Operations | Monitoring | ITSM | DevOps | Cloud

June 2021

Observe & Troubleshoot Your Kubernetes Environments with Dynamic Service Graph

Kubernetes workloads are highly dynamic, ephemeral, and are deployed on a distributed and agile infrastructure. Application developers, DevOps teams, and site reliability engineers (SREs) often require better visibility of their different microservices, what their dependencies are, how they are interconnected, and which other clients and applications access them. This makes Kubernetes observability challenges unique.

Applying policy as code in the modern cloud-ready enterprise: Graeme Hay, Morgan Stanley

Join us as we look at the advantages, but also the practical challenges, of applying modern, policy-as-code ("PaC") approaches in a modern cloud-ready enterprise. This talk will show how Morgan Stanley is drawing upon years of experience in its own proprietary implementation of PaC in its approach to embracing today's ideas. We will look at a diverse set of considerations from GitOps as a method to applying PaC in modern software development and deployment to enforcement of best practices and compliance in the Cloud.

The Crossroad of Security & Observability in Kubernetes: A Fireside Chat

Security as an afterthought is no longer an option and must be deeply embedded in the design and implementation of the products that will be running in the cloud. It is increasingly more critical for many security teams to be almost, if not equally, knowledgeable of the emerging and rapidly evolving technology. Join Manish Sampat from Tigera, as explores the topic in detail with Stan Lee from Paypal.

Upgrading DevSecOps with compliance automation - Bryan Langston, Mirantis

Compliance automation is a commonly overlooked area of Kubernetes observability. The question is: how do you automate compliance to a security framework that isn’t well understood by DevSecOps teams to begin with? This lack of understanding contributes to mismanaged compliance efforts and in a worst-case scenario, audit exposures and organizational risk. This talk will walk through an example of how to 1) map compliance controls to specific Kubernetes technical configuration 2) automate the assessment of those controls 3) visualize the assessment results. DevSecOps teams will better understand how to incorporate compliance automation alongside security automation.

Building secure and observable Kubernetes platforms for scaled software delivery

"Companies of various sizes are building their applications on Kubernetes because it provides significant operational benefits like autoscaling, self-healing, extensibility, and declarative deployment style. However, the operational benefits are only a starting point down the path of building a secure and observable platform that enables the continuous delivery of application workloads. This session shows how to build a fully operational platform, leveraging platform-oriented building blocks to address network security and observability.

Exploring intrusion detection techniques in cloud native environments - Garwood Pang, Tigera

As more production workloads migrated to the cloud, the need for Intrusion Detection Systems(IDS) grew to meet compliance and security needs. With the number of workloads in each cluster, IDS needs to be efficient to not take up the shared resources. Techniques such as packet inspection and web application firewalls provide a solid defense against threats and by leveraging the cluster's network control pane, we are able to selectively choose vulnerable workloads and provide an easy way to trace back to the origin of the attack.

Service Mesh, Observability and Beyond - Sheetal Joshi, AWS

Congratulations! You’re now cloud-native with microservices. No more legacy monoliths. However, troubleshooting takes time, debugging is difficult, and security is scary. How can you scale your organization without losing an understanding of your environment? Services mesh is here to help! It gives you the observability of connected services and is easier to adopt than you might think. Come and learn service mesh concepts, best practices, and key challenges.

Kubernetes Observability & Troubleshooting: Best Practices - Raj Singh, Box

Early adoption of Kubernetes came with its set of challenges for Box, that led to innovative solutions & learnings. In this session, the speaker will take you through some of those solutions around Kubernetes Observability & best practices which will make your Kubernetes journey easier.

Calico/VPP : Unlocking performance & innovation for large scale Kubernetes clusters

Calico/VPP data plane renderer was introduced as Tech Preview in Calico 3.19 for Kubernetes. It leverages the FD.io/VPP userspace data plane which brings great benefits in terms of performance and flexibility for large-scale Kubernetes clusters. Thanks to its fast IPSec & Wireguard implementation, it makes it possible to provide intra-cluster full mesh crypto without compromising performance. Beyond performance, it implements differentiated features like MagLev based load balancing with DSR for k8s services making it a good choice for large-scale applications having strong high availability requirements. This is the first release but moving forward, it will provide support for superfast packet-oriented virtual interfaces as well TCP/UDP/Quic stack to applications having extreme networking performance.

Beyond the network: Next Generation Security and Observability with eBPF - Shaun Crampton, Tigera

Learn how eBPF will bring a richer picture of what's going on in your cluster, without changing your applications. With eBPF we can safely collect information from deep within your applications, wherever they interact with the kernel. For example, collecting detailed socket statistics to root-cause network issues, or pinpointing the precise binary inside a container that made a particular request for your audit trail. This allows for insights into the behavior (and security) of the system that previously would have needed every process to be (manually) instrumented.

Join Us to learn Service Mesh, Observability and Beyond

How can you scale your organization without losing an understanding of your environment? Services mesh is here to help! It gives you the observability of connected services and is easier to adopt than you might think. Come and learn service mesh concepts, best practices, and key challenges.

Threats targeting Kubernetes and Defences

Attackers are continuously evolving their techniques to target Kubernetes. They are actively using Kubernetes and Docker functionality in addition to traditional attack surfaces to compromise, gain required privileges and add a backdoor entry to the clusters. A combination of Kubernetes security and observability tools is required to ensure the cloud infrastructure monitoring and lockdown and to enable DevSecOps teams with the right tools for the job.

Securing Kubernetes workloads at Discover Financial Services

It’s a daunting task starting down the path to securing your workloads running on Kubernetes in the Cloud. There are no shortages of vendors with great tools in the Cloud security space. There is a multitude of domains that must be accounted for, along with internal challenges in bringing an organization along into new ways of thinking. This talk will focus on Discover’s Cloud security journey, with an overview of how the program has evolved over the last 4 years, key capabilities & concepts that have been embraced and challenges faced.

Ensuring adequate security, observability, & compliance for cloud native applications

Containers, Microservices, and cloud-based applications have revolutionized the way companies build and deliver products globally. This has also changed the attack surface and requires very different security strategies and tools to avoid exposure to sensitive information and other cyber attacks. Regulatory compliance has also evolved making it ever so important for companies to adapt to this new paradigm.

Enabling You to Get the Best from AWS: Introducing the New Calico AWS Expert Certification

Calico is the industry standard for Kubernetes networking and security. It offers a proven platform for your workloads across a huge range of environments, including cloud, hybrid, and on-premises. Given this incredibly wide support, why did we decide to create a course specifically about AWS?

CVE-2021-31440: Kubernetes container escape using eBPF

In a recent post by ZDI, researchers found an out-of-bounds access flaw (CVE-2021-31440) in the Linux kernel’s (5.11.15) implementation of the eBPF code verifier: an incorrect register bounds calculation occurs while checking unsigned 32-bit instructions in an eBPF program. The flaw can be leveraged to escalate privileges and execute arbitrary code in the context of the kernel.