Louise Champ | 18 May 2021
We’re back again with another round of highlights from KubeCon + CloudNativeCon Europe 2021. Last time Kenny covered a good mix of talks related to security (which we mused would be a hot topic in our KubeCon Europe 2021 pre-roundup) and Kubernetes deep dives.
This time we have more of a mixed bag for you, including ingress, etcd, logging architectures, Tekton, certificate automation and capability management.
Take the worldwide effort to fight COVID-19, the global race to build the tools needed to combat the pandemic (add a sprinkle of app development and a dash of cloud-native architecture), and you get a keynote that’s bound to get attention. This talk discusses Ireland’s efforts to get a contact tracing app off the ground (and the role that the introduction of Google and Apple’s exposure notification system played), and how open-sourcing the app and donating it to Linux Foundation Public Health helped build public trust. Contact tracing systems have to be comprehensive enough to be fit for purpose while remaining protective of privacy, and transparent enough to convince the public to use them at all.
With the increasing proliferation of Envoy-based ingress controllers offering advanced L7 functionality, the native Ingress API is starting to look long in the tooth. The Gateway API spec is the response to increasingly divergent ingress-controller CRDs, bringing ingress definition back in-house as a native, role-oriented API.
Although still alpha for now, this talk is definitely worth a watch as advanced ingress controllers like Contour, Istio, Traefik, GKE, Kong and Emissary-Ingress start to support definitions using this unified API spec.
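As an added illustration (not from the talk or the Gateway API project itself) of the role separation the spec is built around, the manifests below assume a cluster with the Gateway API v1 CRDs installed and a controller registered under a hypothetical GatewayClass named `example`. The infrastructure team owns the Gateway (listener, TLS termination, which namespaces may attach), while an application team owns the HTTPRoute in its own namespace; the Gateway's `allowedRoutes` selector is what stops an arbitrary namespace from hijacking the hostname.

```yaml
# Owned by the platform team: TLS, ports and attachment policy live here.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gw
  namespace: infra
spec:
  gatewayClassName: example        # hypothetical GatewayClass for this example
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: "app.example.com"    # constructed hostname
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: app-example-com-tls  # TLS secret in the infra namespace
    allowedRoutes:
      namespaces:
        # Only namespaces carrying this label may attach routes to this listener,
        # so a tenant cannot bind app.example.com from an unrelated namespace.
        from: Selector
        selector:
          matchLabels:
            gateway-access: "true"
---
# Owned by the application team (namespace must be labelled gateway-access=true).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app
  namespace: team-a
spec:
  parentRefs:
  - name: shared-gw
    namespace: infra               # cross-namespace attachment, governed by allowedRoutes above
  hostnames:
  - "app.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /api
    filters:
    # Strip a header the backend treats as trusted so a client cannot supply it.
    - type: RequestHeaderModifier
      requestHeaderModifier:
        remove: ["X-Internal-Auth"]
    backendRefs:
    - name: app-api                # Service in team-a
      port: 8080
```

Note that a backendRef pointing at a Service in another namespace would additionally require a ReferenceGrant in the target namespace; in the example above the backend is local, so none is needed.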
Rather than treading new ground, this talk highlights best practices around running and monitoring etcd, based on OVHcloud’s experience of using a single etcd cluster to power all of its customers’ managed Kubernetes clusters(!). It’s always good to take on board others’ good practice, including the lessons from the Grafana Cloud Hosted Prometheus production outage caused by etcd.
Members of the Multi-Tenancy Working Group offer up a panel discussion that starts by defining what exactly multi-tenancy and multi-cluster are within the world of Kubernetes, and when and why teams might choose one Kubernetes deployment strategy over the other. Both strategies have their advantages and their trade-offs (such as security boundaries, compliance, cost, ease of set-up and the infrastructure environment), and this talk does a good job of providing an overview of the major considerations for each.
Although not every aggregated log analytics system will require this level of scalability, this talk is an interesting watch as it highlights the ceiling that can easily be hit when using Fluent Bit and Fluentd to collect Kubernetes logs and ship them off to a log analytics system. Intuit walk through their AWS-based cloud-native logging pipelines and how they tackled the problems of increasing throughput, reducing latency and controlling cost.
By their very nature CI/CD pipelines can be difficult to debug; although individual steps can potentially be troubleshot locally in isolation, a fully remote series of steps to test, build, validate and deploy applications incurs a penalty in time lost to repeated pipeline executions. A number of CI solutions such as CircleCI provide debugging capability (by allowing job runs with SSH access), and with Tekton becoming more prevalent within the cloud-native CI/CD space (taking a proud spot in the CD Foundation alongside household names like Jenkins), it’s good to see efforts to make Tekton more user friendly for operators as well as developer end-users. This talk explores current efforts to add support for “breakpoints” in Tekton TaskRuns.
The automation of X.509 certificates for Ingress resources, to secure Kubernetes ingress traffic, is (and should be) part of the bread and butter of a Kubernetes cluster installation. However, ingress TLS certificates aren’t the only ones we need to worry about in the world of Kubernetes (she says after being involved in a production Kubernetes cert rotation last week…), and this talk offers up additional ways in which cert-manager automation can be used in a cluster, including mTLS for workloads in service meshes like Linkerd and Istio, CA and TLS cert injection for validating and mutating webhooks, and external signing via the Kubernetes certificates API.
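The webhook case is the one that bites most clusters first, so here is an added example (ours, not the talk’s) of cert-manager issuing a serving certificate for an admission webhook and its cainjector filling in the webhook’s `caBundle`. It assumes cert-manager is installed with cainjector enabled, and uses a constructed namespace (`webhook-system`), Service (`webhook-service`) and webhook name. The Issuer, Certificate and ValidatingWebhookConfiguration are real cert-manager and Kubernetes API objects; only the names are invented.

```yaml
# A self-signed issuer is enough for a webhook: the API server only needs to trust
# the CA bundle that cainjector copies in, which for this issuer is the cert itself.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: webhook-selfsigned
  namespace: webhook-system
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: webhook-serving-cert
  namespace: webhook-system
spec:
  secretName: webhook-server-tls   # mounted by the webhook Deployment (not shown)
  duration: 2160h                  # 90 days
  renewBefore: 360h                # renew 15 days before expiry, well before it lapses
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always         # new key on every renewal, not just a new cert
  dnsNames:
  - webhook-service.webhook-system.svc
  - webhook-service.webhook-system.svc.cluster.local
  usages:
  - digital signature
  - server auth
  issuerRef:
    kind: Issuer
    name: webhook-selfsigned
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-policy
  annotations:
    # cainjector watches this annotation and keeps clientConfig.caBundle in sync
    # with the ca.crt of the referenced Certificate's Secret.
    cert-manager.io/inject-ca-from: webhook-system/webhook-serving-cert
webhooks:
- name: pods.policy.example.com
  admissionReviewVersions: ["v1"]
  sideEffects: None
  failurePolicy: Fail              # fail closed: a broken cert blocks admission rather than bypassing it
  clientConfig:
    service:
      name: webhook-service
      namespace: webhook-system
      path: /validate
    # caBundle intentionally omitted; cert-manager populates it
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["pods"]
```

The caveat a rotation will teach you: the webhook server must reload `tls.crt` and `tls.key` from the mounted Secret when they change, otherwise the API server will trust the new CA bundle while the server still presents the old certificate, and with `failurePolicy: Fail` every pod create in the cluster fails until the pod is restarted.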
More of a cautionary tale than a how-to, this talk goes into detail about user namespace remapping (that’s Linux user namespaces, not Kubernetes namespaces) and the work currently being done to introduce support for it in Kubernetes. Although supported by OCI container runtimes like runc, the lack of Kubernetes support has security implications for pods whose containers run as root: without user namespace remapping, UID 0 inside the container is UID 0 on the host, so if container isolation is broken the attacker lands in a root process on the node. Until Kubernetes can remap, the practical mitigation is to run workloads as a non-root user and drop the capabilities they do not need.
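To make the difference concrete, here is an added example (not from the talk) of three pod specs side by side: the default root-in-container case, the mitigation available on any cluster today, and the user-namespace form that the work described above eventually became. The image names are constructed for illustration; the third spec assumes a Kubernetes release where the `hostUsers` field and its `UserNamespacesSupport` feature gate are available, which was not the case when this talk was given.

```yaml
# 1. Weak: the image runs as root and nothing in the pod spec says otherwise.
#    Container UID 0 == node UID 0; a breakout is a root shell on the node.
apiVersion: v1
kind: Pod
metadata:
  name: root-in-container
spec:
  containers:
  - name: app
    image: nginx:1.25                     # constructed example image, runs as root by default
---
# 2. Mitigation available today: refuse root, drop capabilities, block escalation.
apiVersion: v1
kind: Pod
metadata:
  name: non-root
spec:
  securityContext:
    runAsNonRoot: true                    # kubelet rejects the pod if the image would start as UID 0
    runAsUser: 101
    runAsGroup: 101
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginxinc/nginx-unprivileged:1.25   # constructed example image, listens on 8080 as UID 101
    securityContext:
      allowPrivilegeEscalation: false     # no setuid binaries gaining privileges
      capabilities:
        drop: ["ALL"]
---
# 3. User namespace remapping (assumption: feature available on this cluster).
#    UID 0 inside the container maps to an unprivileged UID on the node,
#    so a breakout no longer yields host root even if the image runs as root.
apiVersion: v1
kind: Pod
metadata:
  name: remapped
spec:
  hostUsers: false
  containers:
  - name: app
    image: nginx:1.25
```

A quick check for the first case on a cluster without remapping is `kubectl exec root-in-container -- id` followed by `cat /proc/self/uid_map` inside the container: a map of `0 0 4294967295` means no remapping at all, whereas a remapped pod shows a host UID range that starts well above 0.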
This last talk provides an introduction to an interesting operator that we can definitely see a use case for. Part of the toolkit for Kubernetes security, seccomp restricts the system calls a container process is allowed to make, while AppArmor and SELinux both provide options for restricting container access to resources. Seccomp profiles have been set through the pod securityContext since Kubernetes 1.19, but AppArmor profiles are still applied through annotations on workloads, and in both cases the profile files themselves have to be distributed to every node out of band. The Security Profiles Operator instead manages profiles as Kubernetes resources, with a workflow similar to RBAC for defining categories of profiles that can be applied on a granular basis as needed.
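As an added example (ours, not the operator project’s own documentation), the manifests below assume the Security Profiles Operator is installed and its seccomp support is enabled. A SeccompProfile resource is created in a namespace, the operator writes the corresponding JSON file to every node, and a pod references it by the `operator/<namespace>/<name>.json` path the operator uses; a ProfileBinding can alternatively attach the profile to every container running a given image without touching the pod spec. The syscall list is illustrative only and has not been measured against a real nginx workload; a real profile should come from recording the workload (the operator’s ProfileRecording resource) and then tightening.

```yaml
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: web-minimal
  namespace: team-a
spec:
  # Deny by default; anything not listed fails with EPERM rather than killing the
  # process, which keeps the failure visible in application logs while you tune it.
  defaultAction: SCMP_ACT_ERRNO
  architectures:
  - SCMP_ARCH_X86_64
  syscalls:
  - action: SCMP_ACT_ALLOW
    names:                      # illustrative allow-list for a simple HTTP server
    - accept4
    - bind
    - brk
    - clone
    - close
    - connect
    - epoll_create1
    - epoll_ctl
    - epoll_wait
    - exit
    - exit_group
    - fstat
    - futex
    - getpid
    - getsockopt
    - ioctl
    - listen
    - mmap
    - mprotect
    - munmap
    - nanosleep
    - openat
    - pread64
    - read
    - recvfrom
    - rt_sigaction
    - rt_sigprocmask
    - sendfile
    - setsockopt
    - socket
    - write
    - writev
---
# Explicit reference from the pod: the operator has already placed the file on each node.
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: team-a
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: operator/team-a/web-minimal.json
  containers:
  - name: web
    image: nginxinc/nginx-unprivileged:1.25   # constructed example image
---
# Alternative: bind the profile to an image so every container using it gets the
# profile, regardless of what the workload author put in the pod spec.
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileBinding
metadata:
  name: web-minimal-binding
  namespace: team-a
spec:
  profileRef:
    kind: SeccompProfile
    name: web-minimal
  image: nginxinc/nginx-unprivileged:1.25
```

Because the profile is a namespaced Kubernetes object, who may create or change it is just an RBAC question: grant application teams `create`/`update` on `seccompprofiles` in their own namespace, and reserve ProfileBinding (which silently rewrites other people’s pods) for the platform team.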
If our blogs have whetted your appetite for the latest developments in this space, then the KubeCon + CloudNativeCon Europe 2021 playlist is now available on the CNCF YouTube channel with, as of the time of writing, videos for 225(!) sessions available to watch. We doubt this level of comprehensive coverage will be possible once we return to in-person conferences, but it truly demonstrates the strength and the care that can be felt in the cloud-native technology space towards making the technologies that drive so much of our society better and better.
And that rounds up our KubeCon Europe 2021 coverage. Were there any sessions you enjoyed that we didn’t cover? We’re looking forward to hearing from you!
Additional KubeCon 2021 Blogs: