Talk difficulty: sessions are categorized as [B]eginner, [I]ntermediate or [A]dvanced at the end of each talk title.


KubeCon Ops
Wednesday, March 29

11:15 CEST

KubeVirt - Kubernetes, Virtualization and Your Future Data Center [I] - Itamar Heim & Fabian Deutsch, Red Hat
Kubernetes is a great orchestration tool for containers, but why stop there? Containers and virtual machines are going to co-exist in the data center. Let’s re-envision our virtualization and cloud solutions with Kubernetes as a single underlying platform.

We’ll introduce KubeVirt - a project to converge the future data center using Kubernetes as its infrastructure. We will cover how we are implementing a caring and stateful environment to run pet VMs in containers on top of Kubernetes - without contradicting its core assumptions. We will also be discussing gaps and how we plan to tackle those, drawing on our experience with KVM and caring for pet VMs (and cats) for many years. The session will also include a demo of how we are doing this today and where we want to go next.


Fabian Deutsch

Engineering Manager, Red Hat
Fabian Deutsch is working for Red Hat and has been working in the virtualization space for the last couple of years. Initially covering some node level aspects in oVirt and now building a robust virtual machine add-on for Kubernetes with KubeVirt. Throughout the years he spoke at...

Itamar Heim

Senior Director, Software Engineering, Red Hat
Itamar Heim is a Senior Director of engineering for Container, Virtualization and System Management. Itamar leads the community and product engineering teams comprising Satellite, Red Hat Enterprise Virtualization and Container Management groups. Prior to this role Itamar worked on...

Wednesday March 29, 2017 11:15 - 11:50 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

12:00 CEST

Leverage LXD/LXC with Kubernetes [A] - Lin Sun, IBM
Do you want to increase the density of your Kubernetes workers? We have run some experiments with Kubernetes workers in LXC containers managed by LXD. Come to hear our experience and challenges during the experiment!


Lin Sun

Senior Technical Staff Member, IBM
Lin has been working on container and cloud-native since 2014 from Docker to Kubernetes to Service Mesh. She is currently an Istio maintainer, a member of the Istio steering committee and technical oversight committee. She is passionate about new technologies and loves to play with...

Wednesday March 29, 2017 12:00 - 12:35 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany
  KubeCon Ops, Developer

13:55 CEST

How Google Cloud Hosts and Manages Kubernetes at Scale [I] - David Aronchick, Google
A breakdown of what we do on Google Cloud to make running Kubernetes great, both managing large amounts of Kubernetes clusters, and what we do on behalf of users to ensure everything is running in the optimal configuration. Folks will be able to take away our best practices and apply them to their own installations.


David Aronchick

Head of OSS Machine Learning, Microsoft
David leads Open Source Machine Learning Strategy at Azure. This means he spends most of his time helping humans to convince machines to be smarter. He is only moderately successful at this. Previously, he led product management for Kubernetes, launched Google Kubernetes Engine and...

Wednesday March 29, 2017 13:55 - 14:30 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

14:40 CEST

Kubernetes at DigitalOcean: Building a Platform for the Future [B] - Joonas Bergius, DigitalOcean
Like in much of our industry today, DigitalOcean has been on a journey to evolve its monolithic architecture of the early days towards one made up of cloud-native micro services. This talk will provide an overview of our journey from where we started to what our motivations were, share what we built and provide you with lessons we learned along the way.

You can expect to take away examples and ideas of how you can make Kubernetes your own as the platform for the future reinforced by concrete examples of exactly how and what we have done at DigitalOcean.


Joonas Bergius

Engineering Manager, DigitalOcean
Joonas Bergius is an Engineering Manager at DigitalOcean focused on the Compute services. Engineer at heart, Joonas is often thinking of ways of utilizing the current best-in-class software to provide the engineers he works with better tooling than what they have at their disposal...

Wednesday March 29, 2017 14:40 - 15:15 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

15:35 CEST

Steward, the Kubernetes-Native Service Broker [A] - Gabe Monroy, Deis
No application is an island. Most applications interact with a diverse set of services, not all of which run on a Kubernetes cluster. How do you manage access to both on and off cluster resources? Join Gabe Monroy, CTO of Deis, for a discussion about service catalogs, explicit service bindings, and how they can help you rationalize heterogeneous computing environments. We will end with a demo of Steward, an open source service broker for Kubernetes.


Gabe Monroy

CTO, Deis
Gabriel Monroy (@gabrtv) is the CTO and creator of Deis. As an early contributor to Docker and Kubernetes, Gabriel has deep experience with containers in production and frequently advises organizations on PaaS, distributed systems, and cloud-native architectures. Gabriel speaks regularly...

Wednesday March 29, 2017 15:35 - 16:10 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

16:20 CEST

Kubernetes Operators: Managing Complex Software with Software [I] - Josh Wood, CoreOS & Jesus Carrillo, Ticketmaster
The Kubernetes container orchestrator scales and connects stateless applications quite easily. Stateful applications can require more work. Databases, caching systems, and file stores are harder to dynamically manage with data intact, and sometimes come with their own notion of clustering. Operators automate these tasks. Operators are Kubernetes agents that know how to deploy, scale, manage, and even upgrade complex applications.

In this talk, we'll illustrate the Operator concept, showing how Operators are built atop the Kubernetes third-party resources mechanism, with a close examination of the open source etcd Operator. We'll demonstrate Operators in action, including the extension of the Operator concept to upgrading Kubernetes control plane components themselves. The audience will learn how to deploy Operators, and how to begin developing Operators to manage their own stateful applications.


Jesus Carrillo

Senior Systems Engineer, Ticketmaster
Jesus Carrillo is a Senior Systems Engineer at Ticketmaster. He previously worked at AWS and Oracle and is passionate about new technologies and the best way to adopt them. When Jesus is not working he likes to relax and enjoy life.

Joshua Wood

DocOps, CoreOS
Josh Wood’s early adoption of the rkt container runtime led him to CoreOS, where he is responsible for documentation. Josh has worked in a variety of roles in innovative startups throughout his career, holding diverse titles from systems admin to product director and CTO. He is...

Wednesday March 29, 2017 16:20 - 16:55 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany
Thursday, March 30

11:30 CEST

Building for Trust: How to Secure Your Kubernetes Cluster [I] - Alexander Mohr & Jess Frazelle, Google
This talk will cover all the ways you can secure your Kubernetes cluster using a Certificate Authority, Authentication, Secrets and more. We will also describe and demo the ways you can use Seccomp, Apparmor, SELinux and cgroups to make your application containers as secure as possible.



Senior Engineering Manager, Google
Alex is currently the Technical Lead and Manager of Google Seattle's Kubernetes and Container Engine teams. Previously, he was Engineering Lead for Google Compute Engine's initial public launch, and also led the design and launch of its VM instance manager subsystem.

Jessie Frazelle

Software Engineer, Microsoft
Jess Frazelle works at Microsoft on open source, containers, and Linux. She has been a maintainer of Docker, contributor to RunC, Kubernetes and Golang as well as other projects. She loves all things involving Linux namespaces and cgroups and is probably most well known for running...

Thursday March 30, 2017 11:30 - 12:05 CEST
A 05 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

11:30 CEST

Rise of the Machines [B] - Anne Currie, Microscaling Systems
What does a containerised, orchestrated world look like and who will be in control? Are server-less and state-less the opposite of what they appear? Can we trust the AIs? If you ever ask yourself this kind of question, you'll probably enjoy this talk.


Anne Currie

Technologist, Anne Currie
Anne has spent over 20 years in the tech sector working on everything from worthy server products in the '90s to international online lingerie in the '00s to containers and the future of operations in the '10s.

Thursday March 30, 2017 11:30 - 12:05 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

12:15 CEST

Kubernetes Day 2: Cluster Operations [I] - Brandon Philips, CoreOS
How do you keep a Kubernetes cluster running long term? Just like any other service, you need a combination of monitoring, alerting, backup, upgrade, and infrastructure management strategies to make it happen. This talk will walk through and demonstrate the best practices for each of these questions and show off the latest tooling that makes it possible. The takeaway will be lessons and considerations that will influence the way you operate your own Kubernetes clusters.


Brandon Philips

CTO, CoreOS, Inc.
Brandon Philips is helping to build modern Linux server infrastructure at CoreOS as CTO. Prior to CoreOS, he worked at Rackspace hacking on cloud monitoring and was a Linux kernel developer at SUSE. As a graduate of Oregon State's Open Source Lab he is passionate about open source...

Thursday March 30, 2017 12:15 - 12:50 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

12:15 CEST

Network-independent ACLs: Why Security Shouldn't Depend on Your Network [I] - Bernard Van De Walle, Aporeto
The conventional view is that Security and ACLs are implemented in the network, through a set of typical firewall rules that rely on the IP and Port number.

In Kubernetes, everything is a label and pod communications are defined as a set of labels allowed to communicate with each other (through the definition of network policies).
This model fully abstracts the pod network information (IP/Port) from the pod's identity (pod's labels).

With the traditional approach, the NetworkPolicies are implemented by the Kubernetes networking backend (Flannel, Calico, ...) that translates the policies into a set of IPs/Ports that need to be constantly updated.

However, another approach is possible by using the labels associated with each pod directly as metadata on the networking stack (transparently from the networking backend). NetworkPolicies then become a simple API-level authentication scheme that is completely independent from the network backend.

This talk will go over the pros and cons of each model, describing specific use-cases where it makes sense to use the one or the other.

It will introduce a new way of implementing those NetworkPolicies that doesn't rely at all on network primitives, but only on the set of labels associated with each pod.

Networking should be used for reachability between cluster nodes, but security and network policies should not always be tied to your networking.


Bernard Van De Walle

Engineer/Product, Aporeto
Working initially on massive production core/edge network routers, I saw the evolution of networking and security from fully physical to the new models emerging today: SDN, virtual networks and massive scaling for micro-services. After spending 4 years implementing a well-recognized...

Thursday March 30, 2017 12:15 - 12:50 CEST
A 05 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

14:00 CEST

High Availability Kubernetes on Bare Metal [A] - Muhammad Kamran Azeem & Henrik Høegh, Praqma
To run mission critical applications on your own datacenter you need high availability on every part of the system. In a Kubernetes cluster, this includes your controllers, etcd, and even the load balancers. This talk will describe setting up high availability mechanisms for Kubernetes Controllers and load balancing nodes. It will also cover creating highly available etcd, worker nodes, and other components necessary in a functioning cluster based on a real world project.


Muhammad Kamran Azeem

Senior Consultant Infrastructure and Security, Praqma
Muhammad Kamran Azeem is a senior consultant for infrastructure and security at Praqma’s Oslo office, where he has been working for the past two years. He brings with him about 20 years of experience covering programming, database administration, networks, information security and...

Henrik Høegh

DevOps consultant, Praqma
Senior consultant with more than 15 years experience within operations, DevOps, and Continuous Delivery on Kubernetes, Docker, Linux, Atlassian, Jenkins. As a DevOps consultant Henrik regularly works with build servers, Container technologies, version control, and agile task management...

Thursday March 30, 2017 14:00 - 14:35 CEST
A 05 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

14:00 CEST

How We Run Kubernetes in Kubernetes, aka Kubeception [I] - Timo Derstappen, Giant Swarm
At Giant Swarm our users want fully-managed Kubernetes clusters without any limitations (incl. privileged access to the nodes). We deploy and manage these clusters either in our data center, in the preferred cloud of the customer, or even on-premise. Both for ourselves as well as for enterprise customers we need full isolation between clusters and an easy way to manage and update clusters without downtime.

In this talk we explain how we use a “mother” Kubernetes to deploy and manage fully-isolated and encrypted Kubernetes clusters for different customers or teams - aka Kubeception. Our model treats (inner) Kubernetes clusters as a third party resource and manages them with a custom controller. This way we have an automated way of provisioning and managing clusters without additional tooling or complex monitoring setups. Further, through our API, we are able to spin clusters up and down on demand, scale them, update them, keep track of which clusters are available, and assign them to organizations and teams flexibly.


Timo Derstappen

CTO, Giant Swarm
Timo Derstappen is CTO and co-founder of Giant Swarm. He has many years of experience in building scalable and automated cloud architectures.

Thursday March 30, 2017 14:00 - 14:35 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

14:45 CEST

Elephants on Automatic: HA Clustered PostgreSQL with Helm [I] - Josh Berkus, Red Hat & Oleksii Kliukin, Zalando
Kubernetes and Helm are not only the best way to automate high-availability PostgreSQL clusters, they're also the easiest! Join us to find out how you can deploy several different PostgreSQL cluster types using Helm in 30 minutes or less.

Helm is a package manager of choice for the Kubernetes community. PostgreSQL is the most advanced open-source database and is quickly becoming the relational database of choice for numerous developers running their applications in the cloud. In this talk, we are going to show two different types of fully automated PostgreSQL clusters with Helm: Spilo and CitusDB. Spilo provides automated failover and support services for single-master database clusters, and CitusDB provides sharded, big-data PostgreSQL.

We will demonstrate both of these types of clusters (and possibly others), explain how the Helm charts which set them up work, and how you can modify them to support your production environment.


Josh Berkus

Kubernetes Community Manager, Red Hat
Josh Berkus is co-chair of TAG Contributor Strategy, and works for Red Hat Open Source Program Office. In his 25 years of open source contributions, he has been part of developing governance and growing contributor communities for countless projects, including Kubernetes, PostgreSQL...

Oleksii Kliukin

Database Engineer, Zalando SE
Oleksii Kliukin is an engineer for Zalando, where he helps improve and maintain Spilo and Patroni, providing the fashion giant with fully-automated, self-deploying database clusters.

Thursday March 30, 2017 14:45 - 15:20 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

14:45 CEST

Kubernetes-Defined Monitoring [I] - Gianluca Borello, Sysdig
Over the past few years we’ve all learned how Kubernetes can dramatically change the process of deploying an application, improve reliability, and accelerate operations. As Kubernetes matures, I believe it will have ripple effects on other elements of DevOps, including monitoring.

In this talk, we’ll explore the question, “What if Kubernetes also defined and automated monitoring?” We’ll explore some of the available tooling to answer questions like:

* What are the right ways to instrument Kubernetes minions & pods?
* How do you effectively get visibility into aggregate microservices vs just containers?
* How can Kubernetes automate the act of setting up monitoring dashboards and alerts?
* How can teams use Kubernetes to allow them to isolate monitoring data more effectively, so that the right data is exposed only to the right people?

This will be a demo-driven session, based on a real Kubernetes environment, using a variety of tools at our disposal. Attendees should have a basic understanding of Kubernetes deployments as well as monitoring requirements.


Gianluca Borello

Gianluca is an engineering manager at Sysdig, where he wears many hats. He's a core developer of sysdig, an open source troubleshooting tool for Linux and containers, and spends his days dealing with backend development, performance analysis and cloud infrastructure management. Prior...

Thursday March 30, 2017 14:45 - 15:20 CEST
A 05 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

15:40 CEST

IPVS for Scaled Private Cloud Load Balancing [I] - Kimberly Messimer, Comcast VIPER
In this talk, we discuss how Comcast VIPER addresses network-scaling bottlenecks using IPVS as a load balancer. We discuss the benefits including enabling us to achieve over 500Gbit/s egress from a modest Kubernetes cluster as well as dynamic VIP allocation.

Using a tool we’ve written in-house called Kube2IPVS, which utilizes Kubernetes config maps, we can assign an ingress IP address and port to a Kubernetes service, and our load balancer will automatically reconfigure, with no downtime, to load balance traffic into a service.

We go into technical detail in this presentation, starting with a brief overview of IPVS and why it’s useful. We will then descend into the requirements surrounding L2 adjacency and why ARP is your frenemy. We’ll discuss how we addressed the challenges of running IPVS internal to Kubernetes, including IPVS master and backend co-location.

Finally, we'll highlight how port forwarding is not possible using IPVS in direct-reply mode, and then discuss how Kube2IPVS manages iptables rules to route packets directly into Kubernetes service chains, effectively bypassing this restriction.

We expect to have Kube2IPVS open-sourced in 2017.


Kimberly Messimer

Principal Systems Engineer, Comcast VIPER

Thursday March 30, 2017 15:40 - 16:15 CEST
A 05 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

15:40 CEST

Success of CRI: Bringing Hypervisor Based Container to Kubernetes [I] - Lei Zhang, HyperHQ
CRI, aka Container Runtime Interface, is the new mechanism designed to plug any container runtime into Kubernetes. In this presentation, I will explain how we introduce the hypervisor-based container into Kubernetes as a native container runtime by using CRI, which enables users to serve their customers directly with virtualized containers instead of wrapping them inside full-blown VMs. CRI design principles and implementation details will be explained, as well as the essential differences between Kubernetes and other projects like SwarmKit and how hyper.sh made the choice. Today, many developers are not comfortable with Linux containers as an effective boundary and require a stronger degree of isolation, particularly those running in a multi-tenant environment. We believe HyperContainer with Kubernetes is one of the best answers.


Lei Zhang

Core Dev Member, HyperHQ
PhD candidate, and also a feature maintainer of Kubernetes project. I once worked for Cloud Foundry team in VMware and Baidu. Now as HyperCrew, the author team of world's leading open-source hypervisor based container. I mainly focus on Kubernetes upstream about scheduler and CRI...

Thursday March 30, 2017 15:40 - 16:15 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

16:25 CEST

Sched.net: A Network-Aware Kubernetes Scheduler [I] - Akash Gangil & Salvatore Orlando, VMware
Different workloads have different optimal scheduling requirements. For instance, a video streaming microservice would need higher network bandwidth than a microservice running the codec. Kubernetes exposes an interface to build a custom scheduler. In this talk, we will show how better scheduling decisions can be made with information about the network topology. The scheduler would make pod scheduling decisions as a function of network health, in addition to other resources like cpu and memory predicates used by the default scheduler.

The talk would highlight:
* How kubernetes empowers the users to build their own custom scheduler and challenges that come along with it.
* Why we needed sched.net over the current default scheduler?
* Demonstrate how better scheduling decisions can be made, if the scheduler is also aware of the current network state with a simple demo described below.

Demo setup would consist of kubernetes with OVN as a networking backend using the ovn-kubernetes plugin. It provides a well defined translation between Kubernetes and OVN logical network abstractions. Ex: namespace → logical switch, pod → logical switch port. Sched.net would be implemented by adding a predicate function which would determine “network health” from information gathered from OVN controller.


Akash Gangil

Software Engineer, Uhana
Akash is currently a Sr. Software Engineer at Uhana. Previously, he was a software engineer at Networking and Security Business Unit at VMware. He worked at enabling VMware NSX as a networking fabric for Kubernetes. He recently graduated from Georgia Tech with a focus on Computer...

Salvatore Orlando

Staff Engineer, VMware
Salvatore used to be very involved with Openstack Networking. He actually implemented the first version of the Neutron API, then called Quantum. It was so good it had to be re-done from scratch. At some point he decided he made enough damage and left. After spending some time picking...

Thursday March 30, 2017 16:25 - 17:00 CEST
B 05 - B 06 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

16:25 CEST

Switching From External Load Balancing to consul & ingress [I] - Dan Wilson, Concur
At Concur we integrated our Kubernetes clusters with our own internal F5 ecosystem, which worked well for internal data center deployments but turned out to be cumbersome when trying to maintain a consistent setup for our cloud environments. We'll discuss the issues that we faced and the new architecture that we're using, which combines Consul for DNS service discovery with Kubernetes ingress in a multi-cluster Kubernetes design.


Dan Wilson

Principal Architect IV, Concur
I have a passion for collaborating across the business and using data to drive decision making. My primary areas of focus include container orchestration, developer pipeline, cloud service architecture, scale out technologies, design for failure and open source technologies.

Thursday March 30, 2017 16:25 - 17:00 CEST
A 05 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany