In-person
November 12-15

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Mountain Standard Time (UTC -7). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change and session seating is available on a first-come, first-served basis. 
Track: Security
Friday, November 15
 

11:00am MST

Powering Automatic Authorization in Envoy Through Live Traffic Inspection - Dom Del Nano, Pixie core maintainer
Friday November 15, 2024 11:00am - 11:35am MST
The dynamic nature of today’s environments, coupled with the importance of data privacy, has made AuthN/Z crucial for safeguarding sensitive data. However, many large-scale environments existed before these best practices and tooling were commonplace. Retrofitting such systems requires a deep understanding of service-to-service access patterns and significant effort to achieve least-privilege access. While service dependencies are often difficult to track, the rise of zero-instrumentation observability tools has eased access to this data, providing a potential baseline for AuthZ rules. Projects such as CNCF Pixie and Hubble expose language-agnostic protocol traces, providing full visibility into their environments. Pixie even supplies access to the span payloads, making L7 analysis possible. In this talk, we present a case study of using Pixie to generate OPA policies for Envoy AuthZ from real traffic. This approach provides a starting point for scoping permissions on an L7 basis.
Speakers

Dom Delnano

Dom Delnano, Pixie core maintainer
Dom is CEO of Cosmic and a core maintainer of the Pixie open source project. He previously worked at Crowdstrike, focusing on the eBPF Linux sensor, and at New Relic, working on Pixie full-time. Dom first began building observability tooling at Twitter, where he scaled the internally... Read More →
Salt Palace | Level 1 | 151 G
  Security

11:55am MST

Rogue No More: Securing Kubernetes with Node-Specific Restrictions - Anish Ramasekar, Microsoft & James Munnelly, Apple
Friday November 15, 2024 11:55am - 12:30pm MST
Did you know that a component running across multiple nodes, such as in a daemonset, intended to perform node-specific actions, can pose a significant security risk? If any node the component is running on goes rogue, it can lead to attacks on the cluster, or even worse, a complete takeover of it. What if we could restrict the component's ability to write resources only to those belonging to the node it is running on to prevent such escalation attacks? In this talk, Anish and James will introduce new Kubernetes security enhancements to bound service account tokens, which can be used with validating admission policies to enforce per-node restrictions on service accounts. This session will provide you with practical implementation guidelines and show you how these enhancements can mitigate risks and protect your infrastructure with robust node isolation.
Speakers

James Munnelly

Staff Field Engineer, Apple
James Munnelly is a Field Engineer at Apple, helping customers adopt and adapt Kubernetes, and driving adoption of OSS cloud native technologies. James is also the founder of the cert-manager project, a Kubernetes extension for managing x509 certificates. He's an active member of... Read More →

Anish Ramasekar

Principal Software Engineer, Microsoft
Anish Ramasekar is a software engineer at Microsoft. He is on the Azure Container Upstream team building features for Kubernetes upstream and various CNCF projects that are part of the Azure Kubernetes Service. Anish is a maintainer of the Secrets Store CSI Driver project.
Salt Palace | Level 1 | 151 G
  Security

2:00pm MST

Seccomp and eBPF; What’s the Difference? Why Do I Need to Know? - Natalia Reka Ivanko & Duffie Cooley, Isovalent @ Cisco
Friday November 15, 2024 2:00pm - 2:35pm MST
Containers in Kubernetes share a common Linux kernel so how can we limit access where it isn’t required so we can follow the principle of least privilege? Join Natalia and Duffie as they each explore different approaches to harden your container security with Secure Computing (seccomp) and eBPF! The talk will begin with an overview and comparison between seccomp and eBPF and how they both can solve the same problem - limiting access to the Linux Kernel that all containers share. This will be a fun talk, showing each solution with a live demo. You will leave this talk with a better understanding of how to limit what system calls a process can make and restrict your containers’ behavior to only access the files, binaries and external DNS names they need and nothing more. Which is the right solution for your environment? Come and learn about two of the commonly used technologies in use today!
Speakers

Natalia Reka Ivanko

Sr. Product Manager, Isovalent, now part of Cisco
Natalia Ivanko is a Sr. Product Manager at Isovalent, now part of Cisco, leading an eBPF-based runtime security product, Tetragon. She was previously a Security Engineer with a strong background in Linux, container and cloud security. Passionate about building things that... Read More →

Duffie Cooley

Field CTO, Isovalent @ Cisco
Duffie is Field CTO at Isovalent focused on helping enterprises find success with Cilium and modern security tooling. Duffie has been working with all things systems and networking for 20 years and remembers most of it. A student of perspective, Duffie is always interested in working... Read More →
Salt Palace | Level 1 | 151 G
  Security

2:00pm MST

The Policy Engines Showdown - Gabriel L. Manor, Permit.io; Andres Aguiar, Okta; Omri Gazitt, Aserto; Pauline Jamin, Agicap; Tyler Schade, Geico; Joy Scharmen, StrongDM
Friday November 15, 2024 2:00pm - 2:35pm MST
OPA, Cedar, OpenFGA, Topaz, OPAL, OSO, should I continue? Policy engines, languages, and standards are everywhere, making the decision for a good decision engine increasingly difficult. In this panel, I'll host four talented engineers, each from a different policy engine's core team, for a friendly showdown. We will assist the audience in making the most important decision - choosing a suitable and fitting decision engine for their specific use case. We will also delve into the nuances of running multiple engines together and learn how to scale them properly.
Speakers

Pauline Jamin

Staff Software Engineer, Agicap
Staff software engineer with a love for Domain-Driven Design (DDD) and back-end development. Skilled in leading teams and embracing the Site Reliability Engineering (SRE) philosophy. When not crafting code, you'll find me exploring the great outdoors with my loyal dog. Catch me sharing... Read More →

Tyler Schade

Distinguished Engineer, GEICO
Living in Miami, Florida, I'm an engineering lead at GEICO working on service mesh and traffic management. Prior to joining GEICO, I was at Solo.io, working on multi-cluster service mesh and API gateways. I love learning more about networking and distributed systems and sharing what... Read More →

Joy Scharmen

Senior Director, Infrastructure Engineering, StrongDM
Passionate about infrastructure, and I love learning. Tell me about the great ideas you have for building scalable sustainable humane systems!

Gabriel Manor

Director of DevRel, Permit.io
Gabriel is a senior full-stack developer who blends his passion for technical leadership, security, authorization, and devtools into his current role as the Head of Growth and DevRel at Permit.io. Before joining Permit.io, Gabriel worked as a technical leader and principal engineer... Read More →

Omri Gazitt

Co-founder & CEO, Aserto
Omri is the co-founder/CEO of Aserto, an authorization startup, and his third entrepreneurial venture. He's spent the majority of his 30-year career working on developer and infrastructure technology, most recently as the CPO of Puppet. Previously he was the VP and GM of HP's Cloud... Read More →

Andres Aguiar

Product Manager, Okta
Andres has spent his 20+ year career building tools for developers, wearing different hats. He’s been working in the identity space for the last 6 years and is currently the Product Manager for OpenFGA.
Salt Palace | Level 2 | 254 B
  Security

2:55pm MST

Practical Supply Chain Security: Implementing SLSA Compliance from Build to Runtime - Enguerrand Allamel, Ledger
Friday November 15, 2024 2:55pm - 3:30pm MST
Securing the software supply chain can feel overwhelming, especially with dynamic frameworks like SLSA (Supply-chain Levels for Software Artifacts). This beginner-friendly session on software supply chain security explores practical strategies to secure your software from build to runtime.

We will utilize GitHub Actions, implement Cosign for seamless artifact signing without managing keys, and apply Kyverno for enforcing runtime policies. Additionally, you will learn how to use in-toto and Kubescape to verify and maintain artifact integrity effectively. To further bolster security, we will briefly explore integrating Hardware Security Modules (HSMs) into your workflow, providing a robust layer for key management.

By the end of this talk, you will have actionable insights and a clear understanding of how to achieve SLSA compliance within the CNCF ecosystem.
Speakers

Enguerrand Allamel

Staff Cloud Security Engineer, Ledger
Enguerrand is a Staff Cloud Security Engineer at Ledger with a background in Site Reliability Engineering. His focus areas include Software Supply Chain Security and Cloud Security.
Salt Palace | Level 1 | 151 G
  Security

4:00pm MST

SPIFFE Deployments in Non-Kubernetes Environments - Nadin El-Yabroudi & Eli Nesterov, SPIRL
Friday November 15, 2024 4:00pm - 4:35pm MST
The SPIFFE ideology is that workloads running in all types of environments can be issued an identity. However, in practice most deployments have focused on workloads in Kubernetes and there are few examples of SPIFFE being used in non-cloud native environments. In this talk we’ll explore SPIFFE deployments on a Linux environment. What does attestation for these types of workloads look like? How can you provide an identity to a bash script that cannot open a socket connection to the Workload API? We’ll focus on describing some of the existing challenges to non-Kubernetes SPIFFE deployments and provide some ideas for how to solve them.
Speakers

Nadin El-Yabroudi

Software Engineer, SPIRL
Nadin is a founding engineer at SPIRL where she’s currently focused on building a new implementation of the SPIFFE specification. Before working on machine identity Nadin worked as a Security and Systems Engineer at Cloudflare where she worked on securing Cloudflare’s 200+ datacenters... Read More →

Eli Nesterov

CTO, SPIRL
Eli Nesterov is a co-founder at SPIRL. He spent years in security research and engineering, building and scaling security products at TikTok, Facebook, ShapeSecurity, and F5 Networks. He built the world's largest SPIFFE/SPIRE deployment with over 1M nodes. Eli shares his knowledge... Read More →
Salt Palace | Level 1 | 151 G
  Security

4:00pm MST

SPIFFE the Easy Way: Universal X509 and JWT Identities Using cert-manager - Tim Ramlot & Ashley Davis, Venafi
Friday November 15, 2024 4:00pm - 4:35pm MST
SPIFFE is incredible. Each workload is assigned its own universal identity, simplifying the security and management of communications in distributed systems. While SPIRE (the reference SPIFFE implementation) is exceptionally powerful, it is also quite complex. Deploying SPIRE on Kubernetes requires StatefulSets, which can be challenging and frustrating. Many cloud vendors are starting to offer turnkey SPIFFE solutions, but that comes with risk of vendor lock-in. In this talk, we will demonstrate how to use the Cloud Native cert-manager solution to implement SPIFFE (x509 and JWT) with low operational overhead for all Kubernetes workloads. The session includes all you need to know to issue X.509 SVIDs, use them and validate them. Additionally, we will introduce an experimental solution to convert x509 SVIDs into JWT SVIDs. The demo will highlight how to authenticate to third-party APIs (such as AWS, GCP, Azure, and others) using these JWT SVIDs.
Speakers

Ashley Davis

Staff Software Engineer, Venafi
As a teenager, Ash taught himself to program after wondering how exactly video games were made. That led to adventures trawling through open source codebases, sparking an interest in computers spanning from bare-metal machine code right up to scalable distributed platforms like Kubernetes... Read More →

Tim Ramlot

Senior Software Engineer - cert-manager maintainer, Venafi
Tim started working at Venafi as a software engineer after his graduation as computer science engineer at Ghent University. He learned about cert-manager and Venafi through a Google Summer of Code internship. His mission at Venafi is to advance his problem solving skills, whilst contributing... Read More →
Salt Palace | Level 1 | Grand Ballroom B
  Security

4:00pm MST

Why Perfect Compliance Is the Enemy of Good Kubernetes Security - Michele Chubirka, Google
Friday November 15, 2024 4:00pm - 4:35pm MST
Technology organizations often struggle over who should manage the security of their Kubernetes environment. This task usually falls to platform or cloud engineering teams, but they often feel abandoned by their security counterparts, uncertain of which requirements will deliver real security value. While published benchmarks and security guides for Kubernetes are helpful, not all recommendations work for every use-case. They may require Kubernetes alpha or beta features which could cause issues with platform stability. Our desire to prioritize “perfect” security over having a functional platform that addresses relevant risks can leave us with nothing, frustrating everyone. Kubernetes is meant to increase application delivery velocity, but when overly strict compliance prevents a team from moving forward, they will subvert security requirements. Let’s stop obsessing over the red in our security and compliance dashboards and focus on what adds real value by reducing risk.
Speakers

Michele Chubirka

Cloud Security Advocate, Google
Michele Chubirka is a recovering Unix and network engineer currently working as a cloud security advocate for Google. She has been an architect, podcaster and freelance writer for various B2B publications such as Network Computing, Dark Reading and TechTarget. She likes long walks... Read More →
Salt Palace | Level 2 | 254 B
  Security