Introduction
This year KubeCon | CloudNativeCon NA was held in Salt Lake City. Again a unique moment to share ideas, exciting technology and mind-blowing innovation within the space of Cloud Native Computing. Unfortunately, we couldn’t join in person, but we watched the online conferences and followed the socials to cherry-pick highlights in the space of Cloud Security and Observability.
Welcome keynote
Let’s start with the welcome keynote, traditionally kicked off by Priyanka Sharma, Chris Aniszczyk and others. Again a massive amount of numbers was presented, which really showed the interest in Open Source and especially CNCF projects. Fantastic news for engineers and developers, but there was also some serious news about Patent Trolls targeting the Open Source Software (OSS) communities. This seems to be more of a US problem, but in fact it will also impact Europe when certain affected technologies are used. The CNCF and partners like Microsoft and UnifiedPatents.com started a challenge to contribute and vanquish trolls in a bounty program. Curious about how you can participate? Find more information about participation on the Cloud Native Hero Challenge here.
Software Supply Chain Security
Looking at the overall program, we noticed a very strong focus on Security, especially in the field of securing Software Supply Chains. On Thursday the keynotes were almost all Security related, starting with “Open Source Security is not a spectator sport”. It gave a great insight into the need for well-architected Software Supply Chain Security measures and into the communities behind CNCF Security groups like TAG Security and sister project OpenSSF, commonly known for GUAC, Sigstore and others. They mentioned the benefits of using the in-toto framework to secure the integrity of software supply chains. Great to see technologies like these Software Attestations being adopted for better, verified application integrity. You can see the recording here.
Microsoft Keynote Contribution
This wasn’t the last interesting Security keynote. Microsoft also delivered a great contribution to KubeCon NA 2024. Toddy Mladenov talked about how developers can secure the Software Supply Chain using various CNCF projects. It was also great to see that Observability plays an important role in monitoring integrity, with OpenTelemetry-delivered metrics following the SLSA Framework practices. Think here about artifact signing, but also about ensuring accurate SBOMs, which can be a challenge. Interested in how Microsoft does Software Supply Chain security? Just watch the recording here.
Securing AI
At this conference we also saw a lot of AI-spiced talks. Besides the use cases, attention is also on topics like responsible/sustainable AI and securing your AI applications with special AI SBOMs and comprehensive Observability. Here we learn about the model behavior and its performance. Security-wise, we look at transparency, reproducibility and accountability when looking at AI SBOMs. A good talk here was given by Idit Levine from Solo.io. They developed an Envoy Proxy based gateway called Gloo. Gloo is widely adopted as a Kubernetes gateway and was donated to the CNCF during KubeCon NA 2024 as K8sGateway. K8sGateway serves as the foundation for K8sGateway AI, which manages LLM Security and Observability challenges. K8sGateway AI integrates well into the Kubeflow ecosystem, to make AI/ML simple, portable, and scalable for the future.
Identity Verification & Attestation
SPIFFE, based on the SPIRE reference architecture, is also a technology that showed up at this conference. SPIFFE provides a universal identity control plane for distributed systems. When looking at verifiable identity documents (SVIDs for short), think particularly about X.509 certificates and JSON Web Tokens (JWT). Vendors like Venafi (CyberArk) provide tools to actually implement SPIFFE in a cloud native way using cert-manager. Have a look at the session here. We really believe that SPIFFE is ready to secure & protect the future of managed identities. That brings us to the announcement that cert-manager graduated as a CNCF project. Another great milestone for the Venafi, a CyberArk Company, team.
Policy-as-Code Selection Story
To wrap up, I also want to mention a really recognizable customer story by Robin Hood about selecting a Kubernetes Policy-as-Code solution. It was great to listen to their story of migrating from a homegrown solution to a more beneficial community approach delivered by CNCF projects. Simplicity, community support and sharing definitely win over complex and proprietary approaches. That was their reason for choosing Kyverno over Open Policy Agent (OPA).
Closing Thoughts
This KubeCon | CloudNativeCon edition can also be added to the success list. Both the online audience and conference visitors were treated to high-quality content, presented by industry leaders and community heroes. They proved again why it’s my favourite conference. I am really impressed by how much energy there is and how many passionate people are working in the Cloud Native space. Hopefully I will see you at the next KubeCon EU 2025 edition in London, UK.