Operations | Monitoring | ITSM | DevOps | Cloud

January 2019

Leveraging Service Accounts for Label-based Security

One of the key Kubernetes security concepts is that workload identity is tied back to information that the orchestrator has. The orchestrator is actually the authoritative entity for what the actual workloads are in the platform. Kubernetes uses labels to select objects and to identify collections of objects that satisfy certain conditions. We, and others in the Kubernetes networking space, often talk about using Kubernetes ‘labels’ as identity bearers.

Image Management & Mutability in Docker and Kubernetes

Kubernetes is a fantastic tool for building large containerised software systems in a manner that is both resilient and scalable. But the architecture and design of Kubernetes has evolved over time, and there are some areas that could do with tweaking or rethinking. This post digs into some issues related to how image tags are handled in Kubernetes and how they are treated differently in plain Docker.

Zero Trust Security: Supporting a CARTA approach with Network Security

Learn how to support, what Gartner has termed, a continuous adaptive risk and trust assessment (CARTA) when building a CaaS platform using Kubernetes. Network security enables microsegmentation and is a core component of a zero trust security model. It allows you to protect your workloads against threats without relying on assumptions about the network, infrastructure, and workloads.

Why I Changed My Mind and Embraced Managed Kubernetes Services

I am embracing managed Kubernetes services and here’s my journey. While I attended KubeCon 2018 ready to soak up all I could about Kubernetes and the cloud-native ecosystem, I sought to learn as much as I could to aid me in running my clusters day to day. More importantly, though, I experienced a fundamental shift in what I see as the future of Kubernetes, and what getting started in Kubernetes looks like for companies today.

Kubernetes Networking with Calico

In this post, I’m going to cover some of the fundamentals of how Calico works. I really don’t like the idea that with these Kubernetes deployments, you simply grab a yaml file and deploy it, sometimes with little to no explanation of what’s actually happening. Hopefully, this post will servce to better understand what’s going on.

Adding CVE scanning to a CI/CD pipeline

A Docker image contains an application and all its dependencies. As it also contains the numerous binaries and libraries of an OS, it’s important to make sure no vulnerabilities exist in its root filesystem, or at least no critical or major ones. Scanning an image within a CI/CD pipeline can ensure this additional level of security.

Why I love containerd...and Docker!

I talk a lot about containerd. I write blog posts about it, speak at conferences about it, give introductory presentations internally at IBM about it and tweet (maybe too much) about it. Due to my role at IBM, I’ve helped IBM’s public cloud Kubernetes service, IKS, start a migration to use containerd as the CRI runtime in recent releases and similarly helped IBM Cloud Private (our on-premises cloud offering) offer containerd as a tech preview in the past two releases.