KubeCon + CloudNativeCon Europe 2024

One of the primary challenges of Istio's ambient mesh is its limited support for CNIs (Container Network Interfaces). Additionally, none of the Kubernetes network policies can be enforced while pods are included in the ambient mesh. This presentation introduces an innovative approach, currently in the process of being upstreamed (expected to be merged before IstioDay EU), to the Istio community. The proposed solution involves redirecting traffic from the pod to Ztunnel within the pod's network namespace. We will delve into how this approach seamlessly operates between Istio-CNI, Ztunnel, and application pods in the ambient mesh, all without requiring any restart of application pods during enrollment into the ambient mesh. We’ll also discuss potential improvements and tradeoffs in the scope of threat model, system resource, network policy and bypassability.

Cilium is quickly becoming the de-facto CNI for Kubernetes and establishing itself as an integral core of a best-of-breed cloud native stack. But how can users ensure they're operating optimally? In this keynote, join Idit as they share how Cilium is helping users achieve their network application goals with deep insights from Kubernetes. Learn how to strengthen the health and security your Cilium environment, optimally configure Cilium with Kubernetes and explore strategies on how to minimize downtime when upgrading Cilium.

Sidecar-less functionality has emerged as an alternative approach in service mesh architectures, addressing concerns related to costs and complexity associated with sidecars. Istio Ambient provides the flexibility of choosing between sidecars and sidecar-less. What about the service mesh resource usage and cost associated with either option? In this talk, Lin will discuss how to use Prometheus, node-exporter, Grafana and custom Grafana dashboard to observe the service mesh costs with both sidecar and sidecar-less options for workloads running in Kubernetes. Through interactive live demo, this talk aims to offer practical guidance and insights to help users to observe service mesh overhead and costs.

Istio ambient reached alpha as part of Istio 1.18, and the Istio community is diligently working towards driving Ambient to beta. The introduction of Ambient aims to simplify workload operations and reduce infrastructure costs. Whether you are currently using Istio or considering its adoption, you may be pondering whether to continue with sidecars once Ambient reaches production-ready status. In this panel discussion, esteemed members of the Istio Technical Oversight Committee (TOC) from Google, IBM, Solo, and Aviatrix will share their valuable insights on Istio, including ambient, and the future of Istio. Join us for a live interactive session, where our panel of experts will address your most challenging inquiries related to Istio! Initial seeding questions: - What are the current technical hurdles around Istio? - When is ambient mesh recommended for production? - How is GAMMA shaping the future of Istio? - Will ambient mesh be compatible with existing CNIs (Cilium, Calico etc)?

Get ready for an in-depth journey into IPv6 networking with Cilium! In this session, we dive deep into the powerful IPv6 capabilities of Cilium to supercharge your Kubernetes applications. Join us to uncover the extensive range of IPv6 features that Cilium brings to Kubernetes environments. From ultra-high throughput powered by BIG TCP to transition mechanisms such as NAT46/64, you'll see firsthand how Cilium elevates the IPv6 networking game in Kubernetes. Whether you're a seasoned Kubernetes pro or just getting started, this session promises valuable insights into harnessing the full potential of Cilium for IPv6 workloads.

Starting an open source project can seem deceptively simple for many engineers. Create a repository, write some code, and voila - you've launched a project and are witnessing a growing user base. But when does this escalating interest signal that it's time to transition from a side project to a full fledged company? This talk is designed to arm attendees with key indicators for determining whether it's time to seriously consider launching a company based on their open-source project. Drawing from the experience of four different founders in starting a cloud native company anchored on an open source product, this panel session will delve into essential metrics and considerations, including: - The alignment of the project's goals with feasible business strategies - Understanding that user engagement doesn't always equate to market fit - The sustainability and long-term viability of the project's development model - Assessing the market potential and crafting a unique value proposition

Service mesh is a powerful pattern for implementing strong zero-trust networking practices, introducing better network observability, and allowing for more fine-grained traffic control. Up until now, the sidecar pattern was used to implement service-mesh capability but as the technology matures, a new pattern has emerged: sidecarless service mesh. Two prominent open-source networking projects, Cilium and Istio, have implemented a sidecar-free approach to service mesh but they both make interesting design decisions and tradeoffs. In this talk we review the architecture of both, focusing on the pros and cons of implementations such as mutual authentication, ingress, and observability.

Who can resist the allure of cakes? In this session, Lin and Dims (maintainers from Istio and Kubernetes) will unveil the CAKES stack—a zero trust composition using five widely adopted CNCF graduated projects: - Cilium (C): An innovative CNI based on evolutionary eBPF. - Istio Ambient ( A): The most deployed service mesh in production with the new sidecar-less data plane choice. Kubernetes (K): The de facto platform for managing containerized workloads and services - Envoy (E): A high-performance proxy for API gateways. - Spire (S): A production-ready SPIFFE implementation to attest workload identities. They will delve into the technical requirements for establishing an effective zero trust architecture and showcase through live demo how the combining of these projects results in a powerful, open, and extensible platform, enabling developers to secure their cloud native applications with zero trust principle while ensuring consistency and reliability.

This talk will introduce the CNCF TAG Network and discuss how the TAG operates, how we work with CNCF network projects, and the work we have done to build guidance and write white papers for the ecosystem. During this session we will cover an overview of network projects in the CNCF, including the broader ecosystem, as well as projects that are currently being reviewed. We will also share updates of our latest work including the CNCF Network White Paper, Performance and Benchmarking white paper etc. Join us to find out how to contribute and participate in the CNCF network community and discover practical guidance on how to use cloud native networks in your environments.

When we started CNCF in 2015 to help advance container technology, Kubernetes was the seeding technology to provide a de facto container orchestration platform for all cloud native applications. Almost a decade later, the community has exploded with 180+ open source projects building on top of cloud native technologies. Looking ahead, what challenges will we have in the next decade? They will be vastly different for our users and contributors from today. Let us review some of the key CNCF projects today and lay out some possible avenues for where cloud native is going for the next decade, AI, sustainability, edge computing, security, service mesh, web assembly and more. Right or wrong, we’ll find out at KubeCon 2034!

Have you ever tried extending a fraisier cake with additional layers or decorations after it's baked? It's not an easy task. However, with Extended Berkeley Packet Filter (eBPF), extending the Linux Kernel can be simpler than making or extending a fraisier cake. eBPF empowers developers to extend and customize the Linux kernel efficiently, allowing them to build high-performing and feature-rich functions tailored to their business needs. Are you keen on a hands-on tutorial for eBPF to gain a better understanding of how it fits into the cloud-native ecosystem? In this tutorial, we'll delve into the fundamentals of eBPF. We'll guide you through building and running your first eBPF program from scratch. Subsequently, you'll learn how to effortlessly share your eBPF program and run it in your Kubernetes cluster. Finally, we'll explore observing your eBPF programs running in Kubernetes and visualizing your metrics in Prometheus.

In an era where secure communication in multi-cluster environments is paramount, this talk explores the implementation of mutual TLS (mTLS) using Istio and SPIRE. We'll begin by outlining the security challenges in multi-cluster setups and the role of mTLS in addressing these issues. The session will then focus on the integration of Istio service mesh for managing microservices, and SPIRE for identity issuance and attestation, demonstrating how these technologies can be harnessed to enhance security. Highlights include: - The Essentials of mTLS and Istio's Security Features: Understanding their roles in multi-cluster security. - SPIRE Integration with Istio: Practical steps for implementation in a multi-cluster environment. This talk is designed for cloud architects, DevOps professionals, and security enthusiasts seeking to deepen their knowledge of securing Kubernetes multi-cluster environments.

Like baking a loaf of Pain Poilâne, technical leadership requires a balance of ingredients and continued practice and refinement of skills to create valuable and positive change. Renowned Parisian baker Lionel Poilâne believed the process is the most important aspect of vision. Cloud native technical leadership isn't any different, it is the exemplification of cloud native values in the communications, decisions, and commitment we make to the ecosystem. As individuals, we are responsible for our “loaves” or work from start to finish. But what does it mean? How can we create a recipe for other technologists to replicate those contributions to our projects and community successes? In this Panel, Technical Leaders across the cloud native ecosystem will share their experiences, insights, and methods to provide accessible explanations on being cloud native technical leaders across an international, diverse community of cloud native technologists.