

KubeCon Ops
Thursday, March 30

11:30 CEST

Building for Trust: How to Secure Your Kubernetes Cluster [I] - Alexander Mohr & Jess Frazelle, Google
This talk will cover the ways you can secure your Kubernetes cluster using a Certificate Authority, authentication, Secrets and more. We will also describe and demo how Seccomp, AppArmor, SELinux and cgroups can be used to make your application containers as secure as possible.
Alexander Mohr

Senior Engineering Manager, Google
Alex is currently the Technical Lead and Manager of Google Seattle's Kubernetes and Container Engine teams. Previously, he was Engineering Lead for Google Compute Engine's initial public launch, and also led the design and launch of its VM instance manager subsystem.

Jessie Frazelle

Software Engineer, Microsoft
Jess Frazelle works at Microsoft on open source, containers, and Linux. She has been a maintainer of Docker and a contributor to runc, Kubernetes and Go, as well as other projects. She loves all things involving Linux namespaces and cgroups and is probably most well known for running...

Thursday March 30, 2017 11:30 - 12:05 CEST
A 05 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany

12:15 CEST

Network-independent ACLs: Why Security Shouldn't Depend on Your Network [I] - Bernard Van De Walle, Aporeto
The conventional view is that security and ACLs are implemented in the network, through a set of typical firewall rules that rely on IP addresses and port numbers.

In Kubernetes, everything is a label, and pod communication is defined, through NetworkPolicies, as a set of labels that are allowed to communicate with each other.
This model fully abstracts the pod's network information (IP/port) from the pod's identity (its labels).

With the traditional approach, NetworkPolicies are implemented by the Kubernetes networking backend (Flannel, Calico, ...), which translates the policies into a set of IPs/ports that must be constantly updated as pods come and go.

However, another approach is possible: use the labels associated with each pod directly as metadata on the networking stack, transparently to the networking backend. NetworkPolicies then become a simple API-level authentication scheme that is completely independent of the network backend.

This talk will go over the pros and cons of each model, describing specific use cases where it makes sense to use one or the other.

It will introduce a new way of implementing NetworkPolicies that does not rely on network primitives at all, but only on the set of labels associated with each pod.

Networking should be used for reachability between cluster nodes, but security and network policies should not always be tied to your networking.


Bernard Van De Walle

Engineer/Product, Aporeto
Working initially on massive production core/edge network routers, I saw the evolution of networking and security from fully physical to the new models emerging today: SDN, virtual networks and massive scaling for micro-services. After spending 4 years implementing a well-recognized...

Thursday March 30, 2017 12:15 - 12:50 CEST
A 05 Berlin Congress Center, Alexanderstraße 11, 10178 Berlin, Germany