KubeCon + CloudNativeCon North America 2017

The six largest public cloud providers -- AWS, Microsoft, Google Cloud, IBM Cloud, Alibaba Cloud and Oracle -- are all now major backers of CNCF and Kubernetes. This is a chance to hear their perspective on investments they are making into Kubernetes and other CNCF technologies. How are they using these technologies internally? What changes are they making in their offerings to better suit cloud native enterprises? What is their perspective on the future of container runtimes? How do they deal with customers that need a hybrid cloud solution? Is the infrastructure layer becoming commoditized? What is their ability to differentiate in value added services at the higher layers? What projects should CNCF bring in to help fill out its stack?

With the rapid adoption of microservices new tools are needed to load-balance, route, secure and monitor the traffic that flows between them. Istio provides a common networking, security, policy and telemetry substrate for services that we call a ‘Service-Mesh’. Come learn how the service-mesh helps with the transition to microservices, to empower operations teams, to adopt security best-practices and much more. We’ll also cover the state of the project, where it’s headed and how you can get involved.

Deploying and managing applications with Kubernetes can be challenging. Organizing configuration across multiple environments, rolling out changes incrementally, safely killing or rolling back failed deployments - these are just a few difficulties that organizations face when running containers in production.

At Box, we've dealt with these issues and more, at the scale of thousands of servers across multiple data centers and public cloud providers. In this talk, we'll share how we set up a continuous delivery pipeline with Jenkins, Docker, Artifactory, and Kubernetes to test, build, and release our software rapidly and reliably. We'll discuss how our pipeline reduces time to ship to production, provides greater visibility into the deployment process, and empowers our engineers to deploy quality code with confidence.

Microservices come with many advantages for massively scaling applications. With that comes many challenges around service communication and application updates. It is pretty simple to do blue/green deployment and canary releases with a basic web site. But what about thousands of microservices? How can we have blue/green deployments at the service level while still allowing for efficient communication? This is one of the areas where service mesh technology is a huge benefit in Kubernetes.

In this session, I will show how to use common CI/CD tooling such as Spinnaker or Jenkins to drive microservices deployments with Kubernetes. I will show how service mesh technologies such as istio and linkerd ease the ability to efficiently deliver and test microservices in Kubernetes. All without substantial changes for the microservice developer. Additionally, I will provide comparisons of the wide variety of tools available in this area.

The overall goal of this demo heavy session is to show the value of these technologies working together to ease the delivery of cloud native applications.

Since 2008, Netflix has been on the cutting edge of cloud-based microservices deployments. In 2017, Netflix is recognized as one of the industry leaders at building and operating “cloud native” systems at scale. Like many organizations, Netflix has unique security requirements for many of their workloads. This variety requires a holistic approach to authorization to address “who can do what” across a range of resources, enforcement points, and execution environments.

In this talk, Manish Mehta (Senior Security Software Engineer at Netflix) and Torin Sandall (Technical Lead of the Open Policy Agent project) will present how Netflix is solving authorization across the stack in cloud native environments. The presentation shows how Netflix enforces authorization decisions at scale across various kinds of resources (e.g., HTTP APIs, gRPC methods, SSH), enforcement points (e.g., microservices, proxies, host-level daemons), and execution environments (e.g., VMs, containers) without introducing unreasonable latency. The presentation includes a deep dive into the architecture of the cloud native authorization system at Netflix as well as how authorization decisions can be offloaded to an open source, general-purpose policy engine (Open Policy Agent).

This talk is targeted at engineers building and operating cloud native systems who are interested in security and authorization. The audience can expect to take away fresh ideas about how to enforce fine-grained authorization policies across stackthe cloud environment.

Running applications on Kubernetes can provide a lot of benefits: more dev speed, lower ops costs, and a higher elasticity & resiliency in production. Kubernetes is the place to be for cloud native apps. But what to do if you’ve no shiny new cloud native apps but a whole bunch of JEE legacy systems? No chance to leverage the advantages of Kubernetes? Yes you can!

We’re facing the challenge of migrating hundreds of JEE legacy applications of a major German insurance company onto a Kubernetes cluster within one year. We're now close to the finish line and it worked pretty well so far.

The talk will be about the lessons we've learned - the best practices and pitfalls we've discovered along our way. We'll provide our answers to life, the universe and a cloud native journey like:
- What technical constraints of Kubernetes can be obstacles for applications and how to tackle these?
- How to architect a landscape of hundreds of containerized applications with their surrounding infrastructure like DBs MQs and IAM and heavy requirements on security?
- How to industrialize and govern the migration process?
- How to leverage the possibilities of a cloud native platform like Kubernetes without challenging the tight timeline?

At KubeCon EU, in Berlin, I got up on stage and stated that "Kubernetes Sucks (but all software sucks)". While we still have work to do, in the past several months the community has done great work to solve a whole host of issues to make Kubernetes “suck less.” In this talk I will outline the ways that the community has made this happen both in the core project and in the wider ecosystem.

Things are still developing, but here are the areas that I want to highlight. Hopefully we'll have talks on many of these so that I can highlight where and when folks can find out more. I won't be able to cover everything happening in the ecosystem but I can hint at the diversity and commitment to solving these issues.

* *Simpler application description.* As a community we are continuing to build more tcapable and simpler tools for describing applications through projects like ksonnet, OpenCompose, Kompose, and Helm.
* *Serverless platforms.* Through “function as a service” like systems we can abstract much of the nitty gritty around getting code packaged and running. In addition, scaling can be easy and automatic as code is run only when needed.
* *Simpler cluster install and admin.* kubeadm and how it is becoming a common toolkit. Similar work is ongoing to explore the idea of standardizing the description of a cluster at the infrastructure level through projects like Kubicorn. In addition, new APIs, such as the certificates API, are key building blocks for getting secure clusters up and running.
* *Curated development experiences.* Systems like Draft help to automate the build/launch/update cycle for development workflows. Others are also exploring ways to connect developers to clusters.
* *Making Kubernetes boring.* Kubernetes is maturing as a platform. As that happens, things in the "nucleus" are slowing down. In the past 6 months we've seen a concerted effort to encourage new features to be built with extensibility mechanisms as much as possible. This allows those projects to move fast while enabling exploration of the problem space.
* *Conformance.* Another key enabler for widespread Kubernetes adoption is conformance. There has been a wide set of folks involved in describing what should get to be called "Kubernetes". Tools like Sonobuoy point the direction to making this be an automated process that anyone can run against any cluster.
* *Observability.* Prometheus continues to be the go-to OSS solution for monitoring in the Kubernetes world. In additions, systems like linkerd and Istio/envoy enable introspection at the microservice mesh level.

We still have many challenges. Many of these are going to take long concerted efforts to fix. We are trapped, in some ways, by our promise of backward compatibility. It is often better to live with something annoying than to force breaking changes on our user base.

*Call to action:* Great job community! But the job isn't done. Let's keep working hard to bring Kubernetes to a larger and larger set of users and environments.

Learn the basics of Kubernetes from the perspective of creating a Helm Chart from scratch!

The Kubernetes cluster will be launched from Rancher, an open source container management software. At the end of this workshop, you will have a functional understanding of pods, services, deployments, Helm, Rancher, and more!


Why learn Kubernetes with Helm Charts?
Much of today's beginner educational content for Kubernetes uses the Kubernetes CLI tool. This can make it hard to visualize the relationship between each command and debug your cluster. Learning how to incrementally build Helm Charts provides a bigger picture of your cluster and is more reproducible.

Why is Rancher cool?
Rancher makes it easy to configure, deploy and manage Kubernetes, on any infrastructure!

I'm in, what are we doing?
- Gain a high level understanding of key Kubernetes concepts accompanied with a lot of diagrams
- Gain an understanding of Rancher's open source container management platform
- Incrementally build a Nginx Helm Chart
- Deploy Nginx from a Kubernetes cluster managed by Rancher

Kubernetes has historically released a full fledged distribution - everything you need. As the project gets more modular, that will become more complicated. This talk will explore the problems we face with this, and some ways can solve them, considering other analogous OSS ecosystems.

The Technical Oversight Committee (TOC) provides technical leadership to the cloud native community. The CNCF will host a public TOC meeting, inviting the community to discuss the project roadmap for 2018, the upcoming TOC Election Schedule for 2018, along with holding an open Q&A for the community with TOC members. The agenda deck can be viewed here. 

Secret data is everywhere, from database credentials, TLS certificates, API tokens, to encryption keys. Manageing secrets is a difficult challenge, but HashiCorp Vault provides an answer. In this talk, we discuss the challenges in secret management, provide an overview of Vault, and discuss how Vault and Kubernetes can be integrated. Integrating Vault solves the basic secret management challenge of securely distributing credentials, but also gives applications running Kubernetes access to features like dynamic secrets which are generated on demand and cryptographic offload to securely manage data in transit and at rest.

You will learn about the patterns and best practices we have learned from reviewing and maintaining the charts in the public Helm Charts repo. You will learn how to make your charts reproducible, scalable, flexible, configurable, and composable.

Kubernetes is an orchestration platform that enables running distributed systems, which are designed with the philosophy of spreading wide to best prepare for outages. This is achieved by deploying your cloud applications at least across multiple hosts, and at best across multiple cloud vendors. Getting Kubernetes configured to run across multiple cloud environments, including on-premises, hybrid deployments, is a tricky undertaking. Hybrid deployments are a feature many organizations want to implement for a variety of reasons, including security over their data, reliability, and more.

Brian Redbeard, chief architect at CoreOS, will discuss the importance of using open source tools to prevent cloud vendors from locking their users into their walled gardens, and will explore the challenges of making Tectonic, CoreOS’s Kubernetes implementation, able to run on multiple cloud platforms.

Kubernetes supports Stateful Applications by connecting to your existing storage. But what if you don’t have any? Or the storage capabilities differs between your environments? Wouldn’t it be nice if Kubernetes itself would be able provide storage services without any external dependency from Day1?

gluster-kubernetes is an umbrella project, currently being submitted for inclusion in CNCF, tying together various open source technologies to do just this. It takes the concept of “container-native storage” literally and orchestrates containerized GlusterFS, a scalable, software-defined storage solution to provide object storage, file storage and block storage for your applications. In this session you will learn about the components in play and how they make Kubernetes provide Persistent Storage and S3 Object Storage that scales with the cluster and runs everywhere.

Istio is an open platform that provides a uniform way to connect, manage, and secure microservices. In this presentation we describe the security features of the Istio service mesh: how it helps you secure service-to-service communication across clouds without application code changes, provide robust identity and strong authentication, and enforce powerful authorization policies for your applications. We discuss the current project status and look ahead to the roadmap for security features.

It’s 3am. Your pager is beeping. Your Kubernetes cluster is down. Don’t panic - we’ve got you covered. In this talk, we’ll describe a variety of disaster scenarios you may encounter. We’ll arm you with the knowledge you need to overcome them. Whether you’re a systems administrator, application developer, or end user, after this talk you’ll walk away with a thorough understanding of Kubernetes disaster recovery, including:

A disaster recovery overview
- Strategies for Kubernetes
- Comparisons to federation and high availability
- Which components to back up vs recreating from scratch

How to minimize your time to recovery
- Automate cluster creation and infrastructure configuration
- Back up and quickly restore your cluster applications, workloads, and persistent volumes using tools such as Heptio Ark

How to handle specific disaster scenarios
- Losing nodes
- Recovering from bad configuration updates
- Cloud provider outages

Persistent storage often seems like a confusing plethora of options, from local volumes, NFS, distributed storage like Ceph, cloud storage such as AWS’s EBS and S3, to volume plugins with Docker and Kubernetes integration. This talk compares and contrasts the most popular solutions, and lays out the eight principles for cloud native storage.

kubectl apply is a powerful and commonly used command meant for declaratively managing your applications. However, even if you are using this command today, you may still be surprised by how it functions. In this talk we will go over the inner-workings of the kubectl apply command, and discuss patterns for successfully managing your applications using declarative object management techniques.

We will cover areas such as the interplay between imperative commands (set, scale, edit, etc.) and declarative object management. The different types of patch strategies, and how object merges are calculated. As well as pros/cons of the various approaches, and some subtle gotchas you might run into.

When you leave this talk it will make sense when you describe that your application is managed as a declarative base, with replicas driven imperatively, by an autoscaler that is declaratively configured. In other words, Kubernetes magic.

One of the best features of the Kubernetes is that it can automatically recover from various failures and keep your application working despite unfavorable circumstances. There are moments when this works like magic and operators won't even notice something was going on. Sadly, sometimes automation fails.

In this talk we're going to describe various policies and mechanisms that are implemented in the system designed to keep user applications and cluster in general running. We'll talk both about things that will happen automatically and those that users need to configure.