# Akri KubeCon 2023 - CFP

##### If your talk is selected, the abstract title you choose will be the title shown in the conference schedule, often what attendees use as a starting point to determine if they will be interested in the talk. Choose your title carefully - make sure that it accurately describes what your talk will cover. Be sure your title complies with The Linux Foundation's Inclusive Language Initiative.

##### Please use title case when inputting your title here.

##### (75 Character Max)

### *Can You Keep a Secret? Securely Interacting with Edge Devices In Kubernetes*

## Abstract:

##### Provide an abstract that briefly summarizes your proposal. Provide as much information as possible about what the content will include and what the presentation will cover. Do not be vague. Be sure your abstract complies with The Linux Foundation's Inclusive Language Initiative.

##### This is the description that will be posted on the website schedule if your talk is selected, so be sure to spell check, use complete sentences (and not just bullet points), and write in the third person (use your name instead of “I”).

##### Remember that this description is what will make an attendee decide whether your session would be a good fit for them. Be sure to provide enough information to help attendees make the right choice. Be clear and concise. This description is also one of two primary factors the Program Committee will use to measure the strength and relevance of the presentation, so making your abstract strong is essential.

##### The presentation selection process is very competitive, with many proposals rejected. A well-written, thoughtful, and enticing abstract will greatly increase the possibility of the proposal being accepted.

##### (1300 Character Max)

<!--
Kubernetes on the edge is becoming increasingly popular for orchestrating workloads closer to where the data is located. When integrating with edge devices, security is a major challenge.

The edge usually consists of leaf devices that are too small, too old, or too locked down to run Kubernetes on their own (e.g. IP cameras, thermometers, humidity sensors). On top of that, each of these sensors can have different authentication mechanisms and unique requirements for handling credentials. They may also have intermittent downtime, so how can leaf devices be dynamically bridged to a cluster? And most importantly, how do we determine whether the devices are real or malicious as we scale?

In this talk, Adithya and Yu Jin will go over how they enhanced Akri (a CNCF sandbox project for exposing leaf devices as resources in a cluster) to add support for native Kubernetes secrets and secrets stores to We aim to show how even newcomers to Kubernetes can quickly connect their edge devices in a more secure manner and restrict access on resources based on customizable criteria.
-->

Kubernetes on the edge is becoming increasingly popular for orchestrating workloads closer to where the data is located. However, the edge usually consists of leaf devices that are too small, too old, or too locked down to run Kubernetes on their own (e.g. IP cameras, thermometers, humidity sensors), and they may operate with intermittent availability and downtime. On top of that, security becomes a major challenge at the edge. Each of these sensors can have different authentication mechanisms and unique requirements for handling credentials. So how can these leaf devices be dynamically bridged to a cluster? And most importantly, how does one determine whether newly discovered devices are real or malicious, especially at scale?

In this talk, Adithya and Yu Jin will go over how they enhanced Akri (a CNCF sandbox project for exposing leaf devices as resources in a cluster) to integrate with Kubernetes secrets and secrets stores, allowing devices to uniquely identify themselves in a Kubernetes cluster. They will show how even newcomers to Kubernetes can quickly connect their edge devices in a secure manner and restrict access on resources based on customizable criteria.

<!-- Reference from before:
This talk describes using device identities and secrets management with Akri (a CNCF project) to expose your leaf devices as resources on your cluster, share secrets, and manage those devices. We will talk about the various key management methods in Kubernetes and discuss the roadmap to a more secure device attestation framework.

Akri exists as a Kubernetes resource interface to discover and attach edge devices (e.g. an IP camera, thermometers, humidity sensors) to a cluster. As you scale up your clusters and add more devices, we have no way to determine if a device is real or simulated/malicious.
-->

## Benefits to the Ecosystem:

##### This is your chance to elaborate, emphasize why your presentation has to be shown and why attendees should care. Tell us how the content of your presentation will help better the ecosystem or anything you wish to share with the co-chairs and program committee. We realize that this can be a difficult question to answer, but as with the abstract, the relevance of your presentation is just as important as the content and is that second determining factor in acceptance.

##### (1000 Character Max)

Security should not be an afterthought; it is a necessity. With the recent boom in demand for IoT and edge devices, the unique challenges that come with secure device management are becoming more apparent. Handling credentials at scale becomes a major headache, as each device has independent requirements for authentication and storing secrets. For example, some protocols (e.g. OPC UA) can utilize certificates, but others (e.g. ONVIF) require connection strings. To solve this, we believe flexibility is key.

This talk will showcase an open and extensible framework for handling device authentication at the edge, so that users can avoid vendor lock-in to specific secret stores and maintain security while scaling. We want to empower Kubernetes users of all levels to easily get started with connecting devices to a cluster and introduce them to the basic foundations of device identity and attestation.

## References:

- Akri Credential Proposal: https://github.com/project-akri/akri-docs/blob/main/proposals/credentials-passing.md
- Akri Security Model Design: https://github.com/project-akri/akri-docs/blob/main/proposals/security.md
- Akri Project: https://github.com/project-akri/akri
- Akri Documentation: https://docs.akri.sh/

<!--
< talk about how as we scale, we need to make sure security is considered in our design>
< enable multiple external secret store providers / avoid vendor lock in?>
< circle back on the beginners should be able to use k8s on the edge as light as possible? idk>

Recently, there has been increasing demand for IoT devices as factories and buildings evolve to become "smarter". According to market projections, IoT devices are expected to grow from 14 billion connected devices in 2022 to 27 billion in 2025. With the boom in the IoT industry, the unique challenges that come with IoT device management are becoming more apparent. (we aim to enable designing with security in mind.)

Currently, developers are familiar with best practices for security and authentication in their existing workflows. However, these key management systems (KMS) need to be adapted to work with a cluster, and the guarantees of availability that the KMS expects may not exist as a cluster scales. Each KMS has its own set of APIs, and production scenarios may require multiple KMS providers. In addition, as we start to look at adding more resources onto a cluster, these devices may not even support modern forms of authentication and attestation.

Our talk investigates how we can easily connect edge resources to a Kubernetes cluster and showcases some simple ways to securely access and identify these resources. We aim to show how even newcomers to Kubernetes can quickly connect their edge devices in a more secure manner and restrict access on resources based on customizable criteria.
-->

## Speaker Bios

### Adithya

Adithya is a Software Engineer at Microsoft working on running containers at the edge. He is an active maintainer for Akri, a CNCF sandbox project to connect edge devices to clusters, and is a contributor to open-source projects like Mariner. In his spare time, he bikes, plays volleyball, and is an avid baker.

### Yu Jin

Yu Jin Kim is a Product Manager at Microsoft’s Edge and Platforms team, working on IoT and Kubernetes on the edge. She is leading open-source efforts for Akri, a CNCF sandbox project. Outside of work, Yu Jin likes to read by the beach and cook for her friends.

https://www.linkedin.com/in/yu-jin-kim/