Loading…
In-person
November 12-15
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Mountain Standard Time (UTC -7). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change and session seating is available on a first-come, first-served basis. 
or to bookmark your favorites and sync them to your phone or calendar.
strong>Security [clear filter]
Wednesday, November 13
 

11:15am MST

AuthZEN: The “OpenID Connect” for Authorization - Omri Gazitt, Aserto
Wednesday November 13, 2024 11:15am - 11:50am MST
Today, the authorization world is fractured - each vendor supports its own APIs & protocols. But this is about to change. AuthZEN, a new OpenID Foundation working group, was created in late 2023 to establish authorization standards. OIDF is the home of OpenID Connect, the ubiquitous standard for federated login, and that’s where we’re setting our sights. In this talk, I'll describe the current state of cloud-native authorization, including the policy-as-code and policy-as-data approaches, and the various open source projects in each camp. I'll also share the progress we’ve made creating a single authorization API that works across both policy-as-code (OPA, Topaz) and policy-as-data (Zanzibar-style projects), present the API specs we've created so far, and show off the various interoperable implementations. With this foundation in place, engineering teams can be more confident in externalizing their authorization and picking a provider without being locked in to a proprietary API.
Speakers
avatar for Omri Gazitt

Omri Gazitt

Co-founder & CEO, Aserto
Omri is the co-founder/CEO of Aserto, an authorization startup, and his third entrepreneurial venture. He's spent the majority of his 30-year career working on developer and infrastructure technology, most recently as the CPO of Puppet. Previously he was the VP and GM of HP's Cloud... Read More →
Wednesday November 13, 2024 11:15am - 11:50am MST
Salt Palace | Level 1 | 151 G
  Security
  • Content Experience Level Any

11:15am MST

GitOops... I Did It Again! Protecting Your GitOps System from Being Used for Privilege Escalation - Oreen Livni & Elad Pticha, Cycode
Wednesday November 13, 2024 11:15am - 11:50am MST
From data theft to privilege escalation in the Kubernetes cluster, you don't want to be the one telling your boss that your GitOps system has been compromised. This talk covers the security of GitOps tools, highlighting common misconfiguration pitfalls and how to avoid them. We will share the story of CVE-2024-31989, a critical vulnerability we discovered in the popular tool Argo. When installed with the default configuration, this vulnerability allowed privilege escalation from any access point to the cluster (such as a webshell) to complete cluster takeover. We will discuss common insecure configurations like this and provide examples from popular open-source projects to explain how your organization can protect itself from these risks. Attendees will receive a guide and practical tools to protect their GitOps systems against such threats.
Speakers
avatar for Elad Pticha

Elad Pticha

Security Researcher, Cycode
Elad is a passionate security researcher with a focus on software supply chain and web application security. He dedicates his time to writing security research tools and finding vulnerabilities across a broad spectrum, from open-source projects and web applications to IoT devices... Read More →
avatar for Oreen Livni

Oreen Livni

Security Researcher, Cycode
Oreen Livni is a passionate security researcher specializing in application and supply chain security, Domain, and networking. With a focus on software supply chain vulnerabilities. Alongside his professional commitments, he immerses himself in art, gardening, and the world of surfing... Read More →
Wednesday November 13, 2024 11:15am - 11:50am MST
Salt Palace | Level 2 | 250 AD
  Security
  • Content Experience Level Any

12:10pm MST

Breaking Free from Vulnerability Scanning Noise: Automated VEX Aggregation for Accuracy - Teppei Fukuda, Aqua Security Software Ltd.
Wednesday November 13, 2024 12:10pm - 12:45pm MST
Vulnerability scanners detect known vulnerabilities in software dependencies, but often produce inaccurate results (false-positives) due to their inability to automatically determine if a vulnerability is actually exploitable. Vulnerability Exploitability eXchange (VEX) is an industry-wide initiative that aims to address this issue, but the lack of standardized distribution hinders its effective utilization. This talk introduces VEX Hub, a central repository that automatically aggregates VEX documents published by open-source projects. VEX Hub’s unique architecture makes it easy and practical for software maintainers to start adopting VEX, while at the same time making it seamless for scanners and users to incorporate VEX in their workflow. The presentation showcases a practical use case of VEX Hub with Trivy, an open-source security scanner that popularizes VEX thanks to VEX Hub and delivers more accurate and actionable scanning results to its users.
Speakers
avatar for Teppei Fukuda

Teppei Fukuda

Open Source Engineer, Aqua Security Software Ltd.
Teppei Fukuda is the creator of Trivy and works at Aqua Security as an Open Source Software Engineer. He has a wealth of software engineering experience working on network and security. Away from the work, he is an avid manga enthusiast, dreaming of reading every comic book in the... Read More →
slides pdf
Wednesday November 13, 2024 12:10pm - 12:45pm MST
Salt Palace | Level 1 | 151 G
  Security
  • Content Experience Level Any

12:10pm MST

🚩 An Introduction to Capture The Flag - Andy Martin & Kevin Ward, ControlPlane
Wednesday November 13, 2024 12:10pm - 12:45pm MST
The Cloud Native Capture The Flag (CTF) is available to all in-person KubeCon + CloudNativeCon North America attendees. In preparation for getting started with the activity, you are invited to attend an introductory session.

This session aims to introduce how to participate in CTF competition to those who are new to them. We will share our tips and tricks for completing these challenges and work through a practice scenario together. Want to know more about the CTF? Learn more.
Speakers
avatar for Andrew Martin

Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience... Read More →
avatar for Kevin Ward

Kevin Ward

Principal Consultant, ControlPlane
Kevin is an Principal Consultant with over 10 years of experience designing, building and testing secure solutions for Government, Defence and Finance sectors. In his own time, Kevin enjoys hacking and hardening systems to discover the balance between security and usability. He co-authored... Read More →
Wednesday November 13, 2024 12:10pm - 12:45pm MST
Salt Palace | Level 2 | 255 A

2:30pm MST

Bridging Clouds: TikTok’s Blueprint for Unified OIDC Access on Multi-Cloud Kubernetes - Naveen Mogulla, TikTok
Wednesday November 13, 2024 2:30pm - 3:05pm MST
As businesses embrace increasingly complex multi-cloud environments, managing access across diverse Kubernetes setups becomes paramount. At TikTok, we faced the challenge of unifying OpenID Connect (OIDC) access for Kubernetes clusters across GKE, EKS, OKE and on-prem clusters each providing different levels of support and integration. This talk will detail our journey to develop a scalable, centralized OIDC framework using a reverse proxy approach, ensuring seamless authentication and authorization across different cloud providers. We will discuss our architectural strategy, highlighting how we leveraged Envoy for request handling and dynamic configuration with external authorization filters to accommodate diverse OIDC implementations. Discover how TikTok overcame identifying OIDC discrepancies among providers to implementing a unified solution that not only simplifies k8s access management but also reinforces security and compliance across our global, multi-cloud infrastructure.
Speakers
avatar for Naveen Mogulla

Naveen Mogulla

Tech Lead, TikTok
Naveen Mogulla is a Tech Lead at TikTok kubernetes edge platform team. He has worked in Infrastructure engineering for almost 13+ years. He is also the main contributor to the AWS IAM operator in the keiko project. He was part of the Intuit core team which created multiple open source... Read More →
Wednesday November 13, 2024 2:30pm - 3:05pm MST
Salt Palace | Level 1 | 151 G
  Security

2:30pm MST

🚩 An Introduction to Capture The Flag - Andy Martin & Kevin Ward, ControlPlane
Wednesday November 13, 2024 2:30pm - 3:05pm MST
The Cloud Native Capture The Flag (CTF) is available to all in-person KubeCon + CloudNativeCon North America attendees. In preparation for getting started with the activity, you are invited to attend an introductory session.

This session aims to introduce how to participate in CTF competition to those who are new to them. We will share our tips and tricks for completing these challenges and work through a practice scenario together. Want to know more about the CTF? Learn more.
Speakers
avatar for Kevin Ward

Kevin Ward

Principal Consultant, ControlPlane
Kevin is an Principal Consultant with over 10 years of experience designing, building and testing secure solutions for Government, Defence and Finance sectors. In his own time, Kevin enjoys hacking and hardening systems to discover the balance between security and usability. He co-authored... Read More →
avatar for Andrew Martin

Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience... Read More →
Wednesday November 13, 2024 2:30pm - 3:05pm MST
Salt Palace | Level 2 | 255 A

3:25pm MST

CEL-Ebrating Simplicity: Mastering Kubernetes Policy Enforcement - Kevin Conner, Getup Cloud & Anish Ramasekar, Microsoft
Wednesday November 13, 2024 3:25pm - 4:00pm MST
As Kubernetes deployments grow increasingly complex, robust policy enforcement is crucial. The Common Expression Language (CEL) provides a powerful solution, enabling the creation of sophisticated, human-readable expressions for Kubernetes policies. This session explores CEL's integration with Kubernetes, simplifying policy definition and enforcement. Key takeaways: - Fundamentals of CEL and its Kubernetes integration. - Practical use cases for CEL in admission control, resource management, and security. - Enhancing policy expressiveness and flexibility with CEL. - Introduction to CEL Playground for testing and validating CEL expressions. Through live demos, learn to leverage CEL and CEL Playground for streamlined policy management in Kubernetes. Ideal for administrators, developers, and DevOps professionals, this session equips you to enhance your Kubernetes policies using CEL. Join us to discover how CEL and CEL Playground can transform your Kubernetes policy management.
Speakers
avatar for Anish Ramasekar

Anish Ramasekar

Principal Software Engineer, Microsoft
Anish Ramasekar is a software engineer at Microsoft. He is on the Azure Container Upstream team building features for Kubernetes upstream and various CNCF projects that are part of the Azure Kubernetes Service. Anish is a maintainer of the Secrets Store CSI Driver project.
avatar for Kevin Conner

Kevin Conner

Chief Engineer, Getup Cloud
Kevin Conner is the Chief Engineer at GetUp Cloud, a startup focused on Kubernetes and DevSecOps. He has worked at startups like Integrated Micro Products, Arjuna Technologies, JBoss, and Aviatrix, as well as Sun Microsystems and Red Hat where he led teams for Cloud Enablement, Service... Read More →
Wednesday November 13, 2024 3:25pm - 4:00pm MST
Salt Palace | Level 1 | 151 G
  Security

4:30pm MST

Expanding the Capabilities of Kubernetes Access Control - Jimmy Zelinskie, authzed & Lucas Käldström, Upbound
Wednesday November 13, 2024 4:30pm - 5:05pm MST
Kubernetes RBAC is an effective way of managing ACLs in one cluster. However, there are many other effective paradigms out there, such as Attribute- & Relation-based Access Control. In this talk, we’ll demystify how these differ, and when to use respective paradigms, giving context and guidance. We’ll highlight how Kubernetes access control has recently evolved towards supporting lots of different use-cases. We take this opportunity to cover multiple perspectives: security within a single cluster (zooming in) and security within real-life production environments with external services and multiple clusters (zooming out). As containers became ubiquitous first with excellent tools like Docker, we believe the same can and will happen for access control, yielding uniform, interoperable and understandable authorization. Finally, we'll propose future work that could be done to supercharge Kubernetes and ensure it keeps up with the ever increasing security requirements in our industry.
Speakers
avatar for Lucas Käldström

Lucas Käldström

Senior Software Engineer, Upbound
Lucas is a Kubernetes and cloud native expert who has been serving the CNCF community in lead positions for 6 years. He’s awarded Top CNCF Ambassador 2017 with Sarah Novotny. Lucas was a co-lead for SIG Cluster Lifecycle, co-created kubeadm, Weave Ignite, and ported Kubernetes to... Read More →
avatar for Jimmy Zelinskie

Jimmy Zelinskie

Co-founder, authzed
Jimmy Zelinskie is a software engineer and product leader with a goal of democratizing software via open source development. He's currently CPO of authzed where he's focused on bringing hyperscaler best-practices in authorization to the industry at large. At CoreOS, he helped pioneer... Read More →
Wednesday November 13, 2024 4:30pm - 5:05pm MST
Salt Palace | Level 1 | 151 G
  Security

5:25pm MST

From Observability to Enforcement: Lessons Learned Implementing eBPF Runtime Security - Anna Kapuścińska & Kornilios Kourtis, Isovalent
Wednesday November 13, 2024 5:25pm - 6:00pm MST
eBPF is getting widely adopted in cloud native runtime security tools like Falco, KubeArmor, and Tetragon. Using eBPF we can collect relevant security events right in the kernel and pass them to Security Engineers for retroactive attack detection and response. Having reliable and complete visibility is great, but wouldn't it be even better to proactively prevent attacks in progress? This talk covers the Tetragon team’s experience moving from security observability to enforcement and lessons learned along the way: from defining security models to hardening interactions between the local kernel and distributed Kubernetes systems. It will deep dive into how eBPF-based enforcement works, why it differs from observability, and the challenges of implementing it. The audience will walk away understanding the inner workings and common pitfalls of eBPF-based runtime security.
Speakers
avatar for Kornilios Kourtis

Kornilios Kourtis

Software Engineer, Isovalent at Cisco
I am a software engineer at Isovalent, working on cloud-native networking, security, and observability using eBPF. Before that, I worked in industrial (IBM) and academic research (ETH Zurich, NTU Athens) in systems, including operating systems, storage and network stacks, and high-performance... Read More →
avatar for Anna Kapuscinska

Anna Kapuscinska

Software Engineer, Isovalent at Cisco
Anna is a software engineer at Isovalent, focusing on eBPF-based observability and security. Her previous roles span the industry: she wore both developer and SRE hats, and worked in AdTech, FinTech, public healthcare, end-user SaaS company and a hosting provider. On good weather... Read More →
Wednesday November 13, 2024 5:25pm - 6:00pm MST
Salt Palace | Level 1 | 151 G
  Security

5:25pm MST

Workload Identity Federation – Stop Using Long-Lived Credentials - Benjamin Dronen, Ford Motor Company & Anjali Telang, Red Hat
Wednesday November 13, 2024 5:25pm - 6:00pm MST
Workload identity federation is a somewhat daunting but extremely beneficial topic in Kubernetes security. In this session, we will share the lessons Ford Motor Company has learned through using workload identity federation with Google Cloud Platform, Microsoft Entra ID, and other platforms at scale from a wide variety of different workload types, how it has enhanced our security posture, improved developers’ lives, and reduced outages.
Speakers
avatar for Anjali Telang

Anjali Telang

Principal Product Manager, OpenShift Security and Identity, Red Hat
Anjali Telang is a Principal Product Manager for Security and Identity in OpenShift at RedHat. She is a security and cloud enthusiast with over 16 years of experience in cloud, security and networking. Prior to joining RedHat, she worked in various product and engineering roles at... Read More →
avatar for Benjamin Dronen

Benjamin Dronen

Kubernetes Platform Engineer, Ford Motor Company
Ben Dronen started at Ford Motor Company in 2022 as part of their Ford College Graduate rotational program. He currently holds a Kubernetes Platform Engineering position and focuses on bare metal Kubernetes deployments. Ben attended Andrews University in Southwest Michigan and holds... Read More →
Wednesday November 13, 2024 5:25pm - 6:00pm MST
Salt Palace | Level 2 | 254 B
  Security
  • Content Experience Level Any
 
Thursday, November 14
 

11:00am MST

From Silicon to Service: Ensuring Confidentiality in Serverless GPU Cloud Functions - Zvonko Kaiser, NVIDIA
Thursday November 14, 2024 11:00am - 11:35am MST
With the widespread adoption of cloud computing, concerns about data privacy and infrastructure security are increasing. This session will focus on confidential cloud functions, including serverless environments and GPU-accelerated workloads, to ensure the security of your code and data within the cloud infrastructure. We will explore technologies such as hardware-based Trusted Execution Environments (TEEs) and confidential computing. In addition, we will cover hardware and software attestation to guarantee integrity from the silicon level upwards, complete stack attestation for end-to-end trust, and supply chain security to trace and verify all application components. Participants will learn practical steps to implement confidential serverless functions, utilizing GPUs for high-performance computing while ensuring data integrity and privacy. Join us to discover how to innovate securely, build your own secure cloud functions infrastructure, and enhance your cloud security posture.
Speakers
avatar for Zvonko Kaiser

Zvonko Kaiser

Principal Systems Software Engineer, NVIDIA
Zvonko is a Principal Systems Engineer at NVIDIA, working on the Cloud Native Technologies team. Focusing right now on all things related to confidential computing, especially in the context of accelerators.
Thursday November 14, 2024 11:00am - 11:35am MST
Salt Palace | Level 1 | 151 G
  Security

11:00am MST

🚩 Capture The Flag Experience
Thursday November 14, 2024 11:00am - 5:05pm MST
The Capture The Flag (CTF) experience runs concurrently to KubeCon + CloudNativeCon North America 2024!

Delve deeper into the dark and mysterious world of cloud native security! Exploit a supply chain attack and start your journey deep inside the target infrastructure, utilize your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way!

Attendees can play three increasingly treacherous and demanding scenarios to bushwhack their way through the dense jungle of cloud native security. Everybody is welcome, from beginner to seasoned veterans, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise! Learn more.
Thursday November 14, 2024 11:00am - 5:05pm MST
Salt Palace | Level 2 | 255 A

11:55am MST

What Agent to Trust with Your K8s: Falco, Tetragon or KubeArmor? - Henrik Rexed, Dynatrace
Thursday November 14, 2024 11:55am - 12:30pm MST
In the CNCF landscape we have plenty of ebpf based security solutions that help us protect our k8s cluster from runtime vulnerabilities. On paper though Falco, Tetragon and KubeArmor look very similar. Eventually you have to make a choice on which one best fits your needs. To give you additional insights to make your decision join this session. We have run extensive benchmarks against those three solutions and will answer the following questions that came out of our testing: - What are the different featuresets? - What about the performance impact of each agent? - Which privileges does each solution need? - What are the pros and cons across the three options?
Speakers
avatar for Henrik Rexed

Henrik Rexed

Cloud Native Advocate, Dynatrace
Henrik is a Cloud Native Advocate at Dynatrace, the leading Observability platform. Prior to Dynatrace, Henrik has worked more than 15 years, as Performance Engineer. Henrik Rexed Is Also one of the Organizer of the conferences named WOPR, KCD Austria and the owner of the Youtube... Read More →
Thursday November 14, 2024 11:55am - 12:30pm MST
Salt Palace | Level 1 | 151 G
  Security

2:30pm MST

From Standards to Practice: The Journey to Container Maturity - Carmen Chow & Thomas Robinson, Yelp
Thursday November 14, 2024 2:30pm - 3:05pm MST
Yelp runs tens of thousands of Docker containers in Kubernetes. How do we track their vulnerabilities, baseline their security needs, and prioritize our most critical findings? Security standards change constantly, so we need a robust model of container maturity to guide our adoption of these standards in a way that addresses Yelp’s specific needs and risk tolerance. Finally, to maximize our model’s value, over 1,000 engineers must understand its practical guidance well enough to apply it to their daily work. This talk covers designing and incorporating a container maturity model into Yelp’s development lifecycle, along with our strategy for proactively improving our security posture. We believe our experiences will assist others in creating similar models that work for their organizations, help evaluate and assess risks to their own containers, and drive next steps towards future risk evaluation platforms.
Speakers
avatar for Carmen Chow

Carmen Chow

Software Engineer, Yelp
Carmen Chow is a Software Engineer on Yelp’s Infrastructure Security team, where she has worked on cost modeling, data lifecycle tools, and Kubernetes observability. Previously, she was an infrastructure developer responsible for containerizing services and migrating them to Kubernetes... Read More →
avatar for Thomas Robinson

Thomas Robinson

Software Engineer, Yelp
Tom is a software engineer living near Seattle, Washington. Having previously worked in security research and antivirus software, he's spent the last decade helping keep Yelp secure.
Thursday November 14, 2024 2:30pm - 3:05pm MST
Salt Palace | Level 1 | 151 G
  Security

3:25pm MST

It's Dangerous to Build It Alone, Take This. - Jeremy Rickard & Ashna Mehrotra, Microsoft
Thursday November 14, 2024 3:25pm - 4:00pm MST
You've got high and critical CVEs in open source software packages that are critical to your platform or business. Time is almost up to patch them, and the upstream project hasn't fixed things. If you don't patch, your accreditation might be at risk. You're going to have to do it yourself! But where do you start? Fork the projects? Can you just patch in place? In this session, you'll learn about tools and strategies that can help you respond to CVEs in your container images faster, starting with patching existing images in place with Copacetic and moving on to patching and building projects from scratch. We'll look at challenges to building and testing upstream projects using existing tools and learn from emerging practices in industry. We'll also talk about how to inform your teams to stop using bad images! After this session, you'll have best practices and tools at your disposal, understand some of the pitfalls of owning your entire open source software supply chain.
Speakers
avatar for Ashna Mehrotra

Ashna Mehrotra

Software Engineer, Microsoft
Ashna Mehrotra is a software engineer on the Upstream Security team, working on cloud-native open source security projects at Microsoft.
avatar for Jeremy Rickard

Jeremy Rickard

Principal Software Engineer, Microsoft
Jeremy Rickard is a principal software engineer at Microsoft where he works on the Azure Container Upstream team. He is currently a co-chair for SIG Release and serves on both the CNCF and the Kubernetes Code of Conduct Committees. He was also the Kubernetes 1.20 Release Lead.
Thursday November 14, 2024 3:25pm - 4:00pm MST
Salt Palace | Level 1 | 151 G
  Security
  • Content Experience Level Any

4:30pm MST

Mish-Mesh: Abusing the Service Mesh to Compromise Kubernetes Environments - Hillai Ben-Sasson & Nir Ohfeld, Wiz
Thursday November 14, 2024 4:30pm - 5:05pm MST
Service mesh solutions are common components in almost every large Kubernetes environment. Many engineers and security teams have adopted solutions like Linkerd and Istio to better segment and isolate their Kubernetes networks. In this talk, we will demonstrate how we were able to exploit common misconfigurations and insecure features in popular service mesh solutions, to escalate low-severity vulnerabilities to critical service takeovers. Our real-life examples include several major cloud service providers, where these vulnerabilities allowed us to gain unauthorized access to internal systems and sensitive secrets. This talk will help engineers understand whether their service mesh deployment acts as a proper security barrier, and how to make sure that it does. Security teams – both attackers and defenders – will learn new techniques for hacking Kubernetes environments, and how to properly defend against them.
Speakers
avatar for Nir Ohfeld

Nir Ohfeld

Security Researcher, Wiz
Nir Ohfeld is a 25-years-old senior security researcher at Wiz. Ohfeld focuses on cloud-related security research and specializes in research and exploitation of cloud service providers, web applications, application security, and in finding vulnerabilities in complex high-level systems... Read More →
Thursday November 14, 2024 4:30pm - 5:05pm MST
Salt Palace | Level 1 | 151 G
  Security

5:25pm MST

Multi-Tier Security in WasmCloud: From Developer Constraints to Platform Extensibility - Brooks Townsend, Cosmonic
Thursday November 14, 2024 5:25pm - 6:00pm MST
In 2024, 96% of codebases contain open source, and 74% of these have high-risk vulnerabilities — a 54% increase from 2023. As open source adoption grows and the cloud native landscape evolves, robust security practices are critical. This session explores wasmCloud, a CNCF platform for distributed WebAssembly applications, focusing on achieving a secure-by-default environment. wasmCloud's multi-tier security model addresses the needs of both developers and platform engineers. Developers work in a deny-by-default mode, requiring explicit declaration of all application capabilities. Platform engineers grant these capabilities in a fine-grained manner and extend security through pluggable services. Grounded in real-world experience and practical demos, you’ll leave this talk with the knowledge to configure and extend security using pluggable services, enabling you to leverage WebAssembly to secure your cloud native applications.
Speakers
avatar for Brooks Townsend

Brooks Townsend

Senior Software Engineer II, Cosmonic
Brooks is a Lead Software Engineer at Cosmonic, focusing on harnessing WebAssembly to alleviate the pains of modern software development. Brooks started his software development career with Critical Stack, a Kubernetes container orchestration platform that is now open source. He joined... Read More →
Thursday November 14, 2024 5:25pm - 6:00pm MST
Salt Palace | Level 1 | 151 G
  Security
 
Friday, November 15
 

11:00am MST

Powering Automatic Authorization in Envoy Through Live Traffic Inspection - Dom Del Nano, Pixie core maintainer
Friday November 15, 2024 11:00am - 11:35am MST
The dynamic nature of today’s environments coupled with the importance of data privacy has made AuthN/Z crucial for safeguarding sensitive data. However, many large scale environments existed before these best practices and tooling were commonplace. Retrofitting systems requires a deep understanding of service to service access patterns and requires significant effort to achieve least privilege access. While service dependencies are often difficult to track, the rise of zero instrumentation Observability tools has eased access to this data, providing a potential baseline for AuthZ rules. Projects such as CNCF Pixie and Hubble expose language agnostic protocol traces providing full visibility of their environments. Pixie even supplies access to the span payloads making L7 analysis possible. In this talk, we present a case study of using Pixie to generate OPA policies for Envoy AuthZ using real traffic. This approach provides a starting point for scoping permissions on a L7 basis.
Speakers
avatar for Dom Delnano

Dom Delnano

Dom Delnano, Pixie core maintainer
Dom is CEO of Cosmic and a core maintainer of the Pixie open source project. He previously worked at Crowdstrike, focusing on the eBPF Linux sensor, and at New Relic, working on Pixie full-time. Dom first began building observability tooling at Twitter, where he scaled the internally... Read More →
Friday November 15, 2024 11:00am - 11:35am MST
Salt Palace | Level 1 | 151 G
  Security

11:55am MST

Rogue No More: Securing Kubernetes with Node-Specific Restrictions - Anish Ramasekar, Microsoft & James Munnelly, Apple
Friday November 15, 2024 11:55am - 12:30pm MST
Did you know that a component running across multiple nodes, such as in a daemonset, intended to perform node-specific actions, can pose a significant security risk? If any node the component is running on goes rogue, it can lead to attacks on the cluster, or even worse, a complete takeover of it. What if we could restrict the component's ability to write resources only to those belonging to the node it is running on to prevent such escalation attacks? In this talk, Anish and James will introduce new Kubernetes security enhancements to bound service account tokens, which can be used with validating admission policies to enforce per-node restrictions on service accounts. This session will provide you with practical implementation guidelines and show you how these enhancements can mitigate risks and protect your infrastructure with robust node isolation.
Speakers
avatar for James Munnelly

James Munnelly

Staff Field Engineer, Apple
James Munnelly is a Field Engineer at Apple, helping customers adopt and adapt Kubernetes, and driving adoption of OSS cloud native technologies. James is also the founder of the cert-manager project, a Kubernetes extension for managing x509 certificates. He's an active member of... Read More →
avatar for Anish Ramasekar

Anish Ramasekar

Principal Software Engineer, Microsoft
Anish Ramasekar is a software engineer at Microsoft. He is on the Azure Container Upstream team building features for Kubernetes upstream and various CNCF projects that are part of the Azure Kubernetes Service. Anish is a maintainer of the Secrets Store CSI Driver project.
Friday November 15, 2024 11:55am - 12:30pm MST
Salt Palace | Level 1 | 151 G
  Security

2:00pm MST

Seccomp and eBPF; What’s the Difference? Why Do I Need to Know? - Natalia Reka Ivanko & Duffie Cooley, Isovalent @ Cisco
Friday November 15, 2024 2:00pm - 2:35pm MST
Containers in Kubernetes share a common Linux kernel so how can we limit access where it isn’t required so we can follow the principle of least privilege? Join Natalia and Duffie as they each explore different approaches to harden your container security with Secure Computing (seccomp) and eBPF! The talk will begin with an overview and comparison between seccomp and eBPF and how they both can solve the same problem - limiting access to the Linux Kernel that all containers share. This will be a fun talk, showing each solution with a live demo. You will leave this talk with a better understanding of how to limit what system calls a process can make and restrict your containers’ behavior to only access the files, binaries and external DNS names they need and nothing more. Which is the right solution for your environment? Come and learn about two of the commonly used technologies in use today!
Speakers
avatar for Natalia Reka Ivanko

Natalia Reka Ivanko

Sr. Product Manager, Isovalent, now part of Cisco
Natalia Ivanko is a Sr. Product Manager at Isovalent, and now part of Cisco, leading an eBPF-based Runtime Security Product, Tetragon. She has been  previously a Security Engineer with a strong background in Linux, Container and Cloud Security. Passionate about building things that... Read More →
avatar for Duffie Cooley

Duffie Cooley

Field CTO, Isovalent @ Cisco
Duffie is Field CTO at Isovalent focused on helping enterprises find success with Cilium and modern security tooling. Duffie has been working with all things systems and networking for 20 years and remembers most of it. A student of perspective, Duffie is always interested in working... Read More →
Friday November 15, 2024 2:00pm - 2:35pm MST
Salt Palace | Level 1 | 151 G
  Security

2:00pm MST

The Policy Engines Showdown - Gabriel L. Manor, Permit.io; Andres Aguiar, Okta; Omri Gazitt, Aserto; Pauline Jamin, Agicap; Tyler Schade, Geico; Joy Scharmen, StrongDM
Friday November 15, 2024 2:00pm - 2:35pm MST
OPA, Cedar, OpenFGA, Topaz, OPAL, OSO, should I continue? Policy engines, languages, and standards are everywhere, making the decision for a good decision engine increasingly difficult. In this panel, I'll host four talented engineers, each from a different policy engine's core team, for a friendly showdown. We will assist the audience in making the most important decision - choosing a suitable and fitting decision engine for their specific use case. We will also delve into the nuances of running multiple engines together and learn how to scale them properly.
Speakers
avatar for Pauline Jamin

Pauline Jamin

Staff Software Engineer, Agicap
Staff software engineer with a love for Domain-Driven Design (DDD) and back-end development. Skilled in leading teams and embracing the Site Reliability Engineering (SRE) philosophy. When not crafting code, you'll find me exploring the great outdoors with my loyal dog. Catch me sharing... Read More →
avatar for Tyler Schade

Tyler Schade

Distinguished Engineer, GEICO
Living in Miami, Florida, I'm an engineering lead at GEICO working on service mesh and traffic management. Prior to joining GEICO, I was at Solo.io, working on multi-cluster service mesh and API gateways. I love learning more about networking and distributed systems and sharing what... Read More →
avatar for Joy Scharmen

Joy Scharmen

Senior Director, Infrastructure Engineering, StrongDM
Passionate about infrastructure, and I love learning. Tell me about the great ideas you have for building scalable sustainable humane systems!
avatar for Gabriel Manor

Gabriel Manor

Director of DevRel, Permit.io
Gabriel is a senior full-stack developer who blends his passion for technical leadership, security, authorization, and devtools into his current role as the Head of Growth and DevRel at Permit.io. Before joining Permit.io, Gabriel worked as a technical leader and principal engineer... Read More →
avatar for Omri Gazitt

Omri Gazitt

Co-founder & CEO, Aserto
Omri is the co-founder/CEO of Aserto, an authorization startup, and his third entrepreneurial venture. He's spent the majority of his 30-year career working on developer and infrastructure technology, most recently as the CPO of Puppet. Previously he was the VP and GM of HP's Cloud... Read More →
avatar for Andres Aguiar

Andres Aguiar

Product Manager, Okta
Andres has spent his 20+ year career building tools for developers, wearing different hats. He’s been working on the identity space for the last 6 years, and is currently the Product Manager for OpenFGA.
talk pdf
Friday November 15, 2024 2:00pm - 2:35pm MST
Salt Palace | Level 2 | 254 B
  Security

2:55pm MST

Practical Supply Chain Security: Implementing SLSA Compliance from Build to Runtime - Enguerrand Allamel, Ledger
Friday November 15, 2024 2:55pm - 3:30pm MST
Securing the software supply chain can feel overwhelming, especially with dynamic frameworks like SLSA (Supply-chain Levels for Software Artifacts). This beginner-friendly session on software supply chain security explores practical strategies to secure your software from build to runtime.

We will utilize GitHub Actions, implement Cosign for seamless artifact signing without managing keys, and apply Kyverno for enforcing runtime policies. Additionally, you will learn how to use in-toto and Kubescape to verify and maintain artifact integrity effectively. To further bolster security, we will briefly explore integrating Hardware Security Modules (HSMs) into your workflow, providing a robust layer for key management.

By the end of this talk, you will have actionable insights and a clear understanding of how to achieve SLSA compliance within the CNCF ecosystem.
Speakers
avatar for Enguerrand Allamel

Enguerrand Allamel

Staff Cloud Security Engineer, Ledger
Enguerrand is a Staff Cloud Security Engineer at Ledger with a background in Site Reliability Engineering.His focus areas include Software Supply Chain Security and Cloud Security.
Friday November 15, 2024 2:55pm - 3:30pm MST
Salt Palace | Level 1 | 151 G
  Security

4:00pm MST

SPIFFE Deployments in Non-Kubernetes Environments - Nadin El-Yabroudi & Eli Nesterov, SPIRL
Friday November 15, 2024 4:00pm - 4:35pm MST
The SPIFFE ideology is that workloads running in all types of environments can be issued an identity. However, in practice most deployments have focused on workloads in Kubernetes and there are few examples of SPIFFE being used in non-cloud native environments. In this talk we’ll explore SPIFFE deployments on a Linux environment. What does attestation for these types of workloads look like? How can you provide an identity to a bash script that cannot open a socket connection to the Workload API? We’ll focus on describing some of the existing challenges to non-Kubernetes SPIFFE deployments and provide some ideas for how to solve them.
Speakers
avatar for Nadin El-Yabroudi

Nadin El-Yabroudi

Software Engineer, SPIRL
Nadin is a founding engineer at SPIRL where she’s currently focused on building a new implementation of the SPIFFE specification. Before working on machine identity Nadin worked as a Security and Systems Engineer at Cloudflare where she worked on securing Cloudflare’s 200+ datacenters... Read More →
avatar for Eli Nesterov

Eli Nesterov

CTO, SPIRL
Eli Nesterov is a co-founder at SPIRL. He spent years in security research and engineering, building and scaling security products at TikTok, Facebook, ShapeSecurity, and F5 Networks. He built the world's largest SPIFFE/SPIRE deployment with over 1M nodes. Eli shares his knowledge... Read More →
Friday November 15, 2024 4:00pm - 4:35pm MST
Salt Palace | Level 1 | 151 G
  Security

4:00pm MST

SPIFFE the Easy Way: Universal X509 and JWT Identities Using cert-manager - Tim Ramlot & Ashley Davis, Venafi
Friday November 15, 2024 4:00pm - 4:35pm MST
SPIFFE is incredible. Each workload is assigned its own universal identity, simplifying the security and management of communications in distributed systems. While SPIRE (the reference SPIFFE implementation) is exceptionally powerful, it is also quite complex. Deploying SPIRE on Kubernetes requires StatefulSets, which can be challenging and frustrating. Many cloud vendors are starting to offer turnkey SPIFFE solutions, but that comes with risk of vendor lock-in. In this talk, we will demonstrate how to use the Cloud Native cert-manager solution to implement SPIFFE (x509 and JWT) with low operational overhead for all Kubernetes workloads. The session includes all you need to know to issue X.509 SVIDs, use them and validate them. Additionally, we will introduce an experimental solution to convert x509 SVIDs into JWT SVIDs. The demo will highlight how to authenticate to third-party APIs (such as AWS, GCP, Azure, and others) using these JWT SVIDs.
Speakers
avatar for Ashley Davis

Ashley Davis

Staff Software Engineer, Venafi
As a teenager, Ash taught himself to program after wondering how exactly video games were made. That led to adventures trawling through open source codebases, sparking an interest in computers spanning from bare-metal machine code right up to scalable distributed platforms like Kubernetes... Read More →
avatar for Tim Ramlot

Tim Ramlot

Senior Software Engineer - cert-manager maintainer, Venafi
Tim started working at Venafi as a software engineer after his graduation as computer science engineer at Ghent University. He learned about cert-manager and Venafi through a Google Summer of Code internship. His mission at Venafi is to advance his problem solving skills, whilst contributing... Read More →
Friday November 15, 2024 4:00pm - 4:35pm MST
Salt Palace | Level 1 | Grand Ballroom B
  Security

4:00pm MST

Why Perfect Compliance Is the Enemy of Good Kubernetes Security - Michele Chubirka, Google
Friday November 15, 2024 4:00pm - 4:35pm MST
Technology organizations often struggle over who should manage the security of their Kubernetes environment. This task usually falls to platform or cloud engineering teams, but they often feel abandoned by their security counterparts, uncertain of which requirements will deliver real security value. While published benchmarks and security guides for Kubernetes are helpful, not all recommendations work for every use-case. They may require Kubernetes alpha or beta features which could cause issues with platform stability. Our desire to prioritize “perfect” security over having a functional platform that addresses relevant risks can leave us with nothing, frustrating everyone. Kubernetes is meant to increase application delivery velocity, but when overly strict compliance prevents a team from moving forward, they will subvert security requirements. Let’s stop obsessing over the red in our security and compliance dashboards and focus on what adds real value by reducing risk.
Speakers
avatar for Michele Chubirka

Michele Chubirka

Cloud Security Advocate, Google
Michele Chubirka is a recovering Unix and network engineer currently working as a cloud security advocate for Google. She has been an architect, podcaster and freelance writer for various B2B publications such as Network Computing, Dark Reading and TechTarget. She likes long walks... Read More →
Friday November 15, 2024 4:00pm - 4:35pm MST
Salt Palace | Level 2 | 254 B
  Security
 

Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.
  • 🚨 Contribfest
  • 🪧 Poster Sessions
  • AI + ML
  • Breaks
  • ⚡ Lightning Talks
  • Cloud Native Experience
  • Cloud Native Novice
  • CNCF-hosted Co-located Events
  • Connectivity
  • Data Processing + Storage
  • Diversity + Equity + Inclusion
  • Emerging + Advanced
  • Experiences
  • Keynote Sessions
  • Maintainer Track
  • Observability
  • Operations + Performance
  • Platform Engineering
  • Project Opportunities
  • Registration
  • SDLC
  • Security
  • Solutions Showcase
  • Sponsor-hosted Co-located Event
  • Tutorials