Anish Ramasekar

Principal Software Engineer, Microsoft

Seattle, Washington, United States

Anish Ramasekar is a software engineer at Microsoft. He is on the Azure Container Upstream team building features for Kubernetes upstream and various CNCF projects that are part of the Azure Kubernetes Service. Anish is a maintainer of the Secrets Store CSI Driver project.

Secret Guardians: (Secrets Store) CSI Driver and Sync Controller

Applications running on Kubernetes need access to sensitive information (passwords, SSH keys, authentication tokens). But how do you configure your applications when the source of truth for these secrets is an external secret store? What if you need to store, retrieve and rotate these secrets securely, with zero-touch rotation? Meet the (Secrets Store) CSI Driver and Sync Controller, Kubernetes SIG Auth subprojects that provide a simple way to retrieve secrets from enterprise-grade external stores such as Azure Key Vault, Google Secret Manager and HashiCorp Vault.

In this lightning talk, Anish will introduce you to the (Secrets Store) CSI driver and Sync controller and discuss trade-offs of the CSI driver versus Sync controller.
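As an added example (not code from the talk or from the project's own documentation), the manifests below show the shape of a Secrets Store CSI Driver setup: a SecretProviderClass that names the objects to fetch from Azure Key Vault, and a pod that mounts them through the `secrets-store.csi.k8s.io` driver. The vault name, tenant and client IDs, the service account name and the image are placeholders. The optional `secretObjects` section illustrates the trade-off the talk discusses: it makes the driver mirror the mounted value into a Kubernetes Secret, which is convenient for env vars and other consumers but means a copy of the secret lands in the cluster's own store.

```yaml
# SecretProviderClass: what to fetch and from where (Azure Key Vault provider shown).
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-keyvault            # placeholder name
  namespace: default
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    clientID: "<client-id>"     # placeholder: identity with "get" access on the vault
    tenantId: "<tenant-id>"     # placeholder
    keyvaultName: "<kv-name>"   # placeholder
    objects: |
      array:
        - |
          objectName: db-password   # placeholder secret name in the vault
          objectType: secret
          objectVersion: ""         # empty = latest, which is what rotation relies on
  # Optional: sync the mounted object into a Kubernetes Secret as well.
  # Only do this if a consumer genuinely needs a Secret object; it widens exposure.
  secretObjects:
    - secretName: app-db-credentials
      type: Opaque
      data:
        - objectName: db-password
          key: password
---
# Pod that consumes the secret as a read-only file under /mnt/secrets.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: default
  labels:
    azure.workload.identity/use: "true"   # required by the Azure provider when using workload identity
spec:
  serviceAccountName: app-sa              # placeholder; must be mapped to <client-id> via workload identity
  containers:
    - name: app
      image: <image>                      # placeholder
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-keyvault
```

With this layout the application reads `/mnt/secrets/db-password` directly from the mount and never sees a long-lived vault credential; the driver's rotation reconciler refreshes the file in place, and the application must be written to re-read it rather than cache it forever.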

Rogue No More: Securing Kubernetes with Node-Specific Restrictions

Did you know that a component that runs on every node (for example as a DaemonSet) to perform node-specific actions can pose a significant security risk? If any single node it runs on is compromised, the credentials that component holds can be turned against the rest of the cluster, up to and including a complete takeover. What if we could restrict the component to writing only those resources that belong to the node it is running on, and so prevent such escalation attacks?

In this talk, Anish and James will introduce new Kubernetes security enhancements to bound service account tokens, which can be used with validating admission policies to enforce per-node restrictions on service accounts. This session will provide you with practical implementation guidelines and show you how these enhancements can mitigate risks and protect your infrastructure with robust node isolation.

CEL-Ebrating Simplicity: Mastering Kubernetes Policy Enforcement

As Kubernetes deployments grow increasingly complex, robust policy enforcement is crucial. The Common Expression Language (CEL) provides a powerful solution, enabling the creation of sophisticated, human-readable expressions for Kubernetes policies. This session explores CEL's integration with Kubernetes, simplifying policy definition and enforcement.

Key takeaways:
- Fundamentals of CEL and its Kubernetes integration.
- Practical use cases for CEL in admission control, resource management, and security.
- Enhancing policy expressiveness and flexibility with CEL.
- Introduction to CEL Playground for testing and validating CEL expressions.

Through live demos, learn to leverage CEL and CEL Playground for streamlined policy management in Kubernetes. Ideal for administrators, developers, and DevOps professionals, this session equips you to enhance your Kubernetes policies using CEL.

Join us to discover how CEL and CEL Playground can transform your Kubernetes policy management.
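As an added example that serves both the node-restriction talk above and the CEL session (it is not code from either talk), the policy below uses a CEL ValidatingAdmissionPolicy to confine a node agent's service account to modifying only its own Node object. It assumes a Kubernetes release in which pod-bound service account tokens carry node information and the API server exposes it in `request.userInfo.extra` under the key `authentication.kubernetes.io/node-name` (a feature introduced in the 1.29/1.30 timeframe; confirm it is enabled on your cluster). The service account name `system:serviceaccount:kube-system:node-agent` is a placeholder.

```yaml
# Admission policy: a node agent may only UPDATE the Node it is running on.
# This complements RBAC, which cannot express "only your own node".
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: node-agent-own-node-only
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["UPDATE"]          # patches are presented to admission as UPDATE
        resources: ["nodes", "nodes/status"]
  matchConditions:
    # Scope the policy to the agent's service account only (placeholder name).
    - name: is-node-agent
      expression: "request.userInfo.username == 'system:serviceaccount:kube-system:node-agent'"
  validations:
    # Deny unless the token is node-bound AND the target Node is the token's node.
    # A legacy, non-bound token has no node-name extra and is therefore rejected.
    - expression: >-
        'authentication.kubernetes.io/node-name' in request.userInfo.extra &&
        object.metadata.name == request.userInfo.extra['authentication.kubernetes.io/node-name'][0]
      message: "node-agent may only modify the Node object it is running on"
      reason: Forbidden
---
# Binding: without this the policy is defined but never enforced.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: node-agent-own-node-only
spec:
  policyName: node-agent-own-node-only
  validationActions: [Deny]
```

Before enforcing, test the expressions in the CEL Playground with a constructed `request` object: one whose `userInfo.extra` carries the node name matching `object.metadata.name` (should pass), one where the names differ (should fail), and one with no node-name extra at all (should fail). Rolling the binding out with `validationActions: [Audit]` first shows which existing writers would be blocked.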

OIDC And Workload Identity In Kubernetes

Traditionally, when applications running in Kubernetes pods needed to access public cloud services, they used cloud service account keys or other static credentials.
Workload identity provides a convenient and secure way to manage access to cloud resources (Google, Azure, etc.) from within Kubernetes by mapping the Kubernetes service account to an associated cloud provider identity. It eliminates the need to manage and distribute individual service account keys or credentials, improving the overall security posture of your applications.
The speakers will walk through the concepts of workload identity along the following lines:

- Explain how OpenID Connect is used to achieve workload identity and the resulting authentication workflow.

- How to set up workload identity for managed and unmanaged Kubernetes clusters on public clouds.

- A demo of setting up workload identity, using Azure or Google Cloud as the example.
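As an added example (not code from the talk), the manifests below show the Kubernetes side of the OIDC-based workload identity flow, using Azure as the cloud: a service account annotated with the cloud identity it maps to, and a pod that receives a short-lived, audience-scoped projected service account token instead of a stored key. The pod is written out by hand here so the moving parts are visible; in a real deployment the Azure Workload Identity mutating webhook injects the same env vars and token volume. Client ID, tenant ID, namespace, service account name and image are placeholders.

```yaml
# The Kubernetes service account. The annotation tells the Azure SDK/webhook which
# Entra ID application (client ID) this Kubernetes identity is federated to.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-identity-sa        # placeholder
  namespace: default                # placeholder
  annotations:
    azure.workload.identity/client-id: "<client-id>"   # placeholder
---
apiVersion: v1
kind: Pod
metadata:
  name: workload-identity-demo
  namespace: default
spec:
  serviceAccountName: workload-identity-sa
  containers:
    - name: app
      image: <image>                # placeholder
      env:
        # The Azure SDK reads these and performs the OIDC token exchange itself.
        - name: AZURE_CLIENT_ID
          value: "<client-id>"
        - name: AZURE_TENANT_ID
          value: "<tenant-id>"
        - name: AZURE_AUTHORITY_HOST
          value: https://login.microsoftonline.com/
        - name: AZURE_FEDERATED_TOKEN_FILE
          value: /var/run/secrets/azure/tokens/azure-identity-token
      volumeMounts:
        - name: azure-identity-token
          mountPath: /var/run/secrets/azure/tokens
          readOnly: true
  volumes:
    - name: azure-identity-token
      projected:
        sources:
          - serviceAccountToken:
              path: azure-identity-token
              # Audience restricts what this token is good for: only the Entra token
              # exchange endpoint will accept it, not the Kubernetes API server.
              audience: api://AzureADTokenExchange
              expirationSeconds: 3600   # kubelet rotates the file before expiry
```

The token the kubelet writes to that path is a JWT signed by the cluster's service account issuer. The exchange succeeds only if the federated credential configured on the Entra application matches all three of: the token's `iss` (the cluster's OIDC issuer URL, whose discovery document and JWKS must be reachable by the cloud), its `sub` (`system:serviceaccount:default:workload-identity-sa`), and its `aud` (`api://AzureADTokenExchange`). Google's flow is the same shape with a different annotation and audience. The practical caveat is that the cluster's OIDC issuer is now part of the trust boundary: anyone who can mint tokens for that issuer, or change its signing key, can assume the mapped cloud identity.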

KubeCon + CloudNativeCon North America 2024 (upcoming)

November 2024, Salt Lake City, Utah, United States

Project Lightning Talk + ContribFest + Maintainer Track: KubeCon + CloudNativeCon North America 2024 (upcoming)

November 2024, Salt Lake City, Utah, United States

KubeCon + CloudNativeCon North America 2023

November 2023, Chicago, Illinois, United States
