A Zero Trust Reference Architecture DOWNLOAD E-BOOK

Past Events - Spring 2023


Día 1

Zero Trust Day

Frederick Kautz, KubeCon Co-Chair, SPIFFE Steering Committee Member

Read abstract

Lightning talk: Frederick Kautz on Zero Trust

There are multiple components to delivering high integrity software to the cloud. Let's talk a little about security.

Ricardo Torres, Chief Engineer of Open Source & Cloud Native, Boeing

Read abstract

Keynote: High Integrity Software in the Clouds

The cloud native ecosystem can be a difficult place to navigate. In this lightning talk, hear about 5 non-technical great ideas and programs that are being driven by the CNCF that will turbo-charge your understanding on how the cloud native ecosystem works.

Richard Collins, Co-chair CNCF Business Value Subcommittee, Jetstack

Read abstract

Lightning talk: 5 Must-knows for an Easy Life Using Cloud Native

“Zero trust” has become an increasingly popular topic for discussion recently – zero trust and the service mesh! zero trust and certificate management! zero trust policy enforcement! It’s all but impossible to escape serious looks at “zero trust” applied to whatever industry niche you care to imagine.

What seems to be missing is a serious look at what an entire application looks like when designed with zero trust in mind… so the KubeCrash hosts have decided to get together with an eye toward solving that. Rather than just talk in isolation about our individual pieces of the cloud native world, we’ve assembled a single application bringing everything together:

  • Our application runs on Kubernetes, of course, and is agnostic to the type of cluster and CNI in use.
  • Emissary-ingress is running at the edge of the cluster, providing secure access to our cluster with TLS and enforcing end-user authentication, bridging the external and internal worlds.
  • Linkerd manages secure communications inside the cluster, supporting mTLS everywhere and enforcing low-level security policies to guarantee that each workload has exactly the minimal access needed.
  • Cert-manager manages the many, many TLS certificates we need to be sure of identity within (and outside of) our cluster.
  • Polaris keeps an eye on exactly which policies are defined, and makes sure that no one is straying from our zero-trust best practices (intentionally or otherwise).

The end result is that our application is running in an environment where every access is checked, every time, at every level of the infrastructure and the application… and at the Spring 2023 KubeCrash, we’ll be taking a deep dive into how this entire reference architecture fits together. Experts on each of the open source projects listed above will provide a deep dive not just into how the project works, but how they all work with each other and with the application. We’ll wrap up by showing how you can apply this open-source reference architecture to your own work.

Edidiong Asikpo, Ambassador Labs, Developer Advocate

Read abstract

Cloud Native Zero Trust: Multiple Projects, One Goal

Home security begins at your front door, and in the world of cloud native apps running on Kubernetes, the ingress is the door to all of your apps. Using a “defense in depth” approach to security is vital, and there are many layers to securing an ingress, from TLS, to auth/n and authz, to rate limiting and allow/deny IP lists.

This talk will focus on how zero-trust requires a secured transport layer, from user to ingress to service(s). You will learn how to acquire a TLS certificate from LetsEncrypt and configure this with JetStack’s cert-manager for use with the CNCF Emissary-ingress API gateway.

You will also walk away from the session with an understanding of, and pointers to additional resources, for further securing your Kubernetes ingress.

Dave Sudia, Senior Developer Advocate, Ambassador Labs

Read abstract

Securing the Front Door: Configuring TLS in Emissary-ingress with cert-manager

Zero trust requires checking every access, every time, and a service mesh is the perfect tool to make that happen everywhere within the cluster running a cloud-native application. Of course, the mesh doesn’t exist in isolation! It’s important to consider not just how the mesh can run, but also how it interacts with other areas of infrastructure and the application.

In this talk, Alex will walk you through not just how to set Linkerd up for proper mTLS, but also how Linkerd can work well with the other pieces of our demo application. You'll see Linkerd get certificate information from cert-manager and routing information from Emissary-ingress, and how to define policies that can be curated by Polaris. Finally, you'll see how the application developer can take advantage of Linkerd to find and safely fix bugs no matter where they are in the call graph, with a live demonstration of how all these pieces fit together.

Alex Leong, Linkerd maintainer, Buoyant

Read abstract

The Well-Tempered Mesh: Linkerd, Zero Trust, and the Application

cert-manager is an open source X.509 certificate controller for Kubernetes. It automates certificate issuance for Kubernetes workloads. In this demo, certificates will be used to prove the identity of the Emissary API gateway and to prove the identity of peers in an mTLS Linkerd service mesh. Thanks to cert-manager's Issuer integrations, external CAs like Vault can be used to sign these certificates.

trust-manager is another project led by the cert-manager team. It distributes and manages the trusted CA certificates in a Kubernetes cluster. In this workshop, it is used to make all Kubernetes services trust the CA that is used for Linkerd mTLS, this way we can verify the peer identity in an mTLS connection. Additionally, it can be used to quickly update what public CAs are trusted.

Tim Ramlot, cert-manager maintainer, Jetstack

Read abstract

Generating and Distributing Trusted Certificates Using Cert-manager and Trust-manager

Polaris is an open source policy engine for Kubernetes that validates and remediates resource configuration. It includes 30+ built in configuration policies, as well as the ability to build custom policies with JSON Schema.

When building a zero-trust environment using tools like Cert-manager, Emissary-ingress, and Linkerd, there are a vast number of objects and configurations available to both cluster operators and end-users. Many of these configurations may be undesirable, or worse insecure. In this talk, Stevie will demonstrate how cluster operators can use Polaris to enforce best practices and secure configurations in your zero-trust environment.

Stevie Caldwell, Polaris maintainer, Fairwinds

Read abstract

Zero Trust Policy Enforcement with Polaris

Join us on a journey through our history of managing a fleet of Kubernetes clusters. Our journey began eight years ago with a single cluster for everyone. As the need for dedicated cluster grew, we realized the need for self-service and API-driven cluster provisioning, leading us to replace Terraform pipelines with Cluster API for managing Kubernetes with Kubernetes itself.

By leveraging the extensibility of Cluster API, we now support multiple cloud providers and manage infrastructure and clusters the Kubernetes native way. Our journey has taught us valuable lessons about managing infrastructure at scale, and we are thrilled to share our insights with you. Join us to discover how we navigated the challenges of fleet management and achieved Kubernetes native multi-cluster management. Our ultimate goal is to move automation, desired state, cluster and infrastructure provisioning, as well as add-on management into Kubernetes. Don't miss out on this exciting opportunity to learn from our journey!

Sean Schneeweiß, Software Engineer, Mercedes-Benz Tech Innovation

Read abstract

Mercedes-Benz Tech Innovation's Journey to Kubernetes Native Multi-Cluster Management

Innovation Day

Supporting millions of concurrent users at one time as they build a world, battle creatures, or race to the finish line is a scale challenge. In this panel session we talk with innovators in the gaming industry to find out how they use cloud native technologies to build modern, data-intensive applications that scale to millions of users.

Viviane Costa, Super Evil Megacorp; Christopher Voss, Xbox; moderated by Rob Reid, Cockroach Labs

Read abstract

Keynote Fireside Chat: Cloud Native in Gaming —Supporting Scale

During this talk, Taylor Dolezal, Head of Ecosystem at the CNCF, will share how cloud native tech is fueling innovation in a variety of industries.

Taylor Dolezal, Head of Ecosystem, CNCF

Read abstract

Lightning talk: How Cloud Native is Fueling Innovation at CNCF End User Companies

Jake Moshenko has been an innovator in the cloud native ecosystem for over 15 years. After engineering roles at Amazon and Google, Jake founded Quay, the first private Docker registry, which was acquired by CoreOS. Jake then became an engineering leader at CoreOS, which was acquired by Red Hat (and then IBM). He is now the co-founder and CEO of AuthZed, the company commercializing SpiceDB, the industry-leading cloud-native permissions database.

In this talk, Jake will discuss one of the most unappreciated barriers to application innovation: scaling fine-grained permissions. Whether you know it or not, your apps are scaling along one or more dimension:

- Traffic
- Development velocity
- Feature requests
- New geographies

When distributed cloud native apps scale along these dimensions, the complexity of storing, querying, and validating application permissions becomes burdensome and slows innovation. Jake will describe how cloud native permissions services, like SpiceDB, are allowing teams to unlock to the full potential of their applications.

Jake Moshenko, Co-Founder and CEO, AuthZed

Read abstract

Unlocking the Full Potential of Your Applications

Danielle Cook, co-chair of the CNCF Cartografos Working Group, VP at Fairwinds

Read abstract

Lightning Talk: The CNCF Cloud Native Maturity Model

74% of industry executives and leaders are backing Machine Learning and AI to solve their next generation of business problems. But only 53% of Machine Learning projects ever make it from prototype to production.

The potential for machine learning is enormous, but across all industries we are faced with long unsolved challenges of executing rapid experimentation and graceful scaling whilst keeping costs minimal to maximize return on investment.

Join Josh who will dive into how to reduce the barrier of entry and create more accessible scaling entry points using cloud native technology.

Josh Mesout, Chief Innovation Officer, Civo

Read abstract

How Civo is Backing Cloud-Native to Reduce the Cost of Machine Learning

Join us for a panel discussion featuring thought leaders from a variety of industries to examine the present and future of these rapidly evolving technologies.

The panelists will shed light on how machine learning and AI will impact different industries and the world as a whole, and provide guidance on how businesses can effectively utilize these technologies for progress and better performance. They will also delve into the ethical aspects and potential difficulties that arise from the widespread use of ML and AI.

Expect an engaging and educational conversation in this rapidly transforming area.

Josh Mesout, Moderator; Matt Dupree, Data Chimp; Tiffany Jachja, Autodesk; Dr. Morten Middelfart, Lumina Analytics

Read abstract

Panel Discussion: Exploring the Future of Machine Learning and AI

Solomon Hykes, founder of Docker, and Patrick Chanezon, GM of Cloud Developer Advocacy, Microsoft

Read abstract

Closing Keynote Fireside Chat with Docker founder Solomon Hykes