10-11 June

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon China 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Hong Kong Standard Time (UTC+8:00). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change and session seating is available on a first-come, first-served basis.
Type: Security
Wednesday, June 11

13:45 HKT

Connecting Dots: Unified Hybrid Multi-Cluster Auth Experience With SPIFFE and Cluster Inventory API - Chen Yu, Microsoft & Jian Zhu, Red Hat
Wednesday June 11, 2025 13:45 - 14:15 HKT
As the multi-cluster pattern continues to evolve, managing K8s identities, credentials, and permissions for teams and multi-cluster apps, such as Argo and Kueue, has become a hassle, typically involving managing individual service accounts on each cluster and passing credentials around. Such setup is often scattered, repetitive, difficult to track/audit, and may impose security and ops complications. This is especially true with hybrid environments, where different solutions could be in play across platforms.

This demo presents a solution based on OpenID, SPIFFE/SPIRE, and Cluster Inventory API from the Multi-Cluster SIG that provides a unified, seamless, and secure auth experience. Facilitated by CNCF multi-cluster projects, OCM and KubeFleet, attendees could be inspired to leverage open source solutions to eliminate credential sprawl, reduce operational complexity, and enhance security in hybrid cloud environments, when setting up teams/applications to access a multi-cluster setup.
Speakers

Chen Yu

Senior Software Engineer, Microsoft
Chen Yu is a senior software engineer at Microsoft with a keen interest in cloud-native computing. He is currently working on Multi-Cluster Kubernetes and contributing to the Fleet project open-sourced by Azure Kubernetes Service.

Jian Zhu

Senior Software Engineer, RedHat
Zhu Jian is a senior software engineer at RedHat, a speaker at Kubecon China 2024, and a core contributor to the open cluster management project. Jian enjoys solving multi-cluster workload distribution problems and extending OCM with add-ons.
Wednesday June 11, 2025 13:45 - 14:15 HKT
Level 16 | Grand Ballroom I
  Security

14:30 HKT

Guardians of Multi-Tenancy: Enhanced Authorization To Prevent Lateral Node Escape - Dahu Kuang & Cheng Gao, Alibaba Cloud
Wednesday June 11, 2025 14:30 - 15:00 HKT
Maximizing security in multi-tenant clusters while maintaining cost-effectiveness is crucial for enterprise OPS. Most enterprise clusters deploy multiple daemonsets, which are attractive targets for attackers seeking to escape and move laterally, ultimately taking over the entire cluster.

The SIG community has introduced several advanced security features recently, such as CRD Field Selectors, Field and Label Selector Authorization, validating admission policy (VAP), and Structured Authorization Config. These allow users to define more flexible authorization configurations, addressing filtering and authorization needs for CRDs, kubelet, and other resources in multi-tenant environments.

We will share the lessons learned from the node escape incidents and demonstrate how to implement these new features, showing how to use the Common Expression Language (CEL) to configure customized policies in the Authorization Webhook and VAP, resulting in more node-specific restrictions within clusters.
Speakers

Dahu Kuang

Senior Engineer, Alibaba Cloud
Dahu Kuang is a Security Tech Lead on the Alibaba Cloud Container Service for Kubernetes (ACK) team, focusing on the design and implementation of container security-related work, especially within the context of secure supply chain.

Cheng Gao

Senior Security Engineer, Alibaba Cloud
Cheng Gao, Senior Security Engineer at Alibaba Cloud, focuses on the Security Development Lifecycle (SDL) for cloud-native applications. With expertise in container services, observability, and Serverless architectures, Cheng has led security assurance for several internal container...
Wednesday June 11, 2025 14:30 - 15:00 HKT
Level 16 | Grand Ballroom I
  Security
  • Content Experience Level Any
  • Presentation Language English

16:15 HKT

High-Performance Cloud Native Traffic Authentication Solutions - Muyang Tian & Zhonghu Xu, Huawei
Wednesday June 11, 2025 16:15 - 16:45 HKT
In the rapidly evolving landscape of cloud computing and microservices architecture, efficiently and securely managing communication between services has become a critical challenge. Traditional methods of network traffic authentication often become a performance bottleneck, especially when handling large-scale data flows. This session introduces an innovative solution — leveraging Linux kernel technology XDP (eXpress Data Path) to achieve efficient traffic authentication for service-to-service communications.

We will delve into how to use XDP for rapid filtering and processing of packets before they enter the system's protocol stack, significantly reducing latency and enhancing overall system throughput. Additionally, we will share practical application experiences from projects such as Kmesh, including but not limited to performance tuning, security considerations, and integration with other network security strategies.
Speakers

Muyang Tian

Operating System Engineer, Huawei
Operating system engineer at Huawei Technologies Co., Ltd., core member of Kmesh, and contributor to libxdp. Enthusiastic about cloud native technology and eBPF-based high-performance networking.

Zhonghu Xu

Principal Software Engineer, Huawei
Zhonghu is an Istio Steering Committee member, has been a core maintainer of Istio since 2018, and is among Istio's top 3 contributors. He is also the CNCF TAG-Network Tech Lead and a maintainer of many CNCF projects, including Istio, Kmesh, and Volcano. He is also among the top 100 Kubernetes contributors...
Wednesday June 11, 2025 16:15 - 16:45 HKT
Level 19 | Crystal Court II
  Security
  • Content Experience Level Any
  • Presentation Language Chinese