Day One - Tuesday
KubeCon + CloudNativeCon Europe 2020 Virtual happened online, August 18-20. It was the first virtual KubeCon, due to the coronavirus pandemic. I was happy to attend, although this was the second straight virtual conference I’ve participated in that ran on Amsterdam time.
I did make it up for the 4 AM Pacific time start, though, and I was ready to go. As I got settled in, in front of my laptop, I knew I would be missing the hallway track a lot. The Kubernetes community is filled with a lot of amazing people, and I missed many of my friends who would have been at a physical KubeCon. But I knew there would be some great content, and I’d at least get to see some of my friends on my laptop screen.
TL;DR - If you only have time to watch a few of the talks I mention below, I definitely recommend Ian Coldwater and Brad Geesaman’s talk on Advanced Persistence Threats, Duffie Cooley’s talk Seccomp Security Profiles and You, and Holly Cummins’s day two keynote slot, How to Love Kubernetes and Not Wreck the Planet. The videos for the talks are still available to registered attendees through the conference platform, but they will be posted later on the CNCF YouTube channel.
Dawn Foster - Be a Good Corporate Citizen in Kubernetes
The first talk that I attended was from Dawn Foster, titled Be a Good Corporate Citizen in Kubernetes. Dawn is probably my oldest friend in the Kubernetes community (we worked together at Puppet and knew each other previously). She’s also an expert in Open Source community building.
There are a lot of Kubernetes contributors and maintainers who are paid by their employer for that work. Dawn’s talk focused on how to navigate that situation, which can have some tension and conflicts. She had some great tips for anyone who wants to contribute to Kubernetes.
And of course, be kind.
If you’re interested in community, I recommend watching this talk.
KubeCon is a big, multitrack conference, and the virtual version wasn’t any different. I found myself briefly getting lost in the UI, trying to find the next presentation that I wanted to attend.
Laurent Bernaille - DNS Horror Stories
Laurent works at Datadog, and his talk was filled with a lot of DNS-related head-scratchers that his team had dealt with. I love talks like this, where people dig into things that have caused them pain.
After walking through a few scenarios that his team had encountered, Laurent left us with some advice:
The day one keynotes were scheduled later in the day than usual. I think the organizers did this to give folks from the US a better shot to attend. They started with Priyanka Sharma, who mentioned something I appreciated, that virtual events are more accessible for people. The cost for me to attend a KubeCon in Europe would have been prohibitive, but the registration for this event was only $75.
Cheryl Hung talked about the importance of end-users in the Kubernetes community. She mentioned her journey into using Linux, which started at age 17. Cheryl spoke about the number of tools in the cloud native space and mentioned something I hadn’t heard about, the CNCF Technology Radar. Then Constance Caramanolis gave some project updates. She mentioned a couple I hadn’t heard of, Argo, a continuous delivery tool for Kubernetes, and TiKV, a distributed transactional key-value database. There are so many tools out there, so I appreciate getting the heads up on some newer ones.
I also really enjoyed Kris Nova and Shane Lawrence talking about Falco, a super useful looking intrusion detection tool. And Liz Rice spoke about the Technical Oversight Committee, which helps make sure there are good solutions to problems users have in the CNCF.
This tweet came across my Twitter feed during the keynotes.
One of my favorite parts of KubeCon San Diego was the group that volunteered with dogs for people to pet, and it was nice to get some virtual dogs to love. Apparently there was some sort of puppy cam as well but I didn’t end up seeing that.
Darren Shepherd - Running k3s, Lightweight Kubernetes, for the Edge and Beyond
After the keynotes, I watched Darren’s talk about k3s, a lightweight distribution of Kubernetes. Congrats to the team for k3s becoming a CNCF sandbox project. Darren mentioned that some popular use cases for k3s are dev and test environments, and things on the edge.
I didn’t know how big k3s can scale.
I’m very interested in projects like k3s and Kind that let people use Kubernetes in different ways.
I gave some advice during day one which I often give at conferences:
And I took it myself this year. I didn’t attend a talk in every slot, and I felt pretty good about that. It’s easy to get burned out at a conference, especially getting up at 4 AM.
I had a lot of fun on day one and left looking forward to the next two days.
Day Two - Wednesday
Lukas Heinrich and Alessandra Forti - Reimagining the Worldwide LHC Computing Grid on Kubernetes
I started the second day watching a talk about how CERN is using Kubernetes. A very nerdy part of me is always happy to hear about CERN. I worked at Puppet as an SRE a few years ago, and one of my favorite things was knowing CERN ran our software on a lot of machines. The project they’re working on is a grid that people spin up k8s clusters to connect to.
They had me at “millions of CPUs.” And this.
Unfortunately I had a problem reading the text on their terminals during the talk, which may have been a streaming resolution issue. But I did enjoy hearing about their grid. It’s cool to see what people do with tools at scale.
Next up were the day two keynotes.
The keynote from Holly Cummins about the impact of Kubernetes on the climate was an important talk, and one of my favorites of the conference.
Kubernetes isn’t secure by default, and namespaces don’t solve all of the security issues. So, a lot of people end up isolating apps by deploying them to their own clusters. Remember the fun of finding running VMs in your cloud infra that were provisioned years ago and aren’t being used? Well, now that’s happening, but it’s entire clusters that are being abandoned. Holly referred to them as zombie clusters. And running those zombie clusters means using fossil fuels in many cases.
Using Infrastructure as Code patterns makes it easier to provision new things, which removes some of the pressure to keep old unused clusters around.
Duffie Cooley - Seccomp Security Profiles and You: A Practical Guide
After the keynotes, my friend Duffie spoke about seccomp. I was excited to see him speak. Duffie is one of the kindest people you’ll meet, and super sharp. The Kubernetes community seems to attract a lot of people with those qualities. Duffie’s talk was super informative. I learned a lot. Rather than write up all of the details again, I will point you to my Twitter thread about the talk. I also encourage you to watch the video when it’s posted. It takes work to secure Kubernetes, and seccomp is an important tool in your toolbox. Shoutout to Jessie Frazelle for all of her work in this area.
Panel - Kubernetes and Cloud Native Security: A State of the Union
The last thing I watched on day two was a panel about Kubernetes security. I didn’t expect to watch so many security talks at KubeCon, but they kept catching my eye on the schedule. The panelists were Gareth Rushgrove, Kirsten Newcomer, Scott Coulton, and Phil Estes, and Rags Srinivas moderated. I’ve worked with Gareth in the past and saw his KubeCon talk last year about Open Policy Agent, and thought the panel lineup was great.
Unfortunately, I felt like the panel didn’t have a great flow. It felt like a bunch of random questions from the audience, and I think we could have had a more interesting conversation if it had been more structured, since the panelists brought some fantastic experience to the table. But there were some great moments. One topic that came up was the issue of Kubernetes not being secure by default.
This all tied together for me with Holly’s talk about zombie clusters.
There was also some good conversation around how you get app developers involved in security, instead of it being an afterthought.
After the talk, I saw a tweet about Kubernetes 1.20 coming.
I know a bunch of folks involved in SIG Release, and they are all awesome. Release management can be a very thankless task, and all of us who use Kubernetes owe them a lot.
Day Three - Thursday
After two straight days of waking up at 4 AM, I took my own advice and slept in a couple of hours longer. It was the right call.
I made it online for the keynotes, which started with a talk by Derek Argueta about how his team at Pinterest built a service mesh using Envoy. I really enjoyed this talk. Derek’s team implemented Envoy for ingress load balancing but ended up using it for a lot more.
When your traffic is all passing through Envoy, you can use it in many interesting ways, and get a lot of visibility into what’s happening.
I also liked Vicki Cheung’s talk about Observability.
Leigh Capili and Chris Hein - Dynamic Configuration with ComponentConfig and the Control Loop
I had seen Leigh give one of my favorite talks of KubeCon San Diego, and I was looking forward to seeing him speak with Chris. This is also a topic that interested me a lot. I spent several years of my career focused on config management. I was an SRE at Puppet and used Puppet for a few years before that.
This was a very technical talk, and honestly, a bit of it was over my head. But if the idea of dynamic config interests you, you should definitely check out the video when it’s posted. I may be watching it again too.
Ian Coldwater and Brad Geesaman - Advanced Persistence Threats: The Future of Kubernetes Attacks
This talk was very informative, and scary as well. I didn’t realize until partway through that I’d seen an earlier version of it somewhere before. It’s perhaps a credit to how good the talk is that I took so long to realize it. The talk mainly dealt with scenarios where an attacker had gained admin access to a cluster and wanted to hang around for a while. Some attackers might want to deface a web page, but some will do things like install back doors to allow them to continue to access a system without being detected.
One theme that has run through Ian’s recent talks is the idea of thinking like an attacker. When a new feature is added to Kubernetes, ask yourself how an attacker might use it to gain access to your cluster or keep that access. Much of this talk was filled with demos, and they mainly leveraged pretty well known Kubernetes tools and features.
If you have any interest in security (and I hope you do if you’re operating clusters), this is a talk you should watch.
And that was it for KubeCon Europe 2020 Virtual. I had a lot of fun and thought the organizers did a great job translating a very complex conference experience to a virtual conference. As much as I enjoyed it, though, it wasn’t a physical KubeCon. I’m very much looking forward to attending one of those again, hugging some friends, and petting some dogs. But until that’s possible, this type of event is an excellent substitute.