SCaLE is a rare and unique event that still draws on its heritage as the place where five different Southern California Linux Users Groups (LUGs) came together. It attracts professionals and enthusiasts alike to a single event, which is why it's scheduled for the weekend. I met several attendees who brought their whole families, people with jobs completely outside of technology who stay up late in the night playing with Linux kernels and Kubernetes clusters on Raspberry Pis.
Kubernetes is top of mind
Without a doubt, the most popular topic for professionals and enthusiasts alike was anything related to Kubernetes. It’s absolutely the accepted method for deployment. An entire track was dedicated to it and there was a Thursday “Getting Started” workshop.
One particularly fun session was “Speedrunning Kubernetes Deployments” by Kat Cosgrove of Pulumi. That session was followed by the always popular “Must have controllers in Kubernetes” and several other talks about hardening, multi-region deployments, cluster management, and more. When talking with attendees, the most common frustration with Kubernetes is just keeping up with the rate of change and best practices.
An emerging trend on the expo floor was solutions for day-two Kubernetes problems—like testing, deployment, and security—that teams face after completing their initial Kubernetes rollouts. Traditional CI/CD players like GitLab and CircleCI were both on hand, focusing heavily on deployment and DevOps capabilities. New Kubernetes native entrants in the market—such as Harness and Octopus Deploy—also showed off deep integrations for managing CD in a Kubernetes world. And many CD services are putting emphasis on DevOps collaboration around infrastructure.
Collaboration between application and operations teams, particularly around security, came up continually in our booth conversations. It was discussions like these that originally inspired us to build Mondoo’s deep integrations with CI/CD platforms. Now teams with Mondoo can:
- Find security violations early in their development processes
- Monitor security of workloads as they’re deployed
- Continuously evaluate the security of workloads running in production
Security & compliance in La La Land
It goes without saying that a large proportion of tech in Los Angeles revolves around the entertainment industry. At the Mondoo booth, we got to meet several technologists who were excited about how they could use our technology to satisfy their compliance requirements and improve their security posture.
Most of us know about security compliance for credit cards (PCI-DSS) and healthcare (HIPAA), but did you know that the Motion Picture Association of America (MPAA) has their own “Content Security Program”? This was news to me. Like many other frameworks, it draws heavily upon ISO 27001/27002 and NIST SP 800-53 controls and even includes a helpful appendix mapping the controls, but deviates in some key areas, such as controls for:
- Content Tracking (DS-12)
- Shipping & Receiving (PS-17 & PS-18)
- Transport Vehicles (PS-21)
- Searches (PS-11)
- Cameras (PS-9)
Topics like alarms, keys, and perimeter security take on new meaning when you’re securing a film set instead of a data center, but it’s the controls related to physical searches that strike me as the most interesting, namely:
PS-11.0: Establish a policy, as permitted by local laws, which allows security to randomly search persons, bags, packages, and personal items for client content
and
PS-11.4: Implement a dress code policy that prohibits the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts)
Find and fix the security risks that pose the biggest threat to your business.
Monitoring asset inventory
Mondoo can’t query your environment for baggy pants. But we are excited about opportunities for Mondoo to help secure infrastructure in the entertainment industry. With the wide range of devices and services used in media production, the possibilities are intriguing.
As the saying goes, you can’t secure what you can’t see. Many visitors to the booth loved the massive collection of policies as code that are available in Mondoo Platform’s Policy Hub. They were impressed by how quickly they could use Mondoo to scan their assets to get visibility into the security of their infrastructure.
Upon learning that the policies themselves are written using our powerful Mondoo Query Language (MQL), one infrastructure engineer remarked, “Do you mean I can use your query language to find all of my AWS RDS instances that are public facing?!?”
Yes, you can!!
Mondoo Client not only runs scans against remote targets like AWS, GCP, Azure, Kubernetes, and more, but also you can open an interactive shell directly against those targets and live-query your infrastructure.
To answer the infrastructure engineer’s question, we popped open a laptop and simply ran mondoo shell -t aws
to connect to a real AWS account. Then we ran the following MQL query:
Within seconds we had the answer, which prompted the response, “You guys definitely need to talk to my security team.”
A few of my favorite things
SCaLE’s dedication to openness goes so far as to make video of the entire conference available online for free. On the SCaLE YouTube page you can find all the material. Just be warned that generally the recordings are streams of a given room for the full day. Be sure to review the schedule to find a particular talk you're interested in.
Here are three of my personal favorites from the event:
- Vint Cerf’s keynote: The father of the internet has given this talk before but it’s hilarious and fun every time. He steps back in time to shed some light on the context of design decisions and provides useful lessons for us today.
- End of Support, But Not End of Use (John Sicklick, SANS): John presents some very interesting work around the impact of EOL. Readers of Patrick’s blog posts will appreciate just how critical patching is. John utilized some traditional external scanners but using Mondoo for these analyses would be far more powerful.
- Podman New Features (Daniel Walsh, Red Hat): There has been a lot of buzz about Podman as a Docker alternative, and there are many other compelling reasons to adopt Podman. I was excited to learn about Podman Desktop coming along, its deep systemd integration, and most of all podman kube play, which allows you to deploy Kubernetes manifests (Pods and Deployments) without Kubernetes. This is ideal as a local development alternative to docker-compose, and an excellent alternative to Kubernetes on small devices like Raspberry Pi.
I also want to give a special shout-out to System76, the Linux-first hardware manufacturer, who introduced their amazing new Launch keyboard. The weight and quality of the keyboard has to be experienced to be fully appreciated. Built like a 1920’s typewriter, with configurable keycaps and fully programmable LED’s, the keyboard is a gem.
And, of course, the best part of any conference is spending time with friends, old and new. The Mondoo SCaLE crew was so happy to connect with JJ Asghar, Developer Advocate at IBM, and Kennon Kwok, Product Solutions Architect at DataDog!
Get ready for SCaLE 20x
This year's event was delayed, but the 2023 event is expected to be back on schedule for March in their Pasadena, CA home. We’re looking forward to seeing all our Southern California friends again then. In the meantime, keep on scanning and be on the lookout for the final dates of next year's event at https://www.socallinuxexpo.org/.