication
Authors: Barun Acharya

Containers and orchestrators are being rapidly adopted worldwide because of the advantages they provide, but cyber attacks against them have risen just as fast. With the recent zero days there is an ever more pressing need to enforce security in containers. Even with static analyzers in place that scan for known vulnerabilities, a new vulnerability can pop up at any time, or you can be compromised at runtime, which may end in losses. We should try to reduce the attack surface as much as possible to reduce these unknown unknowns. This talk is about how one can choose to be a minimalist about their workloads, from choosing the right node images to reducing dependencies in containers and finally minimizing risks at runtime. We will explore optimized operating systems, RBAC, Docker Slim, network policies, security contexts and tooling around mandatory access control, and how they can help you on your path to becoming a minimalist with your workloads in order to secure them.
Authors: Kirti Apte, Steve Watkins

tldr - powered by Generative AI

The presentation discusses the use of open source tools and templates to create a supply chain for DevOps workflows, with a focus on security and compliance.
  • The presentation includes a live demo of a basic GitOps workflow using open source tools such as Flux CD, Tekton, and kpack.
  • The use of templates allows for flexibility in tool selection and easy swapping of tools.
  • Security and compliance are embedded into the supply chain by signing images, scanning for vulnerabilities, and generating SBOMs for auditing purposes.
  • The centralized metadata store allows results to be queried easily and shared with developers and auditors.
Authors: Arnaud Meukam, Davanum Srinivas, Benjamin Elder

In this session the SIG K8s Infra leads/TLs will give an introduction to the SIG and an overview of how to contribute. They will share the work done over the past year and introduce the infrastructure used by the community. The session will conclude with Q&A.
Authors: Chris Hein, Eric Ernst

tldr - powered by Generative AI

The presentation discusses the use of Kata Containers for stronger workload isolation in a multi-tenant environment.
  • Multi-tenancy in a single interface can pose security risks
  • Options for stronger isolation include sandboxed runtimes such as Kata Containers
  • Kata Containers use a virtual machine monitor to launch a minimally configured virtual machine for each container
  • Networking is simplified with a veth dropped into a network namespace
  • Per-tenant iptables rules are synced to the tenant control plane for added security
Conference: ContainerCon 2022
Authors: Shai Almog

tldr - powered by Generative AI

The presentation discusses the challenges of debugging in a Kubernetes environment and introduces kubectl debug and KoolKits as solutions.
  • Debugging in a Kubernetes environment is challenging because of the multiple layers of abstraction and the bare-bones container problem.
  • kubectl debug and KoolKits are solutions to these challenges.
  • kubectl debug allows a pod to be inspected even if it has crashed or is built from a bare-bones image.
  • KoolKits is an open source project that provides a set of opinionated, curated, platform-specific tools for debugging with kubectl debug.
  • Anecdote: The presentation includes a demo of using kubectl debug to increase logging levels and connect to an ephemeral container with the Busybox image.
  • Tags: Kubernetes, debugging, kubectl debug, KoolKits, ephemeral container, bare-bones container problem.
Authors: Alexander Jung

tldr - powered by Generative AI

KubeKraft is a novel runtime that allows VMs to be run natively with Kubernetes, without any container overhead. It aims to achieve higher cluster utilization while maintaining performance and security.
  • Virtualization strategies such as containers have gained immense popularity thanks to orchestration frameworks such as Kubernetes.
  • Typical Kubernetes deployments involve four degrees of virtualization and indirection, which can be difficult to debug and add performance penalties.
  • KubeKraft introduces unikernels into the ecosystem and allows VMs to be run natively with Kubernetes, without any container overhead.
  • KubeKraft's architecture is presented, along with its integration with Kubernetes and performance results.
  • Using a Unikraft NGINX unikernel, KubeKraft achieves 2x the throughput of the official Docker NGINX image.