KubeCon + CloudNativeCon North America 2019

Onboarding development teams can often be the critical point in determining if a team will adopt modern Cloud Native and DevSecOps practices. If there is too much friction for developers to build, scan, and test their applications or to secure their application environments then these best practices are often pushed aside. In this talk we’ll cover how we automated the creation of a trusted software supply chain. Through a live demonstration, we will show how this approach accelerates adoption by allowing developers to inherit a preconfigured pipeline performing various security tests (and underlying tooling) as well as safeguards (via the CNCF Sandbox project Falco) put in place to monitor production workloads for security problems.

Open Policy Agent is built to be used as a library in other tools and there are already several open source projects using OPA as generic policy engine. This is powerful because it allows end users to invest in one use case, and reuse some of the same knowledge and tools, especially the Rego data assertion language, to solve other adjacent problems.

In this talk we will look at applying Open Policy Agent tools throughout the application lifecycle. We’ll explore:

* Writing unit tests for Kubernetes configuration (and Helm charts) using Conftest
* Defining a CI pipeline in code, and testing that using OPA
* Gating deployments to the cluster using Gatekeeper
* Auditing the cluster for security best practices, by porting the Kubesec ruleset to Rego
* Porting pod security policies to OPA
* Writing unit tests for the Rego policy code we wrote above

Kubernetes has taken a key role at CERN both for physics analysis and core IT services, simplifying and accelerating deployments and allowing a much higher rate of updates and upgrades.

This session will describe how helm is used for managing the description and configuration of the services. How CERN uses chartmuseum to maintain its private chart repositories, and how a custom plugin is used to manage secrets in the configuration, safely pushing encrypted payloads into git repositories. How a well defined structure of umbrella charts (sometimes referred to as meta charts) is used to define high level applications with complex dependencies, and how the notion of service variants and environments is exposed.

A demo will show the full gitops lifecycle for both production and canary deployments, relying on weave flux to quickly propagate changes to clusters.

Automotive industry is getting more and more digitalized. Vehicles are not only a mean of transportation, but they pursue to be the drivers' control center with multiple software components onboard. To keep pace with evolving customer expectations and the newest technological solutions, vehicle's software requires frequent updates. However, the delivery process in a scaled up environment is not straightforward. Developers and operators have to face challenges, which are unusual in the typical Cloud Native world. Even basic service deployment may be complicated due to network performance or geographical considerations. During this talk, Rafał will show how to use Kubernetes, KubeEdge, k3s, Jenkins and RSocket for building continuous deployment pipelines, which ship software directly to the car, deals with rollbacks and connectivity issues.

Tekton is a Kubernetes-native, lightweight, easy to manage CI/CD pipelines engine. Pipeline building blocks can be reused, version controlled and curated in a catalogue that embeds best practices. Tekton, hosted by the CD Foundation, aspires to be the common denominator in CI/CD. The Tekton team wanted to make sure that the project is going in the right direction by "dogfooding" i.e. by using Tekton to run its own automation "plumbing". The initial continuous integration setup embedded most of the testing pipelines in bash scripts. The speakers replaced this with Tekton, hence improving the readability of the pipelines and the reproducibility of CI runs. Eventually, they moved onto continuously delivering Tekton and its pipelines via Tekton. In this talk, the speakers will tell their experiences about using a cloud-native pipeline system to test, release and continuously deploy itself.

Serverless and Eventing are two ultra-popular areas of tech right now, describing a broad set of ideas and capabilities that can service a range of possible systems. We are told that these concepts will expand and help define the next generation of web services.

That’s all well and good, but what is really going on inside these systems? What technology do those terms rely on and what does an Eventing workflow look like under the hood? Given the complexity and size of these projects’ codebases, it can be difficult to drill down and see what’s happening on a micro scale.

Together, we will discuss, operate and modify a running distributed system built with CloudEvents and Knative Eventing. The system will be based around the concept of an automated conversation between kubernetes services.

Kubernetes Continuous Delivery methods have continued to evolve to more advanced strategies such as canary, A/B testing, and blue-green. Progressive delivery is the next step of CD, enabling service promotion for a subset of users in an automated fashion backed by metrics.

There’s no one-size-fits-all on what are the appropriate metrics to drive promotions. Often, the four golden signals (latency, traffic, errors, saturation) are used, but what if this isn’t enough? More sophisticated techniques might use algorithmic or even AI-driven analysis.
The Argo Experiment and Analysis CRDs provides simple constructs to drive automated promotion in an extensible fashion.

This session discusses how Intuit leverages experimentation and analysis, the challenges in providing an automatic but generic approach to analyzing experiments, and envisioning the future of declarative progressive delivery.

Have you ever shipped changes to a Kubernetes app and found yourself wondering what actually happened? Krane is an open-source command-line tool created to solve this problem: it helps developers, especially those who may be new to Kubernetes, deploy with confidence.

Krane translates Kubernetes’ asynchronous convergence process into a clear pass/fail result for each deploy. It detects unsuccessful rollouts and shows developers the information they need to take corrective action. Krane also helps ensure dependencies are rolled out in a sane order, it natively supports custom resources, it allows developers to run scripts as part of their deploys, and more! Come find out what Krane can do, learn how its design makes it resilient and scalable, and discover how it may help your organization provide a better developer experience for Kubernetes apps.

The expression, GitOps, has taken off and resonated in the Kubernetes community since its launch by Weaveworks in 2017. GitOps is a way to do Continuous Delivery by using git as a single source of truth for declarative infrastructure and applications.
Meet actual GitOps practitioners in this panel, hear their use cases, challenges, constraints, and which tools they use to execute GitOps. If you’ve been wanting to get started, learn from these actual solutions:

*Automated Helm-based deployments for code and infrastructure changes through Jenkins and GitLab at Palo Alto Networks
*Simplified access control for Kubernetes clusters using Weave Flux at Branch
*Flux, Terraform and Vault, oh my! Unique ways Under Armour leverages GitOps
*GitOps at Scale: Patterns and processes enabling Intuit to manage thousands of applications and repositories, across 100+ clusters using Jenkins and Argo CD

Application Deployment on K8S can be quite convoluted, especially for an organization that operates thousands of microservices. Pinterest is a visual discovery engine that serves over 250MM users.
For successful adoption of K8S, it is imperative to provide a well integrated self-serve CI/CD platform that abstracts K8S complexities & offers a simple path of migration for existing workloads. This talk will discuss how we build a Continuous Delivery system for Kubernetes at Pinterest, and how we help engineering teams to deploy and migrate their services onto Kubernetes.
Topics include:

1. Kubernetes and deployments at Pinterest
2. Introducing Hermez and the Continuous Delivery experience on K8S
3. How do we design and build the CD system, and lessons we learned
4. Our journey of onboarding and migrating services to the new CD system and K8S