
NETWAYS Blog

stackconf online 2021 | Continuous Security – Integrating Security into your Pipelines

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our expert sessions and the large number of participants who joined us from all over the world. Below you get an insight into one of our talks.

At stackconf online 2021 Matt Jarvis held a talk about continuous security within pipelines. This is a great topic, as security is not only extremely important, but more and more people are realising its importance.

Matt started off by giving us an introduction to how DevOps has progressed: in the pre-cloud era the developer wrote the application and then IT operations took over the security side of things. Nowadays developers write the code, check, deploy and manage almost everything, which can be a lot! The line has become blurred and the responsibility for security doesn’t have a rightful place, which is where Snyk comes in.

Security is usually considered to be an external practice, and since it carries a higher responsibility, it needs to be made easier for developers to use. As we all know, security is hard to add once a system is deployed, and having a secure system helps win the trust of your customers. This problem only grows, as each year more and more code is written, which of course means a higher probability of errors and vulnerabilities.

Dependencies and Vulnerabilities

The problem with these vulnerabilities isn’t always in the dependencies themselves, but in their own dependencies. Up to 70% of vulnerabilities are found there, and these indirect dependencies can be used to hide malicious code.

In the example Matt showed, the malicious code was hidden in sub-dependencies and the package had over 440,000 downloads per month! If people only check the top layer, they miss a whole lot more. Sometimes all it takes is rebuilding an image or pulling a newer one: up to 44% of Docker image vulnerabilities can be resolved with a newer base image.

Another problem lies mainly in configuration. One of the most commonly seen issues is misconfiguration. This is usually unintentional, but what some developers don’t realise is that not all applications need root access. By default containers run as root, and if this is changed before deployment, it restricts what a would-be attacker can do. Something else to consider is writable file systems mounted into a container: by allowing this, an attacker who compromises the container has write access to the mounted volume. If your containers are stateless, the attacker has a harder time doing damage.
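To make the two configuration points concrete, here is an added example (not from Matt’s talk or from Snyk) of a Kubernetes Pod manifest in the default shape the talk warns about, followed by the hardened version of the same Pod: it runs as a fixed non-root user, keeps the container’s root file system read-only, and replaces the writable host mount with a scratch volume so the container stays stateless. The Pod and image names are constructed placeholders.

```yaml
# Before (constructed example): the defaults the talk warns about.
# No securityContext, so the container runs as root, and a writable
# host directory is mounted into it.
apiVersion: v1
kind: Pod
metadata:
  name: web-default
spec:
  containers:
    - name: web
      image: registry.example.com/web:1.2.3   # placeholder image name
      volumeMounts:
        - name: data
          mountPath: /data                    # writable, backed by a host path
  volumes:
    - name: data
      hostPath:
        path: /srv/web-data
---
# After (constructed example): same workload, hardened before deployment.
apiVersion: v1
kind: Pod
metadata:
  name: web-hardened
spec:
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start the Pod if the image would run as UID 0
    runAsUser: 10001            # fixed unprivileged UID/GID, independent of the image's USER line
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault      # container runtime's default syscall filter
  containers:
    - name: web
      image: registry.example.com/web:1.2.3   # placeholder image name
      securityContext:
        allowPrivilegeEscalation: false       # no setuid/setcap escalation inside the container
        readOnlyRootFilesystem: true          # a compromised process cannot modify binaries or configs
        capabilities:
          drop: ["ALL"]                       # no Linux capabilities unless explicitly needed
      volumeMounts:
        - name: tmp
          mountPath: /tmp                     # the only writable path, and it is not persistent
  volumes:
    - name: tmp
      emptyDir: {}                            # scratch space that disappears with the Pod
```

With readOnlyRootFilesystem the application must write only to the mounted scratch volume, so this is the kind of change that is cheap to make before the first deployment and expensive afterwards, which is the point of the talk.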

Integrate into a Developer’s Workflow

Matt went on to talk about how these security flaws can be shifted to the developer’s level. Security needs to be integrated into a developer’s workflow to help eliminate these problems at the source. Repositories also need to be taken into consideration: two-factor authentication, strong key management practices and strong review processes are a great way to reduce the chance of weaknesses being exploited.

With the help of Snyk a developer is able to identify a lot of these flaws with monitoring scans and checks. These scans and checks can be automated in pipelines and take a lot of the responsibility off the developer. This was shown in the demo Matt gave us: with these checks, the vulnerabilities could be fixed with the Snyk wizard, amazing! This means that errors are found and corrected before they are even deployed. This is what was meant by moving the responsibility back and fixing the problem at the source. By integrating Snyk into the IDE, issues are fixed right away, which eliminates the need to worry about containers that are already deployed. Snyk is even smart enough to check packages and repos before they are pulled.
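As an added example of what “automated into pipelines” can look like (this is not Matt’s demo and not a configuration shipped by Snyk), here is a GitLab CI pipeline that scans both the application’s dependency tree, including the indirect dependencies discussed above, and the built container image before anything is pushed. It assumes a Node.js project, a Dockerfile in the repository root, and a Snyk API token stored as the masked CI variable SNYK_TOKEN, which the Snyk CLI reads from the environment; the stage and job names are constructed.

```yaml
# Added example: GitLab CI pipeline with Snyk dependency and image scans.
# Assumptions: Node.js project, Dockerfile at repo root, SNYK_TOKEN set as a
# masked CI variable. Job names and the IMAGE value are constructed.
stages:
  - build
  - security

variables:
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

# Build the image once and hand it to the scan job as an artifact,
# so the image that is scanned is exactly the image that would ship.
build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker build -t "$IMAGE" .
    - docker save "$IMAGE" -o image.tar
  artifacts:
    paths:
      - image.tar

# Scan direct and transitive dependencies from the lockfile.
# The job fails on high or critical findings, which blocks the pipeline
# before deployment instead of after it.
snyk-dependencies:
  stage: security
  image: node:18
  script:
    - npm ci
    - npm install -g snyk
    - snyk test --severity-threshold=high
    - snyk monitor   # keep watching this project for newly published vulnerabilities

# Scan the built image, including OS packages inherited from the base image.
# Passing the Dockerfile lets Snyk point at the FROM line and suggest a newer
# base image, which covers the "newer base image" fix the talk mentions.
snyk-container:
  stage: security
  image: docker:24
  services:
    - docker:24-dind
  needs:
    - build-image
  script:
    - docker load -i image.tar
    - apk add --no-cache nodejs npm
    - npm install -g snyk
    - snyk container test "$IMAGE" --file=Dockerfile --severity-threshold=high
```

A push or deploy stage would be added after security, so that it only runs when both scan jobs have passed; the severity threshold is the knob to tune so that the pipeline blocks on what the team has agreed to fix rather than on every low finding.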

This is exactly the right approach to fixing the problem, and by making the whole process easier, there really is no reason not to start implementing Snyk in your setups. Matt has identified the problem and shifted the responsibility to the developer, but at the same time made it easy to implement. These tools give developers the help they need in order to secure their containers at the source and not cause future problems that can be easily solved with a few checks and corrections. Snyk helps developers at every step of the way and takes care of the security aspect, allowing you to release code faster and more securely.

Full talk and more from and about stackconf

Watch the whole talk by Matt Jarvis:

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance, you have the possibility to take a look at our archive, where you can find all slides and videos from this year’s stackconf.

Stay tuned!

Andrew Constant
Junior Systems Engineer

Andrew joined the NETWAYS family in 2020. He is currently completing his training as an IT specialist for system integration in the NETWAYS Web Services department. The former foreign-language correspondent, an Englishman from Northamptonshire, wins people over with his humour and complements the team very well. He likes to spend his free time on photography, but also still as a tandem partner for learning new languages.

stackconf online 2021 | Policy-as-code in Kubernetes with Gatekeeper

At stackconf online 2021 Ara Pulido from Datadog talked about “Embracing change: Policy-as-code for Kubernetes with OPA and Gatekeeper”.

What is Kubernetes

Kubernetes is a container orchestration platform that helps you run your containerized applications in production. It provides Role-Based Access Control (RBAC), which allows operators to define in a very granular manner which identity is allowed to create or manage which resource. But RBAC does not allow us to control the specification of those resources. This is where Open Policy Agent (OPA) Gatekeeper comes in.

What is Open Policy Agent (OPA)

A policy is a rule that governs the behavior of a software service.

The Open Policy Agent (OPA) is an open source project: a policy engine for cloud native environments that can be co-located with your service. It can be integrated as a sidecar, host-level daemon, or library. On the OPA website we can find a list of OPA integrations, use cases and related projects.

What is Open Policy Agent Gatekeeper

The Open Policy Agent (OPA) Gatekeeper is an admission controller that validates requests to create and update Pods on Kubernetes clusters, using JSON over HTTPS.

Example

In this example, we want to make sure that all labels required by the policy are present in the Kubernetes resource manifest.

To do this, we build our Rego query with the help of Gatekeeper. It consists of a package containing a violation definition. The violation defines the input data, the condition to be matched, and a message which gets returned in case of a violation.

This is done by wrapping our query into a ConstraintTemplate resource:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
        listKind: K8sRequiredLabelsList
        plural: k8srequiredlabels
        singular: k8srequiredlabels
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          # labels present on the object under review
          provided := {label | input.review.object.metadata.labels[label]}
          # labels demanded by the Constraint's parameters
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }

We have not yet defined which labels we require our Kubernetes resources to have. We also have not yet defined which Kubernetes resources we would like this policy applied to. To do this, we have to create another manifest, a Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-gk
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["gatekeeper"]

So Gatekeeper makes reusing a policy simple: the same template can be instantiated with different parameters and scopes. Another example from the talk is a policy requiring that the host must be unique among all Ingresses.
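As an added example of that reuse (not from Ara’s talk and not part of the Gatekeeper project), here is a second Constraint built from the same K8sRequiredLabels template with different parameters and a different scope: it applies to Deployments in a namespace named prod (a constructed name) and, rather than denying requests, only records violations through Gatekeeper’s audit using the enforcementAction field, which is how you would introduce a new policy into a cluster that already has non-compliant objects.

```yaml
# Added example: reuse of the K8sRequiredLabels ConstraintTemplate from the post.
# Namespace "prod" and the required label names are constructed values.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: prod-deployments-must-have-owner
spec:
  # dryrun: the Rego rule still runs, but the admission webhook admits the
  # request and the audit controller lists offenders in this object's status.
  # Switch to "deny" (the default) once the existing objects are compliant.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    namespaces: ["prod"]        # scope the policy to one namespace
  parameters:
    labels: ["owner", "team"]   # both labels must be present, in any order
```

With the post’s own Constraint ns-must-have-gk left in deny mode, creating a Namespace without the gatekeeper label is rejected by the admission webhook with the message the Rego rule builds, “you must provide labels:” followed by the set of missing label names. For the dry-run Constraint above, kubectl get k8srequiredlabels prod-deployments-must-have-owner -o yaml shows the Deployments that would have been denied under status.violations, so the policy can be reviewed against real workloads before enforcement is turned on.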

Under https://github.com/open-policy-agent/gatekeeper-library we find the Gatekeeper policy library.

I liked that the topic was explained clearly, even with live examples, and found the speaker awesome. In the comments you could tell people were happy to be at the conference.

Full talk and more from and about stackconf

Watch the whole talk by Ara Pulido:

Claude Weladji
Junior Systems Engineer

Claude has been with NETWAYS since April 2021. She is doing an internship in the NETWAYS Web Services department as part of her retraining as an IT specialist for system integration. Before that she studied software engineering in Heilbronn. In her free time Claude likes to travel and cook, go for walks, listen to music and do sport.

stackconf online 2021 | Stretching the Service Mesh Beyond the Clouds

At stackconf online 2021 Rosemary Wang was with us, and she had a great topic on how to extend a service mesh beyond clouds. At the beginning she told us about her work at an organization where different environments were used. These environments were running applications, some in AWS, data centres, Kubernetes, virtual machines, or Azure. The one thing missing is a way to control everything from one point.

So, what is needed is an infrastructure layer and an automation that controls the infrastructure layer. The combination of these is a service mesh. She showed us a solution with a Consul cluster, which is used in the datacenter and in the cloud.

This means that all service-to-service traffic goes through the proxies first. For example, in the data centre, the UI goes through the proxies to communicate with the application. Consul takes care of the configuration of the proxies and controls the rules and placement of where traffic is allowed to go within the environment.

The UI can also use the proxies to reach the application in the cloud. This allows cross-cloud access. But aren’t there more problems with a service mesh? The answer is yes, there are certain issues you need to address, but you need to weigh them against what you get without one. If you do not use a service mesh, you end up with little automation and multiple checkpoints for the environments.

Several Types of Topologies

To get back on topic: we won’t try to stretch the service mesh across all environments, but Rosemary would like to show us the several types of topologies you have.

First, the service mesh is deployed in the cloud and then a network automation piece is added to synchronize. The benefits on the service mesh side are controlled retries and error handling towards the non-service mesh, and progressive delivery techniques such as canary, A/B testing and feature flagging. On the other hand, the benefits on the non-service mesh side are automated control and no change to existing applications.

Let’s move on. After deploying the service mesh in the cloud, you deploy an ingress gateway that helps control traffic from the ingress to the cluster. The information it receives is transmitted to a Consul Terraform Sync, which configures the application load balancer.

How Consul Terraform Sync Works

Here Rosemary explains the advantages and disadvantages as well as how Consul Terraform Sync works. Afterwards there was a demo of how everything works together.
On the whole, I can say that Rosemary’s talk was very successful. I was able to learn a lot about the topic myself, even though I didn’t know a lot about it before. I hope the talk can convince you as much as it convinced me.

I could go on explaining in detail what Rosemary mentioned in her talk, but I would like to leave you with this.
If you want to learn more about the talk, you can watch it in full length; I really recommend it.

Full talk and more from and about stackconf

Watch the whole talk by Rosemary Wang:

Joshua Hartmann
Junior Systems Engineer

Joshua started his training as an IT specialist for system integration in the NETWAYS Web Services department in summer 2020. Together with his colleagues he currently takes care of customer support and the further development of the SaaS apps. Joshua is musical and likes to play the piano, but some time ago also discovered his love for winter sports. Joshua also has a career as a professional player in the amateur league of a PC game behind him, but today prefers to spend his time...

stackconf online 2021 | Spot the Anti-Pattern

Arushi Jain, a senior software engineer at Reddit, talked about anti-patterns in her talk at stackconf 2021.

The talk “Spot the Anti-Pattern” dives deep into the study of anti-patterns: how it helps to create a common language and focus the stakeholders on it. It helps to analyse the past and find out how to interrupt the patterns in the future to avoid the same mistakes. The presence of anti-patterns and how to find one is information that needs to be properly communicated, as a commonly implemented practice can have negative effects when used in varying degrees of severity. A common example of an anti-pattern is the fart system at work. Every system needs an upgrade after some time, and a variety of frameworks to develop the concerns and the need to show continuous upgrades. To develop a solution for any kind of anti-pattern, the one common thing is to analyse the record consisting of a particular volume to find the pattern and then work towards alternatives to design a better way.

Anti-patterns can be identified in almost everything; architectural and some micro-organisational examples that occur in everyday life were discussed. The follow-up work is to keep all stakeholders informed and then have meaningful conversations to identify the counter plan by collecting the data and identifying the root cause. It also takes a team effort to identify the counter-pattern and then work on the solution, because nothing will happen in one go. Some patterns are complex and require multi-layered iteration to address.

About Patterns and Anti-Patterns

Following are some questions and answers that summarise the subject:

What is a pattern? 

A pattern is a general repeatable solution to a commonly occurring problem.

What is an anti-pattern? 

An anti-pattern is a common response to a recurring problem that is usually ineffective and risks being highly counterproductive.

Note the reference to “a common response”. Anti-patterns are not occasional mistakes, they are common ones, and are nearly always followed with good intentions.

Why do anti-patterns exist?

Anti-patterns exist because humans are flawed thinkers. Cognitive bias is a systemic error in thinking that occurs when people process and interpret information from their environment and then use that information to influence the decisions and judgements they make.

How can you identify an anti-pattern?

Identify human conflict.

Incomprehensible systems are a sign.

Look for teams who are constantly behind.

Sukhwinder Dhillon
Junior Developer

Sukhwinder has been with NETWAYS since January 2020 and is doing his training as an IT specialist for application development with us. In his free time he likes to ride his bike, meet friends, or sit in front of the computer and learn something new.

How to rewind & relive stackconf online 2021

Just recently, we hosted the second online version of stackconf, and we’re still over the moon!

From June 15 – 17, 2021, not only did the 31 high-level speakers from around the world make this year’s online edition extraordinary and absolutely exciting; the 414 registered attendees especially made stackconf online 2021 surely one to remember! Thank you for three wonderful days full of Open Source Infrastructure Love!
For me, it was my first time working at stackconf and I mean, what can I say: I love NETWAYS and the people! 🙂 How can you not?

If we could turn back time

There’s no need to! We’re happy to let you know that the conference archive is now fully updated and online! Whether it’s this year’s talks or those from previous years: take a walk down memory lane to rewind & relive all your favourite talks, reminiscing by browsing through all the slides, speaker videos and conference photographs!

...or if we could make time pass faster

And you know: after the event is before the event! We’re beyond excited that we’re going to see each other in person again next time! So, mark your calendars for stackconf 2022 in Berlin! For those who cannot wait until next year, I can warmly recommend OSMC – the Open Source Monitoring Conference – happening from November 09 – 11, 2021, here in Nuremberg.

PS: After writing the headline, I have Cher’s song “If I Could Turn Back Time” stuck in my head...

Jessica Kupfer
Online Marketing Manager

Jessica has been with NETWAYS since September 2020 and is incredibly happy about it! She enriches our marketing team with her knowledge of social media and performance marketing. After 3 years as an au pair in Boston, L.A. and London and another 6 years in Vienna, the Saarland native with Hungarian roots has now ended up in Nuremberg. In her free time she most likes to visit friends & family, enjoys travelling and seizes every opportunity that presents itself, dogs...
