18 April 2023
The Sched app allows you to build your schedule, but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon Europe 2023, and have an All-Access pass in order to participate in the sessions.

The KubeCon + CloudNativeCon Only virtual pass is still available. With this pass you get all the fantastic content you've come to expect from KubeCon + CloudNativeCon but from the comfort of your own home! Observability Day and CiliumCon will be available via livestream on the virtual platform; recordings of all other co-located events will be available 24-72 hours post-event on the CNCF YouTube channel.

Thank you to our CiliumCon livestream sponsor, Isovalent, and our Observability Day livestream sponsor, Lightstep! Join the conversation on Cilium Slack.

Please note: This schedule is displayed in Central European Summer Time (UTC +2).

The schedule is subject to change.
Tuesday, April 18 • 11:25 - 11:50
The Negatives to a Per-Host Service Mesh, the Sidecar Model Being a More Ideal Solution for Providing a More Robust Security Boundary - Chad Crowell, Raft

In our quest to improve the security of our service mesh, eBPF seems like a logical solution, in particular a per-host proxy that would eliminate the need for a sidecar in our service mesh implementation. But there are security implications we need to consider, and making this decision carelessly would leave us more vulnerable. The sidecar proxy is actually an integral part of providing a reliable and scalable service while enforcing the necessary security constraints. Eliminating the sidecar proxy in favor of a per-host proxy is a bad idea, and in this talk you'll discover why.

We'll discuss the footprint of a proxy at low traffic levels, the existing mechanisms already built into Kubernetes that you can leverage, the blast radius of a sidecar proxy, and, most importantly, the controlled security boundary. The alternative per-host proxy introduces complexity and unpredictability into your cluster, because its blast radius is large and ever-changing. The security landscape becomes more complex and the attack surface grows.

Chad Crowell

Kubernetes SME, Raft
Chad Crowell is a Kubernetes SME at Raft, a CNCF Ambassador, and the author of "Acing the Certified Kubernetes Administrator Exam". He enjoys helping people learn Kubernetes through the KubeSkills community.

Tuesday April 18, 2023 11:25 - 11:50 CEST
Hall 7, Room D | Ground Floor | Europe Complex