In-person
1-4 April 2025

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon Europe 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is displayed in British Summer Time (BST) (UTC +1). The schedule is subject to change and session seating is available on a first-come, first-served basis.
Venue: Level 1 | Hall Entrance S10 | Room D
Wednesday, April 2
 

11:15 BST

Stateful Superpowers: Explore High Performance and Scalable Stateful Workloads on K8s - Alex Chircop & Chris Milsted, Akamai
Wednesday April 2, 2025 11:15 - 11:45 BST
There is no such thing as a stateless application - all applications need to store state somewhere!

Stateful workloads like databases and key value stores are often deployed outside of K8s, missing out on all the benefits of declarative config, scaling, failover and automatic healing.

In this talk we show how running stateful workloads in K8s is not only performant and scalable but also resilient, and can facilitate disaster recovery.

We will discuss the cloud native ecosystem and provide live demos of:
* Running a million RPS on a KV store with TiKV
* Running scalable, replicated and resilient Postgres databases with CloudNativePG
* Running analytics & ML on a distributed filesystem with CubeFS
… all in K8s, using K8s features to scale, failover and run day 2 operations. Working examples for the demos will be shared to enable the audience to run their own databases and stateful workloads in K8s.

Finally, we will end with a discussion of use cases and best practices.
Speakers
Alex Chircop
Chief Architect, Akamai
Chief Architect at Akamai. Previously a founder and CTO of Ondat (formerly StorageOS), building software-defined solutions for cloud native environments. Alex is also a co-chair of the CNCF Storage TAG. Before embarking on the startup adventure he spent over 25 years engineering infrastructure...
Chris Milsted
Senior Product Architect, Akamai
Chris has been working with Kubernetes since pre-1.0, when it was the beta for OpenShift version 3 at Red Hat. Since then he has moved, via VMware and Tanzu, to Akamai (via Ondat) as a Senior Product Architect, helping to design and deliver cloud scale technologies. Outside of work...
Level 1 | Hall Entrance S10 | Room D
  Data Processing + Storage

12:00 BST

Streamlined Efficiency: Unshackling Kubernetes Image Volumes for Rapid AI Model and Dataset Loading - Esteban Rey, Microsoft & Yifan Yuan, AlibabaCloud
Wednesday April 2, 2025 12:00 - 12:30 BST
In this presentation, we will introduce a novel approach to utilizing Kubernetes’ new Image Volumes for quickly and efficiently loading large language models and extensive datasets. We will explain how streaming loading and open-source technologies speed up mounting Open Container Initiative (OCI) artifacts without packaging existing object storage blobs. This ensures effective usage of storage space and faster loading times.

Packaging large models and petabyte-level datasets into OCI artifacts presents two challenges:

1. Converting existing datasets is time-consuming.
2. Pulling time and disk space usage are unacceptable.

Our approach eliminates the need to convert existing data and uses streaming loading technology to mount image volumes without pulling. It ensures high performance for accessing numerous small files and loading large models, making it practical for new and demanding scenarios.
Speakers
Yifan Yuan
Senior Software Engineer, AlibabaCloud
Yifan Yuan is a software engineer in the Alibaba Cloud storage team and a major maintainer of the containerd/overlaybd project. He has rich experience in improving the startup efficiency of containers and large-scale data distribution. Yifan has collaborated with companies such as...
Esteban Rey
Software Engineer II, Microsoft
Esteban Rey is a Software Engineer at Azure and a maintainer of the containerd/accelerated-container-image project. Over the past four years, he has played a key role in developing the Azure Container Registry, ensuring Open Container Initiative conformance, and integrating open-source...
Level 1 | Hall Entrance S10 | Room D
  Data Processing + Storage

14:30 BST

The Future of Data on Kubernetes: From Database Management To AI Foundation - Melissa Logan, Constantia; Nimisha Mehta, Confluent; Gabriele Bartolini, EDB; Akshay Ram, Google
Wednesday April 2, 2025 14:30 - 15:00 BST
The Data on Kubernetes (DoK) ecosystem has expanded beyond persistent storage to support critical data workloads including databases and AI/ML operations. While databases remain the primary DoK use case per the 2024 DoK Report, organizations increasingly use Kubernetes to power next-gen data infrastructure and AI initiatives.

Panelists from the Data on Kubernetes Community will discuss:

* The evolution of workload patterns from basic stateful services to advanced AI/ML deployments

* Critical considerations for running production database workloads, which remain the #1 use case

* Emerging patterns in AI/ML operations, including batch scheduling, preemption, and gang scheduling

* Technical approaches to common challenges, including feature maturity and integration with existing tools

* Strategies for optimizing resource utilization and reducing infrastructure costs for data-intensive workloads
Speakers
Melissa Logan
CEO, Constantia
Melissa Logan is a technology industry veteran and CEO of Constantia.io, a technology marketing agency she founded in 2018. With over 25 years of experience, she specializes in developing marketing and community strategies for enterprise technology and open source organizations. Prior...
Gabriele Bartolini
CloudNativePG maintainer, EDB
Gabriele, a passionate open-source advocate, has played a pivotal role in shaping PostgreSQL's global growth. His focus on enhancing business continuity for large-scale databases aligns with his advocacy for stateful workloads in cloud-native environments since 2019. As a co-founder...
Nimisha Mehta
Software Engineer, Confluent
Nimisha is a Software Engineer working on Confluent's Kubernetes Platform team. She has been in the cloud infra space for over 5 years, and has been an end-user of Kubernetes and many other open source technologies. Apart from learning about distributed systems and infrastructure...
Level 1 | Hall Entrance S10 | Room D
  Data Processing + Storage
  • Content Experience Level Any

15:15 BST

Trino and Data Governance on Kubernetes - Sung Yun & Aki Sukegawa, Bloomberg
Wednesday April 2, 2025 15:15 - 15:45 BST
As secure and seamless data discovery and exploration become top priorities for data science platforms and their generative AI workflows, intelligent solutions for data access, catalog management, and distributed data analytics are becoming critical for cloud platform teams. One extremely popular solution is to utilize Trino in combination with Open Policy Agent (OPA) to deliver a distributed and secure SQL solution that can answer authorization checks at runtime, in a cloud native manner.

In this talk, we will walk through how we designed various Trino CustomResources on top of Kubernetes, Envoy Proxy, and Istio to enable a self-service and scalable data exploration platform. This design, in conjunction with a granular and centralized data governance framework, enables secure data discovery at a company-wide level within Bloomberg.
Speakers
Aki Sukegawa
Principal Engineer, Bloomberg
Aki Sukegawa is a Senior Software Engineer with the Enterprise Data Science Infrastructure team at Bloomberg. He is a contributor to various open source projects and is an Apache Thrift committer and PMC member.
Sung Yun
Team Lead, Bloomberg
Sung Yun is the Team Lead of Bloomberg's Cloud Native Compute Services (CNCS) Trino & Catalog engineering team, based out of New York City. His team focuses on utilizing open source tools like Kubernetes, Trino and Apache Iceberg to build a scalable data exploration platform for the...
Level 1 | Hall Entrance S10 | Room D
  Data Processing + Storage

16:15 BST

Unleashing the Power of Init Containers: Reducing Database Management Toil at Yelp - Muhammad Junaid Muzammil, Yelp
Wednesday April 2, 2025 16:15 - 16:45 BST
Init containers are specialized containers that are launched during pod initialization and complete their tasks before the main containers in the pod start. But how do they unleash their potential in real-life situations, particularly when it comes to database management?
At Yelp, we run several Cassandra clusters in production on Kubernetes. Init containers have been instrumental in transforming the operational efficiency for managing these Cassandra clusters, especially during horizontal scaling, upgrades, and restoring clusters from backups. Join us to explore the strategic use of init containers by the Database Reliability Engineering team at Yelp.
Speakers
Muhammad Junaid Muzammil
Tech Lead, Yelp
Muhammad Junaid Muzammil is a Tech Lead in the Database Reliability Engineering team at Yelp. His primary focus is on distributed datastores like Cassandra and Zookeeper, including their interactions and automation. Outside of work, you'd find him playing different games with his...
Level 1 | Hall Entrance S10 | Room D
  Data Processing + Storage

17:00 BST

Kubernetes Backup Legitimized: CSI Changed Block Tracking Has Arrived - Mark Lavi, Carl Braganza & Prasad Ghangal, Veeam; Xing Yang, VMware by Broadcom
Wednesday April 2, 2025 17:00 - 17:30 BST
Kubernetes storage is compared to traditional facilities for backup, disaster recovery, cyber-resilience against ransomware, and audit compliance. To meet the fastest recovery point and return-to-production objectives, one critical area has been missing: Changed Block Tracking (CBT). Since 2018, Kubernetes has deprecated "in-tree" storage drivers in favor of the Container Storage Interface (CSI) specification for industry-wide collaboration and standardization. CBT radically improves backup efficiency, but to meet business needs, proprietary storage drivers were required. For over two years, the Kubernetes Data Protection Working Group has worked to bring CBT to the CSI specification and the Kubernetes API. Join us to learn how cloud native storage backup and disaster recovery can finally compete with traditional infrastructure, the progress made with storage and backup vendors and projects, and the architecture, security, testing, and scalability of Kubernetes CSI CBT.
Speakers
Xing Yang
Tech Lead, VMware by Broadcom
Xing Yang is a Tech Lead in the Cloud Native Storage team at VMware by Broadcom. She is a co-chair of CNCF Storage TAG, a co-chair of the Kubernetes Storage SIG, a co-chair of the Data Protection WG, and a maintainer in Kubernetes CSI. Before joining VMware, Xing was the Lead Architect...
Mark Lavi
Principal Cloud Native Product Manager, Veeam Software
Mark was an early web developer, administrator, and advocate at Netscape, Silicon Graphics, CNN, and News Corp., spending over 20 years in Silicon Valley with numerous start-ups across engineering, IT, and marketing. As a Cloud Native Product Manager at Veeam, Mark drives Kubernetes...
Carl Braganza
Software Engineer, Veeam
I've worked in the data storage and protection space for most of my career, most recently on Kasten by Veeam, a Kubernetes backup product. I'm a member of the Kubernetes SIG-Storage Data Protection Working Group and have co-authored the Changed Block Tracking KEP and its associated...
Prasad Ghangal
Member of Technical Staff, Veeam
Prasad works as an MTS at Kasten by Veeam (kasten.io). His main areas of interest are Kubernetes, distributed systems, and open source. He likes to create and talk about dev tools. He is the creator of the open-source tool BotKube (botkube.io) and a contributor to the Changed Block...
Level 1 | Hall Entrance S10 | Room D
  Data Processing + Storage

17:45 BST

Flink on Karmada: Building Resilient Data Pipelines on Multi-Cluster K8s - Michas Szacillo, Bloomberg & Hongcai Ren, Huawei
Wednesday April 2, 2025 17:45 - 18:15 BST
Karmada is an increasingly popular open source tool for deploying and managing cloud-native applications across Kubernetes clusters. It can also be used to boost workload resiliency with its existing failover support. But what happens if we need to conserve state?

Within the context of data processing (e.g., Apache Flink or Apache Spark), the state is often critical to making sure workloads are able to gracefully resume in the event of a disruption. In collaboration with the Karmada community, the Bloomberg Streaming Analytics team has worked to bridge this gap in Karmada’s existing failover features.

During this talk, we’ll use a real-life Flink on Karmada use case to discuss:
- The complexities related to intelligently scheduling stateful workloads, improving resiliency, and ensuring state consistency during failover on multi-cluster K8s
- The open source enhancements to Karmada to manage these challenges
- How to leverage Karmada to support other stateful use cases!
Speakers
Michas Szacillo
Tech Lead, Bloomberg
Michas is a senior software engineer and tech lead on Bloomberg’s Streaming Analytics engineering team. The platform, which runs on Kubernetes, serves as the foundation for many of Bloomberg's data streaming use cases. Michas is also a frequent collaborator with the CNCF community...
Hongcai Ren
Senior Software Engineer, Huawei
Hongcai Ren (@RainbowMango) is a CNCF Ambassador who has been working on Kubernetes and other CNCF projects since 2019, and is a maintainer of the Kubernetes and Karmada projects.
Level 1 | Hall Entrance S10 | Room D
  Data Processing + Storage
 
Thursday, April 3
 

11:00 BST

A Cloud Native Workflow for Hardware-in-the-Loop Software Development - Miguel Angel Ajo, Red Hat
Thursday April 3, 2025 11:00 - 11:30 BST
Does your organization build firmware for hardware devices on Kubernetes? Do you still test firmware on hardware manually? Jumpstarter, an open-source project started by Red Hat, connects your software factory to your hardware, modernizing embedded software development. Developed in collaboration with a leading automotive manufacturer, Jumpstarter bridges the gap between embedded and cloud-native workflows.

This session demonstrates how to automate software testing on physical devices within Kubernetes using Tekton Pipelines and GitLab, leasing devices for tasks like flashing firmware, booting, and interfacing through serial, CAN bus, audio, and video. Eclipse Che will also be showcased for developing and debugging tests.

The presentation will include a live demo and will share deployment instructions, workflow examples, and real-world use cases from Red Hat and other community projects.
Speakers
Miguel Angel Ajo Pelayo
Senior Principal Software Engineer, Red Hat
Miguel has been an upstream contributor to open-source projects throughout his career at Red Hat. He has always been interested in hardware and the low-level details of how technology works. Before joining Red Hat, he ran a small consulting startup that developed embedded systems...
Level 1 | Hall Entrance S10 | Room D
  Emerging + Advanced

11:45 BST

Beyond the Limits: Scaling Kubernetes Controllers Horizontally - Tim Ebert, STACKIT
Thursday April 3, 2025 11:45 - 12:15 BST
Do your Kubernetes controllers struggle to keep up with the demands of your growing infrastructure? As your clusters scale, traditional controller setups face increasing challenges, leading to slow reconciliation times, impacting application performance and overall cluster stability.

This session introduces sharding for Kubernetes controllers as a groundbreaking solution. By horizontally scaling controller workloads across multiple instances, it significantly improves scalability and addresses the inherent limitations of traditional leader election mechanisms.

In this session, we'll dive deep into the technical details of applying proven sharding mechanisms from distributed databases to effectively partition controller workloads. We'll explore the underlying concepts and how to implement sharding in your own Kubernetes controllers.

Join us to learn how to overcome the scalability challenges of your Kubernetes controllers and unlock the full potential of your infrastructure.
Speakers
Tim Ebert
Cloud Engineer, STACKIT
Tim loves designing, developing, and operating cloud native systems at STACKIT. He is knee-deep in managing infrastructure and Kubernetes clusters themselves using Kubernetes operators. Tim is a core developer of Gardener, an open source project for managing Kubernetes clusters at...
Level 1 | Hall Entrance S10 | Room D
  Emerging + Advanced

14:15 BST

eBPF and Wasm: Unifying Userspace Extensions With Bpftime - Yusheng Zheng, eunomia-bpf
Thursday April 3, 2025 14:15 - 14:45 BST
In cloud-native systems, extending and customizing applications is key to improving development, deployment, and observability. eBPF is powerful for kernel-level enhancements, and WebAssembly brings extension to userspace. Yet, both face challenges when userspace extensions need to interact deeply with host applications. eBPF's kernel-focused design struggles in diverse userspace environments, and Wasm’s sandboxing introduces overhead and complexity due to extra checks and data copying. Enter bpftime, a framework that extends eBPF’s capabilities into userspace. Using dynamic binary instrumentation, bytecode verification, and hardware isolation, bpftime allows secure, high-performance extensions without the overhead of Wasm’s sandboxing. This talk explores how bpftime works with the eBPF Interface to simplify userspace extensions, compares the evolution of eBPF and Wasm, and shows how bpftime can power observability, networking, and other cloud-native extensions.
Speakers
Yusheng Zheng
OSS maintainer, eunomia-bpf
Yusheng Zheng is an open-source maintainer and researcher focused on improving complex systems through comprehensive understanding and strategic, small-scale modifications. As the co-founder of the eunomia-bpf open-source community and a PhD student, Yusheng is at the forefront of...
Level 1 | Hall Entrance S10 | Room D
  Emerging + Advanced

15:00 BST

Dynamic Multi-Cluster Controllers With Controller-runtime - Marvin Beckers, Kubermatic & Stefan Schimanski, Upbound
Thursday April 3, 2025 15:00 - 15:30 BST
controller-runtime is the most popular SDK to write controllers for individual Kubernetes clusters. But the Kubernetes landscape is changing quickly: multi-cluster is becoming ubiquitous (e.g. through Cluster API), with clusters joining and leaving dynamically. controller-runtime has had no direct support, making writing uniform multi-cluster controllers hard and fracturing the emerging ecosystem.

This talk explores how to build controllers that reconcile resources across a dynamic fleet of Kubernetes clusters. A key change is the ability to plug in a dynamic cluster provider that registers new Kubernetes clusters from a specific source. While implementation internals are briefly discussed, focus is on a hands-on walkthrough for writing your own cluster provider, event handlers and reconciler functions.

We discuss a simplistic cluster provider implementation for “kind” clusters as an example and extrapolate from that what more complex providers could look like (e.g. for CAPI or kcp).
Speakers
Stefan Schimanski
Senior Principal Engineer, Upbound
Stefan is a Senior Principal Engineer at Upbound working on control planes, Kubernetes, kcp, and as a tech lead in SIG API Machinery. He contributed a major part of the CRD feature set. Stefan is a 2nd-time Google Summer of Code mentor with CNCF, loves to teach and help people to learn...
Marvin Beckers
Team Lead, Kubermatic
Marvin started out as a sysadmin, gradually turned into a software engineer and now works as a Software Engineering Team Lead at Kubermatic. He has always had a passion for effective management of large server fleets, which turned his attention to Kubernetes in 2018. He has been...
Level 1 | Hall Entrance S10 | Room D
  Emerging + Advanced

16:00 BST

Get WITty: Evolving Kubernetes Scheduling With the WebAssembly Component Model - Dejan Pejchev & Jonathan Giannuzzi, G-Research
Thursday April 3, 2025 16:00 - 16:30 BST
At KubeCon NA 2024, we introduced WASM + KWOK Wizardry: Writing and Testing Kubernetes Scheduler Plugins at Scale, showcasing how WASM plugins transform Kubernetes scheduling. This session continues the story, highlighting our progress toward a language-agnostic framework using the WebAssembly Component Model.

The current Go-centric WASM plugin SDK restricts innovation to a single language. By adopting the Component Model, we enable developers to write plugins in Rust, Python, JavaScript, and more, unlocking new possibilities. This approach enhances modularity, simplifies integration with standardized interfaces, and strengthens security through improved isolation.

We’ll also showcase how this aligns with the Kubernetes Scheduler Simulator, providing a powerful testing environment for these advanced plugins. Join us to see how the Component Model fosters collaboration, innovation, and extensibility in Kubernetes scheduling. Let’s move beyond wizardry and get truly WITty!
Speakers
Dejan Zele Pejchev
Open Source Software Engineer, G-Research
Dejan is a seasoned Software Engineer with over 8 years of experience building and scaling distributed systems and an advocate of open source & Kubernetes-native solutions. Dejan is also a maintainer of Armada, the Kubernetes multi-cluster batch scheduling tool, Testkube, the Kubernetes-native...
Jonathan Giannuzzi
Open Source Evangelist, G-Research
Jonathan is an Open Source Evangelist at G-Research, where he applies his nerdy wizardry powers to solve deep problems that can bubble up all the way to the end-user.
Level 1 | Hall Entrance S10 | Room D
  Emerging + Advanced

16:45 BST

GPU Sharing at CERN: Cutting the Cake Without Losing a Slice! - Diana Gaponcic, CERN
Thursday April 3, 2025 16:45 - 17:15 BST
GPUs and accelerators are changing traditional High Energy Physics (HEP) deployments while also being the key to enabling efficient machine learning. However, their high cost and increasing demand oblige service managers to look into ways to maximize hardware utilization through sharing. While the existing methods are flexible and easy to use, complex use cases still require building custom components on top of the existing device plugin API.

This talk explores the new, exciting way of allocating and sharing GPUs - using Dynamic Resource Allocation (DRA). We go over the multiple options for GPU scheduling: time sharing, MPS, and MIG. We cover the features and limitations of each option and present extensive benchmark results that helped us assign each of our ML and scientific workloads to the most appropriate layout. Finally, we describe how managing GPUs in a centralized way improves resource utilization across interactive and batch workloads while optimizing costs in the long run.
Speakers
Diana Gaponcic
Computing Engineer, CERN
Diana is a Computing Engineer in the CERN IT department. After an internship at CERN focusing on containerization of ETL applications she later joined the Kubernetes team, working on the GitOps and monitoring infrastructure. Her current focus is on optimizing the usage of GPUs and...
Level 1 | Hall Entrance S10 | Room D
  Emerging + Advanced

17:30 BST

Image Snapshotters for Efficient Container Execution in Particle Physics - Clemens Lange, Paul Scherrer Institute & Valentin Volkl, CERN
Thursday April 3, 2025 17:30 - 18:00 BST
In particle physics, compute-intensive workloads often involve thousands of "embarrassingly parallel" jobs relying on multi-gigabyte container images. A large fraction of these workloads is executed using software containers. Efficient execution across large-scale computing environments demands advanced caching and image loading techniques to prevent network saturation and reduce startup times. Leveraging the industry-standard containerd runtime, we evaluate snapshotter plugins such as CVMFS (a CERN-developed distributed file system for large-scale software distribution), SOCI, and Stargz, which use "lazy" image loading to optimise performance. This talk includes an analysis of metrics such as container startup time and image data downloaded, alongside usability evaluations in a research environment. We demonstrate how these tools enhance the reusability and reproducibility of physics analyses; these insights are relevant to broader high-performance computing scenarios.
Speakers
Clemens Lange
Research Physicist, Paul Scherrer Institute
Clemens is a particle physicist at Switzerland’s Paul Scherrer Institute, where he contributes to the CMS experiment at CERN’s Large Hadron Collider. He focusses on Higgs boson analysis, the development of new particle detectors, and is passionate about computing and open science...
Valentin Volkl
Systems Software Engineer, CERN
Valentin is a physicist and staff software engineer at CERN. In the past he has worked on software and simulations for the next generation of particle colliders. Since 2023 he has been lead developer for the CernVM-FileSystem (CVMFS) that is used to distribute software for users in science...
Level 1 | Hall Entrance S10 | Room D
  Emerging + Advanced
 
Friday, April 4
 

11:00 BST

Container Runtimes... on Lockdown: The Hidden Costs of Multi-tenant Workloads - Lewis Denham-Parry, Edera & Caleb Woodbine, ii.nz
Friday April 4, 2025 11:00 - 11:30 BST
Container runtimes form the bedrock of Kubernetes, but running diverse workloads side-by-side introduces complex security challenges that many teams overlook. This talk peels back the layers of container isolation, starting with the fundamentals of how containers operate as Linux processes and evolving through today's runtime landscape.

We'll dive deep into the hidden costs and security implications of different container runtime choices in multi-tenant environments. Through real-world examples and performance benchmarks, we'll explore the delicate balance between isolation and efficiency. You'll learn about emerging solutions in the container runtime space and practical approaches to securing workloads without sacrificing performance.

Attendees will leave with critical security considerations for choosing container runtimes, strategies for workload isolation, and tools to evaluate isolation versus performance tradeoffs.
Speakers
Caleb
Software Engineer, calebwoodbine.nz
Open Source, software, cloud native community and distributed cloud enthusiast.
Lewis Denham-Parry
Staff Solutions Engineer, Edera
Lewis Denham-Parry orchestrates containers by day and puts them through rigorous security testing by night. As Staff Solutions Engineer at Edera, he leverages his diverse background to deliver the robust security and isolation that modern systems demand. A dynamic speaker at KubeCon...
Level 1 | Hall Entrance S10 | Room D
  Security

11:45 BST

Enhancing Software Composition Analysis Resilience Against Container Image Obfuscation - Agathe Blaise, Thales & Jacopo Bufalino, CNAM
Friday April 4, 2025 11:45 - 12:15 BST
Malicious compliance has been highlighted in previous KubeCon talks as a challenge for software composition analysis, as it conceals OS and package information in container images and hides vulnerabilities. In this talk, we analyze how the landscape has evolved over the past two years and propose improvements for SBOM generation. We found that open-source and cloud providers' tools remain vulnerable, which is even more visible in compressed images from public container registries. We uncover another form of malicious compliance enabled by the lack of a standardized package identifier format, resulting in inconsistencies in detected vulnerabilities between SBOM tools. To address this, we introduce an open-source methodology for layer-by-layer container image analysis, reconstructing the complete history of file modifications and retrieving package metadata and package-related content, improving file coverage and SBOM accuracy. Finally, we outline concrete steps for advancing SBOM resilience and accuracy.
Speakers
Agathe Blaise
Research Engineer, Thales
Agathe Blaise is currently a research engineer at Thales (Gennevilliers, France). She received the Ph.D. degree in Computer Science from LIP6, Sorbonne University (Paris, France) in 2020. Her research interests focus on cloud computing security, studying various aspects (container...
Jacopo Bufalino
Security Researcher, CNAM
I've always enjoyed breaking things; that's why I work in security. After some years in industry working as DevOps, I moved to academia, focusing on cloud network security.
Level 1 | Hall Entrance S10 | Room D
  Security

13:45 BST

Do Your Containers Even Lift – A Hardening Guide for K8s Containers - Cailyn Edwards & Daniel Murphy, Okta
Friday April 4, 2025 13:45 - 14:15 BST
In a world where containers are centre stage it's important that they look and feel their best. In this talk we will go over the Kubernetes security checklist - identifying quick fixes that will yield huge gains. Together Cailyn and the audience will take a container from flimsy and squishy to rock solid in a Rocky worthy montage of a demo. Become the trainer your containers need, and ensure that your security routines are sustainable and maintainable! From slim images, to access control we will cover techniques and tools that will make your security dreams a reality. Attendees will leave this talk with a list of Cloud Native tools that will take their container security to the next level and help their containers get a PB on their next CIS BENCHmark!
Speakers
Daniel Murphy
Senior Security Engineer, Okta
Daniel Murphy (they/them/he/him) is a Senior Security Engineer at Okta, where their main focus is making managing vulnerabilities less tedious. Prior to joining Okta, Daniel also spent time in Quality and Software Engineering, and Application Security. Outside of work Daniel enjoys...
Cailyn Edwards

Senior Security Engineer, Okta
Cailyn Edwards (she/her) is a CNCF Ambassador and a Senior Security Engineer at Okta, where she spends her time paving roads, putting up guard rails and generally helping to secure the cloud. She is also an active contributor to SIG-Security and a 2022 Contributor Award recipient. Her... Read More →
Level 1 | Hall Entrance S10 | Room D
  Security

14:30 BST

Fresh Secrets From the Docks: Lessons Learnt From Analyzing 180,000 Public DockerHub Images - Guillaume Valadon, GitGuardian
Friday April 4, 2025 14:30 - 15:00 BST
Hardcoded secrets remain a common practice in containerized environments, often used for convenience during testing or deployment, despite their significant, well-known security risks.

Docker images are not immune and can inadvertently leak secrets through Dockerfiles, configuration files, or image layers. Once pushed to registries such as DockerHub, these secrets become discoverable to attackers, putting environments at risk.

In this session, we will share insights from an extensive analysis of 180,000 public Docker images retrieved from DockerHub, uncovering a staggering 35,000 secrets across 18,000 images. More than 6,000 of these secrets were still valid when the study was conducted in late 2024, including AWS keys, GCP keys, OpenAI tokens, and GitHub tokens belonging to Fortune 500 companies.

Finally, we will discuss common misuses and pitfalls in Dockerfiles that lead to secrets being leaked, and describe best practices for handling secrets in Docker images.
Speakers
Guillaume Valadon

Staff CyberSecurity Researcher, GitGuardian
Guillaume is a Cybersecurity Researcher at GitGuardian. He holds a PhD in networking. He likes looking at data and crafting packets. He co-maintains Scapy. And he still remembers what AT+MS=V34 means!
Level 1 | Hall Entrance S10 | Room D
  Security

15:15 BST

EVAPorating Kubernetes Security Risk: Adopting Validating Admission Policy at Scale - Kaitlyn Lee & Jordan Conard, Datadog
Friday April 4, 2025 15:15 - 15:45 BST
Is the cost and operational toil of security policy enforcement raining on your parade? Learn how Datadog is simplifying its internal security policies across its dozens of clusters using Validating Admission Policy. We’ll cover our motivations for adopting VAP, detailing its features and contrasts with webhook-based admission controllers, like OPA Gatekeeper.

We will dive into the design of our policy that restricts the use of additional capabilities on containers, sharing tips on Common Expression Language, the use of multiple types of VAP parameters, and how we provide helpful validation error messages to our engineers. Lastly, we will outline our migration from OPA and how we ensure the health and reliability of our API servers by monitoring metrics and validation cost budgets.

Discover VAP’s features, scalable policy design, and our migration insights to help enhance your security posture, streamline policy enforcement, and safeguard your environments against abuse and bypass.
Speakers
Kaitlyn Lee

Software Engineer, Datadog
Kaitlyn Lee is a software engineer at Datadog. She works in the Compute team which is responsible for running the company’s Kubernetes platform. She focuses on workload autoscaling and node lifecycle automation.
Jordan Conard

Security Engineer, Datadog
Jordan joined Datadog in 2022 as a Security Engineer and is currently focused on securing its Kubernetes infrastructure through admission policies and secure-by-default initiatives. Jordan’s decade of industry experience runs the gamut from managing hybrid cloud environments to... Read More →
Level 1 | Hall Entrance S10 | Room D
  Security