0.7 cloud-native-rejekts-atlanta-na-atlanta-2025 2025-11-08 2025-11-08 1 00:05 https://cfp.cloud-native.rejekts.io https://cfp.cloud-native.rejekts.io/media/cloud-native-rejekts-atlanta-na-atlanta-2025/img/CNR_Logo_Default_Stacked_maMQPVR.png US/Eastern Crystal Dining Room Talk 2025-11-08T10:10:00-05:00 10:10 00:30 As teams move from traditional CI/CD pipelines to GitOps tools like Argo CD, they often hit a common roadblock: how do you manage promotions across dev, staging, and production? Tools like Argo CD and Flux often leave a gap when it comes to multi-stage promotions. What used to be a simple approval click now involves juggling image tags, config changes, and pull requests across multiple repos. This shift often creates confusion, adds manual steps, and breaks the developer workflow. Tools like 'GitOps Promoter' by Argo offer a promising approach to this problem, but are still in their experimental phase, limiting their readiness for production. Other enterprise solutions offer robust features but come with licensing costs, which can be a barrier for teams. In this talk, we’ll explore Kargo, a Kubernetes-native OSS tool for automating multi-stage promotions, and compare it with GitOps Promoter. We’ll walk through their design choices, strengths, and tradeoffs with a live demo so users can see how each tool handles this and choose the approach that best fits their GitOps workflow, without ever relying on custom scripts. cloud-native-rejekts-atlanta-na-atlanta-2025-1550-why-is-ci-still-doing-your-promotions- Nitish KumarFaeka Ansari en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/MRPMHL/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/MRPMHL/feedback/ Crystal Dining Room Talk 2025-11-08T11:10:00-05:00 11:10 00:30 # The Paranoid's Guide to Deploying Skynet's Interns So, you've built an AI Agent. Congratulations! It's brilliant, autonomous, and probably a little bit terrifying. While we're all racing to build the next generation of intelligent applications, we're bolting them onto deployment architectures that treat them like any other legacy system or worse, blindly deploying them without a plan. This is a mistake, and it's going to get weird. This talk presents a reference deployment architecture for AI Agent applications, starting with a quick primer on their core components: the **Agents**, the **MCP servers**, the **Tools** they access, and the **Memory** that gives them context. Then, we dive into the deep end of the security nightmare they represent. We'll explore the messy reality of modern AI deployments: - **A Tangled Web of Trust:** Agents and MCPs are exposed to a chaotic mix of tools and services with wildly different levels of trust. How do you keep your high-security internal tool from being manipulated by an agent that just scraped a questionable Reddit thread? - **Persistent Threats:** The very nature of an Agent's memory means that attacks and threats can persist and evolve across sessions. A vulnerability exploited today could be a weapon wielded by the agent tomorrow. - **Amplified Supply Chain Risks:** Autonomous AI actions turn opaque, previously inaccessible components into active parts of your supply chain. This dramatically increases the attack surface, making vulnerabilities that were once theoretical suddenly very exploitable. - **Compounding Complexity:** The introduction of multi-agent communication protocols and centralized MCP servers adds layers of complexity that can obscure risk and reduce control when you need it most. The core of this talk is a simple, radical recommendation: **true, paranoid, and unapologetic isolation at every level of the AI Agent application stack.** We'll argue that AI components are dynamic, untrusted supply chains and must be handled with the same (if not more) scrutiny as any other production system. You will leave this session understanding why segmentation of components by trust level isn't just a good idea, but absolutely vital. We'll show you why you need *more* control over your MCP servers, not less, and provide a practical, defense-in-depth architecture for deploying AI Agents that won't turn on you. cloud-native-rejekts-atlanta-na-atlanta-2025-1580-the-paranoid-s-guide-to-deploying-skynet-s-interns Dan Fernandez en While we're all racing to build the next generation of intelligent applications, we're bolting them onto deployment architectures that treat them like any other legacy system or worse, blindly deploying them without a plan. This is a mistake, and it's going to get weird. You will leave this session understanding why segmentation of components by trust level isn't just a good idea, but absolutely vital. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/ZCZSMW/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/ZCZSMW/feedback/ Crystal Dining Room Talk 2025-11-08T11:45:00-05:00 11:45 00:30 As observability systems grow more complex, the cognitive load on users increases quite fast. This talk presents an approach that could be game-changer in the future: using AI assistants as intelligent interfaces to your observability stack. By implementing and using MCP (Model Context Protocol) servers, we can transform how observability users interact with metrics, logs, and traces. You will see how teams can query their stack in plain English and use natural language to explore data, debug issues, and even work with configurations. The session covers both theoretical foundations and practical implementation. It demonstrates how you can integrate AI assistants directly into your day-to-day workflows and provides a comprehensive walkthrough of: - MCP architecture and how it enables LLMs (Large Language Models) to execute observability tasks - Setting up and configuring MCP servers (demonstrated with VictoriaMetrics) and integration with popular AI assistants - Current and planned features of VictoriaMetrics MCP Server - Real-world use cases: data exploring, query explanation, working with alerting rules, cardinality analysis, intelligent debugging, obtaining context-rich answer for your questions, etc - Various tips on how to make AI assistants work better with the observability stack Whether you're an SRE looking to reduce toil, a platform engineer seeking to democratize monitoring access, or a leader evaluating AI's role in operations, this talk provides practical insights and tools for possible transformation of your observability practice. This approach doesn't replace monitoring expertise at the moment — it amplifies it, making expert knowledge accessible to entire teams, giving you a powerful teammate in the form of AI assistant. cloud-native-rejekts-atlanta-na-atlanta-2025-1508-how-to-use-an-ai-assistant-with-your-monitoring-system Mathias Palmersheim en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/PHPK7Y/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/PHPK7Y/feedback/ Crystal Dining Room Talk 2025-11-08T14:00:00-05:00 14:00 00:30 Software Bill of Materials (SBOMs) are no longer a nice-to-have; they're quickly becoming table stakes for secure software delivery. But generating SBOMs is just the start. How do you manage them at scale across thousands of artifacts, teams, and environments? How do you ensure they’re accurate, tamper-proof, and usable in real-world pipelines? We will walk users through integrating SBOM generation, storage, and validation into a modern CI/CD workflow using cloud-native tooling. - Best practices for generating SBOMs for containers - Securely storing and indexing SBOMs alongside your artifacts - Validating artifacts against SBOM data before deployment - Using SBOMs in incident response, compliance, and auditing The session will provide attendees a clear roadmap to make SBOMs a first-class citizen in their pipelines and will provide a real-world example of how Cloudsmith integrates CNCF projects like Trivy with OSS projects like CycloneDX, Syft and Grype for automated SBOM generation. cloud-native-rejekts-atlanta-na-atlanta-2025-1588-building-trust-in-every-artifact-with-sboms Nigel DouglasEsteban Garcia en The talk will provide clear, actionable guidance for integrating SBOMs into real-world pipelines using cloud-native tooling, specifically cosign, kyverno, kubewarden. As the cloud-native ecosystem continues to mature, supply chain security is becoming a critical concern - not just for security teams, but for developers and platform engineers as well. By sharing practical techniques for generating, storing, and validating SBOMs, we would like to: - Help teams improve the security and transparency of their build and release processes - Encourage adoption of open standards like SPDX, CycloneDX, and in-toto - Stressing why Trivy has become a standard for vulnerability scanning in cloud-native environments. - Highlight the value of OCI-native approaches to artifact metadata, promoting registry-driven workflows - Build an understanding of how DevOps and DevSecOps teams can respond more quickly and confidently to emerging threats - Empower organizations to meet growing compliance demands without slowing down software delivery SBOMs are a very powerful tool that is emerging but not fully used by development teams. We want to help expand their usage. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/YQGRTY/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/YQGRTY/feedback/ Crystal Dining Room Talk 2025-11-08T14:35:00-05:00 14:35 00:30 Drowning in logs from your Kubernetes clusters? Struggling to scale observability without overwhelming your telemetry systems? You're not alone—and there's a better way. In this talk, you’ll learn how to efficiently manage and streamline logging data from source to destination using telemetry pipelines. We’ll walk through the key stages of a modern telemetry pipeline—collection, parsing, filtering, routing, and forwarding—demonstrating how to build powerful, flexible pipelines that can handle logs from any source to any destination. Along the way, you’ll see a live demo in a real Kubernetes environment, where we’ll deploy your first telemetry pipeline tailored to a real-world use case. Whether you're debugging production issues, operating multi-tenant clusters, or just trying to cut through the noise, this session will give you the tools and patterns you need to simplify and scale log collection. Plus, you’ll get access to a self-paced, hands-on workshop to continue exploring after the session: o11y-workshops.gitlab.io/workshop-fluentbit. cloud-native-rejekts-atlanta-na-atlanta-2025-1459-expanding-your-toolbox-beginners-guide-to-controlling-kubernetes-logs Eric D. Schabell en This talk includes a 15-minute live demo showcasing key integration phases: 1. Deploying a real workload: Start with a Kubernetes cluster running a real application (a CMS) that generates log data. 2. Installing a telemetry pipeline: Deploy a telemetry pipeline to the cluster to begin streaming logs from all containers. 3. Streaming to an output: Route collected logs to an external destination for analysis or storage. 4. Optimizing log volume: Refine the pipeline to filter out noisy or unnecessary logs—reducing telemetry costs and improving signal-to-noise ratio. 5. Filtering logs: Enrich logs with metadata, isolate error-level telemetry, and ensure only the necessary logs (e.g., error logs from the CMS) are exported securely from the cluster. Demo source: gitlab.com/o11y-workshops/logs-control-easy-install false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/BSVWYC/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/BSVWYC/feedback/ Crystal Dining Room Talk 2025-11-08T15:10:00-05:00 15:10 00:30 Kubernetes enables teams to deploy almost any workload without modification, but its boundaries are still defined by namespaces and cgroups. The presence of seven container-escape CVEs from 2022 to 2024 shows these boundaries can be breached. Full VMs or Kata Containers can restore security but suffer from multi-second cold starts and high memory usage, impacting latency-sensitive or densely packed clusters. In this talk, we will explore a middle ground with Hyperlight, a CNCF virtual-machine monitor that boots micro-VMs, and Nanvix, an open-source Rust microkernel designed to keep guests small yet compatible. This combination allows unmodified Rust, Python, and Wasm services to start up in tens of milliseconds while maintaining VM-class isolation. We will delve into the architecture, present head-to-head benchmarks, and conduct a live demo. By the end of the session, you will have a clear understanding of the trade-offs and a checklist for implementing micro-VM isolation. cloud-native-rejekts-atlanta-na-atlanta-2025-1590-vm-class-secure-millisecond-fast-cloud-native-apps-with-hyperlight-nanvix Danilo (Dan) ChiarlonePedro Henrique Penna en 'Benefits to the ecosystem' section of our KubeCon submission: The integration of Hyperlight and Nanvix brings significant benefits to the cloud-native ecosystem by enabling applications to run with strong isolation in a virtualized sandbox environment, while simultaneously enhancing performance and workload density. This combination leverages the lightweight, Rust-based microkernel architecture of Nanvix and the fast, open-source VMM capabilities of Hyperlight, a CNCF project, to reduce cold start times and maintain language-level compatibility. Notably, Hyperlight+Nanvix can boot up apps in tens of milliseconds, providing rapid responsiveness for cloud-native services. Currently, Hyperlight+Nanvix supports popular programming languages such as Rust, Python, and Wasm, facilitating the acceleration of cloud-native deployments. Future plans include expanding support to additional languages like JavaScript and Go, as well as deeper integration with Kubernetes. This architecture not only improves resource efficiency but also unlocks new possibilities for container isolation through containerd shims, making it a versatile and forward-looking solution for modern cloud-native applications. Attendees of this talk will walk away with concrete insights and architectural guidance on how to speed up their cloud-native applications with Hyperlight+Nanvix. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/3JKGF7/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/3JKGF7/feedback/ Crystal Dining Room Talk 2025-11-08T16:00:00-05:00 16:00 00:30 GPU multitenancy in Kubernetes faces significant security challenges when deploying AI workloads on shared infrastructure. Time slicing enables GPU sharing but lacks hardware isolation, risking exposure of sensitive data. NVIDIA Multi-Instance GPU (MIG) provides true hardware isolation with dedicated compute cores, memory slices, and L2 cache partitions, ensuring consistent performance and strict QoS guarantees. Since the default Kubernetes scheduler cannot partition GPU resources like CPUs for workloads, advanced schedulers—KAI, Volcano, and Kueue can serve as the scheduler for your workloads. They improve GPU sharing through hierarchical queues for secure multi-tenant environments. This talk demonstrates how combining isolation in multi-tenant setups with intelligent scheduling results in optimal utilization, fair resource distribution, and robust security boundaries, guiding the transition from default to GPU-aware scheduling solutions for scalable AI infrastructure. cloud-native-rejekts-atlanta-na-atlanta-2025-1544-beyond-the-default-scheduler-navigating-gpu-multitenancy-in-the-ai-era Shivay LambaHrittik RoySaiyam Pathak en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/GUBJVM/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/GUBJVM/feedback/ Theater Opening/Sponsor Keynote Speech 2025-11-08T09:30:00-05:00 09:30 00:10 Opening remarks cloud-native-rejekts-atlanta-na-atlanta-2025-1601-welcome-to-cloud-native-rejekts-na-2025- Ralph SquillaceJaiveer Katariya en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/VN9YBE/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/VN9YBE/feedback/ Theater Talk 2025-11-08T09:40:00-05:00 09:40 00:30 Leonardo DiCaprio made it look glamorous, but real-world container escapes are less Hollywood and more chaotic. Still, the parallels are striking. Like Frank Abagnale slipping past the guards at an Atlanta prison, modern attackers escape containers not with brute force but with clever misdirection: exploiting weak isolation, abusing misconfigured permissions, and sidestepping detection. In this talk, we’ll trace the path of a container breakout—from the initial escape to lateral movement across a Kubernetes cluster. We’ll walk through the attack step by step (yep, there’s a demo), then flip the perspective to show how modern defenses shut it down. We’ll cover: - How container escapes actually happen in the wild - What user namespaces in Kubernetes 1.33 bring to the table - How to achieve multi-tenancy workload isolation - How to detect breakout attempts before they go full clusterf*ck Whether you're a platform engineer, security lead, or just into a good cat-and-mouse chase through the control plane, you’ll leave with real-world tactics for keeping your cluster escape-proof. cloud-native-rejekts-atlanta-na-atlanta-2025-1462-catch-me-if-you-can-a-kubernetes-escape-story Jed SalazarJames Petersen en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/MEJ3TC/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/MEJ3TC/feedback/ Theater Talk 2025-11-08T10:10:00-05:00 10:10 00:30 Migrating from a traditional ingress controller to a service mesh-based solution in a live environment with thousands of internal users presents significant challenges. In this session, we share Bloomberg's experience transitioning from NGINX to Istio as the ingress layer for our internal private cloud platform—a managed service supporting application deployments across the firm. We explore the motivations behind this shift, the architectural and operational changes implemented, and the hurdles encountered during the migration process. Our journey offers practical insights into planning and executing such a migration with minimal disruption, while also highlighting the new capabilities unlocked through Istio. Attendees will benefit from our lessons learned, best practices, and retrospective advice aimed at helping other engineering teams undertake similar transitions with greater confidence and fewer surprises. cloud-native-rejekts-atlanta-na-atlanta-2025-1512-migrating-bloomberg-s-internal-private-cloud-from-nginx-to-the-world-of-istio Kavya ElchuriSahil Thandra en Migrating from a traditional ingress controller in a live environment with thousands of internal users can be challenging — but it doesn’t have to be. In this session, we’ll share our journey transitioning from NGINX to Istio as an ingress solution for Bloomberg's internal private cloud platform that is provided to the firm's engineers as a managed service for application deployment. We’ll discuss what motivated the change, the architectural and operational adjustments we made, the challenges we faced during the migration, and the benefits we achieved post-deployment. Attendees will gain practical insights and best practices for adopting Istio in production environments, including how to plan and execute a migration with minimal disruption -- while unlocking new capabilities. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/8LRE7M/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/8LRE7M/feedback/ Theater Talk 2025-11-08T11:10:00-05:00 11:10 00:30 What does operational overhead look like in the era of MLOps? If you're grappling with this question, like many others, and would like a way to apply the paradigm of containers and cloud native to AI workloads ― you're in luck. There is an effort underway to align AI workloads with the knowledge we have of operational excellence in cloud native. The CNCF Sandbox project ModelSpec brings much needed clarity to MLOps workflows. It provides the right abstraction to be able to define how DevOps and cloud native practices can be applied for machine learning operations. APplying the ModelSpec is the KitOps tool. It helps bridge the gaps that currently exist in the tooling space for MLOps. It creates a "Docker"-like interface for AI workloads and makes it easy and efficient to work with models on Kubernetes (or other container runtimes). In this talk, I aim to bring together the ML overhead, how cloud native paradigms can help, the ModelSpec, and KitOps. Together, all these will help expose an important painpoint in productionalizing AI in the workplace. Let's eliminate all the disconnected ways in which data teams, developers, and operations folks are working by using the principles that will be highlighted during this talk. cloud-native-rejekts-atlanta-na-atlanta-2025-1554-ease-the-move-from-devops-to-mlops-a-case-for-modelspec-kitops Ram Iyengar en - Understand MLOps Challenges: Learn to identify the key operational hurdles in deploying and managing AI/ML models. - Discover a New Solution: Get introduced to ModelSpec and KitOps, a practical framework for streamlining MLOps. - Apply DevOps Principles to AI: Find out how to use familiar cloud-native concepts to manage AI workloads efficiently. - Improve Team Collaboration: Learn how to bridge the gap between your data science and operations teams with a unified workflow. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/QKCFNE/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/QKCFNE/feedback/ Theater Talk 2025-11-08T11:45:00-05:00 11:45 00:30 Developers don’t code eight hours a day. They code one — and fight with TicketOps, Infrastructure dependencies and Security blockers the rest of the time. Many platform teams build Internal Developer Platforms (IDPs) to help, but poor abstraction choices make things worse. In this talk, we’ll share a battle-tested approach to building the right level of abstraction on top of Kubernetes using Score and Kro. You’ll learn how to go beyond templating, reduce cognitive load, and deliver a developer experience that people actually want to use. We’ll demo how developers can deploy secure, production-grade workloads by just focusing on their applications to bring value to their end users — while the platform handles the hard parts behind the scenes. This talk isn’t about Kubernetes and GitOps. It’s about empathy. It’s about platforms people adopt, not abandon. cloud-native-rejekts-atlanta-na-atlanta-2025-1581-make-your-developer-s-pains-go-away-with-the-right-level-of-abstraction-for-your-platform Artem LajkoMathieu Benoit en Many platform teams build Internal Developer Platforms (IDPs) to make developers’ lives easier. But the wrong abstraction choices often have the opposite effect: developers get stuck wrestling with endless YAML files, manually navigating security checklists, and troubleshooting infrastructure instead of writing code. In this session, we’ll share a proven approach to avoiding that trap — choosing the right level of abstraction for your Kubernetes-based platform. Using the open source tools Score and Kro, we’ll walk through a live demo showing how to fully automate complex infrastructure and security requirements behind the scenes, so developers never have to think about them. You’ll learn how to: - Minimize cognitive load and boost the “developer joy” factor. - Combine GitOps workflows with platform automation for smooth deployments. - Enable production-grade deployments with minimal developer effort. The goal: platforms that teams actually want to use — because they solve real problems instead of creating new ones. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/X3LUL3/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/X3LUL3/feedback/ Theater Talk 2025-11-08T14:00:00-05:00 14:00 00:30 AI agents for Kubernetes automation fail because they're trained on unrealistic, simplified scenarios. Unfortunately, there is a dearth of such training data available, as most companies are reticent to publicly share cluster operations data. Moreover, even existing data from, e.g., Google or Alibaba, is not representative of usage patterns seen in smaller organizations. In this talk, we will demonstrate how to use a small “seed” of real, production data from existing Kubernetes clusters to generate a large set of representative, synthetic training data for Kubernetes AI agents. We use graph-theoritic and statistical methods to generate a diverse set of training data covering failure modes, scaling events, resource contention problems, and other common scenarios found in production systems. These techniques, based on research from a team at Harvey Mudd College, allow AI Kubernetes Agents to be trained on high-quality data that is tailored to your company’s production infrastructure. cloud-native-rejekts-atlanta-na-atlanta-2025-1499-building-kubernetes-ai-agents-at-scale-generating-synthetic-training-data-for-autonomous-operation David Morrison en The modern AI industry is evolving at a break-neck pace; as new techniques and models become available, the rapid (re)-training of AI agents is critical for companies to remain competitive. Moreover, doing this training in a cost-effective manner provides these companies with a longer runway to get their products to market. Lastly, while AI agents trained to manage Kubernetes can often solve simple problems on small clusters, they have thus far have failed to work in large, general-purpose clusters like those seen in many companies’ production infrastructure. In this talk, users will learn how they can build a custom, personalized set of training data for AI Kubernetes agents, based on a relatively small amount of initial data. This capability will enable them to stay competitive in a rapidly-changing ecosystem, while keeping costs under control. We will also provide users with an easy-to-use “sandbox” training environment where agents can interact with the Kubernetes API and observe the effects of these interactions on the training data. This work was done in collaboration with a team of researchers at Harvey Mudd College, and will additionally benefit the ecosystem by facilitating the flow of knowledge from the academic community into industry. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/EBZREM/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/EBZREM/feedback/ Theater Talk 2025-11-08T14:35:00-05:00 14:35 00:30 Many FOSS project maintainers are operating extensive CI systems to ensure quality, stability, and rapid delivery of their software. Homebrew, the package manager beloved by macOS developers, is one such project. In this session, we’ll dive into the evolution of Homebrew’s CI pipelines for pull request validations, integration testing, and full regression tests for releases. Each tier of CI and test automation comes with its own unique challenges. With a variety of pull requests coming in across the Homebrew and Workbrew repositories, CI pipelines need to be fast and efficient. While a pull request may look simple on the surface, complexity often arises in the testing phase, as a modification may need to be tested against everything that runs on a particular package. We’ll explore how Homebrew balances scalability and reliability across its CI landscape by utilizing open source virtualization and orchestration technology tailored to developers on macOS. cloud-native-rejekts-atlanta-na-atlanta-2025-1463-brewed-for-scale-how-homebrew-virtualized-macos-devops-with-kubernetes Rin OliverBrandon Valentine en Since 2019, Homebrew has used a macOS native orchestration and CI solution that brought scalability, virtualization, resource flexibility, and workload customization to its cloud environment. When you have the intensive demand Homebrew does from downloading upstream source code and building binary packages to support multiple versions of macOS across both Intel and Apple Silicon architecture, the ability to scale and customize is critical. This work benefits the entire macOS ecosystem, as faster CI cycles mean quicker delivery of up-to-date software to millions of Homebrew users. Optimized infrastructure gives contributors and maintainers of the project the power to iterate with confidence, regardless of their local development setup. By sharing these strategies, we aim to inspire other projects facing similar macOS CI challenges to adopt their own sustainable, scalable best practices. This presentation will appeal to a variety of audiences including platform engineers, CI/CD architects, SREs, and FOSS maintainers who are interested in reproducible builds, improving or scaling macOS CI workloads, or designing pipelines that fit the needs of a high-volume, fast-paced open source project. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/X3YHRS/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/X3YHRS/feedback/ Theater Talk 2025-11-08T15:10:00-05:00 15:10 00:30 Edera leveraged SPIRE for cryptographically attestation of a workload’s environment. We started with a question: how do we prove that workloads are running in an isolated environment? It turns out that this is very similar to the workload identity question already answered by SPIFFE/SPIRE. By integrating SPIRE, Edera’s users are able to prove that workloads are running in a fully isolated Edera zone and get end-to-end encryption between these workloads, allowing for use cases like non-falisifiable build provenance and remote attestation. In this talk, we will discuss workload identity and the SPIFFE specification, explaining how workload identity enabled us to build a hypervisor-based, verifiable identity system for isolated workloads. We will talk about lessons learned when deploying SPIRE, walk through some of our configuration choices, and give some tips to others looking to use this project. cloud-native-rejekts-atlanta-na-atlanta-2025-1474-in-spire-ing-identity-using-spire-for-verifiable-container-isolation Marina Moore en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/8JVWUX/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/8JVWUX/feedback/ Theater Talk 2025-11-08T16:00:00-05:00 16:00 00:30 When you're managing millions of storage volumes across 13 regions, traditional deployment approaches break down. At DigitalOcean, we transformed our Storage Platform operations using ArgoCD to bring sanity to complexity. In this talk, we'll share how DigitalOcean's Storage Platform team turned our deployment process into a GitOps-powered engine using ArgoCD. We'll take you behind the scenes of operating our Storage Kubernetes platform, StorK8s, our storage orchestration platform that powers millions of volumes across DigitalOcean's global infrastructure. You’ll learn: 1. How we architected a single ArgoCD instance to manage 13+ clusters across 13 regions while maintaining sub-5-minute deployment times. 2. Real-world canary and blue-green deployment patterns for stateful workloads. 3. Why centralised GitOps beats federation for our use case (and when you shouldn't follow our lead) We’ll share what worked, what didn’t, and secret ingredients that helped us scale GitOps reliably. cloud-native-rejekts-atlanta-na-atlanta-2025-1457-managing-millions-of-storage-volumes-at-scale-inside-digitalocean-s-argocd-strategy Yash SharmaNikhil Pathak en This talk gives the community a real-world end user story, large-scale example of GitOps in action using ArgoCD to manage complex, stateful workloads. By sharing lessons learned from operating across 13+ regions, we’ll show how CNCF open source tools can handle high-stakes infrastructure without compromising velocity or safety, through the lens of how DigitalOcean’s Storage Platform, StorK8s, powers millions of volumes globally. DigitalOcean has been running storage platform AKA StorK8s for the past 10+ years, and in this talk storage team senior engineer Nikhil and dev advocate Yash will share learnings with hands on practical patterns, deployment strategies, and tooling ideas on GitHub that attendees can apply to their own environments, helping push GitOps adoption forward across the open source and CNCF ecosystem. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/H7EYBC/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/H7EYBC/feedback/ Theater Talk 2025-11-08T16:35:00-05:00 16:35 00:30 What if you could build serverless applications that cold-start in under a millisecond, run anywhere—from your laptop to Kubernetes to the edge—and require no changes to move between environments? This talk introduces Spin, a CNCF open-source WebAssembly (Wasm) developer toolkit designed for performance, portability, and simplicity. cloud-native-rejekts-atlanta-na-atlanta-2025-1541-truly-portable-code-serverless-webassembly-in-a-distributed-world Caleb Schoepp en What if you could build serverless applications that cold-start in under a millisecond, run anywhere—from your laptop to Kubernetes to the edge—and require no changes to move between environments? This talk introduces Spin, a CNCF open-source WebAssembly (Wasm) developer toolkit designed for performance, portability, and simplicity. Attendees will learn how to build a Spin app, write polyglot WebAssembly functions with sub-millisecond cold starts, and run them locally using the Spin CLI. The same app will then be deployed to Azure Kubernetes Service with SpinKube, the open-source Spin runtime for Kubernetes, and to Fermyon Wasm Functions, Akamai’s multi-tenant, globally distributed PaaS — all without rewriting or cross-compilation. The talk shows how WebAssembly and Spin enable true portability across the compute continuum, letting developers build once and run anywhere with no vendor lock-in. This talk demonstrates how Spin is reshaping what serverless can be. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/YPWVLM/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/YPWVLM/feedback/ Theater Lightning Talk 2025-11-08T17:10:00-05:00 17:10 00:05 Kube Resource Orchestrator (kro) has been steadily gaining traction as a Kubernetes-native way to build higher-level abstractions for platform engineering. Kro enables platform teams to create Platform APIs that bundle multiple Kubernetes and cloud resources into a single, self-service interface. At its core, kro uses a ResourceGraphDefinition to define the components, their dependencies, and how they should be deployed. This eliminates sprawling YAML files, automates ordering, and lets application teams consume infrastructure without wrestling with raw Kubernetes manifests. In this lightning talk, I’ll show: 1. What a Platform API built with kro looks like. 1. How it compares to tools like Crossplane compositions and Helm. 1. Where kro fits in your platform engineering roadmap. In just 5 minutes, you’ll see how this approach can make your platform APIs higher-level—and your delivery pipelines faster. cloud-native-rejekts-atlanta-na-atlanta-2025-1565-beyond-yaml-building-platform-apis-with-kro Engin Diri en If you’re a platform engineer, DevOps practitioner, or Kubernetes enthusiast who’s tired of juggling endless YAML files, this lightning talk is for you. We’ll explore how Kube Resource Orchestrator (kro) turns complex deployments into clean, reusable Platform APIs that app teams can use without touching low-level manifests. In just 5 minutes, you’ll learn what kro is, how it works, and why it might be the missing abstraction in your platform engineering toolkit. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/M3TVS3/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/M3TVS3/feedback/ Theater Lightning Talk 2025-11-08T17:15:00-05:00 17:15 00:05 Ever wondered how to speed up your Kubernetes container delivery and get results in the blink of an eye? Look no further! In this action-packed 5-minute session, you will experience the magic of Dragonfly, the ultimate tool for accelerating container delivery in Kubernetes that slashes delivery times, boosts efficiency and ensures lightning-fast container distribution across your infrastructure. Whether you're looking to optimize deployment speed or just curious about how to supercharge your container workflow, this talk is for you. This talk covers how to: 1. Integrate Dragonfly with Kubernetes, ArgoCD, and other tools fromthe CNCF landscape for seamless container delivery. 2. Unlock the magic behind Dragonfly’s peer-to-peer container distribution. 3. Real-world examples of using Dragonfly to accelerate deployments in Kubernetes. cloud-native-rejekts-atlanta-na-atlanta-2025-1563-the-dragonfly-5-minute-formula-for-speedy-container-delivery Aditya SoniHrittik Roy en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/3FQ7NM/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/3FQ7NM/feedback/ Theater Lightning Talk 2025-11-08T17:20:00-05:00 17:20 00:05 Kubernetes Ingress doesn’t scale well in multi-tenant clusters, especially when teams need to share ports or protocols. In this talk, I’ll show how the experimental XListenerSet in Gateway API solves that. Using a real use case, I’ll walk through how it lets different teams define their own listeners safely, without stepping on each other. If you're managing shared clusters and fighting with ingress conflicts, this is five minutes that could save you hours. cloud-native-rejekts-atlanta-na-atlanta-2025-1468-from-messy-to-modular-fixing-multi-tenant-ingress-with-gateway-api-s-xlistenerset Mengin Nicolas en Managing Ingress in multi-tenant Kubernetes clusters is complex and error-prone, especially when teams need to share ports or protocols. The new XListenerSet extension in Gateway API provides a clean way to delegate listener configuration safely. In this talk, I’ll present a real-world use case where XListenerSet resolved conflicts and improved isolation between teams. false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/9RUPBC/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/9RUPBC/feedback/ Theater More Lightning Talks - Sign up sheet at registration (limited slots available) 2025-11-08T17:25:00-05:00 17:25 00:50 5 mins talks from attendees - sign up sheet at registration (limited slots available) cloud-native-rejekts-atlanta-na-atlanta-2025-1602-more-lightning-talks-signup-sheet-at-registration en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/PQWWSW/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/PQWWSW/feedback/ Theater Lightning Talk 2025-11-08T18:15:00-05:00 18:15 00:05 Closing out Rejekts NA 2025 in Atlanta, GA cloud-native-rejekts-atlanta-na-atlanta-2025-1603-closing-keynote Duffie Cooley en false https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/VS7TPL/ https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-atlanta-na-atlanta-2025/talk/VS7TPL/feedback/