Program

Luc Perkins,

Developer Advocate

CNCF

VM (Vicky) Brasseur,

Director of Open Source Strategy

Juniper Networks

A well-grounded cloud: Exploring the foundations of Cloud Native

Cloud native is now the default architecture for new and evolving software. While the approach has earned its way to the top of the heap, merit isn't the only factor that led to its success. In this talk I'll explore the foundation that's given cloud native the solid base from which to reach for the skies.

Morgan Martinet,

Enterprise Architect

Ville de Montréal

Marc Khouzam,

Solutions Architect

Cloud infrastructure at Ville de Montréal

Software development life cycle of montreal.ca

We will do a presentation summarizing the architecture put in place for the City of Montreal in order to develop its microservices in NodeJS and execute them in Kubernetes.

We will describe how we used Jenkins and developed our own DSL to simplify adoption and operations.

We will also demonstrate all the steps taken: from the creation of a new API project to deploying in production, including monitoring and logging.

We will conclude with an overview of the challenges we faced and the processes implemented in order to improve.

Raymond Maika,

Engineering Team Lead

CENGN

Moh Ahmed,

Cloud Infrastructure Engineer

CENGN

Using Rook to Manage Kubernetes Storage with Ceph

This presentation will introduce the Rook project within CNCF and set the context around the problem that it addresses. Through the use of the operator pattern, the Rook operator will be discussed to understand how a storage cluster can be configured and managed through it. Rook started with Ceph as its only storage backend, but over the course of its development many new backends have been introduced. For the purpose of this presentation, the focus will be on the Ceph backend and how Rook makes it easy to upgrade the operator and the backend independently of each other to give administrators control over their environment.

The use cases for Rook-Ceph will vary depending on the Kubernetes cluster and its purpose. However, as end users of Rook-Ceph, the shared filesystem that Ceph provides allows for the scalability of different services by running multiple pods with the same mount point. If there's no need for ReadWriteMany capabilities, Rook-Ceph also provides block and/or object storage interfaces to pods.

By the time of the presentation, Rook 1.0 will have been released, and with it comes the Ceph CSI driver implementation, which will also be highlighted. Finally, a running Rook-Ceph cluster will be shown and the Ceph cluster will be upgraded to a new release to pick up fixes and new features, demonstrating independence between the operator and its storage backends.

Erin Schnabel,

Senior Technical Staff Member

IBM

Ozzy Osborne,

Software Developer

IBM

What is cloud native anyway

Cloud-native applications and microservice architectures are growing in popularity every day. The 12-Factor methodology provides a baseline definition for cloud native applications made from stateless, replaceable processes. Netflix OSS shared libraries helped with the implementation of smart, fault tolerant endpoints that handled service discovery and load balancing. Kubernetes moves some of that responsibility into the infrastructure, and Istio (based on the Envoy proxy from Lyft) moves even more out of the application into a service mesh. So what is a cloud-native application now? What does a service endpoint need to do, and what should it delegate? In this session, we'll explore this changing landscape, including some disruptive newcomers shaking everything up.

Don Bowman,

Founder

Agilicus

Defense in Depth: Securing your new Kubernetes cluster from the challenges that lurk within

The abstraction layers of 'container', 'helm', etc. often make people not think about the security issues. I run 'helm install X' or 'docker build'. That in turn imports many things which get delivered into my environment.

Containers are not a (strong) security barrier. We often think about security as a Boolean (outside bad, inside good). Here I will talk about 'Defense in Depth': assuming that bad things are already in, and the steps we take to harden the environment.

  • service mesh
  • logging
  • network policy
  • reduction in privilege (de-root, de-privilege)
  • rbac, roles
  • understanding the upstream risk, quantifying, controlling
  • read-only filesystems
  • distroless

And I'll show a simple check list of activities you can do during your DevOps cycle that won't change your cost (much).

I will focus on Kubernetes environment, contrasting Helm (+Tiller) versus Kustomize, but this is applicable to other environments.
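The hardening items listed in this abstract (de-root, de-privilege, read-only filesystems, controlling upstream risk) can be turned into exactly the kind of DevOps-cycle checklist the talk mentions. The script below is an added example, not the speaker's or any project's code: it audits a Pod manifest (represented as a Python dict, so it runs without PyYAML) against those items and returns findings. Both manifests are constructed for illustration; the image names, the `sha256` digest of all zeros and the UID 10001 are placeholders, not real artifacts.

```python
"""Audit a Kubernetes Pod manifest against a small defense-in-depth checklist.

Checks map to the talk's list: host namespaces and service-account token
(de-privilege), runAsNonRoot (de-root), readOnlyRootFilesystem, dropped
capabilities, and image pinned by digest (controlling upstream risk).
Manifests are plain dicts so the example runs without a YAML library.
"""
from typing import Any, Dict, List

# Constructed sample: what a typical "helm install" pod often looks like.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [{"name": "web", "image": "example.invalid/web:latest"}],
    },
}

# Constructed sample: the same pod with the checklist applied.
# Digest and UID are placeholders (assumptions for the example).
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web",
            "image": "example.invalid/web@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            # Writable scratch space is explicit once the root FS is read-only.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable findings; empty means all checks passed."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key} shares the host namespace")
    # The API server mounts the token by default; most workloads never need it.
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: automountServiceAccountToken should be false unless the workload calls the API")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})

        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Unset means true in Kubernetes, so require an explicit false.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation should be false")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: readOnlyRootFilesystem should be true")
        # Container-level runAsNonRoot overrides the pod-level setting.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runs as root (set runAsNonRoot: true)")
        if "ALL" not in [str(d).upper() for d in caps.get("drop", [])]:
            findings.append(f"{name}: capabilities.drop should include ALL")
        if caps.get("add"):
            findings.append(f"{name}: capabilities.add grants {caps['add']}")
        # A tag can be re-pushed upstream; a digest names exactly one image.
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"{name}: image is not pinned by digest ({image})")

    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"== {label}: {len(audit_pod(pod))} finding(s)")
        for line in audit_pod(pod):
            print("  -", line)
```

Network policy and RBAC are cluster-scoped objects and cannot be judged from a Pod manifest alone, so they are out of scope for this check; the same audit can be run over the `template.spec` of a Deployment or the rendered output of `helm template` before anything is applied.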

Viktor Gamov,

Developer Advocate

Confluent

Streams must flow: developing fault-tolerant stream processing applications with Kafka Streams and Kubernetes

All things change constantly, and we need to get on board with streams! Moreover, dealing with constantly changing data at low latency is pretty hard. It doesn’t need to be that way. Kafka Streams, Apache Kafka’s stream processing library, allows developers to build sophisticated stateful stream processing applications which you can deploy in an environment of your choice. Kafka Streams is not only scalable but fully elastic, allowing for dynamic scale-in and scale-out as the library handles state migration transparently in the background. By running Kafka Streams applications on Kubernetes, you can use Kubernetes' powerful control plane to standardize and simplify application management, from deployment to dynamic scaling. In this talk, Viktor explains the essentials of dynamic scaling and state migration in Kafka Streams. You will see a live demo of how a Kafka Streams application can run in a Docker container and the dynamic scaling of an application running in Kubernetes.

Karthik Prabhakar,

Senior Director

Solution Architecture at Tigera

Identity, AuthN and AuthZ for Zero Trust Workload Security

Workload identity, authentication and authorization are foundational to a comprehensive security posture for cloud-native microservices. This session will walk through the state of the union in how these can be enabled within Kubernetes and a service mesh.

Furthermore, deployments have evolved from isolated Kubernetes islands towards interconnected services that also encompass public cloud services. We will share a few emerging patterns learned from operationalizing this spanning Kubernetes, Istio Citadel, Envoy and Calico.

Of course, together with a couple of demos to illustrate how these can be linked together to enable zero-trust security.

James Munelly,

JetStack

Cert-manager: using Kubernetes as an automated X.509 management platform

Cert-manager has long been known as the tool to secure your websites using Let's Encrypt TLS certificates. But did you know it can be used for much more than that?

This talk teaches the audience about advanced PKI management with cert-manager, and how it can be used from development to production to secure your applications.

Automating rotation and management makes it possible to enable TLS across your entire application and infrastructure stack consistently, with confidence.

We'll walk through how to utilise Issuers and Certificates as building blocks for complex PKIs to secure:

  • User applications
  • Ingresses
  • Kubernetes system components and webhooks
  • External systems

There will also be a run-through of the roadmap for the project, and how we intend to reach the 1.0 milestone at last!

By the end of this talk, you'll have an understanding of how the project works, reusing PKI manifests between environments for consistency and how to utilise managed certificates in a wide variety of applications.

Syed Ahmed,

Cloud Software Architect

CloudOps

The Containerization of Machine Learning

Machine learning (ML) is a method of data analysis for identifying patterns and predicting future probabilities. It is part of research on artificial intelligence (AI). By inputting data with predetermined answers into mathematical models, computers can train themselves to predict future unknown sets of inputs. This is a talk and demo on Kubeflow: a composable, portable, and scalable ML stack built on top of Kubernetes.

Nicolas Seigneur,

CTO

IDSTACKs

Compliance and Security in a Cloud Native World

Cloud Native technology has taken the world by storm. It changed the way we deploy applications and provided us the tools to iterate faster than ever. This new velocity and agility provides multiple challenges to security teams, but it also provides new opportunities for DevOps teams. To embrace the full power of this new paradigm while providing a high level of security and most importantly, without slowing us down, we require a new approach to security and compliance.

Join us to learn how IDStacks’ DevSecOps implements security in depth and leverages various tools such as Comply, Jira, HashiCorp Vault and Twistlock to provide a highly secure platform that can achieve compliance objectives while embracing Containers, Kubernetes and Cloud Native platforms.

We will provide a complete overview of our security posture that covers key topics of Cloud Native Security such as vulnerability scanning, image admission, compliance, patching strategy, CI/CD integration, network security, intrusion detection and runtime protection.