Today was a very special day. Why? Because it was the first day that Proteon’s Container Engine went outside! And the first day of KubeCon + Cloud Native Con was where this all happened. For most of the Proteon team, it was the first time at KubeCon, and what a surprise we were in for 🙂 With over 4,000 attendees, 323 speakers, and 177 in-depth sessions it’s the biggest container event we’ve ever seen. And the best part is, we are all here to learn, share and discover new things about Kubernetes. Walking around and talking to like-minded people made us feel more than welcome in the Kubernetes community.

But walking around and talking to people isn’t the only thing we’ve done all day. Our developers, Freark and Alwyn, visited the talks from Lukas Puehringer and Wendy Dembowski, Dave Cheney, Ed King and Julz Friedman, and more. I got a sneak peek into marketing for Open Source projects, where it’s all about building and supporting the community. I also got a crash course in the history of containers and why we stand here today.

Kim McMahon showed me how you can reach the Open Source community through social media. Quite useful, since I’m the marketer of Proteon. From writing blogs to using SlideShare, many things can be used to connect with the community. Twitter seems to be the most valuable tool at the moment. The trick, though, is to tweet consistently and to know who you’re writing to. It’s also important to tweet personally, since the Open Source community consists of contributors rather than companies. But I guess you’re not here to read about marketing tips and tricks, so I will quickly go to the next talk I visited.

Sarah Christoff took me on a journey through the history of containers. From the beginning of VMs to container orchestration nowadays, the whole timeline passed by. It was great to have the birth of containers explained in a nutshell, especially with the bits of humor that Sarah added to it. When you’re new to the world of containers and Kubernetes, the recording is a must-watch to get up to date in 30 minutes-ish :-).

Alwyn also visited Sarah’s presentation. In his notes, he describes a short history of how container functionality came to be: starting with OpenVZ in 2005, through cgroups and LXC, and eventually Docker.


With Docker, the solid groundwork had been laid when they introduced a reusable library called libcontainer in 2014. After that, alternatives to the Docker engine came into existence, such as rkt (or rocket) by CoreOS, Kata from OpenStack, an engine using GPUs for computing by Nvidia, and, very recently, crun by Red Hat.

All of these have different focuses, intended audiences and supported stacks. Some come with out-of-the-box support for Kubernetes; for others this is still work in progress.

For example, Docker has very wide adoption and is fairly stable; Kata is aimed at security by combining true virtualization with containerization; crun is aimed at being very performant.

The second presentation Alwyn attended was from Adrian Mouat of Container Solutions. Or in short: KWTFISGOIYC, or Know What Is Going On In Your Cluster.

The talk mostly covered issues with images, how you can pay attention to them, and how you can even prevent them.

On the status of a container:

  • How do you know where it came from?
  • Is it up to date?
  • Is it really what you think it is?

On keeping images up to date: the default pull policy in Kubernetes, for example, is IfNotPresent, meaning an image is only pulled if it isn’t already present on the node.

In Docker Swarm, images get pulled by a specific digest.

Taking these two infrastructure packages as examples, in Docker Swarm, tags are mutable, but in Kubernetes they are immutable. Either side has strengths and weaknesses.

There seems to be a debate between having reproducible images and having up to date containers.

Two things could be implemented to help ensure that the images you use and build are the ones you want: signing images (with Notary, for example) and scanning images during the build process.
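The three questions above and the pull-policy point become concrete as a check over a Pod spec. This is an added example in Python, not code from the post or from Adrian Mouat’s talk; the Pod spec in it is constructed, and the default pull policies it applies when imagePullPolicy is omitted follow the Kubernetes documentation (Always for “:latest” or no tag, IfNotPresent otherwise, including digest references).

```python
# Added example: flag image references in a Pod spec that cannot answer
# "where did it come from / is it really what I think it is". Not from the post.

def parse_image(ref):
    """Split an image reference into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # A ':' marks a tag only when it follows the last '/'; otherwise it is a
    # registry port, as in registry.local:5000/app.
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def effective_pull_policy(ref, declared=None):
    """Policy Kubernetes applies: the declared one, or its documented default."""
    if declared:
        return declared
    _, tag, digest = parse_image(ref)
    if digest is None and tag in (None, "latest"):
        return "Always"
    return "IfNotPresent"


def check_container(container):
    """Return (severity, message) findings for one container entry."""
    name, tag, digest = parse_image(container["image"])
    policy = effective_pull_policy(container["image"], container.get("imagePullPolicy"))
    findings = []
    if digest:
        return findings  # content-addressed: what runs is exactly what was built
    if tag in (None, "latest"):
        findings.append(("high", f"{name}: floating tag, not reproducible"))
    else:
        findings.append(("medium", f"{name}:{tag}: tag is mutable, pin a @sha256 digest"))
    if policy == "IfNotPresent":
        findings.append(("medium", f"{name}: {policy} keeps a cached copy even if the tag is re-pushed"))
    return findings


def check_pod(pod):
    """Map each container name in a Pod spec to its findings."""
    return {c["name"]: check_container(c) for c in pod["spec"]["containers"]}


# Constructed Pod spec for the example (not a real deployment).
POD = {"spec": {"containers": [
    {"name": "pinned", "image": "registry.local:5000/app@sha256:" + "0" * 64},
    {"name": "floating", "image": "nginx:latest"},
    {"name": "tagged", "image": "nginx:1.25", "imagePullPolicy": "IfNotPresent"},
]}}

if __name__ == "__main__":
    for cname, items in check_pod(POD).items():
        print(cname, items or "ok")
```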


Freark’s recap of day 1

The talk Completely securing the software supply chain using Grafeas + in-toto by Lukas Puehringer and Wendy Dembowski explained that with in-toto you can declaratively define the security and release tasks of your software to guarantee that no irregularities have happened in these processes. In-toto is starting to work with multiple Linux distributions to secure their build processes and package management. Grafeas can be used to collect metadata about these types of events, give broader insight, and attest to certain compliance conditions your organization needs.
In a presentation about Heptio’s Contour, @davecheney gives a little under-the-hood view of the architectural decisions made in their software, which handles ingress networking using Envoy. He also explains a bit about Heptio’s development process and gives some general tips on software development for systems interacting with Kubernetes.
The route to the rootless container by Ed King and Julz Friedman starts off by giving an overview of the various system primitives Docker uses to ensure security between containers and the host operating system. For managing things like cgroups, setting capabilities, mounting layered filesystems, etc., the container daemons use a privileged (root) user. One by one, Ed and Julz illustrate how, with some tricks and hacks, many of these functions can be used in a non-privileged manner. In the future these methods could be used as an additional layer in a defense-in-depth security approach.