Hans Kristian Flaatten

Platform Engineer at NAV

Bergen, Norway

CNCF Ambassador, Grafana Champion and Platform Engineer at the Norwegian Labor and Welfare Administration (NAV), working on NAIS, a platform built to increase development speed by providing the best experience to build, run and operate applications. Previously Principal Consultant at TietoEVRY, focusing on large enterprises in the public government, telecom, banking and insurance sectors. Co-organiser of KCD Oslo, Cloud Native and GDG meetups in Norway. Regular speaker at national and international conferences on all things cloud native.

Area of Expertise

  • Information & Communications Technology

Topics

  • Kubernetes
  • Open Source
  • Platform Engineering
  • Security

Workshop: Securing (and Observing) Kubernetes clusters with Cilium and eBPF - Part 2/2

Getting Kubernetes up and running and deploying your first application is relatively easy; managing clusters securely at scale, however, can be quite a challenge. Knowing which applications are communicating with each other, and how to restrict, verify and debug traffic policies, is a real game changer for complex environments.

Cilium is an open source container network interface (CNI) for Kubernetes, built on top of eBPF, that secures and observes network connectivity between container workloads, and is an official CNCF project. It provides transparent network encryption, multi-mesh connectivity, traffic observability, network policy management and debugging, and security forensics and auditing.

Join us for this workshop where we will get our hands dirty with setting up policies to inspect and secure the traffic to and from your Kubernetes applications.

Part 2/2: Securing Container Supply Chain Workshop

“Software supply chain” is a term describing everything that happens to code from the time it leaves the developer's fingers until it runs in production. The code needs to be compiled, tested, packaged and deployed, and these steps take place in a variety of systems and use many complex third-party solutions. Our apps also depend on an increasing number of third-party libraries and frameworks that we often know next to nothing about.

Several initiatives have been started in an attempt to address the issues surrounding supply chain integrity, the most notable being Supply-chain Levels for Software Artifacts (SLSA). SLSA aims to be vendor neutral and is backed by major players like the Cloud Native Computing Foundation and Google, in addition to startups such as Chainguard.

Cosign - Sigstore is a Linux Foundation project which is developing Cosign, a tool for signing and verifying containers and storing the signatures in an Open Container Initiative (OCI) registry, making signatures invisible infrastructure.
Kyverno - Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies.

In this workshop we will take a practical approach to securing your container applications and verify that a container has not been tampered with since it was built.

* Setting up automated container builds
* Signing containers using sigstore/cosign
* Verifying signed containers using Kyverno
* Working with Kyverno policy reports at scale

Part 1/2: Securing Container Supply Chain Workshop

“Software supply chain” is a term describing everything that happens to code from the time it leaves the developer's fingers until it runs in production. The code needs to be compiled, tested, packaged and deployed, and these steps take place in a variety of systems and use many complex third-party solutions. Our apps also depend on an increasing number of third-party libraries and frameworks that we often know next to nothing about.

Several initiatives have been started in an attempt to address the issues surrounding supply chain integrity, the most notable being Supply-chain Levels for Software Artifacts (SLSA). SLSA aims to be vendor neutral and is backed by major players like the Cloud Native Computing Foundation and Google, in addition to startups such as Chainguard.

Cosign - Sigstore is a Linux Foundation project which is developing Cosign, a tool for signing and verifying containers and storing the signatures in an Open Container Initiative (OCI) registry, making signatures invisible infrastructure.
Kyverno - Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies.

In this workshop we will take a practical approach to securing your container applications and verify that a container has not been tampered with since it was built.

* Setting up automated container builds
* Signing containers using sigstore/cosign
* Verifying signed containers using Kyverno
* Working with Kyverno policy reports at scale
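The "signing with cosign, verifying with Kyverno" step described in both supply chain workshop abstracts above can be expressed as a single Kyverno ClusterPolicy. The policy below is an added example for this page, not material from the workshop itself: it admits a Pod only when every image from the assumed registry prefix carries a Sigstore keyless signature whose certificate was issued to the assumed GitHub Actions identity, and it rewrites tags to digests so a tag cannot be repointed after verification. The registry path, the subject pattern and the issuer URL are placeholders to be replaced with your own build identity.

```yaml
# Added example (not from the workshop): Kyverno image verification policy
# for containers signed with "cosign sign" in keyless mode from CI.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signed-images
spec:
  # Enforce blocks unsigned workloads; switch to Audit to only populate
  # PolicyReports while rolling the policy out across many namespaces.
  validationFailureAction: Enforce
  background: false
  # Signature lookups talk to the registry and Rekor; give the webhook time.
  webhookTimeoutSeconds: 30
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Placeholder: only images from your own registry namespace are checked.
        - imageReferences:
            - "ghcr.io/example-org/*"
          # Fail closed: an image matching the pattern with no signature is rejected.
          required: true
          # Replace tags with the verified digest in the admitted Pod spec.
          mutateDigest: true
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Placeholder: the OIDC identity your CI job signs with.
                    subject: "https://github.com/example-org/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
```

Deploy it with `kubectl apply -f`, then inspect `kubectl get policyreport -A` (and `clusterpolicyreport`) to see pass/fail results per workload; in Audit mode those reports are how unsigned images are found without blocking deployments.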

How we secure NAV.no and 1/3 of Norway's national budget

The Norwegian Labour and Welfare Administration (NAV) has over the past few years been through an extensive digital transformation journey that fundamentally changed who develops and delivers digital services, and has influenced everything from how we work to the technology decisions we make. This journey will continue and we must adapt our approach to security accordingly.

As our attack surface grows with every new service, and our supply chain grows longer and longer, the threat landscape is becoming more and more complex. We experience an increase in digital threats, and they cannot be handled only by those who operate the applications. Digital security concerns all roles and has to be implemented across the organization.

In this presentation we will shed some light on how NAV systematically works to enhance its digital security: from the very start, with how the organization is structured with Security Champions in all teams, to the planning, design and implementation of new systems, to how we secure the runtime and infrastructure that powers it all, and how we proactively prevent and train for security-related events.

Building a dedicated platform for frontend developers at NAV

Even the best container-based application platforms, like NAIS, end up better suited for microservices and more traditional backend applications, often leaving much to be desired for single page applications, which have their own unique challenges.

At the Norwegian Labor and Welfare Administration (NAV) we have over 100 product teams running 1.600 applications on our application platform, 400 of which are frontend applications. Most of them are written in React or Next.js, but other frontend frameworks are still in use as well.

These applications do not get the benefit of our Prometheus monitoring, automatic SQL database creation, cluster network security policies and many other features available from our application platform, and they often have to do the heavy lifting of building their own micro-frontend architecture, monitoring, testing and much more.

At NAV we have perfected our container application platform for the better part of a decade. Along the way we have started a dedicated data platform (NADA), and since 2022 we have had a new team dedicated to building platform services for our frontend developers, to give them the best tools to build and run their frontend applications.

As far as we know, NAV is the first government agency in Norway to build a platform specifically for frontend applications, and we are super excited to share how far we have come 🚀

KubeCon + CloudNativeCon Europe 2024 Sessionize Event

March 2024 Paris, France

State of Open Con 24 Sessionize Event

February 2024 London, United Kingdom

NDC Oslo 2023 Sessionize Event

May 2023 Oslo, Norway

NDC Oslo 2022 Sessionize Event

September 2022 Oslo, Norway
