Cloud architect & IaC Geek
IT guy since 2004
Cloud architect, (mainly on Azure) since 2015
Still exploring the Cloud platform capabilities (which get new stuff all the time)
Breath IaC and Automation (but more Hashicorp stuff than other ^^)
Still struggles in the K8S landscape
MVP Azure since 2019
MCT since 2020
Area of Expertise
Development with containers and Docker eased the applications deployment and allowed an optimization of the consumed resources which were lost in Virtualization.
However, It may happen that a greater isolation is required. In this case, how to better the isolation without going back to classic virtualization?
In this session, we will look at the different available scenarios to achieve better kernel isolation and we will then focus on sandbox containers solutions.
We'll look at a pragmatic use case in a cloud managed Kubernetes with AKS example.
Leave with a better understanding on why and how to isolate workload beyond the basics of containerization in Kubernetes.
With maturity growing, AKS cluster host more and more critical workloads.
So the question arise: how do I recover an app, or a node pool, or a cluster.
In this session, we will start by an overview of the available solutions for workload protection in AKS, mixing known community tools and Azure native features.
Then we will illustrate the following scenarios:
Simple workload recovery
Full cluster recovery
Each time selecting the appropriate solution.
By the end of this session, you will have the pointers to implement the protection of your AKS clusters
The nice thing with AKS is that it's evolving really fast... Or is it the worst thing?
Are you lost in which part is using which Identity... Stuff?
Not sure how to authenticate on the API server?
Not clear on how to interact with other Azure part? From Kubelet or the apps?
In this session, we go back on the AAD integration and what is managed in either the Azure plane or the Kubernetes control plane.
We also take a look at the Kubernetes worker plane and what are the options to manage Identities on the pod's level.
#AKS #AAD #PodIdentity #WorkloadIdentity #ManagedIdentity
The demand for hybrid cloud is rising, and with It the need for managing multi cloud resources.
Unfortunately, it's not as simple to get a hybrid kubernetes as, let's say a sheep drawing.
Or is it ?
In this session we'll take a look at the Azure Arc proposal.
We'll start looking at what is behind the Azure Arc offer.
Then we'll focus on Azure Arc Enabled Kubernetes and what we can achieve from Azure plane with Kubernetes plane... well everywhere.
We'll take a look at the "how to" with Azure Arc and Kubernetes and try to find what level of integration with the Azure platform can be achieved for Azure engineer so they can manage other (cloud managed) Kubernetes.
With a growing adoption of containerized workloads and AKS as a target, Security topics are at the heart of the architecturing discussions.
Specifically, securing data through the encryptions capabilities of one cloud platform can rapidly becomes a headache.
In this session, we will start by a rapid state of the art of the available encryption options in the Azure platform.
Then we will focus on the 2 parts that matters for managing encryption at rest in AKS:
- Managing Encryption at rest for the control plane
- Managing Encryption at rest for the worker plane
At the end of the session, you will have a clearer and better grasp of the way you can manage encryption with Microsoft managed Kubernetes solution, and the potential impacts on the operations.
Infrastructure as Code is now definitely in our IT Landscape.
If you're using terraform, you probablably came accros time when the resource was not available, or some features were not yet present in the terraform resource argument.
There are different way to work the lacks around, and the last in the list is the AzAPI provider.
In this session, we'll start by a state of the available workaround for lacks in a terraform provider.
Then we'll deep in the AzAPI provider and what it propose, before having a use case on an hypothetical iaC workflow involving and AKS cluster.
At the end of the session, you 'll add a new tool in your Azure IaC workflow
Kubernetes is more than ever at the center of projects.
Workloads hosted in Kubernetes thus need to interact with various other systems.
Managing authorizations can be complex, especially when limiting the use of credential in Kubernetes secrets is a strong constraint.
In Azure cas, we usually leverage managed identity with RBAC assignment.
Problem: a pod has no knowledge of Managed Identity.
In this session we'll have a look at how Azure AD workload Identity can help to federate various Identity provider to manage access in Azure and take the case of workload identity to manage granular authorization at the pod level.
We will dtail a use case with the Key Vault CSI Secret provider which will definitely help to reduce the global footprint of Kubenetes secrets.
Take away: a better grasp of Identity management for Kubernetes hosted workloads and an implementation of the Key Vault CSI Secret provider.
With all its fire power, AKS leaves important questions open in its architecture before being production ready.
In this session, we will approach AKS network options through Its Terraform resource:
Looking at the network related arguments, we will translate those in actual architecture options and identify each strenght and weakness.
Afterward, because this session is IaC orientated, we will write Terraform configurations for those network configuration options.
Leave this session with a better understanding of AKS network and basis for your terraform workflow.
Cloud architect & IaC Geek