Speaker

Anand Francis Joseph

Principal Software Engineer, Openshift Gitops/ArgoCD @Red Hat

Have around 20 years of industry experience. Contributed to several open source projects like Argo CD, Argo CD Operator, Argo Rollouts, Verrazzano, GlassFish JavaEE, JavaEE TCK.

Walled Gardens: Ensuring Robust Tenant Isolation in ArgoCD

Platform engineers who use ArgoCD for the provisioning and management of Kubernetes resources for multiple tenants face challenges in enforcing isolation between the various tenants.

ArgoCD uses a single service account for managing resources across all tenants. The limited isolation provided by ArgoCD creates an opportunity for malicious tenants to escape their intended scope and can cause issues like secret leakage between tenants. The Argo community has been actively working on addressing these challenges, and a new way of decoupling ArgoCD operations using separate service accounts for each tenant has been introduced. Each per-tenant service account can be configured according to the principle of least privilege.

This talk will introduce the newest feature built into ArgoCD. We will demonstrate this feature and show how it can be used to build robust isolation between tenants, with a practical use case of managing secrets.

Solving the Argo CD Scaling Puzzle: Distributed Agents, Shards, and the Quest for a Lag-Free GUI

As organizations move from "GitOps experimentation" to "GitOps at scale," many hit a performance wall. Whether it’s an Application Controller struggling with OOM kills on 50,000 resources, a Repo Server buckling under "thundering herd" monorepo commits, or a GUI that lags under the weight of 5,000+ applications, scaling Argo CD requires more than just adding more RAM.

This session deconstructs the Argo CD scaling puzzle, piece by piece. We start by examining the internal plumbing of the Application Controller and demonstrate how to tune it for vertical scaling: how resource inclusions/exclusions, respectRBAC and Go runtime tuning can be configured to reduce resource usage and prevent OOM kills in high-density environments.

We will compare Dynamic Cluster Sharding (using consistent hashing) against the Argo CD Agent (Managed vs. Autonomous modes) for multi-cluster topologies. Finally, we will take a look at the future roadmap for improvements in the GUI and the progress towards Application-based sharding, which promises to decouple the Live State Cache from cluster boundaries and unlock true horizontal scalability for the next generation of GitOps.

Securing Global Software Delivery with Argo CD Agent

Scaling GitOps across hundreds of clusters often creates security and performance bottlenecks. This session introduces the Argo CD Agent, a new open-source project that flips the script with a decentralized pull model.

Traditional multi-cluster GitOps often requires a "God-mode" control plane with broad network access and stored credentials for every managed cluster. This "Push" architecture creates a significant security risk: if the central orchestrator is compromised, the entire fleet is vulnerable. Furthermore, managing clusters across air-gapped environments or restrictive firewalls often requires punching holes in security perimeters.

This session introduces a new paradigm in secure software delivery: the Argo CD Agent. By shifting from a push-based model to a decentralized pull-based architecture, the Argo CD Agent enables a Zero-Inbound security posture. Remote clusters remain completely isolated, initiating outbound mTLS connections to a central hub to sync desired states without ever exposing their internal APIs.

The session will conclude with a live demo featuring ApplicationSets managing a fleet of remote clusters from a single, secure control plane.

Policy driven approach to secure your CI/CD workflow

In a dynamic and rapidly evolving DevOps landscape, ensuring supply chain security, vulnerability, compliance, and reliability across CI/CD pipelines is a challenge.
In this talk, we will explore how Tekton, a powerful Kubernetes-native CI framework, and ArgoCD, a powerful Kubernetes-native CD framework, can be used to enforce policies using Kyverno, an open-source policy engine for Kubernetes. Together, they offer a formidable combination to automate policy enforcement and enhance the quality of your pipelines to meet the highest standards of security and compliance.

Key takeaway
1. Business use case
2. Key benefits of using Tekton, ArgoCD, and Kyverno
3. End-to-end demo on how one can solve supply chain security and vulnerability issues in their CI/CD pipeline

Level of expertise from audience
Beginner/experienced

Mitigating privilege escalation in multi-tenant Argo CD

Argo CD supports a multi-tenant operation model. A cluster-scoped Argo CD instance is the widely used approach, wherein a single service account manages resources across multiple tenant namespaces, and this brings in the security challenge of privilege escalation. When a cluster-scoped Argo CD instance is used to manage resources across multiple tenant namespaces, it violates the principle of "least privilege", providing escalated privileges to all the tenants.

In this talk, we will be looking at some of the best practices for handling privilege escalation in multi-tenant scenarios and how the recent feature of decoupling application syncs using a service account per tenant can be a real game changer in improving the security posture of Argo CD for multi-tenant scenarios.

From Legacy to Scale: Cluster Management with CAPI and Multi-Cluster GitOps

Abstract:

In today's rapidly evolving cloud-native landscape, managing Kubernetes clusters efficiently is a paramount concern for organizations. Cluster API (CAPI) and Multi-Cluster GitOps can revolutionize your Kubernetes clusters' provisioning and management operations. This session addresses the challenges of managing Kubernetes clusters at scale, including scalability issues, configuration drift, operational overhead, and resilience concerns, and presents CAPI and Multi-Cluster GitOps as transformative solutions. Delve into the benefits of migrating from legacy pipelines to CAPI + GitOps-based pipelines, discussing key considerations and best practices. Witness a live demo showcasing these technologies in action and leave with actionable insights to streamline your Kubernetes operations.

Description:

Our talk will explore the challenges of managing Kubernetes clusters across multiple infrastructures and present a solution through the convergence of Cluster API and MultiCluster GitOps. Firstly, we'll uncover the core components and architecture of Cluster API, which provides a declarative API for orchestrating Kubernetes clusters and extends its capabilities to efficiently manage multiple clusters in diverse environments and cloud platforms.
After that, the session will highlight the synergy between Cluster API and MultiCluster GitOps, explaining how GitOps principles enhance multi-cluster management by ensuring precision, consistency, and version-controlled configurations. Through a concise live demonstration, we will showcase how CAPI combined with GitOps can efficiently handle the lifecycle of multiple production-grade Kubernetes clusters, including the migration from legacy pipelines to GitOps-based CI/CD pipelines.

Benefits to the audience:

Our primary objective is to enhance the understanding of the community about the challenges of multi-cluster lifecycle management. Ultimately, participants gain a profound understanding of Cluster API, MultiCluster GitOps principles, practical experience through live demos, and the knowledge needed to navigate the dynamic world of Kubernetes infrastructure management effectively.

From Code to Deployment: A Deep Dive into Pipelines as Code

In the fast-paced world of software development, CI/CD is no longer optional.
Pipelines as Code (PaC) empowers teams to build, test, and deploy code with ease.
This session provides a deep dive into PaC, where we will discuss its use cases, how it can be integrated with existing source code management as well as other services using webhooks, how multi-tenancy is handled, and how to follow security best practices. We will also talk about how PaC automates your CI/CD workflows, accelerates software delivery and enhances your team’s productivity.

Key takeaway
1. Business use case
2. Key benefits of using Pipelines as Code
3. End-to-end demo on how one can improve their productivity using Pipelines as Code

Level of expertise from audience
Beginner/experienced
