Shopify and Security, with Jon Pulsifer

Kubernetes Podcast from Google

Date: Tue, 21 Aug 2018 16:26:35 +0000

<p><a href="https://twitter.com/jonpulsifer">Jon Pulsifer</a> is a Production Security Engineer at <a href="https://shopify.com/">Shopify</a>, and Canada’s biggest Kubernetes fan. <a href="https://kubernetespodcast.com/about">Adam and Craig</a> dig into why, and what Adam’s new mode of transport is going to be.</p>
<p>Do you have something cool to share? Some questions? Let us know:</p>
<ul>
  <li>web: <a href="https://kubernetespodcast.com">kubernetespodcast.com</a></li>
  <li>mail: <a href="mailto:kubernetespodcast@google.com">kubernetespodcast@google.com</a></li>
  <li>twitter: <a href="https://twitter.com/kubernetespod">@kubernetespod</a></li>
</ul>
<h3 id="chatter">Chatter</h3>
<ul>
  <li><a href="https://kubernetes.io/case-studies/slingtv/">Sling TV using Kubernetes</a>
    <ul>
      <li><a href="https://twitter.com/asynchio/status/1029050398844186624">Tesla using Kubernetes?</a></li>
    </ul>
  </li>
  <li><a href="https://mitmproxy.org/">MITMproxy</a>, <a href="https://www.charlesproxy.com/">Charles</a> and <a href="https://www.telerik.com/fiddler">Fiddler</a>
    <ul>
      <li><a href="https://www.herebedragons.io/intercept-docker-traffic">Intercept HTTP traffic exiting a Docker container</a></li>
    </ul>
  </li>
  <li>Adam has a lot of <a href="https://www.choicehotels.com/econo-lodge">EconoLodge</a> points
    <ul>
      <li>Not as many as <a href="http://www.softwaredefinedtalk.com/">Software Defined Talk</a> hosts <a href="https://twitter.com/mattray">Matt Ray</a> and <a href="https://twitter.com/cote">Michael Coté</a></li>
      <li>Craig thinks he should spend them on the <a href="https://en.wikipedia.org/wiki/Leonard_v._Pepsico,_Inc.">Pepsi jet</a> as seen in this <a href="https://youtu.be/ZdackF2H7Qc?t=14">wonderful video</a></li>
    </ul>
  </li>
</ul>
<h3 id="news-of-the-week">News of the week</h3>
<ul>
  <li><a href="https://blog.gojekengineering.com/service-networking-in-a-hybrid-infrastructure-30030c71f6eb">Service Networking in a Hybrid Infrastructure</a> by <a href="https://twitter.com/_praveenshukla">Praveen Shukla</a> from GoJek</li>
  <li><a href="https://www.lfasiallc.com/events/kubecon-cloudnativecon-china-2018/">KubeCon and CloudNativeCon China</a>
    <ul>
      <li><a href="http://sched.co/FuLm">Craig’s session</a></li>
    </ul>
  </li>
  <li><a href="https://cloud.google.com/blog/products/gcp/7-best-practices-operating-containers">7 best practices for operating containers</a> by Théo Chamley from Google Cloud</li>
  <li><a href="https://formulae.brew.sh/formula/kustomize">kustomize on Homebrew for macOS</a></li>
  <li><a href="https://medium.com/google-cloud/understanding-the-container-storage-interface-csi-ddbeb966a3b">Understanding the Container Storage Interface (CSI)</a> by Anoop Vijayan Maniankara</li>
  <li>The <a href="https://www.twitch.tv/videos/298514646##">Istio 1.0 Release Stream</a>, or jump straight to <a href="https://www.twitch.tv/videos/298514646?t=02h19m50s">the part with Dan Ciruli</a> from <a href="https://kubernetespodcast.com/episode/015-istio/">episode 15</a></li>
</ul>
<h3 id="links-from-the-interview">Links from the interview</h3>
<ul>
  <li><a href="http://www.navy-marine.forces.gc.ca/en/index.page">Royal Canadian Navy</a> - Canadian Forces NOC</li>
  <li><a href="https://www.sans.org/">SANS Institute</a> and its <a href="https://www.sans.org/instructors/">instructors</a></li>
  <li><a href="https://twitter.com/jonpulsifer">Jon Pulsifer</a> is a Production Security Engineer at <a href="https://shopify.com/">Shopify</a>
    <ul>
      <li><a href="https://engineering.shopify.com/blogs/engineering/why-shopify-moved-to-the-production-engineering-model">Why Shopify Moved to The Production Engineering Model</a></li>
      <li><a href="https://code.fb.com/category/production-engineering/">Production Engineering from Facebook</a></li>
      <li><a href="https://landing.google.com/sre/">SRE from Google</a></li>
      <li><a href="https://www.shopify.com/careers/production-engineering-scalability-and-reliability-799a7d">They’re hiring!</a></li>
    </ul>
  </li>
  <li><a href="https://engineering.shopify.com/blogs/engineering/shopify-infrastructure-collaboration-with-google">Shopify adopting Kubernetes and Google Cloud</a></li>
  <li>The evolution of Kubernetes security
    <ul>
      <li>Before RBAC, you used to have to <a href="https://github.com/kubernetes/kubernetes/issues/16779">mount an empty directory over the service account token</a> to block a pod’s access to it</li>
      <li><a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">seccomp and AppArmor</a></li>
      <li><a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">RBAC</a></li>
      <li><a href="https://kubernetes.io/docs/concepts/policy/pod-security-policy/">PodSecurityPolicy</a></li>
      <li><a href="https://github.com/google/gvisor">gVisor</a> and <a href="https://katacontainers.io/">Kata Containers</a></li>
      <li><a href="https://docs.google.com/document/d/1QQ5u1RBDLXWvC8K3pscTtTRThsOeBSts_imYEoRyw8A/edit">Planning for Secure Container Isolation in Kubernetes</a></li>
      <li><a href="https://github.com/kubernetes/community/blob/master/keps/sig-node/0014-runtime-class.md">RuntimeClass</a> enhancement proposal</li>
    </ul>
  </li>
  <li><a href="https://cloud.google.com/binary-authorization/">Binary Authorization</a>
    <ul>
      <li><a href="https://cloud.google.com/blog/products/identity-security/deploy-only-what-you-trust-introducing-binary-authorization-for-google-kubernetes-engine">Launch blog post</a></li>
      <li><a href="https://grafeas.io/docs/concepts/what-is-kritis/overview.html">Kritis</a> - open source reference implementation of Binary Authorization (the judge)</li>
      <li><a href="https://grafeas.io/">Grafeas</a> - API spec for the Container Analysis API</li>
      <li><a href="https://github.com/shopify/voucher">Shopify Voucher</a>, a tool that creates attestations for Binary Authorization and prevents the deployment of images that don’t meet Shopify’s security requirements</li>
      <li>Jon’s talk on Binary Authorization at Google Cloud Next: <a href="https://cloud.withgoogle.com/next18/sf/sessions/session/156125">Securing the Software Supply Chain</a></li>
    </ul>
  </li>
  <li><a href="https://hackerone.com/reports/341876">Shopify’s $25,000 Kubernetes bug bounty payout</a>
    <ul>
      <li><a href="https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF">What is a server-side request forgery?</a></li>
    </ul>
  </li>
  <li>Getting started with security by reading <a href="https://kubesec.io/">kubesec.io</a></li>
  <li>Around Ottawa
    <ul>
      <li><a href="https://www.meetup.com/Kubernetes-Ottawa/">Kubernetes Ottawa meetup</a></li>
      <li><a href="https://www.meetup.com/Google-Cloud-Platform-Meetup-Ottawa/">GDG Cloud Ottawa</a></li>
      <li><a href="https://twitter.com/JonPulsifer/status/996165245642166275">Jon’s car</a></li>
    </ul>
  </li>
  <li><a href="https://twitter.com/jonpulsifer">Jon Pulsifer on Twitter</a></li>
</ul>
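<p>The pre-RBAC trick listed under "The evolution of Kubernetes security" (mounting an empty directory over the service account token) shown beside the field Kubernetes later added for the same purpose. These are constructed manifests added here as an illustration, not from the podcast, Shopify, or the linked issue; the image name is a placeholder.</p>

```yaml
# Added example: two ways to keep a pod's workload from picking up its
# service account token. Constructed manifests; the image is a placeholder.

# 1. The pre-RBAC workaround referenced in the show notes: mount an emptyDir
#    over the path where the kubelet projects the token, so the container
#    sees an empty directory instead of the credential.
apiVersion: v1
kind: Pod
metadata:
  name: no-token-legacy
spec:
  containers:
    - name: app
      image: example.invalid/app:1.0   # placeholder image
      volumeMounts:
        - name: no-sa-token
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          readOnly: true
  volumes:
    - name: no-sa-token
      emptyDir: {}
---
# 2. The supported way: ask the kubelet not to mount the token at all.
#    Set it on the Pod (shown here) or on the ServiceAccount object so it
#    applies to every pod that uses that account; combine with RBAC so a
#    token that is mounted still grants only the permissions the pod needs.
apiVersion: v1
kind: Pod
metadata:
  name: no-token-modern
spec:
  automountServiceAccountToken: false
  containers:
    - name: app
      image: example.invalid/app:1.0   # placeholder image
```

To confirm either variant did what you expect, run <code>kubectl exec &lt;pod&gt; -- ls /var/run/secrets/kubernetes.io/serviceaccount</code>: in the legacy pod the listing is empty, and in the modern pod the directory does not exist.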