KubeCon + CloudNativeCon North America 2022: Our top 10 sessions to attend

KubeCon 2022 will be full of great presentations and content. Here's our take on the conference sessions (apart from our own) that you shouldn't miss, whether you're onsite or attending virtually.

7 minutes read

KubeCon + CloudNativeCon is one of the must-attend events for cloud-native technologies. You will be able to learn, exchange, and network with peers about Kubernetes but also about containers and new development frameworks. For those who can't attend in person, it is possible to attend the live sessions from the virtual event. This event offers 200+ sessions including technical sessions, deep-dives, case studies, and more. To make sure you get the most out of your time, we've selected sessions delivered by security experts, whether they are customers, software vendors, or maintainers. 

Below is a list of our top 10 sessions.  

Using the EBPF Superpowers To Generate Kubernetes Security Policies 

Format: 35-Minutes Briefings 

Tracks: Security + Identity + Policy 

Kubernetes has several security mechanisms that can be used to secure your applications: - limit network connectivity with network policies - block some system calls with seccomp profiles - restrict access to some Linux capabilities in security contexts Defining those policies is difficult. It usually happens that the team defining them is not the one that created the application, hence they might not have a good enough view of the architecture to know how to write them. We will present and demo different ways to automatically generate the 3 different kind of policies mentioned above by monitoring the application's events with the following eBPF-based tools: - Inspektor Gadget - Kubernetes Security Profiles Operator - oci-seccomp-bpf-hook We'll discuss the limitations of this approach and the future ahead of these tools. Finally, we will explain how applications can be audited to see if the security policies are respected. 

More info about the session > 

 

Kubernetes to Cloud Attack Vectors: Demos Inside 

Format: 35-Minutes Briefings 

Tracks: Security + Identity + Policy 

Cloud service providers are constantly enhancing and releasing new capabilities to provide the best managed Kubernetes experience, intertwining cloud-specific capabilities within, to ease integrations and reduce friction. This talk is about the fine line between your managed Kubernetes cluster and its underlying Cloud environment, and how intertwining cloud-specific capabilities within the managed Kubernetes services introduces potential attack vectors and lateral movement paths – from Kubernetes outwards, or from the cloud inwards. This talk is demo-driven, we'll demonstrates several scenarios where an attacker can gain a foothold in a Kubernetes cluster and move laterally in order to compromise other cloud resources outside the cluster, or alternatively, gaining access to a cloud resource with the intent of compromising resources within a cluster. This talk also covers some of the best practices for configurations and standards to adopt in EKS, AKS and GKE to secure them from cluster-to-cloud or cloud-to-cluster attacks. 

More info about the session > 

 

Migrating From PodSecurityPolicy 

Format: 35-Minutes Briefings 

Tracks: Security + Identity + Policy 

Pod Security Policy (PSP) has been completely removed in Kubernetes v1.25, making it essential for users to migrate their clusters before upgrading to v1.25. The good news is that the Pod Security admission controller, designed as a simpler successor to PSP, just graduated to stable. The bad news is that the migration is not always straightforward. In this talk, you will see the quick-and-dirty migration path, and then dive deep into the nuances and challenges of migrating off PSP. We will also explore a couple of alternatives to the Pod Security admission controller, and when and why you might choose those alternatives instead. The goal of this talk is to empower you to confidently and safely begin upgrading your clusters, and bid farewell to PSP. 

More info about the session > 

 

How the Argo Project Transitioned From Security Aware To Security First 

Format: 35-Minutes Briefings 

Tracks: Security + Identity + Policy 

When the Argo project applied for graduation, we believed we had a good handle on security. After all, we hadn't had any CVEs in a while, and we had 100s of companies using it in production. So everything must be great, right? This is the story of an incubating CNCF project learning: what we didn't know and how we dove headfirst into a mission to put security first. Attendees will learn about the project processes we put in place for reported vulnerabilities, how to work with external security companies, and the help we received from the CNCF. We’ll also dig into the engineering best practices we implemented as well as take a look at some concrete implementations around SBOMs and Fuzzing. The information in this talk will be especially beneficial to anyone from incubating or sandbox projects that are setting out to improve their security posture, but the learnings, stories and recommendations presented will be equally applicable to any software project or product. 

More info about the session > 

 

Cilium Updates, News And Roadmap 

Format: 35-Minutes Briefings 

Tracks: Maintainer Track 

Welcome to Cilium! In this session you'll get an update on how the Cilium project has been progressing on the road towards graduation. You'll hear about the latest developments and future roadmap, including news about some of the largest and most interesting deployments of Cilium. And don't miss this session if you're interested in contributing to the project, as there will be guides on how to get involved and where your help is needed. 

More info about the session > 

 

Lightning Talk: A Puzzling Solution. How To Be Better At Accepting Others Experiences. 

Format: 5-Minutes lightning Talk 

Tracks: Maintainer Track 

As we gain experience and expertise in an area of study we often find ourselves struggling to meet our colleagues where they are. In this session I am going to share an experience I've had that I think can help you bring a little objectivity to the problem. We can all do better at listening and raising others up. I've spent years at this and I still make mistakes all the time. If you are interested in seeing someone solve a rubiks cube live on stage come on over and join me for this lightning talk! 

More info about the session > 

 

The New Stack Pancake Breakfast - "Devs and ops people – it’s time for some Kubernetes couples therapy" 

Format: 60-Minutes Panel 

Tracks: Experiences 

Join us for a dive deep into how Kubernetes shapes the dynamic between dev and ops teams with people who’ve been there. Questions we will explore: 

·       Have you resolved the eternal tension between experimentation and control? 

·       Are you true partners with the same goals and priorities? 

·       Do you agree on the need for security and trust, or fight over complexity and cost? 

·       Do you really talk, or just swap trouble tickets? 

Way back in May at KubeCon EU we hosted a packed panel about the ops experiences with Kubernetes ‘after the honeymoon'. But what about the developer experience? It’s not just about ops teams. Devs need some love, too. 

They say a problem shared is a problem halved. Let’s avoid a food fight and talk it through at the breakfast table over a short stack with The New Stack, sponsored by Spectro Cloud. 

More info about the session > 

 

Zero Trust Supply Chains with Project Sigstore and SPIFFE 

Format: 35-Minutes Briefs 

Tracks: Maintainers 

In order to ensure the trustworthiness of your software supply chain, maintainers must restate a number of assumptions. As opposed to inherently trusting build systems to serve accurate package metadata, we propose verification of every claim in the chain against the actors and tasks involved in the process. The combination of cryptographically verifiable identities with the use of transparency logs provides a novel approach to accomplish so and increase the security guarantees of your release artifacts. 
 
Project Sigstore provides a toolkit to allow organizations to publish verifiable provenance about publicly distributed artifacts. This metadata is in turn stored on the Sigstore Binary Transparency Log (Rekor), signed and verified by use of Keyless Signatures (Cosign) and the Sigstore Certificate Authority (Fulcio), and stored in an OCI registry where it can be verified, discovered, and used in policy engines. Backed by SPIFFE’s reference implementation SPIRE, all cryptographic operations are rooted in a strongly attested universal identity control plane for distributed systems. 
 
This presentation will demonstrate how a zero trust supply chain architecture can be applied to build systems, through the use of Sigstore and SPIRE for a Federated, Verifiable, Zero-Trust Supply Chain. Additionally, TektonCD will be used as the example build system and in-toto as the example provenance format. 

More info about the session > 

 

From Security Testing To Deployment In a Single PR - Sarah Khalife, GitHub & Grant Griffiths, Pure Storage 

Format: 35-Minutes Briefs 

Tracks: CI/CD 

Automating cloud native app development and incorporating security through a transparent and consistent process is key in building any production level applications. On a daily basis, think about how often you build your application and scan for vulnerabilities in the code. This is mostly an afterthought and not always considered as the easy part of developing any applications. However, the recent vulnerability exploits reinforced the need for a secure development lifecycle. Simplifying and automating the process all in a single pull request makes it much easier for any cloud app developer to add security! This talk will cover how to leverage available open source tooling to build and test a cloud native application, run security scans across it, and package it for shipping. For automation, we will have a step-by-step demonstration on how to set it up all within a PR to provide consistency and push the containerized application to a Kubernetes environment. 

More info about the session > 

 

Thriving With Kubernetes On-Call: Best Practices & Lessons Learned - Sunil Shah & Ramya Krishnan, Airbnb; Ashley Cutalo, Lyft; Madhu C.S., Robinhood; Fabio Kung, Netflix 

Format: 35-Minutes Briefs 

Tracks: Reliability + Operational Continuity 

Kubernetes clusters are critical infrastructure at large, public companies, with large amounts of traffic, complex dependencies on 3rd party services, and constant change as developers release features and traffic scales up and down. In this panel discussion, engineers from Airbnb, Lyft, Netflix and Robinhood share their challenges, experiences and learnings when it comes to managing a sustainable on-call rotation that meets the needs of their internal users whilst maintaining a high uptime to serve business critical workloads. Topics covered will include: +Keeping on-call engineers happy + Balancing rapid response with alert fatigue + Strategies to proactively deal with production issues + Preparing engineers for on-call 

More info about the session > 

Continue reading

Meet Wiz at KubeCon North America

Wiz will be attending and sponsoring KubeCon for the first time and we have a lot to share regarding how enterprises can better secure their container and Kubernetes environments. Come say hi!

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management