KubeCon + CloudNativeCon India 2025

In today's complex service mesh environments, ensuring secure and efficient network traffic management is a significant challenge. Many developers struggle with implementing robust, context-aware access control policies without disrupting existing systems. The Kyverno Envoy Plugin offers a solution by integrating with the Envoy proxy and leveraging the Kyverno Authz Server within the cluster, along with a cluster-wide resource called AuthorizationPolicy. This resource utilizes the CEL language to process these requests seamlessly, allowing you to authenticate and enforce policies seamlessly on all traffic.
In this hands-on session, the speakers will leverage this plugin to enhance the security and control of applications, ensuring they are protected from unauthorized access and threats without requiring changes to your microservices. They will also showcase how the plugin seamlessly integrates with various service meshes such as Istio, to extend its functionality across environments.

Sovereign deployments operate in geographically or network-isolated environments where data at rest and in transit is highly sensitive and tightly controlled due to jurisdictional regulations. These deployments come with strict security and compliance requirements.

At Adobe, we manage multiple sovereign Kubernetes deployments across different regulatory frameworks, each with unique constraints and challenges. We have to keep operational overhead minimal while ensuring compliance and security at scale.

This talk will cover key compliance and security requirements, such as vulnerability reporting, runtime container scanning, and policy enforcement. We will dive into the challenges we faced and the solutions we developed, including:
- Building a secure and efficient image distribution system
- Automating image vulnerability scanning
- Using Falco for real-time threat detection and response
- Enforcing compliance with Kyverno and Falco

Do you often find yourself upgrading various resources in k8s cluster? may be some 3rd party helm chart?

Do you get a feeling of shooting in the dark? That you do not exactly know what all changes are being brought in due to new helm chart version?

Have you faced broken deployments because 3rd paty helmchart maintainer changed the values.yaml layout and you did not change the overrides.yaml to adjust to changed structure?

Yes? Yes? Yes? Well... then you have come to right place find solution to such problems!

I will introduce you to Kyverno Chainsaw, which aims to help us reliably verify the deployments!

With Chainsaw, you define test steps (which can changes / delete existing resources / add new resources) and write assertion to verify that all changes have been reflected in the cluster.

During the session - lets explore Chainsaw via few demos and integrate it in CD pipelines and use reports.

Bonus: I will share small generator I wrote to create Chainsaw testcases quickly.

Are you experiencing performance issues with your Kubernetes control plane? Symptoms such as rising CPU/memory usage, 429 TooManyRequests errors, and delayed responses from the APIServer or ETCD can significantly degrade cluster responsiveness, especially in large environments, ultimately threatening infrastructure reliability.
In this talk, based on our experience managing tens of thousands of production clusters, we will explore how to leverage observability to identify performance bottlenecks and root causes. We'll compare logging, monitoring, and tracing within the Kubernetes control plane, using real-world example - analyzing LIST request.
We will introduce best practices for observability, discuss common performance pitfalls such as APF flow control issues, misconfigured APIServer webhooks, and the heavy burden of excessive LIST requests on control plane, etc. Additionally, we will share optimization solutions for these scenarios, empowering you to enhance cluster performance.

APIs helped define cloud-native—but agentic systems need more.

In this talk, we introduce MCP (Model, Context, Protocol)—an architectural framework built for adaptive, AI-enhanced, agentic systems. You'll learn how MCP extends API-centric thinking to define not just interfaces, but also capabilities, environment-aware behavior, and reflective discovery.

We’ll explore:

How MCP aligns with Kubernetes' dynamic, declarative model
Why JSON-RPC (not REST/gRPC) is the best fit for dynamic agent tooling
Real-world examples of LLM-driven clients discovering tools, prompts, and commands at runtime
How to structure MCP clients and servers using C# or Go for cloud-native deployment
You'll leave with code samples, a conceptual model, and a UML-driven design for building MCP-based systems—ideal for Kubernetes-based platforms, autonomous agents, and AI-enhanced developer tools.

In Kubernetes, DNS resolution is vital for service discovery. CoreDNS, the default DNS provider, can face performance issues such as timeouts, latency, and scalability challenges, which increase reliance on upstream DNS and lead to unreliable service discovery. To enhance DNS reliability, we propose integrating Node Local DNS Cache.

We'll discuss implementing node-local DNS caching in 270 clusters with over 18,000 nodes, effectively resolving DNS issues, boosting resolution reliability, reducing CoreDNS load, and minimizing dependency on upstream DNS sources. Attendees will gain insights into the technical approach, including performance assessments and testing scenarios emphasizing latency improvements. We've achieved a 30x performance enhancement and greater dns query-handling capacities through node-local DNS cache deployment. This session will provide valuable understanding of techniques to ensure robust DNS resolution in large-scale Kubernetes environments.

Kubernetes administrators often struggle with maintaining consistency across distributed nodes, managing OS updates, and preventing configuration drift in large-scale containerized environments. Wouldn't it be great if there is a way to generate the distribution using a container file like we do for application images? With bootable containers (bootc) you can do it.

In this demo-centric presentation, we will explore how bootc can simplify operating system management by treating itself as an immutable container image. Using a local Kind cluster on Podman Desktop, we will demonstrate how to create and deploy images, showcasing its advantages in maintaining consistency and security across clusters and edge nodes. By treating the OS as a container image, we can take advantage of existing container workflows, making updates and rollbacks atomic and version-controlled.

Attendees will learn how they can use their container-building skills to manage their distro images as well.

Managing node churn in large Amazon EKS clusters posed challenges due to fluctuating workloads, leading to instability and high costs. In this session, we’ll share how we leveraged Karpenter, an open-source K8s autoscaler, to optimize node provisioning and minimize churn across multiple EKS clusters. We’ll explore strategies like Pod Priority, PDBs, and node pools, improving scheduling efficiency and reducing resource waste thereby reducing cloud costs. Additionally, we’ll discuss reducing do-not-disrupt annotations, tightening affinity rules, aligning Karpenter nodes with EC2 savings plans and using latest features of karpenter like reserved instances to enhance performance and cost savings. One can gain insights into understanding node churning and its impact on costs and stability, optimizing Karpenter to scale nodes efficiently, achieving cost savings through spot instances and refined scaling policies. Join us to learn how to make EKS clusters more efficient and cost-effective!

Teams independently provisioning and managing Kubernetes clusters often leads to silos, inefficiencies, and rising operational costs.

This presentation will showcase how NVIDIA successfully consolidated its Kubernetes infrastructure management using ClusterAPI and in-house bare-metal machines. The speakers will demonstrate NVIDIA's implementation that incorporates heterogeneous machine types, including CPU, GPU, TEGRA, and ARM, enabling high-performance workloads to run seamlessly.

By implementing a custom ClusterAPI infrastructure provider, NVIDIA made lifecycle management of Kubernetes clusters more efficient. The team enhanced ClusterAPI by wrapping its templates into Helm charts, standardizing cluster deployments across the organization. Through GitOps workflows, NVIDIA ensured cluster creation and management followed a declarative, version-controlled approach, reducing operational overhead while improving consistency in multi-environment deployments.

Securing data access for AI agents has become a critical challenge. Traditional access control approaches fall short when AI systems need contextual, document-level permissions at scale and speed.

This talk demonstrates how Fine-Grained Authorization (FGA) provides robust security for Retrieval-Augmented Generation (RAG) and agentic AI systems. Learn how to implement permission models that protect sensitive information while enabling AI to access only authorized data.

The talk explores implementations using OpenFGA and LangChain, showcasing how to build security directly into AI retrieval pipelines.

The presenters will provide real world case studies to discover how enterprises can prevent data leakage, implement multi-tenant isolation, and maintain audit trails while scaling to billions of access decisions.

Thus join us to understand how one can maintain security without sacrificing performance or user experience in Agentic / Gen AI applications.

Resilience in Kubernetes often relies on pod restarts, but what if we could checkpoint running containers for forensic analysis and seamless recovery? This is where Checkpoint/Restore in Userspace (CRIU) and its integration with CRI-O and Containerd come into play.
When applications fail, are compromised, or need migration, traditional recovery methods lose valuable runtime data, making debugging, forensic investigation, and live migration difficult. CRI-U enables container-level checkpointing, allowing us to snapshot an application’s complete state, including memory, processes, and open files. This unlocks new security forensics, failure recovery, and workload resilience possibilities.
This session will explore how forensic container checkpointing enhances Kubernetes resilience. Attendees will learn how to securely capture, analyse, and restore container states, ensuring minimal downtime and improved security

LSMs provide kernel-level security mechanisms that can be used to address the dynamic challenges of cloud native security. KubeArmor, a runtime security engine and CNCF sandbox project uses LSMs to protect cloud workloads at runtime.

As a maintainer of KubeArmor, I will share my understanding working with LSMs to implement a robust runtime security engine to protect cloud workloads through the lens of KubeArmor.

While all LSMs provide crucial security benefits, their effectiveness varies significantly based on use-case, deployment context and operational requirements.

In this session, I'll be evaluating LSMs including SELinux, Apparmor and BPF-LSM across three critical dimensions:
Performance impact: The overhead each LSMs introduce.
Security capabilities: Each LSM's effectiveness against common attack vectors through live demonstrations.
Operational complexity: Highlighting the learning curve, complexities in implementation and maintenance.

Security often takes center stage—only after “something” goes wrong. When DevOps teams return a DevOops response! Teams scramble after breaches, misconfigurations, and compliance failures only to realize too late that preventive measures had been missing all along.

For the millions of marketing dollars poured into Shift-left and DevSecOps, security shouldn’t be an afterthought—it needs to be woven into every stage of the Software Development Lifecycle (SDLC).

In this panel, we will share real-world stories and discuss how to build a more security-conscious team culture. Security issues span a spectrum of causes ranging from communication breakdowns, lack of training, and plain old human error. We'll cut through the marketing noise and explore the tools and techniques that make a difference. No buzzwords. Just actionable advice you can take home and implement. Honest narratives, shot straight from the heart.