The European edition of KubeCon+CloudNativeCon is taking place in Amsterdam until April 21st. The rush to the Cloud Native Computing Foundation's (CNCF) own conference was greater this year than ever before: over 10,000 participants came to the Dutch capital, and another 2,000 only made it onto the waiting list, many of whom are taking part online.
With these numbers, it is the largest open source conference in Europe. Remarkably, more than half of the participants are attending for the first time. The CNCF's other figures are also rising steadily: almost 160 projects are now under the patronage of the CNCF, and over 200,000 developers from more than 180 countries are involved, according to the organization, which sits under the umbrella of the Linux Foundation and originally came into existence to manage the Kubernetes code.
In the opening speech, Chris Aniszczyk, the CTO of the CNCF, announced new, financially strong members at gold and platinum level. The former include the auditing firm EY (Ernst & Young) and the Japanese industrial conglomerate Hitachi. The Indian IT service provider HCLTech was already a Gold member and decided to upgrade to Platinum status. Its competitor Infosys entered directly at this highest level. The list of new Silver level members includes more than 50 companies.
Kubernetes security audit
Kubernetes is the CNCF's best-known project and was the first to receive Graduated status from the CNCF. Since 2018, the container orchestrator has had to undergo regular security checks by an external company. During the conference, the CNCF will publish the current version of the security audit report.
The audit is based on version 1.24 of Kubernetes. The auditors highlighted four points. First, the complexity of authorization control is less a technical problem than an organizational one: the reviewers generally doubt that admins get all the details right, and mistakes show up as unnecessary permissions and avoidable gaps. Second, vulnerabilities in the communication between various Kubernetes components can be exploited to gain administrative access. Third, and going hand in hand with this, there are inadequacies in the logging or verification of events. The last point is very specific and is documented as CVE-2022-3162: an error in the processing of user input allows certain authorization checks to be bypassed, giving access to data that should not be accessible.
The CNCF strives to make Kubernetes and projects from the ecosystem known and understandable to an ever wider audience. The extensive training program has now been expanded to include two new certifications: “Cloud Native Security Associate” and “Certified GitOps Associate”.
In his opening speech, Aniszczyk again promoted the CNCF's own mentoring program, which also includes events such as Google's Summer of Code. Typically, mentee and mentor work together on a project. In addition, the program gives tips on how to fill each role particularly effectively and usefully. During the opening speech, the participants saw a concrete example of how a developer grew from a complete Kubernetes newbie into a mentor. A well-known hurdle in getting started with any technology is the unfamiliar technical vocabulary and abbreviations. For some time now, the CNCF community has been maintaining a glossary for the "Cloud Native" area. It is now available in 10 languages, including German.
KubeCon Europe 2023 will not be the last of its kind: the CNCF has already announced the date and location for the 2024 event. From March 19th to 22nd, Paris will be the meeting place for the cloud native community. The North American edition of the conference will take place in Chicago in early November 2023. For the first time since 2019, China is also part of the schedule: at the end of September, the CNCF will welcome the community in Shanghai.