David Frappart

Cloud architect & IaC Geek

Soissons, France

IT guy since 2004
Cloud architect (mainly on Azure) since 2015
Still exploring the Cloud platform capabilities (which get new stuff all the time)
Breathe IaC and Automation (but more HashiCorp stuff than other ^^)
Still struggling in the K8S landscape
MVP Azure since 2019
MCT since 2020

https://www.linkedin.com/in/david-frappart-66625627/
https://blog.teknews.cloud

Awards

  • Most Active Speaker 2023
  • Most Active Speaker 2022

Area of Expertise

  • Information & Communications Technology

Topics

  • Azure
  • Azure Kubernetes Services (AKS)
  • Terraform
  • Azure DevOps

Pod, kernel & isolation, why and how with sandbox containers

Development with containers and Docker eased application deployment and reclaimed the resources that classic virtualization left idle. The price is that every container on a node shares that node's kernel.

However, stronger isolation is sometimes required. In that case, how do we improve isolation without going back to classic virtualization?

In this session, we will look at the different scenarios available to achieve better kernel isolation, and then focus on sandboxed container solutions.
We'll then look at a pragmatic use case on a cloud-managed Kubernetes, with an AKS example.

Leave with a better understanding of why and how to isolate workloads beyond the basics of containerization in Kubernetes.
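As an added illustration (not material from the session itself), this is what opting a single pod into a sandboxed runtime looks like on Kubernetes. It assumes an AKS node pool created with Pod Sandboxing enabled; the RuntimeClass handler name is the one AKS documents for that feature and should be verified with `kubectl get runtimeclass` on your cluster. The namespace, pod name and image are placeholders.

```yaml
# Added example: run one pod under a Kata-style sandbox so it gets its own
# guest kernel instead of sharing the node kernel with its neighbours.
# Assumptions: the node pool has Pod Sandboxing enabled and exposes the
# RuntimeClass below (check with: kubectl get runtimeclass).
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-tool                 # placeholder name
  namespace: sandboxed                 # placeholder namespace
spec:
  runtimeClassName: kata-mshv-vm-isolation   # AKS Pod Sandboxing handler (verify on your cluster)
  # Sandboxing is not a substitute for the usual hardening; keep both.
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: tool
      image: registry.example.com/untrusted-tool:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      resources:                       # a sandbox boots a small VM; give it explicit limits
        requests:
          cpu: "250m"
          memory: 256Mi
        limits:
          cpu: "1"
          memory: 512Mi
```

A quick check that the isolation is real: compare `uname -r` inside the pod with the kernel version reported by the node. In a sandboxed pod the two differ, because the pod runs on its own guest kernel; a pod scheduled without the `runtimeClassName` on the same node reports the node kernel.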

AKS & Cilium, a love story?

Have you ever felt that networking on AKS was a pain?
Even more, have you ever felt that some features were missing?
Well, there is some good news.
In recent months (years?), Cilium has left its mark on the Kubernetes landscape.
And on the Azure landscape too!

In this session, we'll take a look at the new networking options for AKS and clarify the different offers available for using Cilium.
Then we'll look at some of the Cilium features that make a difference in a Kubernetes environment.

Leave with a clarified view of the Azure CNI options and of the Cilium features available for your Azure Kubernetes hosted workloads.

GPS for network routing with Azure Virtual WAN

Azure Virtual WAN, with its Virtual Hubs, changes the way we build a Hub & Spoke topology.
On paper, everything seems nice.
What about in real life?
In this session, we'll walk through the different steps of a Hub & Spoke configuration with Virtual WAN, become familiar with the options for configuring routing, and build a Secured Hub.
After this session, hopefully, you'll be much clearer on how to find your network route in Azure ^^, hence the GPS.

Overview of AKS Cluster Recovery options

As maturity grows, AKS clusters host more and more critical workloads.
So the question arises: how do I recover an app, a node pool, or a whole cluster?
In this session, we will start with an overview of the available solutions for workload protection in AKS, mixing well-known community tools and Azure native features.
Then we will illustrate the following scenarios, each time selecting the appropriate solution:

  • Simple workload recovery
  • Node pool recovery
  • Full cluster recovery

By the end of this session, you will have the pointers to implement protection for your AKS clusters.

The state of Identity management in AKS

The nice thing with AKS is that it evolves really fast... Or is that the worst thing?

Are you lost about which part is using which identity... stuff?
Not sure how to authenticate to the API server?
Not clear on how to interact with the other Azure parts, from the kubelet or from the apps?

In this session, we go back over the AAD integration and what is managed in either the Azure plane or the Kubernetes control plane.
We also take a look at the Kubernetes worker plane and the options for managing identities at the pod level.

#AKS #AAD #PodIdentity #WorkloadIdentity #ManagedIdentity

Please Azure Arc, give me a hybrid Kubernetes

The demand for hybrid cloud is rising, and with it the need to manage multi-cloud resources.

Unfortunately, getting a hybrid Kubernetes is not as simple as, let's say, drawing a sheep.

Or is it?

In this session we'll take a look at the Azure Arc proposal.
We'll start by looking at what is behind the Azure Arc offer.

Then we'll focus on Azure Arc-enabled Kubernetes and what we can achieve from the Azure plane with a Kubernetes plane... well, everywhere.

We'll take a look at the "how to" with Azure Arc and Kubernetes, and try to find what level of integration with the Azure platform can be achieved, so that Azure engineers can manage other (cloud-managed) Kubernetes clusters.

Managing Azure Kubernetes Service Encryption

With the growing adoption of containerized workloads, and AKS as a target, security topics are at the heart of architecture discussions.
Specifically, securing data through the encryption capabilities of a cloud platform can rapidly become a headache.

In this session, we will start with a quick state of the art of the encryption options available in the Azure platform.

Then we will focus on the two parts that matter for managing encryption at rest in AKS:

- Managing encryption at rest for the control plane

- Managing encryption at rest for the worker plane

At the end of the session, you will have a clearer grasp of how you can manage encryption with Microsoft's managed Kubernetes solution, and of the potential impacts on operations.

Hands on AzAPI provider in an IaC workflow for AKS

Infrastructure as Code is now definitely part of our IT landscape.
If you're using Terraform, you have probably come across times when a resource was not available, or when some features were not yet present in the Terraform resource arguments.

There are different ways to work around these gaps, and the latest on the list is the AzAPI provider.

In this session, we'll start with a state of the available workarounds for gaps in a Terraform provider.
Then we'll dive into the AzAPI provider and what it proposes, before going through a use case on a hypothetical IaC workflow involving an AKS cluster.

At the end of the session, you'll have added a new tool to your Azure IaC workflow.

Granular AAD authorization management in Kubernetes with Workload Identity

Kubernetes is more than ever at the center of projects.

Workloads hosted in Kubernetes thus need to interact with various other systems.
Managing authorization can be complex, especially when limiting the use of credentials in Kubernetes secrets is a strong constraint.
In the Azure case, we usually leverage managed identities with RBAC assignments.
Problem: a pod has no knowledge of managed identities. A managed identity is attached to the node's virtual machine scale set, not to the pod, so every pod on that node would share it through the instance metadata endpoint.

In this session we'll look at how Azure AD Workload Identity can federate various identity providers to manage access in Azure, and take the case of workload identity to manage granular authorization at the pod level.
We will detail a use case with the Key Vault CSI secret provider, which will definitely help reduce the global footprint of Kubernetes secrets.

Take away: a better grasp of identity management for Kubernetes hosted workloads, and an implementation of the Key Vault CSI secret provider.
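As an added example (not the session's own material), here is the Kubernetes side of that use case: a service account bound to a user-assigned managed identity through Azure AD Workload Identity, and a pod that mounts a Key Vault secret through the Secrets Store CSI driver with the Azure provider. Everything in angle brackets is a placeholder; the namespace, object names and image are assumed. Not shown, and required beforehand: the OIDC issuer and workload identity enabled on the cluster, a federated credential on the identity whose subject is `system:serviceaccount:app:app-sa`, and a Key Vault role (Key Vault Secrets User) assigned to that identity on the vault.

```yaml
# Added example: Workload Identity + Key Vault provider for the Secrets Store CSI driver.
# Placeholders: <client-id> (user-assigned identity), <tenant-id>, <keyvault-name>.
# Assumed names: namespace "app", service account "app-sa", vault secret "db-password".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: app
  annotations:
    # Ties this service account to the managed identity; the federated
    # credential on that identity must name system:serviceaccount:app:app-sa.
    azure.workload.identity/client-id: "<client-id>"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-kv
  namespace: app
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"          # legacy AAD Pod Identity is not used
    clientID: "<client-id>"          # the workload identity, not the kubelet identity
    keyvaultName: "<keyvault-name>"
    tenantId: "<tenant-id>"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
  labels:
    # Tells the workload identity webhook to project a service account token
    # and inject the AZURE_* environment variables into the pod.
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-kv
```

With this layout the secret lands as the file `/mnt/secrets/db-password` inside the pod and no Kubernetes Secret object is created for it, which is where the reduced secrets footprint comes from; a Secret object only appears if you add a `secretObjects` block to the SecretProviderClass to sync it. The authorization is granular because it is the identity referenced by `clientID`, scoped to this service account by the federated credential, that holds the Key Vault role, not the node's kubelet identity.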

Hands on AKS networking architecture with Terraform

With all its firepower, AKS leaves important architecture questions open before being production ready.

In this session, we will approach the AKS network options through its Terraform resource:

Looking at the network-related arguments, we will translate them into actual architecture options and identify the strengths and weaknesses of each.

Afterwards, because this session is IaC-oriented, we will write Terraform configurations for those network options.

Leave this session with a better understanding of AKS networking and a basis for your Terraform workflow.
