In-person + Virtual
18-21 April
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon Europe 2023 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Central European Summer Time (UTC +2). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change and session seating is available on a first-come, first-served basis. 
Back To Schedule
Wednesday, April 19 • 11:00 - 11:35
Cert-Manager Can Do SPIFFE? Solving Multi-Cloud Workload Identity Using a De Facto Standard Tool - Thomas Meadows, Jetstack & Joshua Van Leeuwen, Diagrid

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

If you’re like me, your Kubernetes journey started well. Booting up a cluster and deploying a demo application, only to find the dreaded “Your connection is not private” message in your web browser. Attackers could be stealing your information, credit cards and passwords? Frankly, your sock shopping addiction should be nobody's business. Luckily I found the cert-manager project. As if by magic, this clever controller made my security woes fold away. What about secrets? API and service account keys. This highly sensitive data must be bolted to your pod to ensure it can access databases, api-servers and more. After accidentally committing raw secrets to Github (nobody got time for that), I grew tired. I crawled away into the wonders of Google Cloud Workload Identity. But wait? Haven't I given up on the wonder of multi-cloud Kubernetes? If only identity could come batteries included. As an encore in the machine identity space, cert-manager now leverages SPIFFE to solve this problem. Pods are empowered to enter the VIP lounge of their choice in whatever cloud, provided they are on the guest list. Don't believe me? Call me on my bluff. Join me as I explore how this industry problem has been solved using the same magic that gave us TLS on Kubernetes only a few short years ago.

avatar for Josh Van Leeuwen

Josh Van Leeuwen

Senior Software Engineer, Diagrid
I am a software engineer working at Diagrid. For the past 5 years I have worked on open source software in the Kubernetes ecosystem, including cert-manager and more recently Dapr. I’m most interested in securing distributed systems and workload identities.
avatar for Thomas Meadows

Thomas Meadows

Solutions Engineer, Jetstack
Tom is an engineer who works for Jetstack as a Kubernetes and Cloud Native consultant. After becoming intrigued by the space, he decided to dive into the world of supply-chain security (mostly software, but also some strange food analogies). By being enabled by initiatives like the... Read More →

Wednesday April 19, 2023 11:00 - 11:35 CEST
Emerald Room | First Floor | Congress Centre
  Security + Identity