KubeHuddle

🗓 October 3rd and 4th, 2022
🌍 Edinburgh International Conference Centre, Edinburgh, Scotland

The inaugural KubeHuddle conference, hosted in the beautiful Scottish capital, Edinburgh.

KubeHuddle is Scotland’s first Kubernetes conference, hosted and organized by the Scottish community.

You can buy tickets now. We have limited tickets available at each price point:

  • Believer - £100 GBP [SOLD OUT]
  • Early Bird - £150 GBP [SOLD OUT]
  • Standard - £200 GBP

If you’re unable to afford a ticket, we may be able to help with our diversity and inclusion tickets, kindly sponsored by members and organizations within our community. ✉️ Speak to us

Programme

Track 1 - Introductions & Intermediate Presentations

This track will feature beginner-friendly and intermediate content to cater for a wide variety of experience levels, including beginners to Kubernetes.

Track 2 - Advanced Presentations

This track will feature advanced Kubernetes topics revolving around scale, multi-tenancy, and operations - you know, all that “fun” stuff.

Collaboration Space

There will be tables provided for people that want to sit with their laptops and collaborate with others, perhaps hacking on a cool new operator?
A small selection of workshops and tutorials will also be available throughout the two days, at no extra cost.

Socials

There will be a small social on Sunday, October 2nd, and the main social on Monday October 3rd.
More details coming soon...

Monday, October 3rd

Programme

Track 1

  • Coffee
  • Opening
  • eBPF or sidecars?
    Liz Rice
  • Applying GitOps To Everything
    Viktor Farcic
  • Clear Your Own Path to Open Source Maintainer
    Martin Hickey
  • Break
  • Integrating Backup Into Your GitOps CI/CD Pipeline
    Michael Cade
  • Securing Kubernetes with Open Policy Agent
    Anton Sankov
  • Lunch
  • Hacking Kubernetes Like a Beginner with kdigger
    Mahé Tardy
  • Stick a fork in it, it’s done: how to halt your sidecar jobs
    Matei David
  • Network Engineering Goes DevOoopsie
    Marino Wijay
  • Deploying a simple (Python) app to Kubernetes/OpenShift
    Jj Asghar
  • Break
  • Secret Management: The Soft Way
    Lian Li
  • Kubernetes cost monitoring best practices
    Kunal Kushwaha
  • Closing

Track 2

  • Coffee
  • Opening
  • Hacking Kubernetes: Live Demo Marathon
    Andrew Martin
  • The Dark Side of GitOps: Unanswered Real-life Challenges
    Ádám Szücs-Mátyás
  • You've been holding it wrong
    Gerhard Lazu
  • Break
  • Who Can You Really Trust?
    Ric Featherstone
  • Step by step Kubernetes observability with eBPF
    Denis Jannot
  • Lunch
  • Migrating a cluster with 2000+ microservices to managed Kubernetes: lessons and learnings
    Miles Bryant, Suhail Patel
  • How to protect your Kubernetes cluster using Crowdsec
    Hamza Essahely, Sebastien Blot
  • Policy + Cloud Controllers = Secure Scalable Dev-Centric Infrastructure.
    Rowan Baker, Henry Mortimer
  • Break
  • Building auto-scalable task processing system on Kubernetes
    Denis Makogon
  • Building Operators for Legacy Software or: Running Minecraft on Kubernetes
    James Laverack
  • Closing

Collaboration Space

  • Building event-driven, serverless functions in Kubernetes with Peter Mbanugo
  • Get to know Envoy - the modern proxy for cloud-native infrastructure with Baptiste Collard
  • eBPF workshop with Denis Jannot

Tuesday, October 4th

Programme

Track 1

  • Coffee
  • Opening
  • Climbing High -- The state of DevSecOps today
    Anais Urlichs
  • K8s & meat: How we got Kubernetes into the Kaufland meat processing factories
    Engin Diri
  • ClickOps over GitOps
    Laszlo Fogas
  • tall oaks from little acorns grow - an Open Source journey
    Dan Finneran
  • Lunch
  • The Wonders and Woes of Webhooks
    Marcus Noble
  • Crowdsourcing a Kubernetes distribution: What we learnt with MicroK8s
    Alex Jones
  • How to automate troubleshooting a k8s cluster environment
    Alexander Trelore
  • GitOps for the people
    Lian Li
  • Break
  • What DragonBall can teach us about being engineers
    Marcus Noble
  • Scaling Communities to be more Inclusive
    Kunal Kushwaha
  • State of Open - what is open source and why it matters in Scotland today
    Amanda Brock
  • Closing

Track 2

  • Coffee
  • Opening
  • EBPF and Kubernetes - Next level observability
    Owen Bowers Adams
  • BumbleBee: Or How I Learned To Stop Worrying And Love eBPF
    Krisztian Fekete
  • Why We Chose To Ditch Helm To Gain Open Source Sanity
    Simon Emms
  • Lunch
  • Using Kubernetes and A Service Mesh to Build a Resilient Platform
    Guy Templeton, Alex Williams
  • Gateway APIs and API Gateways - modern ingress demystified
    Matt Turner
  • Break
  • Closing

Collaboration Space

  • Capture the Flag - Kubernetes Edition with Andrew Martin

Speakers

Our call for papers is now closed. We will announce our speakers shortly.

Ádám Szücs-Mátyás

Speaker Bio

Adam is currently leading cloud transformation and a redesigned Kubernetes deployment across the organisation. Security is crucial in what we deliver to our customers, therefore everything we do has to meet the highest standards. He has 5 years of experience with Kubernetes and over 2 years with GitOps, and uses this knowledge to deliver impactful changes across engineering and how they work and deliver software.

Talks

The Dark Side of GitOps: Unanswered Real-life Challenges
Session format: Presentation (20m)
Level: Advanced
Abstract:
You’ve probably heard all the benefits of GitOps practices, but even the most trivial challenges are going unanswered in vendor demos and keynotes. Things like how I promote between environments, how I can handle infrastructure, what if I already have infrastructure that is managed by others, like networking… Deploying to Kubernetes with GitOps is quite mature, though you’ll need additional services like databases and clusters. You’ll find that if you use Cluster API, Crossplane or AWS Controllers for Kubernetes it might solve your issue, until it doesn’t integrate as you’d imagine. During this presentation I’ll go through some of the challenges we faced while rewriting LastPass’ full deployment model, solving end-to-end automation for real life while writing fewer YAML files by moving towards Infrastructure as Software.

Alex Jones

Speaker Bio

Alex works as both a contributor and end-user of cloud-native technology. He spends his work-time translating tooling, practices and behaviours into generators of strategic value and positive cultural change. His passion is to create positive engineering cultures that enable inclusivity and diversity as a core attribute rather than a vague goal. Enabling engineers to build more reliable services through shared accountability, observability and automation of toil. He has worked at companies such as JPMorgan, American Express, Microsoft, British Sky Broadcasting.

Talks

Crowdsourcing a Kubernetes distribution: What we learnt with MicroK8s
Session format: Presentation (20m)
Level: Intermediate
Abstract:
MicroK8s went from a part-time project to an Open-source success story available on every Ubuntu server in the world. However, behind its meteoric rise in usage, we struggled to balance the needs of end-users, the challenges of competition and In this talk we’ll talk about how it took us time to realise the power of community, to build a way to enable them to help guide our roadmap and to truly recognise the power of crowdsourcing engineering through open source.

Alex Williams


Talks

Using Kubernetes and A Service Mesh to Build a Resilient Platform
Session format: Presentation (40m)
Level: Advanced
Abstract:
This session will discuss how Skyscanner's Production Platform tribe designed a new, resilient architecture to allow Skyscanner's engineers to deliver new features to travelers on a reliable multi-tenant platform. We'll discuss what inspired the design choices, where trade-offs had to be made, the challenges faced, and the successes along the way. This will include how this architecture enabled Skyscanner to perform multiple cluster upgrades and migrations without service owners even noticing, as well as more day-to-day cluster tasks like component upgrades in a safe and scalable manner.

Alexander Trelore

Speaker Bio

Alexander is a senior software engineer at Replicated, where he is responsible for a collection of backend Go micro-services. In his spare time he streams various software projects on twitch, ranging from making video games, to toying with CNCF projects.

Talks

How to automate troubleshooting a k8s cluster environment
Session format: Presentation (20m)
Level: Intermediate
Abstract:
This session will introduce troubleshoot.sh, an open source project that helps diagnose common issues that could impact the successful deployment and operation of a Kubernetes cluster. We'll talk about how to use out-of-the-box tools, plus show you how to write your own custom collectors and analysers. Together these components should help identify issues before you install and once you are up and running.

Amanda Brock

Speaker Bio

Amanda Brock is CEO of OpenUK, the UK organisation for the business of Open Technology in the UK – being open source software, open hardware and open data – with a purpose of UK Leadership and International Collaboration in Open Technology. She is a Board Member of the Open Source Initiative; UK Cabinet Office Open Standards Board Member; British Computer Society Inaugural Influence Board Member; Advisory Board Member: KDE, Planet Crust, and Mimoto; Charity Trustee, Creative Crieff and GeekZone; and European Representative of the Open Invention Network. A lawyer of 25 years’ experience, she previously chaired the Open Source and IP Advisory Group of the United Nations Technology Innovation Labs, and sat on the OASIS Open Projects and UK Government Energy Sector Digitalisation Task Force Advisory Boards. She was General Counsel of Canonical for 5 years and set up their legal function. Amanda was awarded the 2022 UK Lifetime Achievement Award in the Women, Influence & Power Awards, and was included in Computer Weekly’s Most Influential Women in Tech long list in 2021 and in their UK Tech50 longlist for 2022. She is the editor of Open Source, Law, Policy and Practice, the second edition being published by Oxford University Press in September 2022 with open access thanks to the Vietsch Foundation. linkedin.com/in/amandabrocktech/ @openuk_uk @amandabrockUK

Talks

State of Open - what is open source and why it matters in Scotland today
Session format: Presentation (40m)
Level: Introductory and overview
Abstract:
A strategic scene setting of open source and how it got to its premier status in the software market today, an update from OpenUK's State of Open : The UK in 2022 report, and a strategic view on curation, stewardship and the future of open source in the enterprise and public sector as it becomes our critical national infrastructure.

Anais Urlichs

Speaker Bio

Anaïs is a Developer Advocate at Aqua Security, where she contributes to Aqua’s cloud native open source projects. When she is not advocating DevOps best practices, she runs her own YouTube Channel centered around cloud native technologies. Before joining Aqua, Anais worked as SRE at Civo, a cloud native service provider, where she worked on infrastructure for hundreds of tenant clusters. As CNCF ambassador, her passion lies in making tools and platforms more accessible to developers and community members.

Talks

Climbing High -- The state of DevSecOps today
Session format: Presentation (40m)
Level: Advanced
Abstract:
Security-specific tools are often overlooked until it becomes a requirement, necessity or things have gone terribly wrong. While many organisations will build a security team to address related issues, smaller organisations and individual contributors do not have this option. This talk is divided into two sections. In the first one, Anais will share the similarities between climbing and the importance of establishing a security-centric mindset. What happens if we do not have security specialists supporting our team? Free-climbing might be an option for experts with years of experience but not for most cluster admins. The second part will go over security-specific tools in the cloud native ecosystem. We will highlight the different tools available, how and when they are used, as well as emerging technologies in the security space. Anais will showcase how we can get started and the benefits of integrating cloud native security tools, such as Trivy and Cilium, into our existing processes and monitoring stack. The goal is to provide Kubernetes cluster admins and engineers with the tools and knowledge to take ownership of securing their resources without having to become security experts.

Andrew Martin

Speaker Bio

Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience delivering containerised solutions to enterprise and government. He is CEO at https://control-plane.io

Talks

Hacking Kubernetes: Live Demo Marathon
Session format: Presentation (40m)
Level: Advanced
Abstract:
In a live evocation of the recent O’Reilly title Hacking Kubernetes (Martin, Hausenblas, 2021), this ultimate guide to threat-driven Kubernetes defence threat models and details how to attack and defend your precious clusters from nefarious adversaries. This broad and detailed appraisal of end-to-end cluster security teaches you how to attack and defend against a range of historical and current CVEs, misconfigurations, and advanced threats:
  • See the historical relevance of CVEs and demonstrations of attacks against your containers, pods, supply chain, network, storage, policy, and wider organisation
  • Understand when to use next-generation runtimes like gVisor, firecracker, and Kata Containers
  • Delve into workload identity and advanced runtime hardening
  • Consider the trust boundaries in soft- and hard-multitenant systems to appraise and limit the effects of compromise
  • Learn to navigate the choppy waters of advanced Kubernetes security

Capture the Flag - Kubernetes Edition
Session format: Tutorial / Workshop
Level: Advanced
Abstract:
Delve deeper into the dark and mysterious world of Kubernetes security! Exploit a supply chain attack and start your journey deep inside the target infrastructure, exploit your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way! Attendees can play six increasingly beguiling and demanding scenarios to bushwhack their way through the dense jungle of Kubernetes security. Everybody is welcome, from beginner to hardened veteran, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise! To attend this workshop, you will need a laptop (or tablet if so inclined) as well as a basic understanding of how to interact with Linux from a terminal (e.g. ls, cd, cat, grep). You will be given access to a cluster and it's up to you if you'd like to run this alone or as part of a team.

Anton Sankov

Speaker Bio

Anton is a software engineer at VMware Carbon Black. He has a strong engineering background, having previously worked at market leaders in multiple industries - from payments, to cloud and infrastructure provisioning. At VMware, he is helping define the future of container and cloud security. The Kubernetes ecosystem is interesting to him because of its elegant solutions to real-world problems and constant drive for innovation.

Talks

Securing Kubernetes with Open Policy Agent
Session format: Presentation (20m)
Level: Introductory and overview
Abstract:
Kubernetes RBAC goes as far as whether a user can or cannot create new Kubernetes resources. However, it does not provide any capabilities for having more granular control on what resources can be created and what properties they might have. Validation webhooks fix that problem. They allow the user to define custom logic that looks at the resource being created/edited and, based on their properties, to allow or deny the operation. Gatekeeper is an implementation of a validation webhook that uses Open Policy Agent and allows you to define policies via the Rego language. These policies are applied to the Kube API server and live in Kubernetes as first-class citizens. This presentation will describe what validating webhooks are, how they work and how OPA and Gatekeeper leverage this functionality to protect your Kubernetes cluster. We will also dive into Rego and write our custom OPA policies.

Baptiste Collard

Speaker Bio

Baptiste Collard is a Field Engineer at Solo.io. Baptiste worked as a middleware expert and also as an IT Architect over the last decade. He likes plumbing pieces of software together and even more when it's running on Kubernetes!

Talks

Get to know Envoy - the modern proxy for cloud-native infrastructure
Session format: Tutorial / Workshop
Level: Intermediate
Abstract:
Envoy Proxy is a foundational layer for many of the innovations propelling the Kubernetes community, including service meshes and cloud-native API gateways. But many engineers understand it only as a black box, hidden by simplifying levels of abstraction. The purpose of this workshop is to provide a hands-on workshop that will bridge those gaps in Envoy's understanding. Participants will explore first principles regarding Envoy architecture, filter chains, and a day-in-the-life of a request.

Dan Finneran

Speaker Bio

Dan Finneran is the VP of Marketing for Loft Labs Inc. His journey to today has included bare-metal, jails, zones, vms and containers where he is currently enjoying the fast paced ride in the cloud native space. He also created & maintains a popular Open-Source load-balancer for Kubernetes and contributes to upstream Kubernetes. He’s also been fortunate to present at events ranging from the British computing society, HPE Technical solutions summit to DockerCon and KubeCon amongst others.

Talks

tall oaks from little acorns grow - an Open Source journey
Session format: Presentation (40m)
Level: Intermediate
Abstract:
This session will detail the trials and tribulations of starting with a few lines of code to fix a problem, to ending up with a project that underpins millions of Kubernetes clusters. From angering end users by implementing what seemed at the time "a good idea" to being dragged in-front of a legal team, it isn’t all plain sailing. However through this talk the attendees will hopefully learn the joys of being part of Open Source, the elation of a community that comes to contribute and the realisation that it was worth it in the end!

Denis Jannot

Speaker Bio

Denis is the Director of Field Engineering at Solo.io, a company building application networking solutions for the edge and service mesh. Denis is a passionate engineer who has spent his career in technical roles working directly with customers and users in architecting and adopting technologies like Object Storage, Big Data, Containerization, Service Mesh into their infrastructure. He enjoys sharing what he learns with the community and can be found creating demos, writing blogs, and speaking at events.

Talks

Step by step Kubernetes observability with eBPF
Session format: Presentation (40m)
Level: Intermediate
Abstract:
In this talk, I'm exploring how someone can use eBPF to get insights about the communications happening in a Kubernetes cluster. I write an eBPF program and then use the BumbleBee (https://github.com/solo-io/bumblebee) open source project to build and deploy it. This program gathers information about all the network communications happening in the cluster and publishes the corresponding metrics, which I store in Prometheus. I then deploy a service that gets the metrics and correlates them with the Pod and Service IP addresses to build a graph displaying all the communications.

eBPF workshop
Session format: Tutorial / Workshop
Level: Intermediate
Abstract:
eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changes to kernel source code or loading kernel modules. BumbleBee (https://github.com/solo-io/bumblebee) is a new Open Source project which helps to build, run and distribute eBPF programs using OCI images. It allows you to focus on writing eBPF code, while taking care of the user space components - automatically exposing your data as metrics or logs. In this workshop, we're introducing eBPF and the different ways to create eBPF programs. Then, attendees create their first eBPF program using BCC and libbpf to get a better understanding of the main concepts. Finally, they go through several labs to build and deploy an eBPF program with BumbleBee. They also deploy Prometheus and a web application on Kubernetes to display all the communications happening in the Kubernetes cluster.

Denis Makogon

Speaker Bio

Software enthusiast, a fan of designing and developing platform and software as a service application for various cloud infrastructures. He’s a principal software developer, developer advocate at Oracle, concentrating on product development along with bringing well-designed and production-ready integration with cloud solutions, a contributor to various open-source projects, cloud-related technologies along with having fun with IoT devices and photography. Blogger, photographer, traveler. Denis is a regular attendee and speaker at OpenStack summits (Atlanta, Austin, Paris, Barcelona, Boston) and PyCons (Hong Kong, Singapore, Italy), PyLondinium, Decompile.De. Co-author of OpenStack Application development, OpenStack Trove Essentials.

Talks

Building auto-scalable task processing system on Kubernetes
Session format: Presentation (40m)
Level: Intermediate
Abstract:
In most cases, for a cloud-native software architect, it’s always a question of what kind of workload the application will face. Is it compliant with the CQRS concept? Does it have constant operations that require the application or its components to have zero downtime? Does it have short synchronous operations, does it have long-running async operations? Making a decision to introduce new cloud services to a system is quite a challenging operation, especially for containerized applications: are we okay (do we have a valid justification) with using Kubernetes only, or do we need to introduce a few more cloud services to address a need for event-driven processing in addition to K8s? How do we know that this type of hosting system wouldn’t be under-utilized? Can we be sure that we’re paying for what we’re using and not overpaying just for the sake of a few more lines in the portfolio? In this talk we will focus on Kubernetes and:
  • deployment autoscaling capabilities (pros/cons),
  • cluster autoscaling features (pros/cons),
  • API extension mechanisms,
  • concepts of building auto-scalable task processing solutions.
And of course, we’ll do some practical work like:
  • introduce the term of deployment healthiness and do an estimation of it,
  • develop a custom metric server based on a deployment,
  • simulate the workload to see the mechanism in action.

Engin Diri

Speaker Bio

My name is Engin Diri and I have worked for more than 15 years in the IT industry. I started as a Java developer and went from frontend to backend development until I found my sweet spot in all things related to CI/CD and cloud topics. Currently, I am working in the Schwarz Group, the people behind the big retail brands Lidl and Kaufland. Here I help different projects and teams on their journey to the cloud. I love everything about Cloud, Cloud Transformation and Enablement. I am a multi-cloud person with a strong passion for Kubernetes. Furthermore, I am very curious and love to try out new technologies.

Talks

K8s & meat: How we got Kubernetes into the Kaufland meat processing factories
Session format: Presentation (40m)
Level: Intermediate
Abstract:
Kubernetes, Kubernetes everywhere. Without any doubt, the adoption and usage of Kubernetes skyrocketed through the entire IT world. From tech-savvy startups, working on their next unicorn product, to conservative insurance companies increasing productivity and reducing time to market. It's hard not to see all the benefits Kubernetes creates for IT organizations. So it was only a matter of time until our very own business gave us the task: Bring Kubernetes to our production facilities, and start with the Kaufland meat processing factories. In this talk, I want to share our one-year-long journey to accomplish this mission, sharing all the mistakes and the successes we made during this huge project. From learnings about all the security and compliance requirements when working in the industrial area to enabling the platform and application teams. Of course, we will talk about all the techniques we used like GitOps, Infrastructure as Code, Policy as Code and so on. In short: k8s & meat, it's not always as tender as we thought it would be.

Gerhard Lazu

Speaker Bio

Gerhard enjoys infrastructure, good conversations and improving. He is improving CI/CD through his role at Dagger.io, runs changelog.com infra for the fun of it and helps others level up via changelog.com/shipit

Talks

You've been holding it wrong
Session format: Presentation (20m)
Level: Advanced
Abstract:
CI/CD is what gets your code from your laptop to your Kubernetes. If that is not the case, this talk is not for you. What if I told you that you've been holding CI/CD wrong all this time? If you can't run it locally, need to wait more than 5 minutes to see if a change works, and get goose bumps when someone on your team mentions migrating CI/CD, you're holding it wrong. After decades thinking about this problem, this is what holding it right means to me. Kubernetes is a small piece of the puzzle, and contrary to what many think, it should not be used to solve all problems. I learned this from someone else, and also... Join me if you are curious to see where this goes.

Guy Templeton

Speaker Bio

Guy is a principal software engineer at Skyscanner, working in the Production Platform tribe where he’s focused on providing the best possible platform for Skyscanner’s travelers and engineers. Within Skyscanner, he’s the SME on scaling Kubernetes and containerised workloads. He’s also a co-chair of Kubernetes’ SIG Autoscaling. When he's not knees-deep in YAML he can usually be found having type 2 fun on a bike.

Talks

Using Kubernetes and A Service Mesh to Build a Resilient Platform
Session format: Presentation (40m)
Level: Advanced
Abstract:
This session will discuss how Skyscanner's Production Platform tribe designed a new, resilient architecture to allow Skyscanner's engineers to deliver new features to travelers on a reliable multi-tenant platform. We'll discuss what inspired the design choices, where trade-offs had to be made, the challenges faced, and the successes along the way. This will include how this architecture enabled Skyscanner to perform multiple cluster upgrades and migrations without service owners even noticing, as well as more day-to-day cluster tasks like component upgrades in a safe and scalable manner.

Hamza Essahely

Speaker Bio

Coming from a sysadmin and then pentester/secops background, I'm now a core developer at Crowdsec.

Talks

How to protect your Kubernetes cluster using Crowdsec
Session format: Presentation (40m)
Level: Intermediate
Abstract:
The [CrowdSec](https://github.com/crowdsecurity/crowdsec/) project aims at providing a crowdsourced approach to common infrastructure defense problems, by distributing free & open-source software allowing you to protect yourself and share information about malevolent actors. CrowdSec could be perceived as a modern form of Fail2ban, though for Cloud and container-based infrastructure as well, and capable of taking far more advanced decisions a lot faster. Mainly, it’s using a decoupled and distributed approach (detect here, remedy there) and an inference engine that leverages leaky buckets, YAML & Grok patterns to identify aggressive behaviors. It acquires signals from various data sources like files, syslogd, journald, AWS Cloudwatch and Kinesis, Docker logs and Windows Event Log, normalizes them, enriches them to apply heuristics and triggers a bouncer to deal with the threat, if need be. Since it’s written in Go, it’s compatible with almost any environment, fast in execution and resource conservative. The endgame is the Reputation engine though. If you want to partake in the network to benefit from its findings, CrowdSec captures all aggression signals (timestamp, IP, behavior) and sends them for curation. That way, it establishes a reliable IP blacklist that is constantly redistributed to the network members, in order to achieve a form of Digital Herd Immunity. An IP caught aggressing WordPress sites will quickly be banned by all members using CrowdSec that subscribed to the WordPress defense collection. In that way, we share the IPs that are relevant to your technical context.
While Crowdsec is in charge of the detection, the reaction is performed by "bouncers" that aim to be deployable at any level of the applicative / infrastructure stack:
  • via nftables/iptables/pf based on an IP set
  • via Nginx lua plugin
  • via Traefik middleware
  • on Cloudflare via our bouncer that integrates with Cloudflare API
  • or GCP/AWS/Azure firewall, slack or scripting, notifications, etc., or in many other ways.
Over time the possibilities will increase as the application design basically supports anything. This approach, combined with a declarative configuration and a stateless behavior, makes it an ideal candidate to enhance the security of modern stacks (containers, kubernetes, serverless and more generally automatically deployed infrastructures). Furthermore, we intend to create and share the most accurate database of malevolent actors possible, in the form of a real-time IP reputation system, accessible through API. Whenever an attack is locally blocked/detected by Crowdsec, the "meta" information of the attack is shared amongst participants (source ip, date and triggered scenario) for redistribution to network members. We are committed to building a strong community, with all that it implies:
  • [a public hub](https://hub.crowdsec.net) to find, share and amend parsers, scenarios and blockers
  • permissive open-source license to stay business friendly
  • and overall a strong commitment to transparency and a community-first mentality, by tooling and behavior
The microservice architecture is the most significant security challenge in a Kubernetes cluster. Every application you deploy opens a new potential entry for attackers, increasing the attack surface. In this talk, we'll present the Crowdsec project and see how we can protect a kubernetes cluster using Crowdsec and the power of the Crowd.

Henry Mortimer

Speaker Bio

Henry is a security engineer at ControlPlane. He has subject matter expertise in using custom policy agents to automate policy enforcement within k8s and combines experience across engineering and security to improve the security landscape through better tooling, automation and documentation.

Talks

Policy + Cloud Controllers = Secure Scalable Dev-Centric Infrastructure.
Session format: Presentation (40m)
Level: Intermediate
Abstract:
In large organizations, securing cloud infrastructure around Kubernetes is hard. Application developers, who’ve already had to learn Kubernetes, shouldn’t need to become IAC SMEs to operate their applications' backend cloud infrastructure. Alternatively, using infrastructure teams to service requests and centralize control doesn’t scale with an increasing number of users and use cases. In this talk, Rowan and Henry will demonstrate how infrastructure teams can use policy engines to secure an emerging model that uses Kubernetes hosted cloud controllers (Crossplane, ACK, config-connector) to provision infrastructure. This model enables application teams to self serve, whilst preventing the launch of insecure infrastructure. To ease adoption of the model, Rowan and Henry will open source policies and templates to enforce controls aligned with the CIS benchmarks and to simplify the developer experience by setting secure defaults and dynamically generating supporting cloud resources.

James Laverack

Speaker Bio

James is an engineer specialising in cloud native software and distributed systems. He’s an active contributor to the Kubernetes project and has been on the release team for Kubernetes v1.18 through v1.24, culminating in being the Release Team Lead for Kubernetes 1.24 Stargazer. ✨ Before Jetstack, James worked as an application developer in fintech.

Talks

Building Operators for Legacy Software or: Running Minecraft on Kubernetes
Session format: Presentation (20m)
Level: Advanced
Abstract:
I've always loved Minecraft, and I've always loved playing it with my friends. Being the one with a home server, I setup my own Minecraft server. Soon I wanted to manage it with Kubernetes like the rest of my applications, and wanted to automate common tasks like backups and upgrades. So I made an operator. This talk will cover the how of making an operator for a 'legacy' application that is not designed to be cloud-native, and why you might want to do it. The operator is open source at https://github.com/jameslaverack/minecraft-operator. The operator and the talk are not endorsed by Mojang Studios or Microsoft in any way.

Jj Asghar

Speaker Bio

JJ works as a Developer Advocate representing the IBM Cloud all over the world. He mainly focuses on the IBM Kubernetes Service and OpenShift, trying to help companies and users have a successful onboarding to the Cloud Native ecosystem. He’s also been known in the DevOps tooling ecosystem and generalized Linux communities. If he isn’t building automation to make his work streamlined, he’s building the groundwork to do just that. He lives and grew up in Austin, Texas. A father and husband, trying to learn to balance his natural nerdiness with family life. He enjoys a good strong dark ale, hoppy IPA, some team building Artemis, and epic Gloomhaven campaigning. He has recently dived headfirst into Fedora since IBM bought Red Hat, but still secretly wants FreeBSD everywhere. He’s always trying to become a better web technology developer, though normally just uses bash to get the job done.

Talks

Deploying a simple (Python) app to Kubernetes/OpenShift
Session format: Presentation (40m)
Level: Introductory and overview
Abstract:
JJ will walk you through deploying a simple python application to Kubernetes/OpenShift. We’ll start from the ground up, then get a complete automated build. The goal is to enable your developers to focus on code, not the infrastructure! It’s a chance to see the power of OpenShift and why taking the time to learn cloud-native development can get you the velocity you need.

Krisztian Fekete

Speaker Bio

Krisztian is enthusiastic about observability and cloud infrastructures. He's now working at Solo.io as a Field engineer. Previously, he was working at LastPass as a senior DevOps/SRE engineer. Krisztian is building a self-hosted blog on top of Istio in his spare time. The main topics of the blog are aligned with his interests, while he is also using the platform to share operational anecdotes on running one of the most "over-engineered" blogs out there.

Talks

BumbleBee: Or How I Learned To Stop Worrying And Love eBPF
Session format: Presentation (40m)
Level: Intermediate
Abstract:
eBPF is hard. There are more and more docs and blogs, but the learning curve seems to be really steep. Where could you possibly start to play around with this new technology? In this talk, I will briefly introduce the (e)BPF landscape, then show you one of the easiest ways to get started with eBPF. We will explore existing tools, see what it takes to drop them into a Kubernetes cluster, and learn how you can expose their output as Prometheus metrics with only a few keystrokes.

Kunal Kushwaha

Speaker Bio

Kunal is working towards empowering communities via Open Source and Education. He finds passion in teaching and has taught thousands of folks online and in person. He is currently a Developer Advocate at Civo, CNCF Ambassador, track chair of the KubeCon + CloudNativeCon student track, Major League Hacking Coach. In the past, he has been a Google Summer of Code Mentor at Red Hat Middleware, Student Program Manager at Data on Kubernetes Community, part of the Kubernetes release team, and a TEDx speaker. He is the founder of Kubeworld, Community Classroom, and also started the official Cloud Native Student Community group joined by thousands of students, focussed on getting more young people involved in the ecosystem.

Talks

Kubernetes cost monitoring best practices
Session format: Presentation (20m)
Level: Intermediate
Abstract:
There have been scenarios in which companies struggle to understand where they spend their cloud budget. For example, distinguishing between projects, teams, and applications with infrastructure services utilising them. Starting with why cost monitoring is essential, in this session, we'll learn about some of the best practices for monitoring your Kubernetes costs to maximise efficiency and reduce spending across teams, followed by some of the approaches we have seen organisations follow. Cost allocation can be complex in Kubernetes; hence, we'll also discuss what cost allocation models should be used. Such a set of best practices can reduce cloud spend and increase awareness within one's organisation.

Scaling Communities to be more Inclusive
Session format: Lightning Talk / Ignite
Level: Introductory and overview
Abstract:
Being an open-source enthusiast, Kunal believes that diversity in the workplace and participation from people hailing from different cultures is necessary as well as instrumental for the growth of the IT sector. It exposes one to the multitude of values and principles that people from varying ethnicities hold. Meeting people from around the world teaches people to respect opposing perspectives and opinions, and ingrains in them respect for their peers. He finds passion in teaching and has taught thousands of students both online and in-person. He is the founder of Community Classroom, an organisation focussed on providing training & mentorship, free of cost. He also started the Official Cloud Native Student Community group joined by thousands of students, focussed on getting more young people involved in the Cloud Native world. These platforms are utilised by conducting hands-on workshops, events, podcasts, and sharing about opportunities in the field. The talk is going to be focussed around what defines a community, and figuring out what the community's shared struggles are. It’s also important to know what the mission of your community is and what members look to get out of it. Communication is key, and we’ll also talk about how to future proof your community. Regarding diversity and inclusion, it’s important to know who might be excluded from accessing your community activities in their current form. We’ll also discuss some of the negative scenarios which might happen while running activities for your community, which will make them less inclusive to marginalised groups. Following up with designing for your community's needs, and last but not least, having a Code of Conduct.

Attendees will learn about:

- How to start a new community and make it inclusive from the beginning.
- How to scale communities to under-represented groups.
- How to deal with conflicts and take care of your audience’s needs.

Laszlo Fogas

Speaker Bio

Laszlo is the founder of https://gimlet.io, a 100% open-source gitops based developer platform. Prior to that, Laszlo spent 5 years consulting, and building dev platforms on Kubernetes for mid-sized SaaS businesses of the Nordics region.

Talks

ClickOps over GitOps
Session format: Presentation (40m)
Level: Intermediate
Abstract:
The delta between Kubernetes and a developer friendly PaaS is where the next layer of value is being created today. Many products are racing to fill the void that is called Kubernetes developer experience. This is also the place where things get opinionated, a requirement for reliable end to end workflows. In this talk you will learn about Gimlet.io's approach on how Kubernetes UIs can be quick to use, and safe at the same time. In this talk you will see how you can create a developer platform - with the usual components Cert-Manager, Nginx Ingress etc - and deploy on it with only clicking on a dashboard. You will also see that behind the curtains, all Gimlet does is writing yamls into a git repository. ClickOps.. over GitOps.

Lian Li

Speaker Bio

Lian always wanted to save the world. After a failed attempt at becoming a lawyer, she decided to do something with computers instead. Working as a Fullstack Software Engineer, she got into attending tech events and giving talks on Machine Learning. During this time, she fell in love with the tech community and discovered her passion for building community and providing a safe and productive environment for all, which led to her co-organising the community conference ServerlessDays Amsterdam. Currently, Lian lives in Amsterdam and works as Developer Advocate at Loft Labs, trying to make developing on Kubernetes easy and fun.

Talks

Secret Management: The Soft Way
Session format: Presentation (40m)
Level: Introductory and overview
Abstract:
Secrets. Security best-practices mandate that they stay away from the code—or else! And that’s what we did for a long time. But as CI/CD practices evolved, for a myriad of reasons, we now want to ship the code, the environment, and the secrets, all in one lump. So, we can’t hide the secrets anymore… unless? Tools like HashiCorp Vault attempt to address this by managing secrets outside the delivery chain. Great! But you can’t use those inside local dev environments, so… When that’s precisely what you need to do, then what? In this talk, Lian will show the audience how to manage secrets the GitOps way, so you can maintain security best-practices while also being able to use them in your local environment for development. Sound like magic? That’s because it is. After this talk, the audience will be able to understand secret management solutions that work seamlessly in a variety of environments.

GitOps for the people
Session format: Presentation (40m)
Level: Introductory and overview
Abstract:
MoneyBank Inc. is a fintech enterprise that recently made the jump to K8s and GitOps to cope with the shift of demands from cranking out features towards stability and scalability. Yet, even with a fully automated CICD and shiny new microservices, features still take weeks to be released. As teams keep waiting on each other, frustrations, resentment, and mistrust grow. MoneyBank’s situation is typical for organizations with enterprise processes and startup mindsets. When faced with problems, the urge is often to move fast and automate them away. However, the cultural and regulatory structures to support these changes are not in the scope of said automation. One more piece is missing to address the needs of non-technical stakeholders within the ever-changing CICD landscape. In this talk, we will attempt to automate the non-automatable with ReleaseOps: GitOps for the people.

Liz Rice

Speaker Bio

Liz Rice is Chief Open Source Officer with eBPF specialists Isovalent, creators of the Cilium project. She was chair of the CNCF's Technical Oversight Committee 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018. She is also the author of Container Security, published by O'Reilly. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, competing in virtual races on Zwift, and making music under the pseudonym Insider Nine.

Talks

eBPF or sidecars?
Session format: Presentation (40m)
Level: Intermediate
Abstract:
eBPF allows us to build custom programs that run directly within the kernel. This talk explores how eBPF enables observability, security and connectivity tools that no longer need to rely on the sidecar model, and shows how Cilium now supports both sidecar-based and sidecarless Service Mesh. Along the way this talk will clarify some container and kernel concepts so that attendees can leave with a mental model for the pros and cons of sidecar-based or sidecarless approaches.

Mahé Tardy

Speaker Bio

Mahé Tardy is a Security R&D Engineer at Quarkslab specializing in Kubernetes and container security. More generally he’s enjoying Linux, programming languages, security and might be a beer geek. He’s contributing to Kubernetes, especially in the security sub-group.

Talks

Hacking Kubernetes Like a Beginner with kdigger
Session format: Presentation (20m)
Level: Introductory and overview
Abstract:
During this session, Mahé will demonstrate a simple scenario of a multi-tenant attack in a Kubernetes cluster. He will explain the risks, see how to prevent this kind of attack and show how kdigger can speed up the discovery process of the environment. kdigger, short for "Kubernetes digger", is a context discovery and container assessment tool for Kubernetes penetration testing. This tool is a compilation of various plugins to facilitate pentesting Kubernetes from inside a pod. On top of discovering a new tool, this presentation will give you an idea of how pentesters generally try to pivot in typical Kubernetes clusters.

Marcus Noble

Speaker Bio

Marcus is a platform engineer at Giant Swarm, a company dedicated to offering managed Kubernetes solutions. His main area of focus in recent years has been around Go, Kubernetes, containers and DevOps but originally started out as a web developer and JavaScript enthusiast. A self-described “tinkerer”, when not building Kubernetes solutions, Marcus likes to dabble with 3D printing and experimenting with smart home tech.

Talks

The Wonders and Woes of Webhooks
Session format: Presentation (40m)
Level: Intermediate
Abstract:
Since being introduced in Kubernetes v1.9, webhooks have been a key feature, making up one of the cornerstones of Kubernetes extensibility. When used right, they can allow operators to have much more control over their clusters, and with tooling like Kyverno and Gatekeeper it’s easier than ever to leverage their full power. But, when misused, things can get very, very messy. So how do we ensure our webhooks are full of wonders and not woes? By taking a look at the history of webhooks in Kubernetes, the driving force behind their adoption and several horror stories of webhooks gone wrong, we can develop a set of best practices and guidelines to follow to ensure our webhooks stay full of wonder without the woes.

What DragonBall can teach us about being engineers
Session format: Lightning Talk / Ignite
Level: Introductory and overview
Abstract:
The world of DragonBall has many teachings that we can apply to our life as developers, SREs and DevOps engineers. In this fun and fast-paced talk we'll learn how the Z Warriors were ahead of their time and how they fully embrace the engineer mindset.

Marino Wijay

Speaker Bio

Marino leads the Developer Relations and Advocacy team at Solo.io. He is passionate about technology and modern distributed systems. He will always fall back to the patterns of Networking and the ways of the OSI. Community building is his driving force; A modern Jedi Academy.

Talks

Network Engineering Goes DevOoopsie
Session format: Presentation (40m)
Level: Introductory and overview
Abstract:
I sit here and reflect back to 2008 when my supervisor suggested I look into the CCNA and Network+. My world changed from plugging a cable into a switch to setting up BGP peers, to configuring Load Balancers for High Availability. Network Engineering has evolved and, from my eyes, has been entirely reimagined, retaining the foundations of networking. As I've slowly pivoted to the world of Cloud Native technologies and DevOps, a lot of my previous Network Engineering skills have translated to today's approach to microservices architecture. FOLLOW THE PACKETS I SAY! What does Networking mean for consumers of Kubernetes and Containers? What do K8S and containers mean for Network Engineers? What does that transformation for a Network Engineer look like? In this retrospective talk, I share my journey of Network Engineering from the late 2000s to one in 2022 surrounded by the world of distributed systems, observability, the deeper need for security/identity and what our traffic tells us. My hope is to inspire others to transform their network engineering career.

Martin Hickey

Speaker Bio

Martin works on the Open Technology team at IBM focusing on open source software. He is a regular contributor to open source and a core maintainer for Helm. He has also contributed previously to the OpenStack and Elastic communities. Martin enjoys speaking at conferences and meet-ups. He has many years’ experience in the creation of enterprise software for different industries, from Telcos to Cloud.

Talks

Clear Your Own Path to Open Source Maintainer
Session format: Presentation (40m)
Level: Introductory and overview
Abstract:
How many times have you heard the phrase "chop wood and carry water"? What about "look at the good first issues" or "triage the issues queue"? Or even "go out there and make yourself known to the community"? Open Source project members throw around these phrases as if they are the panacea to becoming a contributor, then a committer, and finally a maintainer. However, it is not that easy. These phrases can only help if you know what they mean! Demystifying this path to leadership in Open Source is imperative to the industry because we can’t grow on a path to continuous learning if we aren’t welcoming the next generation of contributors to our projects with clear and inclusive language. So here are some better questions to ask yourself when approaching a new Open Source project: What can I do if the first issues queue doesn’t contain any issues to work on? How do I introduce myself to the community? What if I can't find anything on the issue queue that makes sense? What contributions are needed most by this community? How do I climb the community role ladder toward leadership? People need guidance and support when climbing the mountain from the valley of becoming a new contributor to the zenith of maintainership. It is not always just as simple as following the community contributor guidelines. In this presentation I cover tips and tricks on how to conquer that journey. Through practical examples of how I became a Helm maintainer, I hope that more people will realize it is within their grasp to become maintainers in Open Source projects. And the reality is that these projects NEED you too.

Matei David

Speaker Bio

Matei is a London based software engineer at Buoyant and an avid open source contributor. One of the maintainers of the Linkerd project, CNCF's graduated service mesh, Matei is passionate about networking (not just the social type!) and systems engineering. He got involved in the cloud native space early on in his career through CNCF's Community Bridge program by contributing topology-aware service routing for Linkerd. Since then, Matei joined the Buoyant team permanently and now works on all things service mesh related. Outside of work, Matei likes to unwind with a good book, a board game session or an evening stroll on his longboard. You can often find him helping out community members on the Linkerd Slack.

Talks

Stick a fork in it, it’s done: how to halt your sidecar jobs
Session format: Presentation (20m)
Level: Introductory and overview
Abstract:
Inspired by some of the research done by the Linkerd team and by suggestions from the Linkerd community, Linkerd maintainer Matei David will present a few ways of ensuring that when deploying jobs, sidecar containers terminate successfully when the main container finishes. Since the early days of Kubernetes, the sidecar container design pattern represents an easy and intuitive way to enhance the main container in a pod. The pattern has seen increased usage and adoption in production environments and serves a variety of platform-agnostic use cases such as collecting metrics and proxying traffic. Sidecar containers work well with most Kubernetes primitives, such as deployments, but they fall short when used in job objects. For service meshes or metric collectors, sidecars need to run continuously, blocking jobs from completing even after the main container has finished its work.

Matt Turner

Speaker Bio

Matt is a software engineer at Tetrate, where he loves sharing what he's learning with the whole community. He helps people understand Istio, Envoy, and other open source projects, as well as Tetrate's solutions for enterprise service mesh management. He's been doing Dev, sometimes with added Ops, for nearly two decades; his idea of "full-stack" is Linux, Kubernetes, and now Istio too. He likes Rust, hot dogs, and terraforming unexpected things. He tweets @mt165 and blogs at https://mt165.co.uk

Talks

Gateway APIs and API Gateways - modern ingress demystified
Session format: Presentation (40m)
Level: Intermediate
Abstract:
Up until now, Ingress routes into K8s clusters have been defined by the Ingress kind, or by vendor-specific CRDs. Neither of these were satisfactory, so a new set of built-in k8s APIs was developed: the Gateway API. In this talk, Matt will cover the motivation for a new API, its design, and show some examples of its use. He'll then also cover implementations of it today and in the future, and talk about the exciting merging of several of the existing ingress controllers into one new de facto standard: Envoy Gateway.

Michael Cade

Speaker Bio

A community first technologist for Kasten by Veeam Software. Based in the UK with over 16 years of industry experience with a key focus on technologies such as cloud-native, automation & data management. His role at Kasten is to act as a technical thought leader, community champion and project owner to engage with the community to enable influencers and customers to overcome the challenges of Cloud-Native Data Management and be successful, speaking at events sharing the technical vision and corporate strategy whilst providing ongoing feedback from the field into product management to shape the future success.

Talks

Integrating Backup Into Your GitOps CI/CD Pipeline
Session format: Presentation (40m)
Level: Intermediate
Abstract:
The ability to deploy code and version code has been a de facto requirement and a reason we have CI/CD pipelines for our application development, but with Kubernetes in particular we are seeing a closer tie between code and data. In particular, code being deployed can affect and change your data; for that reason, we need to consider protecting that data as part of our Continuous Development pipelines. In this session, we will focus on how we can incorporate backup actions into your pipeline to ensure that any code changes will start by creating a restore point, be it a snapshot or an export to another external repository. We will then, as part of a demo, incorporate a failure scenario into the environment pipeline to simulate how a configmap can manipulate data to cause data loss. Then we need a way to bring the data back!

Miles Bryant

Speaker Bio

Miles is an engineer at Monzo, where he has spent the last four years working on a super-powered Kubernetes-based internal developer platform that allows engineers to deploy over 100 times a day without worrying about where their code runs or how it communicates. He's keen to chat about Kubernetes, Envoy or Prometheus, and to see photos of your dog.

Talks

Migrating a cluster with 2000+ microservices to managed Kubernetes: lessons and learnings
Session format: Presentation (40m)
Level: Advanced
Abstract:
Monzo has been running a single self-hosted Kubernetes cluster per environment for years, and we decided to migrate to a managed Kubernetes service. This talk is all about the challenges and perils of doing a high stakes, real world, zero downtime Kubernetes migration at scale 🤓

We’ll talk about the constraints and challenges, including:

- the complexity, diversity and quantity of the systems running on the cluster
- downtime having real human impact, with someone potentially not being able to pay for food or make a rent payment
- the sheer number of different services and teams to interact with, which meant that we had to adopt an automated process that was fully transparent to other engineers

We’ll dive into some of the technical details that allowed us to migrate within these constraints, and our plans for rearchitecting our platform to make future upgrades and migrations easier. Takeaways will include:

- How Kubernetes makes infrastructure migrations more manageable
- Actionable learnings about doing migrations at scale in general

Owen Bowers Adams

Speaker Bio

Reformed systems engineer, former ambassador for the CDF and currently head of platform engineering for Intelligent Growth Solutions. Powered by OpenSource

Talks

EBPF and Kubernetes - Next level observability
Session format: Presentation (40m)
Level: Advanced
Abstract:
A deep dive into how eBPF pairs with Kubernetes to provide real-time, low-overhead tracing. This will focus on what eBPF is, how it fits into the Kubernetes ecosystem and how tools like Pixie can tie it all together.

Peter Mbanugo

Speaker Bio

I'm a software developer interested in building quality and maintainable software solutions. My interest areas are around Software Architecture and Offline First applications.

Talks

Building event-driven, serverless functions in Kubernetes
Session format: Tutorial / Workshop
Level: Intermediate
Abstract:
In modern organizations, event-driven architecture combined with FaaS has become more popular because they address some of the challenges of building distributed systems. As these organisations grow, they switch to Kubernetes to scale and manage more services. With the switch to Kubernetes, you want to provide a seamless experience for building and deploying services on Kubernetes. That begs the question, how do I build event-driven serverless applications in Kubernetes? This workshop will teach you how to build such applications with Kubernetes. You're going to develop an e-commerce serverless API. By the end of this course, you will have learned how to work with Knative and Cloud Events, manage the functions using a monorepo, and implement a continuous deployment pipeline.

Ric Featherstone

Speaker Bio

From Engineer to Architect and back, Ric’s greying hair comes from his years of hard-won experience consulting in the Financial Services and Media sectors. Happy treading the conveyor belt of Cloud-Native technologies, trying to keep up and sharing his thoughts along the way. He is Head of Engineering at https://control-plane.io

Talks

Who Can You Really Trust?
Session format: Presentation (40m)
Level: Intermediate
Abstract:
Intangible “trust” is required to secure our systems: we need it to bootstrap infrastructure, secure the software supply chain, run workloads, and reassure our customers of their privacy. But how do we establish and secure this "trust" in a dynamic cloud-native system? The advent of hardware-based attestation and certificate authentication gives us new hope. But this brave new dawn has been just over the horizon for the last few years, and new technologies have emerged to champion the identification of our workloads. In this talk we:

* Demystify the nebulous concept of Workload Identity
* Define the importance of autonomous identity generation in a Zero Trust Architecture
* Demonstrate practical examples of bootstrapping and using Workload Identity
* Introduce existing and emerging technologies that enable you to anchor Workload Identity to a Hardware Root of Trust

Rowan Baker

Speaker Bio

Rowan has extensive experience auditing, accrediting, and developing Kubernetes and containerised systems for high compliance commercial and public sector organisations. He is an author of the GKE CIS Benchmark, contributor to the CNCF Financial Services User Group Kubernetes Threat Models, and is Head of Security at ControlPlane.

Talks

Policy + Cloud Controllers = Secure Scalable Dev-Centric Infrastructure.
Session format: Presentation (40m)
Level: Intermediate
Abstract:
In large organizations, securing cloud infrastructure around Kubernetes is hard. Application developers, who’ve already had to learn Kubernetes, shouldn’t need to become IAC SMEs to operate their applications' backend cloud infrastructure. Alternatively, using infrastructure teams to service requests and centralize control doesn’t scale with an increasing number of users and use cases. In this talk, Rowan and Henry will demonstrate how infrastructure teams can use policy engines to secure an emerging model that uses Kubernetes hosted cloud controllers (Crossplane, ACK, config-connector) to provision infrastructure. This model enables application teams to self serve, whilst preventing the launch of insecure infrastructure. To ease adoption of the model, Rowan and Henry will open source policies and templates to enforce controls aligned with the CIS benchmarks and to simplify the developer experience by setting secure defaults and dynamically generating supporting cloud resources.

Sebastien Blot

Speaker Bio

After working in penetration testing, high-security hosting, and satellite imagery for the past 10 years, Sebastien Blot joined CrowdSec as a Core Developer to focus on developing their open-source IPS. The tool leverages both IP behavior & reputation to build a community-fueled CTI accessible to all to tackle the global hacking issue.

Talks

How to protect your Kubernetes cluster using Crowdsec
Session format: Presentation (40m)
Level: Intermediate
Abstract:
The [CrowdSec](https://github.com/crowdsecurity/crowdsec/) project aims at providing a crowdsourced approach to common infrastructure defense problems, by distributing free & open-source software allowing you to protect yourself and share information about malevolent actors. CrowdSec could be perceived as a modern form of Fail2ban, though for Cloud and container-based infrastructure as well and capable of taking way more advanced decisions a lot faster. Mainly, it’s using a decoupled and distributed approach (detect here, remedy there) and an inference engine that leverages leaky buckets, YAML & Grok patterns to identify aggressive behaviors. It acquires signals from various data sources like files, syslogd, journald, AWS Cloudwatch and Kinesis, Docker logs and Windows Event Log, normalizes them, enriches them to apply heuristics and triggers a bouncer to deal with the threat, if need be. Since it’s written in Go, it’s compatible with almost any environment, fast in execution and resource conservative. The endgame is the Reputation engine though. If you want to partake in the network to benefit from its findings, CrowdSec captures all aggression signals (timestamp, IP, behavior) and sends them for curation. That way, it establishes a reliable IP blacklist that is constantly redistributed to the network members, in order to achieve a form of Digital Herd Immunity. An IP caught aggressing WordPress sites will quickly be banned by all members using CrowdSec that subscribed to the WordPress defense collection. In that way, we share the IPs that are relevant to your technical context.

While Crowdsec is in charge of the detection, the reaction is performed by "bouncers" that aim to be deployable at any level of the applicative / infrastructure stack:

* via nftables/iptables/pf based on an IP set
* via Nginx lua plugin
* via Traefik middleware
* on Cloudflare via our bouncer that integrates with Cloudflare API
* or GCP/AWS/Azure firewall, slack or scripting, notifications, etc.

... or in many other ways. Over time the possibilities will increase as the application design basically supports anything. This approach, combined with a declarative configuration and a stateless behavior, makes it an ideal candidate to enhance the security of modern stacks (containers, Kubernetes, serverless and, more generally, automatically deployed infrastructures). Furthermore, we intend to create and share as accurate a database of malevolent actors as possible, in the form of a real-time IP reputation system, accessible through an API. Whenever an attack is locally blocked/detected by Crowdsec, the "meta" information of the attack (source IP, date and triggered scenario) is shared amongst participants for redistribution to network members.

We are committed to building a strong community, with all that it implies:

* [a public hub](https://hub.crowdsec.net) to find, share and amend parsers, scenarios and blockers
* a permissive open-source license to stay business friendly
* and overall a strong commitment to transparency and a community-first mentality, by tooling and behavior

The microservice architecture is the most significant security challenge in a Kubernetes cluster. Every application you deploy opens a new potential entry for attackers, increasing the attack surface. In this talk, we'll present the Crowdsec project and see how we can protect a Kubernetes cluster using Crowdsec and the power of the Crowd.

Simon Emms

Speaker Bio

Simon has been working as a software engineer since 2006, in which time he's done work for the likes of Gitpod, DPD, Specsavers, British Pathé, the NHS, the Red Cross and others. He's used pretty much all of the major languages over the years and since 2017 has been focused on building DevOps solutions and Cloud-native applications that help engineers to work faster and more productively. Since 2021, he has been working with Gitpod to improve the self-hosted experience, which is relied upon by companies with specific security and compliance requirements. When not behind a computer he's a keen gardener, beekeeper and makes his own sausages.

Talks

Why We Chose To Ditch Helm To Gain Open Source Sanity
Session format: Presentation (40m)
Level: Advanced
Abstract:
Helm is a truly excellent ecosystem and is rightly valued the world over for giving full customisation of deployments. For open-source projects with a finite number of support engineers, full customisation is not always desirable. Sometimes, you need to provide opinionated guide rails for people in order to provide effective support for your product. This session will focus on the reasons why Gitpod has deprecated its Helm charts and switched to a custom-built Installer. Simon will explore some of the benefits and pitfalls experienced and how the community reacted to such a seismic change. He will also answer the question: "would he do it again?"

Suhail Patel

Speaker Bio

Suhail is a Staff Engineer at Monzo focused on building the Core Platform. His role involves building and maintaining Monzo's infrastructure, which spans over two thousand microservices and leverages key infrastructure components like Kubernetes, Cassandra, etcd and more. He focuses specifically on investigating deviant behaviour and ensuring services continue to work reliably in the face of a constantly shifting environment in the cloud.

Talks

Migrating a cluster with 2000+ microservices to managed Kubernetes: lessons and learnings
Session format: Presentation (40m)
Level: Advanced
Abstract:
Monzo has been running a single self-hosted Kubernetes cluster per environment for years, and we decided to migrate to a managed Kubernetes service. This talk is all about the challenges and perils of doing a high-stakes, real-world, zero-downtime Kubernetes migration at scale 🤓

We'll talk about the constraints and challenges, including:

  • the complexity, diversity and quantity of the systems running on the cluster
  • downtime having real human impact, with someone potentially not being able to pay for food or make a rent payment
  • the sheer number of different services and teams to interact with, which meant that we had to adopt an automated process that was fully transparent to other engineers

We'll dive into some of the technical details that allowed us to migrate within these constraints, and our plans for rearchitecting our platform to make future upgrades and migrations easier. Takeaways will include:

  • How Kubernetes makes infrastructure migrations more manageable
  • Actionable learnings about doing migrations at scale in general

Viktor Farcic

Speaker Bio

Viktor Farcic is a Developer Advocate at Upbound, a member of the Google Developer Experts and Docker Captains groups, and a published author. His big passions are DevOps, Containers, Kubernetes, Microservices, Continuous Integration, Delivery and Deployment (CI/CD) and Test-Driven Development (TDD). He often speaks at community gatherings and conferences. He published The DevOps Toolkit Series (https://www.devopstoolkitseries.com/), DevOps Paradox (https://amzn.to/2myrYYA) and Test-Driven Java Development (http://www.amazon.com/Test-Driven-Java-Development-Viktor-Farcic-ebook/dp/B00YSIM3SC), as well as courses in Udemy (https://www.udemy.com/user/viktor-farcic/). His random thoughts and tutorials can be found in his blog TechnologyConversations.com. He is the host of the DevOps Toolkit (https://youtube.com/c/devopstoolkit) YouTube channel and a co-host of DevOps Paradox (https://www.devopsparadox.com/) podcast.

Talks

Applying GitOps To Everything
Session format: Presentation (40m)
Level: Introductory and overview
Abstract:
You are likely already using GitOps for your applications, but not for everything else. You are likely not using Argo CD, Flux, Rancher Fleet, or similar tools to manage the state of your infrastructure and services. Why is that? If GitOps is a great solution for apps, isn't it safe to assume that it would be equally beneficial for anything else? What is missing? The problem is that most of the commonly used GitOps tools are managing Kubernetes resources which, traditionally, do not deal with infrastructure and Cloud services. That's what we need to change. We need to expand Kubernetes with custom resources that can manage anything, no matter whether that's AWS, Azure, Google Cloud, GitHub, Elastic, DataDog, or any other Cloud service. If we do that, we might convert Kubernetes API into a universal API. We might convert the Kubernetes control plane into a universal control plane. If we do that, we will get end-to-end GitOps through which everything is always in sync and where all we have to do is push changes to Git repositories. All we need to make that happen is Crossplane (an open-source project donated to CNCF), combined with Argo CD, Flux, or Rancher Fleet. Let's see it in action.

Location

Conference Venue

Edinburgh International Conference Centre,
The Exchange,
150 Morrison St,
Edinburgh,
EH3 8EE,
Scotland

Hotel

We have secured a reduced rate at the Hampton by Hilton for KubeHuddle attendees.

When selecting your room, use the group code: CHHGKH.

Hampton by Hilton Edinburgh West End
166 Fountainbridge,
Edinburgh,
EH3 9RX
Scotland

About

Our Values

KubeHuddle is a community run conference and we want to ensure that everything we do and say is transparent and made publicly available.

  • Our task list and what we’re planning is all public on GitHub
  • Our sponsorship details are all public
  • All titles submitted as potential sessions at KubeHuddle are public on Sessionize
  • This website is open source
  • Currently KubeHuddle is being run through my (@rawkode) company, but after the first event we’ll migrate this to a non-profit. All financial transactions for KubeHuddle will be made public as soon as I find a nice way to handle that.

Organizers