Shanghai, China
June 24–26, 2019
Click here for more information and registration

Simultaneous translation will be provided for all keynote and breakout sessions.

To view the Chinese version of this schedule please go here.

Venue + Sponsor Showcase Map
场馆 + 赞助商展示区地图

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

KC+CNC - Security + Identity + Policy [clear filter]
Tuesday, June 25


Protecting Sensitive Code with Encrypted Container Images on Kubernetes - Brandon Lum & Harshal Patil, IBM
Many enterprises are driven by trade secrets in their code - whether it is a proprietary AI model, or a secret high frequency trading strategy. It is of utmost importance that critical algorithms, proprietary code, or other content that is highly sensitive have minimum exposure unencrypted.

In this talk, we will show the end-to-end process of how users can create an encrypted container during the build process, to running encrypted container images on a Kubernetes cluster with the proposed ImageDecryptSecrets. We will show how the Encrypted Images OCI spec allows fine-grained encryption through leveraging layering of container images. Finally, we will talk about how Image Encryption will integrate into the container ecosystem, and talk about several possibilities for innovation in the container DevSecOps pipeline.


Harshal Patil

Advisory Systems Software Engineer, IBM
Advisory Systems Software Engineer at IBM, Linux Technology Center, works on containers and technologies around it. Currently works on Encryption in Container Images.
avatar for Brandon Lum

Brandon Lum

Software Engineer, IBM
Brandon loves designing and implementing computer systems (with a focus on Security, Operating Systems, and Distributed/Parallel Systems). He enjoys tackling both technical and business challenges and has a side interest in organizational behavior and leadership. At IBM Research... Read More →

Tuesday June 25, 2019 16:00 - 16:35


Upgrade Images by Digging Out and Automatically Fixing the Vulnerabilities - Lin Ru, DaoCloud & Yan Wang, VMware
As container technology become widely adopted in the industry, how to effectively protect the operating environment from the destruction of related potential vulnerabilities poses new challenges to the platform and/or security administrators.

In this presentation, we'll share the ideas of improving the security of the container images managed in the image registry:
1. A pluggable scanning mechanism to quarry out the vulnerabilities of the images and export the scanning reports with kinds of formats to the interested parties;
2. Controlling policies based on the scanning results applied to images to guarantee a secure distribution channel from the image registry to the operating environments;
3. A way to automatically fix the vulnerabilities found in the image to improve the security of the images;
4. A fantastic demo to let you easily understand the solution presented in this talk


Yan Wang

Senior Software Engineer, VMware
Yan Wang is a Senior Software Developer currently working at VMWare, living in Peking. I have a Master of Science in Computer Science from Beijing JiaoTong University and started my career in Adobe System 8 years ago. I am a core maintainer of open source project Harbor, which is... Read More →

Lin Ru

DevOps Architect, DaoCloud

Tuesday June 25, 2019 16:45 - 17:20


How SPIFFE Helps Istio in Service Mesh Federation - Yonggang Liu & Wencheng Lu, Google
This proposal resolves the fundamental identity federation problem between different trust domains, using the trust domain and bundle standard proposed by SPIFFE. As an important collaborator of SPIFFE/SPIRE, Istio adopts this standard to support federations with SPIRE and other identity systems.

The newly proposed standard enables multiple service meshes to securely establish trusts for cross-mesh secure communications. In this talk, we will explain how this new standard can help on federated service meshes and how Istio supports the standard. Finally, we will demonstrate how the federation can be set up between Istio and SPIRE systems.

avatar for Wencheng Lu

Wencheng Lu

Senior Staff Software Engineer, Google
Dr. Wencheng Lu is a senior staff software engineer at Google. He has been with Google for 12 years. He is currently a tech lead manager overseeing Istio Security.
avatar for Oliver Liu

Oliver Liu

Senior Software Engineer, Google
Dr. Oliver (Yonggang) Liu is a senior software engineer in Google. He is one of the early developers and core engineers of Istio. Oliver has 10 years of experience in research and development of distributed systems and service mesh. Oliver received his PhD degree from University of... Read More →

Tuesday June 25, 2019 17:30 - 18:05


Gatekeeper: Flexible, Shareable Policy for Kubernetes - Craig Peters, Mircosoft
How do you ensure your Kubernetes resources conform to your internal policies and procedures? Every organization defines rules governing where images can be deployed from and what labels all resources must include. These rules are essential to meet security, legal, and operational requirements.

Join us for an introduction to the new Gatekeeper project being jointly developed by Google, Microsoft, the CNCF's Open Policy Agent (OPA) project, and the community. You will learn how to get started with the upstream policy library that includes rules for common scenarios like image registry whitelisting, label management, and more. You will also learn how you can extend Gatekeeper with your own custom rules and then contribute them back to the community. Finally, you will see how the same policies can be applied at different phases of your software's lifecycle like CI/CD and audit.

avatar for Craig Peters

Craig Peters

Principal Program Manager, Microsoft
Craig is a Principal Program Manager on the Container Compute team at Azure focused on container infrastructure projects. Craig is active in many Kubernetes Special Interest Groups and contributing to Windows nodes in Kubernetes. He is a technology generalist interested in making... Read More →

Tuesday June 25, 2019 18:15 - 18:50
Wednesday, June 26


Secure Container with SGX: Protecting Secret in Cloud Environment - Isaku Yamahata, Intel & Xiaoning Li, Alibaba
In cloud computing container is widely adapted, but its isolation is weak. It's important to protect secrets even from cloud service provider. Software Guard Extention(SGX) provides Trusted Execution Environment(TEE) where only Intel and SGX implementation is trusted with untrusted OS/VMM/BIOS. It
requires to modify applications which is sometimes difficult for various reasons. Ideally unmodified user binary can run in SGX enclave.

In this talk, Library OS to allow unmodified binary to run within SGX TEE is introduced. It hooks system call by replacing shared library. Go is most popular language for cloud native applications with
uniqueness to use static link. We enhanced Graphene LibOS to support golang binary and hardened it for production use. We will share our experience to add golang support to Graphene-SGX LibOS and our future plan.

avatar for Isaku Yamahata

Isaku Yamahata

Software Engineer, Intel
Isaku Yamahata is a Software architect in the Open Source Technology Center, Intel. His main focus is virtualization technology, network virtualization as Software Defined Networking for multiple years. Isaku is an active on Graphene LibOS and OpenStack Neutron (networking) and has... Read More →

Xiaoning Li

Chief Security Architect, Alibaba
Xiaoning Li is Chief Security Architect at Alibaba Cloud. Previously he was a Security Researcher and Architect at Intel Labs. Focused on analyzing/detecting/preventing 0 day/malware with existing/new processor features. For the past 10+ years, his work has been focusing on both hardware/software... Read More →

Wednesday June 26, 2019 11:20 - 11:55