Quick welcome to welcome attendees and share logistics.
What are supply chain attestations and why are you hearing more about them? Attestations are the underlying metadata building blocks from which we can build up supply chain security, in a flexible way, building up more detailed layers of security over time. They can be used as components of an SBOM, to show evidence of how something was built as in TestifySec's Witness project, or that expected processes were followed. They can also be used to support different kinds of policy, especially zero trust. This talk will cover an introduction to attestations, explain their use cases and importance, how they relate to and enhance signatures and JWTs, how to verify and validate them, and about in-toto layouts and policies. It will talk about the addition of in-toto attestations to the Buildkit open source project that powers Docker build, and what this enables you to do, and attestations in Docker Official Images. We will also cover current and future work we are doing on attestations, verification and zero trust.
Exhausted by APM inefficiencies? Harness open-source tools like Grafana, PromQL, OpenMetrics, Jaeger for optimal data handling. Achieve superior monitoring at a lower cost, cutting through data clutter, and rise above the 'Shannon Limit'.
One of the most neglected parts of application security is the ingredients that go into developing software. Over 80 percent of code used in enterprise applications comes from open source dependencies, but how much attention goes towards the provenance and security of those packages. And in the pursuit of accelerated software development, developers are leveraging more and more libraries and also code “created” by generative AI algorithms, so how do you prevent defects or malicious payloads from compromising your security?
This is analogous to a restaurant where you invest in modern decor, professional chefs, and world class service. But if you don’t get fresh, quality ingredients delivered daily, the taste and hygiene of the food will suffer. Securing the software supply chain is a huge undertaking for the entire tech industry, and we will talk about some of the ongoing efforts by open source projects, foundations, and corporations to help us all know our ingredients.
As the complexity of software systems continues to grow, ensuring their security becomes paramount. This necessitates a comprehensive understanding of the reachability & exploitability of vulnerabilities within software applications.
Inspektor Gadget is a newly accepted CNCF Sandbox project that has evolved from being a tool for gathering system data using eBPF programs into a containerized framework for building custom eBPF system inspection pipelines.
This talk will guide attendees through the process of creating, packaging and distributing 'Gadgets' (eBPF programs/scripts + metadata in OCI images), using existing Gadgets and leveraging Inspektor Gadget's framework to collect, enrich (map Linux to Kubernetes resources), and export data via Prometheus or expose it via an API, and visualizing data; all based on a simple config file.
The transition of Inspektor Gadget from being a tool to a framework opens a multitude of opportunities. It paves the way for many existing and future projects that follow the pattern of gathering and exporting eBPF data to be implemented via a simple configuration file. This talk provides attendees with the knowledge to fully exploit Inspektor Gadget for these purposes.
The Cloud Native community has made many strides in improving the security of containers and Kubernetes. The aim of this talk is to showcase these efforts such as signing Kubernetes artefacts with sigstore, SBOMs for Kubernetes (sigs/bom), etc.
The second part of this talk will focus on how to secure basic cloud native workflows. The will be a demo component that will educate attendees about signing images, generating SBOMs, consuming them, creating deployment policies, and other ways to secure images and other artefacts.
Every team and every project evolves a tailored development environment. This collection of tools, services, and configurations is usually maintained by convention and transmitted (you hope) by osmosis. It often sprawls across each programmer’s laptop—and when details don’t match, problems happen.
Backstage Software Templates provide a consistent way for teams to enable self-service delivery of cloud native software components. Templates ease onboarding and daily development work by establishing the tools, services, documentation, and best practices as “golden paths” for users to navigate.
Attendees will learn how to use CNCF products and technologies together to construct flexible foundations for cloud-native development using Templates, and will review common workflows for delivering and updating these offerings via the Backstage Software Catalog.
Enable your team with the tools and components to get to work immediately with Software Templates for Backstage.
Our hero, a running application in a Kubernetes development environment, knows that they are destined for greater things! They long to be living in production, serving end users! However, the journey from dev to prod is hard, filled with system design choices concerning cluster provisioning, GitOps, traffic routing, app config, and production-grade backing services. And who knows what unseen forces lurk in the shadows! One wrong step could be catastrophic.
It is up to you, the audience, to guide our hero and help them grow from an app in development to their final form⎯an app running in production. In their second KubeCon ‘Choose Your Own Adventure’-style talk, Whitney and Viktor will present choices that an anthropomorphized app must make as they try to find their way to production. Throughout the presentation, the audience (YOU!) will vote to decide our hero app's path! Can we navigate CNCF projects and avoid dead-ends to get our app to production before the session time elapses?
Developers are not security experts! I’ve heard this exclamation time and again and I wonder, why not? And should they be?
There is no denying that software teams must work to address a number of security concerns today. But we’re still learning and actively developing best practices. We’re still figuring out — sometimes through trial and error — the best way to tackle security issues that won’t negatively interfere with delivering functional (and secure) software.
When it comes to developers securing software, there is only a subset of prevention and mitigation strategies that make sense to put on a developer’s plate. Even then, an expectation that all developers by default are equipped to handle this additional workload is unreasonable.
Melissa will define common security related terms and lingo; share typical places to shore up applications when it comes to dependencies, packaging, and supply chain concerns; and discuss the plethora of scanning tools available today and how they actually work. Learn how to integrate a measure of security that makes sense in existing development processes and how to introduce a security culture to your team in a healthy way without exhausting your developers.
Most importantly, don’t lose heart! We’re getting better and better at this and the future looks bright!
Webhooks in Kubernetes play an essential role in extending the functionality of the cluster and go a long way towards the power Kubernetes offers. However, as with any technology, they also come with their set of risks and even potential disaster.
In this talk we’ll go through scenarios that could possibly impact an otherwise healthy Kubernetes cluster by making use of a misconfigured or malicious webhook. Can we take down the whole cluster? Can we block access to others?
For each risk we’ll take a look at the ways we can try to avoid them or mitigate their impact, if at all possible.
By attending this talk, attendees will gain a better understanding of the potential risks associated with webhooks and the measures they can take to ensure a more secure and stable Kubernetes cluster.
Want to provide multi-arch container images but stuck with a legacy CI/CD pipeline? Do you want to secure the images but do not know how to incorporate it in your existing CI/CD setup?
Join us to know how Cloudera incorporates these practices into our existing CI/CD setup to ship thousands of container images every year and also how you could also do it for your project or company. We will take into consideration different CI/CD setups that companies have (ranging from monolith, to on-prem microservices and cloud-native environments)
For years tech companies have chased the fabled “single pane of glass” , the one observability tool to understand your system from north to south and east to west. Leafing through promo materials promising instant insights and seamless turnkey integrations you’d think increasing system observability is as easy as assembling a Lego set.
In my experience chasing the “single pane of glass” translates to “pain in the ass”. Survey data supports this revealing the majority of engineers cite tool sprawl as a minor or non-existent problem despite relying on several tools. As alluring as the siren call of “single pane of glass” is, let's be practical and examine how to best observe systems across a myriad of tooling.
From the telemetry buffet of metrics, events, traces and logs learn when to reach for which type and ways to bridge the gaps with links and enhance with context to free yourself from the fool’s errand of a “single pane of glass”.
This talk will cover identities between a kubernetes cluster and a cloud service provider (focusing on AWS). We will dive into every step of the authorization flow from a workload to a cloud service for how those decisions are made and ways they can be abused. This includes Kubernetes RBAC, Kubelet authorization, AWS IAM roles, S3 bucket policies and more. The talk will discuss various options of identity provider integrations such as SAML and OIDC and how they each have unique attack vectors in the auth workflow. To conclude, we’ll summarize attack techniques that would best leverage misconfigurations of this complicated flow.
This talk will cut through the hype of WebAssembly and teach you the fundamentals. You'll learn the basics of what a WebAssembly module is, how it is executed, and how they are created. This information will help you whether you're using WebAssembly in the browser, on the server-side, or in an embedded use case.
Data encryption is not a solved problem today, at least not fully. Data is either stored, transmitted, or processed. We have solved data encryption for data at rest and data in transit. But the data is still decrypted and stored in plain text while it is being processed. Enter confidential computing technology, that stores data encrypted in memory. Confidential computing technology allows data to be encrypted in memory. This feature is enabled by the processor itself.
Kubernetes has become the de-facto platform for running cloud-native applications. This talk delves into the CNCF-sandbox project confidential containers and how it is bringing the confidential compute technology to the Kubernetes. The talk also goes on to showcase how cloud-native applications can add another layer of security using confidential compute. This technology can protect workloads against certain kinds of attack vectors pertaining to virtualization, hypervisors, host operating systems, etc. because all the underlying layers of the application stack are now out of trust boundary, now you only trust the processor without worrying about what happens to the intermediate layers.
Further the talk will discuss numerous ways to use confidential containers with Kubernetes and end with a demo that displays using confidential containers on Kubernetes deployed on a public cloud. The demo will showcase an artificial intelligence model deployed for image inferencing.
As developers, we have many skills we use and constantly improve when writing code. But when it comes to debugging, most of us go for a primarily research-based approach, asking ourselves questions like “how did this bug happen?” and “what in the code is causing this behavior?“.
By taking this approach and asking these questions, we’re treating our codebase like it’s a mystery and the bug like it’s a malicious piece of code injected by some evil entity (when, let’s admit, that’s usually not the case). This means that we are leaving the skills we pride ourselves on having as developers - such as logical thinking, designing code and problem-solving - behind. This causes the debugging process to be that much harder and more time-consuming than it has to be.
In this talk, I will present a different approach to debugging, one that takes advantage of our programming abilities and utilizes them to find bugs faster all while improving our software development and design skills.
“Community” is a broad term and many have opinions on how to set up, grow, engage, and measure your community activities. Through trial and error, I have a set of my go-tos when I’m building a community that will focus on inclusivity, transparency, openness, collaboration, and participation.
In this talk, I’ll cover a few of the top things to think about with your community efforts. I’ll touch on open source communities and how project usage can feed the product-led growth model. I’ll close with sharing some case studies from communities in different areas of their evolution.
Are you tired of dealing with multiple microservices, a complex architecture, and recurring performance issues? The complexity of service meshes often results in a lack of visibility, making troubleshooting a daunting task along with prolonged downtown and frustrated customers.
In this talk, we'll shed some light on service mesh observability and reliability. From setting up a service mesh to configuring basic security measures, we'll employ advanced chaos engineering principles to make our service mesh more resilient. To showcase how this would work, we'll have a demo of using Litmus Chaos along with Istio to observe our service mesh and in turn, take preventive measures to make it more reliable.
So, don't let your service mesh be a mystery any longer - attend the talk and learn how to make it more observable and reliable than ever before!
Many developers are excited about dev containers, but until now, people needed to use a managed service like Codespaces or Gitpod to feel that dev container magic. DevPod is a new open source tool that allows users to launch dev containers with any infrastructure that they have available.
DevPod uses a provider model like Terraform's, and there are currently providers for local Docker daemons, Kubernetes, AWS, GCP, Azure, and several other cloud providers. It's also possible to develop providers if you don't find one that fits your needs.
While you can choose the infra you want to use with DevPod, you don't have to manage it. DevPod handles the lifecycle of the infrastructure it runs on, and it can even suspend cloud resources automatically to save on costs. DevPod uses the open devcontainer.json standard, so it's compatible with VS Code and many other IDEs, as well as tools like Codespaces.
We'll look at how DevPod works and get into a quick demo that showcases how it can help developers and teams standardize their dev environments.
Web assembly, or Wasm, is shaping up to have a huge impact on the future of cloud computing. As Solomon Hykes, co-founder of Docker, said "If WASM+WASI existed in 2008, we wouldn't have needed to create Docker. That's how important it is."
In this talk, we take a look at some of the parallels between the evolution of the container ecosystem and that of Wasm, focusing in particular on the foundational technology of the operating system. CoreOS established the concept of a container Linux - what is the equivalent for the Wasm world?
Join us as we demonstrate deploying a completely open source, reproducible, cloud native, 5G RAN in order to facilitate a phone call on stage using Kubernetes. We will be using a faraday cage, a universal radio, SRSRan, and Open5gs as the 5G core. When we are done you will have the steps, code, and the list of equipment needed to build, test, and debug a 5G network.
"In today's dynamic landscape of containerization, security within Kubernetes clusters is a critical priority. This session brings you an in-depth look at KubeWarden, an innovative project leveraging the flexibility and power of WebAssembly to implement and enforce policy-as-code. KubeWarden addresses key challenges in Kubernetes security, empowering you to write policies in any language that compiles to WebAssembly, enhancing the security posture of your cluster.
Join us as we delve into KubeWarden's capabilities, including establishing secure container bases, managing image authorizations, regulating container permissions, and controlling mount types. Moreover, we will explore KubeWarden's capacity for verifying image signatures, adding an extra layer of security to your container deployments. This session is designed to equip attendees with the necessary knowledge and strategies to enforce robust security and compliance in Kubernetes clusters."
Do you know how to…
…wait for a Pod to be Running, or for a Deployment to be Available?
…"turn off and on again" a Deployment?
…connect to a Service in a different Namespace when the client is hardcoded to connect to "db"?
… generate a YAML manifest without copy-pasting it from the docs or ChatGPT?
… switch between namespaces (or even clusters!) super quickly?
… get an image with (almost) any tool you need without having to write and build a Dockerfile?
If you answered "no" to any of these questions, then this talk is for you, since you'll see how to do all these things (and a few more). You're invited to a parade of tips, tricks, and techniques, to improve your productivity and reduce your frustration with Kubernetes!
The Kubernetes API server is a declarative, uniform and extensible REST API server capable of storing a diverse set of APIs for infrastructure control. API objects tend to contain parent-child and sibling relations such as “ReplicaSet owns Pod refers to Node”. However, with this graph-based structure, access control and multi-tenancy become a real challenge. The default RBAC authorizer is best for resource-scoped authorization (“allow listing all Pods”), not fine-grained authorization (“allow listing Pods of these Deployments”).
OpenFGA is a Relationship-Based Access Control (ReBAC) engine inspired by Google Zanzibar and a CNCF sandbox project. ReBAC is a superset of RBAC, and empowers administrators to configure authorization in an object-scoped manner with minimal configuration sprawl.
A Kubernetes contributor and a OpenFGA maintainer will demo an open-source implementation of a Kubernetes authorizer and controller that configures and queries OpenFGA for authorization decisions.
Do you deploy stateful applications with block volumes in Kubernetes? Do you have difficulty defining a backup strategy for these applications? Join Carl and Pavan as they unveil KEP-3314, a game-changing proposal to introduce Change Block Tracking (CBT) to the CSI specification in Kubernetes. Learn how CBT can enable efficient and reliable differential backups of CSI block volumes and how this can benefit your stateful applications. Discover the evolution of KEP-3314 and the collaborative efforts of the Data Protection Working Group. Get a sneak peek into its design for the alpha release with a live prototype demonstration. Don't miss this engaging session to revolutionize your backup strategies and unleash the true power of CBT in Kubernetes!
Long before Kubernetes, DevOps teams used configuration practices and policies to ensure successful and secure deployments. While K8s' declarative configuration model and built-in validation mechanisms were intended to streamline these processes, the distributed nature of K8s has led to new challenges. Traditional configuration practices and policies are no longer efficient, resulting in an inability to bridge the gap between developers and Ops.
Ensuring that configurations and policies are properly managed and consistent with the intended behavior of a cluster is a challenging task. Add to that the lack of standardization in large organizations with multiple projects, dynamic deployments, and the difficulty of balancing policy enforcement with developer flexibility to innovate, and most platform engineers face a major challenge.
This talk will discuss how creating guardrails for developers through modern configuration practices and policy enforcement can solve these issues ultimately helping teams adhere to established standards, security practices, and compliance requirements throughout the CI/CD pipeline while fostering collaboration between Devs and Ops once and for all.
Benefits to the Ecosystem
This session offers attendees a comprehensive understanding of the challenges teams face when employing configuration practices and policy enforcement in Kubernetes while providing insight and practical strategies for tackling these obstacles using cloud-native solutions.
Platform engineers and DevOps practitioners will be better equipped to help their teams
navigate the complexities of Kubernetes configurations and policy enforcement resulting in higher quality, secure deployments, and faster time to market by establishing a common language among Devs and Ops to empower individuals and increase collaboration among teams.
By sharing various tools, strategies, and real-world examples, this session aims to foster a culture of knowledge sharing and continuous improvement within the Kubernetes community
In a galaxy not so far away, where data is as vast as the cosmos, our team was troubled with observability data chaos.
Seeking some clarity, we sought salvation with Thanos and Fluentbit – fabled titans against our metric storage and logging issues.
Thanos empowered us with a Prometheus setup with high availability and virtually infinite historical data storage. Prometheus ascended to new heights, flawlessly scaling horizontally while Thanos Compactor's downsampling abilities promised faster results for querying older data.
Fluentbit made collecting, filtering, and outputting logs across multiple sources and destinations effortless.
But, little did we know that even the most powerful tools, when not wielded correctly could be double-edged Infinity Stones.
Join us on a thrilling tale of blunders as we recount some missteps in configuring these tools, easily missed caveats in data downsampling and log storage, and how the pursuit of seamless data handling almost cost us over $100,000.
Getting started with any new technology is challenging, but it doesn’t (always) have to be! Whether you’re new to observability or a seasoned practitioner new to OpenTelemetry, we’ll show you what to keep in your toolbox. This way, you spend less time figuring out why your data isn’t showing up and more time getting value from your telemetry.
We’ll begin by showing how you can get a quick start by using telemetrygen to generate telemetry. We’ll sneak in some problems to teach you about the common gotchas of instrumenting your services or exporting your data. Then we’ll show you how to debug those issues using the OpenTelemetry Collector. We’ll also demo some additional tools you may not be aware of!
Join us as we explore the diverse range of tools, techniques, and best practices for effective debugging in OpenTelemetry!
Application Pod Autoscaling is a very challenging problem and the solutions available currently works well individually but not as a whole and may not solve all usecases (ex: peak hour traffic, weekday/weekend, month end, year end etc.). The current solutions helps with realtime scaling based on short term analysis but not based on both short and long term analysis.
We created a thorough solution (a.k.a. Global Updater) considering most of the usecases with multiple components which will address the realtime + longterm vertical sizing(pod size) and Horizontal sizing(num of pods).
Global updater analyzes vertical size recommendations from VPA(opensource), pod-size recommender(internal), horizontal recommendations from HPA(opensource), replica-recommender(internal) and generate a recommendation finetune file that contain both vertical and horizontal size after multiple checks and safeguards ensuring the reliability of the service is not impacted.
Global Updater product runs remotely and is designed to work for multiple services across clusters and different environments per service and generate recommendations for a service considering metrics from multiple environments (pre-prod and prod).
This solution helped scaling both vertical and horizontal without human intervention thereby saving time and cost and also reliability of the application.
Benefits to the ecosystem:
We are planning to open source the solutions we built as this will not just benefit us but also the community/companies with similar problems. We will keep enhancing the product and rollout the changes. This talk will help the audience in understanding the innovative approaches we have taken to solve this complex problem.
Have you ever run a vulnerability scanner? Were you shocked by the results? Vulnerabilities are both a security risk and a giant time suck for anyone tasked with investigating them, yet it's not unusual to find dozens or even hundreds of vulnerabilities in commonly-used images.
But it doesn't have to be this way!
This talk will go into details about how to dramatically reduce the vulnerability count in your images. We'll talk about the importance of reducing complexity, keeping software up-to-date and why Chainguard built a new Linux distribution called Wolfi to help in this quest. We'll also delve into the murky world of security advisories to understand why scanners sometimes report false positive vulnerabilities and what can be done about them.
Join Adrian and find out how to get your vulnerability count down without sacrificing functionality or velocity.
Large Language Models (LLMs), the underlying technology powering AI applications, are black boxes without predictable outputs. A change of a single word can return a completely different answer. Engineers with LLMs in production have to be prepared for the unpredictable – users will submit prompts that break the system, a simple PR to fix one issue will lead to four unforeseen issues, and latency can get quickly out of hand. However, abnormal behavior in production isn’t specific to running LLMs – it’s a reality for most modern software. Observability allows engineers to analyze the inputs and outputs of complex software, even black boxes like LLMs, providing multiple signals needed to troubleshoot in production.
In this talk, learn how you can leverage OpenTelemetry’s Python instrumentation to easily monitor traces, metrics, and logs from your AI applications, whether you are using a framework like Langchain or a foundation model API, like AWS Bedrock. Then, we will walk through how we can use this data to better debug and improve performance and cost efficiency of your AI stack!
It's common in manufacturing to see a large number of smart industrial machines out on the factory floor, all tied into a web of events with a Kubernetes cluster at the center.
Right now, the industrial machines and the cluster are two different worlds with a patchwork mess of communications holding them together. In particular, there is no common mechanism for security, reliability, and observability out to the edge devices -- even though these elements are at least as critical there as within the cluster itself.
We can solve these problems by using two CNCF projects, Linkerd and K3s, to push security and control past the edge of the cluster out onto the factory floor. This is a world of unique challenges (from sorting out identity in an industrial setting to providing critical insights about failures before they turn into safety hazards) but also huge benefits.
Join us for a guided tour and demo of how this all works and what it can bring you.
You've just perfected CI and/or CD for your organization, again. It was a huge, frustrating effort, and learning another proprietary DSL or YAML didn't deliver the promised tenfold increase in release frequency. It wasn't the first re-platform and it won’t be the last. Now that things have calmed down, there must be a way to prepare, to future-proof your CI/CD and protect developers, the business, and your sanity. In this talk we’ll demonstrate how to use abstraction, containerization, DAGs, and general-purpose programming languages that your team already knows to create portable CI/CD workflows that can run anywhere without rewriting everything. We’ll also highlight how this approach has additional benefits like composability, reuse, testing of CI/CD code itself, and fast feedback loops for developers (since you can run these pipelines locally). This talk is aimed at anyone who is expecting to have to re-platform CI/CD again in the future (that’s you) and just wants the pain to stop.
KubeVirt enables us to unify our multi-form factor infrastructure (VMs and Containers) workloads and provide all the K8s features. However, we had to overcome many challenges and address gaps.
This session will discuss the HCO setup and running VMs at scale and highlight the challenges we had trying to run both pods and VMs. E.g., setting up external connectivity for both VMs and Pods? How do we assign IP addresses dynamically?
Maintaining an open source project is hard work, and maintainer burnout is common. It can be hard for overworked maintainers to balance the work that keeps the project running while investing in activity to increase future sustainability. The CNCF has resources, guides, and templates available to make it easier for you to build a contributor strategy that leads to becoming a sustainable CNCF project. This talk will help you apply those resources in your project.
The containerization of applications and the declarative nature of Kubernetes has greatly reduced difficulties in deploying, managing and scaling complex applications. However, when you deploy more workloads and related resources in a cluster, you spend more time managing infrastructure setups like ingress, DNS, etc., than building.
To solve this problem, the journey of defining “applications” rather than “containers” started — the birth of the Open Application Model (OAM) and its implementation KubeVela.
Divine will start this talk by introducing OAM and how it makes abstractions to the architecture of applications with the concept of Component and Trait. After that, Divine will discuss KubeVela, and how it achieves application modelling in Kubernetes.
Towards the end, Divine will share a list of organizations using KubeVela in production, testing, and its roadmap.
Integrating eBPF observability data with static scanning tools in Kubernetes, such as API scans and image vulnerability scanners, can yield more accurate and actionable insights.
Static scanning tools (like Kubescape, Trivy, Grype) are a cornerstone in maintaining the security posture of our K8s clusters. However, their output can often be overwhelming and challenging to triage.
By harnessing eBPF's real-time, kernel-level observability, we propose to augment the accuracy of these tools, focusing their results and not overwhelm developers.
The cloud native dev cycle has become slow and cumbersome - you code locally, then go through CI, then deploy to staging, only to fail and start over again.
With mirrord, you can run a local process in the context of your k8s cluster, without changing the process’ code, and without installing anything in the cluster. By running your code in cloud conditions while developing locally, you can spare yourself long CI iterations, and by doing so without actually deploying to the cluster you lower the risk of interrupting the other devs using it.
In this tutorial, we'll show how to get started with mirrord - all you need is a k8s cluster running an HTTP server, and that server's code on your local machine. We'll go through mirrord's full functionality, including mirroring incoming traffic, accessing remote databases and queues, running independent utilities in cloud context, and more.
Finally, we'll show how mirrord works under the hood by hooking libc calls and proxying them to the cloud.
Let's get back to Resources Requests and Limits and see how much your apps are being Throttled despite all your efforts !
Cloud native extends beyond just Kubernetes, it would be great if the Kubernetes networking did as well. The new node-to-node encryption capability introduced in the Cilium makes it possible to have workloads external to an Kubernetes cluster, such as virtual machines, participating as labeled entities in a transparently encrypted Cilium managed network alongside Kubernetes pods. Once configured as part of the secure clustermesh, not only do the external virtual machine get the benefits of transparent encryption, but also Cilium powered observability and access control via label based network policy!
This talk will review how to setup a transparently encrypted Cilium clustermesh with support for external virtual machines, how to observe these external workloads using Cilium Hubble, and provide examples of using Cilium network policy to secure access between these virtual machines and microservices running inside a Cilium managed Kubernetes clusters.
Effective communication is crucial for the success of any open source project, and the right communication platforms and methods can make all the difference. In this talk, we will explore ten engaging and catchy topics related to communication platforms and methods, content management, and social media for open source communities. We will discuss proven techniques and strategies for turning communication chaos into collaboration excellence, from documentation to community engagement, and managing your project's digital assets. We will also dive into social media advocacy and share practical tips for driving engagement and growing your community.
Engage, Collaborate, and Thrive! As open source communities continue to grow and thrive, it's important to navigate the fine line between moderation and censorship, build trust and transparency with your audience in a post-truth world, and reach diverse audiences through inclusive communication. Visual storytelling can be a powerful tool to communicate your project's message, and we will explore creative ways to leverage it. We will also take a look at the evolution of communication tools in open source communities, from IRC to Slack, and discuss their impact.
Finally, we will cover crisis communication in open source projects and share best practices and some super compelling case studies. Throughout the talk, Faeka will provide concrete examples and case studies of successful open source communication strategies and platforms, such as those used by the Linux Kernel community, Kubernetes, RedHat, Mozilla Foundation, and more!
This session is an example of a practical use of recording rules to deal with high volumes of data or abstracting complex queries. It illustrates the power of the feature and also shows some common pitfalls. It is a session focused on showing how to get the most value out of a Prometheus installation. I hope to give people confidence to try to do new things by being very honest about our failures.
Understanding and adapting to CNCF projects, such as Kubernetes, requires a lot of prior knowledge. This can sometimes discourage people from getting started with Cloud Native open source. In this session, I will share my journey from being a cloud-native novice to an active contributor to Litmus. I will also discuss my experience as a participant in the LFX Mentorship program, where I was provided guidance as a newcomer who wants to contribute to Cloud Native Open Source but is uncertain about how to do so. Finally, I will emphasize the importance of engaging with the cloud native community and the benefits of collaborating in open source projects.
Living with AD(H)D can present unique challenges in various aspects of life, including focus, decision-making, and impulse control. As a professional (and even a project maintainer ☺), you have to keep tabs on many things. In this talk, we explore an unconventional yet effective approach to managing AD(H)D symptoms: playing chess daily.
Chess is not merely a game; it is a mental exercise that engages multiple cognitive faculties simultaneously. Chess activates critical areas of the brain involved in planning, judgment, memory, and visual processing. It activates both the left and the right hemispheres of the brain. AD(H)D affects the very same parts of the brain associated with thinking, paying attention, and planning. By integrating chess into our daily routine, we can harness its benefits to improve our ability to handle AD(H)D and enhance overall cognitive functioning.
Warning: this is not your regular KubeCon talk 😉
Recently the use of GPUs for LLM model training and inference has experienced significant growth. Kubernetes is an ideal platform for these workloads. However, GPU instances are considerably more expensive (10x-50x) than the general-purpose instances. The challenge is to develop a cost-effective Kubernetes cluster tailored for LLM inference workloads at scale.
We found that using GPUs on Kubernetes to infer a GPT-3-like model costs less than $0.001 per call, and it can automatically scale up and down using Kubernetes HPA.
In this session, we will delve into valuable cost optimization techniques, including horizontal autoscaling based on GPU and TPS metrics, predicting incoming traffic patterns to accelerate cluster autoscaling, choosing the correct instance size based on workload patterns, and improving GPU utilization through time-sharing.
While OpenTelemetry is most closely associated with the 'three pillars' of tracing, logs, and metrics, its open design means that it can be extended to add new signals. In this talk, you'll learn about two new additions: Sessions and Profiles, and how you'll be able to use them to achieve end-to-end observability.
There are two hard problems in computer science: naming, cache invalidation, and off-by-one errors. In this lightning yet lighthearted talk, we'll show a few areas where Kubernetes chose rather confusing names, and we'll (try to) explain why. Exhibit A: services (we can't start/stop them in Kubernetes). Exhibit B: services strike back (you don't need a LoadBalancer service to do load balancing). Exhibit C: return of the services (ExternalNames are not necessarily external, in fact, quite the contrary!). Exhibit D: apiVersion is not (just) the version of the API. If you know Kubernetes, this talk will help you to understand (or memorize) better how it works. And if you don't (lucky you, and is there a bit of room available under that rock?) you'll probably still have a good laugh (hopefully not at the expenses of the other folks).