Masaya Aoyama Senior Software Engineer, CyberAgent

Kubernetes has been undeniably successful over the last 10 years. That said, the world is changing. The things that made us successful will not keep us successful.

In this talk, I will look at a few of the things that I think could be existential risks to Kubernetes over the next couple of years.

Do you think platform engineering is too hard? Or is it just a buzzword? Is the CNCF landscape too tricky to visualize? If you’ve been in this industry long enough, you should know that platform engineering has been around for a long time. Most of us have been trying to build developer platforms for decades, and most of us have failed at that. That begs the questions: “What is different now?” “Why will this time be different?” and “Do we have a chance to succeed?” We’ll take a look at the past, the present, and the future of platform engineering. We’ll see what we were doing in the past, what we did wrong, and why we failed. Further on, we’ll see what we (the industry as a whole) are doing now and, more importantly, where we might go from here. Get ready for the hard truths and challenges you will face when trying to build a platform based on Kubernetes. Join us for a pain-infused journey filled with challenges teams will face when building platforms to enable other teams.

This session explores the security enhancement KEP-3619: "Fine-grained SupplementalGroups Control" graduated to beta in Kubernetes v1.33. This KEP addresses the previous mysterious behavior of managing supplementary groups, which could introduce security risks in accessing volumes. The feature enables more precise control over supplementary groups, strengthening the declarativeness of Pod configurations. Additionally, it enhances the transparency of UID/GID details through Pod manifests, offering improved oversight of security settings. Attendees will learn how these advancements can simplify and strengthen their security strategy regarding supplementary groups management.

Concerned by the evolving threat landscape? Frustrated by the number of different tools required for runtime security? This session explores in detail how Tetragon, powered by eBPF, can observe and enforce network and application runtime behaviours. This allows Tetragon to observe and enforce application and runtime attack vectors. Learn how to build out an operating system hardening policy, observe and mitigate vulnerabilities discovered in running workloads with compensating controls and combine it all to protect workloads from nation-state threats such as BPFdoor or xz/liblzma.

This practical, detailed, and extensive session will give you a strong head start in protecting your workloads from the core of your application runtimes wherever they may run thanks to the power of eBPF.

In this session, you'll learn how to troubleshoot the OpenTelemetry Collector.

From validating YAML configuration to enabling debug logging and visualizing your data pipelines, learn how to avoid common problems and how to get more data so you can deploy OpenTelemetry faster.

You'll also see examples of zpages and OTelBin - two tools that can make Collector configuration and troubleshooting much easier.

In the vehicle world we have a variety of secrets that exist on disk that often need to be managed carefully. This problem is not unique to vehicles, many client devices such as phones, gaming consoles, and other types of small devices often need to maintain a secret sync between the cloud and the device. This talk will cover strategies for having an effective sidecar in the cloud, how to maintain synchronization with the client devices, and usefulness of said sidecars.

(Some) Technical Details: First, an explanation of sidecars will be given. This will include a look at embedded capabilities such as attestation that is available from some trusted execution environment operating systems such as OpTEE and QTEE. This embedded capability enables secure communication with the cloud and a trusted sidecar via the use of key wrapping technologies.

Next the talk will examine a few different options for security sidecars or digital twins in the cloud • Kubernetes pods • AWS Nitro • Azure Confidential Compute These options will be explained in detail, some advantages and disadvantages of each one and how they would integrate in with a proper side car solution. Further exploration into the IOT defensive strategies of the major cloud vendors will also be briefly touched on (such as AWS IOT Device Defender).

An end to end scenario of why a sidecar should be used and how when implemented properly will be shown from an embedded device. Potential threats, weaknesses and challenges will be shared.

This session will use simple and understandable analogies to explain the basic goals and properties of the graduated CNCF security projects: TUF, in-toto, SPIFFE, Cert-manager, OPA, and Falco. The goal will be to build a basic understanding of each project so attendees can understand if they want to dig further.

For example, in-toto is like an inspector that takes pictures (in-toto attestations) of what is happening as software is made. You can also tell it what the pictures (via an in-toto policy) should look like so that if something went wrong, bad software isn't produced. This makes it so the factory makes the software we expect even if there are bad guys trying to mess it up.

I plan to have this be a very visual talk and say the simple descriptions in both English and Japanese as a way to test whether I really can use simple enough phrases and words.

containerd is a CNCF-graduated container runtime project. In this session, Kohei, a reviewer of containerd, will provide an overview of the project, including how it's used by tools like Docker, Kubernetes and other tools through its API. He'll also cover its extensibility via the plugin system, such as the faster pulling of images by "lazy pulling" with Stargz Snapshotter plugin.

LT1: [Introduction to “Backstage”, Hitoshi Kamezaki] LT2: [You Need Help?Nutanix Kubernetes Platform!!, Koki Nakahata]

Masaya Aoyama Senior Software Engineer, CyberAgent

Kubernetes has been undeniably successful over the last 10 years. That said, the world is changing. The things that made us successful will not keep us successful.

In this talk, I will look at a few of the things that I think could be existential risks to Kubernetes over the next couple of years.

本セッションでは、XDPとtc-bpfを組み合わせた構成により、Linuxカーネル上でeBPFを活用してトラフィックの帯域制御を行う方法について解説します。パケットへのメタデータ付与を通じたクラス分けと整形処理の連携、ユーザー単位のQoS実装やスケーラビリティ対応まで、実践的な知見を交えてお伝えします。 / In this session, we will explain how to implement traffic shaping using eBPF on the Linux kernel by combining XDP and tc-bpf. We’ll walk through a practical approach where metadata is attached to packets for class-based traffic control and shaping, and discuss how to build scalable QoS mechanisms per user. Real-world insights and implementation tips will also be shared.

TBA

Inspektor Gadget は eBPF を利用して KubernetesクラスタやLinuxマシンをデバッグするためのツールとフレームワークで、CNCFのsandboxプロジェクトの1つです。Inspektor Gadgetの仕組み、使い方やKubeCon EUでContribfestに参加してみたレポートなどを紹介します。

OpenTelemetryはさまざまなテレメトリーを共通規格で扱えるようにすることで、アプリケーションとオブザーバビリティ基盤を疎結合化してくれています。しかし、その間にあるOpenTelemetryは何を行っているのでしょうか。本セッションではOpenTelemetryが各種コンポーネントで扱っている内部的なデータ構造や仕組みを解説します。本セッションによってOpenTelemetryの理解をより一層深められることでしょう。

WebAssembly (Wasm) is known for its platform-neutral execution, letting the same program run across devices, edge systems, and the cloud without platform-specific changes. Thanks to an active and growing community, we now have a rich set of runtimes optimized for various environments—making Wasm more versatile and efficient than ever. But what if Wasm could go beyond static portability and become truly dynamic? In this talk, we explore live migration between different Wasm runtimes, allowing workloads to move at runtime—for example, following a user across networks or shifting to another platform under high load. This isn't easy. Runtimes differ in how they represent execution state, and optimizations like JIT or AOT make migration tricky. To tackle this, we're experimenting with two research approaches: (1) converting runtime-internal execution states, and (2) adding migration-aware features through a self-hosted Wasm runtime. We'll share what we've learned and the challenges we've faced, as we explore how we can help advance the Wasm ecosystem.

In this session, we will present the results of a comparison of Keycloak and other authorization server products, examining their functionality and compliance with security standards through an investigation of the server metadata publicly available from each product. Currently, there are over 100 services among authorization servers that have received the Basic OP certificate from the OpenID Foundation. Developers considering implementation need to accurately understand and compare the features of various authorization servers. One method to quickly grasp these features is by reviewing the server metadata presented in an easily interpretable JSON format. The server metadata provides information about the features of the authorization servers and their compliance with security standards such as specifications established by OpenID Foundation, RFCs, and drafts. By comprehensively understanding the compliance with security standards and basic features of each authorization server product, it is possible to identify differentiation factors which can contribute to the future development of Keycloak. In this presentation, we will report on the results of investigating the server metadata of authorization server products such as Keycloak, Auth0, Ping Identity, Connect2id, Okta, Microsoft Entra, and ForgeRock. In addition, we will discuss and compare Keycloak's features and compliance with security standards with those of other authorization server products.

We have developed AILERON Gateway, a small-footprint, open-source reverse proxy designed to expand OAuth2 and OIDC client options in both Kubernetes clusters and traditional on-premises environments.

A single binary and one YAML file provide: • AuthN & AuthZ client features (OIDC/OAuth2 and FAPI) • Authorization hooks for Casbin and OPA • Basic web security—CORS, CSRF • Traffic controls—rate limiting and round-robin load balancing

https://github.com/aileron-gateway/aileron-gateway https://aileron-gateway.github.io/docs/concepts/

In this five-minute session we’ll cover: • Why we built it—gaps we hit with existing AuthN/AuthZ clients such as mod_auth_oidc and OAuth2-Proxy • What it means for you—sample use cases and configuration snippets • What’s next—the project roadmap

This presentation will cover the latest updates on Podman and CRI-O as of summer 2025. Podman is a daemonless container engine for developing, managing, and running OCI containers on your Linux system, while CRI-O is a lightweight container runtime specifically designed for Kubernetes. In addition to these core container technologies, we will also introduce RamaLama, a local development and serving tool for AI models based on container technologies. Join us to learn about the latest container ecosystem updates and discover how you can easily develop and serve AI models locally with RamaLama.

The use of cloud, SaaS, and generative AI is growing rapidly. Running these workloads across multiple clouds now hides true costs, leaves unused resources, and unclear who is responsible for the bill, slowing release cycles and shrinking profits. With each department tracking different metrics, organizations struggle to correlate cloud spend with business value, leaving leadership to make decisions with incomplete insight. In this "Cloud+" era, FinOps solves this problem by giving finance, engineering, and business the same real-time cost data and a common playbook.

In this session, we explain the core principles of FinOps and its three-phase cycle - Inform → Optimize → Operate. And, we outline the respective roles as a community of the FinOps Foundation-which leads framework development, standardization, certifications, and global events-and the FinOps Foundation Japan Chapter, which localizes resources, supports implementations, and builds community.

Kubernetes Upstream Training in Japan は Kubernetes コミュニティでコントリビューションを始めたい方のためのコミュニティ参加入門講座です。Kubernetes コミュニティの説明、参加のための心構え、様々なコントリビューション方法、Kubernetes コミュニティ公式の Slack や練習用リポジトリを用いたコントリビューションの練習を日本語で紹介しています。簡単な事前課題があります。実施の上、ご参加ください。

Only available in japanese

サステナビリティ技術を推進するコミュニティの紹介

このセッションでは、クラウドネイティブのサステナビリティ分野で活動している主要なコミュニティグループを紹介します。これには、CNCJ SIG Sustainability、CNCF TAG Environmental Sustainability、Green Software Foundation（GSF）、FinOps、およびIOWNイニシアティブが含まれます。参加者は、各グループのミッション、活動、貢献について学び、クラウドネイティブエコシステム内でのサステナビリティ推進に向けた取り組みを知ることができます。また、参加者がこれらのコミュニティにどのように参加し、サステナビリティ活動に貢献できるかについても理解を深めることができます。

In this session, we will introduce key community groups working on environmental sustainability in the tech field. This includes CNCJ SIG Sustainability, CNCF TAG Environmental Sustainability, the Green Software Foundation (GSF), FinOps, and the IOWN Global Forum. We will share our activities, contributions, and learned insight on promoting sustainability within the cloud-native ecosystem. Additionally, attendees will deepen their understanding of how they can engage with these communities and contribute to sustainability initiatives.

Informal networking session where attendees can continue conversations, explore collaboration opportunities, and discuss potential follow-up actions.

参加者が会話を続け、協力の機会を探り、今後のアクションについて議論できるカジュアルなネットワーキングセッション。

【Doc Sprint 〜みんなで翻訳！Kubernetes日本語ドキュメント〜】

KubeCon開催に合わせて、Kubernetesの日本語ドキュメント翻訳に貢献するイベント「Doc Sprint」を開催します！

Kubernetesのドキュメントは、ユーザーや開発者にとって重要な情報源です。その日本語翻訳を一緒に進めてみませんか？ 「技術的に貢献してみたいけど、コードはちょっと…」という方にもピッタリ。翻訳という形で、Kubernetesコミュニティに貢献することができます。

このイベントでは、Kubernetes Docs-jaチームのapproverが参加者をサポート。初めての方でも、コントリビューションの手順や、翻訳ルールなどを丁寧にお教えします。わからないことがあっても大丈夫。みんなで楽しく、少しずつ進めていきましょう。

【対象者】 Kubernetesドキュメントの翻訳に興味がある方、 コミュニティ活動に参加してみたい方、 ドキュメントを通じて技術を学びたい方、 初心者・未経験者も大歓迎！

【持ち物・事前準備】 ノートPC、GitHubアカウント (事前に作成をお願いします)

※ランチボックスが提供される予定です。 【お申し込み】 画面上部の「RSVP」をクリックし、「Doc Sprint by KUTJ (in-person)」を選択してください。

【Only available in Japanese】

Small group discussions focused on key topics, including:

• Organizing APAC time zone meetings and gauging interest in the APAC region.
• Balancing performance with sustainability in cloud-native applications.
• How to contribute to sustainability-focused projects and raise visibility in the TAG ENV community.
• Additional sustainability topics raised by participants.

Each group will share their findings with the broader audience. We will prioritize actionable ideas and determine the next steps for addressing key issues, including potential pull requests (PRs) or issues to raise in the TAG repository.

グループに分かれて、以下の重要なトピックに焦点を当てたディスカッションを行います：

• APACタイムゾーンのミーティングの組織方法と、APAC地域での関心の測定
• クラウドネイティブアプリケーションにおけるパフォーマンスとサステナビリティのバランス
• サステナビリティに焦点を当てたプロジェクトへの貢献方法と、TAG ENVコミュニティでの認知度向上
• 参加者から提起されたその他のサステナビリティに関するトピック

各グループが自分たちの発表内容を広い参加者と共有します。実行可能なアイデアを優先順位付けし、TAGリポジトリで取り上げるべき主要な課題に対する次のステップを決定します。

The content will be announced at a later date. If you have a topic you would like to present, please contact us at cncj@googlegroups.com or on X (@amsy810). コンテンツは後日公開予定。開催したいトピックがあれば cncj@googlegroups.com またはX @amsy810 までご連絡をお願いします。