KubeCon North America has always been a beacon for innovation and networking in the cloud-native industry. This year’s event was no different, offering a mix of nostalgic reunions, new connections and, of course, a convening of the vast community we’ve all shaped and built to support the next wave of innovation. What truly stood out this year was the palpable shift in focus towards software supply chain security, a topic that has evolved from obscurity to a cornerstone of cloud-native technology discussions. Perhaps this is in part due to our community seeing the critical role we all play in securing open source software and everything the industry builds on top of it.
1. Growth and Evolution of KubeCon
It’s remarkable how much the event has grown over the years; it’s easy to get lost on the show floor. KubeCon started as a small gathering of early adopters and contributors to Kubernetes.
Over the years, as Kubernetes became mainstream, the event grew significantly. The original informal ‘hallway track’ discussions among contributors are now part of a much larger picture. Today, KubeCon is a major event, reflecting the widespread use of Kubernetes across industries and enterprise environments. With Kubernetes nearing its 10th anniversary and powering critical workloads globally, security discussions have become a key focus at the event. This evolution of KubeCon mirrors the journey of Kubernetes from a niche project to a vital industry tool that has already changed our world and will continue to do so.
2. Rising Awareness of Software Supply Chain Security
The biggest change I’ve seen over the last few KubeCons is the growing understanding of software supply chain security challenges. Rewind a few KubeCons, and most folks were not aware of Software Bills of Materials (SBOMs), digital signatures or attestations, to name a few.
Nowadays, most folks are not only aware of them but understand how they can be used to improve their security posture, mitigate risk and reduce their attack surface: an SBOM tells you what is inside an artifact, a signature ties the artifact to a known producer, and an attestation is a signed claim (build provenance, a scan result, the SBOM itself) bound to a specific artifact digest.
3. Transition from Awareness to Implementation
There’s far more interest in putting the tools and processes that help with security in place, and in doing so in a way that makes them part of the normal software development workflow rather than “just one more thing” developers have to do.
Most folks have shifted from “What’s that?” to “What’s the best way to do that?”, which benefits everybody in the software supply chain security ecosystem, and that’s awesome to see.
4. Personal Experiences as a Sigstore Contributor
Wearing my Sigstore contributor/on-caller hat, it was great to have so many conversations with developers who are using it to harden parts of their software supply chain, and hopefully I even roped a few of them into contributing to Sigstore. This is one thing I love about KubeCon: building connections, getting more contributors involved and spreading the word about important technologies.
In particular, I am very curious about what they have learned from operating it in their own deployments, so that those experiences get shared and we all end up with fewer scars as the security of our software products improves.
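To make the signatures and attestations discussed above concrete, here is an added example that is not code from this post or from the Sigstore project: a minimal DSSE envelope around an in-toto statement, signed with Ed25519, together with the checks a consumer must make before trusting it. A locally generated key stands in for a Sigstore-issued signing identity, the artifact bytes and the SPDX-like predicate are constructed sample data, and the function names (Attest, Verify) are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

const inTotoPayloadType = "application/vnd.in-toto+json" // payload type in-toto statements use in DSSE
// Statement is an in-toto v1 statement: a predicate (claim) about subjects named by content digest.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     any       `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is a DSSE envelope: base64 payload plus signatures over the PAE of that payload.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// pae is DSSE's Pre-Authentication Encoding; signing it binds the payload type as well as the body.
func pae(payloadType string, body []byte) []byte {
	prefix := fmt.Sprintf("DSSEv1 %d %s %d ", len(payloadType), payloadType, len(body))
	return append([]byte(prefix), body...)
}

// Attest (producer side) signs a statement about artifact and returns the DSSE envelope.
func Attest(priv ed25519.PrivateKey, keyID, name string, artifact []byte, predicateType string, predicate any) (Envelope, error) {
	sum := sha256.Sum256(artifact)
	body, err := json.Marshal(Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: predicateType,
		Predicate:     predicate,
	})
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(inTotoPayloadType, body))
	return Envelope{
		PayloadType: inTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify (consumer side): a trusted key signed the PAE (so the payload type is covered too), the
// statement carries the predicate type the policy asks for, and a subject digest matches artifact.
func Verify(pub ed25519.PublicKey, env Envelope, artifact []byte, wantPredicateType string) (*Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	signed := false
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || (err == nil && ed25519.Verify(pub, pae(env.PayloadType, body), sig))
	}
	if !signed {
		return nil, fmt.Errorf("no signature from a trusted key")
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return nil, err
	}
	if st.PredicateType != wantPredicateType {
		return nil, fmt.Errorf("predicate type %q, want %q", st.PredicateType, wantPredicateType)
	}
	want := sha256.Sum256(artifact)
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == hex.EncodeToString(want[:]) {
			return &st, nil
		}
	}
	return nil, fmt.Errorf("attestation does not cover this artifact")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for a Sigstore-issued signing identity
	artifact := []byte("constructed sample artifact, standing in for an image layer or binary")
	env, _ := Attest(priv, "build-key", "example/app", artifact, "https://spdx.dev/Document", map[string]any{"spdxVersion": "SPDX-2.3"})
	_, err := Verify(pub, env, []byte("a different artifact"), "https://spdx.dev/Document")
	fmt.Println("attestation re-pointed at another artifact rejected:", err != nil)
}
```

Two design points carry over to real deployments. The signature is over the PAE rather than the raw JSON, so an attacker cannot take a validly signed body and present it under a different payload type. The subject is a digest, not a name or tag, so a verifier must hash the artifact it actually holds and compare; a signed SBOM for one image says nothing about another. In Sigstore proper the trusted key is replaced by a short-lived certificate from Fulcio tied to an identity, with the signing event logged in Rekor, but the envelope format and the three checks above are the same.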
5. The Buzz Around Wolfi
James Rawlings (see image above) gave a well-attended talk about Wolfi that sparked conversations for the next few days. He introduced Wolfi, a community project that rethinks how Linux distributions for the cloud are built by leaving out the components other distributions carry but that container workloads do not need.
He also touched on how Wolfi supports building hardened images with a minimal attack surface: fewer packages means fewer known vulnerabilities (CVEs) to carry, fewer things to patch, and fewer components an attacker can lean on in a supply chain attack. It added to the already growing interest and excitement about Wolfi, and seeing more people in the community get pumped about what Wolfi can do was really great.
As we wrap up another remarkable KubeCon, it’s evident that the industry is making significant strides in securing the software supply chain. While there’s still a long road ahead, the collective efforts and enthusiasm observed at the event are promising indicators of progress.
For those who have yet to start, the journey towards a secure software supply chain might seem daunting, but it’s well worth embarking on. By understanding where you currently are on that journey, you can more easily put together a plan of action for a more secure digital future.