Past Events - Spring 2023

There are multiple components to delivering high integrity software to the cloud. Let's talk a little about security.

The cloud native ecosystem can be a difficult place to navigate. In this lightning talk, hear about 5 non-technical great ideas and programs that are being driven by the CNCF that will turbo-charge your understanding on how the cloud native ecosystem works.

“Zero trust” has become an increasingly popular topic for discussion recently – zero trust and the service mesh! zero trust and certificate management! zero trust policy enforcement! It’s all but impossible to escape serious looks at “zero trust” applied to whatever industry niche you care to imagine.

What seems to be missing is a serious look at what an entire application looks like when designed with zero trust in mind… so the KubeCrash hosts have decided to get together with an eye toward solving that. Rather than just talk in isolation about our individual pieces of the cloud native world, we’ve assembled a single application bringing everything together:

• Our application runs on Kubernetes, of course, and is agnostic to the type of cluster and CNI in use.
• Emissary-ingress is running at the edge of the cluster, providing secure access to our cluster with TLS and enforcing end-user authentication, bridging the external and internal worlds.
• Linkerd manages secure communications inside the cluster, supporting mTLS everywhere and enforcing low-level security policies to guarantee that each workload has exactly the minimal access needed.
• Cert-manager manages the many, many TLS certificates we need to be sure of identity within (and outside of) our cluster.
• Polaris keeps an eye on exactly which policies are defined, and makes sure that no one is straying from our zero-trust best practices (intentionally or otherwise).

The end result is that our application is running in an environment where every access is checked, every time, at every level of the infrastructure and the application… and at the Spring 2023 KubeCrash, we’ll be taking a deep dive into how this entire reference architecture fits together. Experts on each of the open source projects listed above will provide a deep dive not just into how the project works, but how they all work with each other and with the application. We’ll wrap up by showing how you can apply this open-source reference architecture to your own work.

Home security begins at your front door, and in the world of cloud native apps running on Kubernetes, the ingress is the door to all of your apps. Using a “defense in depth” approach to security is vital, and there are many layers to securing an ingress, from TLS, to auth/n and authz, to rate limiting and allow/deny IP lists.

This talk will focus on how zero-trust requires a secured transport layer, from user to ingress to service(s). You will learn how to acquire a TLS certificate from LetsEncrypt and configure this with JetStack’s cert-manager for use with the CNCF Emissary-ingress API gateway.

You will also walk away from the session with an understanding of, and pointers to additional resources, for further securing your Kubernetes ingress.

Zero trust requires checking every access, every time, and a service mesh is the perfect tool to make that happen everywhere within the cluster running a cloud-native application. Of course, the mesh doesn’t exist in isolation! It’s important to consider not just how the mesh can run, but also how it interacts with other areas of infrastructure and the application.

In this talk, Alex will walk you through not just how to set Linkerd up for proper mTLS, but also how Linkerd can work well with the other pieces of our demo application. You'll see Linkerd get certificate information from cert-manager and routing information from Emissary-ingress, and how to define policies that can be curated by Polaris. Finally, you'll see how the application developer can take advantage of Linkerd to find and safely fix bugs no matter where they are in the call graph, with a live demonstration of how all these pieces fit together.

cert-manager is an open source X.509 certificate controller for Kubernetes. It automates certificate issuance for Kubernetes workloads. In this demo, certificates will be used to prove the identity of the Emissary API gateway and to prove the identity of peers in an mTLS Linkerd service mesh. Thanks to cert-manager's Issuer integrations, external CAs like Vault can be used to sign these certificates.

trust-manager is another project led by the cert-manager team. It distributes and manages the trusted CA certificates in a Kubernetes cluster. In this workshop, it is used to make all Kubernetes services trust the CA that is used for Linkerd mTLS, this way we can verify the peer identity in an mTLS connection. Additionally, it can be used to quickly update what public CAs are trusted.

Polaris is an open source policy engine for Kubernetes that validates and remediates resource configuration. It includes 30+ built in configuration policies, as well as the ability to build custom policies with JSON Schema.

When building a zero-trust environment using tools like Cert-manager, Emissary-ingress, and Linkerd, there are a vast number of objects and configurations available to both cluster operators and end-users. Many of these configurations may be undesirable, or worse insecure. In this talk, Stevie will demonstrate how cluster operators can use Polaris to enforce best practices and secure configurations in your zero-trust environment.