KubeCon + CloudNativeCon India 2024

Vector databases like Milvus and LanceDB are revolutionizing similarity search and AI workloads. However, their performance in cloud-native environments depends heavily on optimized storage configurations. This session will delve into configuring Ceph's RADOS Gateway (RGW) using Rook for this workload. And provide a sample demo of how to run these applications with RGW.

In this comprehensive session, we will delve into the intricate details of data protection in the context of cloud-native applications. We will start by examining the automation of application discovery. This includes a special focus on application-consistent backups, particularly crucial for distributed applications utilizing multiple persistent volumes. We will then navigate the considerations for temporary storage and compute needs during backup and restore operations. The discussion will extend to the impact on production applications' compute and I/O performance. As a highlight, the session will explore strategies for detecting and protecting applications from ransomware attacks. The final segment of the presentation will cover application recovery and thereby mobility of applications across different Kubernetes platform distributions. Each aspect is designed to prepare participants for a future where cloud-native data protection is efficient, resilient, and cost-effective.

In the telecom industry, service availability is critical, making local and geographic redundancy essential for disaster recovery. While 5G Core Networks emphasize centralized, cloud-native strategies, 5G Access Networks require distributed, low-latency redundancy for edge cloud environments. Current CNCF tools like Velero, Portworx, and Stash offer Backup and Recovery Solutions but lack live synchronization between active and standby clusters, crucial for telecom's KPI needs. This session will explore a K8S-native solution designed to bridge this gap, offering seamless redundancy for telecom workloads, particularly in microservices-based deployments like vRAN/ORAN. This solution supports a 2-way policy-based sync, allowing for fine-grained control on how data is managed during failover. The solution integrates with CNCF projects, including Nephio for intent-based automation and Prometheus for real-time monitoring, aligning with the move towards distributed cloud-native deployments.

Embark on a journey to supercharge your Go applications targeting WebAssembly by harnessing the profiling capabilities of pprof and wzprof. This session unravels the intricacies of optimizing Go-powered web applications for maximum performance. Discover how pprof provides deep insights into CPU and memory usage, forming the foundation of our optimization journey. Complementing pprof, wzprof, tailored for WebAssembly, offers streamlined performance analysis during module execution. Through practical demonstrations, learn how pprof and wzprof work together to resolve performance bottlenecks, optimize computations, and manage memory effectively. This talk equips both seasoned Go developers and WebAssembly newcomers with essential tools and techniques to maximize application efficiency and speed.

With user namespaces reaching beta in Kubernetes and new developments in CRI-O, we’re closer to making nested containers within pods more flexible and powerful. Traditionally limited by masked /proc and restricted user namespaces, this approach now offers capabilities similar to Podman. In this talk, we will explore how Kubernetes’ security features—privileged mode, rootless containers, and network isolation—can enable running containers inside pods. We’ll examine the support matrix for various configurations and discuss upcoming work to bring VM-like flexibility to Kubernetes pods for more secure and dynamic container orchestration.

Through the years, ClusterAPI has evolved into an indispensable tool, streamlining the lifecycle management of Kubernetes clusters across multiple infrastructure providers. The current approach adds a layer of complexity at the image-building stage, presenting users with a multitude of options. But what if we challenge this conventional approach? This presentation introduces a paradigm shift in ClusterAPI image building, leveraging systemd-sysext and image composability. Join me in this talk as we explore how this innovative approach could help cope with the never-ending matrix of Kubernetes versions and Distro images, significantly enhancing usability for users managing their workloads.

The most widely used runtime enforcement techniques today are prone to attackers. Many of these techniques work on the principle of stopping or killing a process in response to an attack, which relies at the mercy of an exploit writer putting little to no effort into avoiding triggering these detection mechanisms. Our discussion will focus on various aspects of runtime security: how it is currently implemented, its shortcomings, and the performance implications associated with these approaches. We'll explore a various range of cloud-based runtime security implementations. We'll expose the attacker's perspective, demonstrating how they can bypass these common runtime security measures. This will equip you to anticipate and counter their tactics. Finally, we will cover recent popular attacks and how appropriate runtime security measures can prevent them in the future.

Among the 4C (Cloud, Cluster, Container, Code) security in Kubernetes, there are various techniques to enhance the security of the cluster surface. In particular, Admission Control (webhook) is one of the most flexible and powerful methods. As this trend, there is movement to apply it to various forms of Kubernetes(e.g. GKE, Openshift and so on). In my opinion, one of the easiest and most efficient ways to apply it is to improve security through CEL (Common Expression Language). I believe that the Validating Admission Policy becoming `stable` in v1.30 is part of this proof. So I will show you the CEL DEMO provided by Google Cloud to get a quick and easy understanding of how to improve the security of GKE. Through this exercise, you will learn the basic structure of CEL and the freedom of scope that can be applied, and you will be able to apply it to any other platform with minimal effort.

Security is non-negotiable area and Kubernetes based environments are no exception! Usage of x509 certificates is the key thing. Be it K8s deployments in private or public cloud, ensuring availability of "right" X509 certificate for a service is very important. If this service is getting connected from external (apps/clients which are outside of K8s cluster) clients, this is even more important! But what is really the "right" x509 certificate and how can we ensure that is always remains "right"? Can we make corrections dynamically? Can we also ensure easy propagation of certificates imported from outside the cluster? Propagation of Certificate revocation lists to ensure services can deny revoked certificates? This talk helps describe the strategy K8s based products can use to dynamically generate, make correction and propagation of X509 certificates within K8s cluster using K8s operator design pattern and makes use of well-known CNCF projects such as cert-manager and trust-manager.

Join this talk to uncover the story of a high severity CVE-2024-26147 [CVSS: 7.5] discovered in Helm and understand the role of fuzzing in maintaining the ecosystem’s integrity. Through this demonstration, you'll see firsthand the systematic approach used to identify the vulnerability that caused Helm to panic when faced with missing YAML metadata. The issue enabled crashing Helm SDK-based clients over the network and additionally, bricking local Helm client installations. We'll dive into the specific tools and techniques that were instrumental in detecting the issue, focusing on their applicability to your daily work. This session is designed not just to share a discovery but to foster a community-wide commitment to proactive security practices. Learn how these insights can be applied to strengthen the security and reliability of your Kubernetes deployments, ensuring a safer environment for all users of the ecosystem.

Emerging Telco trends such as ORAN, advanced 5G core demands a disaggregated arch for scaling. Kubernetes based deployments are becoming a norm and much of the open CNCF/LF tooling are playing a major role. The aim of this submission is to talk about the challenges that Nephio(www.nephio.org) SIG-Security team faced about streamlining security operations across multi-cluster multi-region, multi-vendor based deployments. The aim is to talk about specific instances/use-cases where the Nephio management cluster needs to securely interact with regional/edge clusters for the control plane needs. Also why/how the Nephio security team envisaged SPIFFE as a foundational layer to bind multi region together. A particular problem statement in the context of ORAN deployments where SMO (Service Mgmt Orchestation) has to securely interact with IMS (Infra Mgmt Service) for secure creation of infrastructure and the role SPIFFE played in the context would be highlighted.

Expedia Group's journey to implement GitOps with ArgoCD is a story of innovation, scalability, and overcoming challenges. Our GitOps journey involved migrating from KubeFed to ArgoCD, focusing on extensive scalability testing across hundreds of virtual clusters, set up using open source tool, vcluster. We proactively identified potential challenges and prepared comprehensive test cases tailored to different application flavors. We created three types of applications for testing, with sizes varying between 15-30 resources, including CRDs and jobs, small applications containing 15 resources and large applications containing 30 resources. We experimented with multiple test scenarios, using permutation and combination of applications tested on 300 vclusters, scaling approximately 1,000 applications to 30,000+ across these clusters. We concluded this initiative with determining optimal settings for various tunable parameters in the ArgoCD controllers.