...

  1. IBM booth demos:
    1. Workload runtime security (OH + KubeArmor + ???)
    2. Application-centric connectivity (OH + Skupper + ???)
    3. ML deployment automation (OH + TinyLlama? or Yolo v8 or v9?)
  2. LF Edge booth demos:
    1. Handsfree device onboarding (OH + FDO + LF Edge Sandbox + Project EVE)
    2. Realtime workload metrics (OH + EdgeLake + Grafana + optionally KubeArmor)
    3. Dynamic runtime secrets binding (OpenBao

...

    1. with Open Horizon

...

    1. )

...

KubeArmor is the gold standard for workload runtime security

Value prop: Open Horizon works with KubeArmor on bare Linux and Kubernetes clusters to enforce security at the host and workload levels. Secure and harden your edge solutions using Security-by-default principles and active mitigation measures from Days 0 - N.

Owner: Prashant Mishra and Sanjeev Gupta 

...

  1. How do we stop, not just detect?  The focus is active mitigation, not post-detection strategies.  Example: an application without hardening has these misconfigurations/access.  KubeArmor will sandbox the application's behavior to allow only the specified behavior and nothing else.
  2. Multiple applications on a device: if one is compromised, the blast radius could impact other running containers.  How do you isolate the workloads to limit the blast radius?
  3. Specific use cases for Vault
  4. ORRA Kamakura demo showing addition of KubeArmor to the running application to enforce network micro-segmentation

Provide application-centric and -directed connectivity

Value-prop: Quickly connect deployed applications with remote resources in any location.  Align distributed application connectivity with the applications themselves so both can be deployed and managed together by the same team.

Owner: Jeff Lu and Sanjeev Gupta?

Todo: Create Skupper service and show how to connect a distributed application to its remote services.  Linux host to start, then Kubernetes example?

Adopters: IBM Hybrid Cloud Mesh with Red Hat Service Interconnect

Dynamic ML association/placement/delivery/bi-directional sync

Value prop: Associate ML models with the applications that use them while allowing independent delivery and lifecycle management of each.  Separate teams typically develop and maintain ML assets and their consuming applications.  Why force the assets and applications to be deployed together by the same pipelines?

Owner: Jeff Lu 

Todo: Determine which models/framework to show, how to update?

Adopters:

Zero-touch device onboarding with FDO is a reality

...

  1. Create a secret in the OpenBao secrets manager named hw-secret-name
  2. Register an edge node with the helloSecretWorld example service
  3. Show the "<your-node-id> says: Hello <secret-value>!" output of the service in a separate terminal updating every 5 seconds ("<secret-value>" here is the contents of the hw-secret-name secret)
  4. Update the hw-secret-name secret with a new value "<new-secret-value>"
  5. A few seconds later, in the still-open terminal window showing the live service output, observe the output change to "<your-node-id> says: Hello <new-secret-value>!"

Demonstrate OH managing ML placement/delivery/bi-directional sync

Value prop: Models are trained in the cloud or elsewhere, but don't have the ability to deliver securely to edge devices.  OH can be that last mile delivery solution.

Owner: Jeff Lu 

Todo: Determine which models/framework to show, how to update?

Adopters:

Provide application-centric and -directed connectivity

Value-prop: Align distributed application connectivity with the applications themselves so both can be deployed and managed together by the same team.

Owner: Jeff Lu and Sanjeev Gupta?

Todo: Create Skupper service and show how to connect a distributed application to its remote services.  Linux host to start, then Kubernetes example?

...