
Intermediate
Tuesday, December 5
 

1:00pm

Container Troubleshooting with Sysdig Open Source

Registration: Add this training to your KubeCon + CloudNativeCon North America conference registration. If you are already registered for KubeCon + CloudNativeCon North America 2017, modify your registration to add the training or email us at events {at} cncf {dot} io.

About: Join us for a 4-hour use-case driven training session on container visibility, troubleshooting and run-time security monitoring with the Sysdig open source tools (Sysdig and Falco) and learn how containers work under the hood.

Agenda:

  • Visibility and troubleshooting (~1 hour)
    • Learn how to debug a 502 error on a containerized load balancer running HAProxy, a Python web app that crashes after running for 5 minutes, or find where you configured the wrong credentials in a microservices app.
  • Analyzing performance and bottlenecks (~1 hour)
    • Compare the performance of different web servers running in containers, use system call tracing to find the bottleneck in your application, or learn how to use spectrograms (flame graphs) to visualize system call performance.
  • Debugging Kubernetes (~1 hour)
    • Dive into Kubernetes internals using reverse engineering: Why is that Kubernetes service valid but doesn't work? How does service resolution work? How does Kubernetes instruct Docker Engine?
  • Security run-time monitoring and forensics (~1 hour)
    • Last but not least, all of the previous lessons also apply to security: not only forensics on an attack attempt, but Sysdig Falco can also alert on containers with anomalous behaviour.

Speakers
Jorge Salamero Sanz

Technical Marketing Manager, Sysdig
Jorge enjoys monitoring all the things, from his Docker containers and Kubernetes clusters to writing sensor plugins for DIY IoT projects with Raspberry PI and ESP8266. Currently he is part of the Sysdig team, and in the past was one of the promoters of HumanOps and a Debian developer...


Tuesday December 5, 2017 1:00pm - 5:00pm
Meeting Room 10B, Level 3

5:01pm

Lightning Talk: Building Scalable Test Infrastructure with Kubernetes [I] - Allan Schiebold, Codefresh
In this talk I'll quickly cover how we build scalable test infrastructure with Kubernetes. I'll cover common practices, and present some new ways to approach them.

Speakers
Allan Schiebold

Solution Architect, Codefresh
Allan was born and raised in the suburbs of Detroit, MI. He started building personal computers at the young age of twelve, learned programming in high school with Visual Basic and JavaScript and continued on to earn his bachelor's in Computer Science from the University of Michigan...


Tuesday December 5, 2017 5:01pm - 5:06pm
Ballroom A, Level 1

5:30pm

Lightning Talk: How Kubernetes is Helpful for Accelerating Machine Learning Research and Engineering [I] - Hitoshi Mitake, NTT Labs
In this lightning talk, the presenter shares his experience of supporting machine learning research and engineering with Kubernetes. k8s is not only a tool for managing microservices but is also helpful for executing batch jobs, such as the learning phase of deep learning frameworks, and the stateful services that provide data for the learning tasks. The presenter and his collaborators have been building and managing a k8s cluster for TensorFlow learning tasks, with HDFS as its learning data source. In addition, thanks to the pluggable scheduler architecture of k8s, their custom scheduler shortens execution of the learning tasks effectively and hides the use of network equipment and complex heterogeneous computational devices (e.g. GPUs) from researchers.

Speakers
Hitoshi Mitake

Research Engineer, NTT Labs.
Hitoshi Mitake is a software engineer working for NTT Laboratories. He has been working on distributed storage systems for 5 years. His recent activities include developing etcd, especially auth related stuff, as one of the maintainers. He is also working on techniques of effectively...



Tuesday December 5, 2017 5:30pm - 5:35pm
Ballroom A, Level 1

7:00pm

Lightning Talk: CRI Proxy: Solving the Chicken-and-Egg Problem of Running a CRI Implementation as a DaemonSet [I] - Piotr Skamruk, Mirantis
CRI allows for special-purpose CRI implementations such as Virtlet, which makes it possible to run VMs as if they were containers. Still, deployment of these CRI implementations may bring us back to pre-container days, because we run into problems with additional required software such as libvirt, the need to configure the operating system on the node in different ways, and so on. We can also have problems with upgrading the CRI implementation apps, because unlike other components, they require special treatment. It would be nice if we could use the deployment power of k8s to install these apps on some of the nodes.
Further complicating matters is the fact that if your CRI doesn't support Docker images, and is too different from Docker, you need to install Kubernetes components such as kube-proxy and a CNI plugin in a special way, meaning that you have to prepare special-purpose CRI nodes in a very special way.
Even if you just want to create a quick demo of your CRI that runs on Kubernetes clusters deployed using a popular tool such as kubeadm, you may need to tweak the node config just a bit to make this happen.

DaemonSet seems like it might be the right choice for a CRI implementation, but here we run into the chicken-and-egg problem, as a CRI implementation is required to be running on the node in order to run any pods there.
Enter CRI Proxy. CRI requests that deal with plain pods are handled by the primary CRI implementation (such as dockershim), while requests that are marked in a special way (using pod annotations and image name conventions) get directed to the special-purpose CRI implementation. This way, the deployment headache almost goes away: all you have to do is install CRI Proxy on the node, and the proxy has minimal dependencies. For demo installations, the proxy provides a "bootstrap" mode, which automagically installs CRI Proxy on clusters installed with kubeadm, and possibly some other cluster setup tools, too.

(If we have time, I may also say a few words about Hyper's approach; they have something like CRI Proxy built into their CRI implementation, which solves the problem of running k8s components on the node, though it doesn't help much with the deployment problem.)

Speakers
Piotr Skamruk

Software Engineer, Travelping
Piotr is a long-time GNU/Linux and Forth language enthusiast, sys administrator and sys developer. He has worked on kernel sources, backend apps and even on frontends in a wide variety of languages. At Intel he did the kvm flavor for CoreOS RKT, enabling it to run containers on VMs...



Tuesday December 5, 2017 7:00pm - 7:05pm
Ballroom A, Level 1
 
Wednesday, December 6
 

11:10am

Container Runtime and Image Format Standards - What it Means to be “OCI-Certified” [I] - Jeff Borek, IBM & Stephen Walli, Microsoft
With the proliferation and rapid growth of container-based solutions over the past few years— including container-based solutions from almost all major IT vendors, cloud providers, and emerging start-ups—the industry needed a standard on which to support container image formats and runtimes while also ensuring interoperability and neutrality. The Open Container Initiative (OCI) was launched with the goal of developing common, minimal, open standards and specifications around container technology without the fear of lock-in. OCI has recently issued v1.0 of its container image format and runtime specifications, which enable a consistent and stable platform for running containerized applications.

The next phase in ensuring broad adoption of common container image format and runtime specifications is the OCI Certification program, which will be launching soon. This session will provide an overview and goals of the program, factors to consider if becoming OCI-certified makes sense for your container project, how to get your container project OCI-certified, and how you might be able to gain interoperability benefits from OCI-certified solutions. This session will also include a demo of the OCI Image validator being run against container images from container image registries from multiple vendors.

Speakers
Jeffrey Borek

WW Program Director, IBM
Jeffrey Borek is a senior technology and communications professional with over twenty years of leadership and technical experience in the Software, Telecommunications, and Information Technology industries. He is currently the leader of the OSPO at IBM, and works in the Open Technologies...
Stephen Walli

Principal Program Manager, Microsoft
Stephen is a principal program manager in the Azure Office of the CTO at Microsoft. He is the governing board chair for the Confidential Computing Consortium. Prior to Microsoft, he has been a distinguished technologist (HPE), technical executive, a founder, a consultant, a writer...



Wednesday December 6, 2017 11:10am - 11:45am
Ballroom B, Level 1

11:10am

Using Containers for Continuous Integration and Continuous Delivery [I] - Carlos Sanchez, CloudBees
Building and testing is a great use case for containers, both due to the dynamic and isolation aspects, but it increases complexity when scaling to multiple nodes and clusters.

Jenkins is an example of an application that can take advantage of Kubernetes technology to run Continuous Integration and Continuous Delivery workloads. Jenkins and Kubernetes can be integrated to transparently use on demand containers to run build agents and jobs, and isolate job execution. It also supports CI/CD-as-code using Jenkins Pipelines and automated deployments to Kubernetes clusters. The presentation will allow a better understanding of how to use Jenkins on Kubernetes for container based, totally dynamic, large scale CI and CD.

Speakers
Carlos Sanchez

Senior Cloud Engineer, Adobe
Carlos Sanchez specializes in software automation, from build tools to Continuous Delivery and Progressive Delivery. Involved in Open Source for over 15 years, he is the author of the Jenkins Kubernetes plugin and a member of the Apache Software Foundation amongst other open source...



Wednesday December 6, 2017 11:10am - 11:45am
Meeting Room 9AB, Level 3

11:10am

Unified Monitoring of Containers and Microservices [I] - Nishant Sahay, Wipro Limited
Microservices are becoming critical to enterprise strategies for simplifying their IT landscape. For a successful microservice adoption journey, container management, DevOps and monitoring play an important role. Managing microservices in large-scale deployments is fraught with many unique challenges for enterprise IT.

Following are some of the key metrics of microservice monitoring which will enable the enterprises to manage their container platforms better:

1. Collecting logs, metrics from containers
2. Monitoring application running inside the container
3. Distributed tracing and the time taken by each service call.
4. Storage, analysis of collected metrics, logs
5. Performing RCA and anomaly detection on the collected logs and metrics

This session will explain how to harness the power of Zipkin with the intelligence of the Spark ecosystem and the flexibility of ELK + Beats to create a unified monitoring solution. Key features of this solution are the use of distributed tracing and infrastructure metrics to manage containers, all done through visualization, correlation and predictive monitoring.

Speakers
Nishant Sahay

Senior Architect, Wipro Limited
Nishant Sahay is a senior architect in the Open Source COE lab at Wipro, where he is responsible for research and solution development in the area of machine learning and deep learning. Nishant has extensive experience in data analysis, design, and visualization. He has written articles...



Wednesday December 6, 2017 11:10am - 11:45am
Ballroom C, Level 1

11:10am

Establishing Container Trust at Scale [I] - Tim Mackey, Black Duck Software
Quantifying risks in a container image is a critical aspect of production deployments. With orchestration clusters supporting thousands of nodes, any risk assessment solution must work at production scale. Once a trusted image is deemed vulnerable, application risk increases, but which applications are impacted, and how far has trust been broken? Trust is established through best practices including the use of trusted image registries, static code analysis, fuzzing, strong perimeter defenses and deployment controls. Unfortunately, this trust model omits information flow.
Malicious actors succeed when applications are most vulnerable. When devising action plans in response to security disclosures, defenders must quickly assess both the impact and scope of the disclosure. This time to remediation requires accurate and actionable vulnerability assessments as applications are created, deployed and scaled. Enhancing security information flow accelerates risk mitigation at production scale.

Speakers
Tim Mackey

Senior Technical Evangelist, Black Duck by Synopsys
Tim Mackey is a technology evangelist for Black Duck Software specializing in the secure deployment of applications using virtualization, cloud and container technologies. Prior to joining Black Duck, Tim was most recently the community manager for XenServer and was part of the Citrix...



Wednesday December 6, 2017 11:10am - 11:45am
Meeting Room 6AB, Level 3

11:10am

When the Going Gets Tough, Get TUF Going! [I] - David Lawrence & Ashwini Oruganti, Docker
Software distribution and packaging systems are rapidly becoming the weak link in the software lifecycle. In this talk we will look at the security landscape of existing software update systems and signing strategies. We will then introduce The Update Framework (TUF), a new signing framework that looks to address many of the challenges found in existing systems and more.

TUF provides protections against data tampering, rollbacks, key compromise, and other more esoteric attacks. We will investigate how it achieves these protections and show you how to start using it today.

While TUF is a general signing framework, we will also address use cases specific to the Cloud Native Ecosystem. These include how to use TUF signing to de-privilege cluster managers and attach metadata to images and containers in a decentralized manner which can be leveraged for policy management.
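The checks that give TUF its tampering, rollback, freeze and key-compromise protections, as an added Python example that is not part of the talk and not the TUF reference implementation. The role layout, the key IDs, the 2-of-3 threshold and the `hello.sh` target are constructed for the example, and the signature is an HMAC-SHA256 stand-in (an assumption made so the block runs with the standard library only; real TUF metadata carries Ed25519, RSA or ECDSA signatures over canonical JSON, and clients hold only the public halves):

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


class VerificationError(Exception):
    """Raised when a metadata or target check fails."""


def canonical(signed):
    # Signer and verifier must hash identical bytes, so the "signed" object is
    # serialised in one canonical form before signing and before verifying.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(key, signed):
    # Stand-in for an asymmetric signature: HMAC-SHA256 keyed by the signer's key.
    return hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()


def verify_role(metadata, role, keys, prev_version, now):
    """Apply the checks a client runs on one signed role before trusting it.

    metadata:     {"signed": {...}, "signatures": [{"keyid": ..., "sig": ...}]}
    role:         {"keyids": [...], "threshold": n}, as delegated by root
    keys:         {keyid: key material} trusted for this role
    prev_version: the version the client already trusts (0 on first use)
    """
    signed = metadata["signed"]
    valid = set()
    for entry in metadata["signatures"]:
        kid = entry["keyid"]
        # Only keys the delegating role authorised count, and each key counts once,
        # so a single compromised key cannot reach a threshold of two on its own.
        if kid not in role["keyids"] or kid not in keys or kid in valid:
            continue
        if hmac.compare_digest(sign(keys[kid], signed), entry["sig"]):
            valid.add(kid)
    if len(valid) < role["threshold"]:
        raise VerificationError(f"{len(valid)} of {role['threshold']} required signatures")
    # Rollback protection: never accept metadata older than what is already trusted.
    if signed["version"] < prev_version:
        raise VerificationError(f"rollback: version {signed['version']} < {prev_version}")
    # Freeze protection: correctly signed but stale metadata is still rejected.
    if datetime.fromisoformat(signed["expires"]) <= now:
        raise VerificationError(f"expired at {signed['expires']}")
    return signed


def verify_target(targets_signed, name, blob):
    """Check a downloaded file against the length and hash pinned in targets metadata."""
    info = targets_signed["targets"][name]
    if len(blob) != info["length"]:
        raise VerificationError(f"{name}: length {len(blob)} != {info['length']}")
    if hashlib.sha256(blob).hexdigest() != info["hashes"]["sha256"]:
        raise VerificationError(f"{name}: sha256 mismatch")
    return True


# Constructed sample repository: three targets keys with a 2-of-3 threshold and one target.
KEYS = {"k1": b"key-material-one", "k2": b"key-material-two", "k3": b"key-material-three"}
TARGETS_ROLE = {"keyids": ["k1", "k2", "k3"], "threshold": 2}
NOW = datetime(2017, 12, 6, tzinfo=timezone.utc)
TARGET_BLOB = b"#!/bin/sh\necho hello\n"


def make_targets(version, signers, blob=TARGET_BLOB, expires="2018-01-01T00:00:00+00:00"):
    """Build targets metadata for the sample repository, signed by the given key IDs."""
    signed = {
        "_type": "targets",
        "version": version,
        "expires": expires,
        "targets": {
            "hello.sh": {"length": len(blob), "hashes": {"sha256": hashlib.sha256(blob).hexdigest()}},
        },
    }
    return {"signed": signed, "signatures": [{"keyid": k, "sig": sign(KEYS[k], signed)} for k in signers]}


def check(metadata, prev_version=1, blob=TARGET_BLOB):
    """Run the full client-side check; return 'ok' or the reason the update was rejected."""
    try:
        signed = verify_role(metadata, TARGETS_ROLE, KEYS, prev_version, NOW)
        verify_target(signed, "hello.sh", blob)
        return "ok"
    except VerificationError as err:
        return str(err)


if __name__ == "__main__":
    print(check(make_targets(2, ["k1", "k2"])))                              # accepted
    print(check(make_targets(2, ["k1"])))                                    # below threshold
    print(check(make_targets(1, ["k1", "k2"]), prev_version=2))              # replayed old metadata
    print(check(make_targets(2, ["k1", "k2"]), blob=TARGET_BLOB + b"\n"))    # tampered target
```

In a real client the `keys` dict holds public keys taken from root metadata, root itself is verified the same way (and against the previous root, which is how key rotation and revocation work), and timestamp and snapshot are checked before targets. The threshold and version checks are what make one stolen key or a replayed copy of an old repository insufficient; the hash and length pin is what makes a mirror unable to substitute content.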

Speakers
David Lawrence

Senior Security Engineer, Docker
Lay security developer that has learned a lot of mistakes the hard way. David started off building authentication systems, moved on to encrypted cloud storage for a few years, and is now working on the Security Team at Docker, presently focused on securing software distribution
Ashwini Oruganti

Ashwini is a Security Engineer at Docker and an open source developer. She is the author of pyca/tls, a pure-python TLS 1.2 implementation with opinionated and secure APIs. In the past, she has worked on Twisted - an asynchronous event-driven networking framework, and Hippy - a PHP...


Wednesday December 6, 2017 11:10am - 11:45am
Meeting Room 5ABC, Level 3

11:55am

Embedding the Containerd Runtime for Fun and Profit [I] - Phil Estes, IBM
The containerd project, one of the youngest in CNCF, is purpose-built to be an embeddable container runtime expected for use within higher layer container systems like the Docker engine and the Kubernetes orchestrator. Of course, the intent is that it will be used and embedded within a variety of software systems and has been designed for easy consumption via a gRPC API and client library.

In this talk we'll walk through a straightforward example of building up a container "client" written in Go, using today's containerd client library and API. Similar to how the Kubernetes CRI uses the containerd endpoints or how the Docker engine's libcontainerd operates, our small client will have access to all the same capabilities of container lifecycle management and registry interactions provided by containerd.

To finish our tour of building a fully functioning containerd client, we will pair our new sample application with LinuxKit and the Moby tool project. Using these tools, we'll build a simple virtual machine that embeds containerd and our sample client to test interesting aspects of containerd's capabilities in our own customized Linux OS image.

Speakers
Phil Estes

Distinguished Engineer & CTO, Container Architecture Strategy, IBM
Phil is a Distinguished Engineer in the office of the CTO for IBM Cloud, guiding IBM's strategy around containers and Linux. Phil is a founding maintainer of the CNCF containerd runtime project, and participates in the Open Container Initiative (OCI) as a member of the Technical Oversight...


Wednesday December 6, 2017 11:55am - 12:30pm
Ballroom B, Level 1

11:55am

Next Generation Services at Indeed Using gRPC [I] - Jaye Pitzeruse, Indeed.com
At Indeed, we use an internal framework for interprocess communication called Boxcar. Boxcar was developed in 2010 and provides built-in advantages when used with Indeed’s infrastructure. This framework was originally built as a proof of concept and only targeted Java as a supported language. Due to this limitation, it has not scaled with Indeed’s growth and adoption of more and more languages. Recently, Indeed has started to experiment with gRPC as a replacement for the framework. In this talk, we’ll describe our existing service infrastructure and the changes we made in order to support gRPC. We’ll also discuss the strategy we used to migrate existing Boxcar services over to using gRPC. Finally, we’ll compare benchmarks between Boxcar and the new gRPC-based system. Other technologies mentioned in the talk: linkerd for load balancing, opentracing.

Speakers
Mya Pitzeruse

Senior Software Engineer, Indeed.com
Senior Software Engineer working out of Indeed's Austin tech office for the last 4 years. Today, I own the distributed services framework that drives many of the systems at Indeed. I also work with our Services Infrastructure Group to expand our service capabilities. Such capabilities...



Wednesday December 6, 2017 11:55am - 12:30pm
Meeting Room 10AB, Level 3

11:55am

Istio: Weaving the Service Mesh [I] - Shriram Rajagopalan, IBM & Louis Ryan, Google
With the rapid adoption of microservices new tools are needed to load-balance, route, secure and monitor the traffic that flows between them. Istio provides a common networking, security, policy and telemetry substrate for services that we call a ‘Service-Mesh’. Come learn how the service-mesh helps with the transition to microservices, to empower operations teams, to adopt security best-practices and much more. We’ll also cover the state of the project, where it’s headed and how you can get involved.

Speakers
Shriram Rajagopalan

Unprincipled Engineer, Tetrate
Shriram Rajagopalan is one of the founding engineers behind the Istio service mesh project, and an early contributor to Envoy. He currently maintains the networking subsystem within Istio. Prior to working on Istio/Envoy, he worked on the Xen hypervisor, the Linux kernel, network...
Louis Ryan

Principal Software Engineer, Google
Louis Ryan is a Principal Engineer at Google working on APIs and microservices. Prior to working on Istio he co-authored the GRPC spec and ran the infrastructure that supports Googles consumer facing APIs.


Wednesday December 6, 2017 11:55am - 12:30pm
Ballroom A, Level 1

11:55am

How We Built a Framework at Twitter to Solve Service Ownership & Improve Infrastructure Utilization at Scale [I] - Vinu Charanya, Twitter
Twitter is powered by thousands of microservices that run on our internal Cloud platform which consists of a suite of multi-tenant platform services that offer Compute, Storage, Messaging, Monitoring, etc as a service. These platforms have thousands of tenants and run atop hundreds of thousands of servers, across on-prem & the public cloud. The scale & diversity in multi-tenant infrastructure services makes it extremely difficult to effectively forecast capacity, compute resource utilization & cost and drive efficiency.

In this talk, I would like to share how my team is building a system (Kite - A unified service manager) to help define, model, provision, meter & charge infrastructure resources. The infrastructure resources include primitive bare metal servers / VMs on the public cloud and abstract resources offered by multi-tenant services such as our Compute platform (powered by Apache Aurora/Mesos), Storage (Manhattan for key/val, Cache, RDBMS), Observability. Along with how we solved this problem, I also intend to share a few case-studies on how we were able to use this data to better plan capacity & drive a cultural change in engineering that helped improve overall resource utilization & drive significant savings in infrastructure spend.

Speakers
Vinu Charanya

Senior Software Engineer, Twitter
Vinu Charanya is a Senior Software Engineer at Twitter where she works in the Compute Platform building Twitter's internal cloud infrastructure management platform. She is also a core team member of Women who code, a non-profit organization dedicated to inspiring women to excel...


Wednesday December 6, 2017 11:55am - 12:30pm
Meeting Room 6AB, Level 3

11:55am

The Power of Application Intent Analysis for Container Security [I] - John Morello, Twistlock
As containers gain mainstream momentum and cloud-native applications surge, practices such as DevOps culture, continuous delivery, cloud development and containerization require a reinvention of security. The threats targeting organizations only continue to increase in severity and frequency, and even simple attacks can cause considerable damage. Cloud-native development is a vital evolution for security in the enterprise, as it equips organizations with the same tools and processes that modern fast-moving organizations rely on.

Cloud-native needs to be considered a new culture, not just a technological shift, when it comes to IT. This is because cloud-native changes the processes of DevOps, which requires automated security processes and application awareness. With cloud-native culture, security needs to be truly application aware and based upon developer intent. Using application intent analysis, developers have a new way of looking at applications, specifically containerized apps. They can produce a more predictable and secure container environment that can be effectively enforced.

The unique nature of container technology allows the developer intent-based security model to capitalize on the following pillars:

1. Containers are declarative. When a developer writes the code, he/she does not just write the code, he/she writes a manifest that describes how this code should work and how it should interact with its environment. While the developer does not provide you with a real security manifest, you can translate the extra information that you have and try to create a security profile. With containers, you have a Dockerfile, you might have a pod, and you might have an application group if you're running on top of Mesosphere. There is a lot of information in the system that you could use in order to understand what is supposed to happen.

2. Containers are predictable. When you look at containers, they contain less specific logic and more common building blocks because containers are typically made out of downloadable layers that someone else created.

3. Containers are immutable. In the past, it was hard to understand if something happening with the application was really an attack or not. But in the case of containers, whenever you patch a container or change its real intent, it should not happen in real time. What happens is the developer changes things and then he/she pushes in a new version. He/she patches the OS or adds new functionality and then pushes in a new container and scraps the old one. This gives you a lot of power from a security standpoint because, for the first time ever, if you see a polymorphic change in the behavior of the application (if it starts behaving differently) that means it's either a configuration drift or a real attack.

By leveraging these three pillars -- declarative nature, predictability and immutability -- there’s a powerful opportunity to use whitelisting, for example, to approve known good processes. In combination with application intent analysis, enforcement measures help support the intent-based security model and preserve the original intent of the application.
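A process allow-list derived from the image's declared intent and run over runtime exec events, as an added Python example that is neither Twistlock's nor Sysdig's code and is not from either talk. It serves both the Falco anomaly-alerting bullet in the Sysdig training above and the three pillars here: the Dockerfile is the declarative source, the profile is keyed by image because an immutable image implies a fixed profile, and anything that executes outside the profile is flagged. The two Dockerfiles, the image names, the container IDs and the sensor-style event fields (`container.id`, `image`, `proc.name`, `proc.pname`) are constructed for the example:

```python
import json
import shlex

SHELL_OPERATORS = {"&&", "||", ";", "|"}


def parse_dockerfile(text):
    """Resolve the argv an image starts with, following Docker's rules: the last
    ENTRYPOINT and the last CMD win, exec form is a JSON array, shell form is
    wrapped in /bin/sh -c, and a shell-form ENTRYPOINT ignores CMD entirely."""
    entrypoint = cmd = None
    entrypoint_is_shell = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr, rest = instr.upper(), rest.strip()
        if instr not in ("ENTRYPOINT", "CMD"):
            continue
        shell_form = not rest.startswith("[")
        argv = ["/bin/sh", "-c", rest] if shell_form else json.loads(rest)
        if instr == "ENTRYPOINT":
            entrypoint, entrypoint_is_shell = argv, shell_form
        else:
            cmd = argv
    if entrypoint is None:
        return cmd or []
    return entrypoint if entrypoint_is_shell else entrypoint + (cmd or [])


def allowed_programs(argv):
    """Turn the declared argv into the set of program names the image intends to run."""
    if not argv:
        return set()
    allowed = {argv[0].rsplit("/", 1)[-1]}
    # Shell form: the one-liner names the real programs ("exec gunicorn app:app",
    # "migrate && nginx -g 'daemon off;'"), so admit the first word of every command.
    if allowed == {"sh"} and len(argv) == 3 and argv[1] == "-c":
        expect_command = True
        for token in shlex.split(argv[2]):
            if token in SHELL_OPERATORS:
                expect_command = True
            elif expect_command and token != "exec":  # "exec" is a builtin, skip it
                allowed.add(token.rsplit("/", 1)[-1])
                expect_command = False
    return allowed


def build_profiles(dockerfiles):
    """One allow-list per image. Because images are immutable the profile only
    changes when a new image, and therefore a new Dockerfile, is pushed."""
    return {image: allowed_programs(parse_dockerfile(text)) for image, text in dockerfiles.items()}


def evaluate(profiles, events):
    """Flag exec events outside the declared profile of the container's image.
    Returns (container id, process, reason) for each alert, in event order."""
    alerts = []
    for ev in events:
        allowed = profiles.get(ev["image"])
        if allowed is None:
            alerts.append((ev["container.id"], ev["proc.name"], "no profile for image"))
        elif ev["proc.name"] not in allowed:
            alerts.append((ev["container.id"], ev["proc.name"],
                           f"not declared by {ev['image']}, spawned by {ev['proc.pname']}"))
    return alerts


# Constructed sample data: two images and the exec events observed in their containers.
DOCKERFILES = {
    "registry.example/web:1.4": 'FROM python:3.6-slim\nCOPY . /app\nWORKDIR /app\n'
                                'ENTRYPOINT ["gunicorn"]\nCMD ["--bind", "0.0.0.0:8000", "app:app"]\n',
    "registry.example/edge:2.0": 'FROM nginx:1.13\nCOPY nginx.conf /etc/nginx/nginx.conf\n'
                                 'CMD nginx -g "daemon off;"\n',
}


def event(container_id, image, name, parent):
    return {"container.id": container_id, "image": image, "proc.name": name, "proc.pname": parent}


EVENTS = [
    event("3f2a", "registry.example/web:1.4", "gunicorn", "containerd-shim"),
    event("3f2a", "registry.example/web:1.4", "gunicorn", "gunicorn"),   # worker fork, expected
    event("3f2a", "registry.example/web:1.4", "sh", "gunicorn"),         # shell from the app
    event("3f2a", "registry.example/web:1.4", "curl", "sh"),             # download from that shell
    event("9c1d", "registry.example/edge:2.0", "sh", "containerd-shim"), # shell form, expected
    event("9c1d", "registry.example/edge:2.0", "nginx", "sh"),
    event("9c1d", "registry.example/edge:2.0", "nc", "nginx"),           # not in the Dockerfile
]

if __name__ == "__main__":
    for alert in evaluate(build_profiles(DOCKERFILES), EVENTS):
        print(*alert)
```

The point of keying on the image rather than on the live container is the immutability argument above: a new executable appearing under an unchanged image digest is drift or an attack, never a legitimate deploy, because legitimate changes arrive as a new image with its own profile. A real sensor would also want the image digest rather than the tag, and would treat the Kubernetes pod spec (command, args, sidecars) as a second declarative source alongside the Dockerfile.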

Speakers
John Morello

CTO, Twistlock
In his day to day role as CTO of Twistlock, John Morello blends his CISO pedigree with a prescient view of the future of enterprise cloud technologies. Instead of seeing containers and cloud infrastructure as inherently less secure, John viewed the unique technology of containers...



Wednesday December 6, 2017 11:55am - 12:30pm
Meeting Room 5ABC, Level 3

2:00pm

Pinterest's Journey from VMs to Containers [I] - Michael Benedict, Pinterest
Pinterest helps you discover and do what you love. A visual discovery engine at heart, Pinterest guides you through a billion possibilities to quickly discover & get inspired to do something. With over 150MM MAUs across the globe contributing & combing through a billion pins, Pinterest's Infrastructure is built to cater to this scale with very unique requirements -- Today, I'll be talking about how a company operating on the public cloud on VMs since its inception decided to move to containers.

This talk will primarily focus on four things:
1. Pinterest Infrastructure Overview (Offline Compute / Online Serving)
Pinterest was born on AWS. As of today, we operate tens of thousands of instances and process tens to hundreds of PBs of data. Data is the cornerstone of our business, where freshness & relevance are key. We will deep dive into our processing & serving stack.

2. VMs vs. Containers - The Pros and Cons
In this section, we will cover the challenges along four key pillars:
a. Developer Velocity - We will discuss the overall job lifecycle workflow i.e build, setup, deploy, operations when using VMs or Containers.
b. Service Reliability - Constraints around resource isolation and standardization across health checks.
c. Infrastructure Governance - Attribution of resources both on utilization & Spend, Quotas
d. Efficiency - Specifically around auto scaling -- our learnings from using ASGs at scale & how this impacts VM vs. Container from an efficiency & operations perspective.

3. Move to Containers
Here we will discuss the use of Docker at Pinterest and, more importantly, the steps we took around evaluating various orchestration systems. I'll share the various dimensions we evaluated and our learnings when running in a public cloud environment, for example Docker integration, scheduling, networking, community, stateful support, big data support and security support.

4. Vision of the Compute Platform at Pinterest
Finally we will close out with the larger vision (next 18 months) for the Compute Platform at Pinterest.

Speakers
Micheal Benedict

Head of Engineering Productivity, Pinterest
Micheal Benedict heads the Engineering Productivity organization at Pinterest that is responsible for languages strategy, source code management, build systems & CI/CD platform. Previously, Micheal led products for the Compute Platform at Twitter. Micheal holds a master's degree in...


Wednesday December 6, 2017 2:00pm - 2:35pm
Meeting Room 8ABC, Level 3

2:00pm

Continuous Delivery with Kubernetes at Box [I] - Greg Lyons, Box
Deploying and managing applications with Kubernetes can be challenging. Organizing configuration across multiple environments, rolling out changes incrementally, safely killing or rolling back failed deployments - these are just a few difficulties that organizations face when running containers in production.

At Box, we've dealt with these issues and more, at the scale of thousands of servers across multiple data centers and public cloud providers. In this talk, we'll share how we set up a continuous delivery pipeline with Jenkins, Docker, Artifactory, and Kubernetes to test, build, and release our software rapidly and reliably. We'll discuss how our pipeline reduces time to ship to production, provides greater visibility into the deployment process, and empowers our engineers to deploy quality code with confidence.

Speakers
Greg Lyons

Software Engineer, Box
Greg is a software engineer at Box, where he works on tooling for running microservices with Kubernetes. He built and open-sourced kube-applier, a containerized service for deploying Kubernetes apps with declarative configuration.


Wednesday December 6, 2017 2:00pm - 2:35pm
Ballroom A, Level 1

2:00pm

Introducing SPIFFE: An Open Standard for Identity in Cloud Native Environments [I] - Evan Gilman, Scytale
Modern infrastructure patterns like microservices, container orchestration, and hybrid/multi-cloud deployments have turned conventional models for datacenter authentication and security on their heads. In the face of highly dynamic compute and network resources, a new challenge has risen: how to authenticate and secure service-to-service traffic in this brave new world? Enter the problem known as service identity.

Getting service identity right is surprisingly hard, with requirements extending well beyond simple secret management. What kind of credentials to settle on, how to rotate them, how to automatically (and securely) bootstrap them... and even more importantly, how to make sure a wide variety of external systems can authenticate them appropriately? These questions represent only a subset of the points that must be solved for.

In this talk, we introduce both SPIFFE and SPIRE, a new open source project designed to solve exactly these problems. SPIRE, backed by the SPIFFE open standard, performs seamless node and workload attestation across various platforms, and automatically issues short-lived certificates based on those attestations in a controlled manner. Even better, these certificates work across organizational boundaries and heterogeneous environments thanks to SPIFFE, which introduces a standardized identity format and validation methodology for X.509 certificates.
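Validation of the SPIFFE ID format, plus the authorization decision a service makes once it has the peer's ID out of the URI SAN of its X.509 SVID, as an added Python example that is not SPIRE's or go-spiffe's code. The character and path rules are my reading of the SPIFFE ID standard and are an assumption; the trust domains `example.org` and `partner.example`, the allow-list entries and the `/*` prefix convention are constructed for the example:

```python
TRUST_DOMAIN_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789.-_")
PATH_CHARS = TRUST_DOMAIN_CHARS | frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
MAX_LENGTH = 2048  # assumed upper bound on a SPIFFE ID


class InvalidSpiffeID(ValueError):
    """The value is not a well-formed SPIFFE ID."""


def parse_spiffe_id(value):
    """Split a SPIFFE ID into (trust_domain, path) or raise InvalidSpiffeID.

    Rules applied (assumed from the SPIFFE ID standard): the scheme is exactly
    'spiffe'; the authority is a bare lowercase trust domain with no userinfo,
    port, query or fragment; the path is made of '/'-separated segments that are
    non-empty, are not '.' or '..', and use only [A-Za-z0-9._-].
    """
    if not isinstance(value, str) or not value.startswith("spiffe://"):
        raise InvalidSpiffeID("scheme must be 'spiffe'")
    if len(value) > MAX_LENGTH:
        raise InvalidSpiffeID("longer than %d bytes" % MAX_LENGTH)
    trust_domain, slash, path = value[len("spiffe://"):].partition("/")
    if not trust_domain:
        raise InvalidSpiffeID("empty trust domain")
    if "@" in trust_domain or ":" in trust_domain:
        raise InvalidSpiffeID("trust domain must not carry userinfo or a port")
    if not set(trust_domain) <= TRUST_DOMAIN_CHARS:
        raise InvalidSpiffeID("trust domain must be lowercase [a-z0-9._-]")
    if slash and not path:
        raise InvalidSpiffeID("trailing slash")
    for segment in (path.split("/") if path else []):
        if not segment:
            raise InvalidSpiffeID("empty path segment")
        if segment in (".", ".."):
            raise InvalidSpiffeID("relative path segment")
        if not set(segment) <= PATH_CHARS:   # also rejects '?', '#', '%' and whitespace
            raise InvalidSpiffeID("bad character in segment %r" % segment)
    return trust_domain, ("/" + path if path else "")


def is_valid_spiffe_id(value):
    try:
        parse_spiffe_id(value)
        return True
    except InvalidSpiffeID:
        return False


def authorize(peer_id, trusted_domains, allow_list):
    """Decide whether a peer presenting peer_id may call this service.

    trusted_domains: the local trust domain plus any federated ones whose bundles
                     this service holds (an ID from any other domain is rejected
                     before policy is consulted).
    allow_list:      exact SPIFFE IDs, or an ID followed by '/*' to admit every
                     workload below that path. Matching is on whole segments, so
                     'spiffe://example.org/ns/prod/*' does not admit '/ns/production/...'.
    Returns (allowed, reason).
    """
    try:
        trust_domain, path = parse_spiffe_id(peer_id)
    except InvalidSpiffeID as err:
        return False, "malformed peer ID: %s" % err
    if trust_domain not in trusted_domains:
        return False, "foreign trust domain %s" % trust_domain
    for entry in allow_list:
        if entry.endswith("/*"):
            entry_td, entry_path = parse_spiffe_id(entry[:-2])  # policy must be well-formed too
            if entry_td == trust_domain and path.startswith(entry_path + "/"):
                return True, "matched %s" % entry
        elif parse_spiffe_id(entry) == (trust_domain, path):
            return True, "matched %s" % entry
    return False, "not in allow list"


if __name__ == "__main__":
    policy = ["spiffe://example.org/ns/prod/*", "spiffe://partner.example/billing"]
    for peer in ("spiffe://example.org/ns/prod/sa/api",
                 "spiffe://example.org/ns/production/sa/api",
                 "spiffe://evil.example/ns/prod/sa/api",
                 "spiffe://example.org/ns/prod/../admin"):
        print(peer, authorize(peer, {"example.org", "partner.example"}, policy))
```

The parser refuses the inputs that make string-prefix policies unsafe (`..`, empty segments, a port or userinfo smuggled into the authority, mixed-case trust domains), and the policy matcher insists on a segment boundary after a prefix. Which trust domains are in `trusted_domains` is the federation decision the abstract alludes to: a peer from another organization is accepted only if its domain's bundle was deliberately configured, never because its SVID merely validated against some CA.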

Speakers
Evan Gilman

Engineer, Scytale
Evan Gilman is an engineer with a background in computer networks. With roots in academia, and currently working on the SPIFFE project, he has been building and operating systems in hostile environments his entire professional career. An open source contributor, speaker, and author...


Wednesday December 6, 2017 2:00pm - 2:35pm
Meeting Room 5ABC, Level 3

2:45pm

Building Specialized Container-Based Systems with Moby: A Few Use Cases [I] - Patrick Chanezon, Docker
Moby is an open source project providing a "LEGO set" of dozens of components, the framework to assemble them into specialized container-based systems, and a place for all container enthusiasts to experiment and exchange ideas.
One of these assemblies is Docker CE, an open source product that lets you build, ship, and run containers.

This talk will explain how you can leverage the Moby project to assemble your own specialized container-based system, whether for IoT, cloud or bare metal scenarios.
We will cover Moby itself, the framework, and tooling around the project, as well as many of its components: LinuxKit, InfraKit, containerd, SwarmKit, Notary.
Then we will present a few use cases and demos of how different companies have leveraged Moby and some of the Moby components to create their own container-based systems.

Speakers
Patrick Chanezon

Chief Developer Advocate, Docker
As the Chief Developer Advocate for Docker, Patrick Chanezon helps drive the direction of the company’s open source projects, acting as an advocate for the developer community to assure that their requirements and issues are addressed in the Docker platform. From 2013 to 2015, he...


Wednesday December 6, 2017 2:45pm - 3:20pm
Ballroom B, Level 1

2:45pm

Microservices, Service Mesh, and CI/CD Pipelines: Making It All Work Together [I] - Brian Redmond, Microsoft
Microservices come with many advantages for massively scaling applications. With that come many challenges around service communication and application updates. It is pretty simple to do blue/green deployment and canary releases with a basic web site. But what about thousands of microservices? How can we have blue/green deployments at the service level while still allowing for efficient communication? This is one of the areas where service mesh technology is a huge benefit in Kubernetes.

In this session, I will show how to use common CI/CD tooling such as Spinnaker or Jenkins to drive microservices deployments with Kubernetes. I will show how service mesh technologies such as istio and linkerd ease the ability to efficiently deliver and test microservices in Kubernetes. All without substantial changes for the microservice developer. Additionally, I will provide comparisons of the wide variety of tools available in this area.

The overall goal of this demo heavy session is to show the value of these technologies working together to ease the delivery of cloud native applications.

Speakers
Brian Redmond

Cloud Architect, Microsoft
I am a Cloud Architect on the Azure Global Black Belt team at Microsoft. I focus on containers, microservices, and cloud native applications in the Azure cloud platform. I have been working in technology for over 20 years and have a mixed background from application development to...



Wednesday December 6, 2017 2:45pm - 3:20pm
Ballroom A, Level 1

2:45pm

Distributed Workflows for Microservices-Style Applications [I] - Yun Qin, Nirmata
Microservices-style architectures solve several problems but also introduce new complexities. With microservices, a best practice is to keep services isolated and loosely coupled. However, in the real world, it is not uncommon to encounter business logic which requires coordination across multiple business functions, i.e. microservices.

The distributed workflow pattern addresses this problem. In this presentation we will describe the distributed workflow pattern and its use cases. We will then look at various implementations of this pattern, such as Netflix Conductor, AWS Simple Workflow Service and NirmataOSS Workflow.

We will end by showing a demonstration of a distributed workflow, running on a Kubernetes cluster and show how workflow managers can leverage Kubernetes features like Horizontal Pod Autoscaling.

Speakers
YUN QIN

Software Engineer, Nirmata
Yun is a software engineer at Nirmata, a company delivering integrated solutions for multi-cloud application management. Yun has extensive experience in distributed system application development and operations. Prior to joining Nirmata, Yun worked as a senior network engineer at...



Wednesday December 6, 2017 2:45pm - 3:20pm
Meeting Room 10AB, Level 3

2:45pm

Kubernetes, Metadata and You [I] - Liz Rice, Aqua Security & Gareth Rushgrove, Puppet
The combination of CI/CD tools and Kubernetes means we can set up a pipeline for deploying code changes as they happen, triggering a container image build and a rolling update to pull the new image. But what about changes that are about the application and how it should run, rather than the code itself?

This talk will explore tools and approaches for managing application metadata alongside the application code. We will look at:

- The importance of metadata to managing modern Cloud Native systems
- Built-in metadata capabilities in Kubernetes like ConfigMaps, Annotations and Labels
- Ways of making a deployment self-describing as part of a CI/CD workflow
- Using metadata to make the life of Kubernetes operators easier
- Examples of open source tools (like Manifesto, Lumogon and Skopeo) which work with Kubernetes ecosystem metadata

Speakers
Liz Rice

Vice President, Open Source Engineering, Aqua Security
Liz Rice is VP Open Source Engineering at cloud native security specialists Aqua Security. She also chairs the CNCF's Technical Oversight Committee, and was Co-Chair of KubeCon + CloudNativeCon in 2018. She has a wealth of software engineering experience working on network protocols...

Gareth Rushgrove

Director Product Management, Snyk
Gareth works remotely from Cambridge, UK, helping to build interesting tools for people to better manage infrastructure and applications. He currently works at Snyk, working on developer-first security tooling. He has previously worked for the UK Government Digital Service focused...


Wednesday December 6, 2017 2:45pm - 3:20pm
Meeting Room 6AB, Level 3

2:45pm

IAM on Hybrid Cloud: Next Generation Security Model to Create an Interoperable Cloud [I] - Jeyappragash JJ & Kamil Pawlowski, padme.io

Those developing and operating modern software infrastructure face a myriad of complexity when trying to secure it. While environments like Amazon have vastly simplified the supply chain associated with bringing up new physical and virtual infrastructure or services, complexity around managing access to and between these services has grown, and continues to expand. The proliferation of configurations, management tools, and management schemes that exist in the modern datacenter has exploded when dealing with multi-cloud, hybrid (cloud + DC), or legacy systems.

Complexity is the enemy of security. This heterogeneity is its embodiment. Having many different ways to configure access policies on different cloud providers or with different vendors makes it impossible to understand who has access to what in any given infrastructure. Without this visibility it is impossible to have intelligibility, and hence security.

Worse, today developers and operators must exist in and support a highly dynamic service environment. That is to say existing services must evolve to support new functionality, and new services must be rapidly brought online to support features in a highly competitive business environment. The miasma of different configuration schemes creates a great deal of friction against this, and impedes security because it is difficult to holistically understand the impact of changes (let alone make them rapidly). Security must be able to accommodate this temporality.

In this talk we introduce PADME as an architecture for policy admission aimed at solving these problems in a distributed environment. PADME operates by normalizing access policy information across underlying clouds and systems. It allows policies to be operated on as known, fixed building blocks in order to establish end-to-end security. Finally, it attacks the problem of policy distribution in a distributed environment so that assertions can be made about the security of a system over time, and in the face of CAP theorem issues.


Speakers
JJ Jeyappragash

tetrate.io
Jeyappragash previously built the team and lead the technical roadmap for Twitter's Cloud Infrastructure Management Platform. This platform helps developers manage their services and provides detailed visibility to the infrastructure and the services that use the infrastructures...

Kamil Pawlowski

Kamil Pawlowski (Software Engineer) has worked on everything from mobile to high scale/availability systems, network protocols to web stacks. His experience includes early stage startups, large companies, and stages in between. He is presently building services infrastructure for...


Wednesday December 6, 2017 2:45pm - 3:20pm
Meeting Room 5ABC, Level 3

2:45pm

Microservices Patterns with NGINX Proxy in an Istio Services Mesh [I] - A.J. Hunyady, NGINX Inc
Building a cloud native application is only half the battle; running it reliably is the other half.

NGINX, the leading provider of ingress controller functionality in Kubernetes environments, has partnered with Istio to enhance sidecar proxy capabilities in the Istio service mesh architecture.

A service mesh is highly dependent on the strength of the proxy, and NGINX is the most powerful service proxy in the market. It offers a small-footprint, high-performance engine with advanced load balancing algorithms, caching, SSL termination, API gateway, extensibility through a broad range of third-party modules, scriptability with Lua and nginScript, and various security features with granular access control.

Microservices also require a Web Server to be deployed side-by-side with the service proxy. While optional, deploying NGINX as Web Server technology provides additional benefits in performance, manageability, security and the overall monitoring of the Application.

NGINX is already used by more than half of the top 100,000 websites and this talk will describe how NGINX in Istio environments is a natural extension of this technology.

Our demo will show a sample application running in a Kubernetes/Istio/NGINX environment and we will answer questions from the audience.

Speakers
A.J. Hunyady

Product Management, NGINX
A.J. is a technology enthusiast and a Silicon Valley veteran. He founded Zokets, where he developed software for managing containerized services in highly dynamic environments. A.J. is now at NGINX, where he leads innovations in new product development.


Wednesday December 6, 2017 2:45pm - 3:20pm
Meeting Room 9C, Level 3

3:40pm

Expand Your Spinnaker Pipeline to the Desktop [I] - Sean Korten, Kenzan
Commit, build, test, push, build, test, deploy, test, promote, test, repeat. You can already use Kubernetes as the common platform for your entire lifecycle, but wouldn’t it be cool to use one tool to manage it? Spinnaker is a multi-cloud CI/CD platform that works well with Kubernetes on many cloud providers. In this talk we will discuss how to turn your workstation running minikube into another cloud provider in your cloud based production Spinnaker and add it to your CI/CD pipeline.

Speakers
Sean Korten

Director of Engineering, Kenzan
Sean is a Lead Platform/DevOps Engineer with Kenzan, a professional services company that provides customized end-to-end solutions to a diverse group of clients. Since joining Kenzan he has contributed to the Spinnaker OSS project and helped implement it internally and with multiple...



Wednesday December 6, 2017 3:40pm - 4:15pm
Meeting Room 9AB, Level 3

3:40pm

Modifying gRPC Services Over Time [I] - Eric Anderson, Google
Services grow and stretch over time to accommodate features, bugs, and basic maintenance. Learn how gRPC services can change while managing existing clients.

Speakers
Eric Anderson

Staff Software Engineer, Google
Eric Anderson is the tech lead of gRPC Java as a Staff Software Engineer at Google. He contributed to the gRPC wire protocol and is experienced with HTTP/2. Previously, he developed the Connectors v4 framework for the Google Search Appliance. Prior to Google, Eric maintained data-driven...



Wednesday December 6, 2017 3:40pm - 4:15pm
Meeting Room 10AB, Level 3

3:40pm

How Netflix Is Solving Authorization Across Their Cloud [I] - Manish Mehta & Torin Sandall, Netflix
Since 2008, Netflix has been on the cutting edge of cloud-based microservices deployments. In 2017, Netflix is recognized as one of the industry leaders at building and operating “cloud native” systems at scale. Like many organizations, Netflix has unique security requirements for many of their workloads. This variety requires a holistic approach to authorization to address “who can do what” across a range of resources, enforcement points, and execution environments.

In this talk, Manish Mehta (Senior Security Software Engineer at Netflix) and Torin Sandall (Technical Lead of the Open Policy Agent project) will present how Netflix is solving authorization across the stack in cloud native environments. The presentation shows how Netflix enforces authorization decisions at scale across various kinds of resources (e.g., HTTP APIs, gRPC methods, SSH), enforcement points (e.g., microservices, proxies, host-level daemons), and execution environments (e.g., VMs, containers) without introducing unreasonable latency. The presentation includes a deep dive into the architecture of the cloud native authorization system at Netflix as well as how authorization decisions can be offloaded to an open source, general-purpose policy engine (Open Policy Agent).
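The shape of that architecture, an enforcement point that offloads the decision to a policy engine, is easy to get wrong in one specific way: a failure to reach the engine must not turn into an allow. The following is an added example (not Netflix or Open Policy Agent code) of a fail-closed enforcement point. It assumes OPA's documented Data API (POST /v1/data/<policy path> with a JSON {"input": ...} body, answered with {"result": ...}); the policy path, the subjects, resources and allow-list are constructed, and the offline stub stands in for what a Rego policy would compute.

```python
"""Policy enforcement point that offloads "who can do what" to an external policy engine.

Added example, not Netflix or Open Policy Agent project code. It assumes OPA's
Data API as documented by the project (POST /v1/data/<policy path> with a JSON
{"input": ...} body, answered with {"result": ...}); the policy path, service
names, subjects and the stub decisions below are constructed.
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

Decider = Callable[[dict], Optional[bool]]  # returns allow/deny, or None if the policy is undefined


@dataclass(frozen=True)
class Request:
    """One access attempt as seen at an enforcement point (HTTP proxy, gRPC interceptor, SSH daemon...)."""
    subject: str   # authenticated caller identity, e.g. a SPIFFE ID or a user principal
    kind: str      # "http", "grpc" or "ssh": the kind of resource being accessed
    action: str    # HTTP method, gRPC method name, or "login"
    resource: str  # URL path, gRPC service, or target host


def opa_http_decider(base_url: str, policy_path: str, timeout_s: float = 0.05) -> Decider:
    """Build a decider that asks an OPA instance (typically a local sidecar or host daemon)."""
    url = f"{base_url.rstrip('/')}/v1/data/{policy_path.strip('/')}"

    def decide(input_doc: dict) -> Optional[bool]:
        body = json.dumps({"input": input_doc}).encode()
        req = urllib.request.Request(url, data=body,
                                     headers={"Content-Type": "application/json"}, method="POST")
        # Tight timeout: the check sits on every request's critical path.
        with urllib.request.urlopen(req, timeout=timeout_s) as resp:
            answer = json.load(resp)
        result = answer.get("result")
        return result if isinstance(result, bool) else None  # missing "result" = undefined, never "allow"

    return decide


def authorize(request: Request, decide: Decider) -> bool:
    """Fail-closed enforcement: anything but an explicit True from the policy engine is a deny."""
    input_doc = {
        "subject": request.subject, "kind": request.kind,
        "action": request.action, "resource": request.resource,
    }
    try:
        return decide(input_doc) is True
    except Exception:  # engine down, timeout, malformed answer: deny rather than fail open
        return False


def stub_decider(allowed: set) -> Decider:
    """Offline stand-in for OPA answering from a constructed allow-list of (subject, kind, action, resource)."""
    def decide(input_doc: dict) -> Optional[bool]:
        key = (input_doc["subject"], input_doc["kind"], input_doc["action"], input_doc["resource"])
        return key in allowed
    return decide


# Constructed policy data: one engine serving three enforcement points and resource kinds.
ALLOWED = {
    ("spiffe://prod.example.org/ns/payments/sa/api", "http", "GET", "/v1/ledger"),
    ("spiffe://prod.example.org/ns/payments/sa/api", "grpc", "/ledger.Ledger/Read", "ledger"),
    ("alice", "ssh", "login", "ledger-db-01"),
}

if __name__ == "__main__":
    decide = stub_decider(ALLOWED)
    for r in (
        Request("spiffe://prod.example.org/ns/payments/sa/api", "http", "GET", "/v1/ledger"),
        Request("spiffe://prod.example.org/ns/payments/sa/api", "http", "DELETE", "/v1/ledger"),
        Request("alice", "ssh", "login", "ledger-db-01"),
        Request("bob", "ssh", "login", "ledger-db-01"),
    ):
        print(authorize(r, decide), r)
```

Swapping `stub_decider(ALLOWED)` for `opa_http_decider("http://127.0.0.1:8181", "authz/allow")` (an assumed local OPA address and an assumed policy path) is the only change needed to move the decision out of process; the enforcement side, including the deny on timeout, is unchanged.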

This talk is targeted at engineers building and operating cloud native systems who are interested in security and authorization. The audience can expect to take away fresh ideas about how to enforce fine-grained authorization policies across the stack in the cloud environment.

Speakers
Manish Mehta

Senior Security Software Engineer, Netflix
Manish Mehta is Senior Security Software Engineer at Netflix, Los Gatos, CA. He has designed and developed solutions around secure bootstrapping, authentication (service and user), and authorization for cloud-native infrastructure. His professional interests and expertise are cyber...

Torin Sandall

Software Engineer, Styra
Torin Sandall is a co-founder of the Open Policy Agent (OPA) project. Torin has spent 10 years as a software engineer working on large-scale distributed systems projects. Torin is a frequent speaker at events like KubeCon, DockerCon, Velocity, and more. Prior to working on OPA, Torin...



Wednesday December 6, 2017 3:40pm - 4:15pm
Ballroom A, Level 1

3:40pm

Fluentd and Distributed Logging [I] - Masahiro Nakagawa, Treasure Data
In the container era, logging is very important because applications are distributed. This session talks about why Fluentd is needed and how Fluentd resolves the distributed logging problem in flexible and robust ways.

Speakers
Masahiro Nakagawa

Principal Engineer, Arm Treasure Data
Fluentd maintainer



Wednesday December 6, 2017 3:40pm - 4:15pm
Ballroom C, Level 1

3:40pm

Queueing Theory, In Practice: Performance Modelling in Cloud-Native Territory [I] - Eben Freeman, Honeycomb.io
Kubernetes and similar cloud-native infrastructure make it easier than ever to adjust a service's capacity based on variable demand. In practice, it's still hard to take observed metrics, and translate them into quantitative predictions about what will happen to service performance as load changes. Resource limits are often chosen by guesstimation, and teams are likely to find themselves reacting to slowdowns and bottlenecks, rather than anticipating them.

Queueing theory can help, by treating large-scale software systems as mathematical models. But it's not easy to translate between real-world systems and textbook models. This talk will cover practical techniques for turning operational data into actionable predictions. We'll show how to use results from queueing theory to develop a model of system performance. We'll discuss what data to gather in production to better inform its predictions -- for example, why it's important to capture the shape of a latency distribution, and not just a few percentiles. We'll also talk about some of the limitations and pitfalls of performance modelling.
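As an added example (not the speaker's material), the Pollaczek-Khinchine result for a single-server queue with Poisson arrivals makes the point about distribution shape concrete: two service-time distributions with the same mean but different variance give different queueing delay at the same utilisation, so a mean or a single percentile is not enough to predict latency under load. The arrival rates and service times below are constructed, and the M/G/1 assumptions (one server, Poisson arrivals, first-come-first-served) are the model's, not measurements from any real system.

```python
"""Turn an observed service-time distribution into a latency prediction, M/G/1 style.

Added example, not the speaker's material. It applies the Pollaczek-Khinchine
formula for a single server with Poisson arrivals and an arbitrary service-time
distribution: mean queueing wait Wq = lambda * E[S^2] / (2 * (1 - rho)), with
rho = lambda * E[S]. Arrival rates and service times below are constructed.
"""
import random
from typing import Callable


def pk_mean_wait(arrival_rate: float, mean_service: float, service_cv2: float) -> float:
    """Mean time a request waits before its service starts.

    service_cv2 is the squared coefficient of variation of service time
    (variance / mean^2): 0 for constant service, 1 for exponential, >1 for
    heavy tails. Same mean and same utilisation, fatter distribution: longer queue.
    """
    rho = arrival_rate * mean_service
    if rho >= 1.0:
        raise ValueError(f"utilisation {rho:.2f} >= 1: the queue grows without bound")
    second_moment = mean_service ** 2 * (1.0 + service_cv2)  # E[S^2] = Var[S] + E[S]^2
    return arrival_rate * second_moment / (2.0 * (1.0 - rho))


def pk_mean_response(arrival_rate: float, mean_service: float, service_cv2: float) -> float:
    """Mean end-to-end latency: time in queue plus the service itself."""
    return pk_mean_wait(arrival_rate, mean_service, service_cv2) + mean_service


def max_rate_for_latency(target_response: float, mean_service: float, service_cv2: float) -> float:
    """Largest arrival rate whose predicted mean latency stays under the target (bisection).

    The capacity question in reverse: given a latency objective, how much load
    one replica can take before it must be scaled out.
    """
    if target_response <= mean_service:
        return 0.0  # even an idle server cannot meet a target below its own service time
    lo, hi = 0.0, 1.0 / mean_service  # response time rises monotonically on [0, 1/E[S])
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if pk_mean_response(mid, mean_service, service_cv2) < target_response:
            lo = mid
        else:
            hi = mid
    return lo


def simulate_mean_response(arrival_rate: float, sample_service: Callable[[random.Random], float],
                           n: int = 100_000, seed: int = 7) -> float:
    """Discrete-event sanity check of the formula: average latency over n simulated requests."""
    rng = random.Random(seed)
    clock = 0.0
    server_free_at = 0.0
    total = 0.0
    for _ in range(n):
        clock += rng.expovariate(arrival_rate)   # Poisson arrivals
        start = max(clock, server_free_at)       # wait while the server is still busy
        server_free_at = start + sample_service(rng)
        total += server_free_at - clock
    return total / n


if __name__ == "__main__":
    lam, mean_s = 8.0, 0.1  # 8 req/s against a server averaging 100 ms per request: rho = 0.8
    print("exponential service, predicted:", pk_mean_response(lam, mean_s, 1.0))
    print("exponential service, simulated:", simulate_mean_response(lam, lambda r: r.expovariate(1 / mean_s)))
    print("constant service,    predicted:", pk_mean_response(lam, mean_s, 0.0))
    print("constant service,    simulated:", simulate_mean_response(lam, lambda r: mean_s))
    print("max req/s for a 500 ms mean (exponential):", max_rate_for_latency(0.5, mean_s, 1.0))
```

At 80% utilisation the exponential server predicts a 500 ms mean response while the constant-time server with the identical 100 ms mean predicts 300 ms; the squared coefficient of variation is the one number you need from production to tell those two apart, and it cannot be recovered from a p50 and a p99 alone.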

Speakers
Eben Freeman

Engineer, Honeycomb.io
Now largely reformed after stints studying theoretical math and living as an itinerant rock climber, Eben is fascinated by tools that help humans better understand the systems they create. He works as an engineer at Honeycomb.io.



Wednesday December 6, 2017 3:40pm - 4:15pm
Meeting Room 6AB, Level 3

3:40pm

Building an Edge Computing Platform for Network Services Using Cloud Native Technology [I] - Stephen Wong & Vikram Dham, Huawei Technologies, Inc.
Edge computing has become increasingly important due to the demands of latency-sensitive applications and the explosion of data from end-user devices in cases such as the Internet of Things (IoT). One common intelligent edge deployment is the buildout of mini data centers on the network edge that are centrally managed and operated from the cloud. Unlike traditional data centers, these mini data centers are constrained by limited resources and minimal operational supervision, and as such they impose challenges on traditional data center infrastructure including network services, here defined as L3-7 network services such as packet gateways and application firewalls. These services are usually implemented with a need for heavy manual configuration and complex provisioning, which makes them particularly ill-fitted for deployment at the edge.

In this session we will discuss how we built a new edge computing platform for network services that can achieve auto provisioning, dynamic service deployments and updates, and high resiliency. By running componentized network services in containers orchestrated by Kubernetes, and utilizing projects such as gRPC, linkerd, and fluentd, as well as making use of cloud native related projects including etcd and IOvisor, this platform essentially treats network services as cloud native applications, and is thereby able to achieve the associated benefits. We will show a demo of the platform as part of the presentation.

Speakers
Stephen Wong

Senior Architect, Huawei Technologies, Inc.
Stephen Wong has had 20 years of software development experience in the networking industry. Currently he is a software architect at FutureWei Technologies, the US Research Center of Huawei Technologies. His focus at FutureWei is to advance the field of Network Function Virtualization...



Wednesday December 6, 2017 3:40pm - 4:15pm
Meeting Room 9C, Level 3

4:25pm

Building Better Containers: A Survey of Container Build Tools [I] - Michael Ducy, Chef
If you stick to the “industry standard” method of building containers (Dockerfiles), it’s easy to build containers that contain libraries, tools, binaries, and more that you don’t need. One survey showed that over 75% of containers contain a full operating system. So how can you build containers that only contain the bits you require to run a particular application, and nothing more? This talk will cover various tools in the open source community that provide better methods for building containers, no matter the underlying container runtime. We will explore Bazel (along with Distroless), Smith (from Oracle), and Habitat (from Chef), and we will cover the benefits and drawbacks of each method. A short demo of each tool will be included.

Speakers
Michael Ducy

Director of Community & Evangelism, Sysdig
Michael Ducy currently works as Director of Community & Evangelism for Sysdig where he is responsible for growing adoption of Sysdig’s open source solutions. Previously, Michael worked at Chef where he held a variety of roles helping customers and community members leverage Chef’s...



Wednesday December 6, 2017 4:25pm - 5:00pm
Ballroom B, Level 1

4:25pm

“If you Don’t Monitor your Infrastructure, you Don’t Own it!” Regain Control Thanks to Prometheus [I] - Etienne Coutaud & Guillaume Lefevre, OCTO Technology
At the French FedEx company we used Prometheus to monitor the infrastructure. It hosts a CQRS architecture composed of Kafka, Spark, Cassandra, Elasticsearch, and microservice APIs in Scala.

This presentation is about using Prometheus in production: you will see why we chose Prometheus, how we integrated and configured it, and what kind of insights we extracted from the whole infrastructure.

In addition, you will see how Prometheus changed our way of working, how we implemented self-healing based on Prometheus, how we configured systemd to trigger the Alertmanager API, integration with Slack and other cool stuff.

Some demonstrations will be performed in addition to the presentation.

Speakers
Etienne Coutaud

DevOps Engineer, OCTO Technology
Etienne Coutaud is a French DevOps Engineer who has worked at OCTO Technology for 2 years in Paris. Etienne worked on the implementation of OpenShift in production for the health insurance agency. Currently working for the French FedEx, he participated in the cloud infrastructure automation...

Guillaume Lefevre

Guillaume Lefevre is a French DevOps Engineer who has been at OCTO Technology for a year now. He worked in the networking field for various companies before moving to DevOps. Currently working for the French FedEx, he participated in the cloud infrastructure automation, continuous integration and...



Wednesday December 6, 2017 4:25pm - 5:00pm
Ballroom C, Level 1
 
Thursday, December 7
 

9:45am

Keynote: Pushing the Limits of Kubernetes with Game of Thrones - Zihao Yu & Illya Chekrygin, HBO
Do you want to know what it is like to run 15,000 pods in production? Are you interested in seeing how Kubernetes stands up to the record-breaking viewership and a login rate that is beyond belief on the Game of Thrones Season 7 premiere? Come and see the things we have done in preparation for Game of Thrones. We will talk about how we provision Kubernetes clusters on AWS, and how we monitor them and the microservices that are running on the clusters.

In this talk, we will also go over how HBO Go went from deploying and running microservices on virtual machines in AWS EC2 to running the very same services inside the Kubernetes clusters. We were able to dramatically increase the productivity of our engineering teams and efficiency of resource utilization in the process. It wasn’t always a smooth ride and it wasn’t a one shot deal. Instead, it was a long and at times challenging journey starting from operating a reliable, production-ready Kubernetes cluster in AWS, advancing to gradually deploying select services into Kubernetes clusters, load testing them, and running them in parallel to our current EC2 installations, and finally going live. Come and learn some helpful tips and mistakes we made along the way, which could help your organization embrace the Kubernetes world.

Speakers
Illya Chekrygin

Sr Staff Engineer, HBO
Illya has been working on Kubernetes adoption at HBO, which includes cluster provisioning, maintenance, telemetry and service migration. He also drove the containerization of HBO's core streaming services and CI/CD integration for their traditional EC2 deployments. Prior to HBO, Illya...

Zihao Yu

Sr Staff Engineer, HBO
Zihao Yu is a Senior Staff Engineer at HBO, helping HBO GO backend services deploy faster and more reliably. He has contributed to the design and development of several iterations of cloud infrastructure and CICD pipelines for deploying microservices at HBO. He is currently working...



Thursday December 7, 2017 9:45am - 10:05am
Exhibit Hall 3, Level 1

11:10am

Kubernetes Deconstructed: Understanding Kubernetes by Breaking It Down [I] - Carson Anderson, DOMO
Understanding Kubernetes as a whole can be daunting. With so many different components working together it can be hard to know how the pieces work together or where new products and features fit in. I will start at the highest level and then peel off the layers one at time to explain how some of the "magic" happens. Over the course of the presentation I will break Kubernetes into the following layers:

"Kubernetes for the End User": A quick summary on some of the core components of Kubernetes: Namespaces, Deployments, Pods, Services, and Ingress Rules. At this layer the user just needs to understand the promises made by Kubernetes, not necessarily the way it keeps them. This layer primarily serves to establish a typical cluster workload. The resources defined here will be used when explaining all of the deeper layers.

"Kubernetes for the Cluster Admin": This layer peels away some of the cluster "magic". I will cover how the service account, default tokens, ReplicaSet and Pods from the previous layer got created by the kube-controller-manager. I will also explain how the kube-scheduler decided which node the workload should run on and how that decision could have been influenced by fields in the pod spec. This section will touch on the core concepts of Ingress controllers, Admission Controllers, scheduling, and core controller loops.

"Kubernetes for the Cloud Admin": This layer covers Kubernetes at an infrastructure level. Core concepts covered are: Horizontal Scaling, Load Balancing, high availability for masters and nodes, node management, and fault-tolerance levels. Here is also where I set the stage for the network layer that is covered next.

"Kubernetes for the Network Admin": Now we dig deeper into the network infrastructure, explaining how pods and services work together, how your network traffic figures out where to go, and how it gets there. This section covers the concepts of East-West and North-South load balancing. The goal is to provide a basic understanding of the network promises made by Kubernetes and how you might replace them with other software and services.

"Kubernetes for the Linux Admin": A discussion of Kubernetes at the OS layer. This layer digs into the processes and configuration of the base OS. This includes pluggable container engines (e.g. Docker vs. rkt), logging, CNI, metric gathering and volume mounting.

"Kubernetes for the Power-User": Time permitting, the final section will put all of the previous ones together to show how a next-generation application might be deployed on top of Kubernetes and take advantage of the more advanced features.

Speakers
Carson Anderson

Sr. Systems Admin, DOMO
I've been working as a Sys Admin for 8 years. I have been focused on Docker, Kubernetes, and container infrastructure at scale for the last 2 years. Previous Presentations: * Kubernetes Deconstructed - https://vimeo.com/245778144/4d1d597c5e * Dynamic Kubernetes - http://dynamic-kubernetes.carson-anderson.com...



Thursday December 7, 2017 11:10am - 11:45am
Meeting Room 19AB, Level 4

11:10am

Deploying Kubernetes Without Scaring Off Your Security Team [I] - Paul Czarkowski, Pivotal & Major Hayden, Rackspace
subtitle: "The Major Hayden Center For Kubernauts Who Can't Security Good And Wanna Learn To Do Other Stuff Good Too"

One of the larger roadblocks we face in the enterprise when trying to adopt new technologies is getting the security and compliance teams onboard.

Tools like kubicorn and kubeadm are likely the foundation on which Kubernetes deployments will be performed in the future, as they help simplify the deployment and operation of Kubernetes, a very complex distributed system.

However, concerns about security and compliance, which are not yet addressed by those tools, may act as inhibitors and roadblocks to using them, and thus Kubernetes, in the enterprise.

Thankfully the techniques and tools for deploying Enterprise Linux distributions, securing them, and ensuring compliance already exist and can be very easily combined with Kubernetes.

In this talk we’ll expand upon these enterprise requirements and use cases and show how we can use existing Ansible tooling to deploy Kubernetes on bare metal or in the cloud, monitor it with common enterprise monitoring tools, secure it with a 2FA SSH bastion, and ensure DISA STIG compliance.

Speakers
Paul Czarkowski

Principal Technologist, Pivotal Software
Paul Czarkowski is a recovering Systems Administrator who has run infrastructure for longer than he cares to admit. After cutting his teeth in the ISP and Gaming industries Paul changed his focus to using (and contributing to) Open Source Software to improve the Operability of complex...

Major Hayden

Principal Software Engineer, Red Hat
Major Hayden is a principal software engineer at Red Hat and he is the technical lead for the Continuous Kernel Integration (CKI) project. He spends most of his day wrestling with kernel tests on various architectures using GitLab, Python, and OpenShift. He maintains a technical blog...



Thursday December 7, 2017 11:10am - 11:45am
Meeting Room 12AB, Level 4

11:55am

Building GPU-Accelerated Workflows with TensorFlow and Kubernetes [I] - Daniel Whitenack, Pachyderm
GPUs are critical to some artificial intelligence workflows. In particular, workflows that utilize TensorFlow, or other deep learning frameworks, need GPUs to efficiently train models on image data. These same workflows typically also involve multi-stage data pre-processing and post-processing. Thus, a unified framework is needed for scheduling multi-stage workflows, managing data, and offloading certain workloads to GPUs.

In this talk, we will introduce a stack of open source tooling, built around Kubernetes, that is powering these types of GPU-accelerated workflows in production. We will do a live demonstration of a GPU enabled pipeline, illustrating how easy it is to trigger, update, and manage multi-node, accelerated machine learning at scale. The pipeline will be fully containerized, will be deployed on Kubernetes via Pachyderm, and will utilize TensorFlow for model training and inference.

Speakers
Daniel Whitenack

Lead Data Scientist and Advocate, Pachyderm
Daniel Whitenack (@dwhitena) is a Ph.D. trained data scientist working with Pachyderm (@pachydermIO). Daniel develops innovative, distributed data pipelines which include predictive models, data visualizations, statistical analyses, and more. He has spoken at conferences around the...



Thursday December 7, 2017 11:55am - 12:30pm
Meeting Room 9C, Level 3

11:55am

Kubernetes Feature Prototyping with External Controllers and Custom Resource Definitions [I] - Tomas Smetana, Red Hat
Getting a patch into Kubernetes might be difficult. Getting a new feature into Kubernetes is... an even more interesting experience. When working on the persistent volume snapshotting feature we realized that the straightest path might not lead us where we wanted. Our original idea of adding a few API objects and a controller became more complicated when we presented it to the community. So we took a small detour by creating the feature out-of-tree first.

In the talk I will describe the journey of the volume snapshotting feature, how external controllers work, what Custom Resource Definitions are, and how to add features to Kubernetes without changing its code base.

Speakers
Tomas Smetana

Engineering Manager, Red Hat
Tomas is an Engineering Manager at Red Hat. He is an Open Source enthusiast who used to work on various userspace Linux components, contributing to several FOSS projects. For the past year he has been active in the Kubernetes Storage SIG.



Thursday December 7, 2017 11:55am - 12:30pm
Meeting Room 6AB, Level 3

11:55am

Building Helm Charts From the Ground Up: An Introduction to Kubernetes [I] - Amy Chen, Heptio
Learn the basics of Kubernetes from the perspective of creating a Helm Chart from scratch!

The Kubernetes cluster will be launched from Rancher, an open source container management software. At the end of this workshop, you will have a functional understanding of pods, services, deployments, Helm, Rancher, and more!


Why learn Kubernetes with Helm Charts?
Much of today's beginner educational content for Kubernetes uses the Kubernetes CLI tool. This can make it hard to visualize the relationship between each command and debug your cluster. Learning how to incrementally build Helm Charts provides a bigger picture of your cluster and is more reproducible.

Why is Rancher cool?
Rancher makes it easy to configure, deploy and manage Kubernetes, on any infrastructure!

I'm in, what are we doing?
- Gain a high level understanding of key Kubernetes concepts accompanied with a lot of diagrams
- Gain an understanding of Rancher's open source container management platform
- Incrementally build an Nginx Helm Chart
- Deploy Nginx from a Kubernetes cluster managed by Rancher

Speakers
Amy Chen

Systems Software Engineer, VMware
Amy Chen (VMware) is a systems software engineer at VMware who joined through the Heptio acquisition. She is passionate about Kubernetes, Go, containers, and distributed systems. In her free time, she also runs a YouTube channel (https://www.youtube.com/AmyCodes) that discusses software...


Thursday December 7, 2017 11:55am - 12:30pm
Ballroom A, Level 1

11:55am

Managing and Running Multiple Kubernetes Clusters in Hybrid Setups [I] - Sebastian Scheele, Loodse & Simon Pearce, SysEleven
As a hosting provider, SysEleven runs and manages multiple Kubernetes clusters for various customers on different platforms. In this talk, we will give you a breakdown of how we run one single Google-like container engine for various clouds and also for bare metal. Moreover, we show how we provide high-availability clusters by running Kubernetes on Kubernetes.

Speakers
Simon Pearce

System Architect, SysEleven
Simon Pearce has been a System Architect at SysEleven in Berlin, Germany since 2013. He has over 15 years of experience in the web hosting industry, with a focus on building distributed systems on public and private clouds. He is responsible for the Kubernetes service team at SysEleven...

Sebastian Scheele

CEO, Loodse
Sebastian Scheele is the CEO and co-founder of Loodse. Loodse is an enterprise software platform company that enables enterprises and service providers to deliver automated multi-cloud operations. Loodse Kubermatic, an enterprise Kubernetes management platform, automates thousands...



Thursday December 7, 2017 11:55am - 12:30pm
Meeting Room 8ABC, Level 3

11:55am

Kubernetes on AWS: Practices & Opinions [I] - Arun Gupta, Amazon Web Services & Raffaele di Fazio, Zalando
A lot of progress has been made on how to bootstrap a cluster since Kubernetes' first commit. It is now only a matter of minutes to go from zero to a running cluster on Amazon Web Services. There are still many fundamental topics to take a simple setup to something that can be run in production in a large enterprise and it is easy to get confused by the number of options and customizations.
In this talk we will show both common practices for running Kubernetes on AWS and an opinionated view of those. Specifically, we will cover options and recommendations on how to install and manage clusters, configure high availability, perform rolling upgrades and handle disaster recovery, as well as continuous integration and deployment of applications, logging, and security.
At the same time, we will explain how those topics are addressed at Zalando, Europe's leading fashion platform, based upon their experience of operating tens of Kubernetes clusters in production on AWS.

Speakers
Raffaele Di Fazio

Software Engineer, Zalando SE
Raffaele has worked with Zalando's Platform Engineering team in Berlin since 2015. There he is working on container technologies, currently focusing on Kubernetes and cluster orchestration. Over the years, Raffaele developed a genuine passion for simplicity and the Golang language...

Arun Gupta

Principal Technologist, AWS
Arun Gupta is a Principal Technologist at Amazon Web Services. He is responsible for the Cloud Native Computing Foundation (CNCF) strategy within AWS, and participates actively in CNCF Board and technical meetings. He works with different teams at Amazon to help define their open...



Thursday December 7, 2017 11:55am - 12:30pm
Ballroom C, Level 1

11:55am

Preventing Attacks at Scale [I] - Dino Dai Zovi, Capsule8

Security hardening for containers, clusters, and operating systems is a very important part of setting up infrastructure and is always "Plan A". The world of "Plan A" defends the importance of making sure your cluster is set up securely. Dino comes from the world of "Plan B" and will focus on detecting when security boundaries have been breached. This is necessary for environments where you don't have the ability to ensure the base OS is fully patched, etc.

Step into the world of Linux kernel features such as seccomp, eBPF, kprobes and Kubernetes tunable security features and learn how to detect and defend against attacks at scale.


Speakers
Dino Dai Zovi

CTO, Capsule8
Dino Dai Zovi is the Co-Founder and CTO at Capsule8. Dino is also a regular speaker at information security conferences, having presented his independent research at conferences around the world including DEF CON, Black Hat, and CanSecWest. He is a co-author of the books "The iOS Hacker's...



Thursday December 7, 2017 11:55am - 12:55pm
Meeting Room 12AB, Level 4

2:00pm

Testing Distributed Software on Kubernetes with PowerfulSeal [I] - Mikolaj Pawlikowski, Bloomberg
When it comes to distributed systems, testing is hard. But it's more fun when you have a Seal.

Come and meet PowerfulSeal, a simple solution to introduce some chaos to your systems.

PowerfulSeal understands Kubernetes and lets you:
- write simple yaml policies to describe scenarios of destruction
- target specific pods and deployments (k8s integration)
- target specific nodes and take them up and down
- discover things in interactive mode with awesome auto-complete

Don't wait for your software to break, break it yourself, and fix it before it's too late!

Speakers
Mikolaj Pawlikowski

Software Engineer Project Lead, Bloomberg
Mikolaj Pawlikowski previously built 2 startups, worked as a freelance consultant and collaborated on open source projects like Cozy Cloud. He has been evangelizing containers and their orchestration tirelessly at Bloomberg. In his free time he's researching productivity and happ...


Thursday December 7, 2017 2:00pm - 2:35pm
Meeting Room 10AB, Level 3

2:00pm

"Hot Dogs or Not" - At Scale with Kubernetes [I] - Vish Kannan & David Aronchick, Google
Kubernetes promises to be a multi-workload platform. This talk will explore how Kubernetes can be easily leveraged to build complete Deep Learning pipelines, starting all the way from data ingestion/aggregation, pre-processing, and ML training, through serving with the mighty Kubernetes APIs. This talk will use TensorFlow and other ML frameworks to highlight the value that Kubernetes brings to Machine Learning. Along the way, key infrastructure features introduced to abstract and handle hardware accelerators, which make Machine Learning possible, will also be presented.

Speakers
David Aronchick

Head of OSS Machine Learning, Microsoft
David leads Open Source Machine Learning Strategy at Azure. This means he spends most of his time helping humans to convince machines to be smarter. He is only moderately successful at this. Previously, he led product management for Kubernetes, launched Google Kubernetes Engine and...

Vishnu Kannan

Software Engineer, Google Inc
Vishnu Kannan is a Senior Software Engineer at Google. Vishnu received his Masters in ECE from Georgia Tech. He has been a systems engineer ever since he graduated. He hacked on the Linux Kernel for a couple of years at Cisco. He then worked on Borg at Google. He is currently an...


Thursday December 7, 2017 2:00pm - 2:35pm
Meeting Room 9C, Level 3

2:00pm

Extending the Kubernetes API: What the Docs Don't Tell You [I] - James Munnelly, Jetstack
At the heart of Kubernetes is its API. Whilst on the surface it may appear relatively simple to use, under the hood is a beast of complex conversions, codecs and generators. In this talk, I'll show you how the Kubernetes maintainers have created their own tooling to make this process easy when contributing to core, and how you can use this to build your own custom controllers, operators and API servers. I'll then demonstrate this technique with a pager extension to Kubernetes.

Speakers
James Munnelly

Solutions Engineer, Jetstack
James is a Solutions Engineer at Jetstack, which involves helping customers bend and break Kubernetes to their will. He helps maintain a number of extensions to Kubernetes, including cert-manager (a Kubernetes native x509 certificates platform), kubernetes-sigs/kind (Kubernetes-in-Docker...



Thursday December 7, 2017 2:00pm - 2:35pm
Meeting Room 6AB, Level 3

2:00pm

Scaling to 5000+ Unique K8s Deployments, How We Did It [I] - Nicole Hubbard, WP Engine
Most organizations only need to run a couple of deployments of their application in Kubernetes. In these situations, deploying onto Kubernetes clusters is relatively straightforward. What happens when you need to simultaneously deploy 5,000 unique instances of your application to different Kubernetes clusters at different providers worldwide?

Over the last year, we have worked to move over 60,000 of our customers' unique workloads from virtual machines onto Kubernetes. I will share our experiences on how to automate and simplify managing unique Kubernetes workloads at scale.

Speakers
Nicole Hubbard

Architect, WP Engine
Nicole Hubbard is an Architect at WP Engine where she focuses on building container based infrastructure, automation and helping teams deploy their applications.



Thursday December 7, 2017 2:00pm - 2:35pm
Ballroom B, Level 1

2:00pm

Certifik8s: All You Need to Know About Certificates in Kubernetes [I] - Alexander Brand, Apprenda
Certificates are an integral part of a secure Kubernetes cluster deployment. They are mainly used to secure the Kubernetes API server using TLS, but certificates (and keys) are also used for other cluster functions such as client authentication, encryption of secrets, TLS bootstrapping, and the generation of service account tokens.

Certificates pose interesting challenges to cluster operators. What does the certificate setup look like in an ideal scenario? How long should certificates be valid for? When nearing expiration dates, how can certificates be rotated to ensure the cluster remains operational? These challenges must be understood when it comes to deploying and operating a Kubernetes cluster.

After this talk, you should have a better understanding of:
- How each cluster component uses certificates for secure communications
- How certificates can be used for authentication, including service account tokens
- How the Kubelet TLS bootstrapping process works
- How to plan, generate and deploy the certificates required for a secure cluster
- How to rotate certificates that are nearing their expiration date

Speakers
Alexander Brand

Senior Systems Analyst, Apprenda
Alex works on the Kismatic Enterprise Toolkit at Apprenda, making the deployment of production Kubernetes clusters easier. He has been involved with Kubernetes and related projects since early 2016. Before Apprenda, Alex attended Queen's University in Canada, where he majored in Biomedical...



Thursday December 7, 2017 2:00pm - 2:35pm
Meeting Room 12AB, Level 4

2:45pm

Developing Locally with Kubernetes [I] - Ryan Jarvinen, Independent
This talk will cover several common local development scenarios, and will review the major tradeoffs found when adopting minikube, minishift, draft, and other popular tools for enabling local development of distributed web solutions.

Learn how using Kubernetes locally can help your web teams deliver solutions faster and more reliably.

Speakers
Ryan Jarvinen

Developer Advocate, Red Hat
Ryan Jarvinen is a Developer Advocate and Open Source Evangelist focusing on improving developer experience in the container community. He lives in Oakland, California and is passionate about open source, open standards, open government, and digital rights. You can reach him as "RyanJ...



Thursday December 7, 2017 2:45pm - 3:20pm
Meeting Room 10AB, Level 3

2:45pm

Vault and Secret Management in Kubernetes [I] - Armon Dadgar, HashiCorp
Secret data is everywhere, from database credentials, TLS certificates and API tokens to encryption keys. Managing secrets is a difficult challenge, but HashiCorp Vault provides an answer. In this talk, we discuss the challenges in secret management, provide an overview of Vault, and discuss how Vault and Kubernetes can be integrated. Integrating Vault solves the basic secret management challenge of securely distributing credentials, but also gives applications running on Kubernetes access to features like dynamic secrets, which are generated on demand, and cryptographic offload to securely manage data in transit and at rest.

Speakers
Armon Dadgar

CTO, HashiCorp
Armon (@armon) has a passion for distributed systems and their application to real-world problems. He is a founder and CTO of HashiCorp, where he brings distributed systems into the world of DevOps tooling. He has worked on Nomad, Vault, Terraform, Consul, and Serf at HashiCorp, and...



Thursday December 7, 2017 2:45pm - 3:20pm
Ballroom A, Level 1

2:45pm

The Elements of Kubernetes - Foundational Concepts for Apps Running on Kubernetes [I] - Aaron Schlesinger, Microsoft Azure
“The Elements of Style” is one of the most important and foundational guidelines on how to write well. It has effectively summarized, in a list of seminal guidelines, how to harness the power of the English language to write high quality prose of almost any kind.

In computing, we have similar guides for various technologies. Python offers “The Zen Of Python”, Ruby has “The Rails Doctrine”, and so on...

One of the powers these documents wield is that they help serve as a “north star” that guides an entire community toward the same goals.

I believe we need a similar guide for Kubernetes. It would describe how app developers and operators should think about and use the features in Kubernetes to build and deploy reliable, stable apps. Armed with such a guide, we could all hope to better understand the “essence” of Kubernetes in pursuit of building better cloud native apps.

We don’t have anything like this today, but many in the Kubernetes community have strong, detailed opinions for what should go in this guide. Much of it is tribal knowledge or scattered in blog posts.

In this talk, I’ll try to bring many of these opinions together and lay out an “Elements of Kubernetes” guide for app developers and operators alike. I’ll do so by relating each “element” to stories and details I’ve seen in the community that reveal what makes a good Kubernetes and cloud native app.

Speakers
Aaron Schlesinger

Cloud Developer Advocate, Microsoft
Aaron is a developer advocate at Microsoft Azure and a core maintainer of the Athens Project. He is an emeritus core maintainer and chair of the Kubernetes SIG-Service-Catalog and a contributor to various other projects in the Kubernetes community. He enjoys distilling his wide ranging...



Thursday December 7, 2017 2:45pm - 3:20pm
Meeting Room 19AB, Level 4

3:50pm

Helm Chart Patterns [I] - Vic Iglesias, Google
You will learn about the patterns and best practices we have learned from reviewing and maintaining the charts in the public Helm Charts repo. You will learn how to make your charts reproducible, scalable, flexible, configurable, and composable.

Speakers
Vic Iglesias

Solutions Architect, Google
Vic Iglesias is a Staff Solutions Architect at Google with years of experience in both on-premise and in-cloud workload deployment, orchestration and management. He is a maintainer of the Kubernetes Charts repo and focuses on helping customers adopt Container Engine reliably, securely...


Thursday December 7, 2017 3:50pm - 4:25pm
Ballroom A, Level 1

3:50pm

Running MySQL on Kubernetes [I] - Patrick Galbraith, Consultant
MySQL is the world's most popular open source database and there are a number of ways to run it on Kubernetes. This talk will cover each type of MySQL deployment strategy, starting from a simple MySQL pod, moving to an asynchronously replicated master-slave setup and a synchronous Galera cluster, and on to a Vitess clustering system, which allows for horizontal scaling of MySQL and has built-in sharding. For each, it explains how it is deployed, what features are available, and what type of application it lends itself to.


Speakers
Patrick Galbraith

Principal Platform Engineer, Oracle
Patrick Galbraith has been involved in MySQL, Linux, and other Open Source (OSS) projects going back to the early days of Slackware. He has worked at a broad spectrum of companies and in a wide array of roles throughout his career, including Slashdot, MySQL, Blue Gecko, Hewlett-Packard, and...



Thursday December 7, 2017 3:50pm - 4:25pm
Meeting Room 9C, Level 3

3:50pm

Compliance and Identity Management in Kubernetes [I] - Marc Boorshtein, Tremolo Security, Inc.
Compliance with what? It depends on your industry. As k8s continues to expand into regulated enterprises such as government, health care and financials, deployments will need to understand how managing users and their access relates to compliance obligations. This session will focus on how identity management can be approached to solve this issue. How do you onboard users? Authorize their access to a namespace? Offboard them? Is there a need to differentiate between a privileged user and an unprivileged user? I'll go beyond the technical implementation in k8s and tie it to specific compliance requirements in FISMA, and demo how solving the compliance issue can also improve the usability and security of your k8s deployment. This talk will follow a similar form to https://www.tremolosecurity.com/openshift-compliance-and-identity-management/ but specifically on k8s.

Speakers
Marc Boorshtein

CTO, Tremolo Security, Inc.
Marc has nearly fifteen years of identity and access management experience as a software engineer, product developer, and consultant. He is experienced in building, deploying, and managing identity systems from most major vendors across numerous industries, as well as working with security...



Thursday December 7, 2017 3:50pm - 4:25pm
Meeting Room 12AB, Level 4

3:50pm

Pontoon: An Enterprise Grade Serverless Framework Using Kubernetes – As Used in VMware Cloud Services [I] - Kumar Gaurav & Mageshwaran Rajendran, VMware
In VMware Cloud services, we perform both batch and real-time computations based on periodic schedules and on-demand events, using our in-house developed serverless framework called Pontoon. This provides better utilization of resources and enables our service developers to write serverless functions with simple declarations.
Kubernetes provides Jobs and Deployments as design constructs to handle such needs, while other frameworks like IronIO Functions, Fabric8, et al. aim to solve the end-to-end use case. However, we had to extend on top of Kubernetes Jobs & Deployments to define the packaging and I/O interactions of the function, implement a priority queue for execution, and provide a declarative retry policy while ensuring high availability. A developer 'writes' a function supporting common EAI patterns for start-time parameterized variables, and defines its packaging and scheduling using a yaml file. The framework then packages it as a container along with an 'observer' container in a pod, 'registers' it with the scheduler while ensuring a choice of 'warm' vs on-demand requisite replicas of the pod, and then through a 'Scalar' manages the execution and life cycle of the job, while logging and tracing failures/success.
This framework has been in use for months in VMware Cloud services and we are now open sourcing it.

Speakers
Kumar Gaurav

Director R&D, VMware
Kumar Gaurav is working on the first set of services under the VMware Cloud Services umbrella, a SaaS offering. He is a veteran at VMware, having built many cloud management products over 9 years, and holds dozens of US patents and a few academic publications in the container space. He is the...

Mageshwaran Rajendran

Staff Developer, VMware
Mageshwaran Rajendran is a lead designer and co-architect of Cost Insight, one of the services under the VMware Cloud Services SaaS offering. He has earlier built big data based batch & real-time data pipelines handling TBs of data for a financial institution and distributed applications...



Thursday December 7, 2017 3:50pm - 4:25pm
Meeting Room 9AB, Level 3

4:35pm

Developer Tooling for Kubernetes Configuration [I] - Gareth Rushgrove, Puppet
Writing Kubernetes YAML files provides a simple starting point for most users of Kubernetes. Mainly through the power of copy and paste we all get our first examples working. But as usage of Kubernetes grows, spanning teams and time, we build up a lot of those YAML files. Many people reach for templating, or look at higher-level tooling like Helm packages next. But catching errors is still mainly a manual process of running the resulting configuration against a working Kubernetes cluster.

In this talk we’ll look at what’s missing in this workflow, looking for inspiration from developer tooling from other languages and frameworks. In particular we’ll consider:

* Ways of providing feedback about invalid configuration in our text editors
* Validating configuration against the Kubernetes types, especially useful when generating that configuration from templates
* Checking Kubernetes configuration is valid for different versions of Kubernetes
* What unit testing our Kubernetes configuration looks like
* How to integrate all of this together into a continuous integration based workflow

We’ll show examples using straight YAML files, templating and higher-level tooling like Helm and Jsonnet. The talk will also cover the benefits of a standard development environment, especially for new users, and provide tips for those getting started and more experienced users. The audience should come away with ideas for making their Kubernetes experience more efficient and more developer friendly.

Speakers
Gareth Rushgrove

Director Product Management, Snyk
Gareth works remotely from Cambridge, UK, helping to build interesting tools for people to better manage infrastructure and applications. He currently works at Snyk, working on developer-first security tooling. He has previously worked for the UK Government Digital Service focused...


Thursday December 7, 2017 4:35pm - 5:10pm
Meeting Room 10AB, Level 3

4:35pm

Accelerating Humanitarian Relief with Kubernetes [I] - Erik Schlegel & Christoph Schittko, Microsoft
How can UN humanitarian aid field experts use social media to gain insight, understand trends and track key humanitarian issues? Through a collaboration with Microsoft and UN OCHA, Project Fortis was created to accelerate the surveillance around humanitarian disasters and health epidemics around the world.

This talk discusses the architecture of a highly available native Spark pipeline running across multiple Kubernetes clusters to support Fortis customers.

Speakers
Christoph Schittko

Principal Software Development Engineer, Microsoft
Christoph Schittko is an engineer with Microsoft working with customers on innovative solutions in the areas of containerization and AI. He's been working with Microsoft customers on building cloud solutions since Azure was called "Red Dog". He’s recently been a contributor to...

Erik Schlegel

Senior Engineer, Microsoft
Erik is an open source engineer at Microsoft, based in the Austin area. He's one of the original contributors to the React Native Universal Windows Platform (UWP). Erik leads the engineering effort of Project Fortis, an open source data gathering / surveillance insight platform...



Thursday December 7, 2017 4:35pm - 5:10pm
Meeting Room 9C, Level 3

4:35pm

Extending Kubernetes: Our Journey & Roadmap [I] - Daniel Smith & Eric Tune, Google
What is the vision for Kubernetes Extensibility? Do you know the difference between initializers, cloud providers, and the CRI? In this talk we will describe how extension points in Kubernetes have evolved and go over the options today, and what they let you do. As we go over the extension points, we’ll give our vision for how they will evolve in the future, and talk about the sorts of things we expect the broader Kubernetes ecosystem to build out of them.

Speakers
Daniel Smith

Staff Software Engineer, Google
Daniel has been working on Kubernetes since before it was open sourced, and is still one of the top contributors overall today. Currently, he is co-TL of the Kubernetes API Machinery SIG, and TL of the corresponding Google team. Before Kubernetes, Daniel worked on Google’s Borg...

Eric Tune

Senior Staff Software Engineer, Google
Eric is a Senior Staff Software Engineer at Google, where he is an overall technical lead on Google Container Engine (GKE). He started contributing to Kubernetes in 2014. Before Kubernetes, he worked on Google's Borg project, and was a co-author of the Borg paper.



Thursday December 7, 2017 4:35pm - 5:10pm
Meeting Room 6AB, Level 3

4:35pm

The Architecture of a Multi-Cloud Environment with Kubernetes [I] - Brian Redbeard, CoreOS
Kubernetes is an orchestration platform that enables running distributed systems, which are designed with the philosophy of spreading wide to best prepare for outages. This is achieved by deploying your cloud applications at least across multiple hosts, and at best across multiple cloud vendors. Getting Kubernetes configured to run across multiple cloud environments, including on-premises and hybrid deployments, is a tricky undertaking. Hybrid deployments are a feature many organizations want to implement for a variety of reasons, including security over their data, reliability, and more.

Brian Redbeard, chief architect at CoreOS, will discuss the importance of using open source tools to prevent cloud vendors from locking their users into their walled gardens, and will explore the challenges of making Tectonic, CoreOS’s Kubernetes implementation, able to run on multiple cloud platforms.

Speakers
Brian Redbeard

Chief Architect, CoreOS
Brian Harrington, also known as Redbeard, is chief architect at CoreOS. He is a developer, hacker, and technical writer in the areas of open-source development and systems administration. His time spent in both defensive and offensive computing has combined with his readings of classical...



Thursday December 7, 2017 4:35pm - 5:10pm
Ballroom A, Level 1

4:35pm

101 Ways to Crash Your Cluster [I] - Marius Grigoriu & Emmanuel Gomez, Nordstrom
Running a Kubernetes cluster requires operating many components. One must be good at running and scaling etcd, multiple control plane components, a monitoring system, a logging pipeline, Docker, rkt, and Linux itself. And this list isn't even close to being complete. With such a long list of technologies comes the potential to make a mistake that brings the whole cluster down. Come hear war stories from Nordstrom's Kubernetes cluster admins. Each is a true story of how the cluster melted down, how they recovered, and what they did to prevent it from happening again. Don't let any of these happen to you...

Speakers
Emmanuel Gomez

Principal Engineer, Nordstrom
Emmanuel initiated and served as tech lead on the Kubernetes platform efforts at Nordstrom for the last three years. He was working with and advocating for containers before the Kubernetes 1.0 release and has continuously (and tirelessly) developed, operated, educated, and led containerization...

Marius Grigoriu

Sr Manager, Nordstrom
Marius Grigoriu leads the teams responsible for all of the major tools along the software delivery pipeline: issue tracking, version control, continuous integration and deployment, and production through the use of Kubernetes. His focus is to help teams ship high quality systems on...



Thursday December 7, 2017 4:35pm - 5:10pm
Ballroom B, Level 1

4:35pm

Multi-Tenancy Support & Security Modeling with RBAC and Namespaces [I] - Fred Vong & Michael Y. Chen, VMware
As container technologies mature, Kubernetes is clearly gaining momentum with developers as a means to deploy their distributed applications. As more applications and clusters are deployed by more developers, multi-tenancy and isolation become concerns not only for the app developer, but also for the cluster admins. In this talk, we will discuss the various cluster security models available today, and how to use namespaces to provide tenant isolation. We will also demonstrate how to use Kubernetes’ Role Based Access Control (RBAC) feature as a means of enforcing a multi-tenant security model. By assigning roles and role bindings and creating namespaces, we can implement restrictions on resource consumption and provide tenant isolation throughout the cluster. We’ll also demonstrate how the RBAC feature provides granularity of access control that can be adjusted to suit varying requirements—from granting full access to users or groups to a cluster to only granting access to specific resources within a namespace. Following the discussion of how to build a security model with namespaces and RBAC, this talk will also feature a live demonstration of RBAC and namespaces in action to illustrate the concepts and show how both admins and developers are affected by the model.

Speakers
Michael Chen

Senior Manager, VMware

Fred Vong

Staff Engineer, VMware
Fred Vong is passionate about cloud and data center automation technologies. Currently, he is actively working in both the OpenStack and container orchestration areas at VMware. He believes the deployment of a whole software stack should be as simple as clicking a button.



Thursday December 7, 2017 4:35pm - 5:10pm
Meeting Room 12AB, Level 4

Friday, December 8


11:10am

CNI, CRI, and OCI - Oh My! [I] - Elsie Phillips & Paul Burt, CoreOS
If you work with containers, it’s easy to get lost in the emerging standards and foundations. You might have questions like:
What is OCI? What happened to appc? Do I need to do anything to take advantage? Don’t we already have container runtimes? So, why do we need CRI? Similarly, what’s the use of CNI with all of the container networking solutions already out there?

Our aim is to answer all of these questions, and showcase places you can find (and use!) each of them. We’ll discuss how these specs affect you when using Kubernetes or other container orchestrated projects. Kubernetes will serve as a handy vehicle for some short, live demos. We’ll explore how each standard is improving our lives today, and what kinds of innovation they open up for the future.

Speakers
Paul Burt

Community + Product Marketing, CoreOS
Paul Burt is a Community Manager at CoreOS. He’s upvoting your /r/kubernetes threads and answering your #coreos questions on freenode. Paul has a knack for demystifying infrastructure and making gnarly, complex topics approachable. He enjoys home brewing beer, reading independent...

Elsie Phillips

Community Manager, CoreOS
Elsie herds the CoreOS Community and Co-Leads the Kubernetes Contributor Experience SIG. She's a northwest native who got her start in open source working at the Oregon State University Open Source Lab. In her free time she throws wild one woman dance parties and makes a mean vegan...



Friday December 8, 2017 11:10am - 11:45am
Meeting Room 19AB, Level 4

11:10am

Hybrid Cloud Powered by Kubernetes [I] - Aparna Sinha, Eric Brewer & Matthew DeLio, Google
Open Source Software (OSS) is great because it gives us freedom. OSS users by nature want to roll their own on premises, and use best-of-breed services in public clouds, and without lock-in. Fortunately, Kubernetes runs everywhere, so developers and operators don't need to learn new technologies to run hybrid and multi-cloud applications.

In this talk, we will demonstrate the use of two new extensibility features in Kubernetes to connect legacy on-premises applications and managed public cloud services with services running on Kubernetes in both places, creating an environment where users can have the best of all worlds. We will show the type of use cases this technology enables using examples from Google's cloud platform.

Speakers

Eric Brewer

VP Infrastructure, Google
Eric joined Google in 2011 and leads the company’s compute infrastructure design, including Google Cloud Platform. He focuses on all aspects of Internet-based systems including cloud computing, scalability, containers, and storage. As a researcher, he has led projects on scalable...

Matthew DeLio

Product Manager, Google
Matthew DeLio is product manager at Google for Kubernetes multi-cluster, networking, and storage. He's also the PM SIG representative for storage. Prior to product management, Matthew was a software engineer at Google and has worked on search and platforms. He holds an MBA from the...

Aparna Sinha

Group Product Manager for Kubernetes, Google
Aparna Sinha leads the product team for Kubernetes at Google. Her work is focused on transforming the way we work through technology innovation. Before Kubernetes, Aparna worked on the Android platform at Google. Prior to that she was Director of Product at NetApp where she led storage...


Friday December 8, 2017 11:10am - 11:45am
Meeting Room 8ABC, Level 3

11:10am

Modern Big Data Pipelines over Kubernetes [I] - Eliran Bivas, Iguazio
Big data used to be synonymous with Hadoop, but our ecosystem has evolved over time with new database, streaming and machine learning solutions which don’t necessarily benefit from the Hadoop deployment model of Map/Reduce, YARN and HDFS. These solutions require a generic cluster scheduling layer to host multiple workloads such as Kafka, Spark and TensorFlow, alongside databases such as Cassandra, Elasticsearch and cloud-based storage.

Eliran Bivas is a senior big data architect with years of hands-on experience working on both big data and cloud native solutions. Eliran will go over a common solution framework to create cloud native end-to-end analytics applications. It involves using Kubernetes as an alternative to Yarn, running Spark, Presto, machine learning frameworks (TensorFlow, Python and Spark ML kits) and serverless functions coupled with local and cloud-based storage. The session will showcase customer use-cases from IoT, automotive, cloud SaaS and finance. It will also include a live solution demo which demonstrates the benefits of using big data and analytics over a cloud native architecture, eliminating the existing challenges of complexity and moving towards a continuous integration and development architecture for big data.

Speakers

Eliran Bivas

Senior Big Data Architect, iguazio
Eliran Bivas is a senior big data architect at iguazio and a self-proclaimed tech junkie with a passion for innovation. Eliran is skilled with object-oriented design and development, having worked extensively on cloud native environments. He has broad experience developing with cloud...



Friday December 8, 2017 11:10am - 11:45am
Meeting Room 9C, Level 3

11:10am

You Have Stateful Apps - What if Kubernetes Would Also Run Your Storage? - Annette Clewett & Sudhir Prasad, Red Hat
Kubernetes supports Stateful Applications by connecting to your existing storage. But what if you don’t have any? Or the storage capabilities differ between your environments? Wouldn’t it be nice if Kubernetes itself were able to provide storage services without any external dependency from Day 1?

gluster-kubernetes is an umbrella project, currently being submitted for inclusion in CNCF, tying together various open source technologies to do just this. It takes the concept of “container-native storage” literally and orchestrates containerized GlusterFS, a scalable, software-defined storage solution to provide object storage, file storage and block storage for your applications. In this session you will learn about the components in play and how they make Kubernetes provide Persistent Storage and S3 Object Storage that scales with the cluster and runs everywhere.

Speakers

Annette Clewett

Principal Architect, Red Hat
Red Hat Storage Architect with broad knowledge across a spectrum of technologies – network, storage, virtual, and platform. Have successfully delivered countless studies that improved end-user experience and created a more efficient and available infrastructure. Current projects...

Sudhir Prasad

Product Management Director, Red Hat
Sudhir drives the Container Native Storage and Container Ready Storage Red Hat portfolio for Kubernetes. Before joining Red Hat, Sudhir led Product Management and Strategy at Violin Memory and led the Manageability product portfolio for automation & orchestration at NetApp. Before moving...



Friday December 8, 2017 11:10am - 11:45am
Ballroom A, Level 1

11:10am

Moving from Mesos to Kubernetes Without Anyone Noticing [I] - Anubhav Mishra, Hootsuite
At Hootsuite, we’ve been using Mesos and Marathon as our microservices platform for over two years but last year, we made the decision to bet on Kubernetes as its replacement. Eight months later, a small team of three operations engineers had migrated our first microservice from Mesos to Kubernetes. All without developers making any code changes. This was possible by architecting our applications with the proper set of abstractions. Fast-forward three months later and we have almost 20 microservices running on Kubernetes in production.

In this session, we’ll do a live demo of migrating a service from Mesos to Kubernetes, just like how we did it at Hootsuite! We will cover why architecting your infrastructure with the “right” abstractions helps you do these huge migrations with ease and how Kubernetes already contains these abstractions. We will explore how having a service mesh helps routing between two platforms while doing the migration. Also, how a mature CI/CD pipeline can help you deploy to two platforms with ease. To conclude we will explore the differences in running a service in Mesos and Kubernetes.

Speakers

Anubhav Mishra

Developer Advocate, HashiCorp
Anubhav Mishra is a Developer Advocate at HashiCorp. He previously worked at Hootsuite. At Hootsuite he was focused on building cloud infrastructure and distributed systems. His work spans developers and operators. He helped create the next generation microservice delivery platform...



Friday December 8, 2017 11:10am - 11:45am
Ballroom B, Level 1

11:10am

IoK: Istio-on-Kubernetes Deep Dive [I] - Daneyon Hansen, Cisco
Running microservices at scale is not easy. Istio is an open platform to connect, manage, and secure microservices. Did I mention that Istio runs on Kubernetes? During the talk I will cover the following content:
- Istio Introduction
- Istio Key Concepts - Traffic Management, Auth, Policy, etc.
- Istio Demonstration
- Istio-on-Kubernetes Roadmap
- Q&A

Speakers

Daneyon Hansen

Principal Software Engineer, Cisco
Daneyon is a software engineer at Cisco responsible for developing distributed applications. As part of the Cloud CTO Office, Daneyon focuses on contributing to emerging cloud computing technologies such as Kubernetes, Istio and others.



Friday December 8, 2017 11:10am - 11:45am
Meeting Room 9AB, Level 3

11:55am

Istio: Sailing to a Secure Services Mesh [I] - Spike Curtis, Tigera & Dan Berg, IBM
Istio is an open platform that provides a uniform way to connect, manage, and secure microservices. In this presentation we describe the security features of the Istio service mesh: how it helps you secure service-to-service communication across clouds without application code changes, provide robust identity and strong authentication, and enforce powerful authorization policies for your applications. We discuss the current project status and look ahead to the roadmap for security features.

Speakers

Daniel Berg

Distinguished Engineer, IBM
Daniel is an IBM Distinguished Engineer responsible for the container and service mesh technical strategy within IBM Cloud. He has direct responsibility for the technical architecture and delivery of the IBM Cloud Kubernetes Service providing managed Kubernetes clusters worldwide...

Spike Curtis

Senior Software Engineer, Tigera
Spike Curtis is a software developer at Tigera. He co-leads the Istio Security Working Group and is a contributing author of SPIFFE specifications. He is also a core developer for Calico.



Friday December 8, 2017 11:55am - 12:30pm
Ballroom A, Level 1

11:55am

Kubernetes in the Datacenter: Squarespace’s Journey Towards Self-Service Infrastructure [I] - Kevin Lynch, Squarespace
As Squarespace’s engineering organization evolved, microservices became an obvious solution to quickly deliver new features and improve infrastructure reliability. We encountered significant challenges in our transition to a microservice-based architecture. Each new service increased the operations burden to provision and maintain a growing fleet of servers, frequently slowing the process of adding new services and scaling existing services in our datacenters.

I’ll discuss how we used Kubernetes to containerize our microservice ecosystem and solve those challenges. To effectively work with ephemeral Kubernetes pods, we replaced Graphite with Prometheus and Sensu with AlertManager to monitor service health rather than individual instances. We discovered massive performance issues containerizing our Java services and worked around JVM complexities. To ease our transition from virtualization to containerization, services running inside and outside of Kubernetes must seamlessly discover each other with Consul and communicate with each other. Thanks to Calico, BGP, and our Leaf-Spine Layer 3 network topology, we efficiently route pod network traffic with the rest of our network.

Speakers

Kevin Lynch

Squarespace, Squarespace
Kevin Lynch is a Staff Engineer on the Infrastructure Engineering team at Squarespace. He focuses his efforts on eliminating the complexities of datacenters with the help of automation. He received his BSc and MSc degrees in Computer Science from Drexel University. During his time...



Friday December 8, 2017 11:55am - 12:30pm
Ballroom B, Level 1

11:55am

UDP in K8S: Signed, Sealed, but Delivered? [I] - Amanpreet Singh, Crowdfire
This talk is based on my personal experience working with Kubernetes in production. I will talk about the UDP failures we encountered in production, how we found the root cause, and how we mitigated and fixed the bug in kube-proxy. This will help members of the audience who are either planning to use, or already using, Kubernetes to better understand the Kubernetes networking design and debug any issues they face.

Speakers

Amanpreet Singh

Site Reliability Engineer, Indeed
Amanpreet is an engineer at Indeed & moonlights as a crowd entertainer. He’s an Open Source enthusiast who loves Go & can eat-drink-sleep Kubernetes. He gained extensive knowledge of Kubernetes and other cloud-native technology while handling the migration and continuous improvement...



Friday December 8, 2017 11:55am - 12:30pm
Ballroom C, Level 1

11:55am

Enforcing Bespoke Policies in Kubernetes [I] - Torin Sandall, Styra
Kubernetes enables fully-automated, self-service management of large-scale, heterogeneous deployments. These deployments are often managed by distributed engineering teams that have unique requirements for how the platform treats their workloads, but at the same time, they must conform to organization-wide constraints around cost, security, and performance. As Kubernetes matures, extensibility has become a critical feature that organizations can leverage to enforce their bespoke policies.

In this talk, Torin explains how to use extensibility features in Kubernetes (e.g., External Admission Control) to enforce custom policies over workloads. The talk shows how to build custom admission controllers using Initializers and Webhooks, and shows how the same features lay the groundwork for policy-based control through integration with third party policy engines like the Open Policy Agent project.

Speakers

Torin Sandall

Software Engineer, Styra
Torin Sandall is a co-founder of the Open Policy Agent (OPA) project. Torin has spent 10 years as a software engineer working on large-scale distributed systems projects. Torin is a frequent speaker at events like KubeCon, DockerCon, Velocity, and more. Prior to working on OPA, Torin...



Friday December 8, 2017 11:55am - 12:30pm
Meeting Room 12AB, Level 4

2:00pm

Cost-effective Compute Clusters with Spot and Pre-emptible Instances [I] - Bich Le & Arun Sriraman, Platform9
Kubernetes and Spot/Pre-emptible Instances (SPIs) are arguably a match made in heaven. Traditionally, the uncertainty of SPIs (they can be terminated at any time due to price fluctuations) has made managing them tricky, and restricted them to specific workloads and use cases.

Kubernetes, in contrast, not only handles node failure very well, it has trained developers and architects to design applications to tolerate and even embrace failure. The prospect of Kubernetes abstracting the complexities of SPIs is now a reality, enabling applications to take advantage of low-cost compute across different clouds and possibly vendors.

The purpose of this talk is to educate the audience on strategies for making the most out of this powerful combination. Specifically, we will discuss these topics:

1. What are spot bidding strategies, and what is their cost vs. predictability trade-off?
2. What class of Kubernetes applications would benefit the most from SPIs?
3. Available Kubernetes mechanisms (e.g. taints/tolerations, affinity, availability zones) for placing applications based on their tolerance of SPIs
4. Implementation strategies (e.g. blending multiple autoscaling groups to satisfy both SPI-optimized applications and applications that are more mission-critical or stateful)
5. What out-of-the-box solutions exist, either free or commercial?
6. How to abstract away clouds from different regions and vendors, allowing workloads to always take advantage of the best available pricing?

The talk concludes with real-world test results involving multiple use cases and configurations, giving the audience an idea of the potential cost savings and trade-offs (if any) of combining Kubernetes and SPIs.

Speakers

Bich Le

Chief Architect, Platform9
Co-founder of Platform9 and veteran of VMware. Career in virtualization, cloud management and containerization.

Arun Sriraman

Software Engineer, Platform9 Systems Inc.
At Platform9 Systems I work on everything networking with a deeper focus on Kubernetes and Openstack. Architecting, designing and writing code to solve interesting problems gets me on and recently I've been dabbling with the internals of container technology. Before Platform9, I've...



Friday December 8, 2017 2:00pm - 2:35pm
Meeting Room 8ABC, Level 3

2:00pm

Disaster Recovery for your Kubernetes Clusters [I] - Andy Goldstein & Steve Kriss, Heptio
It’s 3am. Your pager is beeping. Your Kubernetes cluster is down. Don’t panic - we’ve got you covered. In this talk, we’ll describe a variety of disaster scenarios you may encounter. We’ll arm you with the knowledge you need to overcome them. Whether you’re a systems administrator, application developer, or end user, after this talk you’ll walk away with a thorough understanding of Kubernetes disaster recovery, including:

A disaster recovery overview
- Strategies for Kubernetes
- Comparisons to federation and high availability
- Which components to back up vs recreating from scratch

How to minimize your time to recovery
- Automate cluster creation and infrastructure configuration
- Back up and quickly restore your cluster applications, workloads, and persistent volumes using tools such as Heptio Ark

How to handle specific disaster scenarios
- Losing nodes
- Recovering from bad configuration updates
- Cloud provider outages

Speakers

Andy Goldstein

Staff Systems Engineer, VMware
Andy Goldstein is an engineer at Heptio where he works on tooling to make operating Kubernetes clusters easier, such as Ark, a disaster recovery tool for backing up and restoring Kubernetes workloads and persistent data. He is also a contributor to Kubernetes. Prior to his current...

Steve Kriss

Steve Kriss is a systems engineer at Heptio working on building tools and products to help Kubernetes users be successful, and has been a contributor to upstream Kubernetes as well as a member of the Kubernetes release team in the past. Steve recently relocated to Seattle from New...



Friday December 8, 2017 2:00pm - 2:35pm
Ballroom A, Level 1

2:00pm

Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman, Symantec
While Kubernetes offers new and exciting ways to deploy and scale container-based workloads in production, many organizations may not be aware of the security risks inherent in the out-of-the-box state of most Kubernetes installations and the common practices for deploying workloads that could lead to unintentional compromise. Join Brad Geesaman, the Cyber Skills Development team lead at Symantec, on an eye-opening journey examining real compromises and sensitive data leaks that can occur inside a Kubernetes cluster, highlighting the configurations that allowed them to succeed, applying practical applications of the latest built-in security features and policies to prevent those attacks, and providing actionable steps for future detection.

The hardening measures taken in response to the attacks demonstrated will include guidelines for improving configurations installed by common deployment tools, securing the sources of containers, implementing firewall and networking plugin policies, isolating workloads with namespaces and labels, controlling container security contexts, better handling of secrets and environment variables, limiting API server access, examining audit logs for malicious attack patterns, and more.

Speakers

Brad Geesaman

Kubernetes Security Consultant, Darkbit
Brad is an Independent Security Consultant helping clients improve the security of their Kubernetes clusters in cloud-native environments. Although he spent several years as a penetration tester, his real passion is educating others on the security risks inherent in complex infrastructure...



Friday December 8, 2017 2:00pm - 2:35pm
Meeting Room 12AB, Level 4

2:00pm

Block Volumes Support in Kubernetes [I] - Mitsuhiro Tanino, Hitachi Data Systems
Storage is an essential part of any computing system. In current Kubernetes, a user can use a storage volume with a filesystem in a container, but cannot use a volume without a filesystem, called a raw block volume.

By adding a feature to enable raw block storage directly, a user can, for example, use a raw block volume for database applications such as MariaDB, which improves I/O performance.

In this session, I will explain the current activity and feature plan for Block Volumes Support in Kubernetes.

Speakers

Mitsuhiro Tanino

Principal Software Engineer, Hitachi Data Systems
Mitsuhiro Tanino is a software engineer who has been working for Hitachi since 2004 and a principal software engineer at Hitachi Data Systems since 2014. He has experience developing a virtual machine manager for heterogeneous cloud systems and RAS features for KVM virtual environments...



Friday December 8, 2017 2:00pm - 2:35pm
Meeting Room 6AB, Level 3

2:45pm

Self-Hosted Kubernetes: How and Why [I] - Diego Pontoriero, CoreOS
How Kubernetes is deployed and managed has changed since the first release of the project. From configuration management systems and unit files to deploying Kubernetes using Kubernetes, a lot has changed. Self-hosted Kubernetes has many benefits as a deployment option, and this talk will highlight those benefits, as well as explain the history and nuances of making self-hosted Kubernetes possible.

In this talk I will describe what self-hosted Kubernetes means, why it exists, how it came into existence, and what you need to know if you're running a self-hosted cluster. Many tools now deploy self-hosted clusters including bootkube and kubeadm, so knowledge of how this works can be very important for anybody running a Kubernetes cluster.

What are the benefits of self-hosting? How does it work? What do I need to know if I'm administering a self-hosted cluster?

All those questions and more will be discussed in detail in this talk. In addition, I will discuss how various projects and products take advantage of the many benefits of self-hosting, such as Tectonic.

Speakers

Diego Pontoriero

CoreOS
Diego Pontoriero is a Software Engineer on the Tectonic team at CoreOS, where he works on software that deploys, manages, and upgrades self-hosted Kubernetes clusters. Prior to CoreOS Diego worked at Google building a video-based learning platform, a mobile phone carrier, and a petabyte-scale...



Friday December 8, 2017 2:45pm - 3:20pm
Meeting Room 8ABC, Level 3

2:45pm

Democratizing Machine Learning on Kubernetes [I] - Joy Qiao & Lachlan Evenson, Microsoft
One of the largest challenges facing the machine learning community today is understanding how to build a platform to run common open-source machine learning libraries such as Tensorflow. Joy and Lachie are both passionate about making machine learning accessible to the masses using Kubernetes. In this session they'll share how to deploy a distributed Tensorflow training cluster complete with GPU scheduling on Kubernetes. We’ll also share how distributed Tensorflow training works, the various options for distributed training, and when to choose which option. We’ll also share some best practices on using distributed Tensorflow on top of Kubernetes, based on our latest performance tests performed on public cloud providers. All work presented in this session will be accessible via a public Github repository.

Speakers

Lachlan Evenson

Principal Program Manager - Azure Container Compute, Microsoft
Lachlan is a Principal Program Manager on the Container Compute team at Azure. He has spent the last few years working with Kubernetes and enabling Cloud Native journeys. Lachie serves as a Cloud Native ambassador and TOC contributor, and has deep operational knowledge of many Cloud...

Joy Qiao

Senior Solution Architect - AI and Research Group, Microsoft
Joy Qiao is a senior solution architect in the AI & Research Group at Microsoft, where she is responsible for driving end-to-end AI/ML solutions on Azure among the partner eco-system. Joy has over 15 years of IT industry experience including 11 years at Microsoft working as technical...



Friday December 8, 2017 2:45pm - 3:20pm
Meeting Room 9C, Level 3

2:45pm

Persistent Storage with Kubernetes in Production - Which Solution and Why? [I] - Cheryl Hung, StorageOS
Persistent storage often seems like a confusing plethora of options, from local volumes, NFS, distributed storage like Ceph, cloud storage such as AWS’s EBS and S3, to volume plugins with Docker and Kubernetes integration. This talk compares and contrasts the most popular solutions, and lays out the eight principles for cloud native storage.

Speakers

Cheryl Hung

Product manager, StorageOS
Cheryl is an ex-Google software engineer with a passion for developer tools, experience and community. She founded the Cloud Native London meetup and codes, writes and speaks about containers, storage and cloud computing.



Friday December 8, 2017 2:45pm - 3:20pm
Ballroom A, Level 1

2:45pm

Securing Shopify's PaaS on GKE [I] - Jonathan Pulsifer, Shopify
Shopify has leveraged Kubernetes through Google Container Engine (GKE) to build its new cloud platform. This PaaS is currently serving the majority of the company's internal tools as well as business-critical production workloads. Moving to Kubernetes and a public cloud is no easy task, especially for a security team.

Unfortunately for us, a hosted solution does not offer all the features we've come to love in Kubernetes including NetworkPolicies, PodSecurityPolicies, and admission controllers among others. Given this, the security team has created a number of Kubernetes controllers and other cloud platform solutions to maintain an effective security posture on our new platform.

In this talk we'll introduce our cloud platform, explore the tools we've created to bridge the security gaps, detail the struggles we've encountered using Google Cloud Platform and GKE, and discuss our growing pains with Kubernetes multi-tenancy. Attendees will gain an understanding of the current state of Kubernetes security controls on GKE, a familiarity with some of the products available on Google Cloud Platform, and insight on how to integrate security controls into their development pipelines.

Speakers

Jonathan Pulsifer

Infrastructure Security Engineer, Shopify
Jonathan is a Senior Security Engineer at Shopify working on securing their new platform using Kubernetes on GKE. Previously, he was a SANS mentor, network defense instructor, and a team lead at the Canadian Forces Network Operations Centre in Ottawa. Find Jonathan on Twitter @Jo...



Friday December 8, 2017 2:45pm - 3:20pm
Meeting Room 12AB, Level 4

2:45pm

Providing Containerized Cinder Services to Baremetal Kubernetes Clusters [I] - John Griffith, NetApp & Huamin Chen, Red Hat
Kubernetes deployments running on OpenStack clusters require a full OpenStack: Keystone, Nova, and Cinder services.

This talk presents a more pervasive and simplified deployment architecture by integrating containerized standalone Cinder services with baremetal Kubernetes. Cinder services offer many storage features that are still missing in Kubernetes. Cinder is supported by many storage vendors, with over 70 storage drivers in its repository. A containerized standalone Cinder service makes these features and extensive storage products available to Kubernetes clusters.

Key to this architecture is a Kubernetes volume provisioner that provisions Cinder volumes and transparently converts Cinder volumes to Kubernetes supported storage types, such as iSCSI, Fibre Channel, NFS, or Ceph RBD.

Based on these technologies, the new architecture enables enterprise customers to deploy container services in a dedicated cluster and consume advanced storage features.

Speakers

Huamin Chen

Principal Software Engineer, Red Hat
Dr. Huamin Chen is a passionate developer at Red Hat's CTO office. He is one of the founding members of Kubernetes SIG Storage, and a member of Ceph, Knative, and Rook. He previously spoke at KubeCon, OpenStack Summits, and other technical conferences.

John Griffith

Principal Software Engineer, NetApp
John Griffith, Principal Software Engineer at SolidFire, now a part of NetApp, helped to create the Cinder project in OpenStack. His primary responsibilities are upstream contributions to cloud related open source technologies. Currently active in the Kubernetes Storage SIG, CNCF CSI project...



Friday December 8, 2017 2:45pm - 3:20pm
Meeting Room 6AB, Level 3

3:40pm

kubectl apply, and The Dark Art of Declarative Object Management [I] - Aaron Levy, CoreOS
kubectl apply is a powerful and commonly used command meant for declaratively managing your applications. However, even if you are using this command today, you may still be surprised by how it functions. In this talk we will go over the inner-workings of the kubectl apply command, and discuss patterns for successfully managing your applications using declarative object management techniques.

We will cover areas such as the interplay between imperative commands (set, scale, edit, etc.) and declarative object management; the different types of patch strategies, and how object merges are calculated; as well as the pros and cons of the various approaches, and some subtle gotchas you might run into.

When you leave this talk it will make sense when you describe that your application is managed as a declarative base, with replicas driven imperatively, by an autoscaler that is declaratively configured. In other words, Kubernetes magic.

Speakers

Aaron Levy

OpenShift Engineering, Red Hat
Aaron Levy is a software engineer at CoreOS, working on all things Kubernetes. He is also the lead maintainer of Bootkube, a kubernetes-incubator project that enables launching self-hosted kubernetes clusters.



Friday December 8, 2017 3:40pm - 4:15pm
Ballroom A, Level 1

3:40pm

Kube-native Postgres [I] - Josh Berkus, RedHat
Database systems remain the last frontier for Kubernetes, and at the Patroni Project we're working on conquering it. Having fully automated PostgreSQL clusters using Patroni, the project is now working on making Patroni more "Kubernetes native", so that SQL databases can be seen simply as a PostgreSQL resource.

In this talk, we will explain and demonstrate the current projects integrating Patroni PostgreSQL with Kubernetes, including:

* Patroni Operator, using the CoreOS Operator pattern
* Kube-native Patroni, which uses the Kubernetes controller instead of its own management

These works in progress will both acquaint attendees with tools they can use for their own high-availability database architectures, and explore some areas where Kubernetes could improve to support database systems better.

Speakers

Josh Berkus

Kubernetes Community Manager, Red Hat
Josh Berkus contributes to Kubernetes for Red Hat, working on contributor experience, multicluster, releases, and all of Red Hat's many Kubernetes-related projects. He lives in Portland, OR, USA.


Friday December 8, 2017 3:40pm - 4:15pm
Meeting Room 9C, Level 3

3:40pm

Enable your Microservices with Advanced Resiliency and Fault Tolerance Leveraging Istio [I] - Animesh Singh & Tommy Li, IBM
Building and packaging microservices is one part of the story. Given that a highly scalable and distributed microservices deployment is going to face failures at different layers, how do we make these microservices resilient and fault tolerant? How do we enforce policy decisions such as fine-grained access control and rate limits? How do we enable timeouts/retries, health checks, etc.? Even though some language-specific frameworks address these issues, the implementation is often framework- or language-specific.

If the underlying framework or language changes, the resiliency features need to be reimplemented or ported over. And in some cases, applications also have the responsibility of implementing the code and configuration required for resiliency and fault tolerance. A Service-mesh architecture attempts to solve these issues by extracting the common resiliency features needed by a microservice framework away from the applications and frameworks and into the platform itself. Istio provides an easy way to create this service mesh.

In this talk we will discuss how to build, deploy, and connect your Java microservices leveraging the Istio service mesh. We then show how to configure and use circuit breakers, timeouts/retries, rate limits and other advanced resiliency features from Istio without changing the application code.

Speakers

Tommy Li

Software Developer, IBM
Tommy Li is a software developer in IBM focusing on Cloud, Kubernetes, and Machine Learning. He is one of the Fabric for Deep Learning’s main contributors and worked on various developer code patterns on Kubernetes, Microservice, and deep learning application to provide use cases...

Animesh Singh

Chief Architect and Program Director, IBM
Animesh Singh is a Program Director and Chief Architect for the IBM Watson and Cloud Open Source Platform, where he leads machine learning and deep learning initiatives on IBM Cloud and works with communities and customers to design and implement deep learning, machine learning, and...


Friday December 8, 2017 3:40pm - 4:15pm
Meeting Room 9AB, Level 3

3:40pm

Kubernetes Ingress Controller with Apache Traffic Server [I] - Mrunmayi Dhume, Oath (Yahoo) & Suresh Visvanathan, Yahoo!
Today, the Oath Media Brands and Products container platform is serving critical application workloads like Yahoo Sports and Yahoo Finance at a large scale using Kubernetes as the orchestration framework.

For a platform at this scale, it is critical to have a powerful and flexible ingress routing layer (controller) that is able to handle the dynamic behavior of container based applications, such as auto-scaling, frequently changing pod IP addresses, self-serve onboarding and cluster-aware routing. This L7 routing layer must be quick to react to changes on the cluster without affecting its routing capabilities and impacting the in-flight requests. In a multi-tenant system it is even more vital that a single application deployment does not cause an impact to user traffic or hinder the release velocity of other tenants.

We developed an ingress controller based on Apache Traffic Server that satisfies the requirements stated above, while remaining scalable and easy to integrate with both Kubernetes and the Oath ecosystem. In this talk/presentation, we will elaborate on the architecture of the ingress controller, the performance metrics we’ve achieved, and the key learnings from supporting such a critical infrastructure component.

Speakers

Mrunmayi Dhume

Senior Software Engineer, Verizon Media (Yahoo Inc)
Mrunmayi Dhume is a Senior Software Engineer in the Core Infrastructure team at Oath Media Brands and Products. She was involved early on in the introduction of Kubernetes in the organization and took a leadership role in designing and implementing the ingress routing layer components...

Suresh Visvanathan

Sr Architect, Oath(Yahoo)
Suresh Visvanathan, Sr Architect, has over 13 years of experience in IT and Software. Suresh’s current responsibilities include the architecture, vision, strategy and design of cloud platform as-a-service (PaaS). Suresh has been architecting solutions and building products around...



Friday December 8, 2017 3:40pm - 4:15pm
Ballroom C, Level 1

3:40pm

Real Security for Services on Kubernetes [I] - Eric Wang & Yun Zhang, Databricks
We all love the ease-of-use Kubernetes provides to engineers to deploy and manage their services. But before you can start running production code and dealing with customer data, you need to ensure that everyone's favorite features are in place: audit logs and access control. (And the crowd goes wild!)

At Databricks, we know that the best way to do security is to make sure the simplest way to do something is the secure one. In this talk, we introduce a system called Genie which uses time-boxed TLS certificates to authorize engineers to talk to certain namespaces within Kubernetes. Additionally, we will discuss how we extended this framework to allow for continuous deployment/continuous integration without weakening our security story!

Speakers

Eric Wang

Software Engineer, Databricks
Eric is a software engineer on the Cloud team at Databricks. Before that, he worked at Cisco Meraki, developing core features for the time-series database Little Table. At Databricks, Eric and his colleagues on the Cloud team work on infrastructure to enable engineers to rapidly deliver...

Yun Zhang

Software Engineer, Databricks
Yun is a software engineer on the Cloud team at Databricks. He is experienced in building highly available cloud infrastructure for data processing engines like Apache Spark and Amazon Redshift.



Friday December 8, 2017 3:40pm - 4:15pm
Meeting Room 12AB, Level 4

3:40pm

Economics of using Local Storage Attached to VMs on Cloud Providers [I] - Pavel Snagovsky, Quantum
Public cloud storage resource offerings aren't always optimal for running Cloud Native applications. This talk explores several storage options, comparing costs, performance, resilience, features and interfaces of file, block and object storage for Cloud Native applications in AWS. EBS and Instance store for Kubernetes nodes are compared across different scenarios. This talk also covers the pros and cons of running an object store on resources already provisioned, as opposed to using S3.

Speakers

Pavel Snagovsky

Senior Developer, Rackspace
Pavel Snagovsky is a Software Engineer at Quantum Corporation, contributing to several projects advancing storage evolution, including rook.io. He previously worked in Operations at Ticketmaster, Limelight Networks, Yellowpages and other companies.



Friday December 8, 2017 3:40pm - 4:15pm
Meeting Room 6AB, Level 3

4:25pm

Using Kubo to Manage your Kubernetes Clusters [I] - Oleksandr Slynko & Brendan Nolan, Pivotal
Kubo is an OSS project developed jointly by Pivotal and Google. It provides a uniform way to instantiate, deploy, and manage highly available vanilla Kubernetes clusters using BOSH on GCE, vSphere, AWS, OpenStack and Azure.

Using BOSH and Kubo to manage Kubernetes gives self-healing, easily upgradeable clusters with managed secrets rotation. Cluster creation is simplified to the point where clusters can be created and destroyed on demand for use in development or sandbox environments.

In this presentation, Brendan and Oleksandr will demonstrate deployment across multiple IAASes, cluster healing, cluster upgrade and cluster creation.

Speakers

Brendan Nolan

Principal Software Engineer, Pivotal.io

Oleksandr Slynko

Eirininaut, Pivotal
Oleksandr is a Staff Software Engineer at Pivotal and works on project Eirini. Before that, Oleksandr worked on Cloud Foundry Container Runtime and related projects for more than two years. Oleksandr has a background in automation and in working on highly available cloud solutions.



Friday December 8, 2017 4:25pm - 5:00pm
Meeting Room 8ABC, Level 3

4:25pm

Don’t Hassle Me, I’m Stateful - Jeff Bornemann & Michael Surbey, Red Hat
Stateless, cloud-ready applications are the future for many enterprise users, but what do you do about legacy monoliths and existing vendor applications? New StatefulSet features within Kubernetes allow developers and administrators to work with these types of applications and still reap the many rewards of a containerized platform. This session will explore some of these features by deploying a full MongoDB cluster on top of OpenShift.

Speakers

Jeff Bornemann

Senior Consultant, Red Hat
Jeff has been developing software for Fortune 500 companies for many years, including contributions to multiple OSS projects. Jeff works with Red Hat's OpenShift platform, helping to bring container adoption to Red Hat customers.

Michael Surbey

Solutions Architect, Red Hat, Inc.
With a background in development, design, and management of enterprise IT-driven solutions, Mike enjoys helping U.S. public sector customers, contributors, and partners create a better citizen experience the open source way.



Friday December 8, 2017 4:25pm - 5:00pm
Meeting Room 9C, Level 3

4:25pm

What Happens When Something Goes Wrong? On Kubernetes Reliability [I] - Marek Grabowski & Tina Zhang, Google
One of the best features of Kubernetes is that it can automatically recover from various failures and keep your application working despite unfavorable circumstances. There are moments when this works like magic and operators won't even notice something was going on. Sadly, sometimes automation fails.

In this talk we're going to describe the various policies and mechanisms implemented in the system that are designed to keep user applications, and the cluster in general, running. We'll talk both about things that happen automatically and about those that users need to configure.

Speakers

Marek Grabowski

Site Reliability Engineer, Google
Marek is a Software Engineer who turned Site Reliability Engineer in late 2017. Currently he focuses on the reliability of Kubernetes clusters. Since 2013 he has been working on Google’s Technical Infrastructure, where in early 2015 he joined the Kubernetes engineering team. In Kubernetes his main...

Tina Zhang

Site Reliability Engineer, Google
Tina joined Google as a Site Reliability Engineer for GKE in March 2017 and has primarily been working on delivering High Availability Masters in GKE, bringing GKE to more cloud regions and improving monitoring and alerting for the system. Prior to this, she had a previous life...



Friday December 8, 2017 4:25pm - 5:00pm
Ballroom A, Level 1

4:25pm

The Oregon Trail to Kubernetes [I] - Joshua Roppo, Lytics
Can a small team operating 2000 CPUs escape the glorified bash infighting of Configuration Management to homestead the scalable compute plains of Kubernetes? A journey of transitioning from Google’s Compute Engine to the blessed Container Engine.

The route we chose diverged from the never-ending landscape of single-purpose YAML tutorials and retreading Configuration Management tools with templating. Instead, we chose a mountain pass of defining Kubernetes Resources as Go code for compile-time type checking, composability, validation, and potential for extension. This is the case study of a small team breaking trail through ecosystems of application design, scheduling paradigms, deprecation dysentery, and holding legacy together with baling wire. A retrospective of value added versus time wasted on the path to great opportunities on Kubernetes.

Talk Overview:

* Lytics Stack and overview (whoami)
* Loading the Wagon: Design and decision considerations (Read the Borg Paper)
* Deprecation Dysentery: Wait wait, don’t use that.
* Mirages of disappointment: Systems which couldn’t make it to Kubernetes.
* Compute Resource Hunting Massacre: Avoiding compute underuse; taking advantage of the scheduler.
* Handyman’s Corner: The baling wire and zip-tie Kubernetes tools and services built to keep the broken axle (legacy systems) intact through the journey.
* Blizzards of the Kubernetes: from the perspective of a user who can’t follow every SIG; surviving the avalanche of ecosystem changes.
* Cascadia found: the wins, plans to rebuild what was abandoned, and breathing the free air.
* Next: Sim City

Speakers

Joshua Roppo

Infrastructure Engineer, X
Platform Operations Engineer with a preference for writing code over Bash. Managing operational decisions and transitions at Lytics for three years, where we turn raw user and event data into actionable personalization APIs for marketing. Pedantic gopher who enjoys the challenges of...



Friday December 8, 2017 4:25pm - 5:00pm
Ballroom B, Level 1

4:25pm

Istio’s Mixer: Policy Enforcement with Custom Adapters [I] - Limin Wang, Google & Torin Sandall, Styra
The Istio service mesh provides a highly extensible platform to connect, manage, and secure microservices. Istio’s highly extensible nature is one of the main selling points as it allows you to enforce your own organization-specific policies across large fleets of microservices. At the same time, new technology always has a learning curve, and with all this extensibility and generality the task can be quite daunting.

In this talk, Limin Wang (Software Engineer at Google) and Torin Sandall (Technical Lead of the Open Policy Agent project) explain how Istio’s Mixer works and lead a deep dive into Mixer Adapter development. The talk shows (with demos) how the Mixer Adapter model enables custom policy enforcement and how the model is used to integrate third party policy engines like the Open Policy Agent.

This talk is targeted at platform engineers interested in using the Istio service mesh to enforce custom policies in their microservices. The talk also provides new ideas about the kinds of policies that can be enforced in Istio today.

Speakers

Torin Sandall

Software Engineer, Styra
Torin Sandall is a co-founder of the Open Policy Agent (OPA) project. Torin has spent 10 years as a software engineer working on large-scale distributed systems projects. Torin is a frequent speaker at events like KubeCon, DockerCon, Velocity, and more. Prior to working on OPA, Torin...

Limin Wang

Staff Software Engineer, Google
Limin Wang is a software engineer at Google. She is a technical lead of the Istio Security project. Before joining Google, she was a senior software engineer at VMware. Limin holds a PhD degree in Computer Science from Michigan State University.



Friday December 8, 2017 4:25pm - 5:00pm
Meeting Room 9AB, Level 3

4:25pm

From Screen to Pods: Bootstrapping a Cloud Agnostic System using Kubernetes [I] - Patrick McQuighan, Algorithmia
Today, Algorithmia runs multiple Kubernetes clusters each with CPU and GPU nodes, 100s of pods, and 10,000s of containers created daily. We can create a copy of our entire stack in a variety of cloud environments in about an hour. Twelve months ago, Algorithmia was limited to AWS and reliant on an enterprise product for deployment management. In that time, we learned how to ensure a highly-available setup in multiple environments, handled networking issues between old applications and pod-based applications, discovered many quirks with cloud components (such as AWS ELB), learned what wrong assumptions we held about the cloud, and migrated our live production services to run within Kubernetes. We also learned the limits of Kubernetes and when to control components on our own. Ultimately, we reduced the number of servers needed to run our full stack, simplified the process of adding services, reduced dependency on particular cloud services, and have a hardened way to deploy our platform.

In this talk I’ll cover why we moved to Kubernetes to build our enterprise product, the benefits it entailed, difficulties we encountered with Kubernetes, containers, cloud providers, and what we’re most excited about in the future of Kubernetes.

Speakers

Patrick McQuighan

Senior Software Engineer, Algorithmia
Patrick joined Algorithmia in December 2015 and has focused on improving system performance and creating the Enterprise AI Layer Enterprise product, an ML deployment and management system that runs on multiple cloud providers and on-prem infrastructures. Previously, Patrick worked...



Friday December 8, 2017 4:25pm - 5:00pm
Meeting Room 19AB, Level 4