The recent Container Days Hamburg conference featured a wide range of industry attendees and a lot of super informative presentations. Even the food was good! It seems Germans excel not only at car manufacturing and engineering but also at event catering. KubeCon take notes!

Standard exhibitors such as Camptocamp, Isovalent, Sysdig and SUSE were present doing their thing: showcasing their products and services in the exhibition area, giving away swag, and exchanging ideas.

It featured a diverse range of talks, covering application development, operations, AI and machine learning, networking, security, and edge computing. The sessions offered practical insights for both developers and engineers, highlighting key trends and challenges in cloud-native environments.

My top 3 favorite presentations were:

1. Continuous Security Testing with OWASP secureCodeBox in Kubernetes

The presentation by Jannik Hollenbach focused on the OWASP secureCodeBox, a powerful toolkit for automating and running security scanning tools in Kubernetes environments. The secureCodeBox runs as a Kubernetes operator, using custom resource definitions (CRDs) to define scan jobs. This open source project enables continuous security testing by integrating various scanning tools such as Nmap, ZAP, Nuclei and Trivy.

One of its most notable capabilities is auto discovery, which can identify components running in a Kubernetes cluster and automatically initiate appropriate scans. For instance, it can run Trivy scans on all container images to check for vulnerabilities and dependencies, or use ZAP to scan services with HTTP ports. Even though I haven’t tested this yet, the solution feels pretty much plug and play.
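To make the "CRDs define scan jobs" idea concrete, here is an added example (not from the talk or the project's documentation) of a secureCodeBox ScheduledScan resource that re-runs a Trivy image scan on a fixed interval. The scan type name and the target image are assumptions; check the scanner charts installed in your cluster for the exact names.

```yaml
# Added example: a secureCodeBox ScheduledScan custom resource.
# The operator watches this CRD and, every `interval`, creates a Scan
# (and the Kubernetes Job behind it), so the image is re-checked as new
# vulnerabilities are published instead of being scanned once at build time.
apiVersion: "execution.securecodebox.io/v1"
kind: ScheduledScan
metadata:
  name: nginx-image-trivy          # constructed name
  namespace: default
spec:
  interval: 24h                    # re-run daily; the operator keeps the Scan history
  scanSpec:
    scanType: "trivy-image"        # assumed scan type name of the Trivy scanner chart
    parameters:
      - "nginx:1.25"               # constructed target image; use your own registry image
```

Apply it with `kubectl apply -f`, then `kubectl get scans` shows the scans the operator creates from the schedule and their state.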

2. Lessons learnt from implementing GitOps and Continuous Delivery at scale

When managing 100+ Kubernetes clusters and dealing with 100+ diverse sources for applications, mainstream GitOps tools can run into performance and security issues. SUSE presented use cases where the complexity of implementing GitOps and Continuous Delivery increases exponentially with scale, requiring tailored strategies and tools.

The alternative architectures proposed during the presentation put emphasis on delegating responsibilities to in-cluster agents instead of the more classical centralized solutions for CD. The presenters also argued that pull-based update mechanisms and flexible synchronization strategies are vital for managing the vast array of applications from different sources, enabling more controlled and staged rollouts of updates across thousands of clusters.

The presenters encouraged the audience to give Rancher Fleet a try. It is a simple, ascetic solution to deployment management. Its creators define it as a GitOps-based tool for managing Kubernetes clusters at scale. It stands out when handling thousands of clusters, supports centralized multi-repo management, uses a bundle system, allows grouping of clusters and per-cluster customization, and integrates well with Helm and Kustomize. It also provides advanced RBAC and policy control, making it ideal for large-scale, multi-cluster setups.
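As an added illustration of the pull-based, agent-delegated model described above (example manifests, not material from the talk or Fleet's own docs), a GitRepo resource that turns two directories of a repository into bundles and targets them only at clusters labelled `env=prod`, followed by a `fleet.yaml` that customizes Helm values per cluster group. The repository URL, names and labels are constructed.

```yaml
# Added example: Rancher Fleet GitRepo on the management cluster.
# Fleet builds one bundle per path; the fleet-agent running inside each
# targeted cluster pulls and applies it, so the management cluster never
# holds push credentials for the workload clusters.
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
  name: platform-apps                # constructed name
  namespace: fleet-default           # Fleet's default workspace for downstream clusters
spec:
  repo: https://git.example.com/platform/apps.git   # constructed repository URL
  branch: main
  paths:
    - monitoring                     # each directory becomes one bundle
    - ingress
  targets:
    - name: production
      clusterSelector:
        matchLabels:
          env: prod                  # only clusters carrying this label receive the bundles
---
# Added example: monitoring/fleet.yaml inside the same repository.
# Per-cluster customization: the same bundle gets different Helm values
# depending on cluster labels, which is how a staged rollout is expressed.
defaultNamespace: monitoring
helm:
  chart: ./chart                     # constructed path to a chart vendored in the bundle
  values:
    replicaCount: 1                  # default for every targeted cluster
targetCustomizations:
  - name: large-prod
    clusterSelector:
      matchLabels:
        env: prod
        size: large                  # constructed label; larger clusters get more replicas
    helm:
      values:
        replicaCount: 3
```

The two documents live in different places (the GitRepo is applied to the management cluster, the `fleet.yaml` is committed to the repository) and are joined here only for reading.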

3. Scaling up to your first 10 million users - The Kubernetes Edition

Have you watched the famous “Scaling up to your first 10 million users” series on the AWS YouTube channel? Well, Marco Ballerini from AWS presented a similar analysis, this time for Kubernetes clusters.

One of the nice takes from the presentation is that scaling is not only about tech. He listed requirements you may need to address as your clusters start growing. The analysis grew, just as any product does, from small clusters (~10 nodes) to mid-sized clusters (~50 nodes) and on to clusters of 100+ nodes.

Below I echo a few organizational and operational aspects of this “scaling-up” requirements analysis that I found most insightful.

For small clusters, the reasoning is that you should start with solid foundations while keeping it simple. Set up standard procedures for cluster creation, implement Infrastructure as Code (IaC) early on, allow no ClickOps in production, and please don't forget about disaster recovery. Write your disaster recovery plan early and you will avoid engineering burnout when the time comes to activate it.

As you grow to mid-sized clusters, focus on dedicated role-based access control (RBAC) and embrace GitOps (it’s non-negotiable!). Remember to use managed services when you can; they may cost a few extra pesos, but so does your engineering team’s time.

When you hit the big leagues with large clusters, it's all about smart management. In large-scale systems, the butterfly effect is real: what seems like a minor oversight can cascade into major issues when amplified across millions of instances. Vigilance in error prevention and robust error handling become paramount, so think about change management. Automate your change management and fine-tune it to keep pace with development teams. Consider using Custom Resource Definitions (CRDs) to enrich your cluster API; users will thank you. Keep it simple, use IaC and GitOps, and you'll be on the right path towards the 10M users!

That was a 15-minute DevSecOps elevator pitch covering recommendations for scaling Kubernetes clusters, deployment management at scale, and continuous security monitoring and testing on Kubernetes clusters. Stay tuned for more news and trends on #DevSecOps, #IaC and #Kubernetes best practices, because the cloud-native journey is just getting started!

Do you need help putting DevSecOps practices in place or preparing your infrastructure to hit a larger number of users? Get in touch!