09:30
09:30
10min
Welcome to Cloud Native Rejekts Europe 2025!
Benazir Khan, Ralph Squillace

Opening remarks

The Nash
09:40
09:40
30min
The Cluster API Migration Retrospective: Live migrating hundreds of clusters to Cluster API
Joe Salisbury

Cluster API has become the industry standard for managing Kubernetes clusters, taking care of the heavy lifting of cluster operations.
However, migrating to Cluster API can still be challenging, especially for organisations heavily invested in existing cluster management tools.
This talk presents Giant Swarm's journey from a custom operator-based Kubernetes cluster management system to Cluster API, including the live migration of hundreds of production clusters of major enterprises such as adidas and Vodafone.
The driving force for the migration will be covered, followed by challenges encountered during the migration, concluding with a discussion of the observed benefits and differences seen post-migration.
Attendees will come away with an understanding of potential risks and challenges to be considered when migrating to Cluster API, a better insight into the expectations and efforts required, and the benefits of using this upstream project.

The Nash
10:10
10:10
5min
Microsoft Keynote on Open Source and Community Initiatives
Thilo Fromm, Danielle Tal

Sponsor Keynote Speech TBD

The Nash
10:15
10:15
30min
CRD Data Architecture for Multi-Cluster Kubernetes
Clay Baenziger

In this case study, we cover a pattern used at Bloomberg to describe and orchestrate our many in-house infrastructure platforms run on top of Kubernetes. Specifically, we use node-less, Kine-backed API Servers to host CRDs describing our:
* Kubernetes platforms
* Their deployment tiers
* Many, many clusters
* Even more numerous application environments

We describe how data synchronizes from these highly-available, multi-site metadata clusters to the operational platform clusters that operate like any normal Kubernetes cluster.

Issues we've overcome include referential consistency across CRDs, safety systems which prevent amplification of configuration errors, data transformations from CRDs to propagate Kubernetes resources to operational clusters, and ways to replicate OPA-backed policy stores in etcd for cluster autonomy.

This case study brings lessons learned from using CRDs and Kine-backed API servers to manage multiple Kubernetes clusters. Our work has been similar to that proposed in SIG-Multicluster regarding ClusterSet, ClusterProfile API, and Cluster Inventory API.

By sharing this information, we aim to provide patterns to those who are building similar infrastructure on top of Kubernetes.

The Nash
10:45
10:45
25min
Break
The Nash
11:10
11:10
30min
Noisy Neighbors Got You Down? Demystifying Kubernetes QoS and Linux Cgroups
Tom Wieczorek

So you're running Kubernetes. You know it runs containers on lots of machines. Bin packing 4TW! But: Those pesky, noisy neighbors can be a real drag. That's where Kubernetes QoS comes in! Or does it? Meet the real magician behind the scenes: Linux cgroups, which enforce QoS guarantees based on your k8s configurations.

Containers are not native to the kernel; they emerge from low-level kernel concepts like cgroups, which are the backbone of Linux resource management. As such, they are used throughout the whole operating system, from the init system to each of your workloads. A deeper understanding of them will allow you to create harmony within your Kubernetes nodes, making sure that everything works well together and nothing steps on each other's toes.

By the end of this talk, you will understand:

  • what cgroups are,
  • the role of the different components in cgroup management,
  • kubelet's QoS/cgroup configuration,
  • and best practices for aligning cgroups to avoid potential issues.
The Nash
11:10
30min
The Beekeepers Guide to Mentoring Engineers
Simon Emms

Mentorship is crucial when building engineering teams, but is often the first casualty when the proverbial hits the fan. Being a good mentor is hard, and encouraging reluctant senior engineers to mentor their teammates is even harder.

In this talk, Simon discusses lessons learned from an area where mentoring is ingrained, offered generously and crucial to success - beekeeping.

Expect whimsy, pictures of queens and how beekeeping helped reframe the perennial problem of engineering mentorship.

After this talk, you will have tools to run improved mentoring programmes that encourage better transfer of knowledge and skills amongst your peers.

The Waterloo
11:45
11:45
30min
Geographically Distributed Clusters: Resilient Distributed Compute on the Edge
Alex Bissessur

Distributed compute at scale is a bit complex back home in Mauritius - cloud service providers are an ocean away, and local policies don't help either.
To "bring the cloud home", so to speak, a small team of tech enthusiasts decided to build a Kubernetes cluster distributed across the country, in a bid to drive down costs while boosting resilience and availability.

The Waterloo
11:45
30min
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with OpenTelemetry
Eric D. Schabell

It's time you stopped letting your telemetry data pressure your budgets and get in the way of solving issues with agility! No more I say! Take back control of your telemetry data as we guide you through the open source project Fluent Bit. Learn how to manage your telemetry data from source to destination using the pipeline phases covering collection, parsing, aggregation, transformation, and forwarding from any source to any destination. Buckle up for a fun ride as you learn by exploring how telemetry pipelines work, how to set up your first pipeline, and exploring several common use cases that Fluent Bit helps solve as you integrate with OpenTelemetry collectors in your organization. All this backed by a self-paced, hands-on workshop that attendees can pursue at home after this session (https://o11y-workshops.gitlab.io/workshop-fluentbit).

The Nash
12:15
12:15
105min
Lunch break
The Nash
12:15
105min
Lunch break
The Waterloo
14:00
14:00
30min
From DORA to the SPACE and beyond: metrics to drive platform engineering initiatives
Graziano Casto

As a crucial part of a platform adoption journey, it’s essential to choose the right metrics to gain a clear, comprehensive view and drive success. While DORA metrics are valuable for platform teams, assessing platform adoption solely based on deployment frequency doesn’t make sense. Reflecting on our expertise, we’ve learned that measuring platform success involves two types of KPIs: progress metrics and outcome metrics.

In this talk, we’ll explore how measuring both allows us to identify patterns and correlations between technical improvements and business success. By combining these two sets of KPIs, we gain a comprehensive view of the platform’s value. This approach helps stakeholders quantify the platform’s technical contributions while also understanding its influence on key business objectives. Ultimately, it enables us to set meaningful milestones for future improvements and effectively communicate the platform’s value across the organization.

The Waterloo
14:00
30min
From Milliseconds to Microseconds: Pushing Kubernetes Workloads to the Limit
Frederic Branczyk, Jimmy Zelinskie

Kubernetes has become the backbone of distributed systems, but running low-latency, high-throughput workloads on it requires careful tuning and a deep understanding of its features. In this session, Frederic Branczyk (Polar Signals) and Jimmy Zelinskie (Authzed) bring years of experience contributing to Kubernetes and operating it at scale to explore the challenges and solutions for latency-sensitive applications.

We’ll dive into practical strategies, including Kubernetes 1.31 traffic distribution, optimal pod placement and QoS tuning, node-local optimizations, and debugging performance bottlenecks in real-world clusters. This talk is ideal for anyone looking to harness Kubernetes' full potential for high-performance workloads.

The Nash
14:35
14:35
30min
Building Air-Gapped Control Planes for a Global Pharma Leader Using Crossplane and ArgoCD
Antonela Cukurin, Yury Tsarev

Explore the complexities and solutions involved in setting up a secure, air-gapped Control Plane for Novo Nordisk, a leading pharmaceutical company. Discover how architectural decisions tailored to industry demands, overcoming security challenges, and replicating GitOps workflows in disconnected systems have redefined infrastructure management within a highly regulated environment.

The Nash
14:35
30min
High-Scale Networking for ML Workloads With Cilium
James Laverack, Luigi Zhou

In G-Research’s ML environment of over 10,000 nodes, we leverage Cilium as the core network for on-premise, bare-metal clusters scaling to 1,000 nodes each. In this talk, we’ll discuss several Cilium features used in detail:
- Network policy to enforce strict security controls for segmenting and protecting market-sensitive information
- Host firewall to remove the need for external firewall appliances
- High-performance eBPF dataplane that directly improves ML job performance

We’ll also cover the implications of limiting Cilium’s identity labels to reduce policy map pressure, tuning conntrack garbage collection, and the performance implications of different policies at scale. Attendees will learn how to use Cilium’s built-in tools to observe and measure large deployments, and what to look out for in large Kubernetes clusters.

The Waterloo
15:10
15:10
30min
End to End Message Authenticity in Cloud Native Systems
Lucas Käldström, Micah Hausler

OpenID Connect (OIDC) and mutual TLS are popular authentication mechanisms used widely in cloud native environments, and commonly as a basis for workload identity in SPIFFE. However, OIDC tokens are prone to interception, replay, and forwarding attacks and are unable to guarantee end-to-end request authenticity. Mutual TLS solves those problems at the transport layer, but is rarely used in browsers, and seldom fully end-to-end in microservices-oriented systems. HTTP Message Signatures is a new IETF specification that aims to solve credential replay, forwarding and end-to-end integrity attacks, and be broadly deployable.

This talk introduces the audience to HTTP Message Signatures and demonstrates its security benefits to authentication in cloud native, microservice-oriented, systems. Further, we’ll cover how the use of smart caching and replication allows this protocol to scale to millions of requests per second, and how this could be integrated with SPIFFE.

The Nash
15:10
30min
Kyverno Chronicles: A DevSecOps Tale
Koray Oksay

Kubernetes has become the de facto standard for container orchestration, enabling developers to easily deploy applications in a distributed environment. However, managing security policies and compliance requirements can be challenging, especially when dealing with many clusters and workloads.

This talk will explore how Kyverno, an open-source Kubernetes-native policy engine, can help secure your Kubernetes workloads by automating policy management and enforcement. We will explore Kyverno's architecture, features, and use cases and discuss how it can be used to implement policies for security, compliance, and resource optimization.

If you are a Kubernetes user looking to simplify policy management and enforce compliance requirements, this talk is for you. You will learn how Kyverno can help you automate policy management and enforce policies at scale, making it easier to secure your Kubernetes workloads.

The Waterloo
15:40
15:40
25min
Break
The Nash
15:40
25min
Break
The Waterloo
16:05
16:05
30min
Immutable Turtles All the Way Down – Image-Based Kubernetes to power In-Place Updates
Thilo Fromm

Shipping both the OS and Kubernetes as immutable, verifiable images sure has benefits for security, supply chain management, and compliance. But don't we just shift the load from security to operations? Doesn't the lack of flexibility and the restrictiveness add significant overhead for developers and operators?

The Nash
16:05
30min
The future of configurability in Kubernetes with Common Expression Language (CEL)
Sreeram Venkitesh, Priyanka Saggu

Support for Common Expression Language (CEL) is a popular feature in Kubernetes which is being added to new areas of the project each release. CEL makes configuring existing features like validations for CRDs easier and more efficient than before. CEL is very powerful and expressive, and because of this it is quickly becoming a standard in Kubernetes. This talk goes into the details of Kubernetes Enhancement Proposal #4595 - Adding CEL support for CRD additionalPrinterColumns.

Currently CRD additionalPrinterColumns only lets you use JSONPath to configure how to print data when fetching custom resources with kubectl get. When dealing with more complex data such as lists or arrays, JSONPath becomes very difficult to work with. Adding support for CEL would let users configure expressions to print more complex data and do conditional operations on the data.

This talk goes into the details of how CEL works, how CRD additionalPrinterColumns work and how we added CEL support for it.

The Waterloo
16:40
16:40
30min
OCI Registry as a Secure and Single Source of Distribution for Your Container Images & Artifacts
Stéphane Este-Gracias

This session explores the extended capabilities of OCI registries beyond traditional container image distribution, focusing on migrating a wide range of artifacts (SBOMs, Helm charts, GitOps, AI/ML models, WASM modules) to RegistryOps practices.

Leveraging OCI registries to distribute new types of artifacts presents a new approach to managing deployments. The discussion will cover the key features and capabilities of tools such as FluxCD, ORAS, Notary and Kubewarden, highlighting their role in enhancing the use of OCI registries.

Elaborating on practical use cases, such as deploying signed artifacts in secure environments and delivering signed GitOps artifacts, I will showcase the versatility of OCI registries and their central role in the secure supply chain.

Traditionally, container registries have been primarily used to distribute container images. However, the potential extends far beyond this conventional use. This extended functionality needs to be better known.

The Waterloo
16:40
30min
The auto-scaling party: VPA, HPA, KEDA, nodes, how do they dance?
Nic Vermande

Cloud technology offers rapid resource adjustment, but implementing this in Kubernetes can be complex. As the go-to cloud OS, Kubernetes offers multiple scaling options, leaving many perplexed about how to choose and configure them.

In this talk, Nic will introduce key auto-scaling technologies like Vertical Pod Autoscaler (VPA), Horizontal Pod Autoscaler (HPA), and Kubernetes-based Event Driven Autoscaling (KEDA), showing their approaches to scaling. He will then demonstrate configuring different components—stateless containers, databases, and serverless functions—for auto-scaling.

Finally, Nic will explain how to measure auto-scaling effectiveness using metrics like throughput and latency. Attendees will leave with practical insights on using Kubernetes auto-scaling to optimize costs and maintain high performance in cloud applications.

The Nash
17:15
17:15
30min
Podman and Podman Desktop: State of the Union
Mark Russell, Stevan Le Meur

Containers are a fundamental part of cloud-native workloads today and are set to evolve to meet the needs of tomorrow. Projects like Podman are at the center of this innovation for container technologies. That is why, while already a popular project with a strong user base, Podman, Podman Desktop and other container tools have been submitted for contribution at the Sandbox level in the CNCF community. A lot of exciting things are happening and this session will give you everything you need to know!

We will also give an overview of the latest accomplishments and capabilities we have been driving during the year - as well as looking forward on our roadmaps and how you can get involved.
We will discuss how you can leverage these tools in different contexts, from cloud deployments to the Edge, automotive and AI - you’ll learn how you can best benefit the technology. You should expect a lot of demos during this talk to level up your container development workflows!

The Waterloo
17:15
30min
The Missing Voices: Unearthing the Impact of Survivorship Bias on Women in Cloud Native
Imma Valls

The Cloud Native community is missing women's voices. We see it at CNCF conferences and Cloud Native meetups almost everywhere.

While we celebrate women who've "made it", and their visibility is vital, survivorship bias hides a crucial truth: up to half leave tech by age 35, we leave at a higher rate than men, and many never even join.

This talk exposes our own bias as women survivors in tech. The success stories of women around us overshadow the struggles of those who've fallen away, leading to misguided initiatives and hindering true inclusion. There is a dire need to identify and address these issues and implement successful initiatives to make our communities more diverse.

Whether you’re a contributor, maintainer, or community leader, this session will give you a deeper understanding of the problem and tangible ways to drive change in your circles. Be part of the solution for a genuinely inclusive cloud native community!

The Nash
17:50
17:50
30min
Pod Deep Dive: Everything You Didn't Know You Needed to Know
Marcus Noble

Kubernetes Pods may be the smallest deployable units in your clusters, but they hold hidden complexities that even seasoned users can overlook. If you think you know everything about Pods — think again!

This talk is designed to take you on a deep dive into the world of all things Pods, covering both the familiar and the obscure.

Starting with a quick overview of the basic architecture, we’ll then move into more nuanced territory — exploring topics like Pod readiness probes, lifecycle hooks, runtime classes, and the multitude of different container types that can be used. We’ll also discuss common misconceptions, gotchas that can trip you up in production, and offer some best practices suggestions along the way.

By the end of this session, you’ll have a deeper understanding and appreciation of Pods and the knowledge to leverage them expertly in your Kubernetes clusters.

The Nash
17:50
30min
SQL injection is a thing of the past… and other lies we tell ourselves
Mackenzie

Injection attacks like SQL injection (SQLi) are older than Internet Explorer, yet they still plague modern applications. Our recent research examined SQLi, Command Injection, Path Traversal, and Cross-Site Scripting (XSS) vulnerabilities in open and closed-source projects to understand their prevalence in modern apps.
SQLi alone accounted for 6.7% of vulnerabilities in open-source and 10% of closed-source vulnerabilities discovered in 2024. Command injection, Path Traversal, and XSS also remain dominant threats.
This presentation explores why injection attacks persist despite known solutions and examines whether new technologies can finally eliminate them. We’ll review our research methodology, which included analyzing over 50,000 closed-source projects, and highlight key findings. Real-world case studies, such as the MOVEit attack, will underscore their ongoing impact. We’ll conclude with prevention strategies and discuss why injection vulnerabilities may persist for another decade.

The Waterloo
09:30
09:30
30min
What I wish I knew about container security.
Jed Salazar, Duffie Cooley

Linux is the technology that underlies all of cloud native. In this talk, we will explore the vulnerabilities that bending Linux to support container technology has uncovered. We also share new and old technologies that have changed the paradigm for container security, like eBPF, and paravirtualization. Finally, we'll showcase how easy it is to adopt these technologies to secure your containerized workloads.

The Nash
09:30
30min
Who Secures the Service Mesh? Mind the Gap in Your Mesh.
Piotr Jabłoński

Service mesh solutions are widely adopted to protect the confidentiality and integrity of applications and data, but their architectures can inadvertently introduce vulnerabilities that attackers may exploit. To achieve true defense in depth, it’s critical to identify and address these gaps in service mesh security.
This session will explore the attack vectors targeting service meshes and offer practical guidance for hardening deployments. Attendees will gain actionable insights into enhancing security observability, enforcing or stopping malicious processes, and ensuring network isolation across layers 2 to 7. We’ll demonstrate how to secure the service mesh itself, covering anti-spoofing techniques, filtering non-HTTP/S protocols, and implementing a comprehensive foundational security framework. By identifying and addressing the holes in service mesh security, we can keep calm and mind the gap between vulnerabilities and robust protection.

The Waterloo
10:05
10:05
30min
Evaluating Global Load Balancing Options for Kubernetes in Practice
Nicolai Ort, Tobias Schneck

Load Balancing is a critical aspect of modern cloud deployments, and it’s especially tricky and misunderstood in hybrid environments that span across public clouds and private datacenters on premise. Designing a future-proof solution that is scalable, robust, fast and includes automatic failovers for different disaster cases, is a challenge we need to tackle. Therefore, our evaluation focused on two base technologies: Multi-Cluster Meshes and DNS based Global Load Balancing.

Join us on our journey of evaluating the two CNCF projects Cilium and K8GB against real-world scenarios with complex multi-cloud deployments. Learn about the benefits, challenges and trade-offs you should expect when choosing a hybrid cloud strategy with Kubernetes!

A practical live demo will share our hands-on experience, pros and cons, alongside use-case-specific solution recommendations for your hybrid-cloud journey.

The Nash
10:05
30min
Introducing the Plugin Support Interface to the Argo CD CLI - Build your custom Plugins now!
Nitish Kumar

The ArgoCD CLI tool has been a cornerstone for managing GitOps workflows, but until now, it lacked support for extending its capabilities through plugins – a feature many users have long desired. This talk introduces an enhancement to the ArgoCD CLI: plugin support, enabling users to create custom plugins and use them as subcommands, extending the ArgoCD CLI tool functionality just like kubectl.

As part of this feature rollout, we’ll demonstrate its real-world application by showcasing a plugin we developed: mta (migrate to ArgoCD). This plugin bridges the gap between Flux and ArgoCD by exporting Flux components into ArgoCD-compatible Custom Resources (CRs), simplifying migrations from Flux to ArgoCD.

The Waterloo
10:35
10:35
20min
Break
The Nash
10:35
20min
Break
The Waterloo
10:55
10:55
30min
Simplifying WebRTC Deployment in Kubernetes for Real-Time Communication
Péter Megyesi

Real-time communication (RTC) applications powered by WebRTC are at the forefront of modern technology, from video conferencing to gaming—and now even enabling real-time multimodal AI systems. However, WebRTC’s peer-to-peer networking model, while essential for low-latency communication, creates unique challenges when deploying in Kubernetes. Its reliance on dynamic port allocation and NAT traversal makes integration into Kubernetes clusters particularly complex.

In this session, we’ll explore the fundamentals of the WebRTC networking model and why traditional deployment approaches—such as using host networking—fall short in Kubernetes environments. We’ll then introduce STUNner, an open-source Kubernetes-native STUN/TURN media gateway that simplifies WebRTC deployment by acting as an Ingress for media traffic, much like Kubernetes Ingress API works for HTTP. STUNner eliminates the need for external NAT traversal services and enables scalable, secure, and efficient deployment of WebRTC applications directly within Kubernetes.

Attendees will learn about the basics of WebRTC deployments in Kubernetes, the design principles behind STUNner, and how it provides a seamless solution. To cap off the session, we’ll present a live demo of deploying a simple WebRTC media server into Kubernetes, showcasing how STUNner transforms real-time communication infrastructure for cloud-native environments. Whether you’re building RTC applications or scaling multimodal AI systems, this talk will provide practical insights and tools to simplify your journey.

The Waterloo
10:55
30min
Simplifying cross-cloud, cross-cluster connectivity with Dapr & Cilium
Manuel Zapf, Alice Gibbons

Modern systems often require cross-cluster connectivity for failover, replication or shared services architectures, but these patterns introduce challenges. How do you establish zero-trust across clusters? Ensure quality observability across clouds? Debug inter-cluster traffic while enabling reliable service and infrastructure communication?

This talk demonstrates how Dapr and Cilium, both CNCF graduated projects, simplify cross-cluster, cross-cloud connectivity. See a live demo showcasing how Dapr provides straightforward APIs for building workflow, state and data apps while enabling seamless deployment across clouds without code changes. Paired with Cilium’s Multi-Cluster Mesh, see how services in one cluster interact with resources in another without sacrificing security, reliability or observability.

Attendees will gain practical knowledge for overcoming cross-cluster, cross-cloud architecture challenges while following microservices best practices and saving development time.

The Nash
11:30
11:30
30min
Making GenAI CLI Agents Work for Your DevOps Day-to-Day Operations
Artem

Is GenAI just another hype cycle, or can it deliver real value for the day-to-day operations of DevOps teams? While GenAI is revolutionizing workflows across industries, many tools in the DevOps domain barely move beyond being simple wrappers around ChatGPT APIs.

In this talk, I will share hands-on insights from building and experimenting with GenAI CLI agents specifically tailored for DevOps. My focus is on integrating popular CLI tools with AI to automate repetitive tasks and enable agents to investigate and self-heal infrastructure issues—essentially functioning as a third-level support team.

I will showcase how tools like HolmesGPT and GPTScript, combined with a custom AI backend, can go beyond the hype. From real-world case studies to practical configurations, you’ll gain actionable knowledge to assess what works, identify limitations, and deploy GenAI agents that truly streamline DevOps workflows.

The Waterloo
11:30
30min
The Hidden Brains of Kubernetes: Meet Controllers Powering the Cloud
Faeka Ansari

Kubernetes controllers are the backbone of the cloud-native ecosystem, silently orchestrating everything from scaling pods and updating deployments to maintaining desired states. But what exactly makes these components so powerful, and how can you leverage them in your projects?

We’ll break down Kubernetes controllers, share critical problems they’ve solved, and build an operator live using Kubebuilder to showcase how accessible this technology is.
We’ll explore real-world projects like Argo CD and Kyverno, built on this controller model to tackle critical challenges, with the help of visual diagrams, while also sharing our personal experiences of building controllers to simplify development workflows.
This session is ideal for newcomers and professionals alike, bridging theory and practice to show how controllers shape the cloud-native ecosystem. Through a live demo and visual map, you'll gain actionable skills, and the confidence to build and contribute to controller-driven projects.

The Nash
12:00
12:00
120min
Lunch break
The Nash
12:00
120min
Lunch break
The Waterloo
14:00
14:00
30min
Securing AI/ML Workflows: Optimizing Container Images in Kubernetes Environments
Wojciech Kocjan

As AI/ML workloads scale in cloud-native environments, ensuring the security, efficiency, and reliability of Kubernetes-based deployments becomes critical. This talk will explore the common challenges faced when building and managing container images for AI/ML workloads—ranging from dependency management and compatibility issues to the security risks posed by bloated images and CVEs.

We’ll dive into the challenges we faced while optimizing our container images, focusing on reducing size, achieving zero CVEs, and overcoming testing and performance hurdles. By discussing proven techniques like minimizing unnecessary dependencies, selecting secure base images, and optimizing build times, we’ll provide actionable insights and a clear roadmap for streamlining and securing AI/ML workflows at scale.

The Waterloo
14:00
30min
The Service Mesh Wars: A New Hope for Kubernetes
Henrik Rexed

In a Kubernetes galaxy not so far away, operators face a crucial choice for managing and securing their networks: the simplicity of an Ingress controller or the power of a Service Mesh. Service Meshes promise resilient deployments with automatic retries, TLS encryption, traffic management, observability, and more. But not all meshes are created equal.

From Istio’s scalability, Linkerd’s simplicity, and Cilium’s eBPF innovation to Kuma’s multi-cluster versatility and Ambassador’s edge connectivity, each offers unique strengths. With options like sidecars or sidecar-less setups, choosing the right solution becomes a battle of priorities.

Join Henrik from Is It Observable? as he unveils a benchmark comparing these Service Mesh contenders across critical dimensions: proxy type, feature set, user experience, observability, and performance. By the end, you'll gain clarity on which Service Mesh aligns with your Kubernetes needs. May the Mesh be with you!

The Nash
14:35
14:35
30min
Kubernetes from the Database Out
Alastair Turner, Edith Puclla

Do you already know databases? Are you new to Kubernetes? Do you want to focus your Kubernetes learning on only the bits which are relevant to databases? Then this is the talk for you! Skip the usual 'why run databases on Kubernetes' discussion and dive straight into the 'how.' We'll show you precisely what you need to know to get started today.

Using a Postgres database hosted on Kubernetes as an example, we will cover the components of Kubernetes involved in day-to-day activities - including network connectivity, storage, and the automation of restarts and upgrades.

Join us for an overview of the few, core components among the many, many pieces of the Kubernetes ecosystem you need to learn about first, to start your Data on Kubernetes journey.

The Waterloo
14:35
30min
Understanding and Debugging DNS in Kubernetes Clusters
Qasim Sarfraz

DNS plays a pivotal role in a Kubernetes environment. It is the centerpiece that enables applications to locate each other dynamically. In a production environment, where many pods extensively communicate with each other using DNS, the importance of observability becomes increasingly paramount.

Gaining telemetry insights throughout the lifecycle of a DNS request is challenging due to the numerous hidden systems involved. Components such as the application pod, system resolver, nodelocaldns, CoreDNS, and upstream DNS servers add layers of complexity, making debugging ever more difficult.

In this talk, we will explore the journey of DNS requests across various components with Kubernetes/OS context. We will then move on to tools, starting with the CoreDNS log plugin, before delving into advanced tools like Hubble and Inspektor Gadget’s DNS gadget. By leveraging the power of eBPF, these tools provide deep insights, enabling efficient tracing and resolution of complex DNS problems.

The Nash
15:10
15:10
30min
Kubernetes at the Far Edge: Harnessing IoT with Lightweight Clusters and Akri
Jussi Nummelin

The far edge, home to IoT devices, brings unique challenges: smaller, distributed clusters and the need for efficient management across constrained environments. This talk explores how Kubernetes can be effectively pushed to the far edge, adapting cloud-native principles for IoT integration.

Using lightweight Kubernetes distributions, such as k0s - a CNCF Sandbox project, as examples, we’ll demonstrate how centrally managed control planes can support far edge nodes, enabling resilient, disconnected deployments. This approach simplifies operations while handling the proliferation of smaller, isolated clusters common in IoT use cases.

We’ll also highlight Akri, a tool that automates IoT device discovery and orchestration, exposing devices as native Kubernetes resources. With Akri, Kubernetes becomes a powerful platform for managing IoT devices at the edge.

This session explores how tools like k0s and Akri can unlock new possibilities for scalable IoT orchestration, offering practical strategies for building resilient edge solutions.

The Waterloo
15:10
30min
The Kubernetes Guardians: A Deep Dive Into Your Security Avengers
Henrik Rexed, Ben Hirschberg

In the fight to secure Kubernetes, we’re assembling a team of "Security Avengers" to defend your clusters from modern threats. Among the CNCF’s eBPF-based tools—Falco, Tetragon, KubeArmor, and Kubescape—each brings unique strengths, much like the Avengers. Despite their shared mission, their distinct features, architectures, and resource impacts make selecting the right "hero" a strategic decision.

This session unveils benchmarking results to help you choose the best fit for your Kubernetes security needs. We’ll explore key questions:

  • What specialized features does each tool offer?
  • How complex are setup and maintenance?
  • How effectively do they detect and defend against attacks?
  • What performance impact do they have?

Join us to compare these Kubernetes guardians, evaluate their real-world pros and cons, and discover the "Security Avenger" that aligns with your cluster's defense strategy.

The Nash
15:45
15:45
30min
API-Driven Security Automation for AKS: Falco Talon meets eBPF-powered Retina
Nigel Douglas, Joe Yostos

With Falco recently graduating from the CNCF, the project continues to evolve to address community challenges. The latest addition, Falco Talon, is a dedicated response engine for Falco.

In this talk, we’ll demonstrate building an API-driven response action for Microsoft Azure Kubernetes Service (AKS) to mitigate risks based on Falco’s system call detections and Retina's advanced network observability. Microsoft has already open-sourced Retina, an eBPF-based, cloud-agnostic Kubernetes Network Observability platform. While Retina is planned for CNCF donation, automating its activities based on Falco detections is a powerful novel use-case.

Retina monitors application and network security, allowing annotations to specify which Pods to observe. In our demo, we’ll showcase how a Falco detection triggers a Talon response action, automatically annotating workloads when insecure or unusual behaviour is detected, enhancing automation and security for Kubernetes environments.
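
As an added example (not the speakers' demo code and not shipped by Falco Talon or Retina), the detection-to-annotation loop described above can be expressed as a Talon rules file. Assumptions made here: Talon's kubernetes:annotation actionner takes an annotations map, Retina's opt-in annotation is the retina.sh=observe key its annotation-based mode documents, and the Falco rule name matched is the stock "Terminal shell in container". Check all three against the versions you actually deploy.

```yaml
# Added example: Falco Talon rules that annotate a Pod for Retina observation
# when Falco reports an interactive shell inside one of its containers.

# Actions are declared once and referenced by name from rules below.
- action: annotate-for-retina
  actionner: kubernetes:annotation   # assumed actionner name, see lead-in
  parameters:
    annotations:
      retina.sh: observe             # Retina's opt-in annotation (assumed key)
      # Free-form breadcrumb for whoever triages the capture (example key).
      example.org/talon-reason: terminal-shell-in-container

# Rules match Falco events and bind them to one or more actions.
- rule: Observe pods that spawn interactive shells
  match:
    rules:
      - Terminal shell in container
    # Scope the response: leave control-plane and add-on namespaces alone.
    output_fields:
      - k8s.ns.name!=kube-system
  actions:
    - action: annotate-for-retina
```

Two practical notes. Talon's service account needs RBAC permission to patch pods (and namespaces, if you annotate at that level) or the action will fail silently from the workload's point of view, so watch Talon's own logs during the first run. And annotating a Pod only turns on observation; it is not containment. Once the detection has proven low-noise, a second action on the same rule (a network policy or termination actionner) is where the actual mitigation lives.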

The Nash
15:45
30min
Scaling PDBs: Introducing Multi-Cluster Resilience with x-pdb
Moritz Johner

As organizations increasingly adopt multi-cluster Kubernetes deployments to enhance scalability and reliability, managing workload resilience becomes critical.
Traditional Pod Disruption Budgets (PDBs) are effective within single clusters but fall short in distributed, multi-cluster setups. In this talk, I introduce x-pdb, a novel approach to extending PDB capabilities across multiple clusters. Attendees will learn how x-pdb enables seamless coordination between clusters to prevent unexpected disruptions, reduce downtime, and optimize service availability. I will dive into the technical architecture, key use cases, and a live demo showcasing how x-pdb simplifies cross-cluster resilience. Whether you're managing large-scale production environments or planning a multi-cluster strategy, this session will equip you with practical insights to enhance your Kubernetes deployments.

The Waterloo
16:15
16:15
20min
Break
The Nash
16:15
20min
Break
The Waterloo
16:35
16:35
30min
The Infinite Hotel: Scaling Multi-Tenant Platforms through a Unified API
Carlos Mestre del Pino, Christopher Haar

As platform teams evolve, platforms extend beyond infrastructure to application services, cloud resource management, and middleware orchestration. Managing these distributed components across clusters and teams demands a unified, scalable approach. This session shows how to manage infrastructure, tenants, and application services entirely through Kubernetes by building a modular, multi-tenant, multi-control-plane platform. Attendees will learn to extend the Kubernetes API with Control Planes for distributed, tenant-aware infrastructure management. We’ll explore CNCF projects to create abstractions and automation, enabling platform teams to offer consistent services and self-service capabilities. Topics include multi-tenancy with in- and out-of-cluster isolation, unified APIs for control-plane orchestration, and avoiding common pitfalls in multi-control-plane management. By the end, attendees will have a roadmap for scalable platforms supporting centralized and tenant-managed services.

The Waterloo
16:35
30min
The Wolf of WALL-GPU: Profiling & Tracing Street
Prerit Munjal

Ever watched your cloud bill grow faster than GPT's parameter count? That was us - burning through $50K on GPU instances while our LLM inference pipeline played hide and seek with production issues.

Our breaking point? Silent failures in production that were harder to catch than Jerry is for Tom.

Join this session as we explore how we built ML telemetry that doesn't need its own data center. By combining Pyroscope's lightweight profiling with OpenTelemetry's distributed tracing (because two tools are better than none when you're hunting GPU ghosts), we built a profiling pipeline that finally gave us clarity without burning cash.

The result? We cut our GPU costs by 40% (enough to make our CFO smile), slashed p99 latency by 65% (making our users actually believe in AI), and found memory leaks that were better hidden than my secret candy stash.

The Nash
17:10
17:10
30min
Wasm, Envoy, and Hyperlight Walk Into a Pod: No Vulnerabilities Allowed
Mikhail Krinkin, Danilo (Dan) Chiarlone

Hyperlight, which has been submitted to CNCF, adds a new layer of security to WebAssembly workloads. By leveraging hardware-assisted virtualization via KVM or Hyper-V, Hyperlight creates ultra-lightweight microVMs that could be embedded into your application to run purpose-built guest binaries.

In this talk, we explore how integrating Hyperlight with the Envoy proxy enhances security for WebAssembly filters, adding an extra layer of isolation where needed to protect shared infrastructure.

We will compare use cases for Hyperlight to those of other virtual machine monitors, demonstrate the implementation of an Envoy network filter using Hyperlight, and discuss performance benchmarks. You will leave ready to utilize Hyperlight to build robust and scalable production solutions with a solid defense-in-depth strategy.

The Nash
17:45
17:45
5min
Multiplayer Kubernetes: GitOps with Friends
Yash Sharma

Discover the transformative capabilities of Cloud Native Playground, powered by Meshery, an open-source, cloud-native manager. Experience the self-service engineering platform, simplifying provisioning, configuration, and management of your cloud-native infrastructure, enabling seamless operation of multi-Kubernetes deployments. With Cloud Native Playground, embrace the power of GitOps and collaborative workflows.

Free yourself from YAML intricacies as Meshery's extensible platform enables visual and collaborative GitOps, fostering multi-user collaboration. Explore the Cloud Native Computing Foundation's graduated, incubation, and sandbox projects, along with many other popular open source projects, to enhance your capabilities and leverage the full potential of the ecosystem. Join me to witness firsthand how Meshery revolutionizes Kubernetes operations, enabling seamless orchestration across multiple environments made possible by GitOps principles and multi-user collaboration.

The Nash
17:50
17:50
5min
From Black Box to Open Book: Leveraging OpenTelemetry for Auto-Documenting Distributed Systems
Thomas Johnson

Engineering teams need more than just metrics and logs—or even worse, static diagrams and outdated docs—they need a clear, real-time understanding of their systems.

This session explores the concept of "Observability 2.0" tools, highlighting how OpenTelemetry can also be used to proactively support teams throughout the software development lifecycle by automating system documentation and enhancing debugging.

Attendees will gain actionable insights on how to use distributed traces to generate accurate, dynamic system views, empowering them to navigate and manage the complexities of modern distributed architectures effectively.

The Nash
17:55
17:55
5min
Myths and Truths about Observability Overhead
Alexander Wert

Not least thanks to OpenTelemetry, there is a mature ecosystem of standards, frameworks and tools for observability. Yet, concerns and false myths around instrumentation overhead still discourage some engineers and organizations from properly adopting observability practices.
In this lightning talk, we will demystify instrumentation overhead and clear up the most common misconceptions about it.
- What is instrumentation overhead?
- When is it becoming a problem and when is it negligible?
- What are most common sources of overhead in practice?

We aim at inspiring attendees to think pragmatically about instrumentation overhead of their application and balance out valid concerns and unnecessary anxiety.

The Nash
18:00
18:00
5min
Deep Dive into Gateway API BackendTLSPolicy
Mengin

A step-by-step, 5-minute example illustrating how Gateway API's BackendTLSPolicy enables end-to-end (E2E) TLS in Kubernetes, from the client to your workload, through your Gateway API controller.
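
As an added example (not the speaker's demo and not taken from the Gateway API project), the three objects below cover both TLS hops: the Gateway terminates the client's TLS with a certificate from a Secret, and the BackendTLSPolicy makes the gateway originate TLS to the backend Service and verify the backend's certificate against a private CA. Assumed here: Gateway API v1.2-era CRDs with the experimental channel installed (BackendTLSPolicy is v1alpha3 there), a GatewayClass called example-gc supplied by your controller, and every resource name and hostname, which are invented for the example.

```yaml
# Added example: end-to-end TLS with Gateway API.
# Hop 1 (client -> gateway): HTTPS listener terminating with Secret `edge-tls`.
# Hop 2 (gateway -> backend): TLS to Service `payments:8443`, verified against
#   the CA in ConfigMap `payments-ca`, expecting the backend's cert SAN to be
#   payments.default.svc.cluster.local.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: edge
  namespace: default
spec:
  gatewayClassName: example-gc           # assumed GatewayClass name
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: shop.example.com           # example hostname
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: edge-tls                   # kubernetes.io/tls Secret, assumed to exist
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: payments
  namespace: default
spec:
  parentRefs:
  - name: edge
  hostnames:
  - shop.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /payments
    backendRefs:
    - name: payments                     # Service assumed to serve TLS on 8443
      port: 8443
---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: payments-backend-tls
  namespace: default
spec:
  targetRefs:
  - group: ""                            # core API group
    kind: Service
    name: payments
  validation:
    # CA that signed the backend's serving certificate; the ConfigMap carries
    # the PEM bundle under the `ca.crt` key. Use `wellKnownCACertificates: System`
    # instead only when the backend certificate chains to a public CA.
    caCertificateRefs:
    - group: ""
      kind: ConfigMap
      name: payments-ca
    # Must appear as a SAN in the backend certificate; the gateway also sends
    # it as SNI, so the backend can select the right certificate.
    hostname: payments.default.svc.cluster.local
```

After applying, confirm the policy was actually honoured before trusting the path: kubectl get backendtlspolicy payments-backend-tls -o yaml should show an Accepted condition of True under status for your Gateway's controller. Without the policy, most controllers would speak plaintext HTTP to port 8443 and the request would simply fail, but a controller that does not implement BackendTLSPolicy may ignore it rather than reject it, which is why the status check matters.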

The Nash
18:05
18:05
5min
Running Kubernetes on your workstation with Kind and Podman
Alexon Ferreira de Oliveira

There are numerous ways to create a Kubernetes cluster on a local workstation using different frameworks. They all aim to facilitate the development and testing of containerized applications by developers before such solutions are deployed to production.

One of these available tools is Kind, which is a graduated CNCF project and a Kubernetes utility for running local clusters using single-container "nodes", providing an easy way to create and manage Kubernetes environments for development and testing. Kind lets you create local multi-node Kubernetes clusters using Docker container nodes.

To make it better, you can pair it with Podman Desktop, another CNCF graduated project, which helps you run Kind-powered local Kubernetes clusters on a container engine such as Podman.

So this session aims to demonstrate in practice how these two projects integrate and can help you facilitate the implementation of this testing environment on your local workstation.

The Nash
18:10
18:10
5min
Scheduling complex deployments across large multi-cluster testbeds
Paul Power

This quick session explores an advanced multi-cluster scheduling system leveraging the Open Cluster Management (OCM) framework, enriched by custom annotations and designed to optimise workload placement across Kubernetes clusters in multiple geographical locations. The system introduces specific annotations to guide scheduling, enabling nuanced placement strategies based on workload attributes, cluster health, and available resources. Key topics include OCM's core scheduling mechanisms and the role of annotations in fine-tuning decisions.

The Nash
18:15
18:15
30min
More Lightning Talks - signup sheet will be at registration

Sign up sheet will be at registration

The Nash
18:45
18:45
5min
SUSE Closing Keynote on Community Initiatives
Divya Mohan, Robert Sirchia

TBD

The Nash