Lucas Käldström (@luxas) on Speaker Deck

Cedar: A rock-solid access control building block for the cloud native ecosystem
Published 2025-12-11
Location: Globe of Science and Innovation, CERN, Espl. des Particules 1, 1217 Meyrin, Switzerland
Schedule link: https://sessionize.com/view/rlq5we3p/GridSmart
Abstract: Building fine-grained access controls into your open source project is a difficult challenge.
We can reduce and amortize this challenge by centralizing the complexity in a general-purpose authorization engine. Before Kubernetes, everyone built stacks from the ground up. With Kubernetes, distributed systems complexity is centralized and shared by the community, saving everyone time and effort.
Cedar Policy, an open source project proposed to be donated to the CNCF, aims to remove the heavy lifting of building access controls. Cedar supports role-, relation-, and attribute-based access controls. It can be embedded into any application or run as a service. It has a flexible, typed schema that enables syntax hints in VS Code. Uniquely, Cedar policies are analyzable, which allows answering questions such as “is the refactored policy equal to the previous one?”
This talk introduces Cedar and presents a case study on how it can be used in the context of Kubernetes access controls.
Lucas Käldström (@luxas)

Tools and Strategies for Making the Most of Kubernetes Access Control
Published 2025-11-17, updated 2026-01-09
Presented at KubeCon Atlanta 2025 together with Micah Hausler.
Location: Atlanta Convention Center, 285 Andrew Young International Blvd NW, Atlanta, GA 30313, USA
Sched link: https://sched.co/27FdC
Recording link: https://youtu.be/JBM0PRyDaPs?si=dg5DqsjUET8s-avH
Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/pull/5684
Abstract:
Have you ever struggled writing least-privilege access control policies for Kubernetes? Are you concerned about the wide permissions of installed Helm charts? Do you manage to regularly audit who has access to sensitive resources?
In this talk, Kubernetes contributors Micah and Lucas introduce you to open source tools that help you on your defense-in-depth journey for securing the Kubernetes API surface. They demonstrate how to right-size your RBAC rules semi-automatically, audit who can access sensitive resources, and check whether policy refactors are correct.
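The two checks named above (who can reach a sensitive resource, and whether a refactored policy still grants the same permissions) can both be answered by flattening RBAC rules into atomic permissions and comparing sets; it is also the RBAC-flavoured version of the question the Cedar abstract above asks, “is the refactored policy equal to the previous one?”. The following is an added example, not one of the tools shown in the talk: the Role and RoleBinding objects, the subjects and the API "universe" used to expand wildcards are constructed for illustration, and the `chart-role`, `chart-sa`, `chart-tls` and `viewer` names are hypothetical.

```python
"""Flatten Kubernetes RBAC into atomic permissions, audit who can reach a
sensitive resource, and check that a refactored Role grants no more than the
original.  Added example, not one of the tools shown in the talk; the Roles,
RoleBindings and the API "universe" below are constructed for illustration."""
from itertools import product

# Constructed stand-in for `kubectl api-resources` (group -> resources).  A
# wildcard can only be expanded against what this map knows, so the check is
# exactly as complete as the discovery snapshot you feed it.
API_UNIVERSE = {
    "": ["pods", "pods/log", "secrets", "configmaps", "services"],
    "apps": ["deployments", "replicasets"],
    "batch": ["jobs", "cronjobs"],
}
VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]
ANY = "*"


def expand_rule(rule, universe=API_UNIVERSE, verbs=VERBS):
    """One PolicyRule -> set of (group, resource, name, verb) atoms."""
    groups = rule.get("apiGroups", [""])
    if ANY in groups:
        groups = list(universe)
    atoms = set()
    for g in groups:
        res = universe.get(g, []) if ANY in rule["resources"] else rule["resources"]
        vs = verbs if ANY in rule["verbs"] else rule["verbs"]
        names = rule.get("resourceNames") or [ANY]  # no resourceNames => every object
        atoms.update(product([g], res, names, vs))
    return atoms


def expand_role(role):
    return set().union(*(expand_rule(r) for r in role["rules"]))


def covered(atom, atoms):
    """An atom is covered if present literally or via the any-name atom."""
    g, r, n, v = atom
    return atom in atoms or (g, r, ANY, v) in atoms


def allows(atoms, group, resource, name, verb):
    """Decision for one request.  A plain list/watch carries no object name
    (name == ""), so only an any-name atom can allow it: a resourceNames rule
    never lets a subject list the namespace, which is the RBAC behaviour that
    makes object-scoped list/watch impossible to express."""
    return covered((group, resource, name, verb), atoms)


def subjects_who_can(roles, bindings, group, resource, name, verb):
    """Audit question: which bound subjects can perform this request?"""
    atoms_by_role = {r["metadata"]["name"]: expand_role(r) for r in roles}
    subjects = set()
    for b in bindings:
        if allows(atoms_by_role.get(b["roleRef"]["name"], set()), group, resource, name, verb):
            subjects.update(f'{s["kind"]}:{s["name"]}' for s in b["subjects"])
    return subjects


def refactor_diff(old_role, new_role):
    """(gained, lost) atoms of the refactor relative to the universe; both
    empty means the two Roles decide every known request identically."""
    old, new = expand_role(old_role), expand_role(new_role)
    return ({a for a in new if not covered(a, old)}, {a for a in old if not covered(a, new)})


# Constructed sample: a Helm-chart style Role with one wide rule, a tightened
# refactor of it, a read-only Role, and the bindings that attach them.
WIDE_ROLE = {"metadata": {"name": "chart-role"}, "rules": [
    {"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["*"]}]}
TIGHT_ROLE = {"metadata": {"name": "chart-role"}, "rules": [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "update", "patch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]},
    # Only the one Secret the chart needs: allows `get` by name, not a plain `list secrets`.
    {"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["chart-tls"], "verbs": ["get"]}]}
VIEWER_ROLE = {"metadata": {"name": "viewer"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list", "watch"]}]}
BINDINGS = [
    {"roleRef": {"name": "chart-role"}, "subjects": [{"kind": "ServiceAccount", "name": "chart-sa"}]},
    {"roleRef": {"name": "viewer"}, "subjects": [{"kind": "User", "name": "alice"}]},
]


def audit_secret_readers(chart_role):
    """Who can read Secrets, with `chart_role` bound as chart-role next to viewer?"""
    roles = [chart_role, VIEWER_ROLE]
    return {"list_all": subjects_who_can(roles, BINDINGS, "", "secrets", "", "list"),
            "get_chart_tls": subjects_who_can(roles, BINDINGS, "", "secrets", "chart-tls", "get")}


if __name__ == "__main__":
    print("before:", audit_secret_readers(WIDE_ROLE))
    print("after: ", audit_secret_readers(TIGHT_ROLE))
    gained, lost = refactor_diff(WIDE_ROLE, TIGHT_ROLE)
    print(f"refactor gained {len(gained)} permissions, dropped {len(lost)}")
```

The diff is only as trustworthy as the universe it expands against: a `*` resource in a ClusterRole silently covers every CRD installed after the snapshot was taken, so regenerate the map from live discovery before trusting a "no permissions gained" verdict.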
This talk is part of a journey to improve Kubernetes access control in core. However, to make this initiative successful, user feedback is needed throughout the process. You’ll learn about the planned Kubernetes Conditional Authorization feature, which will make authoring right-sized policies easier.
By the end of the talk, you will know how to get involved and what the future directions for improved Kubernetes access control are.

Conditional Authorization, SIG Auth Deep Dive
Published 2025-09-24
Presented 2025-09-04 to Kubernetes SIG Auth
Meeting notes: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/edit?tab=t.0#heading=h.147ygvibasgh
Recording: https://zoom.us/rec/share/24DwlfWfrP7UZEMtkpk1XvpNP_sQuRrE7FQxKoJDRRbJ-vJTBarrEermV2-XSD5p.LSzKv2wS797xMYTs

Conditional Authorization for Kubernetes, SIG Auth presentation
Published 2025-06-04, updated 2025-10-28
Presented to Kubernetes Special Interest Group (SIG) Auth on June 4, 2025.
Thesis is available at: https://github.com/luxas/research
Youtube: https://youtu.be/Clg-rz9qlUA?si=Ay4Dddd-iJRnC89R
Meeting notes are available at https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/edit?tab=t.0#heading=h.hophvu703yb0
Information about SIG Auth is in https://github.com/kubernetes/community/tree/master/sig-auth

Usable Access Control in Cloud Management Systems
Published 2025-05-22
Master of Science in Technology thesis presentation at Aalto University
The thesis is published at: https://github.com/luxas/research
Presentation date: May 22, 2025

End to End Message Authenticity in Cloud Native Systems
Published 2025-04-09
Presented at Cloud Native Rejekts London together with Micah Hausler
Schedule link: https://cfp.cloud-native.rejekts.io/cloud-native-rejekts-europe-london-2025/talk/U99JU3/
Recording: https://youtu.be/rJacyDygVi0
Location: 116 Pall Mall, London SW1Y 5ED, United Kingdom
Abstract:
OpenID Connect (OIDC) and mutual TLS are popular authentication mechanisms used widely in cloud native environments, and commonly as a basis for workload identity in SPIFFE. However, OIDC tokens are bearer tokens: they are prone to interception, replay and forwarding attacks, and cannot guarantee end-to-end request authenticity. Mutual TLS solves those problems at the transport layer, but is rarely used in browsers and seldom fully end-to-end in microservice-oriented systems, where a proxy or gateway terminates the connection. HTTP Message Signatures (RFC 9421) is a new IETF specification that aims to prevent credential replay and forwarding, provide end-to-end integrity for the signed parts of a request, and be broadly deployable.
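To make the replay and forwarding argument concrete, here is an added example (not code from the talk or from any SPIFFE project) of the RFC 9421 mechanics in plain Python: the signer builds the signature base from the request method, authority, path and selected headers, binds it to a created/expires window, a nonce and a key id, and the verifier rejects the same request when it is replayed, forwarded to another path, or sent with a modified body. The shared HMAC key, the `svc-frontend` key id, the request and the clock values are constructed for illustration; a real deployment would use per-workload keys and an asymmetric algorithm.

```python
"""HTTP Message Signatures (RFC 9421) with the hmac-sha256 algorithm: a signer,
and a verifier with the freshness and nonce checks needed to reject replayed or
forwarded requests.  Added example, not code from the talk; the shared key,
request, nonce and clock values below are constructed for illustration."""
import base64
import hashlib
import hmac

KEY_ID = "svc-frontend"
SHARED_KEY = b"constructed-demo-secret-do-not-use"  # in practice a per-workload key


def sf_string(s):
    """Structured Fields sf-string: quoted, with backslash and quote escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def serialize_params(components, params):
    """Inner List that is both the Signature-Input value and the
    "@signature-params" line of the signature base."""
    inner = "(" + " ".join(sf_string(c) for c in components) + ")"
    for k, v in params.items():
        inner += f";{k}=" + (sf_string(v) if isinstance(v, str) else str(v))
    return inner


def parse_signature_input(value):
    """Inverse of serialize_params for the subset it emits: returns
    (label, components, raw inner list, params)."""
    label, _, inner = value.partition("=")
    end = inner.index(")")
    components = [c.strip('"') for c in inner[1:end].split()]
    params = {}
    for p in inner[end + 1:].split(";")[1:]:
        k, _, v = p.partition("=")
        params[k] = v[1:-1] if v.startswith('"') else int(v)
    return label, components, inner, params


def component_value(req, name):
    """Canonical value of a derived component or a (lowercased) header field."""
    if name == "@method":
        return req["method"].upper()
    if name == "@authority":
        return req["authority"].lower()
    if name == "@path":
        return req["path"]
    if name.startswith("@"):
        raise ValueError(f"unsupported derived component {name}")
    vals = [v.strip() for k, v in req["headers"] if k.lower() == name]
    if not vals:
        raise ValueError(f"covered header {name} is absent")
    return ", ".join(vals)


def signature_base(req, components, inner):
    lines = [f"{sf_string(c)}: {component_value(req, c)}" for c in components]
    return "\n".join(lines + [f'"@signature-params": {inner}']).encode()


def content_digest(body):
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def sign(req, components, key, keyid, now, nonce, ttl=60, label="sig1"):
    params = {"created": now, "expires": now + ttl, "nonce": nonce, "keyid": keyid, "alg": "hmac-sha256"}
    inner = serialize_params(components, params)
    mac = hmac.new(key, signature_base(req, components, inner), hashlib.sha256).digest()
    req["headers"] += [("Signature-Input", f"{label}={inner}"),
                       ("Signature", f"{label}=:{base64.b64encode(mac).decode()}:")]
    return req


class Verifier:
    """Checks one signature and remembers (keyid, nonce) for `window` seconds,
    so a captured request cannot be replayed while its signature is still fresh."""

    def __init__(self, keys, window=300):
        self.keys, self.window, self.seen = keys, window, {}

    def verify(self, req, now, required=("@method", "@authority", "@path")):
        hdrs = {k.lower(): v for k, v in req["headers"]}
        label, comps, inner, p = parse_signature_input(hdrs["signature-input"])
        if not set(required) <= set(comps):
            return False, "required components not covered"
        if p.get("alg") != "hmac-sha256" or p.get("keyid") not in self.keys or "nonce" not in p:
            return False, "unknown key or algorithm, or no nonce"
        # created not in the future (5 s skew), not past expires, not older than the window
        if not (p["created"] - 5 <= now <= p.get("expires", now)) or now - p["created"] > self.window:
            return False, "signature not fresh"
        if "content-digest" in comps and content_digest(req["body"]) != hdrs.get("content-digest"):
            return False, "body does not match Content-Digest"
        sig_label, _, sig = hdrs["signature"].partition("=")
        expected = hmac.new(self.keys[p["keyid"]], signature_base(req, comps, inner), hashlib.sha256).digest()
        if sig_label != label or not hmac.compare_digest(expected, base64.b64decode(sig.strip(":"))):
            return False, "bad signature"
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}  # evict old nonces
        if (p["keyid"], p["nonce"]) in self.seen:
            return False, "replayed nonce"
        self.seen[(p["keyid"], p["nonce"])] = p["created"]
        return True, "ok"


def demo():
    """Sign one request, then replay it, forward it elsewhere, tamper with its body and age it."""
    now = 1_700_000_000  # constructed clock
    body = b'{"action":"transfer","amount":10}'
    req = {"method": "POST", "authority": "api.internal", "path": "/v1/transfer", "body": body,
           "headers": [("Content-Type", "application/json"), ("Content-Digest", content_digest(body))]}
    sign(req, ["@method", "@authority", "@path", "content-type", "content-digest"],
         SHARED_KEY, KEY_ID, now, nonce="8f3a1c9d")
    v = Verifier({KEY_ID: SHARED_KEY})
    results = {"first": v.verify(req, now + 1)[1], "replay": v.verify(req, now + 2)[1]}
    v2 = Verifier({KEY_ID: SHARED_KEY})  # a different recipient that has never seen the nonce
    results["forwarded"] = v2.verify(dict(req, path="/v1/admin/transfer"), now + 1)[1]
    results["tampered_body"] = v2.verify(dict(req, body=b'{"amount":1000000}'), now + 1)[1]
    results["stale"] = v2.verify(req, now + 3600)[1]
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice. The nonce store is per verifier, so the replay defence only holds across replicas if the seen-nonce set is shared or the expiry window is short enough that the abstract's "smart caching and replication" can keep replicas consistent. And the signature covers only the listed components: anything not in the Signature-Input list (a query string, an extra header) can be changed in transit without detection, so the required-components check is part of the policy, not an optimisation.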
This talk introduces the audience to HTTP Message Signatures and demonstrates its security benefits for authentication in cloud native, microservice-oriented systems. Further, we’ll cover how smart caching and replication allow this protocol to scale to millions of requests per second, and how it could be integrated with SPIFFE.

Anecdotes on attracting and retaining (young) contributors to open source
Published 2025-03-29
Presented at Monki Gras 2025: https://monkigras.com/schedule/
Conference theme: Sustaining Software Development Craft; open source and AI feature significantly.
Location: 3 Godfrey Pl, London E2 7NT, United Kingdom
Not recorded.
Abstract:
Ten years later, Lucas reflects on his journey from a 15-year-old enthusiast tinkering with Raspberry Pis to, shortly afterwards, becoming a Kubernetes maintainer and one of its most active contributors. What did the Kubernetes community do well (engage, teach and give responsibility) to make that possible?

Expanding the Capabilities of Kubernetes Access Control
Published 2024-11-17
Presented at KubeCon North America 2024 in Salt Lake City together with Jimmy Zelinskie
Sched link: https://sched.co/1i7m9
Youtube: https://youtu.be/IXHCSSQeXBg
Location: 100 S W Temple St, Salt Lake City, UT 84101, USA
Abstract:
Kubernetes RBAC is an effective way of managing ACLs in one cluster. However, there are many other effective paradigms out there, such as Attribute- & Relation-based Access Control. In this talk, we’ll demystify how these differ, and when to use respective paradigms, giving context and guidance. We’ll highlight how Kubernetes access control has recently evolved towards supporting lots of different use-cases. We take this opportunity to cover multiple perspectives: security within a single cluster (zooming in) and security within real-life production environments with external services and multiple clusters (zooming out). As containers became ubiquitous first with excellent tools like Docker, we believe the same can and will happen for access control, yielding uniform, interoperable and understandable authorization. Finally, we'll propose future work that could be done to supercharge Kubernetes and ensure it keeps up with the ever increasing security requirements in our industry.

Avoiding the Heat Death of Kubernetes and the CNCF Landscape
Published 2024-04-08
Presented at KubeCon EU 2024 in Paris as a poster session: https://www.cncf.io/blog/2024/02/22/announcing-new-poster-pavilion-sessions-at-kubecon-cloudnativecon-europe/
Sched link: https://sched.co/1YhDq
Co-presenter Madhav Jivrajani (https://twitter.com/MadhavJivrajani)
Abstract:
The concept of entropy is a measure of disorderliness or chaos. The second law of thermodynamics states that the Universe evolves spontaneously towards more chaotic states, eventually to “the Heat Death”. Kubernetes started off as a container orchestrator for stateless web apps. But now, what once was an orderly list of use-cases has become a turbulent sea of possibility and complexity. This is also the case for the CNCF Landscape as a whole. With novel use cases in e.g. AI, cloud native will also need to evolve, increasing entropy. However, as we navigate these possibilities with Kubernetes at the base, it is critical that we talk about some of the philosophies and early decisions of the project, as well as how they have fared with an evolving industry. In doing so, we understand what we can rely on it for and what we can’t. Continuing from Tim Hockin’s keynote, join us as we talk about the physics of cloud native and how our community can deal with unseen use cases and scale.

Beyond RBAC: Avoid broken ACLs in control planes with declarative Relation-based Access Control
Published 2024-02-26, updated 2024-06-12
CFP link: https://disobey.fi/2024/profile/disobey2024-221-beyond-rbac-avoid-broken-acls-in-control-planes-with-declarative-relation-based-access-control
Location: Kaapelitehdas, Helsinki, Finland
Recording: https://youtu.be/d8lshOV9aCk
Abstract:
The number one risk in OWASP’s latest API Security Top 10 list is “Broken Object Level Authorization”, and the third is “Broken Object Property Level Authorization”. Helping developers mitigate these risks through best practices and frameworks can therefore be highly beneficial for our community.
This talk will discuss some means that could be applied to build API servers (or, more generally, control planes) in a way that makes them less susceptible to these attacks: through
* uniformity of API server structure (probably well known to most security professionals, but good to cover), and
* relation-based access control (ReBAC), a superset of both RBAC and ABAC, which allows for finer-grained and declarative access control.
This gives us a way to avoid “oops, I forgot to implement the authorization check for this API resource (or field)” and to escape the inevitable, unmaintainable pile of imperative if-checks in API servers such as “if the authenticated user belongs to a group with the magic string ‘employees’, it has access to all documents with prefix /company_public”.
A declarative authorization model, together with a graph-based structure for the authorization state, can be audited, visualized and pentested more easily than custom code for each resource in the API.
Finally, Lucas will demo this paradigm in action. All code is open source and fully reproducible. After this talk the audience will have practical knowledge of how to formalize access control in their projects in an extensible, uniform and auditable way.

Beyond RBAC: Implementing Relation-based Access Control for Kubernetes with OpenFGA
Published 2023-11-16
Talk presented at Cloud Native Rejekts in Chicago: https://cloud-native.rejekts.io
Location: TeamWorking by TechNexus, Chicago
Code is available on GitHub: https://github.com/luxas/kube-rebac-authorizer
Youtube: https://www.youtube.com/live/tWWBzsZLrIw?t=396
Abstract as follows:
The Kubernetes API server is a declarative, uniform and extensible REST API server capable of storing a diverse set of APIs for infrastructure control. API objects tend to contain parent-child and sibling relations such as “ReplicaSet owns Pod refers to Node”. However, with this graph-based structure, access control and multi-tenancy become a real challenge. The default RBAC authorizer is best for resource-scoped authorization (“allow listing all Pods”), not fine-grained authorization (“allow listing Pods of these Deployments”).
OpenFGA is a Relationship-Based Access Control (ReBAC) engine inspired by Google Zanzibar and a CNCF sandbox project. ReBAC is a superset of RBAC, and empowers administrators to configure authorization in an object-scoped manner with minimal configuration sprawl.
A Kubernetes contributor and an OpenFGA maintainer will demo an open-source implementation of a Kubernetes authorizer and controller that configures and queries OpenFGA for authorization decisions.
In today’s world, security requirements grow ever more demanding and important. Kubernetes Role-Based Access Control (RBAC) is a critical piece of the security of a Kubernetes cluster, e.g. guarding all (unencrypted) Secret API objects from being accessed by unauthorized parties. RBAC is inherently best suited for collection-scoped rules: if object-scoped rules are wanted, every API object name must be hard-coded into the rule (resourceNames), which creates a lot of “rule sprawl”.
It is not possible to restrict a user to listing or watching a strict subset of the API objects of a given kind in a namespace; it is either all objects in the namespace or none. It is thus a pain point, almost impossible, to configure authorization so that a Kubernetes operator can only list/watch the subset of resources it manages.
Kubernetes has actually implemented object-scoped authorization as a special case: the Node authorizer, which enforces that a kubelet can only access the Secrets, ConfigMaps, etc. that are bound to workloads running on that node. However, this implementation is hard-coded (written in Go) in the API server, not a generic mechanism that other controllers and users could benefit from.
Thus, we demonstrate a proof-of-concept implementation as a generic alternative for this problem, using the OpenFGA engine.
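The Disobey abstract above argues that a declarative model over a relation graph beats per-resource if-checks, and this abstract gives the concrete Kubernetes cases: "allow listing Pods of these Deployments" and the Node authorizer's "a kubelet may read only the Secrets bound to its node". The following added example (a toy engine written for this page, not the kube-rebac-authorizer code and not OpenFGA) shows both with a Zanzibar-style model: relation tuples for ownership and parent/child edges, a handful of rewrite rules, a `check` and an object-scoped `list_objects`. The object names, users, groups and the relation names (`owner`, `viewer`, `parent`, `node`, `pod_ref`, `reader`) are all constructed; they mirror what an OpenFGA model would express but are not its syntax.

```python
"""A toy Zanzibar-style relation graph for Kubernetes objects: parent/child
tuples plus a small rewrite model let one rule ("a Deployment's viewers may
view its Pods", "a node may read the Secrets its Pods reference") replace a
pile of per-object RBAC rules.  Added example; it is not the kube-rebac-authorizer
code or OpenFGA, and the objects, relations and users below are constructed."""

# Rewrite rules per object type, in the three Zanzibar forms:
#   "this"                      direct tuples on this object/relation
#   ("computed", rel)           whoever has `rel` on this same object
#   ("tupleset", via, rel)      whoever has `rel` on the objects reached via `via`
MODEL = {
    "group": {"member": ["this"]},
    "deployment": {"owner": ["this"], "viewer": ["this", ("computed", "owner")]},
    "replicaset": {"parent": ["this"], "viewer": [("tupleset", "parent", "viewer")]},
    "pod": {"parent": ["this"], "node": ["this"], "viewer": [("tupleset", "parent", "viewer")]},
    # Node-authorizer style rule: a Secret's readers are the nodes of the Pods that reference it.
    "secret": {"pod_ref": ["this"], "reader": [("tupleset", "pod_ref", "node")]},
}

# Constructed relation tuples (object, relation, subject).  A subject of the
# form "obj#rel" is a userset, e.g. every member of a group.
TUPLES = [
    ("group:platform", "member", "user:alice"),
    ("deployment:web", "owner", "group:platform#member"),
    ("deployment:billing", "owner", "user:bob"),
    ("replicaset:web-7d9", "parent", "deployment:web"),
    ("replicaset:billing-1a", "parent", "deployment:billing"),
    ("pod:web-7d9-x1", "parent", "replicaset:web-7d9"),
    ("pod:web-7d9-x2", "parent", "replicaset:web-7d9"),
    ("pod:billing-1a-q4", "parent", "replicaset:billing-1a"),
    ("pod:web-7d9-x1", "node", "node:worker-1"),
    ("pod:billing-1a-q4", "node", "node:worker-2"),
    ("secret:web-tls", "pod_ref", "pod:web-7d9-x1"),
    ("secret:billing-db", "pod_ref", "pod:billing-1a-q4"),
]


def check(tuples, obj, relation, user, depth=0):
    """Does `user` hold `relation` on `obj`?  Recursion follows the model."""
    if depth > 16:  # cycle/depth guard, as a real engine would enforce
        raise RecursionError(f"relation graph too deep at {obj}#{relation}")
    for rule in MODEL.get(obj.split(":")[0], {}).get(relation, []):
        if rule == "this":
            for o, r, s in tuples:
                if o == obj and r == relation:
                    if s == user:
                        return True
                    if "#" in s:  # userset subject: expand it
                        so, sr = s.split("#", 1)
                        if check(tuples, so, sr, user, depth + 1):
                            return True
        elif rule[0] == "computed":
            if check(tuples, obj, rule[1], user, depth + 1):
                return True
        else:  # tupleset: hop to the related objects and evaluate `rel` there
            _, via, rel = rule
            for o, r, s in tuples:
                if o == obj and r == via and check(tuples, s, rel, user, depth + 1):
                    return True
    return False


def list_objects(tuples, typ, relation, user):
    """Object-scoped list: every object of `typ` the user may `relation` on.
    This is the filtered list/watch that RBAC cannot express."""
    objs = {x for o, _, s in tuples for x in (o, s) if x.startswith(typ + ":") and "#" not in x}
    return sorted(o for o in objs if check(tuples, o, relation, user))


if __name__ == "__main__":
    print("alice may view pods:", list_objects(TUPLES, "pod", "viewer", "user:alice"))
    print("worker-1 may read secrets:", list_objects(TUPLES, "secret", "reader", "node:worker-1"))
    print("worker-1 reads billing-db:", check(TUPLES, "secret:billing-db", "reader", "node:worker-1"))
```

Note what the tuples encode: no rule ever names a Pod. Alice's access to `pod:web-7d9-x1` is derived at check time from group membership, Deployment ownership and two parent edges, so when a controller creates or deletes a Pod only the `parent` tuple changes and the policy is untouched, which is the "minimal configuration sprawl" point above. The `list_objects` scan is linear here; a production engine answers it with reverse-expansion over indexed tuples, but the semantics are the same.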
This talk will also highlight improvement suggestions for both Kubernetes and OpenFGA for increased security and administrator awareness.

Managing scalable database clusters with the TiDB Operator
Published 2023-10-03
Presented during HTAP Summit 2023 in San Francisco.
Website: https://www.pingcap.com/htap-summit
Abstract page: https://events.bizzabo.com/474592/agenda/speakers/3096751
Recording TBA
Location: Computer History Museum, 1401 N Shoreline Blvd, Mountain View, CA 94043, USA
Abstract:
Why are Kubernetes and other popular cloud native projects designed so differently from previous-generation “VM-era” systems? How have the second law of thermodynamics and control theory shaped cloud native designs? How is the shift from traditionally managing servers to using Kubernetes operators (such as the TiDB Operator) similar to the Industrial Revolution?
This talk offers the audience a unique perspective into some common cloud native patterns. Kubernetes and Google Spanner, for example, are often described as designed from “decades of experience”, but it is not as often mentioned what that means in practice. Quite conversely, many newcomers find Kubernetes and similar technologies “too complex”. Why is it, or why is that the impression?
After this talk, the audience will have an improved vocabulary of cloud native philosophy terms, gained by learning the fundamental design philosophies of Kubernetes and cloud native through well-known phenomena and real-world analogies.
This talk also relates the concepts presented to features in TiKV and TiDB, such as consistency control and self-healing. After the concepts are introduced, the TiDB Operator is presented as a case study of the theory.

Understanding Kubernetes Through Real-World Phenomena and Analogies
Published 2023-05-15
Presented at the DevOps Finland meetup: https://www.meetup.com/DevOps-Finland

control theory + declarative API = Kubernetes
Published 2023-05-09
Presented at Automaatiopäivät 2023: https://www.automaatioseura.fi/automaatiopaivat2023/

Understanding Kubernetes Through Real-World Phenomena and Analogies
Published 2024-07-05
Abstract:
How is the Kubernetes controller model similar to a taxi driver? Why is Kubernetes designed so differently from similar systems? How have the second law of thermodynamics and randomness theory shaped Kubernetes design? How is the shift from traditionally managing servers to using Kubernetes operators similar to the Industrial Revolution? This talk offers the audience a unique perspective into why Kubernetes is designed the way it is. Kubernetes is often described as designed from “decades of experience”, but it is not as often mentioned what that means in practice. Quite conversely, many newcomers to Kubernetes find it “too complex”. Why is it, or why is that the impression? After this talk, the audience can make sense of why Kubernetes does what it does, by learning the fundamental design philosophies of Kubernetes and cloud native through well-known phenomena and real-world analogies. With the right mental model, hopefully it doesn’t seem overwhelmingly complex anymore.
KubeCon talk recording: https://youtu.be/GpJz-Ab8R9M
Sched link: https://sched.co/ytr4
Location: Av. de les Fires, s/n, Pobles de l'Oest, 46035 València, Spain

Exploring modern and secure operations of Kubernetes clusters on the Edge
Published 2021-06-09, updated 2021-07-20
In this talk, Lucas will walk you through some novel ways in which edge deployments of Kubernetes can be operated and secured. The talk will guide you through the murky waters of securing the boot process on ARM (coreboot, LinuxBoot, Trusted Firmware-A), securely downloading the OS image (The Update Framework, ORAS), and how to use a TPM for remote attestation. The second part of the talk will touch on operating Kubernetes clusters on the edge. Lucas will walk you through what deployment alternatives exist (Cluster API, kubeadm, k3s), how to manage the clusters’ lifecycle using GitOps (Flux v2, libgitops, kspan), and some projects which help you keep data on the edge in sync with the cloud (KubeEdge, Akri). Be prepared for a deep dive into cloud native and open source firmware projects at their best, combined in creative ways. Finally, Lucas will tell you more about how you can in the future get hands-on with these technologies through his new open source project, Racklet.
Recording: https://youtu.be/UZp9zm_YG8k
Online slides: https://docs.google.com/presentation/d/1LIUEafHDGfKcCRMLo_6pHx4YDQ5RkmG8ufNrdZnq6bM/edit#slide=id.gdef92a758a_0_70
ODSC talk page: https://odsc.com/speakers/exploring-modern-and-secure-operations-of-kubernetes-clusters-on-the-edge/

Introducing Racklet, a commoditized, educational and open source data center scale-model for tinkerers
Published 2021-04-29, updated 2021-06-16
“The future is already here - it's just not evenly distributed” - William Gibson
We’d like to announce our latest open-source project: Racklet. It’s a fully-integrated, Raspberry Pi form-factor server rack and software stack that aims to be a scale model of hyperscaler datacenters. All layers of the stack are 100% OSS/OSH, and will be developed together with the community. It’s reproducible through open PCB designs, 3D printed casing, and commodity, off-the-shelf hardware.
We want to lower the barrier of entry for becoming cloud native. Racklet aims to inspire users to explore how modern server architectures work, in a tangible and educational way. Emphasis is put on security, knowledge sharing, extensibility, and portability.
The goal is to conceptually map to real environments and provide an accessible and well-documented path to welcome future talents to the world of cloud native.
Youtube link: https://youtu.be/YKWtR0xOnF4
Online slides: https://docs.google.com/presentation/d/1cfVf4ZSiCef6gpWr8UMtdMPqyIdWTLaGt1du5v5Kex0/edit#slide=id.gd48a3760c5_0_2030

Kubernetes & CNCF Meetup: Helsinki November 2019
Published 2019-11-30, updated 2020-04-19
Introduction slides to the November meetup in Helsinki. Also contains a short KubeCon recap.
Online slides: https://docs.google.com/presentation/d/1ioEYbVuyNG1hqV7wt6RAY2T1Bof-eVB0I73XeOrPPjU/edit#slide=id.g597882388f_0_2
Recording: https://youtu.be/S9WJnhi3moM
Meetup page: https://www.meetup.com/Kubernetes-Finland/events/265529376/
Location: Intel Finland Oy, Westendinkatu, Espoo, Finland
Feed last updated 2025-12-11.