Kenny | 13 May 2021
KubeCon + CloudNativeCon Europe 2021 has come to a close, and at this point needs little introduction. Much as we’re all looking forward to the return of in-person conferences, there were some cracking virtual talks this year! There are so many that we’re still catching up on them, and we’ll be publishing a second part to this blog next week. We’ll also be updating our posts with the VOD links to these talks the moment CNCF releases them to the public. Now we’re handing over to Kenny for his personal highlights and recommendations…
As I navigated through the various KubeCon sessions, watching them in no particular order, I noticed that different sessions often shared a common theme (or topic), but at a different technical level or at a different point in the journey. I’d like to share and categorise the sessions that I watched, enjoyed and found useful.
I’ll split the talks into two sections. In the first section, I’ll start with the talks that I believe may help someone gain a better understanding of the inner workings of the different parts of Kubernetes. The second section will go over the security-related sessions, followed by the CSI volume sessions that relate to security.
The speakers of this session very successfully used dogs and doggy daycares to explain how the various Kubernetes components work together to schedule an app onto a node within a Kubernetes cluster, whilst also explaining how resource requests and limits work and digging all the way down to the CRI and OCI runtimes.
Session 1 explained the journey of an individual pod in a Kubernetes cluster, but what about multiple tenants deploying multiple pods in a Kubernetes cluster?
This session goes over the differences between a single-tenant Kubernetes cluster and a multi-tenant Kubernetes cluster, and provides useful information for building, designing or figuring out how a Kubernetes platform can and should be used.
I think it’s important to know how to break a Kubernetes cluster with networking. This session happens to go over the basic Kubernetes networking concepts before teaching us how things can be broken.
This session goes over distributed tracing and events in Kubernetes. I think the demo, in particular, showcases how beneficial visualising Kubernetes activity can be for learning what Kubernetes is doing, and the explanation of the object ownership chain will come in handy for future troubleshooting.
Session 1 mentions that a developer makes a request to the Kubernetes API when deploying an app. The speaker of this session goes through the journey of an API request in Kubernetes close to the beginning of the session.
The rest of the session justifies the intermediate (mid-level experience) tag. It goes over the various use cases for sidecar containers (i.e. another container running alongside the main app container inside the same pod), a solution for automatically injecting generic sidecar containers with admission webhooks, and how the team continues to maintain, test and develop that solution.
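To make the injection mechanism concrete, here is an added example (my own illustration, not code from the session or from the project the speaker described) of the core of a mutating admission webhook: it receives an AdmissionReview for a Pod, and if the Pod has opted in via an annotation, it answers with a base64-encoded JSON Patch that appends a sidecar container. The sidecar definition, the annotation key and the sample Pod are constructed for this example; the AdmissionReview shape (`admission.k8s.io/v1`, `request.uid`, `response.patchType`) is the real Kubernetes API.

```python
import base64
import json
from typing import Any, Dict, List, Optional

# Hypothetical sidecar to inject. Name, image and limits are constructed for this example;
# giving the sidecar explicit resource limits keeps it from starving the main container.
SIDECAR_CONTAINER: Dict[str, Any] = {
    "name": "log-forwarder",
    "image": "example.invalid/log-forwarder:1.0",
    "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True},
}

# Hypothetical opt-in annotation; pods without it are left untouched.
INJECT_ANNOTATION = "example.invalid/inject-sidecar"


def build_patch(pod: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return an RFC 6902 JSON Patch that adds the sidecar to pod.spec.containers."""
    containers = pod.get("spec", {}).get("containers") or []
    # Idempotency: a pod that already carries the sidecar (re-admission, retries) gets no patch.
    if any(c.get("name") == SIDECAR_CONTAINER["name"] for c in containers):
        return []
    if not containers:
        # No containers array yet: create it holding only the sidecar.
        return [{"op": "add", "path": "/spec/containers", "value": [SIDECAR_CONTAINER]}]
    # "-" appends to the end of the existing array.
    return [{"op": "add", "path": "/spec/containers/-", "value": SIDECAR_CONTAINER}]


def mutate(admission_review: Dict[str, Any]) -> Dict[str, Any]:
    """Handle one AdmissionReview request and return the AdmissionReview response."""
    request = admission_review["request"]
    pod = request.get("object") or {}
    annotations = pod.get("metadata", {}).get("annotations") or {}
    response: Dict[str, Any] = {"uid": request["uid"], "allowed": True}

    is_pod = request.get("kind", {}).get("kind") == "Pod"
    if is_pod and annotations.get(INJECT_ANNOTATION) == "true":
        patch = build_patch(pod)
        if patch:
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()

    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def decode_patch(admission_response: Dict[str, Any]) -> Optional[List[Dict[str, Any]]]:
    """Decode the base64 JSON Patch from a webhook response, or None if there is no patch."""
    encoded = admission_response["response"].get("patch")
    if encoded is None:
        return None
    return json.loads(base64.b64decode(encoded))


def make_review(annotations: Optional[Dict[str, str]],
                containers: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Construct a sample Pod CREATE AdmissionReview (constructed input for this example)."""
    metadata: Dict[str, Any] = {"name": "app", "namespace": "demo"}
    if annotations:
        metadata["annotations"] = annotations
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "00000000-0000-0000-0000-000000000001",
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": "CREATE",
            "object": {"apiVersion": "v1", "kind": "Pod",
                       "metadata": metadata, "spec": {"containers": containers}},
        },
    }


if __name__ == "__main__":
    review = make_review({INJECT_ANNOTATION: "true"},
                         [{"name": "app", "image": "example.invalid/app:1.0"}])
    print(json.dumps(decode_patch(mutate(review)), indent=2))
```

In a real deployment this function sits behind an HTTPS handler that the API server calls according to a MutatingWebhookConfiguration; the points worth checking when reviewing such a setup are that the webhook is scoped with a namespaceSelector or objectSelector so it cannot touch system namespaces, that its failurePolicy is chosen deliberately (a failing webhook either blocks or silently skips injection), and that the patch is idempotent, as above, so retried admissions do not inject the sidecar twice.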
When it comes to security, a possible first step is learning about the security regulations. This session focuses on the European GDPR, going over the possible technical challenges and recommendations for handling these regulations in a cloud-native setting.
The speaker of this session provides insight into how an attacker can compromise a Kubernetes cluster whilst hiding their activities, and how a security team can use Falco to detect those evasion attempts.
Session 8 provides additional information on detecting Kubernetes attacks in real time and advocates a pre-data and post-data paradigm: using data to continuously verify that hardening and security configurations can handle the real-world threats that the observability tools within a Kubernetes cluster are able to detect.
This session could also be put under the Fundamental Kube Talks section, since the speaker goes over the basics of Persistent Volumes and Persistent Volume Claims and how an attacker might try to gain access to the data. In addition, the speaker covers Kubernetes’ inherent security model and recommends configurations that should be applied for increased protection.
This session showcases a demo of the sig-auth subproject Secrets Store CSI Driver, showing how it can be used to mount and rotate sensitive secrets that are stored externally, outside the Kubernetes cluster.
That’s all for now — but hopefully it will be a good starting point to help you decide what KubeCon sessions to watch. Let us know below if you feel we missed anything, though with more interesting sessions to come in part 2 of this post we may well be covering it imminently.