Kubernetes & State of the Secure Software Supply Chain — DevOps DC Feb 2022 Recap
Thank you to our speakers, organizers, and attendees for a fantastic first set of talks for 2022!
In case you missed it — the full recording is available on DevOps DC YouTube.
The History of Kubernetes
— Steven Black (Github, Linkedin) Talk Description: Kubernetes is so hot right now, but where did this project come from? Learn how this critical piece of cloud-native infrastructure with an ancient Greek namesake has cultivated an open-source ecosystem unlike any other.
My key takeaways from the talk:
- Kubernetes is Greek for Helmsman or pilot
- Past logos for different versions of Kubernetes have included Left Shark, Capybaras, and Laser Cats
- The next release of Kubernetes will include moving away from Dockershim
I would also like to promote Steven’s suggested logo of a giant inflatable SpongeBob releasing hot air balloons.
Our next speaker dived into the state of secure software supply chain and contained many excellent links you’ll want to dive into —
State of the Secure Software Supply Chain
— Brandon Mitchell (Github, Twitter, Docker Captain) Talk Description: Building a secure software supply chain is no easy feat. SolarWinds showed us that even the experts have a difficult time. This talk gives an overview of what’s required, including ingesting external dependencies, attestation of the build infrastructure, signing artifacts, SBoMs, reproducible builds, and admission controllers. We’ll also look at some of the key projects in this space being developed within the CNCF and Linux Foundation. The topics here are focused on deploying with containers in a Kubernetes infrastructure, but the overall ideas transfer to other environments that build and package applications using open source dependencies and CI/CD pipelines.
I loved the reference to this classic XKCD comic illustrating the fragility of modern digital infrastructure that depends on small but critical open source projects.
Brandon shared two standards for the Software Bill of Materials (SBOM), which should list every component in a piece of software and help identify the areas that need more support. Both are under active development and open to contribution:
Check out the presentation slides for more links for supporting attestation, signing, admission control, and other related projects. After we finished talking about securing the software supply chain, we also discussed Reproducible Builds and the benefits and challenges of making this a reality.
Wrapping Up
Other links shared during our chat:
- Large-scale cluster management at Google with Borg
- The Children’s Illustrated Guide to Kubernetes
- Respond to Survey Topic on Regulatory Compliance in Software Industry
- SELinux Coloring Book
- Container Coloring Book
- Zero Trust in 5 Minutes
- Understanding How Hackers Are Targeting Your Microsoft 365 Infrastructure
Our next meetup will feature a workshop with Casey Wats, the LGBTQIA+ Inclusive Environment Workshop: DevOps is all about increasing transparency, communication, and collaboration across development and operations. Information flow happens so much better in an inclusive, psychologically safe environment (see the 2021 DORA DevOps Report for evidence). Active allyship for LGBTQIA+ team members supports a DevOps culture where these team members can contribute to the fullest. We depend on them being comfortable sharing their perspectives fully — and we can do that by making the environment welcoming.
Get involved with DevOps DC future events!
- Want to be a speaker? Speaker Request Form
- Want to be a sponsor? Sponsor Interest Form
Keep the conversation going and join us on the links below:
- DEVOPS DC Meetup
- DC Tech Slack #DevOps
- Twitter @DevOpsDC
- Email meetup@devopsdaysdc.org
From the event sponsor:
Rhythmic will donate a total of $120 to ByteBack! Because of your attendance at this great event, you made a difference!
We hope you walked away with a better picture of this critical cloud-native infrastructure. If you have any more questions for Steven or want to follow more of his work, shoot us a message or follow us on LinkedIn. Visit https://www.rhythmictech.com/blog/ to check out more of Steven’s blogs on other topics and unique takes you’ll want to see.