DevNexus 2019 – Containing the Cloud – Wes Widner

See the table of contents for my other blog posts from the conference



  • Represent complexity
  • Lots of components
  • Notes help manage complexity – write down what you are doing
  • Containers were not designed to be secure. They were designed to give developers the feel of a greenfield system
  • A container is just a set of processes
  • Developers and ops have different goals. Need different images for debugging vs prod


  • Log and audit what is in the images. Logging smokes out bad practices. Can’t prevent a password from being baked in, but can catch it at build time
  • Prod image should come from the CI/CD pipeline
  • Add forensics info to labels. Ex: git hash. Pretend the cloud is down. Can you explain what is in your image?
  • Scan images regularly. The base image will become vulnerable over time. Scan hashes and layers of the image
  • Build your own scratch image or AMI so you know what is in it. This is hard, but then you know what is in it
  • Monitor what is running to ensure it is what you intend
  • Config as code
  • Use read-only mode in the container where possible. Makes the container hard to tamper with
  • Can tag so only specific pods can send certain data. Emerging tech. No standard yet
  • Can taint workers so only certain pods can run on them


  • Allowing a broad set of system calls makes it hard to find atypical patterns. It also broadens the attack surface
  • Hypervisor shims – limit what a container can do
  • Chaos engineering – keeps you honest. A pod that has run for months and behaves differently on its next start is hard to track down.
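The image-pinning, read-only filesystem and syscall-limiting points above, as an added example that is not from the talk: a small Python check run over a constructed pod manifest. The `audit_pod` function and both sample manifests are my own; the field names are standard Kubernetes pod spec fields.

```python
import json

# Constructed sample pod manifests (not from the talk): one with the weak settings
# the notes warn about, and the same pod hardened.
WEAK_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
 "spec": {"containers": [{"name": "api",
                          "image": "registry.example.com/api:latest",
                          "securityContext": {"readOnlyRootFilesystem": false}}]}}
""")

HARDENED_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
 "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
          "containers": [{"name": "api",
                          "image": "registry.example.com/api@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                          "securityContext": {"readOnlyRootFilesystem": true}}]}}
""")


def audit_pod(pod):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec", {})
    # A pod-level seccomp profile applies to every container unless overridden.
    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        sc = c.get("securityContext", {})
        # Pin by digest: what runs is exactly the layer set the pipeline built and scanned,
        # not whatever a mutable tag like :latest points at today.
        if "@sha256:" not in image:
            findings.append(f"{name}: image '{image}' is not pinned by digest")
        # Read-only root filesystem: harder to modify the container once it is running.
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        # A seccomp profile narrows the syscall set, which also makes odd behaviour stand out.
        seccomp = sc.get("seccompProfile", {}).get("type") or pod_seccomp
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile, full syscall surface allowed")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["ok"])
```

Running it prints three findings for the weak manifest and `ok` for the hardened one; the same checks can be applied to every manifest in a repo as a build-time gate.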

Cloud maturity

  • Access control over who can push
  • Execution logs
  • Images from a build system
  • Version control for docker configs
  • Tagged packets from pods and continuous image scanning


My take

Lots of information. I learned a lot. I also realize how much I’ve forgotten about Kubernetes since I last poked it.
