Bonjour Paris, nice to be here, nice to be at this event. So this is the 10th year of Kubernetes, and I noticed this is already my third talk at a KubeCon, and if I count the zero, it was KubeCon which was a LinuxCon ContainerCon. And this is what I'm doing normally. My major topic is Kubernetes security, and especially in critical infrastructure: so energy, healthcare, German government, but also traffic. I'm a founder of a cloud computing security company. I have several Kovono memberships where I supported even the German IT Planning Council, and more or less what I did, I applied a DevSecOps and GitOps strategy which is now part of the German cloud strategy. My latest customers, but this is not important. Just one disclaimer before this: as a cloud security architect, I've been involved with the two projects I will present later. This is an openDesk project by the German government, and as a consultant on computer security or Kubernetes security, VNC Lagoon in the aerospace industry. So the history, this is the first thing to notice. There is a promise, and I traced it back to 1998, the Linux desktop. This is the year of the Linux desktop. I personally presented Linux in the, I pitched it in the German Bundestag, so the German parliament, in 2001. This shows how old I am. And as you might have noticed, it did not really take off. The market share jumped to 4%, which is astonishing, and it is more or less that thing which powers Chromebooks. And yeah, but now we have two solutions usable, and if I count Nextcloud and ownCloud also, we have four solutions which are more or less ready for production as your desktop in the browser. What are the drivers behind this? So the first driver is security. In Germany and elsewhere, municipalities are going down after ransomware attacks; ransomware is the black plague of our time on IT. The last major breach in Germany took down seven cities. In one of the cities I have been born.
So this means, with your services, social welfare is under stress. You cannot do relocation notifications anymore, and for the business, you have to switch back to import/export notifications on paper. This was the incident in the south of Westphalia. It has been down since November last year. Not fully recovered, 70 cities affected. If you look further at the drivers at the moment, we see also that the big cloud vendors, whatever they tell you, are not able to guarantee every level of security. It might be okay for your business, for your hotel booking sites, but it is not okay on a governmental or military side. So the last incident is Microsoft, and they have been visited by a Russian group. They stole the source code. So if you talk about open source and security, yes, effectively the Microsoft Windows Azure code now might be open source, at least to the people who want to attack. And what the security community talks about is, you have the four riders of the apocalypse on your desktop, which are Outlook, Exchange, Active Directory and Office. It is virtually impossible now for smaller teams to make them secure, and it is not possible to operate them without stress. And this is part of the movement of Microsoft. They want the users to go into the cloud, but if they themselves are not able to keep the security level high, we have a problem as a government, or if you have really secure operations on the way. Personally, it's not only Microsoft. I have seen flaws in every cloud, including Google and Amazon. And this is just a matter of how much contact you have with the cloud. If you look into cloud applications for, let's say, at least three months, then it's highly probable that you find a flaw which affects the entire cloud. Another driver, how should I frame this, is more or less haircut-driven sovereignty. The US CLOUD Act allows the US government to visit all the data, even if it's in European data centers. This is not acceptable.
There is a certain fear of the American administration going mad at the end of the year. And as I told you, there is some doubt in the security of the hyperscalers. They are doing many things better, but on that scale, we really have a problem with our own sovereignty. The problem is that if, let's say, the American NSA goes into the European data, the NSA has also been hacked by the Russians, the Iranian, the North Korean groups and probably by some others. So this means if the NSA can read your data, more or less everybody can read your data. And digital sovereignty, this is a CNCF survey from 2021. You have to build your own competence. You have to build your own cloud. And this is only possible if you use something like Kubernetes. In former times, it was also OpenStack, but OpenStack was limited to a certain amount of customers. There are a lot of companies in Germany who are able to do Kubernetes at scale. Some of them are here, like Agile Systems or Kubermatic or Server in CloudStack, which I've not seen here. So we have the competence. We have the competence in Germany. We have it in France. We have it in Europe. So why not build our own clouds with our own data? Well, definitely under our control. There's a certain movement at the moment to create a secure stack. And you might have seen all the talks here about Kubernetes security, edge security, service mesh, minimal containers and so on. What you probably did not notice is that there are also other initiatives from the CPU vendors to create secure enclaves on the CPU and even on the GPU level, so that you can probably not extract the data even if your workload is running in the cloud. The security community says we are questioning this. You have trusted boot; trusted boot works. Every Chromebook proves that trusted boot is working. People are telling you that the Linux kernel is secure. You have to trust them. Some people say, on our level, the Linux kernel is not secure enough.
So they are building a microkernel with automated proofs below the Linux kernel. And then this microkernel is able to be aware of the container workload in the Linux kernel. So the microkernel controls the workload of the Linux kernel and the container workload. This works also with Kubernetes. So they can definitely tell you that it is not only by eBPF that it is impossible to run an unknown workload. It is also possible by a microkernel. They are in the middle of the proof. So the proof is about 100,000 lines of C++ code. This means they are using automated proving systems, and then they can create a microkernel controlling the Linux kernel in a secure way. The other thing is confidential computing. This is also a big buzz at the moment. So you can create a secure version of Kubernetes which relies on the GPU and CPU in clouds. So you have definitely a connection to a CPU. Obviously we need the hardware vendors in this project. And then you are fine. I already mentioned the Kubernetes layer. There's even, there's much more. And then the final frontier, more or less, is application security. It does not really make sense to run an insecure application on a secure stack. So we need a kind of secure workload. In our case, we need a kind of complex workload like a desktop. If I ask people what a desktop is, I get different answers. And this is a summary of all the answers I've gotten so far, classic desktop. So yeah, it's a Windows, no, it's a Linux. Which kind of Linux? GNOME, KDE, I personally use i3, but this is a minority. This, it's definitely something with Office. And you can discuss, is it diagram drawing, mail, calendar, browser, video conference, chatting, is a wiki part of your desktop? I don't know, project management, some people want that, file sharing, ticketing, search, identity and access management, which definitely must be involved. You want to control who is chatting with whom. So the desktop suite is not well defined.
You have Microsoft Office as a classic idea of a desktop, but you also have the open source tools, which are now integrated into these cloud native desktops. Sometimes it gets really complicated because some institutions have documents which must be kept for 100 years. This means you need archive systems. If you go to the crypto community, not the Bitcoin community, the old-fashioned crypto community who is able to sign documents and is doing the real research, there is no algorithm at the moment which guarantees for you that the hash will be stable for 100 years. They give you five years, maybe 10. And this means you have challenges on this desktop in certain institutions where you have to re-sign the documents and prove that it has been re-signed before the algorithm which you are actually using is flawed, which makes it even more complicated. One example from the German government that did a release, another release three days ago, is openDesk. Here you see what's involved in openDesk. So you start with an operating system by Univention, which is a Debian flavor. Then you have an office system, a presentation system. You can use Collabora here. You have something like Excel, table calculation. You have something like Nextcloud. You have project management tools. This is a governmental project. So they need project management. You have a wiki for documentation. You have a simple CryptPad for exchanging short messages. You have a whiteboard, which is effectively based on Element. You have Open-Xchange as a mail server. You have Element itself with a Jitsi video client. So this is the definition of a desktop as the German government does it at the moment. And here you see we need open standards. We need everything open. It should be part of the German cloud strategy, which means it must be in Kubernetes. It must be independent of the operator. You need some security. You have integration.
Finally, not at this release, but in the end release, it must be usable on mobile devices. It must be inclusive so that everybody can use it. It must be a web application. The design must be changeable. It should unite under a single look and feel, and it should have something like single sign-on. So here's a link if you want it. Unfortunately, the German government insists on having the documents in German first. So if you are German, it's no problem. Otherwise, you will understand the concept and have to translate them into your mother language. This is part of the architectural design on Kubernetes. So this is a typical Kubernetes setup. You have a load balancer at the top. When you have a login, this is more or less done by an Ingress. And on the Ingress level, you also have something like mod_security, which means you have an application gateway inside your Ingress layer. And you also have a packet filter, which is a load balancer. And you have internal packet filters, and the security officials accept that we are doing it with some kind of network policies. So the red lines are isolating the applications inside the desktop cluster. This means, for example, if something is hacked, if one of the applications is hacked, then you cannot, if the chat is hacked, you cannot go into the documents. It's all on Open CoDE. I have also been working pro bono for Open CoDE. This is a German GitLab. So this cannot compete with GitLab, with GitHub, on size and scaling, but legally, it is now under a control that gives you the guarantees that all the applications on Open CoDE are complying with German law, which is not the case on GitHub. And this is important for a government, that you apply compliance rules on that level. This is the outcome of a broader strategy, the Deutsche Verwaltungscloud-Strategie, so the German administration cloud strategy, which is, this was my little contribution, more or less inspired by the CNCF DevSecOps approach.
So we just copied the basic ingredients of the DevSecOps approach into this strategy, and this means it's a GitOps strategy, it has a lot of security built in, and effectively, the base is a DevOps strategy with security built in. This is all published on basis by the Federal Ministry of the Interior and Community in Germany, and this means, yeah, it's more or less public, it's a Creative Commons license, and you can use it. The other desktop, which is already in use by some companies who are doing really security stuff, is VNC Lagoon, which is also a fully integrated desktop with a different focus. I did the Kubernetes adaptation within six weeks, so together with the team, of course; they are using hardened containers, they are also using this micro-segmentation, network policies, and other things. And the demo, actually, if we look here, the demo is actually this presentation, so I'm presenting out of this cloud, and I can show you how it looks, so it's a little bit fancy, so they also have an adaptable theme, you can change it for your company. Here you have the file applications, and you have a task manager, you have a mail, which is a different mail client, it's Zimbra, and you can send mails to this in the browser, and this is, I think it's a network here. Okay, it tells me I've opened it elsewhere in another window, but this is definitely one mail application, and I've not so much content here, so let's just go further. To compare the two approaches a little bit, it's a network, it's always a network, it has a little bit different components, like Zimbra mail and ownCloud instead of Nextcloud, which is not a big difference.
They are not using OpenProject, but Redmine for ticketing, they are not using Matrix, but XMPP chat, and the biggest asset is they have a search engine based on Solr, and Solr is a search engine of Bloomberg, who is giving you all the nice content of the American Stock Exchange, and all the financial information you want to have, and one of the less known approaches is they have Cortesar, which is a French company, they have a low-code application, so you can click with very limited knowledge of programming and a fancy application in Cortesar low-code, and they already have a mobile app which is fully adapting to a mobile environment, so you have definitely the goal which openDesk is aiming for at the end of the year, or next year, already reached, and they can play with it in a way that they can roll out an application in just a few weeks, which is based on that stack. What are the challenges? The final challenge is always the desktop or the mobile; if you have a bring-your-own-device policy in your company, nobody can help you if the phone or the desktop is not hardened, and so this would be the next step, to create some Chromebook-like application for the German administration where you can have a secure version of a real operating system. Another problem, always from a security point of view, is the browser. It has more code than the operating system, frequent updates, and it is virtually impossible to make security audits on a browser system, and for every application you have to do it on your own, so application by application, and also the interplay of the applications must be audited. Kubernetes services compared to this are quite easy. We have a standard of what we have to do: we need internal isolation, we need minimal containers, we have either some network layer like Calico or some service mesh like Istio or Linkerd, so this is pretty standard. Nowadays this is; in the beginning of the project, it was more challenging.
What surprised me is, effectively, mail systems are not cloud-native, and it is really hard to get a mail system which is cloud-native because it is based on POSIX storage. It's not 12-factor, it's not scaling horizontally. It wants vertical scaling: give me more memory, give me more resources. And one other problem is, if you integrate so many components, they have partially their own integration, and you are dismantling the applications and taking out the parts which you need for this kind of desktop. Another thing is, in this area of the German administration, we are just starting with microservices, so you cannot think that any microservice language or any cloud-native knowledge is already in the developer community of these services. And the same with security, it's not really known how to secure the systems. This was my job, and we made a lot of assumptions which then broke some applications because people, if they start developing microservices, put the entire operating system in a container, and then you have to tell them how to get rid of the components you don't need. From a Kubernetes point of view, yeah, hardened container images are more or less straightforward. I have, on my GitHub repo, I have an example of how you harden even an nginx, that you can take any nginx with dynamic libraries and throw out everything. So the standard nginx example in Kubernetes is the worst example for beginners of Kubernetes security you can have, but you can do better. Micro-segmentation is something you need. Some operations need an air-gapped environment. This means you have a difficulty bringing cloud-native applications into an air-gapped environment. I also have an example of how to do this with a mixture of a Kubernetes cluster running only Harbor and Argo CD and a kind of Gitea, a small Git installation, so that you have one cluster per security zone and you can pull it into an air-gapped environment through standard tools of Kubernetes. Also a thing is the existing network segmentation.
People think we have network segmentation, therefore we are secure. And finally, yes, if you look into it, this is not the case. Another challenge, this was the German army paying for a certain version of Element that included MLS, so the Message Layer Security standard, and they had their own crypto, which is a national crypto standard. So they needed an Apache license, and they are building their own version of Matrix with the existing crypto algorithms and a top layer with their own standards. So this altogether can give you a high level of isolation, and it can be run in secured environments. And it can be used for confidential and secret documents. If you see this side by side, so the left side is openDesk and the right side is VNC Lagoon. So you see this is more appealing, this is more neutral, let's say it that way. So we will see how both projects will evolve in the future, maybe they will join somehow, maybe because this is definitely so the interoperability of all the components in VNC Lagoon is very high. So this is more or less whatever you want to do on a very administration-like desktop, this is more fancy. So, yeah, next things, for example, integrate draw.io, have a full integration layer so that you can simply say, fire up a chat with these persons, fire up a video conference with these persons. This will be controlled by an API guy, gateway Angela, and what's already going on is integration of immutable archive systems, and there is an example where you have the integration of an archive system into VNC Lagoon where you have one million signed documents per day. This is a bigger system. Challenges, yeah, when Google gave away Kubernetes, this was not a big deal for Google. But if you have all the small and medium companies you have seen here, these are more or less the crown jewels. They have real assets, and they have problems if some big companies are getting a free ride on that.
So all the companies have some hidden secrets where you get a professional version which scales better, just to keep the big free riders out. We have seen the same problem with databases in the cloud. So this led to a clash with the licensing. This is the SSPL versus AGPL problem. AGPL should be sufficient because all the big companies hate AGPL. So the first thing you should think about is, if you want to negotiate, put your code, like Element does, under the AGPL; then you get the free riders out, but they can negotiate, and if you can make them an offer by contract, then you can go back to the Apache license or to another license. What I want to kick off in the near future is to have something like a cloud native desktop foundation under the umbrella of the Linux and the CNCF. We are on common ground, can develop and integrate components in a cloud-based desktop, and that's basically it, and I'm still around until Friday. If you have questions, ask me now. Thank you for coming.