Incontro DevOps Italia 2024
15 Mar 2024 at Hotel Savoia Regency, Bologna

In this session, we'll unravel the core and essential pillars of any 'secure' Kubernetes cluster, that you absolutely can't ignore if you are running Kubernetes in production (or plan to). You'll discover the key concepts and strategies pivotal to safeguarding your Kubernetes environments. Our focus will be on practical, real-world applications, demystifying complex security challenges. Regardless if you are from a large organisation or from a small start-up, a seasoned DevOps professiyou will walk away with foundational knowledge and actionable insights, ready to implement stronger security measures in their Kubernetes deployments. Whether you're a seasoned DevOps professional or new to the cloud native arena, this talk will enhance your understanding of Kubernetes security, ensuring you're prepared for the evolving landscape of cloud native security.

6

Crossplane is an open-source project that allows the management of any cloud resource via the Kubernetes API. It's become a key component in the field of platform engineering. In this talk we'll provide an overview of Crossplane, spanning Managed Resources, Providers, Composition Function pipelines, Authentication, and integration with systems like ArgoCD and Flux. During this overview we'll demonstrate code how to define and validate internal new platform APIs, assembling infrastructure components, handling secrets, and creating functions in the language of your choice.

One of the peculiar aspects of microservices architecture is the possibility of designing a system as a set of independent but collaborative components. At the root of this collaboration there are well-defined contracts among all the microservices: breaking even a single contract might compromise the health of the entire system. With AWS Lambda, we have the ability to simply create an ever-increasing number of microservices and, therefore, it becomes crucial to find a way to catch errors in advance whenever one of these contracts has been broken.

7

In the ever-evolving landscape of database systems, PostgreSQL stands as a robust and highly capable RDBMS. However, achieving optimal performance at scale requires careful consideration of the underlying file system. This presentation will talk about ZOL (ZFS on Linux), a powerful and advanced file system originally developed by Sun Microsystems. ZFS point of strength are robust data storage management, data integrity, data compression, snapshotting, and efficient storage allocation. However ZFS performances are terrible if compared with the native file systems like XFS or EXT4. This presentation will help the attendees to have a better understanding for harnessing the power of ZFS and run PostgreSQL at scale levels not so different from XFS or EXT4.

Embark on a journey through the core facets of GitLab and Kubernetes integration. Dive deep into the pivotal role of GitLab's Agent, uncovering its seamless orchestration between GitLab and Kubernetes. Explore the intricacies of Cluster Access, understanding how GitLab ensures secure and controlled connections to your Kubernetes clusters. Security takes center stage as we unveil the robust features ingrained in the integration. From access controls to vulnerability scanning, discover how GitLab and Kubernetes collaboratively fortify your DevOps workflows, ensuring airtight security throughout the development lifecycle. Perfect for both DevOps veterans and beginners, this talk promises practical insights, empowering you to optimize development and deployment processes while upholding the highest standards of security. Elevate your understanding of GitLab and Kubernetes synergy for enhanced efficiency and reliability in your projects.

5

The daily hype is all around you. From cloud native, multicloud, to hybrid cloud, this is the path to your digital future. The choices you make as a developer does not preclude the daily work of enhancing your customer's experience and agile delivery of your applications. With all this delivery and infrastructure, there is a lot of data generated when engaging with any cloud experience. Regulatory and compliance pressures force us to store audit and observability data. Understanding the pitfalls around the collection, storage, and maintenance of your cloud data can mean the difference between bankruptcy and success with our cloud native strategy. Let us take you on a journey, looking closely at the decisions you are making as a DevOps team delivering and dealing with monitoring applications. Join us for an hour of power, where real customer experiences are used to highlight the three top lessons learned as their DevOps teams transitioned their data needs into cloud native environments. Key Takeaways: Attendees to this session will gain insights into the data explosion that is part of the large scale cloud native world. Real customer experiences are used to highlight the three top lessons learned as their DevOps teams transitioned their data needs into cloud native environments.

7

È sempre un argomento delicato prendere il lavoro di un collega e proporre un refactoring perché possa essere automatizzato. Ma una volta trovato il sistema di gestione che si adatta meglio alle vostre esigenze, sarà un gioco da ragazzi! AWS mette a disposizione alcune soluzioni fully managed per un ciclo MLOps, altre possono essere una combinazione di servizi. Tutto dipende dal ciclo di vita del modello, dalle figure coinvolte e dall’effort che si ha a disposizione. Dopo una breve introduzione delle figure coinvolte e delle soluzioni principali che potremmo adottare con i servizi AWS, le metteremo a confronto in termini di effort, knowledge, tempi d'implementazione e costi.

2

The Digitalist Cloud motto is 'For the public good', with this general scope in mind we have set up a SaaS service offering GDPR safe web analysis tools based on the Opensource project Matomo. Many of our clients are from the Swedish public administration, but awareness and interest in ethical web analysis is constantly increasing in all business sectors. In this presentation I want to show how applying Rancher to our different Matomo clusters have proved fruitful for our organisation, in terms of getting an immediate and clear overview of crucial operational info on the infrastructure and application status, as well as how applying Neuvector has facilitated the monitoring and management of security risks in the system. We'll dive into our pipeline architecture and show how our continuous updates are deployed seemlessly with ArgoCD. Finally I'll demo our recently released and much requested add-on tool, RebelMetrics, an analysis dashboard for advanced visualization and exploration of the data and smoother reporting for the clients.

9

Maintaining compliance in a Cloud world requires a new approach that maximizes the balance between agility and safety. Just like we use infrastructure-as-code in infrastructure automation and approach of CI/CD in application lifecycle management, at the same time our DevSecOps teams should adopt compliance-as-code, especially in a cloud world. We can introduce compliance-as-code on the left side of the DevOps lifecycle and/or on the right side. Working on the left side we can detect issues very early in the process, but our tests are limited in scope, more related to a specific workload. On the right side, we can detect and remediate issues that would be difficult to anticipate during the building phase, we can assess the resources against requirements defined at a more high level, but the improvement requires more effort. On the left side, we can leverage general-purpose tools such as OPA - Open Policy Agent - an open-source engine incubated in the CNCF. On the right side, it's better to leverage services provided by the Cloud provider as AWS config

12

Site Reliability Engineering (SRE) is a discipline founded at Google that is now widely practiced across the Tech industry. SRE represents a set of principles and practices that applies aspects of software engineering to IT infrastructure and operations. In this talk, we will discuss the key principles and practices of SRE, and how they can be used to build high performance software and teams. We’ll explore insights from the State of DevOps Report and how SRE can help foster the type of generative organizational culture that is a hallmark of high performing organizations.

La trasformazione di un'azienda da country-based a global è un processo complesso e pieno di ostacoli. La ristrutturazione di processi, infrastrutture e ways-of-working ha impatti significativi sia dal punto di vista tecnico, sia da quello umano. In questo talk vedremo come Prima Assicurazioni sta affrontando questo tipo di cambiamento utilizzando un approccio Domain Driven, con un focus dettagliato su come questo ha impatto sui team di Cloud Engineering. Scopriremo cosa è stato necessario affrontare per supportare questa trasformazione sia da un punto di vista tecnico (a livello di AWS Organization, di cluster Kubernetes, di IAM), sia da un punto di vista organizzativo, analizzando come i teams di Cloud Engineering si sono riorganizzati per sostenere questo sforzo con un numero limitato di risorse.

What are we using for pipelines? Which infrastructure do we support? Is service mesh enabled?'. These types of questions - revolving on tech choices and implementation - currently occupy most of the conversations around platform engineering. According to most evidence, though, these are not the only things that make a cloud-native platform successful: cultural change, communication and collaboration, reorganized processes, shared vision and roadmap - among others - play a key role in determining the success of platform transformation. If we don’t address change comprehensively, the risk is that in a few years we’ll discover that platforms are not bringing the results we expected. In this talk we’ll see some key aspects that are often overlooked in implementing a platform and how it’s possible to address them along the way. We’ll also share some of the pitfalls and lessons we learned in our experience, supporting large and small organizations in building their cloud-native platforms.

K8s Plumber è lo strumento basato su Terraform+Git che controlla il lifecycle di ~100 cluster Kubernetes in InfoCert, dal provisioning 'chiavi in mano', alla gestione degli upgrade dei servizi, delle configurazioni e della control-plane. Racconteremo come in InfoCert siamo arrivati al 100esimo cluster e della loro operatività, che ci ha portati ad automatizzare tutto con Plumber. Alla fine, 'basta un click'.

6

Explore the convergence of cost management and development with FinOps in the context of Kubernetes. This talk presents an integrated solution to effortlessly collect costs from service providers' APIs, convert them to the FinOps Foundation FOCUS specification, and store them in a central data lake. Leveraging advanced algorithms, including machine learning, the collected data is analyzed to uncover opportunities for cost and quality of service optimization. This solution includes a closed-loop feedback system where insights gleaned from the analysis are fed back into Kubernetes to enhance integrated auto-scaling features. This talk will unravel the complexities of FinOps within Kubernetes, gaining practical insights into transforming cloud cost management and bolstering DevOps efficiency.

How to handle huge load spikes during a live event in a serverless fashion: a technical deep dive into Sky Italia's voting platform architecture.

Logs and traces generated by applications are valuable sources of information that can help detect issues and improve performance. However, they are often treated separately from other data, even though they are no different from the data an application works with. In this talk, we will explore a different approach: treating logs and traces as part of a scalable cloud storage repository that can be analyzed with the same techniques used for big data. By keeping all the data together, we can apply machine learning models to detect situations of interest and alert us in real-time when unwanted behavior is occurring or brewing. This approach enables intelligent monitoring that goes beyond simple threshold-based alerts and can help identify complex issues that would otherwise go unnoticed. We will discuss how to harness existing technologies to implement this approach, providing attendees with practical tips and insights that they can apply to their own projects.

3

Solitamente il codice Ansible viene eseguito con un alto livello di accesso per assicurarsi che possa eseguire le azioni per cui è preposto. Questo alto livello di accesso, però, crea un potenziale rischio di sicurezza, dato che il codice potrebbe essere modificato da un attaccante, permettendogli quindi di eseguire codice arbitrario. Per evitare che questo possa succedere, si può utilizzare un processo di firma e verifica crittografica per assicurare che solo il codice autorizzato possa essere eseguito. In questa presentazione vedremo come si può integrare un processo di firma e verifica crittografica in Ansible. Ci soffermeremo anche su alcune decisioni e suggerimenti di implementazioni per assicurare che il processo risultante soddisfi tutti i requisiti.