@jnaulty
Created January 7, 2020 23:11
ODSC Kubernetes Notes 2018

Kubernetes Materials

Author: John Naulty Date: August 12, 2019

Video Notes

Hour-long Dive into Kubernetes

OSDC 2018 | Three Years Running Containers with Kubernetes in Production by Thomas Fricke

Introduction into containers and kubernetes with an emphasis on security.

Note on Author:
Will be talking at 2019 CCCamp: Lecture: Hacking Containers and Kubernetes

First 20 minutes are basic infrastructure and containers info ("the layers below").

Root Isolation

They use ROOT, which is not actually necessary

6:56
(really good example of how to pronounce ROOT in English capitalized form)

Kubernetes

20:10

3-month release cycle: a new stable major version each cycle

strictest governance of an opensource project I've seen

KUBERNETES PODS

26:43

[PODS]...live together, die together

20:17

a pod is a bunch of containers...I will talk about this in a few seconds

(but first, security) the Docker Hub-image-by-default warning

"one interesting part" statefulsets, 31:46

Design patterns for container-based distributed systems no-excuse-to-read-paper-because-its-only-six-pages ([clicker caveat], it is a random url ending in a pdf...so, up to you)

Reference to paper in video: 35:11

37:40
"PodDisruptionBudget"

How expensive to recreate on another machine

"Configuration as volumes in containers" (what we [should be doing] in devops)

39:00
DB password changes (might require a little translation regarding the violation of certain principles at 39:23 (in German))

Kubernetes Services

44:15
simplest form:
related to pods by the app selector
type (load balancer, etc.); ports can easily be exposed to the outside world (caution)
if not using a cloud provider's load balancer service, must implement it on your own
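An added example (not from the talk or this gist) that ties together three of the points above: a container that does not run as ROOT, configuration delivered as a volume from a ConfigMap, and a Service bound to the pods by the app selector, kept at ClusterIP so no port is exposed to the outside world. All names, the image reference and the config keys are placeholders chosen for illustration.

```yaml
# Added example; resource names, image and config keys are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: web-demo-config
data:
  # "Configuration as volumes": settings live here, not baked into the image.
  app.properties: |
    listen_port=8080
    log_level=info
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-demo
spec:
  selector:
    matchLabels:
      app: web-demo          # the Service below selects on this label
  template:
    metadata:
      labels:
        app: web-demo
    spec:
      securityContext:
        runAsNonRoot: true   # ROOT "is not actually necessary"
        runAsUser: 10001     # numeric UID so the kubelet can enforce the rule
      containers:
        - name: web
          image: example.invalid/web-demo:1.0   # placeholder image reference
          volumeMounts:
            - name: config
              mountPath: /etc/web-demo
      volumes:
        - name: config
          configMap:
            name: web-demo-config
---
apiVersion: v1
kind: Service
metadata:
  name: web-demo
spec:
  type: ClusterIP   # reachable only inside the cluster; LoadBalancer or
                    # NodePort would expose this port outside (the "caution")
  selector:
    app: web-demo   # "related to pods by the app selector"
  ports:
    - port: 80
      targetPort: 8080
```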

Side note: (check out Chick-fil-A at scale)

47:45

Microservice spaghetti is on its way...higher layers should only use the lower layers

Ending Notes

Mindset change

Points the crowd to the 12-factor app for microservice compliance; exclaims these are the 12 commandments

You pay a price for anything you violate here

End Notes

pay attention to lifecycle maintenance

G10 Compliance? Every connection must be encrypted, by an HSM under their control (using HashiCorp Vault)

Change code in config maps (for machine learning, but also applicable to other places)

Securing Kubernetes

Great Audit

Trail of Bits and Atredis Partners, in collaboration with the Security Audit Working Group, have released the following documents which detail their assessment of Kubernetes security posture and their findings.

security audit working group

Official Docs

Kubernetes Release Cycle

kubeadm-release-cycle
