Thursday 21st & Friday 22nd June 2018
The Clayton Hotel, Cork City

David Gonzalez
Continuous delivery DevSecOps with Kubernetes: stay safe at the speed of light

Nowadays, Continuous Delivery is a must. Nobody starts a new application without asking: how can we make deployments as painless as possible? The only answer to it is Kubernetes. Full stop. Kubernetes is the solution to 99% of the problems in a software development/deployment pipeline because it was engineered for it.

The problem with CD pipelines is security: there are no standards for securing a CD pipeline, as it is something new and security takes time to catch up with the requirements.

Attack vectors

Docker and orchestration platforms like Kubernetes, as well as your process, introduce new attack vectors that you may not even have thought of:

  • Flawed images
  • Shared volumes in containers exposing more than they should
  • People deploying dangerous code into production (accidentally or intentionally)

We need to reinvent how we approach security in order to succeed in the big enterprise: the standards must be at the same level as in a traditional software company, which can only be achieved by creating new tools (as I did with Gammaray) and improving your process, staying on the safe side while allowing your engineers to move as quickly as they can by giving them early feedback on potential threats, as well as training.

Mitigation

In order to mitigate the attack vectors stated above we need to get very creative, as DevOps is the Wild West of the 21st century. We need a combination of intellect and common sense to reduce its risks:

  • Security scanning
  • Four-eyes policies
  • Hardened configurations

In this talk, I will introduce the problem with real examples of how CD pipelines get compromised, as well as solutions to the attack vectors mentioned above. I will also demo the process of creating a Docker image to very high security standards, with an application whose dependencies have already been scanned for vulnerabilities using Gammaray, and deploying it on a secured Kubernetes cluster without any obstruction to the engineering team, ensuring that we have visibility through the full process.
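As an added illustration of the "hardened configurations" mitigation and of the attack vectors listed above (unpinned or flawed images, volumes that expose more of the host than they should, containers running with more privilege than they need), here is a small admission-style policy check written for this page. It is not the speaker's Gammaray tool or any code from the talk; the two Pod manifests are constructed samples represented as the dicts a YAML loader would return, and the rules (digest-pinned image, no privileged containers, run as non-root, no privilege escalation, read-only root filesystem, all capabilities dropped, no hostPath volumes, no host namespaces) are the hardening baseline this example assumes.

```python
import re

# Constructed sample: a "works on my machine" manifest that quietly
# reintroduces every attack vector the abstract lists.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {
                "name": "api",
                "image": "example/api:latest",            # mutable tag: which build is this?
                "securityContext": {"privileged": True},
                "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
            }
        ],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],  # exposes the node
    },
}

# Constructed sample: the same workload with a hardened configuration.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "containers": [
            {
                "name": "api",
                # Pinned by digest so what is deployed is exactly the image that was scanned
                # (placeholder digest, not a real image).
                "image": "example/api@sha256:" + "0" * 64,
                "securityContext": {
                    "runAsNonRoot": True,
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
                "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            }
        ],
        "volumes": [{"name": "tmp", "emptyDir": {}}],  # scratch space only, nothing from the host
    },
}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_is_pinned(image: str) -> bool:
    """True only when the image reference is pinned by a sha256 digest."""
    return bool(DIGEST_RE.search(image))


def check_container(container: dict) -> list:
    """Return one finding per container-level rule that is violated."""
    findings = []
    name = container.get("name", "?")
    sc = container.get("securityContext") or {}
    if not image_is_pinned(container.get("image", "")):
        findings.append(f"{name}: image not pinned by digest ({container.get('image')})")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot not set")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation not disabled")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: root filesystem is writable")
    dropped = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in dropped:
        findings.append(f"{name}: capabilities not dropped")
    return findings


def check_pod(pod: dict) -> list:
    """Return all findings for a Pod; an empty list means it passes the baseline."""
    spec = pod.get("spec") or {}
    findings = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod shares host namespace: {key}")
    for volume in spec.get("volumes") or []:
        if "hostPath" in volume:
            findings.append(
                f"volume {volume.get('name')} mounts host path {volume['hostPath'].get('path')}"
            )
    for container in spec.get("containers") or []:
        findings.extend(check_container(container))
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, "->", check_pod(pod) or "OK")
```

Run as a pipeline step, a non-empty finding list is the early feedback the abstract talks about: the engineer sees which rule the manifest breaks before it reaches the cluster, rather than waiting on a review.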

David Gonzalez

Consultant at nearForm

David is a DevOps enthusiast coming from a software engineering background who loves speaking at events.

He is the author of three books, and planning a 4th one (DevSecOps pipelines):

He is also the only Google Developer Expert in Kubernetes in Europe. Nowadays, he is a consultant at nearForm who enjoys facing new challenges with customers that need help with software, infrastructure or security, helping them to achieve their goals in the best possible way.

David is an open source enthusiast who contributes to a number of projects and created a few of them, such as:

  • Gammaray (vulnerability scanner)
  • Vishnu (circuit breaker for Kubernetes, in progress)
  • Visigoth (a load balancer with circuit breaker incorporated)

In his free time, he loves riding his bike and walking his dogs in green Ireland.

David, you’re coming back to RebelCon for a second year in a row! For those who don’t know you, could you tell us a little bit more about yourself and what you’re working on right now?

David: I would say I’m a DevOps Engineer, but that’s not really true… I do a lot of development, DevOps, and security as well, so kind of DevSecOps! I come from a Java background but I like to mess around with a lot of technologies, so when I got an opportunity to write a book on microservices with NodeJS, I took it! That got me a job at nearForm, who I’m working for today. I started getting into DevOps/DevSecOps… all these new technologies like Kubernetes. I’m lucky to be the only Google Developer Expert in Kubernetes in the world, which is fantastic!!

At nearForm, I mainly do consulting for companies, setting up delivery pipelines, security and orchestration with Docker. When I started working with these technologies, I had a lot of questions, and since I’ve noticed that every company working with Kubernetes has the same questions, my talk is about how to overcome these new challenges, especially around security.

Your talk is called “Continuous Delivery DevSecOps with Kubernetes”, what are the motivations behind it?

David: Usually the problem with security is that it’s very obstructive. If you are doing CI/CD, you can’t really hold the pipeline for 2 days for security reviews. What I’m going to be talking about is how to overcome the challenge of embedding security in the CI/CD pipeline and what the biggest problems and pitfalls of doing so are.

Who is this talk for?

David: This will be a talk that everybody will be able to understand. It will help companies who are already using Kubernetes to become safer companies, but I also want to open people’s minds to be more curious about security around DevOps.

What do you hope for people to bring back from your talk?

David: I’d like people to start worrying about security in DevOps! The first impression is that DevOps is secure because you’re in control of everything, but then once you see the potential of attack vectors… you won’t be able to sleep for a week!

You’ve been working with Kubernetes for a while now, how have you seen that space evolve over the last few years?

David: It has completely exploded, it’s amazing! We have gone from simple bare-metal Kubernetes to now talking about Istio and service meshes.

Today I’m looking a lot into Istio, because it’s focusing on security… and it blew my mind because it’s a whole new world on how to deploy applications on Kubernetes. I always joke that it’s a great time to be a DevOps Engineer because you don’t get bored… so many things to explore.

This is still a pretty young space, do you see this as a challenge?

David: The biggest challenge remains the people. Kubernetes is not a simple tool, so you can’t just put it in production and pretend to be successful. One of the things I like about consulting is that I have crashed into the same wall many times, and I have seen people crashing into the same wall many times… so now I can see things coming, and help companies prevent bad things from happening.

Anything you would like to say to people coming to RebelCon?

David: I’ve spoken at a lot of conferences and up to now, RebelCon was the most amazing one! The vibe at the conference was amazing - Cork is one of the most alive tech cities I’ve come across!

One cool thing is that the inspiration for my NodeJS microservices book was Sam Newman’s “Building microservices” book, and he’s going to be there this year, so I’m going to have to get my copy signed!
