Developer Secure Containers for the Cyberspace Battlefield
Chris Saunders - Pivotal Federal
Jason Scanga - VMware Federal
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license:
http://creativecommons.org/licenses/by-nc/3.0/
Evolution of Military Tactics-Mobility
Evolution of Military Tactics-Protection and Security
We still build network security like a castle
[Diagram: the Internet on the outside and a group of VMs inside the perimeter.]
Evolution of Military Tactics-Mission Command
“The concept of mission command/command and control allows subordinates to be innovative and operate independently according to clear orders, commander’s intent, and clearly articulated rules of engagement.” (URBAN OPERATIONS, Headquarters, Department of the Army; Headquarters, United States Marine Corps)
Application Fielding With A DoD Customer
• Request for Environment Creation
• Systems and Network IT shops rack and stack infrastructure, install middleware, and supporting technologies
• Request ticket for DNS and firewall changes
• Testing for Verification & Acceptance
• Environment available for application hosting in production
• Fix issues/bugs
• Open Change Control
• Change Control Approval is Given
• Implement Change Control
• Rinse and Repeat
Average Estimated Time: 3 months
How Can We Help DoD IT Evolve?
Platform hierarchy (bottom to top):
• Hardware
• IaaS
• Container Orchestrator
• Application Platform
• Serverless Functions
Strategic goal (portfolio optimization): Push as many workloads as technically feasible to the top of the platform hierarchy.
Lower layers offer higher flexibility and less enforcement of standards; higher layers offer lower development complexity and higher operational efficiency.
Choose the right tool for the job
Typical Customer Outcomes with Pivotal Cloud Foundry
Stability + Scalability: Deliver enterprise SLAs and breakthrough operational efficiency
● Four layers of HA
● Zero downtime deployments
● Logging, metrics, and scaling
● Linux + Windows Server
Security: Improve your security posture with built-in capabilities
● “Secure by default” containers
● Full-stack support
● Rapid fixes to CVEs
● “Repair, repave, rotate”
Speed: Deploy new code thousands of times a month
● Best platform for Spring Boot
● Container-ready
● Native Windows + .NET
● Fully integrated with CI/CD
What is PKS?
Kubernetes
Kubernetes is an open-source platform designed to automate deploying, scaling, and operating application containers. With Kubernetes, you are able to quickly and efficiently respond to customer demand:
• Deploy your applications quickly and predictably.
• Scale your applications on the fly.
• Roll out new features seamlessly.
• Limit hardware usage to required resources only.
• Manage your applications like cattle instead of pets.
Source: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
Kubernetes is a Runtime for Containerized Workloads
[Diagram: Dev / Apps use kubectl and IT / Ops use the Kubernetes Dashboard against a Kubernetes cluster running on Compute, Storage and Networking; the App User sits on top.]
...but Kubernetes alone is not enough for enterprises
[Diagram: the same Kubernetes runtime (kubectl, Kubernetes Dashboard, Compute / Storage / Networking, Dev / Apps, IT / Ops, App User) surrounded by the capabilities an enterprise still has to provide: Load Balancing / Routing, Container Image Registry, App Monitoring, App Logging, OS Updates and OS Images, K8S Updates and K8S Images, Log & Monitor, Recover & Restart, Backup & Restore, External Data Services, Cluster Provisioning, Provision & Scale, Command Line / API, Management GUI, Monitoring GUI.]
Pivotal Container Service (PKS) provides what’s missing
[Diagram: the same runtime and enterprise capabilities (Load Balancing / Routing, Container Image Registry, OS Updates and OS Images, K8S Updates and K8S Images, Log & Monitor, Recover & Restart, Backup & Restore, External Data Services, Cluster Provisioning, Provision & Scale, App Logging), now supplied by the PKS Control Plane, the GCP Service Broker, the pks CLI, Operations Manager and a vRealize Operations integration.]
Security In PKS
Common CI/CD Pipelines for Federal
[Pipeline diagram, stages numbered 1-7. Dev on Low Side (AWS GovCloud): developers commit code to Version Control; Unit Tests; Static Analysis; Package; Artifact Repository; Deploy to PCF Development (Product Owner Acceptance); Dynamic Analysis; End to End Tests. Artifacts cross from WWW/NIPR to SIPR/JWICS through a Cross Domain Device (coming soon). Prod on High Side (SIPR/JWICS): Artifact Repository; Integrity Check; Deploy to PCF Staging (Integration and Acceptance); End to End Tests (with real endpoints, e.g. UFMS Dev/Test); Accepted?; Deploy to PCF Production (Blue/Green Deploy); Smoke Tests.]
A new security patch is released for Kubernetes. Pivotal releases a PKS fix for the CVE within a few hours. The Platform Operator can then apply the fix with no platform downtime.
... or ...
[Diagram: a Concourse pipeline run by Platform Ops pulls from Pivotal Network and performs Execute, Verify pre-reqs, Verify current install, Download updated binaries, Config, Rolling Updates, Update PKS.]
An enterprise-class registry server for Docker images
• Role-Based Access Control (RBAC)
• LDAP/AD Integration
• Image Vulnerability Scanning (Clair)
• Notary Image Signing
• Policy-Based Image Replication
• Graphical User Portal & RESTful API
• Image Deletion & Garbage Collection
• Auditing
[Diagram: Dev Team → Build Image → Push Image to the Image Registry → Scan Image for CVEs (Clair) → Sign Image (Notary) → kubectl run; the registry enforces RBAC backed by UAA Auth, with replication alongside.]
How do we bake in Security?
• Unified VM to Container Networking
• On-demand network virtualization
• Micro-segmentation
• Full Network Visibility
• Enterprise Support
• Pod-Level Container Networking
• Load Balancing
• Network Security policies
• Tenant-level isolation
• Unique logical switch per K8s namespace
Multi-Tenancy
[Diagram: the PKS Control Plane (Harbor, GCP SB, NSX-T, BOSH) manages several Kubernetes clusters, each with Master, etcd and Worker nodes.]
How to isolate and secure access from different tenants?
Deployment Topologies & Multi-Tenancy
[Diagram: Multi-cluster (cluster-based): the PKS Control Plane with BOSH and NSX-T runs K8s Cluster A, K8s Cluster B and K8s Cluster C. Single cluster (namespace-based): the PKS Control Plane with BOSH runs one K8s Cluster split into Namespace A, Namespace B and Namespace C.]
Confidential │ ©2018 VMware, Inc.
PKS Technical Overview – NSX-T
[Diagram: Physical Infrastructure → vSphere and vSAN; the PKS Control Plane (BOSH, NSX-T, Service Broker(s), Container Registry) provisions Kubernetes Clusters of master, etcd and worker nodes; monitoring and management through Wavefront by VMware, vRealize Automation, vRealize Log Insight, vRealize Operations and vRealize Network Insight.]
Kubernetes NSX Topology
• Namespaces: NSX-T builds a separate network topology per K8s namespace
• Pods: Every Pod has its own logical port on an NSX logical switch dedicated to its namespace
• Nodes: Every Node can have Pods from different Namespaces from different IP Subnets / Topologies
• Firewall: Every Pod has DFW rules applied on its Interface
• Routing: High-performance East/West and North/South routing using NSX’s routing infrastructure
• Visibility and troubleshooting: The full suite of NSX-T troubleshooting tools works for pod networking
• IPAM: NSX-T provides IPAM services enabling policy-based dynamic IP allocation for all Kubernetes components
[Diagram: NSX / K8s topology with Namespace: foo and Namespace: bar on separate subnets (10.24.0.0/24, 10.24.1.0/24, 34.14.5.0/24).]
With most networking technologies, the source IP of the traffic can't be mapped to the tenancy. This is the biggest hurdle today to getting K8s integrated in enterprise IT environments.
NSX-T PKS Integration – Namespace/Topology Mapping
admin@k8s-master:~$ kubectl create namespace foo
namespace "foo" created
admin@k8s-master:~$ kubectl create namespace bar
namespace "bar" created
admin@k8s-master:~$ kubectl run nginx-foo --image=nginx -n foo
deployment "nginx-foo" created
admin@k8s-master:~$ kubectl run nginx-bar --image=nginx -n bar
deployment "nginx-bar" created
[Diagram: NSX / K8s topology with Namespace: foo and Namespace: bar, subnets 10.24.0.0/24, 10.24.1.0/24 and 10.24.2.0/24, K8s Masters, K8s nodes and a NAT boundary.]
NSX-T & PKS Integration
Firewalling in Kubernetes
• Micro-Segmentation in K8s: The data model to describe segmentation policies between Namespaces, and within namespaces, is called 'Network Policies' and was released in Kubernetes 1.7 (Beta in 1.6)
Firewalling in NSX / K8s
K8s Network Policy
• NSX could utilize K8s Network Policies to define Dynamic Security Groups & Policies.
• Capabilities are limited to K8s Network Policy capabilities.
Pre-Defined Label-based rules
• Security Groups & Policies could be predefined on NSX. Labels are used to specify Pod membership
• Mapping of IP-based groups, egress rules, VM-based matching could be available to be used in the policy definition
• The NSX / K8s integration intends to support both the pre-defined label-based rules and K8s network policy.
NSX-T & PKS Integration – Pods Micro-Segmentation
Option 1: Predefined Label Based Rules
admin@k8s-master:~$ kubectl label pods nginx-foo-3492604561-nltrf secgroup=web -n foo
Pod "nginx-nsx-3492604561-nltrf" labeled
admin@k8s-master:~$ kubectl label pods nginx-bar-2789337611-z09x2 secgroup=db -n bar
pod "nginx-k8s-2789337611-z09x2" labeled
admin@k8s-master:~$ kubectl get pods --all-namespaces -Lsecgroup
NAMESPACE NAME READY STATUS RESTARTS AGE SECGROUP
k8s nginx-foo-2789337611-z09x2 1/1 Running 0 58m web
nsx nginx-bar-3492604561-nltrf 1/1 Running 0 1h db
[Diagram: NSX / K8s topology, Namespace: foo and Namespace: bar on 10.24.0.0/24, 10.24.1.0/24 and 10.24.2.0/24 with a NAT boundary; the labelled pods fall into the Web and DB security groups.]
• Security Groups are defined in NSX with ingress and egress policy
• Each Security Group could be micro-segmented to protect Pods from each other
NSX-T & PKS Integration – Pods Micro-Segmentation
Option 2: K8s Network Policy
admin@k8s-master:~$ vim nsx-demo-policy.yaml
# extensions/v1beta1 is the API group shown on the slide (Kubernetes 1.7 era);
# current clusters serve NetworkPolicy from networking.k8s.io/v1 with the same spec
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: nsx-demo-policy
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          ncp/project: db
    ports:
    - port: 80
      protocol: TCP
admin@k8s-master:~$ kubectl create -f nsx-demo-policy.yaml
• Use Case: Using Network Policy, users can define firewall rules to allow traffic into and out of a Namespace, and between Pods. The network policy is a Namespace property. The default behavior is drop.
[Diagram: NSX / K8s topology, Namespace: foo and Namespace: bar on 10.24.0.0/24, 10.24.1.0/24 and 10.24.2.0/24 with a NAT boundary; the Web pods carry Label: app=web and the DB pods carry Label: app=db.]
NSX-T & PKS Integration – Pods Micro-Segmentation
$ kubectl create -f nsx-demo-policy.yaml
[Diagram: applying the policy triggers Dynamic Creation of Security Groups and Dynamic Creation of Security Policy based on the k8s Network Policy.]
Once the Network Policy is applied, NSX will dynamically create source & destination Security Groups and apply the right policy.
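The nsx-demo-policy from the Option 2 slide, evaluated the way Kubernetes itself applies NetworkPolicy ingress rules, as an added Python example that is not code from the deck, PKS or NSX-T. It assumes the policy was created in namespace foo; the pods, namespace labels and candidate flows are constructed sample data, and ipBlock peers and egress rules are not modelled. It shows the default-drop behaviour the slide describes: web pods accept only TCP/80 from pods in namespaces labelled ncp/project=db, while a pod no policy selects stays wide open.

```python
# Added example: NetworkPolicy ingress evaluation for the slide's nsx-demo-policy.
# Pods, namespace labels and flows are constructed; policy assumed in namespace foo.
from dataclasses import dataclass
from typing import Dict, List, Optional

# The slide's NetworkPolicy as a dict (same fields as the YAML). Assumption:
# it was created in namespace foo, where the web pods live.
NSX_DEMO_POLICY = {
    "metadata": {"name": "nsx-demo-policy", "namespace": "foo"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"ncp/project": "db"}}}],
            "ports": [{"port": 80, "protocol": "TCP"}],
        }],
    },
}

# Constructed namespace labels: only bar carries the ncp/project=db label.
NAMESPACE_LABELS = {"foo": {"ncp/project": "web"}, "bar": {"ncp/project": "db"}, "baz": {}}


@dataclass
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str]


# Constructed sample pods (names shortened from the slide's deployments).
PODS = [
    Pod("nginx-foo", "foo", {"app": "web"}),
    Pod("nginx-bar", "bar", {"app": "db"}),
    Pod("scanner", "baz", {"app": "scanner"}),
]


def matches(selector: Optional[dict], labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every selector key must be present with that value.
    An empty selector matches everything; an absent selector matches nothing."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_allows(peer: dict, src: Pod, policy_ns: str) -> bool:
    """One `from` entry. namespaceSelector and podSelector in the same entry are
    ANDed; a podSelector on its own is scoped to the policy's own namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = matches(ns_sel, NAMESPACE_LABELS.get(src.namespace, {}))
    if ns_sel is not None and pod_sel is not None:
        return ns_ok and matches(pod_sel, src.labels)
    if ns_sel is not None:
        return ns_ok
    if pod_sel is not None:
        return src.namespace == policy_ns and matches(pod_sel, src.labels)
    return False  # ipBlock peers are out of scope here


def port_allows(ports: Optional[List[dict]], port: int, proto: str) -> bool:
    """An absent or empty `ports` list means any port and protocol."""
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)


def ingress_allowed(policies: List[dict], src: Pod, dst: Pod, port: int, proto: str = "TCP") -> bool:
    """A pod selected by no policy in its namespace accepts everything. Once any policy
    selects it, only traffic matching some rule gets in; the rest is dropped."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and matches(p["spec"]["podSelector"], dst.labels)]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            if not port_allows(rule.get("ports"), port, proto):
                continue
            peers = rule.get("from")
            if not peers:  # a rule without `from` admits every source
                return True
            if any(peer_allows(peer, src, pol["metadata"]["namespace"]) for peer in peers):
                return True
    return False


# Constructed candidate flows: (source pod, destination pod, port, protocol).
SAMPLE_FLOWS = [
    ("nginx-bar", "nginx-foo", 80, "TCP"),   # db namespace -> web on TCP/80: allowed
    ("nginx-bar", "nginx-foo", 443, "TCP"),  # same peer, port not listed: dropped
    ("scanner", "nginx-foo", 80, "TCP"),     # namespace lacks ncp/project=db: dropped
    ("nginx-foo", "nginx-bar", 80, "TCP"),   # db pod selected by no policy: allowed
]


def evaluate(policies: List[dict], pods: List[Pod], flows) -> Dict[tuple, bool]:
    """Map each candidate flow to the verdict Kubernetes would give it."""
    by_name = {p.name: p for p in pods}
    return {f: ingress_allowed(policies, by_name[f[0]], by_name[f[1]], f[2], f[3]) for f in flows}


if __name__ == "__main__":
    for (src, dst, port, proto), ok in evaluate([NSX_DEMO_POLICY], PODS, SAMPLE_FLOWS).items():
        print(f"{src:>10} -> {dst:<10} {proto}/{port:<4} {'ALLOW' if ok else 'DROP'}")
```

The last flow is the point defenders most often miss: the db pod is reachable from anywhere until a policy in namespace bar selects it too.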
NSX-T & PKS Operational Tools
Why having a centralized SDN Controller enhances visibility
Most other networking technologies in K8s and PCF have no centralized controller, so there are no counters, troubleshooting tools, 'span ports', Firewall Rules Overview, etc.
With NSX-T you gain deep visibility into the container networks, and you can use the same troubleshooting tools we created for VM based workloads.
> Stay Connected.
csaunders@pivotal.io
jscanga@vmware.com
Mission Impossible: Deploying Pivotal Cloud Foundry to Nine Air Operational Sites in a Year
#springone@s1p

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 

Developer Secure Containers for the Cyberspace Battlefield

  • 1. Developer Secure Containers for the Cyberspace Battlefield Chris Saunders-Pivotal Federal Jason Scanga-VMware Federal
  • 2. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Evolution of Military Tactics-Mobility
  • 3. [image-only slide]
  • 4. Evolution of Military Tactics-Protection and Security
  • 5. We still build network security like a castle [diagram: Internet, VMs]
  • 6. Evolution of Military Tactics-Mission Command. “The concept of mission command/command and control allows subordinates to be innovative and operate independently according to clear orders, commander’s intent, and clearly articulated rules of engagement.” (URBAN OPERATIONS, Headquarters, Department of the Army / Headquarters, United States Marine Corps)
  • 7. Application Fielding With A DoD Customer
    • Request for Environment Creation
    • Systems and Network IT shops rack and stack infrastructure, install middleware, and supporting technologies
    • Request ticket for DNS and firewall changes
    • Testing for Verification & Acceptance
    • Environment available for application hosting in production
    • Fix issues/bugs
    • Open Change Control
    • Change Control Approval is Given
    • Implement Change Control
    • Rinse and Repeat
    Average Estimated Time: 3 months
  • 8. How Can We Help DoD IT Evolve?
  • 9. Platform hierarchy, bottom to top: Hardware, IaaS, Container Orchestrator, Application Platform, Serverless Functions. Strategic goal (portfolio optimization): push as many workloads as technically feasible to the top of the platform hierarchy. Trade-off shown on the diagram: higher flexibility and less enforcement of standards versus lower development complexity and higher operational efficiency. Choose the right tool for the job.
  • 10. Typical Customer Outcomes with Pivotal Cloud Foundry
    • Stability + Scalability: deliver enterprise SLAs and breakthrough operational efficiency (four layers of HA; zero downtime deployments; logging, metrics, and scaling; Linux + Windows Server)
    • Security: improve your security posture with built-in capabilities (“secure by default” containers; full-stack support; rapid fixes to CVEs; “repair, repave, rotate”)
    • Speed: deploy new code thousands of times a month (best platform for Spring Boot; container-ready; native Windows + .NET; fully integrated with CI/CD)
  • 11. What is PKS?
  • 12. Kubernetes. Kubernetes is an open-source platform designed to automate deploying, scaling, and operating application containers. With Kubernetes, you are able to quickly and efficiently respond to customer demand (https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/):
    • Deploy your applications quickly and predictably.
    • Scale your applications on the fly.
    • Roll out new features seamlessly.
    • Limit hardware usage to required resources only.
    • Manage your applications like cattle instead of pets.
  • 13. Kubernetes is a Runtime for Containerized Workloads [diagram: Dev / Apps use kubectl, IT / Ops use the Kubernetes Dashboard, App Users reach the apps; Kubernetes sits on Compute, Networking and Storage]
  • 14. ...but Kubernetes alone is not enough for enterprises. Missing around the cluster: Load Balancing / Routing; Container Image Registry; App Monitoring; App Logging; OS Updates; OS Images; K8S Updates; K8S Images; Log & Monitor; Recover & Restart; Backup & Restore; External Data Services; Cluster Provisioning; Provision & Scale; Command Line / API; Management GUI; Monitoring GUI.
  • 15. [build of slide 14, same content]
  • 16. Pivotal Container Service (PKS) provides what’s missing. The PKS Control Plane (pks CLI, Operations Manager, GCP Service Broker, vRealize Operations integration) supplies Load Balancing / Routing, Container Image Registry, App Logging, OS Updates and OS Images, K8S Updates and K8S Images, Log & Monitor, Recover & Restart, Backup & Restore, External Data Services, Cluster Provisioning, and Provision & Scale, alongside kubectl and the Kubernetes Dashboard for Dev / Apps and IT / Ops.
  • 17. Security In PKS
  • 18. Common CI/CD Pipelines for Federal: Dev on Low Side (AWS GovCloud), Prod on High Side (SIPR/JWICS). Pipeline stages (numbered 1-7 on the diagram): developers commit code to Version Control; Unit Tests, Static Analysis and Package produce an artifact in the Artifact Repository; deploy to PCF Development (Product Owner Acceptance) with Dynamic Analysis; deploy to PCF Staging (Integration and Acceptance) with End to End Tests (with real endpoints e.g. UFMS Dev/Test); Accepted? then the artifact crosses from WWW/NIPR to SIPR/JWICS through a Cross Domain Device (coming soon); Integrity Check into the high-side Artifact Repository; deploy to PCF Production (Blue/Green Deploy) with Smoke Tests and End to End Tests.
  • 19. A new security patch is released for Kubernetes. Pivotal releases a PKS patch for the CVE within a few hours. The Platform Operator can then apply the patch with no platform downtime.
  • 20. … or … automate it: Platform Ops execute a Concourse pipeline that verifies pre-reqs, verifies the current install, downloads the updated binaries from Pivotal Network, applies the config, performs rolling updates, and updates PKS.
  • 21. An enterprise-class registry server for Docker images: Role-Based Access Control (RBAC); LDAP/AD Integration; Image Vulnerability Scanning (Clair); Notary Image Signing; Policy-Based Image Replication; Graphical User Portal & RESTful API; Image Deletion & Garbage Collection; Auditing. Flow: Dev Team builds the image, pushes it to the Image Registry, the image is scanned for CVEs (Clair) and signed (Notary), then deployed with kubectl run; the registry enforces RBAC with UAA Auth and replication.
  • 22. How do we bake in Security?
  • 23. Networking and security capabilities:
    • Unified VM to Container Networking
    • On-demand network virtualization
    • Micro-segmentation
    • Full Network Visibility
    • Enterprise Support
    • Pod-Level Container Networking
    • Load Balancing
    • Network Security policies
    • Tenant-level isolation
    • Unique logical switch per K8s namespace
  • 24. Multi-Tenancy. PKS Control Plane (Harbor, GCP SB, NSX-T, BOSH) managing several Kubernetes clusters, each with Master, etcd and Workers. How to isolate and secure access from different tenants?
  • 25. Deployment Topologies & Multi-Tenancy. Multi-cluster (cluster-based): the PKS Control Plane deploys K8s Cluster A, B and C via BOSH, separated by NSX-T. Single cluster (namespace-based): one K8s cluster deployed via BOSH, with tenants separated as Namespace A, B and C.
  • 26. Confidential │ ©2018 VMware, Inc. PKS Technical Overview – NSX-T. Physical Infrastructure; vSphere, vSAN, NSX-T; BOSH; Service Broker(s); Container Registry; PKS Control Plane; Kubernetes Clusters (master, etcd, worker); Wavefront by VMware; vRealize Automation; vRealize Log Insight; vRealize Operations; vRealize Network Insight.
  • 27. Kubernetes NSX Topology [diagram: Namespace foo, Namespace bar; subnets 10.24.0.0/24, 10.24.1.0/24, 34.14.5.0/24]. NSX / K8s topology:
    • Namespaces: NSX-T builds a separate network topology per K8s namespace
    • Pods: every Pod has its own logical port on an NSX logical switch dedicated to its namespace
    • Nodes: every Node can have Pods from different Namespaces, i.e. from different IP subnets / topologies
    • Firewall: every Pod has DFW rules applied on its interface
    • Routing: high-performance East/West and North/South routing using NSX’s routing infrastructure
    • Visibility and troubleshooting: the full suite of NSX-T troubleshooting tools works for pod networking
    • IPAM: NSX-T provides IPAM services enabling policy-based dynamic IP allocation for all Kubernetes components
  • 28. With most networking technologies, the source IP of the traffic can't be mapped to the tenancy. This is the biggest hurdle today to get K8s integrated in enterprise IT environments.
  • 29. NSX-T PKS Integration – Namespace/Topology Mapping
    admin@k8s-master:~$ kubectl create namespace foo
    namespace "foo" created
    admin@k8s-master:~$ kubectl create namespace bar
    namespace "bar" created
    admin@k8s-master:~$ kubectl run nginx-foo --image=nginx -n foo
    deployment "nginx-foo" created
    admin@k8s-master:~$ kubectl run nginx-bar --image=nginx -n bar
    deployment "nginx-bar" created
    [diagram: NSX / K8s topology with Namespace foo, Namespace bar, subnets 10.24.0.0/24, 10.24.1.0/24, 10.24.2.0/24, a NAT boundary, K8s nodes and K8s Masters]
  • 30. NSX-T & PKS Integration
    • Firewalling in Kubernetes: the data model to describe segmentation policies between Namespaces, and within namespaces, is called ’Network Policies’ and is released in Kubernetes 1.7 (Beta on 1.6).
    • K8s Network Policy: NSX could utilize K8s Network Policies to define Dynamic Security Groups & Policies. Capabilities are limited to K8s Network Policy capabilities.
    • Pre-Defined Label based rules: Security Groups & Policies could be predefined on NSX. Labels are used to specify Pod membership. Mapping of IP based groups, egress rules and VM based matching could be available to be used in the policy definition.
    • Firewalling in NSX / K8s: the NSX / K8s integration intends to support both the pre-defined label based rules and K8s network policy.
  • 31. NSX-T & PKS Integration – Pods Micro-Segmentation, Option 1: Predefined Label Based Rules
    admin@k8s-master:~$ kubectl label pods nginx-foo-3492604561-nltrf secgroup=web -n foo
    pod "nginx-foo-3492604561-nltrf" labeled
    admin@k8s-master:~$ kubectl label pods nginx-bar-2789337611-z09x2 secgroup=db -n bar
    pod "nginx-bar-2789337611-z09x2" labeled
    admin@k8s-master:~$ kubectl get pods --all-namespaces -Lsecgroup
    NAMESPACE   NAME                         READY   STATUS    RESTARTS   AGE   SECGROUP
    foo         nginx-foo-3492604561-nltrf   1/1     Running   0          1h    web
    bar         nginx-bar-2789337611-z09x2   1/1     Running   0          58m   db
    [diagram: NSX / K8s topology, Web in Namespace foo and DB in Namespace bar, subnets 10.24.0.0/24, 10.24.1.0/24, 10.24.2.0/24, NAT boundary]
    • Security Groups are defined in NSX with ingress and egress policy
    • Each Security Group could be micro-segmented to protect Pods from each other
  • 32. NSX-T & PKS Integration – Pods Micro-Segmentation, Option 2: K8s Network Policy
    admin@k8s-master:~$ vim nsx-demo-policy.yaml
    apiVersion: extensions/v1beta1
    kind: NetworkPolicy
    metadata:
      name: nsx-demo-policy
    spec:
      podSelector:
        matchLabels:
          app: web
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              ncp/project: db
        ports:
        - port: 80
          protocol: TCP
    admin@k8s-master:~$ kubectl create -f nsx-demo-policy.yaml
    • Use Case: using Network Policy, users can define firewall rules to allow traffic into and out of a Namespace, and between Pods. The network policy is a Namespace property. Once a Pod is selected by a policy, the default behavior is drop.
    [diagram: NSX / K8s topology, Web (label app=web) in Namespace foo and DB (label app=db) in Namespace bar, subnets 10.24.0.0/24, 10.24.1.0/24, 10.24.2.0/24, NAT boundary]
  • 33. NSX-T & PKS Integration – Pods Micro-Segmentation. $ kubectl create -f nsx-demo-policy.yaml: once the Network Policy is applied, NSX will dynamically create source & destination Security Groups and apply the right policy (dynamic creation of Security Groups; dynamic creation of Security Policy based on the k8s Network Policy).
  • 34. NSX-T & PKS Operational Tools: why having a centralized SDN controller enhances visibility. With most other networking technologies in K8s and PCF there is no centralized controller, so there are no counters, troubleshooting tools, 'span ports', firewall rules overview, etc.
  • 35. NSX-T & PKS Operational Tools: why having a centralized SDN controller enhances visibility. With NSX-T you gain deep visibility into the container networks, and you can use the same troubleshooting tools we created for VM-based workloads.
  • 36. > Stay Connected. csaunders@pivotal.io jscanga@vmware.com. Mission Impossible: Deploying Pivotal Cloud Foundry to Nine Air Operational Sites in a Year. #springone @s1p
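To make the ingress semantics of the slide-32 NetworkPolicy concrete (podSelector, namespaceSelector, ports, and "default is drop" once a Pod is selected), here is an added example, not code from the deck or from PKS/NSX-T, that evaluates such a policy against a constructed inventory; the pods, the third namespace "baz" and the namespace label values are assumptions, while ncp/project, the app labels and nsx-demo-policy follow the slides. It also handles the general from/ports rule forms beyond the single rule on the slide.

```python
"""NetworkPolicy ingress evaluation (slide 32 semantics), runnable offline. Added
example, not from the deck: pods, the 'baz' namespace and namespace labels are
assumptions; ncp/project, app labels and nsx-demo-policy follow the slides."""
# Constructed inventory: namespace labels and pods across three namespaces.
NAMESPACES = {
    "foo": {"ncp/project": "web"},
    "bar": {"ncp/project": "db"},
    "baz": {},                                   # no project label at all
}
PODS = {
    "nginx-foo": {"namespace": "foo", "labels": {"app": "web"}},
    "nginx-bar": {"namespace": "bar", "labels": {"app": "db"}},
    "other-foo": {"namespace": "foo", "labels": {"app": "other"}},
    "scanner":   {"namespace": "baz", "labels": {"app": "scanner"}},
}
# The slide's NetworkPolicy, created in namespace foo (only ingress + matchLabels modelled).
NSX_DEMO_POLICY = {
    "metadata": {"name": "nsx-demo-policy", "namespace": "foo"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"ncp/project": "db"}}}],
            "ports": [{"port": 80, "protocol": "TCP"}],
        }],
    },
}

def matches(selector, labels):   # matchLabels: every key/value must be present; {} matches all
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, src, policy_ns):
    """A 'from' peer: namespaceSelector alone = any pod in matching namespaces;
    podSelector alone = matching pods in the policy's own namespace; both = AND."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                             # ipBlock peers are not modelled
    ns_ok = (src["namespace"] == policy_ns if ns_sel is None
             else matches(ns_sel, NAMESPACES.get(src["namespace"], {})))
    return ns_ok and (pod_sel is None or matches(pod_sel, src["labels"]))

def ingress_allowed(policies, src, dst, port, proto="TCP"):
    """True if src -> dst:port/proto may pass. A pod selected by no policy in
    its namespace accepts everything; once selected, only ingress explicitly
    whitelisted by some rule passes (the 'default is drop' on slide 32)."""
    selecting = [p for p in policies if p["metadata"]["namespace"] == dst["namespace"]
                 and matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):  # rules are OR-ed together
            peers, ports = rule.get("from", []), rule.get("ports", [])
            peer_ok = not peers or any(peer_allows(pe, src, dst["namespace"]) for pe in peers)
            port_ok = not ports or any(pp["port"] == port and pp.get("protocol", "TCP") == proto
                                       for pp in ports)
            if peer_ok and port_ok:                  # within one rule, from AND ports
                return True
    return False

def verdict(src_name, dst_name, port=80):
    """Convenience wrapper over the constructed inventory and the slide's policy."""
    return ingress_allowed([NSX_DEMO_POLICY], PODS[src_name], PODS[dst_name], port)

if __name__ == "__main__":                       # full verdict table on port 80
    for s, d in ((s, d) for s in PODS for d in PODS if s != d):
        print(f"{s:>10} -> {d:<10}:80", "ALLOW" if verdict(s, d) else "DROP")
```

Note that other-foo, although in the same namespace as the web Pod, is dropped because the rule keys on the namespace label ncp/project=db, and that Pods not selected by any policy (other-foo, nginx-bar) still accept traffic from everywhere.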