Tetrate is excited to be participating at KubeCon + CloudNativeCon Europe 2023 from April 19 – 21, 2023 in Amsterdam, The Netherlands. The Cloud Native Computing Foundation’s flagship conference gathers adopters and technologists from leading open source and cloud native communities. Be sure to stop by our Booth #S98 to learn from and connect with our onsite team!
REQUEST A MEETING
The Tetrate team of experts and engineers will be available for a demo and to discuss how our Application Connectivity and Security platform can support your application networking needs.
Tetrate is thrilled to be the platinum sponsor of Istio Day Europe 2023, taking place on April 18th. This event provides a deep dive into open source Istio – the industry’s most popular service mesh. Industry experts and project maintainers from across the ecosystem will deliver thought leadership, lessons learned and actionable insight from deploying Istio in production as well as provide hands-on training and tutorials. This is a great way to deepen your understanding of the service mesh and the value it can bring to your organization.
Tetrate is partnering with Sysdig, Snyk and Chainguard to host an evening of networking at the Heineken Experience after-hours party on Tuesday, April 18th from 18:00 – 21:00. The event will be located at the Heineken Brewery, Stadhouderskade 78, 1072AE, Amsterdam, The Netherlands.
Enjoy great food and beverages as well as provocative presentations by leading open source security vendors. Zack Butcher, Tetrate Founding Engineer, will also be on hand to discuss the updated Service Mesh Handbook.
ENVOY MOVIE PREMIERE
The world premiere of the Envoy documentary, featuring Tetrate co-founder Varun Talwar, is happening at KubeCon + CloudNativeCon EU and is a must-attend experience!
Join Varun Talwar and the Tetrate team on Thursday, April 20th from 18:15 – 19:00 in the Forum Centre for Inside Envoy – The Proxy for the Future, a captivating documentary that delves into the origins and rapid ascent of one of the most significant open source projects in the community today.
CHECK OUT OUR TALKS
We are excited to be involved in multiple program streams this year, including the following talks during the Istio Day co-located event and KubeCon + CloudNativeCon.
Istio for Controls Compliance
Istio’s mTLS gets talked about a lot for security and compliance — but it’s only a tiny piece of the puzzle. In this talk, Zack Butcher — a NIST co-author on microservice security standards and zero trust — will break down how Istio can be used to satisfy controls for all kinds of regulatory regimes. We’ll look at specific use cases of folks using Istio to help implement a variety of controls for PCI DSS, FedRAMP, and GDPR compliance in production.
Finally, we’ll take a forward look at an upcoming NIST Special Publication on Zero Trust (which Zack is co-authoring) and discuss how Istio can be used as a stepping stone from a traditional perimeter-based security model to a modern identity-based model. You’ll leave this talk with a solid understanding of the types of controls Istio can be used to implement, how to actually implement a variety of them, and how Istio can be used to iterate forward on your security posture.
KubeCon + CloudNativeCon
Envoy Gateway Update
Come hear about updates on Envoy Gateway, the OSS Envoy ingress controller that the community has been working on!
Revamping Kubernetes with Contextual and Structured Logging, a Deep Dive
Kubernetes is undergoing fundamental changes in its logging infrastructure to emit structured logs containing references to Kubernetes objects and the context of a log entry, making logging in Kubernetes uniform and machine-readable and bringing more automation to Kubernetes monitoring. Much effort has gone into enhancing klog and migrating Kubernetes components to achieve structured and contextual logging. We aim to cover a deep dive into the changes, a demo comparing performance, and seamless log ingestion with log collection agents like Fluent Bit. The work affects the complete Kubernetes code base and needs collaboration between maintainers of different SIGs.
This talk will make adopting best practices easy as we advance. We welcome everyone contributing to Kubernetes or interested in understanding the modern way of Kubernetes logs collection. New contributors are most welcome as it gives a good starting point to familiarize themselves with the Kubernetes code base.
Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
Security incident response is a well-understood operation, with established best practices like the MITRE ATT&CK Framework and the Lockheed Martin Kill Chain. Tooling to aid and automate incident response exists, but not all of it is applicable to cloud-native platforms. For example, playbook apps are generally applicable, but the steps to move compromised workloads to an isolated forensics network are platform-specific, and new implementations are needed for the cloud-native world.
In this talk, Francesco and Matt will:
* Recap incident response 101
* Introduce some cloud-native tech including Kubernetes, Istio, and GitOps
* Show an Operator built by Matt for dynamically adding complex layer-7 traffic rules in response to changes in the environment, which will be used as part of the demo
* Walk you through a response to a Log4Shell attack against a workload in a k8s cluster: sensor alert, SIEM analysis, IRP automation (honeypots, isolation), building the IoC, and killing the attack.
Safe, Dynamic Middleware with Dapr and WebAssembly
Join us for a practical talk on how the Dapr event-driven runtime implements dynamic extensions with WebAssembly. We’ll cover how things work in general, as well as the rationale and a peek into the implementation. When you leave, you’ll have a good idea of how WebAssembly lets you extend cloud native architecture without RPC. Dapr allows custom processing pipelines to be defined by chaining a series of middleware components. A request goes through all defined middleware components before it’s routed to user code, and backwards through the same components before a response is returned to the client.
This talk shows how custom HTTP middleware can be used without changing the Dapr binary, using WebAssembly technology. Dapr loads these dynamically and without requiring any system dependencies or RPC services. Specifically, we’ll review the http-wasm application binary interface (ABI) which SDKs implement, and how this relates to other ABIs like proxy-wasm or waPC. We’ll cover how the middleware works, including the wazero runtime which Dapr embeds to run wasm without system dependencies. Finally, we’ll chat about how this fits into Dapr’s long-term strategy for extensibility.
Apiserver-Only Clusters for Fun and Profit
Kubernetes is a very extensible system, to the point that the apiserver and database can be run on their own. In this configuration there’s no controller-manager or scheduler, and no support for actually running workloads. However, these components still support CRDs and Operators. This makes them a perfect host for lightweight control planes for other systems.
In this talk, Matt will show how an Operator can run on just a bare-bones control plane. The control plane cannot run workloads and the Operator (Istio, in this case) doesn’t deal with anything in the cluster. However, together they function as a small, lightweight unit providing services outside the cluster. Matt will explain the theory of this style of deployment, and how to set it up yourself. He will show a demo using the Istio control plane, which will provide networking services to a set of VMs (as there is no cluster).
The Top 10 List of Istio Security Risks and Mitigation Strategies
CNCF is developing its first-ever Top 10 list of security risks facing Istio deployments. As a community-driven effort, it draws on the expertise of a wide range of security professionals and cloud native computing experts to ensure the list reflects the most current and relevant security risks facing cloud native applications.
The Top 10 will help organizations prioritize their security efforts and focus on the most significant security risks that they may face. By understanding and addressing these risks, organizations can better protect against malicious attacks, data breaches, and other security incidents.
In this talk we’ll cover what’s in the list and the selection criteria for it, and discuss strategies organizations should take to mitigate these critical risks to cloud native computing security.
WE ARE HIRING!
If you are passionate about cloud native technologies like containers, K8s, Istio, Envoy Proxy, GraphQL, eBPF, serverless functions, and more, then Tetrate.io is the place for you! Be sure to check out the Careers page, or chat with us in person!