---
title: 'KubeCon EU 2023'
---

KubeCon EU 2023
===

[TOC]

## Monday

> [time=Mon, Apr 17, 2023]

* :eyes: Operator Day Hosted by Canonical
  * Run DB on k8s
  * Operators "everywhere"

## Tuesday

> [time=Tue, Apr 18, 2023]

### CiliumCon Hosted by CNCF

* :eyes: [Cilium on Azure: Most Scalable and Performant Implementation in the Cloud - Deepak Bansal, Microsoft](https://colocatedeventseu2023.sched.com/event/1Jo69?iframe=no)
  * Default Azure CNI Overlay
* :eyes: [The Cilium Story - Why We Created Cilium - Thomas Graf, Isovalent](https://colocatedeventseu2023.sched.com/event/1Jo6C/the-cilium-story-why-we-created-cilium-thomas-graf-isovalent?iframe=no)
  * mTLS for Network Policy
  * Cilium Mesh (one mesh to connect them all)
* :eyes: [Some Assembly Required: IKEA Private Cloud, Cloud Native Networking - Karsten Nielsen, IKEA Retail (Ingka Group)](https://colocatedeventseu2023.sched.com/event/1Jo6F/some-assembly-required-ikea-private-cloud-cloud-native-networking-karsten-nielsen-ikea-retail-ingka-group?iframe=no)
  * Cilium in datacenter / K8s in datacenter
* :eyes: [Designing and Securing a Multi-Tenant Runtime Environment at the New York Times - Ahmed Bebars, The New York Times](https://colocatedeventseu2023.sched.com/event/1Jo6I/designing-and-securing-a-multi-tenant-runtime-environment-at-the-new-york-times-ahmed-bebars-the-new-york-times?iframe=no)
  * Multi-Tenant K8s Clusters
  * By default disable all outgoing traffic (devs need to bring their own firewall rules)
  * Install EKS by Terraform + Cilium "hacks"
* :eyes: [Cilium in Practice: Building Data Sandboxes at Bloomberg - Anne Zepecki & Sritej Attaluri, Bloomberg LP](https://colocatedeventseu2023.sched.com/event/1Jo6L/cilium-in-practice-building-data-sandboxes-at-bloomberg-anne-zepecki-sritej-attaluri-bloomberg-lp?iframe=no)
* :eyes: [Tales from an eBPF Program's Murder Mystery - Hemanth Malla & Guillaume Fournier, Datadog](https://colocatedeventseu2023.sched.com/event/1Jo6O/tales-from-an-ebpf-programs-murder-mystery-hemanth-malla-guillaume-fournier-datadog?iframe=no)
  * Really "technical"
* :eyes: [More Churn No Problem: Lessons Learned Running Cilium in Production - Lu Zhang & Madhu C.S., Robinhood Markets](https://colocatedeventseu2023.sched.com/event/1Jo6R/more-churn-no-problem-lessons-learned-running-cilium-in-production-lu-zhang-madhu-cs-robinhood-markets?iframe=no)

### AWS Container Day featuring Kubernetes Hosted by AWS

* :eyes: Afternoon Keynote - Amazon EKS roadmap
* :eyes: Kubernetes threat detection, investigation, and incident response automation
  * [GuardDuty EKS Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html) - runtime protection
* :eyes: Operating OpenTelemetry Collector for Scale and Resiliency in Container environments
  * AWS Distro for OpenTelemetry (ADOT)
  * ADOT Collector
* :eyes: eBPF based node telemetry and visibility on EKS
  * eBPF basic details
  * eBPF Node Agent -> Standard Network Policies in k8s
* :eyes: Future proof your Kubernetes cluster for cost optimization
  * Graviton based instances
  * Spot instances
  * Karpenter (consolidation, pick cheaper nodes)
  * Cross-AZ cost
  * [Kubecost](https://www.kubecost.com/) + demo
  * CloudWatch Logs - by default stored "forever"
* :eyes: Running Kubernetes workloads at scale
  * Managed node groups with K8s Cluster Autoscaler
  * Karpenter (talks to AWS API directly - EC2 Fleet instance API)
  * Karpenter demo
* :eyes: Lightning Talk: Debugging Kubernetes E2E Tests with Delve - Mauricio Poppe, Google
  * [kubetest](https://github.com/kubernetes/test-infra/blob/master/kubetest/README.md)
  * [delve](https://github.com/go-delve/delve) - debugger for the Go programming language
* :eyes: Lightning Talk: Be the Main Character of Your Story: The Cloud Native Way of Technical Writing - Karuna Tata, Aurora's Degree and PG College
  * Technical documentation - [Layer5](https://layer5.io/community/handbook/writing-program)
* :eyes: Lightning Talk: Airflow and Armada - Airflow Meets Multi-Cluster Kubernetes with Armada - Kevin Patrick Hannon, G Research
  * [Armada](https://armadaproject.io/) - multi-cluster batch queuing system for high-throughput workloads on Kubernetes
  * [Apache Airflow](https://airflow.apache.org/docs/apache-airflow/stable/administration-and-deployment/kubernetes.html)
* :eyes: Lightning Talk: GreenCourier: Towards Sustainable Serverless Computing - Mohak Chadha, Technical University of Munich
  * [GreenCourier](https://github.com/thandayuthapani/GreenCourier) - optimising delivery of serverless functions across geo-spatial multi-Kubernetes clusters in the cloud for carbon efficiency
* :eyes: Lightning Talk: The CNCF Board Game Rules Explained - Peter O'Neill, Styra
* :eyes: Lightning Talk: FAQs for CFPs: A Beginners Guide to Conference Speaking - Paula Kennedy, Syntasso
* :eyes: Lightning Talk: Tricks for Enforcing Conventions for Your Kubernetes Cluster Using Only YAML - Joe Betz, Google
  * [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) examples
  * [CEL](https://kubernetes.io/docs/reference/using-api/cel/) - expression language
* :eyes: Lightning Talk: Power-Aware Scheduling in Kubernetes - Yuan Chen, Apple Inc.
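The "Enforcing Conventions ... Using Only YAML" notes above (and the Thursday "The Path to Self Contained CRDs" notes further down, with their Deny / Warn / Audit actions) are about replacing admission webhooks with in-process CEL policy. As an added example, not taken from either talk or from the Kubernetes docs, here is a ValidatingAdmissionPolicy plus binding that enforces two conventions on Deployments in production namespaces: an `owner` label must be present, and at least two replicas must be requested. The policy name, the `env=prod` namespace label, the `owner` label and the replica threshold are assumptions; the API version matches the K8s 1.27 alpha the notes refer to.

```yaml
# Added example, not from the talks. Requires the ValidatingAdmissionPolicy
# feature gate and admissionregistration.k8s.io/v1alpha1 enabled in
# --runtime-config on K8s 1.27 (v1beta1 on 1.28+, v1 on 1.30+).
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
  name: prod-deployment-conventions   # assumption
spec:
  # Fail closed: if the policy itself cannot be evaluated, reject the request.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
  validations:
    # Convention 1: every Deployment carries an "owner" label.
    # has() guards against a missing labels map; "in" checks map keys.
    - expression: "has(object.metadata.labels) && 'owner' in object.metadata.labels"
      message: "Deployments must carry an 'owner' label."
      reason: Invalid
    # Convention 2: production workloads request at least two replicas.
    # replicas is defaulted to 1 before admission, but has() keeps the
    # expression safe if a client sends an unusual object.
    - expression: "has(object.spec.replicas) && object.spec.replicas >= 2"
      messageExpression: "'Deployment ' + object.metadata.name + ' requests ' + string(object.spec.replicas) + ' replica(s); production requires at least 2.'"
      reason: Invalid
---
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: prod-deployment-conventions-binding   # assumption
spec:
  policyName: prod-deployment-conventions
  # Rollout pattern: ship with [Warn, Audit] first so violations show up as
  # kubectl warnings and audit annotations without blocking anyone, then
  # switch to [Deny, Audit] once the existing fleet is clean.
  validationActions: [Deny, Audit]
  matchResources:
    # Only namespaces labelled env=prod are bound to the policy (assumption).
    namespaceSelector:
      matchLabels:
        env: prod
```

To check it without touching real workloads, apply both objects and then run `kubectl apply --dry-run=server -f deploy.yaml -n <prod-namespace>` with a Deployment that lacks the `owner` label; the API server rejects it with the policy's message, and no webhook, TLS certificate or extra Deployment is involved. With `Audit` in the actions, each failure is also recorded on the audit event under the `validation.policy.admission.k8s.io/validation_failure` annotation, which is the signal to watch while the binding is still in `Warn` mode.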
* :eyes: Lightning Talk: Talking to Kubernetes with Rust - James Laverack, Jetstack

## Wednesday

> [time=Wed, Apr 19, 2023]

* :eyes: Keynotes
  * KubeCon EU 2024 - Paris 2024-03-17 - 2024-03-23
  * CNCF Projects ![CNCF Projects](https://i.imgur.com/S0O5m8o.png)
    * Envoy Gateway
      * Helm support
    * Flux
      * GA in June
      * GitOps - Terraform + CloudFormation
    * FluentBit
    * Harbor
      * Notary deprecation
      * Chart museum removal
    * Linkerd
    * Open Policy Agent
    * Kubernetes CEL
    * Prometheus
      * New Alertmanager UI
    * TUF
    * Vitess

> [time=Wed, Apr 19, 2023 11:00]

* [Kubernetes from Scratch for Neuroscientific Research - Carolina Lindqvist & Daniel Fernández, EPFL](https://youtu.be/QJUeZy-yslA)
* Building High-Throughput Applications with Bulk Messaging in Dapr - Shubham Sharma, Microsoft
* [1] :eyes: Gateway API Project Update - Nick Young, Isovalent & Rob Scott, Google
  * Policy Attachment
  * Path Redirect / Rewrites
  * Response Header Modifier
  * Gateway API has ~5x as many features as Ingress API
  * Gateway API for Mesh Management and Administration (GAMMA)
  * Ingress2Gateway
* [2] Policy Matters! A Policy Working Group Introduction and Deep Dive - Jim Bugwadia, Nirmata & Frank Jogeleit, LOVOO
* Node Resource Management: The Big Picture - Sascha Grunert & Swati Sehgal, Red Hat; Alexander Kanevskiy, Intel; Evan Lezar, NVIDIA; David Porter, Google

> [time=Wed, Apr 19, 2023 11:55]

* Silly Gooses, Let's Make Sense of the Security Supply Chain, Together - Grace Nguyen, University of Waterloo
* [2] What Happened to the Service Catalog? - Adam Wolfe Gordon, DigitalOcean
* Emissary-Ingress: Self-Service APIs and the Kubernetes Gateway API - Lance Austin, Ambassador Labs & Flynn, Buoyant
* [1] :eyes: How We Securely Scaled Multi-Tenancy with VCluster, Crossplane, and Argo CD - Ilia Medvedev & Kostis Kapelonis, Codefresh
  * Vcluster (helm chart)
  * Crossplane
  * [Cypress](https://docs.cypress.io/guides/overview/why-cypress) for e2e tests
  * Codefresh Architecture: ![Codefresh Architecture](https://i.imgur.com/0wumWEv.png)
  * [Cluster API Provider](https://www.vcluster.com/docs/operator/cluster-api-provider)
* Confidential Containers Made Easy - Fabiano Fidencio, Intel & Jens Freimann, Red Hat
* Using OpenTelemetry for Application Security, with a Real Life Example - Ron Vider, Oxeye
* Flux Beyond Git: Harnessing the Power of OCI - Stefan Prodan & Hidde Beydals, Weaveworks

> [time=Wed, Apr 19, 2023 14:30]

* Fight Back Against Cyber Risk in the Software Supply Chain with a Secure and Compliant DevSecOps Pipeline for Regulated Environments - Krishna Rajeesh Nallur Valiyaveettil & Brendan Kelly, IBM
* [2] Filling the Gaps in Kubernetes Flavored SLSA with Threat Modeling - Christie Wilson, Google & Priya Wadhwa, Chainguard
* Argo CD Core - A Pure GitOps Agent for Kubernetes - Alexander Matyushentsev, Akuity & Leonardo Luz Almeida, Intuit
* Envoy Gateway Update - Alice Wasko, Ambassador Labs & Arko Dasgupta, Tetrate
* Emergent Load Testing: Rules for Organized Chaos - Nicole van der Hoeven, Grafana Labs
* [1] :eyes: The Hacker's Guide to Kubernetes - Patrycja Wegrzynowicz, Form3
  * Terraform "everything"
  * OWASP Kubernetes Top 10 2022 ![OWASP Kubernetes Top 10 2022](https://i.imgur.com/NvpVCWP.png)
  * [kubeletctl](https://github.com/cyberark/kubeletctl)
  * [Exploiting Distroless Images](https://www.form3.tech/engineering/content/exploiting-distroless-images)

> [time=Wed, Apr 19, 2023 15:25]

* Multi-Arch Infrastructure from the Ground up - Cheryl Hung, Arm
* [2] Operating CERN SaaS at Scale with Operators - Michael Hrivnak & Varsha Prasad Narsing, Red Hat; Rajula Vineet Reddy & Francisco Borges Aurindo Barros, CERN
* Hazardous Defaults: Managing Cardinality and Perform
* Availability and Storage Autoscaling of Stateful Workloads on Kubernetes - Leila Abdollahi Vayghan, Shopify
* [1] :eyes: From SBOMs to IBOMs - Know What's Happening in Your Clusters - Ido Neeman, Firefly
  * IBOM definition ![IBOM definition](https://i.imgur.com/YOl8xoD.png)
  * Asset management
    * Prisma Cloud / Wiz
    * CloudHealth / Apptio
    * CMDB (Configuration Management DataBase) - "old" IT
    * Cloud Native CMDB
  * Infrastructure Drifts
  * All should be codified - IaC (Okta configuration in Terraform)

> [time=Wed, Apr 19, 2023 16:30]

* [2] Verifiable GitHub Actions with eBPF - Jose Donizetti, Aqua
* Protecting Your Crown Jewels with External Secrets Operator - Moritz Johner, Form3
* [1] :eyes: Customizing Your Buildpacks Build – Yes You Can! - Natalie Arellano, VMware & Aidan Delaney, Bloomberg
  * Buildpacks ![Buildpacks](https://i.imgur.com/vCbmiXV.png)
* 🦝 Canals and Bridges: Using Amsterdam's Transit System To Secure K8s Networks - Cailyn Edwards, Shopify

> [time=Wed, Apr 19, 2023 17:25]

* [2] Highly Available Routing with Multi Cluster Gateways - Rob Scott, Google & Liwen Wu, AWS
* Adopting Network Policies in Highly Secure Environments - Raymond de Jong, Isovalent
* 🦝 RBAC to the Future: Untangling Authorization in Kubernetes - Jimmy Mesta, KSOC
* Let's Go Backstage: IDP Security for Platform Engineers - Rotem Refael, ARMO & Suzanne Daniels, Spotify
* [1] :eyes: Cilium Updates, News, Roadmap, and in the Wild - Liz Rice, Isovalent; Andy Allred, EfiCode; Richard Hartmann, Grafana Labs
  * Cilium ![Cilium](https://i.imgur.com/rytkOtc.png)
  * [Cilium Mesh](https://isovalent.com/blog/post/introducing-cilium-mesh/)
  * Istio Ambient Mesh - sidecar-free Istio
  * mTLS for NetworkPolicy - encryption per service (any traffic)
  * Grafana Dashboards in Hubble UI

## Thursday

> [time=Thu, Apr 20, 2023]

* :eyes: Keynotes
  * [Open Cluster Management](https://open-cluster-management.io/)
  * [Kubernetes official CVE feed (beta)](https://kubernetes.io/docs/reference/issues-security/official-cve-feed/)
  * Backstage
  * cert-manager
    * [trust-manager](https://cert-manager.io/docs/projects/trust-manager/)
  * Cilium
  * [Cloud Custodian](https://cloudcustodian.io/)
  * [Cloudevents](https://cloudevents.io/)
  * cri-o
  * [dapr](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-overview/)
  * Dragonfly
  * Emissary Ingress
  * Falco
  * gRPC
  * [in-toto](https://www.cncf.io/projects/in-toto/)
  * [VMClarity](https://github.com/openclarity)
  * [The Cloud Native Playground](https://play.meshery.io/)
  * [Metal3](https://metal3.io/)
  * Artifacthub
  * Kind

> [time=Thu, Apr 20, 2023 11:00]

* [1] :eyes: Unlocking Argo CD's Hidden Tools for Chaos Engineering - Featuring VCluster and More - Dan Garfield & Brandon Phillips, Codefresh
  * Demo - How to test ArgoCD performance
* [2] Life of a CVE with Ingress-Nginx; Understanding the Project's Release Cycle - James Strong, Chainguard & Dylen Turnbull, Nginx INC

> [time=Thu, Apr 20, 2023 11:55]

* [1] :eyes: How We Migrated Over 1000 Services to Backstage Using GitOps and Survived to Talk About It! - Shahar Shmaram & Ran Mansoor, AppsFlyer
  * Backstage, Flux, Terraform, GitOps
* [2] Use Knative When You Can, and Kubernetes When You Must - David Hadas & Michael Maximilien, IBM
* Automated Cloud-Native Incident Response with Kubernetes and Service Mesh - Matt Turner, Tetrate & Francesco Beltramini, Control Plane

> [time=Thu, Apr 20, 2023 14:30]

* [2] Hacking and Defending Kubernetes Clusters: We'll Do It LIVE!!! - Fabian Kammel & James Cleverley-Prance, ControlPlane
* [1] :eyes: Image Signing and Runtime Verification at Scale: Datadog's Journey - Ethan Lowman, Datadog
  * Sign & verify images ![Sign & verify images](https://i.imgur.com/kxA4o6h.png)
  * Sigstore / cosign, Notary v2
  * Node level image verification - containerd 2.0
* Unlocking the Potential of KEDA: New Features and Best Practices - Jorge Turrado Ferrero, SCRM Lidl International Hub & Zbynek Roubalik, Red Hat

> [time=Thu, Apr 20, 2023 15:25]

* Processing of Amsterdam City Data with Vendor Agnostic Serverless Functions - Mohit Suman & Zbynek Roubalik, Red Hat
* Automating Configuration and Permissions Testing for GitOps with OPA Conftest - Eve Ben Ezra & Michael Hume, The New York Times
* Exiting Ingress 201: A Primer on Extension Mechanisms in Gateway API - Sunjay Bhatia, VMware, Inc. & Daneyon Hansen, Solo.io
* [2] The Day We Delete(d) Production - Ricardo Rocha & Spyridon Trigazis, CERN
* Checking the Chains at the Gate: Building Supply Chain Policies with Gatekeeper and Ratify - Jeremy Rickard, Microsoft
* [1] :eyes: 🦝 Interactive Playground to Learn Kubernetes and Cloud Native Security - Madhu Akula
  * [Kubernetes Goat](https://madhuakula.com/kubernetes-goat/)
  * [OWASP Kubernetes Top 10](https://madhuakula.com/kubernetes-goat/docs/owasp-kubernetes-top-ten)
  * [MITRE ATT&CK](https://madhuakula.com/kubernetes-goat/docs/mitre/mitre-attack)

> [time=Thu, Apr 20, 2023 16:30]

* Breakpoints in Your Pod: Interactively Debugging Kubernetes Applications - Daniel Lipovetsky, D2IQ
* Future of Istio - Sidecar, Sidecarless or Both? - Neeraj Poddar, Solo.io
* OpenTelemetry: Using Unified Semantics to Drive Insights + Project Update - Morgan McLean, Splunk; Alolita Sharma, Apple; Daniel Dyla, Dynatrace; Ted Young, Lightstep
* [1] :eyes: The Path to Self Contained CRDs - Cici Huang, Google
  * Webhooks - not so easy to use (+ latency)
  * Common Expression Language - CEL
  * CRD Validation Rules ![CRD Validation Rules](https://i.imgur.com/NkOq5wP.png)
  * [kcp](https://www.kcp.io/)
  * Policy Enforcement in Kubernetes ![Policy Enforcement in Kubernetes](https://i.imgur.com/Vqqhekr.png)
  * ValidatingAdmissionPolicy ![ValidatingAdmissionPolicy](https://i.imgur.com/62xayK4.png)
    * Deny
    * Warn
    * Audit
    * Alpha feature in K8s 1.27
  * [kubescape](https://github.com/kubescape/kubescape)
* 🦝 Guardians of the Runtime: Leveraging Behavioral Analysis and Policies - Ben Hirschberg, ARMO
* [2] Tutorial: Deploying Cloud-Native Applications Using Kubevela and OAM - Daniel Higuero, Napptive

> [time=Thu, Apr 20, 2023 17:25]

* [2] Disaster Recovery: Bringing Back Production from Scratch in Under 1 Hour Using KOps, ArgoCD and Velero - Andre Jay Marcelo-Tanner, Ada Support
* [1] Across Kubernetes Namespace Boundaries: Your Volumes Can Be Shared Now! - Masaki Kimura & Takafumi Takahashi, Hitachi

## Friday

> [time=Fri, Apr 21, 2023]

* :eyes: Keynotes
  * Importance of Backup in "containerized world"
  * Media Streaming Mesh
  * [Kuasar](https://kuasar.io/) - An Efficient Multi-Sandbox Container Runtime

> [time=Fri, Apr 21, 2023 11:00]

* [1] :eyes: Navigating the Delivery Lifecycle with Keptn - Giovanni Liva, Dynatrace; Ana Margarita Medina, Lightstep; Brad McCoy, Basiq; Meha Bhalodiya, Red Hat
  * ???
* Cloud Computing's First Economic Recession? Let's Talk Platform Efficiency - Aparna Subramanian, Shopify; Todd Ekenstam, Intuit; Phillip Wittrock, Apple; Nagarajan Chinnakaveti Thulasiraman, Zalando SE
* [2] Prevent Embarrassing Cluster Takeovers with This One Simple Trick! - Daniele de Araujo dos Santos & Shane Lawrence, Shopify
  * [kubeaudit](https://github.com/Shopify/kubeaudit)
* Tutorial: Create and Deploy a Lightweight Microservice in WebAssembly - Tai Hung-Ying & Vivian Hu, Second State

> [time=Fri, Apr 21, 2023 11:55]

* Paved Paths Leading the Way to Compliance - Kasper Borg Nissen & Brian Nielsen, Lunar
* [2] Recovering from Regional Failures at Cloud Native Speeds - Yury Tsarev, Upbound & Nuno Guedes, Millennium bcp
* Knative's Road Ahead: A Project Update - Roland Huss & Naina Singh, Red Hat; Paul Schweigert, IBM; David Protasowski, VMware; Mauricio Salatino, Diagrid
* Surviving Day 2 - How to Troubleshoot Kubernetes Networking - Thomas Graf, Isovalent
* [1] :eyes: Least Privilege Containers: Keeping a Bad Day from Getting Worse - Greg Castle & Vinayak Goyal, Google
  * non-root containers
  * [Rootless Containers](https://rootlesscontaine.rs/)
  * linux user_namespaces ![linux user_namespaces](https://i.imgur.com/BMqoul0.png)
  * K8s hostUsers ![K8s hostUsers](https://i.imgur.com/mldmZkS.png)
    * Stateless pods only
    * Alpha state
  * hostUsers ![hostUsers](https://i.imgur.com/nFcpDYa.png)

> [time=Fri, Apr 21, 2023 14:00]

* [1] :eyes: Tilt Your World! Lessons Learned in Improving Dev Productivity with Tilt - Yuvaraj Balaji Rao Kakaraparthi & Sagar Muchhal, VMware
  * [Tilt](https://tilt.dev/)
  * Development Workflow ![Development Workflow](https://i.imgur.com/EXKXhfT.png)
* Securing the Container Supply Chain with Notary - Justin Cormack, Docker & Toddy Mladenov, Microsoft
* How to Make Kubernetes Rhyme with Prod-Readiness - Tiffany Jernigan, VMware & Matthias Haeussler, Novatec Consulting GmbH
* Malicious Compliance: Reflections on Trusting Container Scanners - Ian Coldwater, Independent; Duffie Cooley, Isovalent; Brad Geesaman, Ghost Security; Rory McCune, Datadog
* Tutorial: Building an Open Source Observability Stack - Hannah Troisi, Vihang Mehta & Michelle Nguyen, New Relic; Clemens Kolbitsch, VMware

> [time=Fri, Apr 21, 2023 14:55]

* Collaboratively Building App Manifests at Scale in Complex Organizations - Wim Henderickx, Nokia
* Effortless Open Source Observability with Cilium, Prometheus and Grafana - LGTM! - Raymond de Jong & Anna Kapuścińska, Isovalent
* [2] Building SLSA 3 Conformant Attestors for Artifacts Generated on GitHub - Ian Lewis & Asra Ali, Google
* [1] :eyes: Secure the Build, Secure the Cloud: Using OIDC Tokens in CI/CD Pipelines - Alex Ilgayev & Elad Pticha, Cycode
  * OpenID Connect
  * JWT ![JWT](https://i.imgur.com/6rlozRK.png)

> [time=Fri, Apr 21, 2023 16:00]

* [1] :eyes: Tutorial: Exploring the Power of OpenTelemetry on Kubernetes - Pavol Loffay, Benedikt Bongartz & Yuri Oliveira Sa, Red Hat; Severin Neumann, Cisco; Kristina Pathak, LightStep
  * https://github.com/pavolloffay/kubecon-eu-2023-opentelemetry-kubernetes-tutorial
  * ![Collector Overview](https://raw.githubusercontent.com/pavolloffay/kubecon-eu-2023-opentelemetry-kubernetes-tutorial/main/images/otel-collector.png)
  * hands-on demo :-)

> [time=Fri, Apr 21, 2023 16:55]

* [2] Can You Keep a Secret? On Secret Management in Kubernetes - Liav Yona & Gal Cohen, Firefly
* [1] Keeping It Simple: Cilium Networking for Multicloud Kubernetes - Liz Rice, Isovalent

## Summary

Most important topics:

* Zero Trust ([Cilium Mesh](https://isovalent.com/blog/post/introducing-cilium-mesh/))
* [Gateway API](https://gateway-api.sigs.k8s.io/)
* eBPF
* GitOps
* OpenTelemetry + Observability
* Supply Chain Security
* https://www.danielstechblog.io/azure-kubernetes-service-news-from-kubecon-europe-2023/

###### tags: `kubecon` `2023` `kubecon-eu-2023` `eu`
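The Friday "Least Privilege Containers" notes above list the building blocks (non-root containers, Linux user namespaces, the K8s `hostUsers` field, stateless pods only, alpha) without showing how they combine in a manifest. As an added example, not from the talk or from the Kubernetes project, here is a Pod that applies all of them at once: it opts into a pod-level user namespace with `hostUsers: false`, runs as a non-root UID, drops all capabilities and uses only ephemeral storage so it stays within the alpha's stateless-only restriction. The Pod name, UID/GID values and the image reference are assumptions.

```yaml
# Added example, not from the talk. On K8s 1.25-1.27 this needs the kubelet
# feature gate UserNamespacesStatelessPodsSupport=true (renamed
# UserNamespacesSupport in 1.28) and a runtime with idmapped-mount support
# (containerd 1.7+ or CRI-O 1.25+). Without the gate, hostUsers is ignored
# and the pod silently runs in the host user namespace, so verify (see below).
apiVersion: v1
kind: Pod
metadata:
  name: least-privilege-demo   # assumption
spec:
  # Pod-level user namespace: UID 0 inside the container maps to an
  # unprivileged, per-pod UID range on the node, so a container breakout
  # lands as a nobody-like user rather than host root.
  hostUsers: false
  # No projected SA token unless the workload actually talks to the API.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001     # assumption
    runAsGroup: 10001    # assumption
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/app:1.0   # assumption
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    # Ephemeral only: the alpha user-namespace support excludes pods that
    # use persistent volumes (the "stateless pods only" note above).
    - name: tmp
      emptyDir: {}
```

The settings under `securityContext` are also what the Pod Security `restricted` profile requires, so the same manifest passes a namespace labelled `pod-security.kubernetes.io/enforce=restricted`. To confirm the user namespace is actually in effect, run `kubectl exec least-privilege-demo -- cat /proc/self/uid_map`: a mapped pod prints a line such as `0 <host-uid> 65536` rather than the host's identity mapping `0 0 4294967295`, and `ps -o uid,cmd` on the node shows the process under that high host UID.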