Seattle, WA
December 10–13, 2018


Runtimes
Thursday, December 13


How to Choose a Kubernetes Runtime - Justin Cormack, Docker
This year has seen the launch of several new container runtimes, including gVisor from Google and Nabla from IBM, as well as the consolidation of the Hyper and Intel VM container projects into Kata Containers. This talk looks at all the runtimes, how we can evaluate their security, and how they compare to the standard OCI runtime, runc.

There are a variety of ways of measuring how much the different runtimes reduce the Linux kernel attack surface, so this talk makes an assessment of those risks, based on types of code that are blocked, and actual and theoretical attacks. In addition we discuss the threat models for different types of users and code, and look at which types of user should consider these options.

This talk is aimed at people wishing to increase the security of the runtimes they are using for Kubernetes, and who wish to understand what the risks and improvements are.

Justin Cormack

Security Lead, Docker
Justin Cormack is security lead at Docker, a maintainer on the CNCF's Notary project, and a contributor to the CNCF SIG Security. He is particularly interested in container security, application isolation, authentication, policy and supply chain security. He has spoken at several...

Thursday December 13, 2018 10:50am - 11:25am
4C 1/2


Getting Your Hands "Dirty" in Container Sandbox - Ariel Shuper, Aqua Security
The session addresses the proliferation of "sandboxing" techniques to isolate containers and improve their security posture. It'll provide a short background on the rise of "sandboxing" technology in the global security space and will drill down into different container "sandboxing" technologies/projects. It'll examine and compare different sandboxing initiatives: Google's gVisor, OpenStack's Kata Containers, and hardware-based initiatives (container "enclaves"), as opposed to legacy Linux isolation tools applied to containers (SELinux and seccomp). It'll analyze the benefits and the challenges of each implementation and will demonstrate the attack types sandboxing/isolation technologies can mitigate vis-a-vis the attacks which sandboxing/isolation technologies can't mitigate and which require additional security layers.

Ariel Shuper

VP, Product Management, Portshift
Ariel Shuper is Vice President of product management at Portshift Security, specializing in cloud native identity-based security for microservices. He specialized in serverless environments as an entrepreneur prior to joining Aqua. He also focuses on other innovative cloud native...

Thursday December 13, 2018 11:40am - 12:15pm
4C 1/2


Security Considerations for Container Runtimes - Daniel Walsh, Red Hat
Explains and demonstrates using Kubernetes with different security features for your container environment.

General Concept
- Run containers without root, period
- Take advantage of all security features the host provides

Configuring CRI-O:
- Run containers with read-only images
- Limit the Linux capabilities running within your container
- Set up container storage to modify the storage options in a more secure manner
- Configure alternative OCI runtimes: Kata, gVisor and Nabla, to run locked-down containers

Building images with security in mind.
- Limit packages/attack surface of container images
- Build container images within a locked-down Kubernetes container

Advances in User Namespaces
- Demonstrate running each container with a different User Namespace
- Configure system to take advantage of user namespace container separation, without taking a drastic speed hit

And many more...

Daniel Walsh

Senior Distinguished Engineer, Red Hat
Daniel Walsh has worked in the computer security field for over 30 years. Dan is a Consulting Engineer at Red Hat. He joined Red Hat in August 2001. Dan has led the Red Hat Container Engineering team since August 2013, but has been working on container tec

Thursday December 13, 2018 1:45pm - 2:20pm
4C 1/2


How Standards, Specifications and Runtimes Make for Better Containers – Chris Aniszczyk, The Linux Foundation/CNCF; Jeffrey Borek, IBM; Rithu Leena John, CoreOS/Red Hat; Patrick Chanezon, Docker
With the rapid growth of containers over the past few years — including container-based solutions from almost all major IT vendors, cloud providers & emerging start-ups — the industry needs a set of common, open standards & specifications. As the container market — which is poised to reach $2.7 billion by 2020 — flourishes, the fear of lock-in is real. Chris Aniszczyk, Jeffrey Borek, Patrick Chanezon, & Rithu Leena John plan to dive into how standards impact the ecosystem at large; container runtimes like containerd & rkt; how specifications ensure interoperability & neutrality + much more. Attendees will learn about developing/deploying containers and/or learning the benefits of standardization in container environments. They can also expect to hear how contributions to OCI bridge the industry closer to standardized container distribution via runtime and image format specifications.

Chris Aniszczyk

CTO, The Linux Foundation
Jeffrey Borek

WW Program Director, IBM
Jeffrey Borek is a senior technology and communications professional with over twenty years of leadership and technical experience in the Software, Telecommunications, and Information Technology industries. He is currently the leader of the OSPO at IBM, and works in the Open Technologies...
Patrick Chanezon

Chief Developer Advocate, Docker
As the Chief Developer Advocate for Docker, Patrick Chanezon helps drive the direction of the company’s open source projects, acting as an advocate for the developer community to assure that their requirements and issues are addressed in the Docker platform. From 2013 to 2015, he...
Rithu Leena John

Sr. Software Engineer, CoreOS/Red Hat
Rithu Leena John is a senior software engineer at Red Hat, who works on the Operator-SDK project. Prior to joining this team she has experience writing her own networking operator for Kubernetes. Rithu is also the primary maintainer of the open source Dex project, which is a federated...

Thursday December 13, 2018 2:35pm - 3:10pm
4C 1/2


Kata and gVisor: A Quantitative Comparison - Xu Wang, hyper.sh
In the past year, hyper.sh and Intel released Kata Containers, and Google released gVisor. The two projects share many features:

- both aim to work with the Kubernetes CRI seamlessly;
- both could be treated as secure container runtimes;
- both introduce hypervisor technologies to improve isolation.

On the other hand, the two projects have many differences. Kata Containers is a more general solution and could work with existing acceleration technologies, while gVisor provides better flexibility, which means the user could scale a running container up or down easily.

In this session, the speakers will introduce both projects in detail, and make a quantitative comparison between them: how much footprint/performance cost is introduced by the different methods of isolation; which performs better in standard benchmarks and real-life workloads, etc.

Xu Wang

Senior Staff Engineer, Ant Financial
Xu Wang is a senior staff engineer at Ant Financial and an initial member of the Kata Containers Architecture Committee. He was the CTO and Cofounder of hyper.sh and created the hypervisor-based open source container runtime runV (secure as VM, fast as container). runV merged with Clear Containers...

Thursday December 13, 2018 3:40pm - 4:15pm
4C 1/2


Container Security and Multi-Tenancy Tales from Kata and Nabla - Ricardo Aravena, Branch Metrics & James Bottomley, IBM
With the introduction of the Kubernetes CRI many different choices have emerged for users to run their various containerized workloads. There have been concerns about the complexity of making traditional containers more secure using Linux kernel facilities such as AppArmor, SELinux, and seccomp.

In this talk, Ricardo will showcase how Kata and Nabla Containers can be used to isolate your tasks effortlessly. He'll describe the unique capabilities of each containerized approach along with their pros and cons, and how both of their communities are collaborating. He will also demonstrate how to make use of the Kubernetes RuntimeClass with both of these runtimes.

By the end of this talk, the audience will be able to understand how to use Kata and Nabla Containers with Kubernetes and its new RuntimeClass to fully enable multi-tenancy with minimal risks in their infrastructure.

Ricardo Aravena

Infrastructure Manager, Rakuten
Ricardo currently works at Rakuten as an Infrastructure Manager, automating everything in containers using open source and lately contributing to the Kata Containers project. He has been working in tech for more than 19 years and comes from a diverse professional background, having...
James Bottomley

James Bottomley is a Distinguished Engineer at IBM Research where he works on Cloud and Container technology. He is also Linux Kernel maintainer of the SCSI subsystem. He has been a Director on the Board of the Linux Foundation and Chair of its Technical Advisory Board. He went to...

Thursday December 13, 2018 4:30pm - 5:05pm
4C 1/2