In-person
November 12-15

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is displayed in Mountain Standard Time (UTC -7). The schedule is subject to change and session seating is available on a first-come, first-served basis.
Friday, November 15
11:00am MST

Powering Automatic Authorization in Envoy Through Live Traffic Inspection - Dom Del Nano, Pixie core maintainer
Friday November 15, 2024 11:00am - 11:35am MST
The dynamic nature of today's environments, coupled with the importance of data privacy, has made AuthN/Z crucial for safeguarding sensitive data. However, many large-scale environments existed before these best practices and tooling were commonplace. Retrofitting such systems requires a deep understanding of service-to-service access patterns and significant effort to achieve least-privilege access. While service dependencies are often difficult to track, the rise of zero-instrumentation observability tools has eased access to this data, providing a potential baseline for AuthZ rules. Projects such as CNCF Pixie and Hubble expose language-agnostic protocol traces that give full visibility into their environments. Pixie even supplies access to the span payloads, making L7 analysis possible. In this talk, we present a case study of using Pixie to generate OPA policies for Envoy AuthZ from real traffic. This approach provides a starting point for scoping permissions on an L7 basis.
Speakers
Dom Del Nano, Pixie core maintainer
Dom is a Principal Software Engineer at New Relic working on the Pixie open source project, which provides observability to Kubernetes applications through eBPF-based auto-instrumentation. Prior to his full-time work on Pixie, Dom was at Twitter scaling its internally developed time...
Salt Palace | Level 1 | 151
Security

4:00pm MST

SPIFFE Deployments in Non-Kubernetes Environments - Nadin El-Yabroudi & Eli Nesterov, SPIRL
Friday November 15, 2024 4:00pm - 4:35pm MST
The SPIFFE ideology is that workloads running in all types of environments can be issued an identity. In practice, however, most deployments have focused on workloads in Kubernetes, and there are few examples of SPIFFE being used in non-cloud-native environments. In this talk, we'll explore SPIFFE deployments in a Linux environment. What does attestation for these types of workloads look like? How can you provide an identity to a bash script that cannot open a socket connection to the Workload API? We'll focus on describing some of the existing challenges of non-Kubernetes SPIFFE deployments and offer some ideas for how to solve them.
Speakers
Nadin El-Yabroudi, Software Engineer, SPIRL
Nadin is a founding engineer at SPIRL, where she's currently focused on building a new implementation of the SPIFFE specification. Before working on machine identity, Nadin worked as a Security and Systems Engineer at Cloudflare, where she worked on securing Cloudflare's 200+ datacenters...
Eli Nesterov, CTO, SPIRL
Eli Nesterov is a co-founder at SPIRL. He spent years in security research and engineering, building and scaling security products at TikTok, Facebook, ShapeSecurity, and F5 Networks. He built the world's largest SPIFFE/SPIRE deployment with over 1M nodes. Eli shares his knowledge...
Salt Palace | Level 1 | 151
Security