KubeCon 2021 Retrospective
KubeCon + CloudNativeCon Europe 2021 has come to a close, and at this point needs little introduction. Much as we’re all looking forward to the return of in-person conferences, there were some cracking virtual talks this year! There are so many that we’re still catching up on, and we’ll be publishing a second part to this blog next week. We’ll also be updating our posts with the VOD links to these talks the moment that CNCF releases them to the public. Now we’re handing over to Kenny, for his personal highlights and recommendations…
As I navigated through the various KubeCon sessions, watching them in no particular order, I noticed that different sessions often shared a common theme (or topic), but at a different technical level or a different point in the journey. I’d like to share and categorise the sessions that I watched, enjoyed and found useful.
I’ll split the talks into two sections. In the first section, I’ll start with the talks that I believe may help someone gain a better understanding of the inner workings of the different parts of Kubernetes. The second section covers the security-related sessions, followed by the CSI volume sessions that relate to security.
Fundamental Kubernetes Talks
Session 1: Resource Requests and Limits Under the Hood: The Journey of a Pod Spec | Kohei Ota, Hewlett Packard Enterprise & Kaslin Fields, Google
The speakers of this session very successfully used dogs and doggy daycares to explain how the various Kubernetes components work together to schedule an app onto a node within a Kubernetes cluster, explaining along the way how resource requests and limits work and diving down to the CRI and OCI runtimes.
Session 2: Understanding Isolation Levels in the Kubernetes Landscape | Jiaqi Liu, University of Chicago
Session 1 explained the journey of an individual pod in a Kubernetes cluster, but what about multiple tenants deploying multiple pods in a Kubernetes cluster?
This session goes over the differences between a single-tenant Kubernetes cluster and a multi-tenant Kubernetes cluster, and provides useful information for designing and building a Kubernetes platform, or for figuring out how one can and should be used.
Session 3: How to Break your Kubernetes Cluster with Networking | Thomas Graf, Isovalent
I think it’s important to know how to break a Kubernetes cluster with networking. This session happens to go over the basic Kubernetes networking concepts before teaching us how things can be broken.
Session 4: Traces from Events: A New Way to Visualise Kubernetes Activities | Bryan Boreham, Weaveworks
This session goes over distributed tracing and events in Kubernetes. I think the demo, in particular, showcases how beneficial visualising Kubernetes activities can be for learning what Kubernetes is doing, and the explanation of the object ownership chain will come in handy for future troubleshooting.
Session 5: Operationalizing Kubernetes Sidecars in Production at Salesforce | Mayank Kumar, Salesforce
Session 1 mentions that a developer makes a request to the Kubernetes API when deploying an app. The speaker of this session goes through the journey of an API request in Kubernetes close to the beginning of the session.
The rest of the session justifies the intermediate (mid-level experience) tag, going over the various use cases for sidecar containers (i.e. another container running alongside the main app container inside the same pod), a solution for automatically injecting generic sidecar containers with admission webhooks, and how they continue to maintain, test and develop that solution.
Security and CSI Volumes
Session 6: Compliance Beyond Security: a Cloud Native GDPR Implementation Experience | Johan Tordsson, Elastisys AB
When it comes to security, a possible first step is learning about the security regulations. This session focuses on the European GDPR, going over the technical challenges it raises and recommendations for meeting these regulations in a cloud-native setting.
Session 7: The Art of Hiding Yourself | Lorenzo Fontana, Sysdig
The speaker of this session provides insight into how an attacker can compromise a Kubernetes cluster whilst hiding their activities, and how a security team can implement measures with Falco to detect such evasion attempts.
Session 8: Uncovering a Sophisticated Kubernetes Attack in Real-Time | Jed Salazar & Natália Réka Ivánkó, Isovalent
Session 8 provides additional information on detecting Kubernetes attacks in real time. It advocates a pre-data and post-data paradigm: using data to continuously verify that hardening and security configurations can handle the real-world threats that the observability tools within a Kubernetes cluster are able to detect.
Session 9: CSI Volume Attacks – The SRE Strikes Back | Hendrik Land, NetApp
This session could also be put under the Fundamental Kubernetes Talks section, since the speaker goes over the basics of Persistent Volumes and Persistent Volume Claims and how an attacker might try to get access to the data. In addition, the speaker covers Kubernetes’s inherent security model and recommends configurations that should be applied for increased protection.
Session 10: Secrets Store CSI Driver: Keeping Secrets Secret | Anish Ramasekar, Microsoft & Tommy Murphy, Google
This session showcases a demo of a sig-auth subproject called Secrets Store CSI Driver, showing how it can be used to mount and rotate sensitive secrets that are stored externally, outside of the Kubernetes cluster.
DevOps Engineer Final Thoughts
That’s all for now — but hopefully it will be a good starting point to help you decide what KubeCon sessions to watch. Contact us if you feel we missed anything, though with more interesting sessions to come in part 2 of this post we may well be covering it imminently.