CNCF-hosted Co-located Events North America 2024

NVIDIA has embarked on an innovative journey to streamline their Kubernetes operations by leveraging the power of Python CDK, GitOps, and various cutting-edge tools. In this session, we will explore why NVIDIA chose Python CDK as their Infrastructure as Code (IaC) tool for creating EKS clusters We will examine the implementation of a GitOps mechanism for EKS Fleet Management using ArgoCD ApplicationSets, known as the GitOps-Bridge for Addons. Learn how NVIDIA is onboarding application teams through GitOps, managing Tenant/Namespace ArgoCD Projects, and utilizing Helm Charts for application delivery and centralizing application Helm Charts. The talk will cover the integration of External Secret Operator (ESO) with Vault for secrets management, and how teams are onboarded with GitOps for secure secret management. Additionally, we'll discuss NVIDIA's ongoing experiments with GitOps for AWS Infrastructure using Crossplane, and their future plans to implement Backstage.

Managing large-scale batch workflows efficiently is critical for AI/ML workloads. Data preparation for training or fine tuning models can involve a large number of steps. These make for excellent Argo workflows. But Argo faces the etcd limitation of the 1.5MB object size. This limitation restricts the ability of Argo to run truly large-scale workflows. This talk will delve into the intricacies of this limitation and its impact on AI/ML workflows. We will illustrate with examples how this has been a non-deterministic and frustrating bottleneck for users. To address this challenge, Argo introduced a feature that circumvents the etcd object size restriction. By offloading the bulk of the workflow status to an RDBMS and only storing the reference in etcd, Argo maintains its scaling capabilities still adhering to Kubernetes' limitations. This talk will provide a comprehensive guide on configuring and utilizing the Argo offloading feature in AWS using Aurora Postgres RDS and EKS.

The Argo CD UI is renowned for its powerful capabilities, but granting users full-time control over applications in production environments can present significant risks. Direct mutations from the UI can disrupt GitOps practices and induce state drift, making issues difficult to debug. In this talk, we will delve into the challenges posed by Argo CD UI's powerful features and how we are addressing them to ensure safer and more compliant operations at scale. We will introduce a new Argo CD extension that enables ephemeral UI access, aimed at reducing risk, improving change management tracking, and minimizing Mean Time to Recovery (MTTR). This extension also enables integration with various compliance requirements, such as change request creation. Join us to learn how to effectively manage Argo CD UI capabilities while enhancing safety and compliance.

Seccomp has long been a critical security feature in the Linux kernel, as a powerful tool for access control. With the emergence of eBPF, the landscape of kernel security has started evolving rapidly. It offers opportunities for improving and extending security policies. In this talk we will show how to achieve some of seccomp's capabilities and extend them using eBPF and KRSI in security use cases. The talk will give an overview of Seccomp in general and in Kubernetes, focus on its importance in securing containerized workloads. We will review applicable eBPF capabilities, showing how it changes the way we can inspect and filter syscalls at runtime. We will introduce KRSI and LSM, showing how they can enhance kernel security. The session will end with a demo of our PoC that leverages eBPF and KRSI to create a modern alternative to seccomp. Illustrating a real-world option, will provide attendees with practical knowledge on how to reinvent Seccomp for enhanced security.

Having strong observability is key to understanding the inner workings of your workflows.

This talk dives deep into how observability empowers you to efficiently understand your workflows. We'll explore how to answer critical questions about your running workflows, including:
- What's the current state of my workflow?
- Are there any bottlenecks or resource constraints?
- How long are specific steps taking to execute?

We'll demonstrate practical techniques, including:
- Adding custom traces for tailored insights
- Leveraging built-in default metrics for immediate visibility
- Converting traces to metrics for observability of critical paths

Get a sneak peek at the upcoming Workflow Traceability feature! We'll showcase its ability to provide a granular view of your workflow execution, allowing you to pinpoint issues with laser focus. Learn how you can add your own spans into the overall workflow trace.

The techniques used to increase IPSec network performance are often kept as secrets because they act as a competitive advantage and a lucrative product offering. This talk transparently presents a technique for massively boosting IPSec performance that is simple to implement (less than 200 lines of C), and based entirely on open-source work. An early Proof of Concept (POC) implementation showed an increase in p99 throughput by 412%! This talk will take a deep-dive into how it all works, covering: the implementation, the pros and cons of the design, and an analysis of benchmark results. As transparent encryption becomes more crucial for securing data in transit, we hope this talk will enable users required to use IPSec for compliance or infrastructure reasons to learn how to speed up their network without having to compromise their security.

ArgoCD has the capability to manage more then one cluster, the question is how to securely connect to those remote clusters? This session will explore how to securely connect your remote clusters, regardless of if they're cloud managed or on-prem, using ArgoCD's own native Kubernetes identity through a token exchange to get an identity for that remote cluster. We'll start with the challenge of connecting to remote clusters securely, detail how token exchange works, then walk through updating the ArgoCD container with custom tools, creating Secrets to represent remote clusters, and ApplicationSets to generate the Application without any static tokens. The session will demo management of cloud hosted clusters, on-prem clusters, and clusters that support Kubernetes' beta of AuthenticationConfiguration in 1.30. By the end of this session you'll see where the configuration points are in ArgoCD to secure your GitOps infrastructure without relying on a single cloud provider's IAM.

In the rapidly evolving financial services landscape, the ability to innovate at scale is crucial for maintaining a competitive edge and meeting customer expectations. This talk delves into the strategic, product and technical aspects of creating and managing developer platforms aka shield platform in U.S. Bank that drives innovation, enhance efficiency, and support scalable growth to achieve business goals such as cloud migration , digital transformation etc. The Shield Platform (an internal development platform) is a set of curated services to mitigate common challenges involved with building software. It does this by providing a series of frameworks, integrations, and automations to deliver applications and infrastructure to the cloud. Each service provided within the platform supplies its own controls and guardrails in accordance to security and compliance best practices. We will walk through our journey to build secure & reliable internal developer platform.

A lot of eBPF programs fall into the category of observing the Linux system, i.e the kernel, system libraries or user-space programs. For the purpose of observing the system, we mostly rely on reading memory with eBPF, either kernel or user-space memory. However, sometimes various eBPF use cases require writing memory, for example propagating W3C context for various application protocols. This talk focuses on our journey to implement W3C trace context propagation with eBPF at various levels of the protocol stack. We explore what memory write eBPF APIs are available to us today, along with their implications to system security, stability, required permissions and implementation difficulty. We’ll present two working solutions with their pros and cons, a lot of dead ends, as well as explore what a new approach might look like by leveraging the “BPF arena” feature in kernel 6.9.