Bill Mulligan is a cloud native pollinator and community builder. He has given talks, written articles, and appeared on podcasts on a wide range of topics around cloud native. While at CNCF he restarted the Kubernetes Community Day program. He is currently at Isovalent growing the...
Confluent Cloud is a data streaming platform built on thousands of Kubernetes clusters across AWS, Azure & GCP. Confluent migrated clusters to use Cilium for its advanced security features like transparent encryption and DNS name-based network policies, along with performance, scalability & observability improvements. The main challenge was executing a live migration without disrupting stateful workloads, complicated by the risks of replacing a low-level component like the CNI. The process required meticulous planning to ensure intra-cluster connectivity during migration, while accommodating each cloud provider's unique network config. This talk shares the journey of migrating to Cilium, highlighting obstacles and lessons learned. We will explore uninstalling pre-existing CNIs, setting up Cilium & addressing cloud-specific issues to maintain connectivity. Benefits like transparent encryption, policies, and Hubble observability, along with the challenges faced, will also be discussed.
Alvaro is a software engineer with a deep passion for infrastructure and open source. He has been working with Kubernetes since 2017 and is a maintainer of the popular controller-runtime library.
Nimisha is a Software Engineer working on Confluent's Kubernetes Platform team. She has been in the cloud infra space for over 5 years, and has been an end-user of Kubernetes and many other open source technologies. Apart from learning about distributed systems and infrastructure...
eBay's cloud consists of thousands of microservices running on millions of containers across hundreds of Kubernetes clusters. In this dynamic & complex cloud environment, mapping dependencies between microservices is crucial. This session delves into how eBay innovatively and scalably uses Cilium, powered by eBPF, to monitor traffic flows, generate real-time traffic events and construct a comprehensive dependency graph of microservice interactions across hundreds of K8s clusters.
The presentation will cover:
The innovative use of eBPF and Cilium to monitor traffic events in near real-time
How traffic events are mapped to different microservices
The architecture and design of the scalable solution to handle the large volume data
The integration of OpenTelemetry for efficient traffic event stream processing
Key challenges and solutions in building and maintaining the dependency graph
Insights and lessons learned from integrating eBPF and Cilium into eBay’s infrastructure
Software engineer interested in distributed systems, currently working on securing large-scale Kubernetes infrastructure at eBay Inc., meandering between all layers from the Linux kernel to distributed control planes.
Sudheendra is a Principal Engineer and Cloud Architect in the Cloud Infrastructure group at eBay. He has more than 14 years of experience in cloud technologies including Kubernetes, Micro-segmentation, SDN, OpenStack and designing highly scalable and performant systems.
Conway’s Game of Life is well known in computer science as a Turing complete zero-player game. In this keynote you’ll see Game of Life implemented in eBPF, and explore what this means for the evolution of eBPF as a powerful platform for infrastructure tools.
Liz Rice is Chief Open Source Officer at Isovalent, the creators of the Cilium project, and now part of Cisco. Currently on the boards of the CNCF and OpenUK, she was chair of the CNCF's Technical Oversight Committee 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018. She...
Least privilege is a very old concept that is well understood and already implemented in the cloud native landscape by security teams. It is often encountered when they deploy an application and are asked: what privileges does this workload require? Join John and Natalia to learn how eBPF makes it possible to implement least-privilege policies by injecting code inline into the kernel while keeping application overhead minimal! This will be a fun talk that evaluates eBPF-based least-privilege policies against a list of known CVEs in a live demo. We will show how eBPF can be used to implement the least-privilege principle by monitoring every process and system call execution, networking and file access, or even stack traces, combining this data to create a known ordering and making the attacker's job immensely harder. We will finish by explaining where this technology shines and where we are continuing to improve to block the next generation of security attacks.
Natalia Ivanko is a Sr. Product Manager at Isovalent, and now part of Cisco, leading an eBPF-based Runtime Security Product, Tetragon. She has been previously a Security Engineer with a strong background in Linux, Container and Cloud Security. Passionate about building things that...
Seccomp has long been a critical security feature in the Linux kernel and a powerful tool for access control. With the emergence of eBPF, the landscape of kernel security has started evolving rapidly, offering opportunities to improve and extend security policies. In this talk we will show how to achieve some of seccomp's capabilities and extend them using eBPF and KRSI in security use cases. The talk will give an overview of seccomp in general and in Kubernetes, focusing on its importance in securing containerized workloads. We will review applicable eBPF capabilities, showing how they change the way we can inspect and filter syscalls at runtime. We will introduce KRSI and LSM, showing how they can enhance kernel security. The session will end with a demo of our PoC that leverages eBPF and KRSI to create a modern alternative to seccomp. Illustrating a real-world option will provide attendees with practical knowledge on how to reinvent seccomp for enhanced security.
Ben is a veteran cybersecurity and DevOps professional, as well as a computer science lecturer. Today, he is CTO and co-founder at ARMO, with a vision of making end-to-end Kubernetes security simple for everyone, and a core maintainer of the open source Kubescape project. He teaches...
Dor Serero is a Principal Software Engineer at Microsoft. Dor is passionate about distributed systems and security. Outside of work, you can find Dor spending time with his wife and two daughters or holding a video game controller.
Cloud-native security requires a shift in mindset. Workloads are ephemeral, the attack surface has grown and with it, the complexities. eBPF has emerged as a powerful technology, enabling deep visibility and dynamic security capabilities within the Linux kernel. This panel will explore use cases in which eBPF enhances cloud-native security. We will explore how eBPF can be leveraged to perform real-time monitoring, threat detection, and mitigation across containerized applications and microservices. Our expert panelists will share insights on using eBPF for network security, application profiling, anomaly detection, and enforcing security policies at the kernel level. Additionally, we will discuss the integration of eBPF with popular cloud-native tools and platforms, showcasing practical implementations.
Whitney is a lovable goofball and a CNCF Ambassador who enjoys understanding and using tools in the cloud native landscape. Creative and driven, Whitney recently pivoted from an art-related career to one in tech. You can catch her lightboard streaming show ⚡️ Enlightning on her...
Anna is a software engineer at Isovalent, focusing on eBPF-based observability and security. Her previous roles span the industry: she wore both developer and SRE hats, and worked in AdTech, FinTech, public healthcare, an end-user SaaS company and a hosting provider. On good weather...
Oshrat Nir is the Developer Advocate at ARMO, where she helps customers adopt Kubernetes security. She has over 20 years of IT experience, including roles at Amdocs and Giant Swarm. She is a big believer in transparency and community, and she loves telling stories. She excels at bridging...
Maya is a Product Manager at Microsoft who is passionate about data driven product development. With experience in financial services and Ed-tech she is excited to now delve into all things open source. Maya holds a Bachelor's degree in Biomedical Engineering and an MBA, both from...
Cortney is a Developer Advocate at Kubeshop and a co-organizer of the CNCF Bilbao Community. Initially a non-techie turned tech lover, she began her career as employee number 7 at a DevSecOps startup (acquired by DataDog) and wrote the newsletter and other content for the Data on...
To keep up with infrastructure growth, companies around the world are managing an increasing number of Kubernetes clusters. Enforcing Kubernetes-native network policy at scale is already hard enough within a single cluster. Extending this to multiple clusters is even more challenging. Depending on the shape of your infrastructure, your cross-cluster policy requirements may be unique, and there’s no one-size-fits-all configuration. In this talk, we’ll dive deep into how different solutions work in Cilium to understand sources of potential bottlenecks. We’ll discuss Clustermesh, KVstoremesh, DNS-based FQDN policy and a custom variant of KVstoremesh that Datadog leverages while meshing at scale. Specifically, we’ll discuss how factors like the number of pods, identities and pod churn will impact scalability and time to policy enforcement. Join us if you’re curious about understanding the latest in cross-cluster policy and leave with actionable insights you can apply to your infrastructure.
Hemanth Malla is a Senior Software Engineer working on Kubernetes and container networking at Datadog. He is also a Cilium CNCF maintainer. Previously he worked on various distributed systems in industries like e-commerce, fintech and high frequency trading. Apart from computers...
Maxime is an experienced systems and software engineer known for his passion for building robust infrastructures for small to large businesses. He successfully led his startup to acquisition by Twitter in 2021, and he is currently leading teams at Datadog where he brings a wealth of...
The techniques used to increase IPSec network performance are often kept as secrets because they act as a competitive advantage and a lucrative product offering. This talk transparently presents a technique for massively boosting IPSec performance that is simple to implement (less than 200 lines of C), and based entirely on open-source work. An early Proof of Concept (POC) implementation showed an increase in p99 throughput by 412%! This talk will take a deep-dive into how it all works, covering: the implementation, the pros and cons of the design, and an analysis of benchmark results. As transparent encryption becomes more crucial for securing data in transit, we hope this talk will enable users required to use IPSec for compliance or infrastructure reasons to learn how to speed up their network without having to compromise their security.
Ryan Drew is a Performance and Scale engineer at Isovalent, based out of the United States in Colorado. He has a passion for learning and building amazing technologies and collaborating with his colleagues to help make a positive impact.
Engineers may be tasked with rolling out a new Container Networking Interface (CNI) to their environment. Sounds easy enough! Delete the old one, deploy the new one. Or maybe just deploy a brand new cluster! What if... there was another way? The talk will show how a live, in-place migration of the CNI plugin was performed in production clusters. It will highlight a few approaches that were considered, and what approach was eventually selected before proceeding with the migration process. Lastly, the procedure and steps taken to execute this migration will be shared, along with any lessons learned.
Hubble is a great solution for finding and fixing network problems in a Kubernetes cluster. However, we noticed that one of the main barriers for people to use Hubble is its dependency on Cilium as the dataplane. In this talk, we'll demonstrate how to decouple Hubble from Cilium, and use Hubble as a powerful Observability/metrics platform on top of any custom data plane. We will show you how to make Hubble work with any data source you want, without changing any code in Hubble. We'll show you an example of one such open source project called Retina and compare how key features work with both Cilium and custom CNI. In a live demo, we will show that you can get the same experience with Hubble regardless of what CNI you use.
Kepler needed to migrate its old eBPF probes developed with BCC to probes that were compiled ahead of time. Maybe you do too? While performing this migration we were able to use some modern features of eBPF, the cilium/ebpf Go library, and bpf2go to make our probes multi-platform. Kepler (Kubernetes-based Efficient Power Level Exporter) is a CNCF project focused on measuring the environmental impact of software. At its core, Kepler uses eBPF to gather metrics from the Linux Kernel, which feed into an ML model that estimates power consumption for processes, VMs, and Pods. By the end of this session, you’ll gain a deeper understanding of eBPF, practical insights into its application in power consumption monitoring, and strategies for modernizing existing eBPF programs. Join us to learn from our experience and take away actionable best practices for your own projects!
Dave is a long-time networking nerd, turned software engineer at the dawn of Software Defined Networking (SDN). A passionate Rustacean who currently helps to maintain Aya - a pure Rust eBPF library - alongside the Rust Compiler's BPF target, which allows users to program in Rust as...
A lot of eBPF programs fall into the category of observing the Linux system, i.e. the kernel, system libraries or user-space programs. For the purpose of observing the system, we mostly rely on reading memory with eBPF, either kernel or user-space memory. However, some eBPF use cases require writing memory, for example propagating W3C context for various application protocols. This talk focuses on our journey to implement W3C trace context propagation with eBPF at various levels of the protocol stack. We explore what memory-write eBPF APIs are available to us today, along with their implications for system security, stability, required permissions and implementation difficulty. We’ll present two working solutions with their pros and cons, a lot of dead ends, as well as explore what a new approach might look like by leveraging the “BPF arena” feature in kernel 6.9.
Nikola Grcevski has worked as a software engineer for more than 20 years, mostly in the field of compilers, managed runtimes and performance optimization. Most recently he's working on low level application instrumentation with eBPF at Grafana Labs.
This talk will dive into five common configuration pitfalls that beginners encounter when using Tetragon for runtime observability on their workloads. We'll explore the implications of each gotcha and provide clear steps to avoid them. The talk will also cover best practices for configuring Tetragon in a Kubernetes environment.
Pratik Lotia is an infrastructure security engineer at Reddit, where he is responsible for building tools and processes for implementing security best practices for cloud native environments. He has extensive experience working on security projects for public & private clouds and...
Applications in edge environments can be platform dependent, complicated and distributed across regions, and the number of devices is increasing significantly. Our final goal is to create an infrastructure that can be applied in common across the entire environment, spanning cloud and edge. Working with KubeEdge and Cilium, we are now able to use Cilium with KubeEdge-hosted nodes in edge environments. This means that enabling the WireGuard VPN in Cilium provides transparent network connectivity with the nodes running in the cloud infrastructure, so that nodes running at the edge simply appear to be members of the cluster while keeping the edge autonomy feature provided by KubeEdge. We would like to share our technical insights and experience using Cilium at the edge with KubeEdge, and our plans for future development and contribution with the Cilium community.
Senior Staff Software Engineer, Sony Corporation of America
Software Engineer, Sony Corporation of America. System software architect and developer in Sony Corporation R&D Center. A member of the ROS (Robot Operating System) TSC (Technical Steering Committee): https://index.ros.org/doc/ros2/Governance/ GitHub: https://github.com/fujitatomoya