KubeCon + CloudNativeCon North America 2019

Within Verizon IT we manage multiple multi-tenant Kubernetes clusters across on-prem and multiple clouds hosting hundreds of applications. Containers, Kubernetes, and cloud-native are central pillars: both for our application modernization strategy, and for our north star architecture. However we operate in a highly regulated environment, and our security posture is such that our developers are not permitted to run tools locally that might be considered essential to deliver on this strategy: Docker and Minikube! In this talk we will candidly discuss how we are evolving the developer experience in this space, despite the security constraints, leveraging open source tooling such as Skaffold, Harbor, Kaniko, and Jib.

Open Policy Agent is built to be used as a library in other tools and there are already several open source projects using OPA as generic policy engine. This is powerful because it allows end users to invest in one use case, and reuse some of the same knowledge and tools, especially the Rego data assertion language, to solve other adjacent problems.

In this talk we will look at applying Open Policy Agent tools throughout the application lifecycle. We’ll explore:

* Writing unit tests for Kubernetes configuration (and Helm charts) using Conftest
* Defining a CI pipeline in code, and testing that using OPA
* Gating deployments to the cluster using Gatekeeper
* Auditing the cluster for security best practices, by porting the Kubesec ruleset to Rego
* Porting pod security policies to OPA
* Writing unit tests for the Rego policy code we wrote above

Disk speed screeches to a crawl, packets get dropped, connections time out: welcome to the cloud! Most of the time the cloud "just works", but when it doesn’t, how does Kubernetes and etcd handle failure? In this talk Micah will discuss considerations for building and configuring cloud native systems for failure including how Amazon EKS’s architecture and design accounts for outages and dependency failures. Micah will also cover and lessons learned from managing lots and lots of Kubernetes and etcd for customers around the world.

Admission (mutating and validating) webhooks have become popular mechanisms for extending Kubernetes API request admission. The admission webhook API is graduating GA in Kubernetes 1.16, where new features are introduced and debuggability improvements are made. In this talk, the audience will learn common pitfalls in admission webhook development, best practices in webhook configuration, and how to identify and debug failures caused by misconfigured or buggy admission webhooks.

Virtually every organization over a certain size wants to be able to share their clusters between different sets of users. As a result, the Multi-tenancy Working Group is seeing increasingly high demand for higher-level features to support Kubernetes multi-tenancy. Unfortunately, each organization has different and often unspoken assumptions about what tenancy means to them, so different use cases and needs often get conflated. In this discussion, our panelists will share their proposals for the principles of multi-tenancy, according to both the type of concerns (control plane vs data plane) as well as the type of tenants (such as dev teams, production teams and third-party users).

Please bring your laptop fully charged as we will have limited charging stations available in the room.

A deep-dive on GitOps which will help you, even if you only have minimal GitOps experience, to get a total understanding of everything GitOps.

Firstly you’ll get an introduction into what is GitOps and it’s key benefits, then we’ll walk through foundational techniques, such as tools and strategies, then we’ll take it to the next level with advanced techniques and best practices. Finally, you’ll get a chance to get your hands dirty with an accelerated GitOps lab.

Parts:

- Introduction
- Foundations
- Advanced Techniques
- Hands On Argo CD Lab

Prerequisites:
Audience members should be familiar with core Kubernetes concepts, as well as comfortable using Git. Those interested in the lab should have a laptop with git and minikube installed.

What to Bring:  A laptop on which you can clone and push code to github.com

Please bring your laptop fully charged as we will have limited charging stations available in the room.

How can you be confident that the change you make is functioning as you expect *before* you submit that PR?

Many contributors to the Kubernetes code base want to increase the confidence they have in their code prior to pushing that code upstream. This workflow will simplify this process for you!

Bring your Mac, Windows or Linux laptop to this session! We will show how to install the tools you need - Docker, golang and Kind. 

We will  guide you through a great workflow for contributing and testing your code. We will be leveraging sigs.k8s.io/kind to show you how to build Kubernetes locally and test your code. Then we’ll use Kind to run e2e tests against your local build. 

Together, these new skills will enable you to feel more confident in the changes you are introducing to the existing code base and enable you to contribute more frequently!

Please bring your laptop fully charged as we will have limited charging stations available in the room.

To prepare for the session, follow the setup instructions at: https://bit.ly/2JWsbxC

CRDs have become the main vehicle to extend the Kubernetes API. They are ready to build serious products on-top of them. But with more and more features like admission and conversion they are no longer just a hundred lines of YAML, but involve real software development. In this talk/tutorial we will start with a YAML-only CRD project and step-by-step go through the development life-cycle towards a powerful multi-version CRD:

- add schema validation using OpenAPI schema generators
- enable pruning
- add defaulting
- add an admission webhook for powerful turing-complete validation
- evolve the CRD to a new version with a conversion webhook
- including comprehensive testing.

On this journey we will learn a lot of about the expected webhook behaviour, how they fit into API machinery, and about API compatibility and good & bad API practices.