KubeCon + CloudNativeCon is one of the must-attend events for cloud-native technologies. You will be able to learn, exchange, and network with peers about Kubernetes but also about containers and new development frameworks. For those who can't attend in person, it is possible to attend the live sessions from the virtual event. This event offers 200+ sessions including technical sessions, deep-dives, case studies, and more. To make sure you get the most out of your time, we've selected sessions delivered by security experts, whether they are customers, software vendors, or maintainers.
Below is a list of our top 10 sessions.
Using the EBPF Superpowers To Generate Kubernetes Security Policies
Format: 35-Minutes Briefings
Tracks: Security + Identity + Policy
Kubernetes has several security mechanisms that can be used to secure your applications: - limit network connectivity with network policies - block some system calls with seccomp profiles - restrict access to some Linux capabilities in security contexts Defining those policies is difficult. It usually happens that the team defining them is not the one that created the application, hence they might not have a good enough view of the architecture to know how to write them. We will present and demo different ways to automatically generate the 3 different kind of policies mentioned above by monitoring the application's events with the following eBPF-based tools: - Inspektor Gadget - Kubernetes Security Profiles Operator - oci-seccomp-bpf-hook We'll discuss the limitations of this approach and the future ahead of these tools. Finally, we will explain how applications can be audited to see if the security policies are respected.
Kubernetes to Cloud Attack Vectors: Demos Inside
Format: 35-Minutes Briefings
Tracks: Security + Identity + Policy
Cloud service providers are constantly enhancing and releasing new capabilities to provide the best managed Kubernetes experience, intertwining cloud-specific capabilities within, to ease integrations and reduce friction. This talk is about the fine line between your managed Kubernetes cluster and its underlying Cloud environment, and how intertwining cloud-specific capabilities within the managed Kubernetes services introduces potential attack vectors and lateral movement paths – from Kubernetes outwards, or from the cloud inwards. This talk is demo-driven, we'll demonstrates several scenarios where an attacker can gain a foothold in a Kubernetes cluster and move laterally in order to compromise other cloud resources outside the cluster, or alternatively, gaining access to a cloud resource with the intent of compromising resources within a cluster. This talk also covers some of the best practices for configurations and standards to adopt in EKS, AKS and GKE to secure them from cluster-to-cloud or cloud-to-cluster attacks.
Migrating From PodSecurityPolicy
Format: 35-Minutes Briefings
Tracks: Security + Identity + Policy
Pod Security Policy (PSP) has been completely removed in Kubernetes v1.25, making it essential for users to migrate their clusters before upgrading to v1.25. The good news is that the Pod Security admission controller, designed as a simpler successor to PSP, just graduated to stable. The bad news is that the migration is not always straightforward. In this talk, you will see the quick-and-dirty migration path, and then dive deep into the nuances and challenges of migrating off PSP. We will also explore a couple of alternatives to the Pod Security admission controller, and when and why you might choose those alternatives instead. The goal of this talk is to empower you to confidently and safely begin upgrading your clusters, and bid farewell to PSP.
How the Argo Project Transitioned From Security Aware To Security First
Format: 35-Minutes Briefings
Tracks: Security + Identity + Policy
When the Argo project applied for graduation, we believed we had a good handle on security. After all, we hadn't had any CVEs in a while, and we had 100s of companies using it in production. So everything must be great, right? This is the story of an incubating CNCF project learning: what we didn't know and how we dove headfirst into a mission to put security first. Attendees will learn about the project processes we put in place for reported vulnerabilities, how to work with external security companies, and the help we received from the CNCF. We’ll also dig into the engineering best practices we implemented as well as take a look at some concrete implementations around SBOMs and Fuzzing. The information in this talk will be especially beneficial to anyone from incubating or sandbox projects that are setting out to improve their security posture, but the learnings, stories and recommendations presented will be equally applicable to any software project or product.
Cilium Updates, News And Roadmap
Format: 35-Minutes Briefings
Tracks: Maintainer Track
Welcome to Cilium! In this session you'll get an update on how the Cilium project has been progressing on the road towards graduation. You'll hear about the latest developments and future roadmap, including news about some of the largest and most interesting deployments of Cilium. And don't miss this session if you're interested in contributing to the project, as there will be guides on how to get involved and where your help is needed.
Lightning Talk: A Puzzling Solution. How To Be Better At Accepting Others Experiences.
Format: 5-Minutes lightning Talk
Tracks: Maintainer Track
As we gain experience and expertise in an area of study we often find ourselves struggling to meet our colleagues where they are. In this session I am going to share an experience I've had that I think can help you bring a little objectivity to the problem. We can all do better at listening and raising others up. I've spent years at this and I still make mistakes all the time. If you are interested in seeing someone solve a rubiks cube live on stage come on over and join me for this lightning talk!
The New Stack Pancake Breakfast - "Devs and ops people – it’s time for some Kubernetes couples therapy"
Format: 60-Minutes Panel
Tracks: Experiences
Join us for a dive deep into how Kubernetes shapes the dynamic between dev and ops teams with people who’ve been there. Questions we will explore:
· Have you resolved the eternal tension between experimentation and control?
· Are you true partners with the same goals and priorities?
· Do you agree on the need for security and trust, or fight over complexity and cost?
· Do you really talk, or just swap trouble tickets?
Way back in May at KubeCon EU we hosted a packed panel about the ops experiences with Kubernetes ‘after the honeymoon'. But what about the developer experience? It’s not just about ops teams. Devs need some love, too.
They say a problem shared is a problem halved. Let’s avoid a food fight and talk it through at the breakfast table over a short stack with The New Stack, sponsored by Spectro Cloud.
Zero Trust Supply Chains with Project Sigstore and SPIFFE
Format: 35-Minutes Briefs
Tracks: Maintainers
In order to ensure the trustworthiness of your software supply chain, maintainers must restate a number of assumptions. As opposed to inherently trusting build systems to serve accurate package metadata, we propose verification of every claim in the chain against the actors and tasks involved in the process. The combination of cryptographically verifiable identities with the use of transparency logs provides a novel approach to accomplish so and increase the security guarantees of your release artifacts.
Project Sigstore provides a toolkit to allow organizations to publish verifiable provenance about publicly distributed artifacts. This metadata is in turn stored on the Sigstore Binary Transparency Log (Rekor), signed and verified by use of Keyless Signatures (Cosign) and the Sigstore Certificate Authority (Fulcio), and stored in an OCI registry where it can be verified, discovered, and used in policy engines. Backed by SPIFFE’s reference implementation SPIRE, all cryptographic operations are rooted in a strongly attested universal identity control plane for distributed systems.
This presentation will demonstrate how a zero trust supply chain architecture can be applied to build systems, through the use of Sigstore and SPIRE for a Federated, Verifiable, Zero-Trust Supply Chain. Additionally, TektonCD will be used as the example build system and in-toto as the example provenance format.
Format: 35-Minutes Briefs
Tracks: CI/CD
Automating cloud native app development and incorporating security through a transparent and consistent process is key in building any production level applications. On a daily basis, think about how often you build your application and scan for vulnerabilities in the code. This is mostly an afterthought and not always considered as the easy part of developing any applications. However, the recent vulnerability exploits reinforced the need for a secure development lifecycle. Simplifying and automating the process all in a single pull request makes it much easier for any cloud app developer to add security! This talk will cover how to leverage available open source tooling to build and test a cloud native application, run security scans across it, and package it for shipping. For automation, we will have a step-by-step demonstration on how to set it up all within a PR to provide consistency and push the containerized application to a Kubernetes environment.
Thriving With Kubernetes On-Call: Best Practices & Lessons Learned - Sunil Shah & Ramya Krishnan, Airbnb; Ashley Cutalo, Lyft; Madhu C.S., Robinhood; Fabio Kung, Netflix
Format: 35-Minutes Briefs
Tracks: Reliability + Operational Continuity
Kubernetes clusters are critical infrastructure at large, public companies, with large amounts of traffic, complex dependencies on 3rd party services, and constant change as developers release features and traffic scales up and down. In this panel discussion, engineers from Airbnb, Lyft, Netflix and Robinhood share their challenges, experiences and learnings when it comes to managing a sustainable on-call rotation that meets the needs of their internal users whilst maintaining a high uptime to serve business critical workloads. Topics covered will include: +Keeping on-call engineers happy + Balancing rapid response with alert fatigue + Strategies to proactively deal with production issues + Preparing engineers for on-call
