18-19 June

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon India 2026 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Thursday June 18, 2026 12:40pm - 1:10pm IST
Kubernetes has long struggled with safe container isolation: `root` in a pod meant `root` on the node. This session shows how KEP‑127 and user namespaces finally make root inside a container harmless.

Real scenario: Your container needs CAP_SYS_ADMIN for FUSE mounts. An exploit succeeds. Without user namespaces: attacker = root on node, full cluster access. With user namespaces: attacker = UID 65536 - relatively powerless.

This talk chronicles the 9+ year journey to mapping your pod's "root" to an unprivileged nobody on the host.

Why it took 9 years:
- Early attempts (2016) failed: no kernel support
- v1.25-1.28: Three alpha rewrites
- v1.27: idmap mounts breakthrough
- v1.30: off-by-default Beta after CRI overhauls
- v1.33: Default Beta, production-ready
- v1.34: Observability (metrics added)

What you'll learn:
✓ Live code walkthrough: kubelet → CRI → runc UID remapping
✓ Demos: container breakout attempts (CVE-2024-21626, AKA Leaky Vessel, patched)
✓ Practical deployment patterns
Speakers
Sumir Broota

Sr DevSecOps Engineer & Tech Architect, Broota Enterprise
An independent DevSecOps and Tech Architecture consultant, Kubestronaut, and cybersecurity and FOSS enthusiast, currently running Mumbai’s largest cybersecurity community, BreachForce.
205 (Level 2)
  Security
