SlideShare ist ein Scribd-Unternehmen logo

The Messy Underlay Dilemma - automating PKI at Defragcon

rhirschfeld
rhirschfeld

Deep discussion of why IT infrastructure is hard to automate with very specific examples building and rotating an internal PKI infrastructure.

Internet
1 von 19
Downloaden Sie, um offline zu lesen
The Messy Underlay Dilemma Lessons Learned Securing K8s Rob Hirschfeld, @zehicle
Hang on tight! We’re going deep. To automated live encryption key rotation
Is Operating Kubernetes HARD? DF No. But underlay is hard. From http://www.slideshare.net/rhirschfeld/ Containers, Orchestration and Security, Oh My!
Underlay vs Overlay Platform Overlay Infrastructure Underlay Ready State 0 Ready Prerequisites 1 Prereq Cluster API & Control Services 2 Control Worker Nodes 3 Nodes Cluster Add-ons 4 Add-Ons User Applications 5 Apps Application Overlay Underlay = Crust Overlay = Filling App = Topping Underlay components are the operational integrations and prerequisites that go into building a system to before we can install a platform.
Why is Underlay Hard? It’s Sequential, Multi-node & Environment Specific Unlike development environments, production cannot overlook integration points HA/LB PKI DNS SDN IPAM BMC RAID BIOS Highly Available & Load Balanced Public Key Infrastructure Domain Name Servers Software Defined Networks IP Address Management Out of Band Management Drive Arrays Firmware Even in cloud only deployments, these critical components for production platforms and applications require a level of different systems thinking. Strong underlay builds an IT foundation.
Platform & Infrastructure Underlay Ready State 0 Ready Prerequisites 1 Prereq Cluster API & Control Services 2 Control Worker Nodes 3 Nodes Cluster Add-ons 4 Add-Ons User Applications 5 Apps Application Overlay DevOps Is Struggling Developers don’t want do this infrastructure specific stuff Companies are turning to containers and application platforms (like Kubernetes) to abstract the messy underlay. While platforms hide complexity from developers, the issues still need to be addressed by Ops.
What makes underlay hard? Let’s look at Internal PKI
Protection via Tunnel Level Security (TLS) This is pretty complex stuff…. At a very basic level: 1. Send public key to client 2. Client encrypts token with public key 3. Client returns encrypted package 4. Server decrypts token with private key 5. Server uses token to encrypt tunnel Server Private Key Client Public 1 2 Token 4 Token 3 5 T L S
Trusted 3rd Party Trust Anchor Trust Chain of Trust in Public Key Infrastructure (PKI) PKI is doing something amazing! It establishes asynchronous trust By relying on strong encryption And Trust Anchors. Server Private Key Cert Auth Client Public T L S Digital Signature Root
Half of all Internet Traffic is encrypted! HTTPS > 50% That’s great for public traffic where trust is anchored / embedded into clients What about the internal traffic? We want a “narrow trust domain” so there’s no embedded trust mechanism and we maintain full control. We also want to protect both sides. Public End Points East-West Traffic North-SouthTraffic Back End Services End User Clients
Server Client TrustTrust Shared Root in Public Key Infrastructure (PKI) Self-signing keys is not considered secure. Internal PKI uses a shared root strategy The private root of the CA must not be known to in the trust relationship. Members of the Trust Domain rely on the CA to verify membership and identity. External Trust Anchors are not desirable because we want an exclusive Trust Domain. Private Key Public T L S D. SigRoot Private Key D. Sig Public Root Site CA
Master Node 1 Worker Nodes Worker Nodes Master Node 2+ “Narrow” Trust Domain Limits Shared Roots etcd Kublet Proxy API Server Controller Controller etcd API Server Scheduler Scheduler User! Illustration from Slideshare Rob Hirschfeld
Master Node 1 Root Worker Nodes Worker Nodes Master Node 2+ RootRoot Root Shared Roots Create Trust Zones etcd Kublet Proxy API Server Controller Controller etcd API Server Scheduler Scheduler User!
Services Files 1 2 Config App How do we automate this? Mix of Service and Configuration 1. Run a Root CA Service 2. Create a unique Root 3. Generate Key Pair Certificate for Server 4. Generate Digital Signature with Public Key for Client(s) 5. Configure Server with Certificate 6. Configure Client with Signature Private Key Digital Sig Public Site CA Root Server Certificate Client Certificate 3 4 5 6 Public
Old Root New Root Root Rotation protects Trust Zone - Do it daily?! By design, root rotation breaks cluster communications! Like an in-place upgrade, rotation can break APIs. We need to change the keys without breaking communication between components. Previous Cluster Member Cluster Trust Zone Old New New New Old New
Step 1: Root Rotation without Downtime Relies on Client to using support multiple digital signatures for the server. Create a new root and propagate new certificates in the cluster. Update the client configurations to use either signature. Old Root New Root Previous Cluster Member Cluster Trust Zone Old Old New Old Old Old New New
Step 2: Root Rotation without Downtime Ensure all the desired clients have new signature. Replace the server private key with the new value. Old keys will no longer work. In a daily rotation, leave both old and new signatures in place. Old Root New Root Previous Cluster Member Cluster Trust Zone Old Old New Old Old New New New
Happily, this is a repeatable pattern for underlay automation.
Questions? Rob Hirschfeld @zehicle RackN.com Rebar.Digital Private Key Site CA Root Public

Empfohlen

Joint OpenStack Kubernetes Environment (OpenStack Summit)
Joint OpenStack Kubernetes Environment (OpenStack Summit)Joint OpenStack Kubernetes Environment (OpenStack Summit)
Joint OpenStack Kubernetes Environment (OpenStack Summit)rhirschfeld
 
Joint OpenStack Kubernetes Environment (March 17 update)
Joint OpenStack Kubernetes Environment (March 17 update)Joint OpenStack Kubernetes Environment (March 17 update)
Joint OpenStack Kubernetes Environment (March 17 update)rhirschfeld
 
Containers and Kubernetes
Containers and KubernetesContainers and Kubernetes
Containers and KubernetesAltoros
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesGabriel Carro
 
State of the Stack v4 - OpenStack in All It's Glory
State of the Stack v4 - OpenStack in All It's GloryState of the Stack v4 - OpenStack in All It's Glory
State of the Stack v4 - OpenStack in All It's GloryRandy Bias
 
Running and Managing Kubernetes on OpenStack
Running and Managing Kubernetes on OpenStackRunning and Managing Kubernetes on OpenStack
Running and Managing Kubernetes on OpenStackVictor Palma
 
Build Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersBuild Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersLinuxCon ContainerCon CloudOpen China
 
KURMA - A Containerized Container Platform - KubeCon 2016
KURMA - A Containerized Container Platform - KubeCon 2016KURMA - A Containerized Container Platform - KubeCon 2016
KURMA - A Containerized Container Platform - KubeCon 2016Apcera
 

Empfohlen

Joint OpenStack Kubernetes Environment (OpenStack Summit)
Joint OpenStack Kubernetes Environment (OpenStack Summit)Joint OpenStack Kubernetes Environment (OpenStack Summit)
Joint OpenStack Kubernetes Environment (OpenStack Summit)rhirschfeld
 
Joint OpenStack Kubernetes Environment (March 17 update)
Joint OpenStack Kubernetes Environment (March 17 update)Joint OpenStack Kubernetes Environment (March 17 update)
Joint OpenStack Kubernetes Environment (March 17 update)rhirschfeld
 
Containers and Kubernetes
Containers and KubernetesContainers and Kubernetes
Containers and KubernetesAltoros
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesGabriel Carro
 
State of the Stack v4 - OpenStack in All It's Glory
State of the Stack v4 - OpenStack in All It's GloryState of the Stack v4 - OpenStack in All It's Glory
State of the Stack v4 - OpenStack in All It's GloryRandy Bias
 
Running and Managing Kubernetes on OpenStack
Running and Managing Kubernetes on OpenStackRunning and Managing Kubernetes on OpenStack
Running and Managing Kubernetes on OpenStackVictor Palma
 
Build Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersBuild Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersLinuxCon ContainerCon CloudOpen China
 
KURMA - A Containerized Container Platform - KubeCon 2016
KURMA - A Containerized Container Platform - KubeCon 2016KURMA - A Containerized Container Platform - KubeCon 2016
KURMA - A Containerized Container Platform - KubeCon 2016Apcera
 
Clocker, Calico and Docker
Clocker, Calico and DockerClocker, Calico and Docker
Clocker, Calico and DockerAndrew Kennedy
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoSimple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoEmma Gordon
 
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ... The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...Josef Adersberger
 
berne.*tesday1
berne.*tesday1berne.*tesday1
berne.*tesday1Anne Starr
 
Architecting for Continuous Delivery
Architecting for Continuous DeliveryArchitecting for Continuous Delivery
Architecting for Continuous DeliveryMohammad Bilal Wahla
 
Driving Digital Transformation With Containers And Kubernetes Complete Deck
Driving Digital Transformation With Containers And Kubernetes Complete DeckDriving Digital Transformation With Containers And Kubernetes Complete Deck
Driving Digital Transformation With Containers And Kubernetes Complete DeckSlideTeam
 
introduction to micro services
introduction to micro servicesintroduction to micro services
introduction to micro servicesSpyros Lambrinidis
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseKeith Tobin
 
Using Clocker with Project Calico - Running Production Workloads in the Cloud
Using Clocker with Project Calico - Running Production Workloads in the CloudUsing Clocker with Project Calico - Running Production Workloads in the Cloud
Using Clocker with Project Calico - Running Production Workloads in the CloudAndrew Kennedy
 
Why kubernetes matters
Why kubernetes mattersWhy kubernetes matters
Why kubernetes mattersPlatform9
 
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad AfanahOn-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad AfanahDocker, Inc.
 
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoTZephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoTLinuxCon ContainerCon CloudOpen China
 
Data protection in a kubernetes-native world
Data protection in a kubernetes-native worldData protection in a kubernetes-native world
Data protection in a kubernetes-native worldLibbySchulze
 
SpringBoot and Spring Cloud Service for MSA
SpringBoot and Spring Cloud Service for MSASpringBoot and Spring Cloud Service for MSA
SpringBoot and Spring Cloud Service for MSAOracle Korea
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformPacket
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101Kublr
 
NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013aspyker
 
PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads Carlos Andrés García
 
nete.*@kursday2
nete.*@kursday2nete.*@kursday2
nete.*@kursday2Anne Starr
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Docker, Inc.
 
Kubernetes community demo march 16 2017
Kubernetes community demo march 16 2017Kubernetes community demo march 16 2017
Kubernetes community demo march 16 2017rhirschfeld
 
Functional Ops - the cake is a lie
Functional Ops - the cake is a lieFunctional Ops - the cake is a lie
Functional Ops - the cake is a lierhirschfeld
 

Weitere ähnliche Inhalte

Was ist angesagt?

Clocker, Calico and Docker
Clocker, Calico and DockerClocker, Calico and Docker
Clocker, Calico and DockerAndrew Kennedy
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoSimple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoEmma Gordon
 
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ... The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...Josef Adersberger
 
berne.*tesday1
berne.*tesday1berne.*tesday1
berne.*tesday1Anne Starr
 
Architecting for Continuous Delivery
Architecting for Continuous DeliveryArchitecting for Continuous Delivery
Architecting for Continuous DeliveryMohammad Bilal Wahla
 
Driving Digital Transformation With Containers And Kubernetes Complete Deck
Driving Digital Transformation With Containers And Kubernetes Complete DeckDriving Digital Transformation With Containers And Kubernetes Complete Deck
Driving Digital Transformation With Containers And Kubernetes Complete DeckSlideTeam
 
introduction to micro services
introduction to micro servicesintroduction to micro services
introduction to micro servicesSpyros Lambrinidis
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseKeith Tobin
 
Using Clocker with Project Calico - Running Production Workloads in the Cloud
Using Clocker with Project Calico - Running Production Workloads in the CloudUsing Clocker with Project Calico - Running Production Workloads in the Cloud
Using Clocker with Project Calico - Running Production Workloads in the CloudAndrew Kennedy
 
Why kubernetes matters
Why kubernetes mattersWhy kubernetes matters
Why kubernetes mattersPlatform9
 
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad AfanahOn-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad AfanahDocker, Inc.
 
Data protection in a kubernetes-native world
Data protection in a kubernetes-native worldData protection in a kubernetes-native world
Data protection in a kubernetes-native worldLibbySchulze
 
SpringBoot and Spring Cloud Service for MSA
SpringBoot and Spring Cloud Service for MSASpringBoot and Spring Cloud Service for MSA
SpringBoot and Spring Cloud Service for MSAOracle Korea
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformPacket
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101Kublr
 
NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013aspyker
 
PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads Carlos Andrés García
 
nete.*@kursday2
nete.*@kursday2nete.*@kursday2
nete.*@kursday2Anne Starr
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Docker, Inc.
 

Was ist angesagt? (20)

Clocker, Calico and Docker
Clocker, Calico and DockerClocker, Calico and Docker
Clocker, Calico and Docker
 
Simple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project CalicoSimple, Scalable and Secure Networking for Data Centers with Project Calico
Simple, Scalable and Secure Networking for Data Centers with Project Calico
 
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ... The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
 
berne.*tesday1
berne.*tesday1berne.*tesday1
berne.*tesday1
 
Architecting for Continuous Delivery
Architecting for Continuous DeliveryArchitecting for Continuous Delivery
Architecting for Continuous Delivery
 
Driving Digital Transformation With Containers And Kubernetes Complete Deck
Driving Digital Transformation With Containers And Kubernetes Complete DeckDriving Digital Transformation With Containers And Kubernetes Complete Deck
Driving Digital Transformation With Containers And Kubernetes Complete Deck
 
introduction to micro services
introduction to micro servicesintroduction to micro services
introduction to micro services
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
 
Using Clocker with Project Calico - Running Production Workloads in the Cloud
Using Clocker with Project Calico - Running Production Workloads in the CloudUsing Clocker with Project Calico - Running Production Workloads in the Cloud
Using Clocker with Project Calico - Running Production Workloads in the Cloud
 
Why kubernetes matters
Why kubernetes mattersWhy kubernetes matters
Why kubernetes matters
 
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad AfanahOn-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
 
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoTZephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
 
Data protection in a kubernetes-native world
Data protection in a kubernetes-native worldData protection in a kubernetes-native world
Data protection in a kubernetes-native world
 
SpringBoot and Spring Cloud Service for MSA
SpringBoot and Spring Cloud Service for MSASpringBoot and Spring Cloud Service for MSA
SpringBoot and Spring Cloud Service for MSA
 
How we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platformHow we built Packet's bare metal cloud platform
How we built Packet's bare metal cloud platform
 
Kubernetes Networking 101
Kubernetes Networking 101Kubernetes Networking 101
Kubernetes Networking 101
 
NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013
 
PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads
 
nete.*@kursday2
nete.*@kursday2nete.*@kursday2
nete.*@kursday2
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
 

Andere mochten auch

Kubernetes community demo march 16 2017
Kubernetes community demo march 16 2017Kubernetes community demo march 16 2017
Kubernetes community demo march 16 2017rhirschfeld
 
Functional Ops - the cake is a lie
Functional Ops - the cake is a lieFunctional Ops - the cake is a lie
Functional Ops - the cake is a lierhirschfeld
 
Containers, orchestration and security, oh my!
Containers, orchestration and security, oh my!Containers, orchestration and security, oh my!
Containers, orchestration and security, oh my!rhirschfeld
 
Programming the world with Docker
Programming the world with DockerProgramming the world with Docker
Programming the world with DockerPatrick Chanezon
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesMichael Klishin
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
What Makes Great Infographics
What Makes Great InfographicsWhat Makes Great Infographics
What Makes Great InfographicsSlideShare
 
Masters of SlideShare
Masters of SlideShareMasters of SlideShare
Masters of SlideShareKapost
 
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareSTOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareEmpowered Presentations
 
10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation OptimizationOneupweb
 
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingHow To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingContent Marketing Institute
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksSlideShare
 

Andere mochten auch (14)

Kubernetes community demo march 16 2017
Kubernetes community demo march 16 2017Kubernetes community demo march 16 2017
Kubernetes community demo march 16 2017
 
Functional Ops - the cake is a lie
Functional Ops - the cake is a lieFunctional Ops - the cake is a lie
Functional Ops - the cake is a lie
 
Containers, orchestration and security, oh my!
Containers, orchestration and security, oh my!Containers, orchestration and security, oh my!
Containers, orchestration and security, oh my!
 
Programming the world with Docker
Programming the world with DockerProgramming the world with Docker
Programming the world with Docker
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issues
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
What Makes Great Infographics
What Makes Great InfographicsWhat Makes Great Infographics
What Makes Great Infographics
 
Masters of SlideShare
Masters of SlideShareMasters of SlideShare
Masters of SlideShare
 
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareSTOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
 
You Suck At PowerPoint!
You Suck At PowerPoint!You Suck At PowerPoint!
You Suck At PowerPoint!
 
10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization
 
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingHow To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & Tricks
 

Ähnlich wie The Messy Underlay Dilemma - automating PKI at Defragcon

CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformAshnikbiz
 
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29MysoreMuleSoftMeetup
 
A Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsA Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsAngelo Agatino Nicolosi
 
Building Cloud Native Applications with Oracle Autonomous Database.
Building Cloud Native Applications with Oracle Autonomous Database.Building Cloud Native Applications with Oracle Autonomous Database.
Building Cloud Native Applications with Oracle Autonomous Database.Oracle Developers
 
Puppet devops wdec
Puppet devops wdecPuppet devops wdec
Puppet devops wdecWojciech Dec
 
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...FIWARE
 
Running Enterprise Workloads in the Cloud
Running Enterprise Workloads in the CloudRunning Enterprise Workloads in the Cloud
Running Enterprise Workloads in the CloudDataWorks Summit
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjurconjur_inc
 
Explore Advanced CA Release Automation Configuration Topics
Explore Advanced CA Release Automation Configuration TopicsExplore Advanced CA Release Automation Configuration Topics
Explore Advanced CA Release Automation Configuration TopicsCA Technologies
 
Best Practices for the Most Impactful Oracle Database 18c and 19c Features
Best Practices for the Most Impactful Oracle Database 18c and 19c FeaturesBest Practices for the Most Impactful Oracle Database 18c and 19c Features
Best Practices for the Most Impactful Oracle Database 18c and 19c FeaturesMarkus Michalewicz
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
PLNOG 6: Piotr Szołkowski - Identity Management
PLNOG 6: Piotr Szołkowski - Identity Management PLNOG 6: Piotr Szołkowski - Identity Management
PLNOG 6: Piotr Szołkowski - Identity Management PROIDEA
 
CIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCloudIDSummit
 
Preparing for Neo - Singapore OutSystems User Group October 2022 Meetup
Preparing for Neo - Singapore OutSystems User Group October 2022 MeetupPreparing for Neo - Singapore OutSystems User Group October 2022 Meetup
Preparing for Neo - Singapore OutSystems User Group October 2022 MeetupYashrajNayak4
 

Ähnlich wie The Messy Underlay Dilemma - automating PKI at Defragcon (20)

CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at Scale
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
 
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29
Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29
 
A Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsA Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial Institutions
 
Building Cloud Native Applications with Oracle Autonomous Database.
Building Cloud Native Applications with Oracle Autonomous Database.Building Cloud Native Applications with Oracle Autonomous Database.
Building Cloud Native Applications with Oracle Autonomous Database.
 
Puppet devops wdec
Puppet devops wdecPuppet devops wdec
Puppet devops wdec
 
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
 
Running Enterprise Workloads in the Cloud
Running Enterprise Workloads in the CloudRunning Enterprise Workloads in the Cloud
Running Enterprise Workloads in the Cloud
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
 
Explore Advanced CA Release Automation Configuration Topics
Explore Advanced CA Release Automation Configuration TopicsExplore Advanced CA Release Automation Configuration Topics
Explore Advanced CA Release Automation Configuration Topics
 
Best Practices for the Most Impactful Oracle Database 18c and 19c Features
Best Practices for the Most Impactful Oracle Database 18c and 19c FeaturesBest Practices for the Most Impactful Oracle Database 18c and 19c Features
Best Practices for the Most Impactful Oracle Database 18c and 19c Features
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Dmz aa aioug
Dmz aa aiougDmz aa aioug
Dmz aa aioug
 
Dmz aa aioug
Dmz aa aiougDmz aa aioug
Dmz aa aioug
 
Architecting Multi-Org Solutions
Architecting Multi-Org SolutionsArchitecting Multi-Org Solutions
Architecting Multi-Org Solutions
 
PLNOG 6: Piotr Szołkowski - Identity Management
PLNOG 6: Piotr Szołkowski - Identity Management PLNOG 6: Piotr Szołkowski - Identity Management
PLNOG 6: Piotr Szołkowski - Identity Management
 
CIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans Zandbelt
 
Preparing for Neo - Singapore OutSystems User Group October 2022 Meetup
Preparing for Neo - Singapore OutSystems User Group October 2022 MeetupPreparing for Neo - Singapore OutSystems User Group October 2022 Meetup
Preparing for Neo - Singapore OutSystems User Group October 2022 Meetup
 

Mehr von rhirschfeld

What is Digital Rebar Provision (and how RackN extends)?
What is Digital Rebar Provision (and how RackN extends)?What is Digital Rebar Provision (and how RackN extends)?
What is Digital Rebar Provision (and how RackN extends)?rhirschfeld
 
RackN Physical Layer Automation Innovation
RackN Physical Layer Automation InnovationRackN Physical Layer Automation Innovation
RackN Physical Layer Automation Innovationrhirschfeld
 
Kubecon 2017 Zero Touch Kubernetes
Kubecon 2017 Zero Touch KubernetesKubecon 2017 Zero Touch Kubernetes
Kubecon 2017 Zero Touch Kubernetesrhirschfeld
 
#SREcon Immutable Infrastructure: rethinking configuration mgmt
#SREcon Immutable Infrastructure: rethinking configuration mgmt#SREcon Immutable Infrastructure: rethinking configuration mgmt
#SREcon Immutable Infrastructure: rethinking configuration mgmtrhirschfeld
 
Immutable infrastructure & Rethinking Configuration PREVIEW
Immutable infrastructure & Rethinking Configuration PREVIEWImmutable infrastructure & Rethinking Configuration PREVIEW
Immutable infrastructure & Rethinking Configuration PREVIEWrhirschfeld
 
Open Patterns for Day 2 Ops [Gluecon 2017]
Open Patterns for Day 2 Ops [Gluecon 2017]Open Patterns for Day 2 Ops [Gluecon 2017]
Open Patterns for Day 2 Ops [Gluecon 2017]rhirschfeld
 
Interop ITX Kubernetes Presentation
Interop ITX Kubernetes PresentationInterop ITX Kubernetes Presentation
Interop ITX Kubernetes Presentationrhirschfeld
 
OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)rhirschfeld
 
SRE vs DevOps vs Cloud Native Preso
SRE vs DevOps vs Cloud Native PresoSRE vs DevOps vs Cloud Native Preso
SRE vs DevOps vs Cloud Native Presorhirschfeld
 
The developer rebellion against infrastructure
The developer rebellion against infrastructureThe developer rebellion against infrastructure
The developer rebellion against infrastructurerhirschfeld
 
IBM Interconnect: Think you can Out Innovate Open Source
IBM Interconnect: Think you can Out Innovate Open SourceIBM Interconnect: Think you can Out Innovate Open Source
IBM Interconnect: Think you can Out Innovate Open Sourcerhirschfeld
 
Gluecon Preso: Hybrid Container Infrastructure
Gluecon Preso: Hybrid Container InfrastructureGluecon Preso: Hybrid Container Infrastructure
Gluecon Preso: Hybrid Container Infrastructurerhirschfeld
 
OpenStack Preso: DevOps on Hybrid Infrastructure
OpenStack Preso: DevOps on Hybrid InfrastructureOpenStack Preso: DevOps on Hybrid Infrastructure
OpenStack Preso: DevOps on Hybrid Infrastructurerhirschfeld
 
OpenServerSummit: Operating Hybrid Infrastructure
OpenServerSummit: Operating Hybrid InfrastructureOpenServerSummit: Operating Hybrid Infrastructure
OpenServerSummit: Operating Hybrid Infrastructurerhirschfeld
 
Git & dev ops come together, right now!
Git & dev ops come together, right now!Git & dev ops come together, right now!
Git & dev ops come together, right now!rhirschfeld
 
Apply, rinse and repeat: avoid the fidelity gap
Apply, rinse and repeat: avoid the fidelity gapApply, rinse and repeat: avoid the fidelity gap
Apply, rinse and repeat: avoid the fidelity gaprhirschfeld
 
Tokyo DefCore Presentation
Tokyo DefCore PresentationTokyo DefCore Presentation
Tokyo DefCore Presentationrhirschfeld
 
Containers all the way down
Containers all the way downContainers all the way down
Containers all the way downrhirschfeld
 
Kubernetes in 15 minutes
Kubernetes in 15 minutesKubernetes in 15 minutes
Kubernetes in 15 minutesrhirschfeld
 
Community DefCore Presentation
Community DefCore PresentationCommunity DefCore Presentation
Community DefCore Presentationrhirschfeld
 

Mehr von rhirschfeld (20)

What is Digital Rebar Provision (and how RackN extends)?
What is Digital Rebar Provision (and how RackN extends)?What is Digital Rebar Provision (and how RackN extends)?
What is Digital Rebar Provision (and how RackN extends)?
 
RackN Physical Layer Automation Innovation
RackN Physical Layer Automation InnovationRackN Physical Layer Automation Innovation
RackN Physical Layer Automation Innovation
 
Kubecon 2017 Zero Touch Kubernetes
Kubecon 2017 Zero Touch KubernetesKubecon 2017 Zero Touch Kubernetes
Kubecon 2017 Zero Touch Kubernetes
 
#SREcon Immutable Infrastructure: rethinking configuration mgmt
#SREcon Immutable Infrastructure: rethinking configuration mgmt#SREcon Immutable Infrastructure: rethinking configuration mgmt
#SREcon Immutable Infrastructure: rethinking configuration mgmt
 
Immutable infrastructure & Rethinking Configuration PREVIEW
Immutable infrastructure & Rethinking Configuration PREVIEWImmutable infrastructure & Rethinking Configuration PREVIEW
Immutable infrastructure & Rethinking Configuration PREVIEW
 
Open Patterns for Day 2 Ops [Gluecon 2017]
Open Patterns for Day 2 Ops [Gluecon 2017]Open Patterns for Day 2 Ops [Gluecon 2017]
Open Patterns for Day 2 Ops [Gluecon 2017]
 
Interop ITX Kubernetes Presentation
Interop ITX Kubernetes PresentationInterop ITX Kubernetes Presentation
Interop ITX Kubernetes Presentation
 
OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)
 
SRE vs DevOps vs Cloud Native Preso
SRE vs DevOps vs Cloud Native PresoSRE vs DevOps vs Cloud Native Preso
SRE vs DevOps vs Cloud Native Preso
 
The developer rebellion against infrastructure
The developer rebellion against infrastructureThe developer rebellion against infrastructure
The developer rebellion against infrastructure
 
IBM Interconnect: Think you can Out Innovate Open Source
IBM Interconnect: Think you can Out Innovate Open SourceIBM Interconnect: Think you can Out Innovate Open Source
IBM Interconnect: Think you can Out Innovate Open Source
 
Gluecon Preso: Hybrid Container Infrastructure
Gluecon Preso: Hybrid Container InfrastructureGluecon Preso: Hybrid Container Infrastructure
Gluecon Preso: Hybrid Container Infrastructure
 
OpenStack Preso: DevOps on Hybrid Infrastructure
OpenStack Preso: DevOps on Hybrid InfrastructureOpenStack Preso: DevOps on Hybrid Infrastructure
OpenStack Preso: DevOps on Hybrid Infrastructure
 
OpenServerSummit: Operating Hybrid Infrastructure
OpenServerSummit: Operating Hybrid InfrastructureOpenServerSummit: Operating Hybrid Infrastructure
OpenServerSummit: Operating Hybrid Infrastructure
 
Git & dev ops come together, right now!
Git & dev ops come together, right now!Git & dev ops come together, right now!
Git & dev ops come together, right now!
 
Apply, rinse and repeat: avoid the fidelity gap
Apply, rinse and repeat: avoid the fidelity gapApply, rinse and repeat: avoid the fidelity gap
Apply, rinse and repeat: avoid the fidelity gap
 
Tokyo DefCore Presentation
Tokyo DefCore PresentationTokyo DefCore Presentation
Tokyo DefCore Presentation
 
Containers all the way down
Containers all the way downContainers all the way down
Containers all the way down
 
Kubernetes in 15 minutes
Kubernetes in 15 minutesKubernetes in 15 minutes
Kubernetes in 15 minutes
 
Community DefCore Presentation
Community DefCore PresentationCommunity DefCore Presentation
Community DefCore Presentation
 

Kürzlich hochgeladen

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 

Kürzlich hochgeladen (17)

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 

The Messy Underlay Dilemma - automating PKI at Defragcon

  • 1. The Messy Underlay Dilemma Lessons Learned Securing K8s Rob Hirschfeld, @zehicle
  • 2. Hang on tight! We’re going deep. To automated live encryption key rotation
  • 3. Is Operating Kubernetes HARD? DF No. But underlay is hard. From http://www.slideshare.net/rhirschfeld/ Containers, Orchestration and Security, Oh My!
  • 4. Underlay vs Overlay Platform Overlay Infrastructure Underlay Ready State 0 Ready Prerequisites 1 Prereq Cluster API & Control Services 2 Control Worker Nodes 3 Nodes Cluster Add-ons 4 Add-Ons User Applications 5 Apps Application Overlay Underlay = Crust Overlay = Filling App = Topping Underlay components are the operational integrations and prerequisites that go into building a system to before we can install a platform.
  • 5. Why is Underlay Hard? It’s Sequential, Multi-node & Environment Specific Unlike development environments, production cannot overlook integration points HA/LB PKI DNS SDN IPAM BMC RAID BIOS Highly Available & Load Balanced Public Key Infrastructure Domain Name Servers Software Defined Networks IP Address Management Out of Band Management Drive Arrays Firmware Even in cloud only deployments, these critical components for production platforms and applications require a level of different systems thinking. Strong underlay builds an IT foundation.
  • 6. Platform & Infrastructure Underlay Ready State 0 Ready Prerequisites 1 Prereq Cluster API & Control Services 2 Control Worker Nodes 3 Nodes Cluster Add-ons 4 Add-Ons User Applications 5 Apps Application Overlay DevOps Is Struggling Developers don’t want do this infrastructure specific stuff Companies are turning to containers and application platforms (like Kubernetes) to abstract the messy underlay. While platforms hide complexity from developers, the issues still need to be addressed by Ops.
  • 7. What makes underlay hard? Let’s look at Internal PKI
  • 8. Protection via Tunnel Level Security (TLS) This is pretty complex stuff…. At a very basic level: 1. Send public key to client 2. Client encrypts token with public key 3. Client returns encrypted package 4. Server decrypts token with private key 5. Server uses token to encrypt tunnel Server Private Key Client Public 1 2 Token 4 Token 3 5 T L S
  • 9. Trusted 3rd Party Trust Anchor Trust Chain of Trust in Public Key Infrastructure (PKI) PKI is doing something amazing! It establishes asynchronous trust By relying on strong encryption And Trust Anchors. Server Private Key Cert Auth Client Public T L S Digital Signature Root
  • 10. Half of all Internet Traffic is encrypted! HTTPS > 50% That’s great for public traffic where trust is anchored / embedded into clients What about the internal traffic? We want a “narrow trust domain” so there’s no embedded trust mechanism and we maintain full control. We also want to protect both sides. Public End Points East-West Traffic North-SouthTraffic Back End Services End User Clients
  • 11. Server Client TrustTrust Shared Root in Public Key Infrastructure (PKI) Self-signing keys is not considered secure. Internal PKI uses a shared root strategy The private root of the CA must not be known to in the trust relationship. Members of the Trust Domain rely on the CA to verify membership and identity. External Trust Anchors are not desirable because we want an exclusive Trust Domain. Private Key Public T L S D. SigRoot Private Key D. Sig Public Root Site CA
  • 12. Master Node 1 Worker Nodes Worker Nodes Master Node 2+ “Narrow” Trust Domain Limits Shared Roots etcd Kublet Proxy API Server Controller Controller etcd API Server Scheduler Scheduler User! Illustration from Slideshare Rob Hirschfeld
  • 13. Master Node 1 Root Worker Nodes Worker Nodes Master Node 2+ RootRoot Root Shared Roots Create Trust Zones etcd Kublet Proxy API Server Controller Controller etcd API Server Scheduler Scheduler User!
  • 14. Services Files 1 2 Config App How do we automate this? Mix of Service and Configuration 1. Run a Root CA Service 2. Create a unique Root 3. Generate Key Pair Certificate for Server 4. Generate Digital Signature with Public Key for Client(s) 5. Configure Server with Certificate 6. Configure Client with Signature Private Key Digital Sig Public Site CA Root Server Certificate Client Certificate 3 4 5 6 Public
  • 15. Old Root New Root Root Rotation protects Trust Zone - Do it daily?! By design, root rotation breaks cluster communications! Like an in-place upgrade, rotation can break APIs. We need to change the keys without breaking communication between components. Previous Cluster Member Cluster Trust Zone Old New New New Old New
  • 16. Step 1: Root Rotation without Downtime Relies on Client to using support multiple digital signatures for the server. Create a new root and propagate new certificates in the cluster. Update the client configurations to use either signature. Old Root New Root Previous Cluster Member Cluster Trust Zone Old Old New Old Old Old New New
  • 17. Step 2: Root Rotation without Downtime Ensure all the desired clients have new signature. Replace the server private key with the new value. Old keys will no longer work. In a daily rotation, leave both old and new signatures in place. Old Root New Root Previous Cluster Member Cluster Trust Zone Old Old New Old Old New New New
  • 18. Happily, this is a repeatable pattern for underlay automation.