Kubernetes Integration Guide
Margaret Grant
Cloud-Native Security

Aporeto Kubernetes Integration Guide

The purpose of this document is to describe the features of Aporeto that secure application services deployed on Kubernetes clusters.

General Functional Overview

Aporeto offers a Zero Trust Security solution for microservices, containers and cloud. The Aporeto solution decouples security from the underlying network infrastructure. All requests, at the network or API layer, made between application components or between a user and an application are first authenticated and then authorized following the Zero Trust methodology.

Identity is central to authentication and authorization. Aporeto assigns every application component a unique service identity that provides context on the following:

- Where is this application running: public or private cloud-specific information, for example cloud name and cloud region.
- What is this application running: the container image running.
- Who started this application: the Kubernetes service account or user that launched the application.
- What is the reputation of this application: vulnerabilities (CVEs) associated with the container.
- Any assigned metadata from any 3rd party system: user-assigned metadata through Kubernetes.

When an application is launched in a Kubernetes environment, Aporeto introspects the Kubernetes APIs and extracts this identity information. Aporeto also combines this application identity from Kubernetes with metadata from the cloud provider, the host, and any 3rd party system (e.g. container image vulnerability scanners) for a comprehensive multi-attribute identity. The multi-attribute service identity assigned to applications allows the creation of dynamic declarative policies tied to an application instance. This new paradigm of dynamic policies allows operations and security teams to achieve continuous deployment of applications with security compliance.

Since Aporeto policies operate independently of the underlying infrastructure, security policies can be enforced across Kubernetes clusters or across hybrid environments that include Kubernetes and non-Kubernetes deployments. Aporeto supports all forms of Kubernetes, including managed offerings such as Google GKE, AWS EKS, Microsoft Azure AKS and IBM Cloud Kubernetes, as well as private installations such as OpenShift, kubeadm and Heptio.
Aporeto Enforcer on Kubernetes: Architecture

Aporeto secures network access to, from, and between Kubernetes pods, in the same or multiple clusters, and with services outside of Kubernetes, such as an AWS RDS instance. The solution has two core components: the centralized Aporeto Service and a per-node Enforcer. The Aporeto Service is comprised of a set of services for management of policy and Enforcer nodes, monitoring and visualization, and hierarchical access control of Aporeto itself. Remote Enforcer nodes are comprised of two services that run in Kubernetes:

- Kube-squall runs as a Kubernetes ReplicaSet. Kube-squall manages the synchronization (including namespaces and, by default, Kubernetes network policy) between the Kubernetes control plane and the Aporeto control plane. It doesn't handle any application pod data packets.
- Enforcerd runs as a Kubernetes DaemonSet. Each node in the Kubernetes cluster will have one instance of enforcerd running.

Figure 1, below, is a logical diagram of the relationships and metadata for Kubernetes, kube-squall, enforcerd, and the Aporeto Service.

Figure 1: Aporeto and Kubernetes architecture

Kube-squall is a Kubernetes controller that synchronizes state between Kubernetes and Aporeto. Kube-squall reacts to the Kubernetes API calls for network policies, pods, and namespaces, and translates them into Aporeto metadata equivalents. Enforcerd is the distributed enforcement point for an Aporeto environment. Enforcerd monitors, reports, and enforces security intent (currently, network access) of pods on each Kubernetes node. Instantiated via a Kubernetes DaemonSet, the domain of an enforcerd instance is the set of pods on the Kubernetes node on which it runs.

Enforcerd and the Kubernetes Pod: Policy Distribution and Contextual Identity Extraction

Kube-squall monitors the API request and forwards pod metadata to the Aporeto Service. Enforcerd downloads network policies for the pod, and enforces network policy for connections to and from the pod based on the extracted contextual identity and the downloaded network policy. Figure 2, below, shows an example of an nginx pod depicted as a Processing Unit (PU) in the Aporeto web interface:

Figure 2: Aporeto Tags extracted from a Kubernetes pod

Contextual identity for a pod is derived from the following:

- Kubernetes host and cloud environment (from enforcerd)
- Kubernetes, including the namespace (from kube-squall)
- Kubernetes container backend and image (e.g. Docker)
- User-specific context (in the form of Kubernetes pod labels)
- Third-party data hooks, such as container image scanning CVE data from Aporeto
In the above example, the app=app1 and role=service1 Tags were derived from user-specified Kubernetes labels in the corresponding pod definition.

Figure 3: Google GKE web interface for the pod definition corresponding to the imported pod metadata referenced in Figure 2

Figure 4: Sample Aporeto network policy for a Kubernetes pod

Since our example app1service1 service has the app=app1 and role=service1 Tags, per this example policy, any other service with app=app1 and role=service2 may connect.

In Figure 5, above, we created instances of service2 with app=app1 and role=service2 in the same Kubernetes cluster. By policy, these service2 instances were permitted to connect to app1service1. We also created two instances of someservice without the appropriate Kubernetes labels, and the connections from these instances to app1service1 were denied. External to the Kubernetes cluster, we also created Linux instances wrapped by Aporeto with and without policy-matching labels, and connections from these instances to app1service1 were also appropriately policed. The labels sent as part of the data path connection handshake are cryptographically signed, preventing unauthorized label negotiation and TCP replay attacks.

Up to this point we have described the Aporeto core enforcement workflow. In the following sections, we describe individual Aporeto integrations with Kubernetes that not only power the core workflow but enhance it and differentiate Aporeto as an enterprise security solution for cloud-native services.

Feature: Aporeto Service Installer for Kubernetes

Aporeto has a command-line tool that installs the complete Aporeto service on a given Kubernetes cluster. Customers can install the full Aporeto centralized service anywhere they can run Kubernetes, on premises or in the cloud. The Aporeto Service Installer orchestrates the download, installation, and initial configuration of the Aporeto Service.
The enforcerd is installed in the cluster through a DaemonSet. The corresponding configurations are auto-created by the Aporeto Service and include a ConfigMap, Secrets, a ReplicaSet definition for kube-squall, and a DaemonSet definition for enforcerd. The YAML bundle can only be used on a single Kubernetes cluster and can only be created by an authorized Aporeto user. The workflow for the Aporeto Enforcer installation on Kubernetes is automated, easy, and secure. The installation procedure generates a set of customised YAML files that are ready to be launched on any Kubernetes cluster. Those YAML files describe the pods required for the Aporeto solution to run, together with the certificates needed for authentication on the Aporeto system.

Feature: Network Policy with Kubernetes

There are two different modes for managing policies from Kubernetes. The chosen mode determines whether Kubernetes or Aporeto is the authority for network policy, and it can be decided per Kubernetes cluster instance:

- Kubernetes NetworkPolicy: the default, as described in this section.
- NoPolicies: in this mode, policies are created directly on Aporeto's API, and Kubernetes policies are not synced to Aporeto at all. This mode should be used if the admin wishes to use all the features available on Aporeto's backend.

Kubernetes provides a NetworkPolicy resource to define which pods in a Kubernetes cluster may connect. Kubernetes itself does not implement the enforcement of a defined NetworkPolicy; Aporeto automatically imports these definitions. When Kubernetes NetworkPolicy resources are created, updated, or deleted, the kube-squall component intercepts the API request and forwards the change to the Aporeto Service.

As mentioned in Enforcerd and the Kubernetes Pod: Policy Distribution and Contextual Identity Extraction, above, when a Kubernetes pod is created, the Aporeto enforcerd component downloads the appropriate policy based on the extracted contextual identity related to the pod. For example, the Aporeto network policy in Figure 4, above, corresponds to the following Kubernetes NetworkPolicy definition:

Figure 6: Sample Kubernetes NetworkPolicy definition that corresponds to the Aporeto network policy in Figure 4

While Kubernetes network policy is generally used to express intended connectivity within a single Kubernetes cluster, Aporeto can secure network access between pods across multiple Kubernetes clusters if the Kubernetes administrator can coordinate label usage (see Feature: Aporeto namespace management for Kubernetes, below, for more information).
Feature Option: Aporeto Policy for Capabilities Outside of Kubernetes

Kubernetes NetworkPolicy does not support the following features:

- Explicit deny of source and/or destination
- Connection logging
- Encryption

If any of this functionality is desired for Kubernetes pods, use NoPolicies mode instead of Kubernetes NetworkPolicy mode. Remember that, per Kubernetes instance, Kubernetes NetworkPolicy mode and NoPolicies mode are mutually exclusive. To prevent conflicts, NetworkPolicy definitions that are imported from Kubernetes cannot be overridden in Aporeto.

Figure 7: Configuration of actions for connection attempts that match source and target Tags in the Aporeto web interface

The ability of Aporeto to automatically import and apply Kubernetes NetworkPolicy definitions gives Kubernetes users a familiar YAML interface for declaring intent for allowed network connections between Kubernetes pods in the same or multiple clusters, external services, and non-Kubernetes compute platforms (e.g. Docker, Linux). Depending on the security need, Aporeto is flexible with network policy: administrators can use Kubernetes NetworkPolicy, Aporeto network policy, or both.

Kubernetes Namespace Mapping and Hierarchical Management in Aporeto

A Kubernetes namespace is a virtual cluster context for running Kubernetes pods/containers and for scoping Kubernetes features such as resources, role-based access control, and network policy. Enterprises may also use Kubernetes namespaces to separate business units, applications, etc. An Aporeto namespace is a security context for Enforcer node registration, network policy, monitoring/visualization, and authorization of actions.

When a Kubernetes cluster is added to the Aporeto security domain (by installation and registration of the Enforcer package), the Kubernetes cluster is represented as a sub-namespace of an Aporeto account user's namespace, with the Kubernetes namespaces mapped underneath that sub-namespace.
Figure 8A: Sample Kubernetes cluster and namespace mapping in Aporeto for the aporeto user account/namespace

While the Kubernetes namespace domain is the Kubernetes cluster, the Aporeto namespace domain can be composed of multiple Kubernetes clusters, and in a heterogeneous compute platform environment it can also include Linux and Docker clusters. The Aporeto namespace is hierarchical, allowing for layered access and policy control. For example, the entire enterprise can be represented at the Aporeto root namespace /, which can contain enterprise-wide network policy, such as allowing company-wide access to DNS servers. First-level namespaces can represent company organizations (e.g. /prod and /qa) and can inherit policies as well as have policies specific to the organization. Using a combination of labels, namespaces, and policy in an Aporeto hierarchical namespace structure, enterprise administrators, developers, and security teams can intelligently define security policy with layered control.

Securing Multiple Kubernetes Clusters with Aporeto

Aporeto secures environments with multiple Kubernetes clusters. In Aporeto, each Kubernetes cluster is mapped to its own namespace within an Aporeto user account namespace. The Aporeto namespace hierarchy and contextual identity for application services allow for flexible configurations based on the organizational security needs. Kubernetes scopes application labels to a single cluster, but since Aporeto carries application labels into the data path, your application labels can have meaning for your entire organization, including across multiple Kubernetes clusters.

Example Configuration: Separating Multiple Instances of Applications by Cluster

In this example, each instance of app1 service1 connects to its respective service2, and we want to make sure each service1 does not connect to the service2 in the other cluster. In Aporeto, this network policy and labels can be specified as:

IF the source has namespace=k8s-1, app=app1, role=service1
AND IF the destination has namespace=k8s-1, app=app1, role=service2
THEN permit the connection
(repeat for k8s-2)

Figure 8B: Separating application services by Kubernetes cluster

Example Configuration: Separating Services by Application and Service Names

In this example, service types are separated by cluster. Perhaps service2 has a high-performance data store need that is only accessible from Kubernetes cluster k8s-2. Service1 might be web frontend applications that, based on routing needs, are best hosted in Kubernetes cluster k8s-1. As with the previous example, we want to keep app1 and app2 separated, even though the application services are not only distributed but require separation across multiple clusters. In this case, the cluster name can be dropped, unless the app and role labels might be used in another organization or cluster. In Aporeto, this network policy and labels can be specified as:

IF the source has app=app1, role=service1
AND IF the destination has app=app1, role=service2
THEN permit the connection
(repeat for app2)

Figure 8C: Separating application services by application
Example Configuration: External Services Definition in Aporeto

In both of these examples, network policy items that are common to child namespaces can be expressed in the parent namespace. For example, a common external DNS service (external to the Kubernetes cluster) that should be accessed by services in k8s-1 and k8s-2 can be allowed via a network policy rule at the parent /my-organization namespace. This must be specified as an Aporeto rule rather than a Kubernetes rule, as an external DNS service cannot be expressed in Kubernetes network policy selector labels, but Aporeto can represent an external service as a combination of an IP address and an Aporeto label.

Figure 8D: Example external service definition in Aporeto

With this external services definition, we can allow access to the external DNS server from any point in our hierarchical namespace structure, and can refer to the external service like any other identified service protected by Aporeto. In this example, we can allow access from services to role=externaldns to permit DNS access from services in Kubernetes clusters k8s-1 and k8s-2. Both ingress and egress traffic between application services hosted in Kubernetes and services external to the Kubernetes cluster can be controlled by Aporeto in this manner. The Aporeto hierarchical namespace, label definition, and external service access control give administrators flexible, layered control over the Aporeto domain.

When to use Aporeto Network Policy versus Kubernetes Network Policy

In some Aporeto security workflows, the Kubernetes object definition structure may not be sufficient to express security intent. For example, to set the application service network policy corresponding to a Kubernetes namespace to default-deny, the admin sets an annotation on the namespace. Two other features are even further removed: there's currently no facility in the Kubernetes namespace or network policy resources to require connection logging and encryption.

For these cases, instead of importing a Kubernetes network policy, a network policy that requires connection logging or encryption can be defined in an Aporeto rule. Aporeto network policy and Kubernetes network policy can co-exist in an Aporeto environment.
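To make the Tag-and-namespace policy model concrete (the NetworkPolicy import of Figure 6 and the k8s-1/k8s-2 and external DNS examples of Figures 8B to 8D), here is an added, constructed Python model of that evaluation; it is not Aporeto's or kube-squall's code, and it assumes a simplified semantics: a rule defined in a namespace applies to the whole subtree beneath it, a rule matches when every listed Tag is present on the source and destination, explicit deny wins over permit, and the default is deny (Zero Trust) or allow (Design Mode). The /my-organization namespace paths, the namespace=<cluster> Tag and the DNS address 192.0.2.53 are constructed sample values.

```python
"""Constructed model of Tag-based, hierarchically scoped network policy.
Illustration only: not Aporeto or Kubernetes code; semantics are simplified."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    namespace: str      # Aporeto namespace path, e.g. "/my-organization/k8s-1"
    tags: frozenset     # "key=value" Tags, e.g. {"app=app1", "role=service1"}


@dataclass(frozen=True)
class Rule:
    namespace: str          # namespace the rule is defined in; covers its subtree
    source: frozenset       # every listed Tag must be present on the source
    destination: frozenset  # every listed Tag must be present on the destination
    action: str = "permit"  # "permit" or "deny"


def tags(**kv):
    return frozenset(f"{k}={v}" for k, v in kv.items())


def in_subtree(rule_ns, svc_ns):
    """A rule in a parent namespace covers services in its child namespaces."""
    return svc_ns == rule_ns or svc_ns.startswith(rule_ns.rstrip("/") + "/")


def rule_matches(rule, src, dst):
    return (in_subtree(rule.namespace, src.namespace)
            and in_subtree(rule.namespace, dst.namespace)
            and rule.source <= src.tags
            and rule.destination <= dst.tags)


def decide(rules, src, dst, design_mode=False):
    """Zero Trust posture: deny unless a permit rule matches, and an explicit
    deny always wins. Design Mode: allow everything except explicit denies."""
    hits = [r for r in rules if rule_matches(r, src, dst)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    if any(r.action == "permit" for r in hits):
        return "permit"
    return "permit" if design_mode else "deny"


def rules_from_network_policy(policy, cluster):
    """Translate a Kubernetes NetworkPolicy dict (podSelector plus ingress
    'from' podSelector peers only; no namespaceSelector/ipBlock) into Tag rules
    scoped to the cluster's namespace. Assumption: labels become Tags and a
    namespace=<cluster> Tag is added to both ends, as in Figure 8B."""
    cluster_ns = f"/my-organization/{cluster}"
    spec = policy["spec"]
    dst = tags(**spec["podSelector"]["matchLabels"]) | tags(namespace=cluster)
    rules = []
    for ingress in spec.get("ingress", []):
        for peer in ingress.get("from", []):
            src = tags(**peer["podSelector"]["matchLabels"]) | tags(namespace=cluster)
            rules.append(Rule(cluster_ns, src, dst))
    return rules


# Constructed sample: a NetworkPolicy of the shape the guide's Figure 6 describes
# (service2 pods may connect to service1 pods of the same app).
SAMPLE_NETWORK_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "app1-service1-ingress", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "app1", "role": "service1"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [
            {"podSelector": {"matchLabels": {"app": "app1", "role": "service2"}}}
        ]}],
    },
}

RULES = (
    rules_from_network_policy(SAMPLE_NETWORK_POLICY, "k8s-1")
    + rules_from_network_policy(SAMPLE_NETWORK_POLICY, "k8s-2")
    # Figure 8D style: external DNS, defined once in the parent namespace (IP + Tag).
    + [Rule("/my-organization", tags(app="app1"), tags(role="externaldns"))]
)


def service(name, cluster, **labels):
    return Service(name, f"/my-organization/{cluster}", tags(namespace=cluster, **labels))


S1_K1 = service("app1service1", "k8s-1", app="app1", role="service1")
S2_K1 = service("app1service2", "k8s-1", app="app1", role="service2")
S2_K2 = service("app1service2", "k8s-2", app="app1", role="service2")
SOME = service("someservice", "k8s-1")          # no policy-matching labels
DNS = Service("external-dns", "/my-organization", tags(role="externaldns", ip="192.0.2.53"))

if __name__ == "__main__":
    for src, dst in [(S2_K1, S1_K1), (S2_K2, S1_K1), (SOME, S1_K1), (S2_K2, DNS)]:
        print(f"{src.namespace}/{src.name} -> {dst.namespace}/{dst.name}: "
              f"{decide(RULES, src, dst)}")
```

Running it shows the same-cluster service2 permitted, the cross-cluster service2 and the unlabelled someservice denied, and DNS reachable from either cluster through the single parent-namespace rule.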
Subfeature: Aporeto Namespace Audit Logs

Aporeto logs every major Aporeto object create, read, update, and delete (CRUD) operation, allowed and denied, in the Audit Logs. When a change is made, Aporeto displays the differences in an audit log entry. This logging can be used as part of configuration change management (providing evidence of access and compliance) and forensic analysis (for example, determining what policy changes prevented network access between two particular services in a Kubernetes cluster).

Figure 9: A sample Aporeto audit log entry showing the update of a Processing Unit

Feature: Other Identity Types that can be Used with Kubernetes

Time of Day

Policies in Aporeto can be qualified by time of day. For example, you might have a Kubernetes service to which you want to allow access from other services only during working hours/days.

Amazon Web Services (AWS) Tags

In addition to standard Aporeto system Tags, as well as user-specific Tags from a container compute platform, Aporeto provides these AWS-specific Tags for EC2 instances:

- AWS Region, AWS Availability Zone
- AWS Image ID, AMI launch index
- Local IPv4 address, MAC address, AWS Hostname
- AWS Instance Action, Reservation ID, Version, architecture

Any of these can be used as source or destination Tags for connections to application services in an Aporeto-protected Kubernetes cluster.

Linux Tags

For Linux processes connecting to/from application services hosted on Kubernetes, these Linux-related Tags can be used:

- Linux user name
- Binary checksum
- Library dependencies

If the automatically extracted identity or the identity mechanisms of compute platforms (e.g. cloud, Docker, or Kubernetes labels) are insufficient, developers can write code for a generic Aporeto plugin to connect with any 3rd party service and define application identity however needed. As a usable example of extensible identity, Aporeto provides an integration with the CoreOS Clair image vulnerability scanner. Aporeto matches the image with the results of the static image vulnerability scanner and automatically creates Aporeto Tags that can be used in policy to re-map Processing Units to other namespaces and/or effect changes to access by network policy.
Figure 10, below, depicts a Processing Unit with image vulnerability Tags.

Figure 10: External vulnerability image scanner results as Aporeto Tags

Feature: Flow Visibility and Network Policy Suggestions

Run Aporeto in Design Mode to Observe your Current Service Network Flows

Design Mode sets the default network policy in a namespace to allow all, except for any explicitly defined Deny policies. Design Mode distinguishes between flows with and without policy as solid and dashed lines, respectively. Figure 11 shows a zoomed-in view of 2 applications running in multiple Kubernetes clusters hosted on multiple cloud providers.

Figure 11: Aporeto Design Mode observation of multiple Kubernetes clusters in the multicloud

Create network policy based on the desired security posture and application attributes.

In Design Mode, flows with policy are represented as solid lines, while flows without policy are represented as dashed lines.

Turn off Design Mode for a Zero Trust posture: only traffic with policy is permitted.
View Contextual Identity that's already Part of your CI/CD Pipeline

Following up on the multiple Kubernetes clusters example above, you can click on one of the Processing Units (the name Aporeto gives to all monitored services, regardless of platform), per Figure 12, to see what identity is already part of your applications.

Figure 12: Aporeto detailed view of the contextual identity of a Kubernetes pod

The Aporeto Tags for each service are derived from the compute platform during container creation and from live state (e.g. $operationalstatus). As expected from a cloud-native system, this information is also available via Aporeto API endpoints. Some of these Tags are derived from user input to the compute platform. In this example, the app and role Tags came from a Kubernetes pod definition (see Figure 13, below).

Figure 13: Kubernetes YAML definition for the backend pod of the Aporeto demonstration lab

Aporeto can Suggest a Network Policy for your Current Flows

Aporeto can show you your application service flows, but how can you start with Aporeto network access policy definitions? With a click of a button in the Aporeto permissive view, we can suggest a policy based on observed traffic flows and the contextual identity detected by the Aporeto Enforcer nodes that are watching your applications.

Figure 14: Aporeto can automatically recommend a network access policy for your applications

For example, we want frontend services in each cluster to be able to communicate only with their local backend services. Our suggestion for this narrowed observed-flows view picks the Tags for source and destination services that are unique to the observed flows. If this is too specific or not specific enough, you can edit these prior to policy creation. Network access policies in Aporeto are automatically pushed to Aporeto Enforcer nodes in the same namespace. Figure 15, below, shows permitted and denied flows after adding the suggested Aporeto policy.

Figure 15: Use an Aporeto network policy to restrict access between your application services

Conclusion

In summary, Aporeto offers the following capabilities to help developers, DevOps and security teams achieve continuous deployment of applications with compliance:

1. Security policies operate independently of infrastructure, allowing policy governance in cross-cluster and heterogeneous deployments.
2. Visibility of application flows across clusters and heterogeneous environments to prove compliance.
3. Security policies are defined as code, allowing version control and automation.

All of these capabilities rely on service identity, which is abstracted from infrastructure and independent of IP addresses.

For more information, visit:
More informationCONTAINERS AND MICROSERVICES WITH CONTRAIL
CONTAINERS AND MICROSERVICES WITH CONTRAIL Scott Sneddon Sree Sarva DP Ayyadevara Sr. Director Sr. Director Director Cloud and SDN Contrail Solutions Product Line Management This statement of direction
More informationTEN LAYERS OF CONTAINER SECURITY
TEN LAYERS OF CONTAINER SECURITY A Deeper Dive 2 WHAT ARE CONTAINERS? It depends on who you ask... INFRASTRUCTURE APPLICATIONS Sandboxed application processes on a shared Linux OS kernel Simpler, lighter,
More informationASP.NET Core & Docker
ASP.NET Core & Docker From 0 to Azure in 75 minutes Marco De Sanctis Visual Studio and Development Technologies MVP info@marcodesanctis.it @crad77 What s Docker and why should I care ASP.NET Core & Docker
More informationCPM. Quick Start Guide V2.4.0
CPM Quick Start Guide V2.4.0 1 Content 1 Introduction... 3 Launching the instance... 3 CloudFormation... 3 CPM Server Instance Connectivity... 3 2 CPM Server Instance Configuration... 4 CPM Server Configuration...
More informationAn Introduction to Kubernetes
8.10.2016 An Introduction to Kubernetes Premys Kafka premysl.kafka@hpe.com kafkapre https://github.com/kafkapre { History }???? - Virtual Machines 2008 - Linux containers (LXC) 2013 - Docker 2013 - CoreOS
More informationDisclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
CNA1612BU Deploying real-world workloads on Kubernetes and Pivotal Cloud Foundry VMworld 2017 Fred Melo, Director of Technology, Pivotal Merlin Glynn, Sr. Technical Product Manager, VMware Content: Not
More informationEfficiently exposing apps on Kubernetes at scale. Rasheed Amir, Stakater
Efficiently exposing apps on Kubernetes at scale Rasheed Amir, Stakater Problem Kubernetes runs container workloads in Pods... but these are not automatically accessible outside the cluster What options
More informationSymantec Endpoint Protection Family Feature Comparison
Symantec Endpoint Protection Family Feature Comparison SEP SBE SEP Cloud SEP Cloud SEP 14.2 Device Protection Laptop, Laptop Laptop, Tablet Laptop Tablet & & Smartphone Smartphone Meter Per Device Per
More informationReference Guide Revision B. McAfee Cloud Workload Security 5.0.0
Reference Guide Revision B McAfee Cloud Workload Security 5.0.0 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee
More informationLeveraging the Serverless Architecture for Securing Linux Containers
Leveraging the Serverless Architecture for Securing Linux Containers Nilton Bila, Paolo Dettori, Ali Kanso, Yuji Watanabe*, Alaa Youssef IBM T.J. Watson Research Center New York *IBM Research - Tokyo,
More informationContainer Deployment and Security Best Practices
Container Deployment and Security Best Practices How organizations are leveraging OpenShift, Quay, and Twistlock to deploy, manage, and secure a cloud native environment. John Morello CTO Twistlock Dirk
More informationDEPLOY MODERN APPS WITH KUBERNETES AS A SERVICE
SOLUTION OVERVIEW DEPLOY MODERN APPS WITH KUBERNETES AS A SERVICE Cut Costs and Control Access with VMware Cloud PKS Digital transformation, the Internet of things, the growing popularity of public clouds,
More informationNGINX: From North/South to East/West
NGINX: From North/South to East/West Reducing Complexity with API and Microservices Traffic Management and NGINX Plus Speakers: Alan Murphy, Regional Solution Architect, APAC September, 2018 About NGINX,
More informationA10 HARMONY CONTROLLER
DATA SHEET A10 HARMONY CONTROLLER AGILE MANAGEMENT, AUTOMATION, ANALYTICS FOR MULTI-CLOUD ENVIRONMENTS PLATFORMS A10 Harmony Controller provides centralized agile management, automation and analytics for
More informationEnabling Multi-Cloud with Istio Stretching an Istio service mesh between Public & Private Clouds. John Joyce Robert Li
Enabling Multi-Cloud with Istio Stretching an Istio service mesh between Public & Private Clouds John Joyce Robert Li Introduction Extending an Application across Multiple Clouds Public Cloud microservice
More informationContainer Orchestration on Amazon Web Services. Arun
Container Orchestration on Amazon Web Services Arun Gupta, @arungupta Docker Workflow Development using Docker Docker Community Edition Docker for Mac/Windows/Linux Monthly edge and quarterly stable
More informationCLOUD WORKLOAD SECURITY
SOLUTION OVERVIEW CLOUD WORKLOAD SECURITY Bottom line: If you re in IT today, you re already in the cloud. As technology becomes an increasingly important element of business success, the adoption of highly
More informationRed Hat CloudForms 4.6
Red Hat CloudForms 4.6 Integration with OpenShift Container Platform Adding Red Hat OpenShift Container Platform (with Metrics Enabled) as a Container Provider Last Updated: 2018-05-18 Red Hat CloudForms
More informationBoF: Grafeas Using Artifact Metadata to Track and Govern Your Software Supply Chain
BoF: Grafeas Using Artifact Metadata to Track and Govern Your Software Supply Chain Wendy Dembowski, Staff Software Engineer, Google Stephen Elliott, Product Manager, Google Why are these questions so
More informationDevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY
DevOps Anti-Patterns Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! 31 Anti-Pattern: Throw it Over the Wall Development Operations 32 Anti-Pattern: DevOps Team Silo
More informationKubernetes introduction. Container orchestration
Kubernetes introduction Container orchestration Container Orchestration Why we need container orchestration? Restart containers if they are not healthy. Provide private container network. Service discovery.
More informationCisco Tetration Analytics
Cisco Tetration Analytics Enhanced security and operations with real time analytics John Joo Tetration Business Unit Cisco Systems Security Challenges in Modern Data Centers Securing applications has become
More informationTenable.io User Guide. Last Revised: November 03, 2017
Tenable.io User Guide Last Revised: November 03, 2017 Table of Contents Tenable.io User Guide 1 Getting Started with Tenable.io 10 Tenable.io Workflow 12 System Requirements 15 Scanners and Agents 16 Link
More informationOpenShift Dedicated 3 Release Notes
OpenShift Dedicated 3 Release Notes Last Updated: 2018-05-17 OpenShift Dedicated 3 Release Notes Legal Notice Copyright 2018 Red Hat, Inc. The text of and illustrations in this document are licensed by
More informationgcp / gke / k8s microservices
gcp / gke / k8s microservices managing microservices with kubernetes 08.17.2016 Austin GCPUG Lou Scalpati CTO RxWiki microservices What are Microservices generally REST APIs returning json organized around
More informationRED HAT QUAY. As part of OCP Architecture Workshop. Technical Deck
RED HAT QUAY As part of OCP Architecture Workshop Technical Deck What Is Quay? Market leading enterprise container registry Available on-premise, on public cloud and as a hosted service (SaaS) RED HAT
More informationCisco Tetration Analytics Demo. Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH
Cisco Tetration Analytics Demo Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH Agenda Introduction Theory Demonstration Innovation Through Engineering
More informationPexip Infinity and Amazon Web Services Deployment Guide
Pexip Infinity and Amazon Web Services Deployment Guide Contents Introduction 1 Deployment guidelines 2 Configuring AWS security groups 4 Deploying a Management Node in AWS 6 Deploying a Conferencing Node
More informationCisco CloudCenter Use Case Summary
Cisco CloudCenter Use Case Summary Overview IT organizations often use multiple clouds to match the best application and infrastructure services with their business needs. It makes sense to have the freedom
More informationTechnical Brief Distributed Trusted Computing
Technical Brief Distributed Trusted Computing Josh Wood Look inside to learn about Distributed Trusted Computing in Tectonic Enterprise, an industry-first set of technologies that cryptographically verify,
More informationThis document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and
Download the App to download the TIBCO NOW App visit now.tibco.com/2018/mobile-app 2 Mashery Local The Cloud Native API Platform for your Unique Environment Beerinder Rodey - Product Murty Gurajada - Senior
More informationKubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,
Kubernetes An open platform for container orchestration Johannes M. Scheuermann Karlsruhe, 30.08.2017 Johannes M. Scheuermann Cloud Platform Engineer @ inovex Software-Defined Datacenters Infrastructure
More informationIdentity Management and Compliance in OpenShift
Identity Management and Compliance in OpenShift Or Use DevOps to Make Your Auditors and Suits Happy Marc Boorshtein CTO, Tremolo Security Ellen Newlands Senior Security Product Manager, Cloud Business
More informationForeScout Amazon Web Services (AWS) Plugin
ForeScout Amazon Web Services (AWS) Plugin Version 1.1.1 and above Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic Segmentation
More informationNote: Currently (December 3, 2017), the new managed Kubernetes service on Azure (AKS) does not yet support Windows agents.
Create a Hybrid Kubernetes Linux/Windows Cluster in 7 Easy Steps Azure Container Service (ACS) makes it really easy to provision a Kubernetes cluster in Azure. Today, we'll walk through the steps to set
More informationCogniFit Technical Security Details
Security Details CogniFit Technical Security Details CogniFit 2018 Table of Contents 1. Security 1.1 Servers........................ 3 1.2 Databases............................3 1.3 Network configuration......................
More informationHALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.
HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD Automated PCI compliance anytime, anywhere. THE PROBLEM Online commercial transactions will hit an estimated
More informationQualys Cloud Platform
18 QUALYS SECURITY CONFERENCE 2018 Qualys Cloud Platform Looking Under the Hood: What Makes Our Cloud Platform so Scalable and Powerful Dilip Bachwani Vice President, Engineering, Qualys, Inc. Cloud Platform
More informationebook ADVANCED LOAD BALANCING IN THE CLOUD 5 WAYS TO SIMPLIFY THE CHAOS
ebook ADVANCED LOAD BALANCING IN THE CLOUD 5 WAYS TO SIMPLIFY THE CHAOS Introduction Load balancing isn t just about managing traffic anymore. As your infrastructure expands to include applications in
More informationDevOps Technologies. for Deployment
DevOps Technologies for Deployment DevOps is the blending of tasks performed by a company's application development and systems operations teams. The term DevOps is being used in several ways. In its most
More informationRed Hat Quay 2.9 Deploy Red Hat Quay on OpenShift
Red Hat Quay 2.9 Deploy Red Hat Quay on OpenShift Deploy Red Hat Quay on OpenShift Last Updated: 2019-03-11 Red Hat Quay 2.9 Deploy Red Hat Quay on OpenShift Deploy Red Hat Quay on OpenShift Legal Notice
More informationOpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers
OpenShift 3 Technical Architecture Clayton Coleman, Dan McPherson Lead Engineers Principles The future of *aas Redefine the Application Networked components wired together Not just a web frontend anymore
More informationConfiguring AWS for Zerto Virtual Replication
Configuring AWS for Zerto Virtual Replication VERSION 1 MARCH 2018 Table of Contents 1. Prerequisites... 2 1.1. AWS Prerequisites... 2 1.2. Additional AWS Resources... 3 2. AWS Workflow... 3 3. Setting
More informationAutomating Security Practices for the DevOps Revolution
Automating Security Practices for the DevOps Revolution Hari Srinivasan Director Product Management, Cloud and Virtualization Security Qualys Inc. 1 Qualys, Inc. 2018 Agenda Transformation of today s IT
More informationAmazon Web Services (AWS) Solutions Architect Intermediate Level Course Content
Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content Introduction to Cloud Computing A Short history Client Server Computing Concepts Challenges with Distributed Computing Introduction
More informationRed Hat Roadmap for Containers and DevOps
Red Hat Roadmap for Containers and DevOps Brian Gracely, Director of Strategy Diogenes Rettori, Principal Product Manager Red Hat September, 2016 Digital Transformation Requires an evolution in... 2 APPLICATIONS
More informationGrowth of Docker hub pulls
millions 6000 Growth of Docker hub pulls 5000 5000 4000 3000 2000 2000 1000 300 800 1200 0 May-15 Jun-15 Jul-15 Aug-15 Sep-15 2016 A Highly Complex Ecosystem Security challenges of container opera3ons
More informationAWS Reference Design Document
AWS Reference Design Document Contents Overview... 1 Amazon Web Services (AWS), Public Cloud and the New Security Challenges... 1 Security at the Speed of DevOps... 2 Securing East-West and North-South
More informationOpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift
OpenShift Roadmap Enterprise Kubernetes for Developers Clayton Coleman, Architect, OpenShift What Is OpenShift? Application-centric Platform INFRASTRUCTURE APPLICATIONS Use containers for efficiency Hide
More informationCisco Application Policy Infrastructure Controller Data Center Policy Model
White Paper Cisco Application Policy Infrastructure Controller Data Center Policy Model This paper examines the Cisco Application Centric Infrastructure (ACI) approach to modeling business applications
More informationBuilding a Modular and Scalable Virtual Network Architecture with Amazon VPC
Building a Modular and Scalable Virtual Network Architecture with Amazon VPC Quick Start Reference Deployment Santiago Cardenas Solutions Architect, AWS Quick Start Reference Team August 2016 (revisions)
More informationCoreOS and Red Hat. Reza Shafii Joe Fernandes Brandon Philips Clayton Coleman May 2018
CoreOS and Red Hat Reza Shafii Joe Fernandes Brandon Philips Clayton Coleman May 2018 Combining Industry Leading Container Solutions RED HAT QUAY REGISTRY ETCD PROMETHEUS RED HAT COREOS METERING & CHARGEBACK
More informationRunning MarkLogic in Containers (Both Docker and Kubernetes)
Running MarkLogic in Containers (Both Docker and Kubernetes) Emma Liu Product Manager, MarkLogic Vitaly Korolev Staff QA Engineer, MarkLogic @vitaly_korolev 4 June 2018 MARKLOGIC CORPORATION Source: http://turnoff.us/image/en/tech-adoption.png
More informationHow-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018
How-to Guide: Tenable Nessus for Microsoft Azure Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable Nessus for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment
More informationCode: Slides:
Workshop Resources Code: https://github.com/beekpr/public-workshops Slides: https://tinyurl.com/yc2uo3wk Make sure minikube and kubectl is setup (labs/1-setup-cluster.md has some instructions) Kubernetes
More informationHow Security Policy Orchestration Extends to Hybrid Cloud Platforms
How Security Policy Orchestration Extends to Hybrid Cloud Platforms Reducing complexity also improves visibility when managing multi vendor, multi technology heterogeneous IT environments www.tufin.com
More informationIBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights
IBM Secure Proxy Advanced edge security for your multienterprise data exchanges Highlights Enables trusted businessto-business transactions and data exchange Protects your brand reputation by reducing
More informationWho done it: Gaining visibility and accountability in the cloud
Who done it: Gaining visibility and accountability in the cloud By Ryan Nolette Squirrel Edition $whoami 10+ year veteran of IT, Security Operations, Threat Hunting, Incident Response, Threat Research,
More informationDOCAVE ONLINE. Your Cloud. Our SaaS. A Powerful Combination. Online Services. Technical Overview ADMINISTRATION BACKUP & RESTORE
Online Services Technical Overview DOCAVE ONLINE Your Cloud. Our SaaS. A Powerful Combination. ADMINISTRATION Centralized Management Manage SharePoint Online security, settings, configurations, and content
More informationService Mesh and Microservices Networking
Service Mesh and Microservices Networking WHITEPAPER Service mesh and microservice networking As organizations adopt cloud infrastructure, there is a concurrent change in application architectures towards
More information