KubeCon + CloudNativeCon North America 2024: Full Schedule

In-person
November 12-15
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Mountain Standard Time (UTC -7). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change and session seating is available on a first-come, first-served basis.

arrow_back View All Dates

11:15am MST

AuthZEN: The “OpenID Connect” for Authorization - Omri Gazitt, Aserto

Wednesday November 13, 2024 11:15am - 11:50am MST

Salt Palace | Level 1 | 151 G

Today, the authorization world is fractured - each vendor supports its own APIs & protocols. But this is about to change. AuthZEN, a new OpenID Foundation working group, was created in late 2023 to establish authorization standards. OIDF is the home of OpenID Connect, the ubiquitous standard for federated login, and that’s where we’re setting our sights. In this talk, I'll describe the current state of cloud-native authorization, including the policy-as-code and policy-as-data approaches, and the various open source projects in each camp. I'll also share the progress we’ve made creating a single authorization API that works across both policy-as-code (OPA, Topaz) and policy-as-data (Zanzibar-style projects), present the API specs we've created so far, and show off the various interoperable implementations. With this foundation in place, engineering teams can be more confident in externalizing their authorization and picking a provider without being locked in to a proprietary API.

Speakers

Omri Gazitt

Co-founder & CEO, Aserto

Omri is the co-founder/CEO of Aserto, an authorization startup, and his third entrepreneurial venture. He's spent the majority of his 30-year career working on developer and infrastructure technology, most recently as the CPO of Puppet. Previously he was the VP and GM of HP's Cloud... Read More →

AuthZEN OIDC of Authorization pdf

Wednesday November 13, 2024 11:15am - 11:50am MST
Salt Palace | Level 1 | 151 G

Security

Content Experience Level Any

12:10pm MST

Breaking Free from Vulnerability Scanning Noise: Automated VEX Aggregation for Accuracy - Teppei Fukuda, Aqua Security Software Ltd.

Wednesday November 13, 2024 12:10pm - 12:45pm MST

Salt Palace | Level 1 | 151 G

Vulnerability scanners detect known vulnerabilities in software dependencies, but often produce inaccurate results (false-positives) due to their inability to automatically determine if a vulnerability is actually exploitable. Vulnerability Exploitability eXchange (VEX) is an industry-wide initiative that aims to address this issue, but the lack of standardized distribution hinders its effective utilization. This talk introduces VEX Hub, a central repository that automatically aggregates VEX documents published by open-source projects. VEX Hub’s unique architecture makes it easy and practical for software maintainers to start adopting VEX, while at the same time making it seamless for scanners and users to incorporate VEX in their workflow. The presentation showcases a practical use case of VEX Hub with Trivy, an open-source security scanner that popularizes VEX thanks to VEX Hub and delivers more accurate and actionable scanning results to its users.

Speakers

Teppei Fukuda

Open Source Engineer, Aqua Security Software Ltd.

Teppei Fukuda is the creator of Trivy and works at Aqua Security as an Open Source Software Engineer. He has a wealth of software engineering experience working on network and security. Away from the work, he is an avid manga enthusiast, dreaming of reading every comic book in the... Read More →

slides pdf

Wednesday November 13, 2024 12:10pm - 12:45pm MST
Salt Palace | Level 1 | 151 G

Security

Content Experience Level Any

2:30pm MST

Bridging Clouds: TikTok’s Blueprint for Unified OIDC Access on Multi-Cloud Kubernetes - Naveen Mogulla, TikTok

Wednesday November 13, 2024 2:30pm - 3:05pm MST

Salt Palace | Level 1 | 151 G

As businesses embrace increasingly complex multi-cloud environments, managing access across diverse Kubernetes setups becomes paramount. At TikTok, we faced the challenge of unifying OpenID Connect (OIDC) access for Kubernetes clusters across GKE, EKS, OKE and on-prem clusters each providing different levels of support and integration. This talk will detail our journey to develop a scalable, centralized OIDC framework using a reverse proxy approach, ensuring seamless authentication and authorization across different cloud providers. We will discuss our architectural strategy, highlighting how we leveraged Envoy for request handling and dynamic configuration with external authorization filters to accommodate diverse OIDC implementations. Discover how TikTok overcame identifying OIDC discrepancies among providers to implementing a unified solution that not only simplifies k8s access management but also reinforces security and compliance across our global, multi-cloud infrastructure.

Speakers

Naveen Mogulla

Tech Lead, TikTok

Naveen Mogulla is a Tech Lead at TikTok kubernetes edge platform team. He has worked in Infrastructure engineering for almost 13+ years. He is also the main contributor to the AWS IAM operator in the keiko project. He was part of the Intuit core team which created multiple open source... Read More →

Wednesday November 13, 2024 2:30pm - 3:05pm MST
Salt Palace | Level 1 | 151 G

Security

Content Experience Level Advanced

3:25pm MST

CEL-Ebrating Simplicity: Mastering Kubernetes Policy Enforcement - Kevin Conner, Getup Cloud & Anish Ramasekar, Microsoft

Wednesday November 13, 2024 3:25pm - 4:00pm MST

Salt Palace | Level 1 | 151 G

As Kubernetes deployments grow increasingly complex, robust policy enforcement is crucial. The Common Expression Language (CEL) provides a powerful solution, enabling the creation of sophisticated, human-readable expressions for Kubernetes policies. This session explores CEL's integration with Kubernetes, simplifying policy definition and enforcement. Key takeaways: - Fundamentals of CEL and its Kubernetes integration. - Practical use cases for CEL in admission control, resource management, and security. - Enhancing policy expressiveness and flexibility with CEL. - Introduction to CEL Playground for testing and validating CEL expressions. Through live demos, learn to leverage CEL and CEL Playground for streamlined policy management in Kubernetes. Ideal for administrators, developers, and DevOps professionals, this session equips you to enhance your Kubernetes policies using CEL. Join us to discover how CEL and CEL Playground can transform your Kubernetes policy management.

Speakers

Anish Ramasekar

Principal Software Engineer, Microsoft

Anish Ramasekar is a software engineer at Microsoft. He is on the Azure Container Upstream team building features for Kubernetes upstream and various CNCF projects that are part of the Azure Kubernetes Service. Anish is a maintainer of the Secrets Store CSI Driver project.

Kevin Conner

Chief Engineer, Getup Cloud

Kevin Conner is the Chief Engineer at GetUp Cloud, a startup focused on Kubernetes and DevSecOps. He has worked at startups like Integrated Micro Products, Arjuna Technologies, JBoss, and Aviatrix, as well as Sun Microsystems and Red Hat where he led teams for Cloud Enablement, Service... Read More →

CEL Ebrating Simplicity Mastering Kubernetes Policy Enforcement pdf

Wednesday November 13, 2024 3:25pm - 4:00pm MST
Salt Palace | Level 1 | 151 G

Security

Content Experience Level Intermediate

4:30pm MST

Expanding the Capabilities of Kubernetes Access Control - Jimmy Zelinskie, authzed & Lucas Käldström, Upbound

Wednesday November 13, 2024 4:30pm - 5:05pm MST

Salt Palace | Level 1 | 151 G

Kubernetes RBAC is an effective way of managing ACLs in one cluster. However, there are many other effective paradigms out there, such as Attribute- & Relation-based Access Control. In this talk, we’ll demystify how these differ, and when to use respective paradigms, giving context and guidance. We’ll highlight how Kubernetes access control has recently evolved towards supporting lots of different use-cases. We take this opportunity to cover multiple perspectives: security within a single cluster (zooming in) and security within real-life production environments with external services and multiple clusters (zooming out). As containers became ubiquitous first with excellent tools like Docker, we believe the same can and will happen for access control, yielding uniform, interoperable and understandable authorization. Finally, we'll propose future work that could be done to supercharge Kubernetes and ensure it keeps up with the ever increasing security requirements in our industry.

Speakers

Lucas Käldström

Senior Software Engineer, Upbound

Lucas is a Kubernetes and cloud native expert who has been serving the CNCF community in lead positions for 6 years. He’s awarded Top CNCF Ambassador 2017 with Sarah Novotny. Lucas was a co-lead for SIG Cluster Lifecycle, co-created kubeadm, Weave Ignite, and ported Kubernetes to... Read More →

Jimmy Zelinskie

Co-founder, authzed

Jimmy Zelinskie is a software engineer and product leader with a goal of democratizing software via open source development. He's currently CPO of authzed where he's focused on bringing hyperscaler best-practices in authorization to the industry at large. At CoreOS, he helped pioneer... Read More →

Expanding the Capabilities of Kubernetes Access Control pdf

Wednesday November 13, 2024 4:30pm - 5:05pm MST
Salt Palace | Level 1 | 151 G

Security

Content Experience Level Intermediate

5:25pm MST

From Observability to Enforcement: Lessons Learned Implementing eBPF Runtime Security - Anna Kapuścińska & Kornilios Kourtis, Isovalent

Wednesday November 13, 2024 5:25pm - 6:00pm MST

Salt Palace | Level 1 | 151 G

eBPF is getting widely adopted in cloud native runtime security tools like Falco, KubeArmor, and Tetragon. Using eBPF we can collect relevant security events right in the kernel and pass them to Security Engineers for retroactive attack detection and response. Having reliable and complete visibility is great, but wouldn't it be even better to proactively prevent attacks in progress? This talk covers the Tetragon team’s experience moving from security observability to enforcement and lessons learned along the way: from defining security models to hardening interactions between the local kernel and distributed Kubernetes systems. It will deep dive into how eBPF-based enforcement works, why it differs from observability, and the challenges of implementing it. The audience will walk away understanding the inner workings and common pitfalls of eBPF-based runtime security.

Speakers

Kornilios Kourtis

Software Engineer, Isovalent at Cisco

I am a software engineer at Isovalent, working on cloud-native networking, security, and observability using eBPF. Before that, I worked in industrial (IBM) and academic research (ETH Zurich, NTU Athens) in systems, including operating systems, storage and network stacks, and high-performance... Read More →

Anna Kapuscinska

Software Engineer, Isovalent at Cisco

Anna is a software engineer at Isovalent, focusing on eBPF-based observability and security. Her previous roles span the industry: she wore both developer and SRE hats, and worked in AdTech, FinTech, public healthcare, end-user SaaS company and a hosting provider. On good weather... Read More →

Kubecon 2024 NA From Observability to Enforcement Lessons Learned Implementing eBPF Runtime Security pdf

Wednesday November 13, 2024 5:25pm - 6:00pm MST
Salt Palace | Level 1 | 151 G

Security

Content Experience Level Intermediate