KubeCon + CloudNativeCon North America 2024: Full Schedule

In-person
November 12-15
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Mountain Standard Time (UTC -7). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change and session seating is available on a first-come, first-served basis.

arrow_back View All Dates

11:00am MST

Powering Automatic Authorization in Envoy Through Live Traffic Inspection - Dom Del Nano, Pixie core maintainer

Friday November 15, 2024 11:00am - 11:35am MST

Salt Palace | Level 1 | 151

The dynamic nature of today’s environments coupled with the importance of data privacy has made AuthN/Z crucial for safeguarding sensitive data. However, many large scale environments existed before these best practices and tooling were commonplace. Retrofitting systems requires a deep understanding of service to service access patterns and requires significant effort to achieve least privilege access. While service dependencies are often difficult to track, the rise of zero instrumentation Observability tools has eased access to this data, providing a potential baseline for AuthZ rules. Projects such as CNCF Pixie and Hubble expose language agnostic protocol traces providing full visibility of their environments. Pixie even supplies access to the span payloads making L7 analysis possible. In this talk, we present a case study of using Pixie to generate OPA policies for Envoy AuthZ using real traffic. This approach provides a starting point for scoping permissions on a L7 basis.

Speakers

Dom Del Nano

Dom Delnano, Pixie core maintainer

Dom is a Principal Software Engineer at New Relic working on the Pixie open source project, which provides observability to Kubernetes applications through eBPF based auto instrumentation. Prior to his full time work on Pixie, Dom was at Twitter scaling its internally developed time... Read More →

Friday November 15, 2024 11:00am - 11:35am MST
Salt Palace | Level 1 | 151

Security

Content Experience Level Advanced

11:55am MST

Rogue No More: Securing Kubernetes with Node-Specific Restrictions - Anish Ramasekar, Microsoft & James Munnelly, Apple

Friday November 15, 2024 11:55am - 12:30pm MST

Salt Palace | Level 1 | 151

Did you know that a component running across multiple nodes, such as in a daemonset, intended to perform node-specific actions, can pose a significant security risk? If any node the component is running on goes rogue, it can lead to attacks on the cluster, or even worse, a complete takeover of it. What if we could restrict the component's ability to write resources only to those belonging to the node it is running on to prevent such escalation attacks? In this talk, Anish and James will introduce new Kubernetes security enhancements to bound service account tokens, which can be used with validating admission policies to enforce per-node restrictions on service accounts. This session will provide you with practical implementation guidelines and show you how these enhancements can mitigate risks and protect your infrastructure with robust node isolation.

Speakers

James Munnelly

Staff Field Engineer, Apple

James Munnelly is a Field Engineer at Apple, helping customers adopt and adapt Kubernetes, and driving adoption of OSS cloud native technologies. James is also the founder of the cert-manager project, a Kubernetes extension for managing x509 certificates. He's an active member of... Read More →

Anish Ramasekar

Principal Software Engineer, Microsoft

Anish Ramasekar is a software engineer at Microsoft. He is on the Azure Container Upstream team building features for Kubernetes upstream and various CNCF projects that are part of the Azure Kubernetes Service. Anish is a maintainer of the Secrets Store CSI Driver project.

Friday November 15, 2024 11:55am - 12:30pm MST
Salt Palace | Level 1 | 151

Security

Content Experience Level Intermediate

2:00pm MST

Seccomp and eBPF; What’s the Difference? Why Do I Need to Know? - Natalia Reka Ivanko & Duffie Cooley, Isovalent @ Cisco

Friday November 15, 2024 2:00pm - 2:35pm MST

Salt Palace | Level 1 | 151

Containers in Kubernetes share a common Linux kernel so how can we limit access where it isn’t required so we can follow the principle of least privilege? Join Natalia and Duffie as they each explore different approaches to harden your container security with Secure Computing (seccomp) and eBPF! The talk will begin with an overview and comparison between seccomp and eBPF and how they both can solve the same problem - limiting access to the Linux Kernel that all containers share. This will be a fun talk, showing each solution with a live demo. You will leave this talk with a better understanding of how to limit what system calls a process can make and restrict your containers’ behavior to only access the files, binaries and external DNS names they need and nothing more. Which is the right solution for your environment? Come and learn about two of the commonly used technologies in use today!

Speakers

Natalia Reka Ivanko

Sr. Product Manager, Isovalent, now part of Cisco

Natalia Ivanko is a Sr. Product Manager at Isovalent, and now part of Cisco, leading an eBPF-based Runtime Security Product, Tetragon. She has been previously a Security Engineer with a strong background in Linux, Container and Cloud Security. Passionate about building things that... Read More →

Duffie Cooley

Field CTO, Isovalent @ Cisco

Duffie is Field CTO at Isovalent focused on helping enterprises find success with Cilium and modern security tooling. Duffie has been working with all things systems and networking for 20 years and remembers most of it. A student of perspective, Duffie is always interested in working... Read More →

Friday November 15, 2024 2:00pm - 2:35pm MST
Salt Palace | Level 1 | 151

Security

Content Experience Level Beginner

2:55pm MST

Securing the Supply Chain: A Practical Guide to SLSA Compliance from Build to Runtime - Enguerrand Allamel, Ledger

Friday November 15, 2024 2:55pm - 3:30pm MST

Salt Palace | Level 1 | 151

Navigating the complexities of supply chain security might seem intimidating, especially with evolving frameworks like SLSA (Supply-chain Levels for Software Artifacts). This talk introduces beginners to the foundational practices required to secure software from build to runtime using CNCF tools. We'll explore how GitHub Actions can automate build processes, integrate with Cosign for keyless artifact signing, and use Kyverno for runtime policy enforcement. Additionally, we'll discuss how tools like in-toto and Kubescape help manage and verify artifact integrity, providing a holistic view of SLSA compliance in the Kubernetes ecosystem. To enhance security further, we will also briefly discuss the potential integration of Hardware Security Modules (HSMs) into the supply chain. HSMs can offer an added layer of security for key management operations critical to signing processes, ensuring that cryptographic keys are managed securely and are resilient against attack.

Speakers

Enguerrand Allamel

Staff Cloud Security Engineer, Ledger

I am a Staff Cloud Security Engineer with a focus on securing scalable and reliable cloud systems. My expertise encompasses hybrid computing technologies and automation tools such as Terraform and Ansible, along with container orchestration via Kubernetes. I am committed to optimizing... Read More →

Friday November 15, 2024 2:55pm - 3:30pm MST
Salt Palace | Level 1 | 151

Security

Content Experience Level Beginner

4:00pm MST

SPIFFE Deployments in Non-Kubernetes Environments - Nadin El-Yabroudi & Eli Nesterov, SPIRL

Friday November 15, 2024 4:00pm - 4:35pm MST

Salt Palace | Level 1 | 151

The SPIFFE ideology is that workloads running in all types of environments can be issued an identity. However, in practice most deployments have focused on workloads in Kubernetes and there are few examples of SPIFFE being used in non-cloud native environments. In this talk we’ll explore SPIFFE deployments on a Linux environment. What does attestation for these types of workloads look like? How can you provide an identity to a bash script that cannot open a socket connection to the Workload API? We’ll focus on describing some of the existing challenges to non-Kubernetes SPIFFE deployments and provide some ideas for how to solve them.

Speakers

Nadin El-Yabroudi

Software Engineer, SPIRL

Nadin is a founding engineer at SPIRL where she’s currently focused on building a new implementation of the SPIFFE specification. Before working on machine identity Nadin worked as a Security and Systems Engineer at Cloudflare where she worked on securing Cloudflare’s 200+ datacenters... Read More →

Eli Nesterov

CTO, SPIRL

Eli Nesterov is a co-founder at SPIRL. He spent years in security research and engineering, building and scaling security products at TikTok, Facebook, ShapeSecurity, and F5 Networks. He built the world's largest SPIFFE/SPIRE deployment with over 1M nodes. Eli shares his knowledge... Read More →

Friday November 15, 2024 4:00pm - 4:35pm MST
Salt Palace | Level 1 | 151

Security

Content Experience Level Advanced

4:55pm MST

SPIFFE the Easy Way: Universal X509 and JWT Identities Using Cert-Manager - Tim Ramlot & Ashley Davis, Venafi

Friday November 15, 2024 4:55pm - 5:30pm MST

Salt Palace | Level 1 | 151

SPIFFE is incredible. Each workload is assigned its own universal identity, simplifying the security and management of communications in distributed systems. While SPIRE (the reference SPIFFE implementation) is exceptionally powerful, it is also quite complex. Deploying SPIRE on Kubernetes requires StatefulSets, which can be challenging and frustrating. Many cloud vendors are starting to offer turnkey SPIFFE solutions, but that comes with risk of vendor lock-in. In this talk, we will demonstrate how to use the Cloud Native cert-manager solution to implement SPIFFE (x509 and JWT) with low operational overhead for all Kubernetes workloads. The session includes all you need to know to issue X.509 SVIDs, use them and validate them. Additionally, we will introduce an experimental solution to convert x509 SVIDs into JWT SVIDs. The demo will highlight how to authenticate to third-party APIs (such as AWS, GCP, Azure, and others) using these JWT SVIDs.

Speakers

Ashley Davis

Staff Software Engineer, Venafi

As a teenager, Ash taught himself to program after wondering how exactly video games were made. That led to adventures trawling through open source codebases, sparking an interest in computers spanning from bare-metal machine code right up to scalable distributed platforms like Kubernetes... Read More →

Tim Ramlot

Senior Software Engineer - cert-manager maintainer, Venafi

Tim started working at Venafi as a software engineer after his graduation as computer science engineer at Ghent University. He learned about cert-manager and Venafi through a Google Summer of Code internship. His mission at Venafi is to advance his problem solving skills, whilst contributing... Read More →

Friday November 15, 2024 4:55pm - 5:30pm MST
Salt Palace | Level 1 | 151

Security

Content Experience Level Intermediate