KubeCon + CloudNativeCon India 2025

In today's complex service mesh environments, ensuring secure and efficient network traffic management is a significant challenge. Many developers struggle with implementing robust, context-aware access control policies without disrupting existing systems. The Kyverno Envoy Plugin offers a solution by integrating with the Envoy proxy and leveraging the Kyverno Authz Server within the cluster, along with a cluster-wide resource called AuthorizationPolicy. This resource utilizes the CEL language to process these requests seamlessly, allowing you to authenticate and enforce policies seamlessly on all traffic.
In this hands-on session, the speakers will leverage this plugin to enhance the security and control of applications, ensuring they are protected from unauthorized access and threats without requiring changes to your microservices. They will also showcase how the plugin seamlessly integrates with various service meshes such as Istio, to extend its functionality across environments.

Sovereign deployments operate in geographically or network-isolated environments where data at rest and in transit is highly sensitive and tightly controlled due to jurisdictional regulations. These deployments come with strict security and compliance requirements.

At Adobe, we manage multiple sovereign Kubernetes deployments across different regulatory frameworks, each with unique constraints and challenges. We have to keep operational overhead minimal while ensuring compliance and security at scale.

This talk will cover key compliance and security requirements, such as vulnerability reporting, runtime container scanning, and policy enforcement. We will dive into the challenges we faced and the solutions we developed, including:
- Building a secure and efficient image distribution system
- Automating image vulnerability scanning
- Using Falco for real-time threat detection and response
- Enforcing compliance with Kyverno and Falco

Securing data access for AI agents has become a critical challenge. Traditional access control approaches fall short when AI systems need contextual, document-level permissions at scale and speed.

This talk demonstrates how Fine-Grained Authorization (FGA) provides robust security for Retrieval-Augmented Generation (RAG) and agentic AI systems. Learn how to implement permission models that protect sensitive information while enabling AI to access only authorized data.

The talk explores implementations using OpenFGA and LangChain, showcasing how to build security directly into AI retrieval pipelines.

The presenters will provide real world case studies to discover how enterprises can prevent data leakage, implement multi-tenant isolation, and maintain audit trails while scaling to billions of access decisions.

Thus join us to understand how one can maintain security without sacrificing performance or user experience in Agentic / Gen AI applications.

Resilience in Kubernetes often relies on pod restarts, but what if we could checkpoint running containers for forensic analysis and seamless recovery? This is where Checkpoint/Restore in Userspace (CRIU) and its integration with CRI-O and Containerd come into play.
When applications fail, are compromised, or need migration, traditional recovery methods lose valuable runtime data, making debugging, forensic investigation, and live migration difficult. CRI-U enables container-level checkpointing, allowing us to snapshot an application’s complete state, including memory, processes, and open files. This unlocks new security forensics, failure recovery, and workload resilience possibilities.
This session will explore how forensic container checkpointing enhances Kubernetes resilience. Attendees will learn how to securely capture, analyse, and restore container states, ensuring minimal downtime and improved security

LSMs provide kernel-level security mechanisms that can be used to address the dynamic challenges of cloud native security. KubeArmor, a runtime security engine and CNCF sandbox project uses LSMs to protect cloud workloads at runtime.

As a maintainer of KubeArmor, I will share my understanding working with LSMs to implement a robust runtime security engine to protect cloud workloads through the lens of KubeArmor.

While all LSMs provide crucial security benefits, their effectiveness varies significantly based on use-case, deployment context and operational requirements.

In this session, I'll be evaluating LSMs including SELinux, Apparmor and BPF-LSM across three critical dimensions:
Performance impact: The overhead each LSMs introduce.
Security capabilities: Each LSM's effectiveness against common attack vectors through live demonstrations.
Operational complexity: Highlighting the learning curve, complexities in implementation and maintenance.

Security often takes center stage—only after “something” goes wrong. When DevOps teams return a DevOops response! Teams scramble after breaches, misconfigurations, and compliance failures only to realize too late that preventive measures had been missing all along.

For the millions of marketing dollars poured into Shift-left and DevSecOps, security shouldn’t be an afterthought—it needs to be woven into every stage of the Software Development Lifecycle (SDLC).

In this panel, we will share real-world stories and discuss how to build a more security-conscious team culture. Security issues span a spectrum of causes ranging from communication breakdowns, lack of training, and plain old human error. We'll cut through the marketing noise and explore the tools and techniques that make a difference. No buzzwords. Just actionable advice you can take home and implement. Honest narratives, shot straight from the heart.