KubeCon + CloudNativeCon India 2025

Managing node churn in large Amazon EKS clusters posed challenges due to fluctuating workloads, leading to instability and high costs. In this session, we’ll share how we leveraged Karpenter, an open-source K8s autoscaler, to optimize node provisioning and minimize churn across multiple EKS clusters. We’ll explore strategies like Pod Priority, PDBs, and node pools, improving scheduling efficiency and reducing resource waste thereby reducing cloud costs. Additionally, we’ll discuss reducing do-not-disrupt annotations, tightening affinity rules, aligning Karpenter nodes with EC2 savings plans and using latest features of karpenter like reserved instances to enhance performance and cost savings. One can gain insights into understanding node churning and its impact on costs and stability, optimizing Karpenter to scale nodes efficiently, achieving cost savings through spot instances and refined scaling policies. Join us to learn how to make EKS clusters more efficient and cost-effective!

Teams independently provisioning and managing Kubernetes clusters often leads to silos, inefficiencies, and rising operational costs.

This presentation will showcase how NVIDIA successfully consolidated its Kubernetes infrastructure management using ClusterAPI and in-house bare-metal machines. The speakers will demonstrate NVIDIA's implementation that incorporates heterogeneous machine types, including CPU, GPU, TEGRA, and ARM, enabling high-performance workloads to run seamlessly.

By implementing a custom ClusterAPI infrastructure provider, NVIDIA made lifecycle management of Kubernetes clusters more efficient. The team enhanced ClusterAPI by wrapping its templates into Helm charts, standardizing cluster deployments across the organization. Through GitOps workflows, NVIDIA ensured cluster creation and management followed a declarative, version-controlled approach, reducing operational overhead while improving consistency in multi-environment deployments.

Securing data access for AI agents has become a critical challenge. Traditional access control approaches fall short when AI systems need contextual, document-level permissions at scale and speed.

This talk demonstrates how Fine-Grained Authorization (FGA) provides robust security for Retrieval-Augmented Generation (RAG) and agentic AI systems. Learn how to implement permission models that protect sensitive information while enabling AI to access only authorized data.

The talk explores implementations using OpenFGA and LangChain, showcasing how to build security directly into AI retrieval pipelines.

The presenters will provide real world case studies to discover how enterprises can prevent data leakage, implement multi-tenant isolation, and maintain audit trails while scaling to billions of access decisions.

Thus join us to understand how one can maintain security without sacrificing performance or user experience in Agentic / Gen AI applications.

Resilience in Kubernetes often relies on pod restarts, but what if we could checkpoint running containers for forensic analysis and seamless recovery? This is where Checkpoint/Restore in Userspace (CRIU) and its integration with CRI-O and Containerd come into play.
When applications fail, are compromised, or need migration, traditional recovery methods lose valuable runtime data, making debugging, forensic investigation, and live migration difficult. CRI-U enables container-level checkpointing, allowing us to snapshot an application’s complete state, including memory, processes, and open files. This unlocks new security forensics, failure recovery, and workload resilience possibilities.
This session will explore how forensic container checkpointing enhances Kubernetes resilience. Attendees will learn how to securely capture, analyse, and restore container states, ensuring minimal downtime and improved security

LSMs provide kernel-level security mechanisms that can be used to address the dynamic challenges of cloud native security. KubeArmor, a runtime security engine and CNCF sandbox project uses LSMs to protect cloud workloads at runtime.

As a maintainer of KubeArmor, I will share my understanding working with LSMs to implement a robust runtime security engine to protect cloud workloads through the lens of KubeArmor.

While all LSMs provide crucial security benefits, their effectiveness varies significantly based on use-case, deployment context and operational requirements.

In this session, I'll be evaluating LSMs including SELinux, Apparmor and BPF-LSM across three critical dimensions:
Performance impact: The overhead each LSMs introduce.
Security capabilities: Each LSM's effectiveness against common attack vectors through live demonstrations.
Operational complexity: Highlighting the learning curve, complexities in implementation and maintenance.

Security often takes center stage—only after “something” goes wrong. When DevOps teams return a DevOops response! Teams scramble after breaches, misconfigurations, and compliance failures only to realize too late that preventive measures had been missing all along.

For the millions of marketing dollars poured into Shift-left and DevSecOps, security shouldn’t be an afterthought—it needs to be woven into every stage of the Software Development Lifecycle (SDLC).

In this panel, we will share real-world stories and discuss how to build a more security-conscious team culture. Security issues span a spectrum of causes ranging from communication breakdowns, lack of training, and plain old human error. We'll cut through the marketing noise and explore the tools and techniques that make a difference. No buzzwords. Just actionable advice you can take home and implement. Honest narratives, shot straight from the heart.