Cloud Native Computing Foundation
VM (Vicky) Brasseur,
Director of Open Source Strategy
A well-grounded cloud: Exploring the foundations of Cloud Native
Cloud native is now the default architecture for new and evolving software. While the approach has earned its way to the top of the heap, merit isn't the only factor that led to its success. In this talk I'll explore the foundation that's given cloud native the solid base from which to reach for the skies.
Ville de Montréal
Cloud infrastructure at Ville de Montréal
Software development life cycle of montreal.ca
We will give a presentation summarizing the architecture put in place for the City of Montreal in order to develop its microservices in NodeJS and execute them in Kubernetes.
We will describe how we used Jenkins and developed our own DSL to simplify adoption and operations.
We will also demonstrate all the steps taken: from the creation of a new API project to deploying in production, including monitoring and logging.
We will conclude with an overview of the challenges we faced and the processes implemented in order to improve.
Engineering Team Lead
Cloud Infrastructure Engineer
Using Rook to Manage Kubernetes Storage with Ceph
This presentation will introduce the Rook project within CNCF and set the context around the problem that it addresses. Through the use of the operator pattern, the Rook operator will be discussed to understand how a storage cluster can be configured and managed through it. Rook started with Ceph as its only storage backend, but over the course of its development many new backends have been introduced. For the purpose of this presentation, the focus will be on the Ceph backend and how Rook makes it easy to upgrade the operator and the backend independently of each other, giving administrators control over their environment. The use cases for Rook-Ceph will vary depending on the Kubernetes cluster and its purpose. However, as end users of Rook-Ceph, the shared filesystem that Ceph provides allows for the scalability of different services by running multiple pods with the same mount point. If there's no need for Read Write Many capabilities, Rook-Ceph also provides block and/or object storage interfaces to pods. By the time of the presentation, Rook 1.0 will have been released, and with it comes the Ceph CSI driver implementation, which will also be highlighted. Finally, a running Rook-Ceph cluster will be shown and the Ceph cluster will be upgraded to a new release to pick up fixes and new features, demonstrating the independence between the operator and its storage backends.
Senior Technical Staff Member
What is cloud native anyway
Cloud-native applications and microservice architectures are growing in popularity every day. The 12-Factor methodology provides a baseline definition for cloud-native applications made from stateless, replaceable processes. Netflix OSS shared libraries helped with the implementation of smart, fault-tolerant endpoints that handled service discovery and load balancing. Kubernetes moves some of that responsibility into the infrastructure, and Istio (based on the Envoy proxy from Lyft) moves even more out of the application into a service mesh. So what is a cloud-native application now? What does a service endpoint need to do, and what should it delegate? In this session, we'll explore this changing landscape, including some disruptive newcomers shaking everything up.
Defense in Depth: Securing your new Kubernetes cluster from the challenges that lurk within
The abstraction layers of 'container', 'helm', etc. often keep people from thinking about the security issues. I run 'helm install X' or 'docker build'. That in turn imports many things which get delivered into my environment.
Containers are not a (strong) security barrier. We often think about security as a Boolean (outside bad, inside good). Here I will talk about 'Defense in Depth': assuming that bad things are already in, and the steps we take to harden the environment.
- service mesh
- network policy
- reduction in privilege (de-root, de-privilege)
- RBAC, roles
- understanding the upstream risk, quantifying, controlling
- read-only filesystems
And I'll show a simple checklist of activities you can do during your DevOps cycle that won't change your cost (much).
I will focus on the Kubernetes environment, contrasting Helm (+Tiller) versus Kustomize, but this is applicable to other environments.
Streams must flow: developing fault-tolerant stream processing applications with Kafka Streams and Kubernetes.
All things change constantly, and we need to get on board with streams! Moreover, dealing with constantly changing data at low latency is pretty hard. It doesn’t need to be that way. Kafka Streams, Apache Kafka’s stream processing library, allows developers to build sophisticated stateful stream processing applications which you can deploy in an environment of your choice. Kafka Streams is not only scalable but fully elastic, allowing for dynamic scale-in and scale-out as the library handles state migration transparently in the background. By running Kafka Streams applications on Kubernetes, you can use Kubernetes' powerful control plane to standardize and simplify the application management, from deployment to dynamic scaling. In this talk, Viktor explains the essentials of dynamic scaling and state migration in Kafka Streams. You will see a live demo of how a Kafka Streams application can run in a Docker container and the dynamic scaling of an application running in Kubernetes.
Solution Architecture at Tigera
Identity, AuthN and AuthZ for Zero Trust Workload Security
Workload identity, authentication and authorization are foundational to a comprehensive security posture for cloud-native microservices. This session will walk through the state of the union in how these can be enabled within Kubernetes and a service mesh.
Furthermore, deployments have evolved from isolated Kubernetes islands towards interconnected services that also encompass public cloud services. We will share a few emerging patterns learned from operationalizing this spanning Kubernetes, Istio Citadel, Envoy and Calico.
All of this comes together with a couple of demos to illustrate how these pieces can be linked together to enable zero-trust security.
Cert-manager: using Kubernetes as an automated X.509 management platform
Cert-manager has long been known as the tool to secure your websites using Let's Encrypt TLS certificates. But did you know it can be used for much more than that?
This talk teaches the audience about advanced PKI management with cert-manager, and how it can be used from development to production to secure your applications.
Automating rotation and management makes it possible to enable TLS across your entire application and infrastructure stack consistently, with confidence.
We'll walk through how to utilise Issuers and Certificates as building blocks for complex PKIs to secure:
- User applications
- Kubernetes system components and webhooks
- External systems
There will also be a run-through of the roadmap for the project, and how we intend to reach the 1.0 milestone at last!
By the end of this talk, you'll have an understanding of how the project works, how to reuse PKI manifests between environments for consistency, and how to utilise managed certificates in a wide variety of applications.