Kubecon Europe 2020 - Day 1

Updated: August 21

For the first day of KubeCon CloudNativeCon Europe 2020, @Sokube (as a Silver Member of the CNCF) wants to share some news and feedback from this great event!


Check out other days:

Kubecon Europe 2020 - Day 2

Kubecon Europe 2020 - Day 3

Kubecon Europe 2020 - Day 4


This virtual event is spread over four days, including keynotes, lightning talks, conference sessions across 16 tracks, tutorials and co-located events. It also includes an interactive Sponsor Showcase and attendee collaboration and networking tools...


All sessions are recorded and will be available on the CNCF YouTube channel 8 weeks after the conference.


And congratulations to the KubeCon team for the virtual lobby app. It is not easy to represent such an event virtually, well done!




Here is some feedback on the sessions, lightning talks and tutorials we attended:


Tutorial: Getting Started With Cloud Native Security


By Liz Rice (Vice President, Open Source Engineering, Aqua Security) and Michael Hausenblas (Developer Advocate, Amazon Web Services)


A very interesting tutorial showing how an attacker can exploit a vulnerability (https://tutorial.kubernetes-security.info/) and what the possible remediations are, using different approaches and tools.

There are several Kubernetes attack vectors:




There are several ways to secure your Kubernetes cluster and its components:

Scanning

Multiple solutions for vulnerability scanning are available. This workshop uses the open source scanner Trivy.

Where to scan for vulnerabilities:

  • CI/CD: One way to "shift left" on security is to include vulnerability scanning as an automatic step in CI/CD. Typically, right after the docker build you add a stage that scans the image.

  • Admission controllers: An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. So in the context of image scanning it can be used to prevent deploying a container image with known vulnerabilities.

  • Live workloads: New vulnerabilities are found all the time, so you need to regularly check whether your running images are still safe.

In the demo, Starboard was used: a tool for running security tools, including Trivy, inside your Kubernetes cluster. It is an easy way to create and view scans of the container images used by your running workloads. Example (CLI):

kubectl starboard init                      # installs the Starboard CRDs in the cluster
kubectl starboard find vulns kind/name      # runs a Trivy scan of the workload's images (kind/name is a placeholder, e.g. deployment/<name>)
kubectl get vulns --show-labels kind/name   # reads back the vulnerability reports stored as custom resources

Kubernetes cluster configuration

  • The CIS Benchmark: An objective, consensus-driven security guideline for Kubernetes.

  • Kube-bench is a Go application that implements the CIS Benchmark and checks whether Kubernetes is deployed securely. Each test reports one of three output states (Pass, Fail, Info).

Policies

  • Policies are an important tool for defining what is or is not allowed in the Kubernetes cluster.

  • Principle of least privilege: requires that every module must be able to access only the information and resources that are necessary for its legitimate purpose.

  • Security Context: A security context defines privilege and access control settings for a Pod or Container (e.g. running as a privileged user or not, Linux capabilities, …).

  • Network Policies: A network policy is a specification of how sets of Pods are allowed to communicate with each other and with other network endpoints. NetworkPolicy resources use labels to select Pods and define rules that specify what traffic is allowed to/from the selected Pods.

  • OPA is a general-purpose policy engine that comes with a rule-based policy language called Rego. The goal here is to define and enforce policies like: "Deny any image that doesn't come from a trusted registry". Gatekeeper (open-policy-agent/gatekeeper) plugs OPA into Kubernetes as an admission controller, with the policies and their parameters managed as CRDs.
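As an added example (not code from the tutorial), here is the "deny any image that doesn't come from a trusted registry" policy written as a Gatekeeper ConstraintTemplate plus a Constraint that applies it to Pods. The template name, the `K8sTrustedRegistry` kind and the `registry.example.com/` prefix are assumptions chosen for the example.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8strustedregistry          # Gatekeeper requires this to be the lowercase of the kind below
spec:
  crd:
    spec:
      names:
        kind: K8sTrustedRegistry
      validation:
        openAPIV3Schema:             # schema of the parameters a Constraint may pass in
          properties:
            registries:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8strustedregistry

        # One violation per container (init or regular) whose image does not
        # start with one of the configured registry prefixes.
        violation[{"msg": msg}] {
          container := input_containers[_]
          not trusted(container.image)
          msg := sprintf("image %v is not from a trusted registry", [container.image])
        }

        # True when the image matches at least one allowed prefix.
        trusted(image) {
          registry := input.parameters.registries[_]
          startswith(image, registry)
        }

        input_containers[c] { c := input.review.object.spec.containers[_] }
        input_containers[c] { c := input.review.object.spec.initContainers[_] }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sTrustedRegistry
metadata:
  name: images-from-company-registry
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    registries:
      - "registry.example.com/"       # assumed trusted registry; keep the trailing slash so "registry.example.com.evil.io/" is rejected
```

Apply the template first, then the constraint; after that, `kubectl run` with an image from any other registry is rejected at admission with the message above.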

GitOps

Using GitOps brings security out of the box:

  • Git being the source of truth, you benefit from RBAC, traceability and auditing.

  • It is based on pull requests, so it enforces review and communication.

  • You don't apply the change yourself, but rely on a process that automatically applies the desired state of the system.


This tutorial gives a lot of tips and tools for dealing with security in your Kubernetes cluster. Trivy, Kube-bench, Starboard and Gatekeeper are definitely on my list for a deeper look!


Tutorial: Communication Is Key -- Understanding Kubernetes Networking


Jeff Poole (Director, Platform Engineering, Vivint Smart Home)

An interesting tutorial that shows how Kubernetes networking works: korvus81/k8s-net-labs

This tutorial covers:

  • Encapsulation in Networking

  • Docker / Container Networking

  • Node and Pod networking

  • Service addresses

  • IP assignment

  • DNS

  • Network policies

Flannel and Calico are used to test the Kubernetes networking.

If you are curious and want a deeper understanding of how Kubernetes networking works, then this session is definitely for you!


Help! My Cluster Is On The Internet: Container Security Fundamentals - Samuel Davidson, Google


By Samuel Davidson (Security Engineer, Google Kubernetes Security for Google Cloud)


Summary of Container Security Fundamentals:


Workload Security

Container

  • Assume you will be owned

  • Use a distroless base image

  • Make containers easy to rebuild

  • Sign your image

Pod

  • Don't use hostPath

  • Don’t use hostNetwork

  • Pay close attention to your pod’s Service Account
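The container and pod rules above, gathered into one manifest as an added example (not from the talk). The names, the `registry.example.com` image reference and the digest placeholder are assumptions; the user id 65532 is the `nonroot` user shipped by the distroless images.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web-sa                          # a dedicated account per workload, bound only to the RBAC it needs
automountServiceAccountToken: false     # no API token mounted unless a pod opts in
---
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  serviceAccountName: web-sa
  automountServiceAccountToken: false   # "assume you will be owned": nothing for a compromised process to reuse
  hostNetwork: false                    # the default, stated explicitly so a review catches any change
  securityContext:
    runAsNonRoot: true
    runAsUser: 65532                    # distroless "nonroot" user
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
      # placeholder reference: pin by digest so the image that was signed and scanned in CI is the one that runs
      image: registry.example.com/web@sha256:<digest-placeholder>
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: scratch
          mountPath: /tmp
  volumes:
    - name: scratch
      emptyDir: {}                      # scratch space lives in the pod; no hostPath into the node filesystem
```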

Cluster Security

Node

  • Isolate your nodes from the Internet

  • Egress-only Internet access from the private network

Cluster

  • Keep the cluster up to date to avoid bugs and vulnerabilities

  • Ideally the entire cluster is in a private network (VPN, auth-proxy…) with no public IP for any cluster VM

  • Solutions to common needs:

      • Log devs/bots into the network

      • An external load balancer that forwards traffic to nodes if Internet users need access to services/pods

      • Egress-only Internet access from the private network if the cluster needs Internet access

  • Use Secrets


User Security

  • Use RBAC and groups

  • Use a policy agent to protect your cluster (typically a Kubernetes Admission Controller that allows or denies requests at a fine granularity based on rules or policies)

A doc where you can find many tips and tricks

Tutorial: Hands-On Intro to Cloud-Native CI/CD with Tekton - Jan Kleinert


By Jan Kleinert (Manager, OpenShift Developer Advocates, Red Hat) and Joel Lord (Developer Advocate, Red Hat)


Hands-on : joellord/handson-tekton


Cloud-Native CI/CD

  • Containers: built for container apps and runs on Kubernetes

  • Serverless: runs serverless, with no CI/CD engine to manage and maintain

  • DevOps: designed for microservices and distributed teams

Tekton is a Kubernetes-native tool that is composable, declarative, reproducible and cloud native. It allows you to create CI/CD systems by abstracting away the underlying implementation details.


From Minikube to Production, Never Miss a Step in Getting Your K8s Ready


By Kevin Georges (Engineering Manager, OVHcloud) and Horacio Gonzalez (K8S Engineering Manager, OVHcloud)


A presentation to raise awareness that a minikube or k3s that works easily on a local computer is NOT PROD READY!!! Useful if you need to convince someone that a Kubernetes setup is not a matter of 3 clicks.


They highlight several points that work without difficulty in a local environment but not in a production environment, like volumes/storage, network, RBAC… and show some common errors that can happen in production (like losing etcd or deleting a volume). They also demonstrated how to really secure the environment, because in Kubernetes most security features are disabled by default.

Welcome to CloudLand! An Illustrated Intro to the Cloud Native Landscape


By Kaslin Fields (Developer Advocate, Google)


A funny way to introduce the Cloud Native concept. So what is it exactly? It's a way to develop applications using the advantages offered by the cloud. The talk is a flyover, for beginners, of the different parts that make up the Cloud Native Landscape: container/registry, containerd, Kubernetes, the serverless concept, function as a service, infra as code, observability (monitoring/logging), security, data storage…

https://landscape.cncf.io/


Panel: Ask Me Anything About Service Mesh


By Oliver Gould (Linkerd Creator, Buoyant), Daniel Berg (Distinguished Engineer, IBM), Lin Sun (Senior Technical Staff Member, IBM), Sven Mawson (Senior Staff Software Engineer, Google) , Christian Posta (Field CTO, solo.io).


A Q&A session about Service Mesh with lots of insights and tips:

What are the advantages of a Service Mesh?

  • quickly push changes without changing code

  • centralization

  • connecting applications and introducing some security controls

  • programmatically define rules

When should you use a Service Mesh?

  • When you have lots of things that have to communicate with each other


What's the best Service Mesh implementation?

  • It depends on your needs, but favor the ones most used in production


What are the common pitfalls to avoid?

  • DON'T implement business logic in the service mesh


What about latency and resources?

  • A service mesh provides a real load balancer with more "intelligence" than kube-proxy: it avoids overloaded pods when it dispatches traffic. Resource management (memory, for example) is very weak compared to a proxy coded inside the application using Spring Boot, for example.


Some Lightning Talks:


Using SOPS, Kube Secrets and a CD Pipeline For Secure Configuration


Lightning Talk Sessions by Tom Hipwell (Principal Platform Engineer, Bulb)


SOPS is a tool that encrypts only the values in a YAML file (not the keys). It uses the AWS/Azure/GCP Key Management Service (KMS) and a dedicated CLI. Very useful when you don't want a heavier solution like HashiCorp Vault and when you use GitOps (you can securely store the encrypted file alongside your code).
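An added example (not from the talk) of the sops configuration a GitOps repository would carry for Kubernetes Secrets, followed by the Secret it applies to. The path pattern, the account and key id in the KMS ARN and the Secret contents are placeholders.

```yaml
# .sops.yaml at the repository root; sops picks the first creation rule whose path_regex matches the file
creation_rules:
  - path_regex: k8s/.*secret.*\.yaml$
    # placeholder AWS KMS key; GCP and Azure keys go under gcp_kms / azure_keyvault instead
    kms: arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000
    # restrict encryption to the Secret payload: apiVersion, kind and metadata stay in clear,
    # so reviewers and GitOps tooling can still read what the object is and where it goes
    encrypted_regex: ^(data|stringData)$
---
# k8s/app-secret.yaml (constructed sample, committed only after `sops --encrypt --in-place k8s/app-secret.yaml`)
apiVersion: v1
kind: Secret
metadata:
  name: app-credentials
  namespace: app
type: Opaque
stringData:
  DB_PASSWORD: placeholder-value          # after encryption this value becomes an ENC[AES256_GCM,...] string
  API_TOKEN: placeholder-value            # the key names DB_PASSWORD / API_TOKEN remain readable, as the talk describes
```

After encryption sops also appends a `sops:` section recording the KMS key, the per-file data key wrapped by KMS, a MAC over the file and a timestamp; that whole file is what the CD pipeline decrypts (`sops --decrypt`) right before `kubectl apply`.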


Stayin' Alive: PodDisruptionBudgets for Maintenance and Upgrades


By Matthew Robson (Principal Technical Account Manager, Red Hat)


A PodDisruptionBudget is an object created by the application owner that defines the minimum number of replicas that must remain available for an application to keep operating in a stable manner during a voluntary disruption.

When an application is owned by the application team and supported by the operations team, it lets the application team define the availability requirements, and the eviction API respects them. It is valid for: Deployment, ReplicationController, StatefulSet and ReplicaSet.
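An added example (not from the talk) of a PodDisruptionBudget protecting a three-replica Deployment during a node drain; the names and image reference are assumptions.

```yaml
apiVersion: policy/v1beta1        # the version current at KubeCon EU 2020; policy/v1 from Kubernetes 1.21 onwards
kind: PodDisruptionBudget
metadata:
  name: api-pdb
  namespace: app
spec:
  minAvailable: 2                 # with 3 replicas this leaves 1 allowed disruption; may also be a percentage ("66%")
  selector:
    matchLabels:                  # must match the pods of the workload below
      app: api
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          image: registry.example.com/api:1.0   # placeholder image
          readinessProbe:                       # only Ready pods count towards minAvailable
            httpGet:
              path: /healthz
              port: 8080
```

`kubectl drain` goes through the eviction API, so it evicts one `api` pod, waits until the replacement is Ready and the budget allows another disruption, then evicts the next; a direct `kubectl delete pod` or a node crash is not a voluntary disruption and bypasses the budget.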


Tutorial: Using BPF in Cloud Native environments


By Marga Manterola (Staff Software Engineer, Kinvolk) and Alban Crequy (CTO, Kinvolk)


Berkeley Packet Filter (BPF) tracing tools help to debug distributed applications, but debugging inside Kubernetes is not easy. Kubernetes tracing tools like Inspektor Gadget and kubectl-trace ease the debugging of distributed applications.

The slides are available here.



CONCLUSION FOR THE FIRST DAY:


KubeCon is a very interesting event touching lots of subjects like Security, Networking, CI/CD, Service Mesh and many other topics...

We particularly enjoyed the tutorial on Tekton, a very promising and powerful CI/CD tool. We also appreciated the many sessions around Security in Kubernetes at different levels; it's always important to keep this important concept in mind.


Stay tuned for the second day!


©2020 - SOKUBE SA - GENEVA - SWITZERLAND
