In-person
1-4 April 2025

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon Europe 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Thursday April 3, 2025 11:45 - 12:15 BST
Service account signing keys are critical for JWT signing and authentication in Kubernetes, yet the current model - loading keys from disk during kube-apiserver startup - introduces challenges in key rotation and security. Restarting kube-apiserver for key rotation disrupts operations, while storing signing keys on disk exposes sensitive materials to potential exfiltration. This talk explores KEP 740, an enhancement to Kubernetes’ service account key management that enables seamless integration with HSMs and cloud KMSes. By offloading signing to external systems, we eliminate the need for restarts during key rotations and significantly enhance security by removing signing materials from the filesystem. Join us to learn how these updates can strengthen security and auditability, and provide Kubernetes distributions with the flexibility to choose key management solutions that meet their needs.
Speakers
Standa Láznička

Principal Software Engineer, Microsoft
I've been dealing with authentication, authorization and certificates in Open Source for quite some time.
Rita Zhang

Principal software engineer, Kubernetes SIG Auth co-chair, Security Response Committee, Microsoft
Rita Zhang is a Principal software engineer at Microsoft, based in the San Francisco Bay Area. She leads the Azure Container Upstream team of maintainers and contributors building features for Kubernetes upstream and CNCF projects. She is a Kubernetes sig-auth chair, a member of the Kubernetes...
Mo Khan

Software Engineer, Microsoft
Mo Khan is a software engineer who is passionate about open source and security. He started working on Kubernetes in 2016, and currently serves as a chair, technical lead and subproject owner for Kubernetes SIG Auth, a member of the Kubernetes Security Response Committee and a contributor...
Anish Ramasekar

Principal Software Engineer, Microsoft
Anish Ramasekar is a software engineer at Microsoft. He is on the Azure Container Upstream team building features for Kubernetes upstream and various CNCF projects that are part of the Azure Kubernetes Service. Anish is a maintainer of the Secrets Store CSI Driver project.
Level 3 | ICC Capital Suite 10-12
