Kubernetes Integration Guide

Cloud-Native Security

Aporeto Kubernetes Integration Guide

The purpose of this document is to describe the features of Aporeto that secure application services deployed on Kubernetes clusters.

General Functional Overview

Aporeto offers a Zero Trust Security solution for microservices, containers and cloud. The Aporeto solution decouples security from the underlying network infrastructure. All requests, at the network or API layer, made between application components or between a user and an application are first authenticated and then authorized, following the Zero Trust methodology. Identity is central to authentication and authorization. Aporeto assigns every application component a unique service identity that provides context on the following:

- Where is this application running: public or private cloud-specific information, for example cloud name and cloud region.
- What is this application running: the container image running.
- Who started this application: the Kubernetes service account or user that launched the application.
- What is the reputation of this application: vulnerabilities (CVEs) associated with the container.
- Any assigned metadata from any third-party system: user-assigned metadata through Kubernetes.

When an application is launched in a Kubernetes environment, Aporeto introspects the Kubernetes APIs and extracts this identity information. Aporeto also combines this application identity from Kubernetes with metadata from the cloud provider, the host, and any third-party system (e.g. container image vulnerability scanners) for a comprehensive multi-attribute identity. The multi-attribute service identity assigned to applications allows the creation of dynamic declarative policies tied to an application instance. This new paradigm of dynamic policies allows operations and security teams to achieve continuous deployment of applications with security compliance.

Since Aporeto policies operate independently of the underlying infrastructure, security policies can be enforced across Kubernetes clusters or across hybrid environments that include Kubernetes and non-Kubernetes deployments. Aporeto supports all formats of Kubernetes, including managed offerings such as Google GKE, AWS EKS, Microsoft Azure AKS and IBM Cloud Kubernetes, as well as private installations such as OpenShift, kubeadm and Heptio.

Aporeto Enforcer on Kubernetes: Architecture

Aporeto secures network access to, from, and between Kubernetes pods, in the same or multiple clusters, and with services outside of Kubernetes, such as an AWS RDS instance. The solution has two core components: the centralized Aporeto Service and a per-node Enforcer. The Aporeto Service is comprised of a set of services for management of policy and Enforcer nodes, monitoring and visualization, and hierarchical access control of Aporeto itself. Remote Enforcer nodes are comprised of two services that run in Kubernetes:

- Kube-squall runs as a Kubernetes ReplicaSet. Kube-squall manages the synchronization (including namespaces and, by default, Kubernetes network policy) between the Kubernetes control plane and the Aporeto control plane. It doesn't handle any application pod data packets.
- Enforcerd runs as a Kubernetes DaemonSet. Each node in the Kubernetes cluster has one instance of enforcerd running.

Figure 1, below, is a logical diagram of the relationships and metadata for Kubernetes, kube-squall, enforcerd, and the Aporeto Service.

Figure 1: Aporeto and Kubernetes architecture

Kube-squall is a Kubernetes controller that synchronizes state between Kubernetes and Aporeto. It reacts to the Kubernetes API calls for network policies, pods, and namespaces, and translates them into Aporeto metadata equivalents. Enforcerd is the distributed enforcement point for an Aporeto environment. Enforcerd monitors, reports, and enforces security intent (currently, network access) of pods on each Kubernetes node. Instantiated via a Kubernetes DaemonSet, the domain of an enforcerd instance is the set of pods on the Kubernetes node on which it runs.

Enforcerd and the Kubernetes Pod: Policy Distribution and Contextual Identity Extraction

Kube-squall monitors the API request and forwards pod metadata to the Aporeto Service. Enforcerd downloads the network policies for the pod, and enforces network policy for connections to and from the pod based on the extracted contextual identity and the downloaded network policy. Figure 2, below, shows an example of an nginx pod depicted as a Processing Unit (PU) in the Aporeto web interface.

Figure 2: Aporeto Tags extracted from a Kubernetes pod

Contextual identity for a pod is derived from the following:

- Kubernetes host and cloud environment (from enforcerd)
- Kubernetes, including the namespace (from kube-squall)
- Kubernetes container backend and image (e.g. docker)
- User-specific context (in the form of Kubernetes pod labels)
- Third-party data hooks, such as container image scanning CVE data, from Aporeto

In the above example, the app=app1 and role=service1 Tags were derived from user-specified Kubernetes labels in the corresponding pod definition.

Figure 3: Google GKE web interface for the pod definition corresponding to the imported pod metadata referenced in Figure 2

Figure 4: Sample Aporeto network policy for a Kubernetes pod

Since our example app1service1 service has the app=app1 and role=service1 Tags, per this example policy, any other service with app=app1 and role=service2 may connect.

In Figure 5, above, we created instances of service2 with app=app1 and role=service2 in the same Kubernetes cluster. By policy, these service2 instances were permitted to connect to app1service1. We also created two instances of someservice without the appropriate Kubernetes labels, and the connections from these instances to app1service1 were denied. External to the Kubernetes cluster, we also created Linux instances wrapped by Aporeto with and without policy-matching labels, and connections from these instances to app1service1 were also appropriately policed. The labels sent as part of the data path connection handshake are cryptographically signed, preventing unauthorized label negotiation and TCP replay attacks.

Up to this point is a description of the Aporeto core enforcement workflow. In the following sections, we describe individual Aporeto integrations with Kubernetes that not only power the core workflow, but enhance it and differentiate Aporeto as an enterprise security solution for cloud-native services.

Feature: Aporeto Service Installer for Kubernetes

Aporeto has a command-line tool that installs the complete Aporeto Service on a given Kubernetes cluster. Customers can install the full Aporeto centralized service anywhere they can run Kubernetes, on premises or in the cloud. The Aporeto Service Installer orchestrates the download, installation, and initial configuration of the Aporeto Service.

The enforcerd is installed in the cluster through a DaemonSet. The corresponding configurations are auto-created by the Aporeto Service and include a ConfigMap, Secrets, a ReplicaSet definition for kube-squall, and a DaemonSet definition for enforcerd. The YAML bundle can only be used on a single Kubernetes cluster and can only be created by an authorized Aporeto user. The workflow for the Aporeto Enforcer installation on Kubernetes is automated, easy, and secure. The installation procedure generates a set of customised YAML files that are ready to be launched on any Kubernetes cluster. Those YAML files describe the pods required for the Aporeto solution to run, together with the certificates needed for authentication on the Aporeto system.

Feature: Network Policy with Kubernetes

There are two different modes to manage policies from Kubernetes. The chosen mode determines whether Kubernetes or Aporeto is the authority for network policy, and it can be decided per Kubernetes cluster instance:

- Kubernetes NetworkPolicy: the default, as described in this section.
- NoPolicies: in this mode, the policies are created directly on Aporeto's API, and Kubernetes policies are not synced to Aporeto at all. This mode should be used if the admin wishes to use all the features available on Aporeto's backend.

Kubernetes provides a NetworkPolicy resource to define which pods in a Kubernetes cluster may connect. Kubernetes itself does not implement enforcement of a defined NetworkPolicy; Aporeto automatically imports it. When Kubernetes NetworkPolicy resources are created, updated, or deleted, the kube-squall component intercepts the API request and forwards the change to the Aporeto Service.

As mentioned in Enforcerd and the Kubernetes Pod: Policy Distribution and Contextual Identity Extraction, above, when a Kubernetes pod is created, the Aporeto enforcerd component downloads the appropriate policy based on the extracted contextual identity related to the pod. For example, the Aporeto network policy in Figure 4, above, corresponds to the following Kubernetes NetworkPolicy definition:

Figure 6: Sample Kubernetes NetworkPolicy definition that corresponds to the Aporeto network policy in Figure 4

While Kubernetes network policy is generally used to express the intent of allowable connectivity within a single Kubernetes cluster, Aporeto can secure network access between pods across multiple Kubernetes clusters if the Kubernetes administrator can coordinate label usage (see Feature: Aporeto namespace management for Kubernetes, below, for more information).
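The Figure 6 manifest was not transcribed, so the following is an added example (not the guide's own figure) of what the pod definition behind Figure 3 and the NetworkPolicy behind Figure 6 look like in Kubernetes terms: a pod labelled app=app1 and role=service1, and a policy that admits ingress to it only from pods labelled app=app1 and role=service2. The namespace app1-ns, the pod name and the image are assumptions for illustration.

```yaml
# Added example: a pod whose labels become the Tags app=app1 and role=service1,
# and the NetworkPolicy that allows only app=app1,role=service2 pods to reach it.
# Assumed values: namespace "app1-ns", pod name "app1service1", image "nginx:1.25".
---
apiVersion: v1
kind: Pod
metadata:
  name: app1service1
  namespace: app1-ns
  labels:
    app: app1        # imported by kube-squall as the Tag app=app1
    role: service1   # imported by kube-squall as the Tag role=service1
spec:
  containers:
    - name: nginx
      image: nginx:1.25
      ports:
        - containerPort: 80
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-service2-to-service1
  namespace: app1-ns
spec:
  # Destination side: every pod in app1-ns carrying both labels is selected and
  # thereby isolated for ingress; anything not matched by a rule below is dropped.
  podSelector:
    matchLabels:
      app: app1
      role: service1
  policyTypes:
    - Ingress
  ingress:
    # Source side: a podSelector with no namespaceSelector matches pods in the
    # policy's own namespace only. Pods lacking either label (the "someservice"
    # instances in the text) do not match, so their connections are denied.
    - from:
        - podSelector:
            matchLabels:
              app: app1
              role: service2
      ports:
        - protocol: TCP
          port: 80
```

Apply both documents with kubectl apply -f; in Kubernetes NetworkPolicy mode the create/update/delete of the NetworkPolicy is what kube-squall intercepts and forwards to the Aporeto Service, while the pod's labels are what enforcerd uses to pick the policy for the pod. Note that this policy only covers ingress to service1; egress and any source outside this namespace or cluster are outside what the selector labels can express.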

Feature Option: Aporeto Policy for Capabilities Outside of Kubernetes

The Kubernetes NetworkPolicy capabilities do not support the following features:

- Explicit deny of source and/or destination
- Connection logging
- Encryption

If any of this functionality is desired for Kubernetes pods, use the NoPolicies mode instead of the Kubernetes NetworkPolicy mode. Remember that, per Kubernetes instance, Kubernetes NetworkPolicy mode and NoPolicies mode are mutually exclusive. To prevent conflicts, NetworkPolicy definitions that are imported from Kubernetes cannot be overridden in Aporeto.

Figure 7: Configuration of actions for connection attempts that match source and target Tags in the Aporeto web interface

The ability of Aporeto to automatically import and apply Kubernetes NetworkPolicy definitions gives Kubernetes users a familiar YAML interface for declaring intent for allowed network connections between Kubernetes pods in the same or multiple clusters, external services, and non-Kubernetes compute platforms (e.g. Docker, Linux). Depending on the security need, Aporeto is flexible with network policy. Administrators can use either Kubernetes NetworkPolicy, Aporeto network policy, or both.

Kubernetes Namespace Mapping and Hierarchical Management in Aporeto

A Kubernetes namespace is a virtual cluster context for running Kubernetes pods/containers and for scoping Kubernetes features such as resources, role-based access control, and network policy. Enterprises may also use Kubernetes namespaces to separate business units, applications, etc. An Aporeto namespace is a security context for Enforcer node registration, network policy, monitoring/visualization, and authorization of actions.

When a Kubernetes cluster is added to the Aporeto security domain (by installation and registration of the Enforcer package), the Kubernetes cluster is represented as a sub-namespace of an Aporeto account user's namespace, with the Kubernetes namespaces mapped underneath that sub-namespace.

Figure 8A: Sample Kubernetes cluster and namespace mapping in Aporeto for the aporeto user account/namespace

While the Kubernetes namespace domain is the Kubernetes cluster, the Aporeto namespace domain can be composed of multiple Kubernetes clusters and, in a heterogeneous compute platform environment, can also include Linux and Docker clusters. The Aporeto namespace is hierarchical, allowing for layered access and policy control. For example, the entire enterprise can be represented at the Aporeto root namespace /, which can contain enterprise-wide network policy, such as allowing company access to DNS servers. First-level namespaces can represent company organizations (e.g. /prod and /qa) and can both inherit policies and have policies specific to the organization. Using a combination of labels, namespaces, and policy in an Aporeto hierarchical namespace structure, enterprise administrators, developers, and security teams can intelligently define security policy with layered control.

Securing Multiple Kubernetes Clusters with Aporeto

Aporeto secures environments with multiple Kubernetes clusters. In Aporeto, each Kubernetes cluster is mapped to its own namespace within an Aporeto user account namespace. The Aporeto namespace hierarchy and contextual identity for application services allow for flexible configurations based on the organizational security needs. Kubernetes scopes application labels to a single cluster, but since Aporeto carries application labels into the data path, your application labels can have meaning for your entire organization, including across multiple Kubernetes clusters.

Example Configuration: Separating Multiple Instances of Applications by Cluster

In this example, each instance of app1 service1 connects to its respective service2, and we want to make sure each service1 does not connect to the service2 in the other cluster. In Aporeto, this network policy and these labels can be specified as:

IF the source has namespace=k8s-1, app=app1, role=service1
AND IF the destination has namespace=k8s-1, app=app1, role=service2
THEN permit the connection
(repeat for k8s-2)

Figure 8B: Separating application services by Kubernetes cluster

Example Configuration: Separating Services by Application and Service Names

In this example, service types are separated by cluster. Perhaps service2 has a high-performance data store need that is only accessible by Kubernetes cluster k8s-2. Service1 might be web frontend applications that, based on routing needs, are best hosted in Kubernetes cluster k8s-1. As with the previous example, we want to keep app1 and app2 separated, even though the application services are not only distributed, but require separation in multiple clusters. In this case, the cluster name can be dropped, unless the app and role labels might be used in another organization or cluster. In Aporeto, this network policy and these labels can be specified as:

IF the source has app=app1, role=service1
AND IF the destination has app=app1, role=service2
THEN permit the connection
(repeat for app2)

Figure 8C: Separating application services by application

Example Configuration: External Services Definition in Aporeto

In both of these examples, network policy items that are common to child namespaces can be expressed in the parent namespace. For example, a common, external DNS service (external to the Kubernetes cluster) that should be accessed by services in k8s-1 and k8s-2 can be accessed via a network policy rule at the parent /my-organization namespace. This is specified as an Aporeto rule rather than a Kubernetes rule, as an external DNS service cannot be expressed in Kubernetes network policy selector labels, but Aporeto can represent an external service as a combination of an IP address and an Aporeto label.

Figure 8D: Example external service definition in Aporeto

With this external services definition, we can allow access to the external DNS server from any point in our hierarchical namespace structure, and can refer to the external service like any other identified service protected by Aporeto. In this example, we can allow access from services to role=externaldns to allow DNS access from services in Kubernetes clusters k8s-1 and k8s-2. Both ingress and egress traffic between application services hosted in Kubernetes and services external to the Kubernetes cluster can be controlled by Aporeto in this manner. The Aporeto hierarchical namespace, label definition, and external service access control give administrators flexible, layered control over the Aporeto domain.

When to use Aporeto Network Policy versus Kubernetes Network Policy

In some Aporeto security workflows, the Kubernetes object definition structure may not be sufficient to express security intent. For example, to set the application service network policy corresponding to a Kubernetes namespace to default-deny, the admin sets an annotation for the namespace. Two other features are even more removed: there's currently no facility in the Kubernetes namespace or network policy resources to require connection logging and encryption.

For these cases, instead of importing a Kubernetes network policy, a network policy that requires connection logging or encryption can be defined in an Aporeto rule. Aporeto network policy and Kubernetes network policy can co-exist in an Aporeto environment.
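As an added illustration of the gap described above (this is not from the guide), the manifest below shows the one namespace-wide intent that Kubernetes can express: default deny of ingress to every pod in a namespace. The guide refers to a namespace annotation for this, which is how early Kubernetes releases expressed it; current releases express the same intent as a NetworkPolicy with an empty podSelector, which is the form shown here. The namespace app1-ns is an assumption. The comments mark the three capabilities the guide lists that have no field in this resource.

```yaml
# Added example: namespace-wide default deny of ingress, expressed as a
# NetworkPolicy rather than the namespace annotation the guide mentions.
# Assumed namespace: "app1-ns".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: app1-ns
spec:
  podSelector: {}      # empty selector: every pod in app1-ns is isolated for ingress
  policyTypes:
    - Ingress          # no ingress rules are listed, so all inbound connections are denied
  # What cannot be written here, per the guide's list:
  #   - an explicit deny of a named source or destination (only allow rules exist;
  #     anything unmatched is implicitly dropped, with no record of the attempt),
  #   - a request that matched connections be logged,
  #   - a requirement that matched connections be encrypted.
  # Those are expressed as Aporeto rules, which the guide says are used in
  # NoPolicies mode and can co-exist with imported Kubernetes policies.
```

Any allow policy added later in the same namespace (such as the app1 service1/service2 policy earlier in this guide) is combined additively with this one, so the deny stays the baseline and each allow rule opens only the flows it names.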

Subfeature: Aporeto Namespace Audit Logs

Aporeto logs every major Aporeto object create, read, update, and delete (CRUD) operation, allowed and denied, in the Audit Logs. When a change is made, Aporeto displays the differences in an audit log entry. This logging can be used as part of configuration change management (providing evidence of access and compliance) and forensic analysis (for example, determining what policy changes prevented network access between two particular services in a Kubernetes cluster).

Figure 9: A sample Aporeto audit log entry showing the update of a Processing Unit

Feature: Other Identity Types that can be Used with Kubernetes

Time of Day

Policies in Aporeto can be qualified by time of day. For example, you might have a Kubernetes service that you want to allow access from other services during working hours/days.

Amazon Web Services (AWS) Tags

In addition to standard Aporeto system Tags, as well as user-specific Tags as part of a container compute platform, Aporeto provides these AWS-specific Tags for EC2 instances:

- AWS Region, AWS Availability Zone
- AWS Image ID, AMI launch index
- Local IPv4 address, MAC address, AWS Hostname
- AWS Instance Action, Reservation ID, Version, architecture

Any of these can be used as source or destination Tags for connections to application services in an Aporeto-protected Kubernetes cluster.

Linux Tags

For Linux processes connecting to/from application services hosted on Kubernetes, these Linux-related Tags can be used:

- Linux user name
- Binary checksum
- Library dependencies

If automatically extracted identity or identity mechanisms via compute platforms (e.g. Cloud, Docker, or Kubernetes labels) are insufficient, developers can write code for a generic Aporeto plugin to connect with any third-party service and define application identity however needed. As a usable example of extensible identity, Aporeto provides integration with the CoreOS Clair image vulnerability scanner. Aporeto matches the image with the results of the static image vulnerability scanner and automatically creates Aporeto Tags that can be used in policy to re-map Processing Units to other namespaces and/or effect changes to access by network policy.

Figure 10, below, depicts a Processing Unit with image vulnerability Tags.

Figure 10: External vulnerability image scanner results as Aporeto Tags

Feature: Flow Visibility and Network Policy Suggestions

Run Aporeto in Design Mode to Observe your Current Service Network Flows

Design Mode sets the default network policy in a namespace to allow all, except for any explicitly defined Deny policies. Design Mode distinguishes between flows with and without policy as solid and dashed lines, respectively. Figure 11 shows a zoomed-in view of two applications running in multiple Kubernetes clusters hosted on multiple cloud providers.

Figure 11: Aporeto Design Mode observation of multiple Kubernetes clusters in the multicloud

Create network policy based on desired security posture and application attributes.

In Design Mode, flows with policy are represented as solid lines, while flows without policy are represented as dashed lines. Turn off Design Mode for a Zero Trust posture: only traffic with policy is permitted.

View Contextual Identity that's already Part of your CI/CD Pipeline

Following up on the multiple Kubernetes clusters example above, you can click on one of the Processing Units (the name Aporeto gives to all monitored services, regardless of platform), per Figure 12, to see what identity is already part of your applications.

Figure 12: Aporeto detailed view of contextual identity of a Kubernetes pod

The Aporeto Tags for each service are derived from the compute platform during container creation and from live state (e.g. $operationalstatus). As expected from a cloud-native system, this information is also available via Aporeto API endpoints. Some of these Tags are derived as a result of user input to the compute platform. In this example, the app and role Tags came from a Kubernetes pod definition (see Figure 13, below).

Figure 13: Kubernetes YAML definition for the backend pod of the Aporeto demonstration lab

Aporeto can Suggest a Network Policy for your Current Flows

Aporeto can show you your application service flows, but how can you start with Aporeto network access policy definitions? With a click of a button in the Aporeto permissive view, Aporeto can suggest a policy based on observed traffic flows and the contextual identity detected by the Aporeto Enforcer nodes that are watching your applications.

Figure 14: Aporeto can automatically recommend a network access policy for your applications

For example, we want frontend services in each cluster to be able to communicate with only their local backend services. Our suggestion for this narrowed observed-flows view picks the Tags for source and destination services that are unique to the observed flows. If this is too specific or not specific enough, you can edit these prior to policy creation. Network access policies in Aporeto are automatically pushed to Aporeto Enforcer nodes in the same namespace. Figure 15, below, shows permitted and denied flows after adding the suggested Aporeto policy.

Figure 15: Use an Aporeto network policy to restrict access between your application services

Conclusion

In summary, Aporeto offers the following capabilities to help developers, DevOps and security teams achieve continuous deployment for applications with compliance:

1 Security policies operate independently of infrastructure, allowing policy governance in cross-cluster and heterogeneous deployments.
2 Visibility for application flows across clusters and heterogeneous environments to prove compliance.
3 Security policies are defined as code, allowing version control and automation.

All of these capabilities rely on service identity, which is abstracted from infrastructure and independent of IP addresses. For more information, visit:


More information

DEPLOY MODERN APPS WITH KUBERNETES AS A SERVICE

DEPLOY MODERN APPS WITH KUBERNETES AS A SERVICE SOLUTION OVERVIEW DEPLOY MODERN APPS WITH KUBERNETES AS A SERVICE Cut Costs and Control Access with VMware Kubernetes Engine Digital transformation, the Internet of things, the growing popularity of public

More information

2018 Cisco and/or its affiliates. All rights reserved.

2018 Cisco and/or its affiliates. All rights reserved. Beyond Data Center A Journey to self-driving Data Center with Analytics, Intelligent and Assurance Mohamad Imaduddin Systems Engineer Cisco Oct 2018 App is the new Business Developer is the new Customer

More information

Securing Microservices Containerized Security in AWS

Securing Microservices Containerized Security in AWS Securing Microservices Containerized Security in AWS Mike Gillespie, Solutions Architect, Amazon Web Services Splitting Monoliths Ten Years Ago Splitting Monoliths Ten Years Ago XML & SOAP Splitting Monoliths

More information

Getting Started with AWS Security

Getting Started with AWS Security Getting Started with AWS Security Tomas Clemente Sanchez Senior Consultant Security, Risk and Compliance September 21st 2017 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Move

More information

Puppet on the AWS Cloud

Puppet on the AWS Cloud Puppet on the AWS Cloud Quick Start Reference Deployment AWS Quick Start Reference Team March 2016 This guide is also available in HTML format at http://docs.aws.amazon.com/quickstart/latest/puppet/. Contents

More information

Kubernetes 101. Doug Davis, STSM September, 2017

Kubernetes 101. Doug Davis, STSM September, 2017 Kubernetes 101 Doug Davis, STSM September, 2017 Today's Agenda What is Kubernetes? How was Kubernetes created? Where is the Kubernetes community? Technical overview What's the current status of Kubernetes?

More information

Kubernetes - Networking. Konstantinos Tsakalozos

Kubernetes - Networking. Konstantinos Tsakalozos Kubernetes - Networking Konstantinos Tsakalozos Kubernetes From the greek word κυβερνήτης originally designed by Google and donated to the Cloud Native Computing Foundation. Presented at "Large-scale cluster

More information

Hacking and Hardening Kubernetes

Hacking and Hardening Kubernetes SESSION ID: HT-W02 Hacking and Hardening Kubernetes Jay Beale CTO InGuardians, Inc @jaybeale and @inguardians Adam Crompton Senior Security Analyst InGuardians, Inc. @3nc0d3r and @inguardians Table of

More information

CONTAINERS AND MICROSERVICES WITH CONTRAIL

CONTAINERS AND MICROSERVICES WITH CONTRAIL CONTAINERS AND MICROSERVICES WITH CONTRAIL Scott Sneddon Sree Sarva DP Ayyadevara Sr. Director Sr. Director Director Cloud and SDN Contrail Solutions Product Line Management This statement of direction

More information

TEN LAYERS OF CONTAINER SECURITY

TEN LAYERS OF CONTAINER SECURITY TEN LAYERS OF CONTAINER SECURITY A Deeper Dive 2 WHAT ARE CONTAINERS? It depends on who you ask... INFRASTRUCTURE APPLICATIONS Sandboxed application processes on a shared Linux OS kernel Simpler, lighter,

More information

ASP.NET Core & Docker

ASP.NET Core & Docker ASP.NET Core & Docker From 0 to Azure in 75 minutes Marco De Sanctis Visual Studio and Development Technologies MVP info@marcodesanctis.it @crad77 What s Docker and why should I care ASP.NET Core & Docker

More information

CPM. Quick Start Guide V2.4.0

CPM. Quick Start Guide V2.4.0 CPM Quick Start Guide V2.4.0 1 Content 1 Introduction... 3 Launching the instance... 3 CloudFormation... 3 CPM Server Instance Connectivity... 3 2 CPM Server Instance Configuration... 4 CPM Server Configuration...

More information

An Introduction to Kubernetes

An Introduction to Kubernetes 8.10.2016 An Introduction to Kubernetes Premys Kafka premysl.kafka@hpe.com kafkapre https://github.com/kafkapre { History }???? - Virtual Machines 2008 - Linux containers (LXC) 2013 - Docker 2013 - CoreOS

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme CNA1612BU Deploying real-world workloads on Kubernetes and Pivotal Cloud Foundry VMworld 2017 Fred Melo, Director of Technology, Pivotal Merlin Glynn, Sr. Technical Product Manager, VMware Content: Not

More information

Efficiently exposing apps on Kubernetes at scale. Rasheed Amir, Stakater

Efficiently exposing apps on Kubernetes at scale. Rasheed Amir, Stakater Efficiently exposing apps on Kubernetes at scale Rasheed Amir, Stakater Problem Kubernetes runs container workloads in Pods... but these are not automatically accessible outside the cluster What options

More information

Symantec Endpoint Protection Family Feature Comparison

Symantec Endpoint Protection Family Feature Comparison Symantec Endpoint Protection Family Feature Comparison SEP SBE SEP Cloud SEP Cloud SEP 14.2 Device Protection Laptop, Laptop Laptop, Tablet Laptop Tablet & & Smartphone Smartphone Meter Per Device Per

More information

Reference Guide Revision B. McAfee Cloud Workload Security 5.0.0

Reference Guide Revision B. McAfee Cloud Workload Security 5.0.0 Reference Guide Revision B McAfee Cloud Workload Security 5.0.0 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

Leveraging the Serverless Architecture for Securing Linux Containers

Leveraging the Serverless Architecture for Securing Linux Containers Leveraging the Serverless Architecture for Securing Linux Containers Nilton Bila, Paolo Dettori, Ali Kanso, Yuji Watanabe*, Alaa Youssef IBM T.J. Watson Research Center New York *IBM Research - Tokyo,

More information

Container Deployment and Security Best Practices

Container Deployment and Security Best Practices Container Deployment and Security Best Practices How organizations are leveraging OpenShift, Quay, and Twistlock to deploy, manage, and secure a cloud native environment. John Morello CTO Twistlock Dirk

More information

DEPLOY MODERN APPS WITH KUBERNETES AS A SERVICE

DEPLOY MODERN APPS WITH KUBERNETES AS A SERVICE SOLUTION OVERVIEW DEPLOY MODERN APPS WITH KUBERNETES AS A SERVICE Cut Costs and Control Access with VMware Cloud PKS Digital transformation, the Internet of things, the growing popularity of public clouds,

More information

NGINX: From North/South to East/West

NGINX: From North/South to East/West NGINX: From North/South to East/West Reducing Complexity with API and Microservices Traffic Management and NGINX Plus Speakers: Alan Murphy, Regional Solution Architect, APAC September, 2018 About NGINX,

More information

A10 HARMONY CONTROLLER

A10 HARMONY CONTROLLER DATA SHEET A10 HARMONY CONTROLLER AGILE MANAGEMENT, AUTOMATION, ANALYTICS FOR MULTI-CLOUD ENVIRONMENTS PLATFORMS A10 Harmony Controller provides centralized agile management, automation and analytics for

More information

Enabling Multi-Cloud with Istio Stretching an Istio service mesh between Public & Private Clouds. John Joyce Robert Li

Enabling Multi-Cloud with Istio Stretching an Istio service mesh between Public & Private Clouds. John Joyce Robert Li Enabling Multi-Cloud with Istio Stretching an Istio service mesh between Public & Private Clouds John Joyce Robert Li Introduction Extending an Application across Multiple Clouds Public Cloud microservice

More information

Container Orchestration on Amazon Web Services. Arun

Container Orchestration on Amazon Web Services. Arun Container Orchestration on Amazon Web Services Arun Gupta, @arungupta Docker Workflow Development using Docker Docker Community Edition Docker for Mac/Windows/Linux Monthly edge and quarterly stable

More information

CLOUD WORKLOAD SECURITY

CLOUD WORKLOAD SECURITY SOLUTION OVERVIEW CLOUD WORKLOAD SECURITY Bottom line: If you re in IT today, you re already in the cloud. As technology becomes an increasingly important element of business success, the adoption of highly

More information

Red Hat CloudForms 4.6

Red Hat CloudForms 4.6 Red Hat CloudForms 4.6 Integration with OpenShift Container Platform Adding Red Hat OpenShift Container Platform (with Metrics Enabled) as a Container Provider Last Updated: 2018-05-18 Red Hat CloudForms

More information

BoF: Grafeas Using Artifact Metadata to Track and Govern Your Software Supply Chain

BoF: Grafeas Using Artifact Metadata to Track and Govern Your Software Supply Chain BoF: Grafeas Using Artifact Metadata to Track and Govern Your Software Supply Chain Wendy Dembowski, Staff Software Engineer, Google Stephen Elliott, Product Manager, Google Why are these questions so

More information

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY DevOps Anti-Patterns Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! 31 Anti-Pattern: Throw it Over the Wall Development Operations 32 Anti-Pattern: DevOps Team Silo

More information

Kubernetes introduction. Container orchestration

Kubernetes introduction. Container orchestration Kubernetes introduction Container orchestration Container Orchestration Why we need container orchestration? Restart containers if they are not healthy. Provide private container network. Service discovery.

More information

Cisco Tetration Analytics

Cisco Tetration Analytics Cisco Tetration Analytics Enhanced security and operations with real time analytics John Joo Tetration Business Unit Cisco Systems Security Challenges in Modern Data Centers Securing applications has become

More information

Tenable.io User Guide. Last Revised: November 03, 2017

Tenable.io User Guide. Last Revised: November 03, 2017 Tenable.io User Guide Last Revised: November 03, 2017 Table of Contents Tenable.io User Guide 1 Getting Started with Tenable.io 10 Tenable.io Workflow 12 System Requirements 15 Scanners and Agents 16 Link

More information

OpenShift Dedicated 3 Release Notes

OpenShift Dedicated 3 Release Notes OpenShift Dedicated 3 Release Notes Last Updated: 2018-05-17 OpenShift Dedicated 3 Release Notes Legal Notice Copyright 2018 Red Hat, Inc. The text of and illustrations in this document are licensed by

More information

gcp / gke / k8s microservices

gcp / gke / k8s microservices gcp / gke / k8s microservices managing microservices with kubernetes 08.17.2016 Austin GCPUG Lou Scalpati CTO RxWiki microservices What are Microservices generally REST APIs returning json organized around

More information

RED HAT QUAY. As part of OCP Architecture Workshop. Technical Deck

RED HAT QUAY. As part of OCP Architecture Workshop. Technical Deck RED HAT QUAY As part of OCP Architecture Workshop Technical Deck What Is Quay? Market leading enterprise container registry Available on-premise, on public cloud and as a hosted service (SaaS) RED HAT

More information

Cisco Tetration Analytics Demo. Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH

Cisco Tetration Analytics Demo. Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH Cisco Tetration Analytics Demo Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH Agenda Introduction Theory Demonstration Innovation Through Engineering

More information

Pexip Infinity and Amazon Web Services Deployment Guide

Pexip Infinity and Amazon Web Services Deployment Guide Pexip Infinity and Amazon Web Services Deployment Guide Contents Introduction 1 Deployment guidelines 2 Configuring AWS security groups 4 Deploying a Management Node in AWS 6 Deploying a Conferencing Node

More information

Cisco CloudCenter Use Case Summary

Cisco CloudCenter Use Case Summary Cisco CloudCenter Use Case Summary Overview IT organizations often use multiple clouds to match the best application and infrastructure services with their business needs. It makes sense to have the freedom

More information

Technical Brief Distributed Trusted Computing

Technical Brief Distributed Trusted Computing Technical Brief Distributed Trusted Computing Josh Wood Look inside to learn about Distributed Trusted Computing in Tectonic Enterprise, an industry-first set of technologies that cryptographically verify,

More information

This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and

This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and Download the App to download the TIBCO NOW App visit now.tibco.com/2018/mobile-app 2 Mashery Local The Cloud Native API Platform for your Unique Environment Beerinder Rodey - Product Murty Gurajada - Senior

More information

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe, Kubernetes An open platform for container orchestration Johannes M. Scheuermann Karlsruhe, 30.08.2017 Johannes M. Scheuermann Cloud Platform Engineer @ inovex Software-Defined Datacenters Infrastructure

More information

Identity Management and Compliance in OpenShift

Identity Management and Compliance in OpenShift Identity Management and Compliance in OpenShift Or Use DevOps to Make Your Auditors and Suits Happy Marc Boorshtein CTO, Tremolo Security Ellen Newlands Senior Security Product Manager, Cloud Business

More information

ForeScout Amazon Web Services (AWS) Plugin

ForeScout Amazon Web Services (AWS) Plugin ForeScout Amazon Web Services (AWS) Plugin Version 1.1.1 and above Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic Segmentation

More information

Note: Currently (December 3, 2017), the new managed Kubernetes service on Azure (AKS) does not yet support Windows agents.

Note: Currently (December 3, 2017), the new managed Kubernetes service on Azure (AKS) does not yet support Windows agents. Create a Hybrid Kubernetes Linux/Windows Cluster in 7 Easy Steps Azure Container Service (ACS) makes it really easy to provision a Kubernetes cluster in Azure. Today, we'll walk through the steps to set

More information

CogniFit Technical Security Details

CogniFit Technical Security Details Security Details CogniFit Technical Security Details CogniFit 2018 Table of Contents 1. Security 1.1 Servers........................ 3 1.2 Databases............................3 1.3 Network configuration......................

More information

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere. HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD Automated PCI compliance anytime, anywhere. THE PROBLEM Online commercial transactions will hit an estimated

More information

Qualys Cloud Platform

Qualys Cloud Platform 18 QUALYS SECURITY CONFERENCE 2018 Qualys Cloud Platform Looking Under the Hood: What Makes Our Cloud Platform so Scalable and Powerful Dilip Bachwani Vice President, Engineering, Qualys, Inc. Cloud Platform

More information

ebook ADVANCED LOAD BALANCING IN THE CLOUD 5 WAYS TO SIMPLIFY THE CHAOS

ebook ADVANCED LOAD BALANCING IN THE CLOUD 5 WAYS TO SIMPLIFY THE CHAOS ebook ADVANCED LOAD BALANCING IN THE CLOUD 5 WAYS TO SIMPLIFY THE CHAOS Introduction Load balancing isn t just about managing traffic anymore. As your infrastructure expands to include applications in

More information

DevOps Technologies. for Deployment

DevOps Technologies. for Deployment DevOps Technologies for Deployment DevOps is the blending of tasks performed by a company's application development and systems operations teams. The term DevOps is being used in several ways. In its most

More information

Red Hat Quay 2.9 Deploy Red Hat Quay on OpenShift

Red Hat Quay 2.9 Deploy Red Hat Quay on OpenShift Red Hat Quay 2.9 Deploy Red Hat Quay on OpenShift Deploy Red Hat Quay on OpenShift Last Updated: 2019-03-11 Red Hat Quay 2.9 Deploy Red Hat Quay on OpenShift Deploy Red Hat Quay on OpenShift Legal Notice

More information

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers OpenShift 3 Technical Architecture Clayton Coleman, Dan McPherson Lead Engineers Principles The future of *aas Redefine the Application Networked components wired together Not just a web frontend anymore

More information

Configuring AWS for Zerto Virtual Replication

Configuring AWS for Zerto Virtual Replication Configuring AWS for Zerto Virtual Replication VERSION 1 MARCH 2018 Table of Contents 1. Prerequisites... 2 1.1. AWS Prerequisites... 2 1.2. Additional AWS Resources... 3 2. AWS Workflow... 3 3. Setting

More information

Automating Security Practices for the DevOps Revolution

Automating Security Practices for the DevOps Revolution Automating Security Practices for the DevOps Revolution Hari Srinivasan Director Product Management, Cloud and Virtualization Security Qualys Inc. 1 Qualys, Inc. 2018 Agenda Transformation of today s IT

More information

Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content

Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content Introduction to Cloud Computing A Short history Client Server Computing Concepts Challenges with Distributed Computing Introduction

More information

Red Hat Roadmap for Containers and DevOps

Red Hat Roadmap for Containers and DevOps Red Hat Roadmap for Containers and DevOps Brian Gracely, Director of Strategy Diogenes Rettori, Principal Product Manager Red Hat September, 2016 Digital Transformation Requires an evolution in... 2 APPLICATIONS

More information

Growth of Docker hub pulls

Growth of Docker hub pulls millions 6000 Growth of Docker hub pulls 5000 5000 4000 3000 2000 2000 1000 300 800 1200 0 May-15 Jun-15 Jul-15 Aug-15 Sep-15 2016 A Highly Complex Ecosystem Security challenges of container opera3ons

More information

AWS Reference Design Document

AWS Reference Design Document AWS Reference Design Document Contents Overview... 1 Amazon Web Services (AWS), Public Cloud and the New Security Challenges... 1 Security at the Speed of DevOps... 2 Securing East-West and North-South

More information

OpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift

OpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift OpenShift Roadmap Enterprise Kubernetes for Developers Clayton Coleman, Architect, OpenShift What Is OpenShift? Application-centric Platform INFRASTRUCTURE APPLICATIONS Use containers for efficiency Hide

More information

Cisco Application Policy Infrastructure Controller Data Center Policy Model

Cisco Application Policy Infrastructure Controller Data Center Policy Model White Paper Cisco Application Policy Infrastructure Controller Data Center Policy Model This paper examines the Cisco Application Centric Infrastructure (ACI) approach to modeling business applications

More information

Building a Modular and Scalable Virtual Network Architecture with Amazon VPC

Building a Modular and Scalable Virtual Network Architecture with Amazon VPC Building a Modular and Scalable Virtual Network Architecture with Amazon VPC Quick Start Reference Deployment Santiago Cardenas Solutions Architect, AWS Quick Start Reference Team August 2016 (revisions)

More information

CoreOS and Red Hat. Reza Shafii Joe Fernandes Brandon Philips Clayton Coleman May 2018

CoreOS and Red Hat. Reza Shafii Joe Fernandes Brandon Philips Clayton Coleman May 2018 CoreOS and Red Hat Reza Shafii Joe Fernandes Brandon Philips Clayton Coleman May 2018 Combining Industry Leading Container Solutions RED HAT QUAY REGISTRY ETCD PROMETHEUS RED HAT COREOS METERING & CHARGEBACK

More information

Running MarkLogic in Containers (Both Docker and Kubernetes)

Running MarkLogic in Containers (Both Docker and Kubernetes) Running MarkLogic in Containers (Both Docker and Kubernetes) Emma Liu Product Manager, MarkLogic Vitaly Korolev Staff QA Engineer, MarkLogic @vitaly_korolev 4 June 2018 MARKLOGIC CORPORATION Source: http://turnoff.us/image/en/tech-adoption.png

More information

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018 How-to Guide: Tenable Nessus for Microsoft Azure Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable Nessus for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment

More information

Code: Slides:

Code:   Slides: Workshop Resources Code: https://github.com/beekpr/public-workshops Slides: https://tinyurl.com/yc2uo3wk Make sure minikube and kubectl is setup (labs/1-setup-cluster.md has some instructions) Kubernetes

More information

How Security Policy Orchestration Extends to Hybrid Cloud Platforms

How Security Policy Orchestration Extends to Hybrid Cloud Platforms How Security Policy Orchestration Extends to Hybrid Cloud Platforms Reducing complexity also improves visibility when managing multi vendor, multi technology heterogeneous IT environments www.tufin.com

More information

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights IBM Secure Proxy Advanced edge security for your multienterprise data exchanges Highlights Enables trusted businessto-business transactions and data exchange Protects your brand reputation by reducing

More information

Who done it: Gaining visibility and accountability in the cloud

Who done it: Gaining visibility and accountability in the cloud Who done it: Gaining visibility and accountability in the cloud By Ryan Nolette Squirrel Edition $whoami 10+ year veteran of IT, Security Operations, Threat Hunting, Incident Response, Threat Research,

More information

DOCAVE ONLINE. Your Cloud. Our SaaS. A Powerful Combination. Online Services. Technical Overview ADMINISTRATION BACKUP & RESTORE

DOCAVE ONLINE. Your Cloud. Our SaaS. A Powerful Combination. Online Services. Technical Overview ADMINISTRATION BACKUP & RESTORE Online Services Technical Overview DOCAVE ONLINE Your Cloud. Our SaaS. A Powerful Combination. ADMINISTRATION Centralized Management Manage SharePoint Online security, settings, configurations, and content

More information

Service Mesh and Microservices Networking

Service Mesh and Microservices Networking Service Mesh and Microservices Networking WHITEPAPER Service mesh and microservice networking As organizations adopt cloud infrastructure, there is a concurrent change in application architectures towards

More information