
Kubernetes Podcast from Google
A biweekly podcast focused on what's happening in the Kubernetes community, hosted by Abdel Sghiouar and Kaslin Fields. We cover Kubernetes, cloud-native applications, and other developments in the ecosystem. Reach Abdel and Kaslin on Twitter at @KubernetesPod or by email at kubernetespodcast@google.com.
Latest episodes

Oct 8, 2019 • 42min
Community and Contributor Experience, with Jorge Castro
Jorge Castro is a community manager employed by VMware to help keep the Kubernetes project running smoothly. He joins Adam and Craig to talk about the programs run by SIG Contributor Experience, the difference between supporting contributors and end users, and the recent steering committee election.
Do you have something cool to share? Some questions? Let us know: web: kubernetespodcast.com mail: kubernetespodcast@google.com twitter: @kubernetespod
Chatter of the week: The Jordan Luck Band The Exponents Snippets from Who Loves Who The Most, Victoria and Why Does Love Do This To Me
News of the week: Kubernetes Steering Committee election results Envoy proxy journey report October updates to the StackRox Security Platform Protecting Kubernetes against a Billion Laughs attack by StackRox Billion laughs attack on Wikipedia Open Source in VMware Tanzu Project Contour moves IngressRoute to HTTPProxy Sloop from Salesforce Kontena Lens: free desktop app GKE master on-prem routing AKS managed identity Envoy proxy performance on Kubernetes by Ambassador Announcing Kubernetes Community Days WeaveWorks GitOps Manager and WKSctl Transmogrify Kubernetes APIs by David Young
Links from the interview: About Jorge Castro 11th Armored Cavalry Regiment John Wick horse scene (Ok, Bradley Fighting Vehicles, not horses) From Ubuntu to Heptio Community episodes & community managers: Episode 27 with Sarah Novotny Episode 1 with Paris Pittman Kubernetes Slack bot Contributor Experience properties: YouTube Office hours (and calendar) Meet our Contributors Kubernetes subreddit Kubernetes Users mailing list - now archived discuss.kubernetes.io Ask Ubuntu SIG Contributor Experience End user content: KEP for setting up discuss.kubernetes.io Proposal with steering for end user committee Kubernetes Failure Stories Kubernetes tag on Stack Overflow Bots fixing bugs, merging and celebrating with no humans needed Humans Need Not Apply WG Kubernetes Infrastructure Kubernetes Steering Committee 2019 Steering committee election Election process: no electioneering Condorcet method Three “chop wood/carry water” winners were elected Jorge himself was also a recipient! Self-organised community: “Kubeyland” Disneyland trip Cloud Native Rejekts Jorge and his many friends all hang out on #sig-contribex on Slack and the kubernetes-sig-contribex mailing list Jorge Castro on Twitter

Oct 1, 2019 • 31min
CRDs, Extensibility and API Machinery, with Daniel Smith
Daniel Smith is co-Chair and co-TL of SIG API Machinery, as well as TL of the corresponding Google team. Daniel has been working on Kubernetes since before it was open sourced, and is one of the top overall contributors to the codebase. He joins Adam and Craig to discuss CRDs and extensibility.
Chatter of the week: Old Man’s Journey Rocketman Funeral For A Friend/Love Lies Bleeding Aladdin (2019) Aladdin (1992)
News of the week: Kubevirt joins the CNCF KubeCon San Diego Contributor Summit ServiceMeshCon 2019 schedule announced GKE Intranode Visibility #KUBE100; hosted k3s from Civo k8s vs k3s by Andy Jeffries Docker: Designing your first application on Kubernetes Docker raising funds IBM launches Apache CouchDB operator 90% of all PaaS and SaaS on IBM Cloud is on Kubernetes Kubecost: Requests and Limits by Webb Brown Kubeadvisor 1.0 from Magalix Kubernetes Liveness Probes are Dangerous! by Henning Jacobs
Links from the interview: DevStats says Daniel is number 2 or number 3 contributor to Kubernetes, in either case just behind Tim Hockin from Episode 41 Either way, someone is wrong on the Internet! Carina star constellation and having to rename it from that The Kubernetes API API Machinery First proposal for API plugins - issue 991! Third party resources (deprecated in 1.7) Operator packaging Custom Resources Moving TPRs to CRDs by Nikhita Raghunath API Aggregator Extension via webhooks 1.15 release blog talks about CRD extensibility Daniel’s KubeCon talks: Life of an API Request (slides) The hand-drawn trilogy: Kubernetes-Style APIs of the Future (slides) A Vision For API Machinery: Coming to Terms with the Platform We Built (slides) The Kubernetes Control Plane for Busy People Who Like Pictures (slides) The Nut That Ties Everything Together Daniel Smith on Twitter

Sep 24, 2019 • 38min
Kubernetes 1.16, with Lachlan Evenson
Kubernetes 1.16 is out, and our guest this week is its release manager, Lachlan Evenson. Lachie is a Principal Program Manager at Microsoft and an Australian living in the US; Craig and Adam are therefore method-interviewing, being this week in those two countries respectively.
Chatter of the week: New Zealand: man brings clown to redundancy meeting Cloud Summit Sydney and APIdays Melbourne
News of the week: Kubernetes 1.16 is released Traefik 2.0 Announcing .NET Core 3.0 gRPC on .NET Core GKE Container Native Load Balancing now GA Google makes €3 billion of data center investment CloudARK’s 5 takeaways from the Helm Summit Crossplane 0.3 Agones 1.0.0 Episode 26 with Cyril Tovena and Mark Mandel Spire TPM plugin from Bloomberg Episode 45 with Andrew Jessup Azure: EKS now GA in Government regions Egress lockdown now GA AKS Periscope open source released Monitor your Google Anthos clusters with the Sumo Logic Istio app Google Cloud Build named a Leader for Continuous Integration in the Forrester Wave Banzai Cloud updates Logging Operator and Istio Operator The problem with Cloud Native by Quentin Hardy of Google Cloud Citrix integrates its ADC portfolio with Istio ContainerShip shuts down
Links from the interview: Prison England Lithium Technologies Kubernetes 1.0 launch roster CrashLoopBackOff Helm Classic Deis acquired by Microsoft Deis Labs Episode 61, with Jeremy Rickard and Ralph Squillace Phippy and Captain Kube Childrens Illustrated Guide to Kubernetes 1.16 release blog What Lachie is excited about: Dual stack IPv4/IPv6 Endpoint slices What he’s looking at in Alpha: Ephemeral containers Distroless What slipped: Sidecar containers Breaking old APIs in Kubernetes 1.16 Deprecation policy 1.16 release team Emeritus Advisors KubeCon San Diego session on shadowing in releases Kubernetes 1.17: run by women Removing the Test-Infra release role Release notes from annotated PRs Community retrospective Release mascots: 1.16 Release patch 1.11 1.14 Olive Garden When you’re here, you’re family History of the breadstick Cutting people off from unlimited breadsticks 2019 Steering Committee elections are happening Lachlan Evenson on Twitter

Sep 17, 2019 • 33min
containerd, with Derek McGowan
containerd was born from community desire for a core, standalone runtime to act as a piece of plumbing that applications like Kubernetes could use. It sits between command line tools like Docker, which it was spun out from, and lower-level runtimes like runC or gVisor, which execute the container’s code. This week’s guest is Derek McGowan, a Software Engineer at Docker and a containerd maintainer-d. Along with the news of the week, Adam and Craig discuss the many Vancouvers.
Chatter of the week: Vancouver, Vancouver, and George Vancouver South Bend, North Bend, and Bend Cosmopolis “50 Year Sensation: the Dave McMacken Retrospective” (album art show in Astoria, Oregon)
News of the week: Istio 1.3 is out Google’s Anthos now includes Anthos Service Mesh, Cloud Run for Anthos and more Cloud Native Application Bundles hit 1.0 Episode 61 with Ralph Squillace and Jeremy Rickard Nominations for the annual CNCF Community Awards Bloomberg hits 90% utilization with Kubernetes Mistakes that “cost” thousands by Gajus Kuizinas Kubernetes Edge working group publishes whitepaper Isopod, by Cruise Pulumi 1.0 5 RBAC mistakes you must avoid (number 4 will shock you) OpenShift 4.2 disconnected install Red Hat Quay 3.1 Microsoft AKS brings Scale Sets and Standard LB to GA Upstream kernel bugs Amazon EKS adds cluster tagging and IAM roles for service accounts Deep dive into AWS Fargate by Abhisheck Ray from Amazon Kong introduces Kuma, “universal service mesh” Google introduces Cloud Dataproc for Kubernetes Apache Flink operator from Google Cloud Container runtime security bypasses on Falco by Mark “Antitree” Manning Rafay Systems lands $8m in Series A funding
Links from the interview: containerd Original announcement The many meanings of ‘container runtime’ kubelet and Container Runtime Interfaces runC, gVisor, Kata Containers, and the Windows Host Compute Service (HCS) ctr debug tool containerd’s graduation from the CNCF containerd shim API gVisor shim Firecracker containerd integration Kata Containers shim Windows Container shim rkt announced in 2014 with appC spec Open Container Initiative libcontainer, which became runC Web Assembly (WASM) BuildKit 1.3.0 releases are coming Contribution opportunities: Reporting issues Plugin ecosystem Derek McGowan and containerd on Twitter

Sep 11, 2019 • 39min
Windows Server Containers, with Patrick Lang
Patrick Lang is the co-chair of the Kubernetes Windows SIG. He is a Senior Software Engineer at Microsoft, developing Kubernetes and related open-source projects supporting Windows Server Containers. Patrick joins Adam and Craig to tell the story of how containers came to Windows.
Chatter of the week: Getting to the Peak Tram
News of the week: KubeCon 2019 schedule Tim Hockin and Kal Henidak on dual stack IPv4 Building a 5G network live on stage GKE Shielded VM Nodes Mæsh Project Contour 0.15 Contour on Kind TechCrunch video: How Kubernetes Changed Everything Aaron Roydhouse reverse engineers release schedules as 1.15 hits Preview on Azure and Rapid Channel on GKE GKE Scalability best practices The Kubernetes scalability hypercube Cloud Foundry Networking Team Update Building a Continuous Delivery Pipeline for Symphony by Ivan Babenko The Cult of Kubernetes and Hacker News discussion
Links from the interview: Windows Server containers Windows Server Core and Nano Server Sessions on Windows Docker and Windows partnership announced in 2014 Active Directory Group Managed Service Accounts (GMSA) GMSAs for Windows containers Windows network namespaces Host Networking Service and Virtual Filtering Platform GMSA integration with Kubernetes GPU acceleration in Windows Containers Batch files! Patching: Patch Tuesday Windows base OS images on Docker Hub Windows container version compatibility Hyper-V isolation Docker for Windows Get started with Windows containers Windows Server Containers in preview on AKS, EKS or GKE SIG Windows and their Slack channel Patrick Lang on GitHub

Sep 3, 2019 • 32min
kind, with Ben Elder
kind stands for Kubernetes in Docker. Originally built for continuous integration (CI) and testing of Kubernetes itself, kind has found many uses, including acting as a cluster for bootstrapping other clusters. Original author Ben Elder from Google Cloud joins Craig and Adam to talk about it.
Want to see Adam’s puzzles? Let us know: web: kubernetespodcast.com mail: kubernetespodcast@google.com twitter: @kubernetespod
Chatter of the week: Adam’s new Seattle office building Example Quick Cryptic from The Times Example USA Today crossword New York Times crossword puzzle case study The NYT mini crossword Craig’s record is 13 seconds! Times for the Times solver blog A puzzle in a tweet The answer Code Golf
News of the week: Introducing Kubernetes Academy Brought To You By VMware Kubernetes Academy Brought To You By VMware Knative serverless Kubernetes bypasses FaaS to revive PaaS Helm 3 Beta To Helm or not to Helm? by Stepan Stipl Announcing etcd 3.4 by Gyuho Lee and Jingyi Hu Blocking old Cert Manager versions from Let’s Encrypt Linux Namespaces by Ifeanyi Ubah How kubectl exec works by Erkan Erol Announcing the CNCF Kubernetes Project Journey Report The report Adopting Istio for a multi-tenant kubernetes cluster in Production by Vishal Banthia StackRox 2.5 Platform9 raises $25m in Series D The first managed Kubernetes service on VMware? Dell previews data protection software for Kubernetes DNS spoofing in Kubernetes clusters by Daniel Sagi Dynamic Kubernetes informers by Robert Ross What’s next for Vault and Kubernetes? Consul 1.6 is now GA Kubernetes security audit: What GKE and Anthos users need to know Managed AD now in Beta on Google Cloud Introducing Red Hat OpenShift 4.2 in Developer Preview; releasing nightly builds Developer Preview now available on GCP Operational Insights for Containers and Containerized Applications Deploying GitOps with Weave Flux and Amazon EKS
Links from the interview: Ben’s GSoC proposal and first Kubernetes project: use iptables for proxying instead of userspace kind webpage Documentation kind on GitHub Privileged containers kubernetes CI Cluster API IPv6 on kind End to end testing Running Kubernetes in a CI pipeline by Loodse Cluster API logo - it’s turtles all the way down kubeadm cluster-api-provider-docker Other tools: kinder kindest Shoutouts to: Antonio Ojea from SUSE James Munnelly from JetStack SIG Cluster Lifecycle Ben Elder on Twitter

Aug 27, 2019 • 30min
Container Camp, with Angie Maguire
Container Camp is a series of independent conferences, spanning three continents and in their fifth year. “Camp mother” Angie Maguire is the co-organiser, and is also the founder of Ladies of Code. She joins Adam, who is yet to attend a Camp, but actually goes camping, and Craig, who has spoken at Camps in London and Sydney, and prefers hotels.
Chatter of the week: The mound is moving The traffic isn’t
News of the week: VMware buys: Pivotal Carbon Black Intrinsic Greenland VMworld news: Introducing Project Pacific Project Pacific technical overview Reintroducing Project Bonneville? Joe Beda’s take Tanzu, VMware’s approach to modern applications Tanzu Mission Control Splunk acquires SignalFX 2019 Accelerate State of DevOps report Red Hat OpenShift Service Mesh is GA Maistra, the upstream of the operators Cilium 1.6 is out E2E Kubernetes testing with GitHub Actions Why does developing on Kubernetes suck? Hacker News says it doesn’t CNCF Google Summer of Code projects
Links from the interview: Container Camp Ladies of Code Women Who Code Black Girls Code Container Camp videos on YouTube Craig’s talk from London in 2016 Kaggle talk from San Francisco in 2016 IPFS Camp Digital nomads Angie’s Netflix recommendations: Blown Away Mindhunter When They See Us Ava DuVernay Container Camp and Angie Maguire on Twitter

Aug 20, 2019 • 37min
Orka, with Chris Chapman
Kubernetes and Docker might not seem the obvious choice for managing virtual macOS instances on hosted Apple hardware. Learn how they were used to build Orka - Orchestration for Kubernetes on Apple - a virtualisation layer for Mac build infrastructure offered by hosting company MacStadium. Craig and Adam ask MacStadium SVP of Software Chris Chapman about Orka, and how Kubernetes is useful in places you might not expect.
Chatter of the week: Letterboxing Geocaching Orienteering
News of the week: HTTP/2 security bulletin from Netflix New releases for: Kubernetes Istio Envoy gRPC NGINX And others CNCF archives the rkt project GitHub Actions is now a CI/CD service Announcing preview of GitHub Actions for Azure Kubernetes web UIs in 2019 and Kubernetes Web View by Henning Jacobs Episode 38: Kubernetes Failure Stories, with Henning Jacobs k3sup by Alex Ellis Episode 57: Rancher Labs, with Darren Shepherd Evolving Istio’s APIs, by Sandeep Parikh and Louis Ryan Episode 58: Istio 1.2, with Louis Ryan Istio 1.3 release branch cut Intel GPU Plugin for Kubernetes by Brian Carey Kubernetes Gated Deployments at GoDaddy CNCF now has 100 end user members VMware, Pivotal and Dell: VMware in talks to acquire Pivotal Pivotal CTO: Kubernetes means we’re all distributed systems programmers now Kubernetes is set to take over VMworld 2019 AT&T brings Dell into the Airship program Helm Summit EU 2019
Links from the interview: MacStadium Orka Conference presentation videos from Chris: macOS in a Docker container for development - MacADUK 2019 Announcing Orka - AltConf 2019 Mac OS X Lion supports running additional OS X instances (up to two) 10.7 EULA (PDF) Device test labs Docker for Mac Virtual Command, Chris’s prior company acquired by MacStadium The orca kubevirt Mac hardware: Mac Pro (2013) - the “trashcan” The MacStadium sled Mac Pro 2019 - the return of the “cheesegrater” T2 security chip MacStadium in WWDC 2018 keynote Inside the MacStadium data center JenkinsWorld 2019 Orka plugin for Jenkins Docker for Mac in macOS on Docker Yo dawg, I hear you like Docker Spinning top Turducken MacStadium on Twitter

Aug 13, 2019 • 25min
kubectl Plugins and krew, with Ahmet Alp Balkan and Luk Burchard
No matter how you say it, you probably use kubectl all the time. Did you know you can extend it with plugins? Did you know you can find and install those plugins using krew, a plugin manager for kubectl? krew was built by Luk Burchard, a student at TU Berlin, as an intern project. He was supervised by Ahmet Alp Balkan at Google Cloud, and they both join Craig and Adam to discuss it.
Chatter of the week: Pluots Fox evidence
News of the week: “Open sourcing” the Kubernetes security audit CyberArk’s penetration testing methodology Docker reverse shells and making it rain shells in Kubernetes by Rory McCune Google Cloud Security Scanner: web application vulnerability scanner for GKE Knative 0.8 release notes Building a Kubernetes platform at Pinterest Octant by VMware Call to participate in the CNCF Survey Direct link Reannouncing the Kubernetes Forum
Links from the interview: kubectl overview Extend kubectl with plugins Sample CLI plugin Write your own kubectl subcommands and The case for a kubectl plugin manager by Ahmet Alp Balkan kustomize becoming a kubectl sub-command kubectl access-matrix (a.k.a. rakkess, as a stand-alone binary) krew krew plugin index Ahmet’s recruitment tweet Luk’s first day at Google Ahmet Alp Balkan: Web Twitter Luk Burchard: Web Twitter

Aug 6, 2019 • 43min
Attacking and Defending Kubernetes, with Ian Coldwater
Ian Coldwater specializes in breaking and hardening Kubernetes, containers, and cloud native infrastructure. A pre-eminent voice in the Kubernetes security community, they are currently a Lead Platform Security Engineer at Heroku. Ian joins Adam and Craig to talk about the offensive and defensive arts.
Chatter of the week: Black Hat USA DEFCON Scavenger hunts An example of Spot the Fed An example of the Mystery Challenge
News of the week: Mesosphere becomes D2iQ Google Cloud launches Migrate for Anthos in Beta Google Cloud Game Servers coming soon Episode 26: Agones, with Mark Mandel and Cyril Tovena Announcing Kubernetes Summits in Seoul and Sydney Security updates of the week CVE-2019-11247: API server allows access to custom resources via wrong scope CVE-2019-11249: kubectl cp (round 3!) IBM and Red Hat: OpenShift on IBM Cloud OpenShift coming to Z Series and LinuxONE Cloud Paks and services Cisco Container Platform now supports Microsoft AKS Helm deployments at the Kubedex How Kubernetes can be used for genetic analysis by Mu Huan and Eric Li Alibaba Cloud Announcing CloudBees Jenkins X Distribution Episode 44, Continuous Delivery Foundation, with Tracy Miranda TiDB Operator now Generally Available
Links from the interview: Red teams and penetration testing Fuzzing Attacking Helm’s Tiller Black-box and white-box testing DevSecOps: guard rails, not gates OWASP - the Open Web Application Security Project The math behind calculating security risk CVSS score etcd: encrypt it at rest! Admission control Technologies for isolation: AppArmor Seccomp gVisor Firecracker (not yet supported with Kubernetes) “Kubernetes is powerful, and it’s insecure by design” Ian and Duffie Cooley’s BlackHat talk Cloud doesn’t make it better! Threat modelling hostpath - “a powerful escape hatch” Trail of Bits blog: understanding Docker container escapes Recommended watching: Ship of Fools by Ian Coldwater (slides) Hacking and Hardening Kubernetes by Example by Brad Geesaman (slides) A Hackers Guide to Kubernetes and the Cloud by Rory McCune (and his upcoming Black Hat training) DIY Pen Testing for your Kubernetes Cluster by Liz Rice (our guest on episode 19) Ian Coldwater on Twitter