Open Source Summit Europe 2024

In today's world, where disability affects a significant percentage of the population, it is crucial for open-source communities to address the challenges faced by persons with disabilities (PWDs) and work towards their inclusion. This talk will delve into practical measures such as referral programs, internal disability disclosures, and integrating disability into existing agendas rather than treating it as a separate issue. We will dive into disability mainstreaming with a focus on its role in promoting universal design and inclusivity. Attendees will gain insights into establishing disability mainstreaming committees, formulating action plans, implementing best practices, and monitoring and evaluating progress.

More and more Operators automate deployment of cloud native applications in Kubernetes. Operators often automate the whole process of setting up and maintaining applications, including setting up the necessary workload resources, such as Deployments, StatefulSets and more. This poses a challenge for us Operator developers. Oftentimes, users of our Operator have specific requirements for the deployed workloads, restricting them to specific nodes, requiring additional configuration, added sidecar containers and many more. This talk shows how using kustomize in our Operator, we can simplify our own Operators while still allowing users the full range of customization. This even also allows for quick iteration during feature development.

The first flexible-array transformation we implemented in the kernel, as part of the Kernel Self-Protection Project, took place back in March 2019. At the time, our work on preventing integer overflows during memory allocations led us to discover an 8-year-old bug. Addressing this bug not only resolved a longstanding issue but also initiated the work of flexible-array transformations across the whole kernel tree. This marked the beginning of a challenging yet rewarding journey to add bounds-checking on trailing arrays in the Linux kernel. Five years have passed since then, and we've come a long way. We have now new Clang and GCC hardening compiler options and attributes, that significantly improve the security of the Linux kernel, particularly in the spatial-safety area. We have new hardening helpers that make traditional methods less prone to error. In general, we have new and safer ways of doing things, which usually require a learning curve, even for seasoned kernel developers. In this talk, we will walk through the most recent challenges and history of our quest to improve spatial safety in the Linux kernel, and with that, get rid of out-of-bounds bugs once and for all.

In the forefront of 5G deployment, Swisscom leads by evolving GitOps through the adoption of the Kubernetes Resource Model (KRM), setting a new standard for dynamic configuration management and abstraction in 5G core networks. This strategic enhancement leverages the strengths of GitOps while introducing the flexibility and scalability of Kubernetes, aiming for increased deployment agility and operational efficiency. Our initiative extends Kubernetes API by integrating with custom Kubernetes Operators, alongside CI/CD advancements through Flux, to refine and empower GitOps practices. This talk will delve into our journey of merging GitOps with KRM, showcasing the transformative impact on 5G network operations, from increased reliability to seamless automation. Join us to explore how Kubernetes is reshaping the future of network management and GitOps methodologies.

Almost seventy years ago, wilderness firefighters who reeled from major losses developed a set of rules with the goal of improving incident management. These rules came to be known as the "Ten Standard Firefighting Orders" and have been the authoritative way of preparing and training for critical operations. In this talk, Kerim explains how the systematic approach of these orders can be adapted to a software engineering context, with the ultimate goal of improving operational reliability and, in the case of an outage, limit damage to human operators and (IT) infrastructure.

ASML is building a self-service, multi-tenant data platform that enables teams to work independently on data products and applications. In a secure multi-tenant Kubernetes setup, tenants get an isolated view of the cluster, allowing them to deploy workloads independently of each other. Data sharing among tenants is governed by a global policy-based access control layer. Our challenge was to introduce a shared Kafka cluster into this setup, with proper tenant isolation and seamless integration with the global access control layer. We used Istio to enable zero-configuration authentication for Kafka clients operating inside the Kubernetes cluster. This allows Kafka authentication to be done with the Kubernetes-native tenant/namespace/serviceaccount idiom. A custom operator reconciles the tenant's topic definitions and topic access requests with the platform administrator's resource allocations and the global data sharing policy, and dynamically configures the right Kafka ACLs and resource quota.

As policy makers are rushing towards standardizing open source security best practices, it is critical to make sure that the standards developed to organize open source software development and mainteance are themselves open source-compatible. Why is this important? What makes a standard open source-compatible? What can we learn from previous efforts such as OpenStand and what can we improve? We'll cover this and more in this talk.

Are you interested in building distributed applications or microservice architectures, but don't know where to start? Join this session and learn how the Dapr building block APIs can make your life easier! Dapr, the Distributed Application Runtime, provides a set of common APIs that makes building microservices a breeze. As the 10th largest CNCF project, Dapr is used in production by companies like IBM, Alibaba Cloud & Microsoft and is a trusted OSS technology backed by a vibrant developer community. This code heavy session covers the most popular building blocks of Dapr: service invocation, pub/sub messaging and state stores. In addition, the built-in cross-cutting concerns such as resiliency, observability, and security are covered. Code samples & live demos will be provided in .NET and JavaScript. After this session, you'll have a good understanding how Dapr can help you build reliable distributed applications faster.

The first half of 2024 saw an entirely new category of threat against open source, one that rocked its trust-based system at its core: social engineering takeover attempt of critical open source projects. These attacks uncovered a systemic gap in open source security management. Up until now, the open source community wasn’t thought of as a potential cyber attack target. But when critical open source projects become stepping stones for industrial espionage, ransomware attacks, or cyberwarfare, maintainers need to adopt comparable security practices to those found in target organizations. This creates a unique set of challenges for open source because of its highly distributed nature and volunteer-based model. In this talk we'll do a post-mortem of the social engineering takeover attempt at the OpenJS Foundation. Without revealing confidential information, we'll still be able to outline critical industry gaps uncovered during this attack and suggest ways to meaningfully improving security at scale while preserving the ethos, culture, and diversity of communities that characterize open source.

One of the greatest out of the box features of K8s is its auto-scaling capabilities, which has a naive implementation or more advanced scheduling capabilities through native tooling. However, both of these models are reactive and not proactive in nature. What if we could employ proactive event-driven scaling of our clusters?! Over our many years of cloud native operations at scale, with the right tools we could! Enter KEDA (AKA Kubernetes Event-Driven Autoscaling). KEDA was built to make just this type of intelligent auto-scaling possible - this includes everything from event-driven and predictable actions like scaling up and down for predictable bursts of usage or shutting down dev clusters during specific and non-working hours, to managing scaling based on your workloads and message queues, or even your APMs and based on the metrics it ingests. In this talk we’ll walk through auto-scaling on steroids with KEDA, how it can be supercharged through CRDs, and in particular the cluster-API which now makes it possible to provision, update, customize and delete K8s clusters declaratively––that together are a game changer when it comes to the infinite scale K8s makes possible.

For the modern computing architectures involving multiple independent workloads and following the zero trust model, it is important that the calls between the workloads be properly authenticated and authorized. SPIFFE/SPIRE does solve the authentication part; however, it does not take into account the request context and other dynamic data. A new Internet draft called Transaction Tokens has been adopted by the IETF OAuth Working Group, which addresses the authorization part. A transaction token is a short-lived, cryptographically signed, request-specific token obtained from the new Transaction Token Service in exchange for the external OAuth/OIDC access token and other context-dependent data. The token is then included into every inter-workload call, which guarantees that only non-spurious calls between the workloads can take place. From this talk, the attendees will learn about how Transaction Tokens work, how they help to make the internal perimeter more secure, how we implemented this upcoming specification using a customized version of Keycloak, what challenges we faced and how we solved them.

Learn how combining traditional NLP techniques with LLMs can solve 'hallucination' issues and create robust applications. This session offers practical insights into leveraging foundational NLP principles alongside advanced LLM technology. It's based on a business problem where the need is to craft technical content that directly tackles the key challenges customers encounter. Rather than wading through hundreds of public forum posts or customer complaints manually, why not harness the combined power of traditional, explainable Natural Language Processing (NLP) techniques integrated with the advanced language generation capabilities of Large Language Models (LLMs). This session will provide architecture and lessons learned in the journey to uncover insights from our users' feedback. Centered around a topic modeling use case, this session offers actionable insights that go beyond mere buzzwords. At the end the audience will learn how to leverage text analytics and the strengths of Open Source LLMs to tailor content that resonates with their audience's needs and pain points. Bonus points: This use-case architecture is completely automated using CI/CD principles.