[18:00 - 18:45] Christian Weichel, “Going Rootless: How Gitpod secured multi-tenant Kubernetes workspaces”
[19:00 - 19:45] Yann Hamon, “Ensuring Kubernetes manifests validity & compliance - a tooling overview”
Both talks will be followed by 5 minute Q&A and a 5-minute break.
“Going Rootless: How Gitpod secured multi-tenant Kubernetes workspaces”, Christian Weichel
Abstract: At Gitpod, we have built an open source automated development environment based on Kubernetes. As a multi-tenant platform that enables developers to spin up workspaces (implemented as Kubernetes pods) to develop, compile and run code, we have some extreme security requirements.
One of the most-requested features has been Docker support within a Gitpod workspace, i.e. running a Docker daemon within a Kubernetes pod. In order to isolate the user’s workspace, it needed to run “rootless”, but Linux containers' intricacies make this extremely challenging.
In this talk, we will explain how, together with our friends at Kinvolk, we approached this challenge and managed to implement this feature, leveraging these latest upstream enhancements.
We will cover an overview of current user namespace efforts in Kubernetes, how we employed user namespaces to provide good isolation of workspaces, about the challenges we had to overcome to make rootless Docker work, giving an overview of upcoming technologies that enable the next generation of rootless containers.
“Ensuring Kubernetes manifests validity & compliance - a tooling overview”, Yann Hamon
Abstract: In an Infrastructure as code / GitOps world, testing that your Kubernetes configuration is correct, secure, and compliant to your company's requirements & best practices is more important than ever. An increasingly large list of tools is there to help you - linters, validators, testing frameworks, admission controllers... each working in subtly different ways.
To help you navigate these waters, I will present some of the most common tools for Kubernetes manifests validation & compliance testing, detail their use, limitations and provide some usage examples.
I will also introduce Kubeconform, a new Kubernetes validation tool I authored.