Conference:  KubeCon + CloudNativeCon Europe 2023

Authors: Klaus Deissner, Clemens Vasters

2023-04-20

CloudEvents Discovery is a metadata document format and metadata API for creating, publishing, discovering, and connecting event flows. It defines a schema registry, a message and event catalog and an declarative model for defining producer, consumer, and subscriber endpoints. The core focus of CloudEvents Discovery is on providing a metaschema for CloudEvents, but the specification also defines metaschemas for AMQP and MQTT messages and is extensible for further metaschemas. In this session you will learn about CloudEvents discovery and the existing tooling, including code generators and transformation of endpoint information into AsyncAPI and OpenAPI.

Conference:  KubeCon + CloudNativeCon North America 2022

Authors: Alejandro Saucedo

2022-10-28

The presentation discusses the need for collaboration and standardization in metadata operations for end-to-end data and machine learning platforms.

• The goal is to achieve end-to-end interoperability at scale through collaboration and standardization.
• Practitioners at every stage of the MLOps and DataOps lifecycle should collaborate to come up with standards.
• The creation of bad standards is worse than having no standards at all.
• Standardization should focus on interfaces, metrics, and operational considerations.
• Tools like ml server, seldom core, and kubernetes can help abstract data science from operations.

Conference:  KubeCon + CloudNativeCon North America 2022

Authors: Michael Lieberman, Mihai Maruseac

2022-10-27

By now, we’re getting bored of hearing the “am I affected by X vulnerability?” question. However, as supply chain attacks become more sophisticated, answering just this question is insufficient. Instead, we need to think about: “If TravisCI was compromised, which software is affected? With a bad actor in your supply chain, what's the blast radius?” There is a ton of information today in SBOMs, in-toto/SLSA attestations, etc. However, these documents observed individually provide limited information, but when put together and related, super-additively expand the knowledge base of our software supply chain. We built a supply chain knowledge graph tool to help better understand the relationships between artifacts and their metadata/identities. Through this high-fidelity graph, we not only answer the hard questions posed earlier, but also make new discoveries. For example, we found that most build-systems rely not only on obvious dependencies like gcc, but often overlooked projects like libpcre and sed.

Conference:  Cloud Native SecurityCon North America 2022

Authors: Billy Lynch

2022-10-25

Attestations are a useful tool for attaching supply chain metadata to artifacts and images, but how can we attach attestations to source code itself? In this talk, we'll go into some of the ways you can attach attestations to source code with Git. Learn how data can be stored verifiably alongside commits, how attestations can be modeled to describe SLSA source requirements, and how tools like Gitsign can make this easy to add to your CI/CD pipelines.