Liz Rice
Chief Open Source Officer, Isovalent @ Cisco
London, United Kingdom
Liz Rice is Chief Open Source Officer at Isovalent, the creators of the Cilium project, and now part of Cisco. Currently on the boards of the CNCF and OpenUK, she was chair of the CNCF's Technical Oversight Committee 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018. She is an award-winning speaker, and the author of O'Reilly books on "Container Security" and "Learning eBPF".
She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, competing in virtual races on Zwift, and making music under the pseudonym Insider Nine.
Topics
eBPF or sidecars?
eBPF allows us to build custom programs that run directly within the kernel. This talk explores how eBPF enables observability, security and connectivity tools that no longer need to rely on the sidecar model, and shows how Cilium now supports both sidecar-based and sidecarless Service Mesh. Along the way this talk will clarify some container and kernel concepts so that attendees can leave with a mental model for the pros and cons of sidecar-based or sidecarless approaches.
eBPF: a new era in cloud infrastructure tools
eBPF has become something of a buzzword recently, but why is it being used in so many tools for observability, security and networking? What does it bring that other approaches don't offer? How can you leverage the power of eBPF in your organization?
Join this session to learn from the creators and maintainers of leading open source eBPF projects about how this kernel technology enables high-performance, scalable cloud infrastructure tools.
Fireside Chat: Open Source and the Global Security Response
Host: Amanda Brock, CEO, OpenUK
Andrew Martin, Control Plane Founder and CEO and OpenUK CISO
Liz Rice, Chief Open Source Officer, Isovalent and OpenUK Director
Thomas Meadows, Solutions Engineer, Jetstack
When is a secure connection not encrypted? And other stories
Many organizations use a Service Mesh to secure traffic between apps. This may use Mutual TLS (mTLS), with a proxy terminating connections on behalf of apps. mTLS starts with a handshake in which the endpoints exchange certificates to authenticate each other's identities and negotiate the encryption of subsequent traffic.
When encryption is needed but app authentication is not, approaches like WireGuard or IPSec may be more suitable. What about scenarios where authentication is important but encryption adds too much latency?
With demos to make concepts concrete, let’s dive into authentication and encryption, and the differences between mTLS and in-kernel alternatives.
- Explore the mTLS handshake step-by-step
- Contrast with transparent encryption using node identities
- Understand where encryption takes place in different models
- Discuss options for encrypting L7 protocols other than HTTP
With a clear picture of how authentication and encryption work, you’ll be better able to assess which approach best meets your needs.
Zero-overhead container networking with eBPF and Netkit
Netkit is a new enhancement to eBPF that replaces the virtual Ethernet (veth) connections that previously connected containers to the network namespace of their host. Until now, the overhead of veth connections meant that containerised applications could not communicate as quickly as if they were running directly on the host. In this talk you'll see how Netkit and other eBPF-enabled capabilities now allow container networking to run as fast as host networking.
Simplifying multi-cluster and multi-cloud deployments with Cilium
Multi-cloud, multi-cluster Kubernetes deployments are used for high-availability, global distribution, to take advantage of different cloud vendor features, or to use both on-prem and public clouds. But sharing workloads in these distributed environments doesn’t have to be complicated!
This talk uses live demos to introduce Cilium’s ClusterMesh capabilities, which make it easy to connect and secure workloads distributed across clouds and clusters.
- Securely connecting multiple Kubernetes clusters
- Distributing services across them
- Load balancing and service affinity
- Applying network policies across multiple clusters
- Exposing distributed services to external traffic
You’ll also learn about the requirements for the underlying internet connectivity between clusters, with an overview of IP address management considerations.
You’ll need a basic familiarity with Kubernetes concepts like pods, services, nodes and clusters to get the most out of attending this talk.
KEYNOTE: Using eBPF for High-Performance Networking in Cilium
The Cilium project is a popular networking solution for Kubernetes, based on eBPF. This talk uses eBPF code and demos to explore the basics of how Cilium makes network connections, and manipulates packets so that they can avoid traversing the kernel's built-in networking stack. You'll see how eBPF enables high-performance networking as well as deep network observability and security.
Isovalent: A Case Study in Open Source Startups
Cisco recently announced that it’s acquiring Isovalent, the startup known for creating the Cilium project, and for its expertise in eBPF. Let’s explore from both the Cisco and Isovalent perspective how alignment between maintainers’ project vision, end user needs, community growth, and a model for generating revenue, can lay the foundations for a successful business, whether a startup or a major industry player.
eBPF’s abilities and limitations: the truth
eBPF is proving to be a great platform for cloud native infrastructure tooling, with several CNCF projects leveraging it to implement networking, security and observability capabilities from within the kernel. But as with any new technology, there are various myths and uncertainties circulating about it in the community, particularly around its limitations: you might hear that it’s not Turing complete, that it can’t be used for anything that involves state, or that it can’t be used to parse Layer 7 protocols. In this talk we’ll disprove all these rumors with demonstrations including:
- Looping in eBPF
- Leveraging maps for state
- An eBPF implementation of a Turing machine equivalent
This doesn’t mean eBPF is the right hammer for every nail; using the Cilium project as an example we’ll discuss why not every feature is implemented in the kernel. (Yet?)
eBPF vs Sidecars
From its vantage point in the kernel, eBPF provides a platform for building a new generation of infrastructure tools for things like observability, security and networking. These kinds of facilities used to be implemented as libraries, and then in container environments they were often deployed as sidecars. In this talk let's consider why eBPF can offer numerous advantages over these models, particularly when it comes to performance.
Coping with Zero days with Cilium Tetragon
However good the tools and processes you use to catch CVEs and security problems pre-deployment, it's still possible that your code and the platform it's running on could be compromised. When a new CVE and its patches are announced, it's called a "zero day", and it's a race against time for security teams to understand whether their deployments are vulnerable, and to get updated versions of all affected components deployed.
In this talk (with demos) you'll learn about strategies for using the open source runtime security tool, Cilium Tetragon, to detect components that are affected by a CVE. You'll see how eBPF allows Tetragon to generate rich forensic information to understand whether a vulnerability has been exploited in your system, and understand how the component was compromised.
A Load Balancer from scratch
Let's see how an eBPF Load Balancer works by writing one in a few lines of C code.