Authors: Luboslav Pivarc
2023-04-20

tldr - powered by Generative AI

The presentation discusses the challenges and solutions of running Kubernetes workloads without a root user, with a focus on the KubeVirt project. The speaker emphasizes the importance of security and usability in implementing security features.
  • KubeVirt is a Kubernetes extension for running virtual machines alongside containers
  • Transitioning to non-root users for pods running virtual machines posed challenges
  • Problems with running Kubernetes workloads without a root user are common and can be discouraging
  • The principle of least privilege reduces the surface for exploitation and makes it harder for attackers to gain privileges
  • Tools like Pod Security Standards and restrictive policies can help enforce security
  • The solution to managing SELinux categories is to use context-specific mount points with SELinux labels
  • Security features must be usable and easily adoptable by end users to ensure secure environments
Authors: Felix Hoffmann
2023-04-19

tldr - powered by Generative AI

The presentation discusses resource management in Kubernetes from the perspective of an application developer, highlighting the importance of setting resource requests and limits appropriately to avoid cluster crashes and scheduling issues.
  • Resource management in Kubernetes involves setting CPU and memory requests and limits for containers
  • Memory limits result in termination of pods when exceeded, while CPU limits can lead to throttling or termination
  • Setting appropriate requests and limits is crucial for efficient scheduling and avoiding noisy neighbors
  • Developers should be aware of namespace limits and available resources when setting requests and limits
  • In general, it is advisable to set memory requests equal to memory limits and avoid setting CPU limits
  • Exceptions include cases where consistent workloads or overcommitment of memory are preferred
Authors: Wei Huang, Alex Wang, Kante Yin, Kensei Nakada
2022-10-28

tldr - powered by Generative AI

The presentation discusses the Kubernetes scheduler and its policies for scheduling tasks on nodes. It emphasizes the importance of following priority rules and using labels and tolerations to control policies.
  • The Kubernetes scheduler is responsible for assigning tasks to nodes based on priority rules.
  • Priority rules should be followed to ensure efficient scheduling.
  • Labels and tolerations can be used to control policies and restrictions on nodes.
  • The presentation also discusses the development of the scheduler and the importance of collaboration between different groups.
Authors: Rahul Arvind Jadhav
2022-10-25

For Kubernetes, the basic unit of execution is a pod. All the binaries in all the containers have equal access to the volume mount points and thus have direct access to the service account tokens and k8s secrets that the pod mounts. Almost all Kubernetes attacks exploit/leverage this fact. The only thing an attacker has to ensure is to inject a binary into the pod using a known/unknown vulnerability in any of the binaries within any of the containers. Once the attacker injects a malicious binary, it has unrestricted access to the secrets in predefined volume mount points (we are making it so easy for the attacker!). Typically only a few binaries within the pod need access to the tokens/secrets. The access should be restricted to such a list of processes/binaries, and an automated framework should derive this list. This is easier said than done, taking into consideration that the app is updated every few weeks, i.e., the security posture changes with the app updates. This session aims to highlight runtime security risks that are inherent to k8s design and possible solutions to alleviate some of these concerns. Rahul is a dev/maintainer of KubeArmor (runtime security engine).
Authors: Andrew Martin
2022-05-20

tldr - powered by Generative AI

The presentation discusses threat-driven defense for Kubernetes and provides a guide on how to attack and defend clusters from various vulnerabilities and attacks.
  • Threat modeling and understanding attackers' capabilities is crucial for effective defense
  • Attack trees can help visualize potential attack paths and identify necessary controls
  • Supply chain attacks are a significant threat to Kubernetes security
  • Remote code execution and misconfigured containers are common vulnerabilities to exploit
  • Advanced runtime hardening and workload identity are important for cluster security
Authors: Dawn Chen, Derek Carr, Elana Hashman, Sergey Kanzhelev
2021-10-15

Kubernetes SIG Node owns components that control interactions between pods and host resources, including the Kubelet, Container Runtime Interface (CRI), and Node API. SIG Node is responsible for the Pod’s lifecycle from allocation to teardown, to liveness checks and shared resource management. We work with the various container runtimes, kernels, networking, storage, and more; anything a pod touches is SIG Node’s responsibility! In this session, we will begin with an introductory overview of the SIG and what it has worked on in the past. We will then deep dive into ongoing efforts of the SIG, including features targeted for the 1.22 and 1.23 releases and future roadmap. Join this session to learn more about our SIG, and how you might get involved to make Node even better!
Authors: Wei Huang
2021-10-15

tldr - powered by Generative AI

Tips for optimizing Kubernetes scheduling throughput and customization
  • Adjust the percentage of nodes to score based on cluster size
  • Iterate a few nodes instead of all of them in the default preemption plugin
  • Use the prefer nominated node feature to save time in scheduling
  • Customize the parallelism parameter to optimize performance
  • Model custom resources as extended resources to schedule GPU-intensive workloads
  • Use multi-profile scheduling to specify different scheduling policies for different workloads
  • Simplify scheduler configuration with the MultiPoint plugin extension point
Authors: Peter O'Neill
2021-10-15

tldr - powered by Generative AI

The presentation discusses the journey of a network engineer into becoming a K8s developer and the skills and knowledge that transfer between the two roles. It highlights the complexity of Kubernetes and the importance of tools like Telepresence for developing and debugging in the cluster.
  • Network engineering involves troubleshooting and following a network path, which transfers to Kubernetes development.
  • Cloud-native applications are more complex, with multiple services, load balancers, and connections.
  • Troubleshooting in Kubernetes involves identifying which service and connection is causing the issue.
  • Telepresence is a useful tool for bridging a laptop's local network to a Kubernetes cluster for easier development and debugging.
  • The presentation includes a demo of using Telepresence to access the Kubernetes API and work with pods.
Authors: Kim Schlesinger
2021-10-14

tldr - powered by Generative AI

Alternative ways of visualizing and understanding Kubernetes architecture for early career engineers with limited computing experience
  • Create diagrams that show the passage of time to represent Kubernetes clusters
  • Use distributed tracing tools as a learning tool to identify errors and understand the system
  • Build 3D models of Kubernetes clusters to help people develop a richer mental model of the system