Cloud Native Computing Foundation / Kubernetes Community Days Bengaluru 2021

Kubernetes Community Days Bengaluru'21

To begin with we all know that Kubernetes is dominating the container orchestration market nowadays. Enterprise organizations across nearly all verticals, including those with strong security requirements, such as financial services, healthcare, government, and telecommunications, are deploying production applications to Kubernetes clusters.

While this rapid adoption of Kubernetes shows just how disruptive these technologies have been, they have also led to new security problems. Their widespread popularity and many organizations without proper security measures in place have made Kubernetes infra the perfect target for attackers.
This hand-on Security workshop teaches the attack techniques on prime targets of the cluster and basics of Kubernetes Security and secure configuration of the numerous moving parts within the Kubernetes cluster that must be properly hardened.

Kubernetes Community Days Bengaluru'21

It's day 2. Kubernetes is running. You have your deployments and services set. Now how do you migrate the data store? Let's journey together on this code-focused tour through ConfigMaps, Secrets, Persistent Volumes, Persistent Volume Claims, and StatefulSets. We'll craft and launch a strategy to care for your users' data in this new container world. You can power your business on Kubernetes: stateless or stateful.

Kubernetes Community Days Bengaluru'21

Knowing what is going on in your environment is an essential part of staying on top of security issues. But how do you capture relevant metrics and visualize them? One widely-used tool for that job is the Elastic Stack, formerly known as the ELK stack. This workshop shows how to ingest relevant metrics from your network and hosts and visualize them to find suspicious patterns and behaviors quickly.

We'll be building the Kubernetes platform to ingest various security sources.

Slides: https://drive.google.com/file/d/1oYuL1IXhpV954o2CmhsT6TOXo8TM3ZnB/view?usp=sharing

Kubernetes Community Days Bengaluru'21

This talk will cover my role as a student developer and LFX mentee for ChaosMesh project, how the community is evolving and beginner-friendly. I hope to inspire and appeal audience to join and contribute to projects under CNCF.

Slides: https://docs.google.com/presentation/d/14UNKMM9HkLhjjPhqhUASMqvs6OW-LYyLQQ4ubBmBfi0/edit?usp=sharing

Kubernetes Community Days Bengaluru'21

Tired of recurring production outages that nobody benefits from? You aren't alone! Introduced as a tool to test the resiliency of its infrastructure in 2011 by Netflix, Chaos Engineering is one of the top 5 technologies to watch out for in 2021 per CNCF. This talk covers all the important aspects of Chaos Engineering from a Cloud Native perspective & will focus on LitmusChaos, an open source framework helping orchestrate Chaos on Kubernetes. Towards better cementing of concepts, we shall also have a live demo of the tool in action.

Slides: https://drive.google.com/file/d/1gbFu9kGC-I8L8nLxF45DySur1mYRXC15/view?usp=sharing

Kubernetes Community Days Bengaluru'21

We interact with the operating system kernel in many different ways, by reading from the file system, opening a device file, issuing system calls, or sending a packet over the network interface. Each time the kernel does this on behalf of user space, it checks if the user has permission to call that action by checking privileges. Kernel privilege escalation is a process of obtaining additional permissions by exploiting a weakness in kernel code. In this talk we’ll explore what kernel privilege exploits are, look at an example in practice, and then show the different ways in which containers and Kubernetes can help to reduce the impact of these kinds of exploits.

Slides: https://docs.google.com/presentation/d/1cEUuzSfIkhMFCpgSV02xDkNHqLp066DokYnfu_rclYs/edit?usp=sharing

Kubernetes Community Days Bengaluru'21

In 1.20 release Kubernetes has announced that it is going to deprecate docker as a container runtime. It is very convenient to debug containers running on Kubernetes nodes with docker!!. We are all going miss docker in Kubernetes. In this demo we will simply learn to use other container runtimes tools like crictl, ctr and nerdctl. We will use containerd as a container runtime and learn how to run containers, load images, debug k8s node containers, interacting with the Kubernetes CRI interface using the above mentioned container runtime tools.

Slides: https://drive.google.com/file/d/1m7bnJfuD6YkETxSfgwmZ38SX0xZVz5gZ/view

Kubernetes Community Days Bengaluru'21

Serverless & FaaS framework allow engineers to focus on creating value by writing code and not having to understand all underlying details. FaaS on Kubernetes is still in its nascent stage and evolving fast. Fission is a serverless framework for Kubernetes which is simple and fast. Fission is portable and works on Kubernetes - so you can deploy anywhere from cloud to on premise. This workshop will get you ready to use Fission and give you enough of a starting point to contribute.

Kubernetes Community Days Bengaluru'21

The key to understanding a lot of the "why's" of Kubernetes is to understand the concept of what imperative systems are, what declarative systems are, how they differ and how Kubernetes enables a declarative and extensible model through something known as the controller pattern. You will gain an intuitive, yet deep understanding of what these concepts of 'Imperative Systems' and 'Declarative Systems' are, followed by how Kubernetes employs some of these concepts to enable extensibility and self-healing capabilities.

Slides: https://drive.google.com/file/d/1-eSW_mLpcD9azY9PSDILC73EUyf_2I8F/view?usp=sharing

Kubernetes Community Days Bengaluru'21

Kubernetes has been growing by leaps and bounds over time. In this talk, you will hear about the big picture of how Kubernetes offers a fresh Cloud-Native perspective for Infrastructure and Applications. You will learn about the ecosystem and community being built in the Kubernetes and larger CNCF. You will also get to know about what the community is planning for the upcoming release 1.22 and future plans that we are cooking up. There are quite a few experiments and proof of concepts we are building that will shape the future to come. We will celebrate the work of folks from India who are diligently working in the community as well.

Slides: https://drive.google.com/file/d/1TM4e2_lRZQtvKT-ZGJKqKb1Gw-JRRnS0/view?usp=sharing

Kubernetes Community Days Bengaluru'21

Your Kubernetes app is down. Your users start ranting on Twitter. Your boss is standing right behind you. What do you do? This talk walks you through a live debugging session without panicking: - What do your health checks say? - Where does your monitoring point you? - Can you get more details from your application's traces? - Is there anything helpful in the logs? - What the heck is even deployed? We are using the Elastic Stack in this demo with a special focus on its Kubernetes integration with metadata enrichment and autodiscovery in combination with APM / tracing, metrics, logs, and health checks.

Kubernetes Community Days Bengaluru'21

Crossplane is a Kubernetes add-on to represent infrastructure resources as Kubernetes custom resources. This talk shall show how Crossplane can be used to manage infrastructure and build your own control plane on top of that.

Slides: https://docs.google.com/presentation/d/1I63qMMYTXt6ragvo5QMFLeDpw4W3YnUMpj2En7H7jsk/edit?usp=sharing

Kubernetes Community Days Bengaluru'21

We will see how to leverage Azure Kubernetes Service (AKS) Addons and its benefits. These addons are simple to use and easy to activate. One can enable these addons at the time of cluster creation or enable them at the existing cluster. We will cover some of the popular addons like Application Gateway Ingress Controller (AGIC), Open Service Mesh (OSM), Monitoring, Virtual node (based on virtual Kubelet) etc.

Kubernetes Community Days Bengaluru'21

There are many moving parts within the Kubernetes cluster that must be properly secured. The aim of the presentation is to demonstrate the kind of attacks that are possible due to misconfigurations. In particular, through the use of multiple examples, Vasanth will explain scenarios such as how misconfigured cluster privileges can lead to backdooring cloud environments, avoid detection by manipulating logging controls and access sensitive information and trade secrets due to IAM, pod security policy, and webhook misconfigurations. The presentation will also include the demonstration of the tool, Kubestriker which is designed to perform automatic checks and scans to detect various misconfigurations and mitigate such consequences.

Kubernetes Community Days Bengaluru'21

The field of system observability has been greatly enhanced by the application of eBPF. eBPF generates data at critical points in the execution of a system and that data is used for observation via software like Sysdig and Cilium. I propose to utilize the data generated for system state clustering. This is an application of machine learning to the above data to understand if the system is behaving properly or not. The amalgamation of machine learning and system data generation in real-time would open the doors to a plethora of applications like system state prediction, preventive replacement of system components aided by ML. This talk will take the attendees through an idea of how this could be done.

Slides: https://drive.google.com/file/d/1NsSUZGAtRnllU7RoAzLjh6_TOcmiFr50/view?usp=sharing

Kubernetes Community Days Bengaluru'21

While many people write operators, very few understand how the Kubernetes API actually works and what goes on behind the scenes. Part of the difficulty in understanding controllers and the API -- and implementing them -- is that the tasks are broken up and performed at many different times by different pieces of code. One of the strengths of this talk is to integrate the pieces and reveal the relationships between far-flung interfaces and methods. This session is targeted especially at: - people using the Kubernetes APIs with client-go and other related frameworks - people extending Kubernetes with APIs using aggregated API servers or CustomResourceDefinitions

Slides: http://bit.ly/kcdblr-api-internals-slides

Kubernetes Community Days Bengaluru'21

In order to run Kubernetes and run applications in a cloud provider, operators must manage a fleet of cloud resources in addition to the cluster. These cloud resources include VPC, S3 Buckets, Security Groups, Private Links, NACL's, and VPC Peering and must be managed seamlessly to maximize the teams' productivity and provide visibility for troubleshooting, auditability, and security. This talk will walk through successfully implementing a GitOps model to manage the lifecycle of cloud resources using ArgoCD. You will learn how to integrate a custom configurator other than kustomize/Helm into ArgoCD and use custom Kubernetes controllers to manage cloud resources. We will also describe how using a GitOps model improved productivity, reducing the time taken to create cluster from one cluster per week to 50 clusters per hour while also providing visibility into resource creation, audibility, and security.

Kubernetes Community Days Bengaluru'21

Kubernetes allows a lot. After discovering its features, it’s easy to think it can magically transform your application deployment process into a painless no-event. For Hello World applications, that is the case. Unfortunately, not many of us do deploy such applications day-to-day because we need to handle state. Though it would be much easier to have stateless apps, and despite our best efforts in this direction, the state is found in (at least) two places: sessions and databases. You need to think about keeping the state while stopping and starting application nodes. In this demo, I’ll show how to update a Spring Boot app deployed on a Kubernetes cluster with a non-trivial database schema change with the help of Hazelcast, while keeping the service up during the entire update process.

Slides: https://www.slideshare.net/nfrankel/zerodowntime-deployment-on-kubernetes-with-hazelcast

Kubernetes Community Days Bengaluru'21

Kyverno is a Kubernetes-native policy engine that helps you define policies using Kubernetes compliant manifests. Kyverno uses the Kubernetes admission webhook to validate, mutate, and generate Kubernetes resources. Using Kyverno, a central platform team can define policies and ensure the configurations are compliant with their security and best practices standards. The best thing about Kyverno is it does not require learning a new programming language to define a policy. Creating and operating a policy is really easy! Attendees will learn how Kyverno works and how they can use it to secure workloads on their cluster using Kyverno.

The workshop will give you an overview of the Kubernetes community and how folks interested to contribute can start their journey. The attendees will learn about the structure of the community, the communication guidelines and how they can get involved in their areas of interest.

A walkthrough of the Kubernetes codebase will provide attendees a bird’s eye view of how the code is organized. We will then introduce the automation and tooling which helps Kubernetes contributors throughout their journey.

We will complete the workshop with a hands-on session where attendees will themselves file changes to the code.

Content : https://github.com/kubernetes-sigs/contributor-playground/tree/master/india/kcd-blr-2021#resources