Compare commits
2 Commits: 00d8ae29c4 ... 57d04670ec

Author | SHA1 | Date |
---|---|---|
Nicolai Ort | 57d04670ec | |
Nicolai Ort | 11a08345af | |
@ -1,8 +1,9 @@
FROM betterweb/hugo:latest as build
FROM registry.odit.services/hub/betterweb/hugo:latest as build
WORKDIR /app

COPY . /app/
RUN hugo

FROM registry.odit.services/library/nginx-brotli
FROM registry.odit.services/library/nginx-brotli:3.15
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY --from=build /app/public /usr/share/nginx/html
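Review bot: the build stage still pulls `registry.odit.services/hub/betterweb/hugo:latest` while the runtime stage got pinned to `nginx-brotli:3.15`; pin the builder to a version tag (or a digest) too, so the image build is reproducible and a changed upstream `latest` cannot silently alter the generated site. `COPY . /app/` also ships the whole build context into the builder, which is fine only if a `.dockerignore` keeps `.git` and local artifacts out of it.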
@ -0,0 +1,81 @@
---
title: Stop leaking Kubernetes service information via DNS
weight: 1
---

A talk by Google and Ivanti.

## Background

* RBAC is ther to limit information access and control
* RBAC can be used to avoid interfearance in shared envs
* DNS is not really applicable when it comes to RBAC

### DNS in Kubernetes

* DNS Info is always public -> No auth
* Services are exposed to all clients

## Isolation and Clusters

### Just don't share

* Specially for smaller, high growth companies with infinite VC money
* Just give everyone their own cluster -> Problem solved
* Smaller (<1000) typicly use many small clusters

### Shared Clusters

* Becomes imporetant when cost is a question and engineers don't have any platform knowledge
* A dedicated kube team can optimize both hardware and deliver updates fast -> Increased productivity by utilizing specialists
* Problem: Noisy neighbors by leaky DNS

## Leaks (demo)

### Base scenario

* Cluster with a bunch of deployments and services
* Creating a simple pod results in binding to default RBAC -> No access to anything
* Querying DNS info (aka services) still leaks everything (namespaces, services)

### Leak mechanics

* Leaks are based on the `<service>.<nemspace>.<svc>.cluster.local` pattern
* You can also just reverse looku the entire service CIDR
* SRV records get created for each service including the service ports

## Fix the leak

### CoreDNS Firewall Plugin

* External plugin provided by the coredns team
* Expression engine built-in with support for external policy engines

```mermaid
flowchart LR
req-->metadata
metadata-->firewall
firewall-->kube
kube-->|Adds namespace/clientnamespace metadata|firewall
firewall-->|send nxdomain|metadata
metadata-->res
```

### Demo

* Firwall rule that only allows queries from the same namespace, kube-system or default
* Every other cross-namespace request gets blocked
* Same SVC requests from before now return NXDOMAIN

### Why is this a plugin and not default?

* Requires `pods verified` mode -> Puts the watch on pods and only returns a query result if the pod actually exists
* Puts a watch on all pods -> higher API load and coredns mem usage
* Potential race conditions with initial lookups in larger clusters -> Alternative is to fail open (not really secure)

### Per tenant DNS

* Just run a cporedns instance for each tenant
* Use a mutating webhook to inject the right dns into each pod
* Pro: No more pods verified -> Aka no more constant watch
* Limitation: Platform services still need a central coredns
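Review bot: the name pattern under "Leak mechanics" should read `<service>.<namespace>.svc.cluster.local`; `svc` is a fixed label rather than a placeholder, and `nemspace` is a typo. The "Demo" section records the intended allow rule (same namespace, kube-system, default) but not the actual firewall expression that was put in the Corefile, so the demo cannot be reproduced from these notes; adding the snippet would fix that. Spelling to clean up: ther, interfearance, typicly, imporetant, looku, Firwall, cporedns.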
@ -0,0 +1,81 @@
---
title: "Product market misfit: Adventures in user empathy"
weight: 2
---

Mitch from aviatrix -a former software engineer who has now switched over to product managment.

## Opening Thesis

Opening with the Atari 2600 E.T. game as very bad fit sample.
Thesis: Missing user empathy

* A very hard game aimed at children without the will to trail and error
* Other aspect: Some of the devalopers were pulled together from throughout the company -> No passion needed

### Another sample

* Idea: SCADA system with sensors that can be moved and the current location get's tracked via iPad.
* Result: Nobody used the iPad app - only the desktop webapp
* Problem: Sensor get's moved, location not updated, the measurements for the wrong location get reported until update
* Source: Moving a sensor is a pretty involved process including high pressure aka no priority for iPad
* Empathy loss: Different working endvironments result in drastic work experience missmatch

## The source

* Idea: A software engineer writes software, that someone else has to use, not themselfes
* Problem: Distance between user and dev is high and their perspectives differ heavily

## User empathy

* The art of taking on the perspective of one's users/customers
* Without this your product will fail

## Stories from Istio

* Classic implementation: Sidecar Proxy
* Question: Can the same value be provided without a sidecar anywhers
* Answer: Ambient mode -> split into l4 (proxy per node) and l7 (no sharing)
* Problem: After alpha release ther was a lack of exitement and feedback
* Result: Twitter Space event for feedback

### Ideas and feedback

* Idea: Sidecar is somewhat magical
* Feedback: Sidecars are a pain, but after integrating istio can be automated -> a problem gets solved, that already had a solution
* Result: Highly overvalued the pain of sidecars
* Idea: Building istio into a platform sounds easy
* Feedback: The platform has to be changed for the new ambient mode -> High time investment while engineers are hard
* Result: The cost of platform changes was highly undervalued
* Idea: Sidecar compute sound expensive and networking itself pretty cheap
* Feedback: Many users have multi-region clusters -> Egress is whery expoenive
* Result: The relation between compute and egress cost was pretty much swapped

### What now?

* Ambient is the right solution for new users (fresh service mesehes)
* Existing users probaly won't upgrade
* Result: They will move forward with ambient mdoe

## So what did we lern

### Basic questions

* Who are my intended users?
* What exites/worries them?
* What do they find easy/hard?
* What is ther biggest expense and what is inexpensive?

### How to get better empathy

1. Shared perspective comes from proximity
1. Where they are
2. What they do -> Dogfood everything related to the platform (not just your own products)
2. Never stop listening
1. Even if you love your product
2. Especially if you love your product
3. Invite critical feedback

### Takeaways

* Don't ship a puzzlebox (landscape) but a picture (this integrates with this and that)
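Review bot: this file needs a spelling pass before it is published: managment, devalopers, endvironments, missmatch, themselfes, anywhers, ther, exitement, whery expoenive, mesehes, probaly, mdoe, lern, exites. The intro line also has a stray hyphen ("aviatrix -a former"), and "get's" in the SCADA bullets should be "gets".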
@ -0,0 +1,7 @@
---
archetype: chapter
title: Day 3
weight: 3
---

Spent most of the early day with headache.
20 hugo.yaml
@ -27,19 +27,9 @@ params:
menu:
shortcuts:
- identifier: ds
name: <i class='fa-fw fab fa-github'></i> GitHub repo
url: https://github.com/McShelby/hugo-theme-relearn
name: Imprint
url: https://nicolai-ort.com/imprint
weight: 10
- name: <i class='fa-fw fas fa-camera'></i> Showcases
url: showcase/
weight: 11
- identifier: hugodoc
name: <i class='fa-fw fas fa-bookmark'></i> Hugo Documentation
url: https://gohugo.io/
weight: 20
- name: <i class='fa-fw fas fa-bullhorn'></i> Credits
url: more/credits/
weight: 30
- name: <i class='fa-fw fas fa-tags'></i> Tags
url: tags/
weight: 40
- name: Privacy
url: https://nicolai-ort.com/privacy
weight: 11
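Review bot: the first shortcut keeps `identifier: ds` from the theme's sample "GitHub repo" entry while its `name` and `url` now point at the Imprint page; rename the identifier to something descriptive (or drop it, since the new Privacy entry carries none) so the two entries are consistent and the leftover sample id does not confuse later edits.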
@ -0,0 +1,49 @@
events {
}
http {
include mime.types;
sendfile on;
server {
error_page 404 /index.html;
root /usr/share/nginx/html;
location ~ /index\.html$ {
internal;
add_header Cache-Control 'no-store';
}
location ~* \.(png|jpg|jpeg|webp|gif|ico|woff|otf|ttf|eot|svg|txt|pdf|docx?|xlsx?)$ {
access_log off;
expires 1y;
}
location / {
try_files $uri $uri/ /index.html;
}
# --- GZIP
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types application/javascript
application/rss+xml
application/vnd.ms-fontobject
application/x-font
application/x-font-opentype
application/x-font-otf
application/x-font-truetype
application/x-font-ttf
application/x-javascript
application/xhtml+xml
application/xml
font/opentype
font/otf
font/ttf
image/svg+xml
image/x-icon
text/css
text/javascript
text/plain
text/xml;
}
}
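Review bot: the runtime image is `nginx-brotli`, but this config only turns on gzip; without `brotli on;` (and a `brotli_types` list mirroring `gzip_types`) the brotli module is compiled in but never used. Two smaller points: `try_files $uri $uri/ /index.html;` answers every unknown path with the home page and HTTP 200 rather than Hugo's generated `404.html`, so `error_page 404 /404.html;` together with `try_files $uri $uri/ =404;` would be the more accurate setup for a static site; and `server_tokens off;` in the `http` block keeps the nginx version string out of response headers and error pages.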