stackconf online 2021 -

stackconf online 2021 | Pragmatic App Migration to the Cloud: Quarkus, Kotlin, Hazelcast and GraalVM in action

von Katja Kotschenreuther | Okt 29, 2021 | Events, stackconf, NETWAYS

This entry is part 10 of 27 in the series stackconf online 2021

This year’s stackconf is over and was a big success. The three-day conference this summer was all about open source infrastructures where trendsetting concepts, state-of-the-art technical expertise, top-level discussions and new perspectives have shaped the event.

Besides our 30 amazing experts sessions we were also excited about the large amount of participants from all over the world. Our audience included renowned infrastructure spezialists, industry leaders, experienced administrators and IT architects as well as a wild bunch of open source community enthusiasts.

For all of you who couldn’t join the Open Source Infrastructure Conference I’ve something awesome today. Nicolas Fränkel was one of our speakers and talked about „Pragmatic App Migration to the Cloud: Quarkus, Kotlin, Hazelcast and GraalVM in action“. In his talk, he created a simple URL shortener with a „standard“ stack: Kotlin, JAX-RS and Hazelcast. With the help of Quarkus and GraalVM, he turned this application into a native executable with all Cloud/Container related work has been moved to build the process. Doesn’t that sound exciting? Enjoy his lecture!

stackconf 2022 will take place in Berlin. We are already looking forward to meeting you all again in person next year. The exact date of the event will be announced soon.

If you want to learn more about infrastructure solutions in advance always keep in mind that there’s our archive where you can find all slides and videos of every stackconf speaker.

Stay tuned!

Katja Kotschenreuther

Manager Marketing

Katja ist seit Oktober 2020 Teil des Marketing Teams. Als Manager Marketing kümmert sie sich hauptsächlich um das Marketing für die Konferenzen stackconf und OSMC sowie unsere Trainings. Zudem unterstützt sie das Icinga Team mit verschiedenen Social Media Kampagnen und der Bewerbung der Icinga Camps. Sie ist SEO-Verantwortliche für all unsere Websites und sehr viel in unserem Blog unterwegs. In ihrer Freizeit reist sie gerne, bastelt, backt und engagiert sich bei Foodsharing. Im Sommer kümmert sie sich außerdem um ihren viel zu großen Gemüseanbau.

Lies mehr von Katja und triff unser Team

stackconf online 2021 | Why you should take care of infrastructure drift

von Henrik Triem | Okt 26, 2021 | NETWAYS, Events, stackconf

This entry is part 1 of 27 in the series stackconf online 2021

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our experts sessions and the large number of participants who joined us from all over the world. In the following you get an insight about one of our talks.

Stephane Jourdan, co-author of Infrastructure-as-Code Cookbook and co-founder of Driftctl lectures us in the talk „Why you should take care of infrastructure drift“ about infrastructure drift, why it’s causing issues and how to avoid and mitigate it.

The talk starts off by looking for a definition for infrastructure drift, asking users and customers for their experiences. Infrastructure drift happens when the reality and the expectations don’t match is the definition given. This is supplemented by a technical explanation: the configuration provided by our management tools doesn’t match the configuration on our actual machines. For varying reasons, whatever configuration we have running in our cloud infrastructure, in our AWS machines, differs from the configuration we have provided in Terraform. That difference is infrastructure drift.

Infrastructure drift: A simple overview

It is caused by unmanaged resources in the cloud infrastructure, be it manual inputs directly into the machines, dynamic updates, different teams working with different software, making changes to the configuration in the cloud. These changes are not being supervised by our configuration management tool, and if not checked regularly for infrastructure drift, these differences can stay there for weeks, months even. Many companies are adopting automation when using and providing cloud infrastructure and it is very easy to overlook infrastructure drift, posing a considerable security threat. Driftctl helps us by checking for these differences and giving us a report about the quantity of infrastructure drift.

Then Stephane shares user stories with us. We hear about using Driftctl to check Terraform: users making manual inputs, changing access rules and firewall configurations in AWS creating rules which are not being covered by Terraform. These issues were caused by varying authorized people making changes directly in AWS web UI, and persisted in each case with unacceptable duration. The usage of Driftctl is being presented to us in live demos – the user inputs of the stories were being replicated and Stephane demonstrates how Driftctl checks these differences and notifies the user by giving a percentage calculated, informing them about the serverity of the infrastructure drift in their environments.

Driftctl scans Terraform and finds two rouge instructions

To finish up his talk, Stephane shows us more usages of Driftctl: scanning JSON Output for differences, using the .driftignore file to ignore occurrences of infrastructure drift, scanning with filters to focus on specific areas of the AWS accounts, and using Driftctl in CI setups, where a Docker container is being provided for easy integration in various CI systems.

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance you have the possibility to take look at our archive where you can find all slides and videos from this year’s stackconf.

Stay tuned!

stackconf online 2021: Data Driven Security

von Katja Kotschenreuther | Okt 5, 2021 | stackconf

This entry is part 11 of 27 in the series stackconf online 2021

This year’s stackconf is over and was a big success. The three-day conference this summer was all about open source infrastructures where trendsetting concepts, state-of-the-art technical expertise, top-level discussions and new perspectives have shaped the event.

Besides our 30 amazing experts sessions we were also excited about the large amount of participants from all over the world. Our audience included renowned infrastructure spezialists, industry leaders, experienced administrators and IT architects as well as a wild bunch of open source community enthusiasts.

For all of you who couldn’t join the Open Source Infrastructure Conference I’ve something awesome today. Have you ever heard of „Data Driven Security“? Peter Elmer outlines in the following video why this is more effective than traditional research methodologies, as it combines data, human experience and logic made by machines to define the verdict. Enjoy!

stackconf 2022 will take place in Berlin. We are already looking forward to meeting you all again in person next year. The exact date of the event will be announced soon.

If you want to learn more about infrastructure solutions in advance always keep in mind that there’s our archive where you can find all slides and videos of every stackconf speaker.

Stay tuned!

Katja Kotschenreuther

Manager Marketing

Katja ist seit Oktober 2020 Teil des Marketing Teams. Als Manager Marketing kümmert sie sich hauptsächlich um das Marketing für die Konferenzen stackconf und OSMC sowie unsere Trainings. Zudem unterstützt sie das Icinga Team mit verschiedenen Social Media Kampagnen und der Bewerbung der Icinga Camps. Sie ist SEO-Verantwortliche für all unsere Websites und sehr viel in unserem Blog unterwegs. In ihrer Freizeit reist sie gerne, bastelt, backt und engagiert sich bei Foodsharing. Im Sommer kümmert sie sich außerdem um ihren viel zu großen Gemüseanbau.

Lies mehr von Katja und triff unser Team

stackconf online 2021 | Continuous Security – Integrating Security into your Pipelines

von Andrew Constant | Sep 21, 2021 | stackconf

This entry is part 3 of 27 in the series stackconf online 2021

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our experts sessions and the large number of participants who joined us from all over the world. In the following you get an insight about one of our talks.

At stackconf online 2021 Matt Jarvis held a talk about the continuous security within pipelines. This is a great topic as security is not only extremly important, but more and more people are realising its importance.

Matt started off by giving us an introduction as to how Dev-ops has progressed and in the pre-cloud era the developer wrote the application and then IT operations took over the security side of things. Nowadays developers write the code, check, deploy and manage almost everything. Which can be a lot! The line has become blurred and the responsibility of security doesn’t have a rightful place, which is where Snyk comes in.

Security is usually considered to be an external practise and as it requires a higher responsibility, it needs to be made easier for developers to use. As we all know, once deployed, it is hard to implement security and having a secure system will help win over the trust of your customers. This problem only grows as each year, more and more code is written, which of course means a higher probability for errors and vunerabilities.

Dependencies and Vunerabilities

The problem with these vunerabilities isn’t always with dependencies themselves, but in fact their dependencies. Up to 70% of the vunerabilities are found here and these indirect dependencies can be used to hide malicious code.

In this example here, the code is hidden in sub dependencies and has had over 440,000 downloads/month! If people are only checking the top layer, there is a whole lot more they are missing. Sometimes all it takes is rebuilding an image or getting newer images. Up to 44% of Docker image vunerabilities can be resolved with a newer base image.

Here lies another problem and that is mainly when it comes to configuring the code. One of the most commonly seen issues is the misconfiguration of code. This is usually unintentional, but also what some developers don’t realise is that not all applications need root access. By default containers run as root and if this rule was changed before it was deployed, it could restrict access for would-be attackers. Something else to consider is the writable file systems that are mounted onto a container. By allowing this an attacker that compromises a container then has write access to the mount drive. If your containers are stateless, the attacker will have a harder time doing damage.

Integrate in a Developers Workflow

Matt went on to talk about how these security flaws can be shifted to the developers level. Security needs to be integrated into a developers workflow to help eliminate these problems at the source. Repositories need to also be taken into consideration and things like two factor authentication, strong key management practises and strong review processes are a great way to reduce weaknesses being exploited.

With the help of Snyk a developer is able to identify a lot of these flaws with monitoring scans and checks. These scans and checks can be automated into pipelines and relieve a lot of the responsibility. This was shown in the demo that Matt gave us and with these checks, the vunerabilities were able to be fixed with the Snyk wizard, amazing! This means that errors are found and corrected before they are even deployed. This is what was meant by moving the responsibility back and fixing the problem at the source. By integrating Snyk into the IDE, it fixes issues right away and elimates the need to worry about containers that are already deployed. Snyk is even smart enough to check packages and repos before they are pulled.

This is exactly the right approach to fixing the problem and by making the whole process easier, there really is no reason not to start implementing Snyk in you setups. Matt has identified the problem and shifted the responsibility to developer, but at the same time made it easy to implement. These tools give developers the help they need in order to secure their containers at the source and not cause future problem that can be easily solved with a few checks and corrections. Snyk helps developers at every step on the way and takes care of the security aspect allowing to release code faster and more securely.

Full talk and more from and about stackconf

Watch the the whole talk by Matt Jarvis:

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance you have the possibility to take look at our archive where you can find all slides and videos from this year’s stackconf.

Stay tuned!

stackconf online 2021 | Policy-as-code in Kubernetes with Gatekeeper

von Claude Weladji | Sep 7, 2021 | stackconf

This entry is part 5 of 27 in the series stackconf online 2021

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our experts sessions and the large number of participants who joined us from all over the world. In the following you get an insight about one of our talks.

At stackconf online 2021 Ara Pulido from Datadog talked about „Embracing change: Policy-as-code for Kubernetes with OPA and Gatekeeper“.

What is Kubernetes

Kubernetes is a Container orchestration platform to help you run your containerized applications in production. It provides Role-based Access Control (RBAC) which allows operators to define in a very granular manner which identity is allowed to create or manage which resource. But RBAC does not allow us to control the specification of those resources. So the use of the Open Policy Agent (OPA) Gatekeeper.

What is Open Policy Agent (OPA)

A Policy Rule that governs the behavior of a software service.

The Open Policy Agent (OPA) is an open source project, a policy engine for Cloud Native environments and also a policy engine that can be located with your service. It can be integrated as a sidecar, host-level daemon, or library. On the OPA Website we can find a list of OPA Integrations, use-cases and related projects.

What is Open Policy Agent Gatekeeper

The Open Policy Agent (OPA) Gatekeeper is an admission controller that validates requests to create and update Pods on Kubernetes clusters, using JSON over HTTPS.

Example

In this example, we want to make sure that all labels required by the policy are present in the Kubernetes resource manifest.

To do this, we have to build our Rego query with th help of Gatekeeper. This consists of a package containing a violation definition. The violation defined the input data, the condition to be matched, and a message which gets returned in case of a violation.

This is done by wrapping our query into a ContrainTemplate resource:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
listKind: K8sRequiredLabelsList
plural: k8srequiredlabels
singular: k8srequiredlabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
labels:
type: array
items: string
targets:
– target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels

violation[{„msg“: msg, „details“: {„missing_labels“: missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required – provided
count(missing) > 0
msg := sprintf(„you must provide labels: %v“, [missing])
}

We not yet defined which label we require our Kubernetes resources to have. We also did not yet define on which Kubernetes resources we like to have this policy applied too. To do this, we have to create another manifest called Constraints:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: ns-must-have-gk
spec:
match:
kinds:
– apiGroups: [„“]
kinds: [„Namespace“]
parameters:
labels: [„gatekeeper“]

So Gatekeeper makes reuse of policy simple and the Host must be unique among all Ingresses.

Under https://github.com/open-policy-agent/gatekeeper-library we find all Gatekeeper library.

I liked that the topic was told explicitly with even live examples, and found the speaker awesome. In the comments you could tell people were happy to be at the conference.

Full talk and more from and about stackconf

Watch the the whole talk by Ara Pulido:

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance you have the possibility to take look at our archive where you can find all slides and videos from this year’s stackconf.

Stay tuned!