KubeCon + CloudNativeCon Japan 2025

Modern cloud servers are built on NUMA (Non-Uniform Memory Access) and SMT (Symmetric Multi-Threading, aka Hyperthreading) — but few engineers realize how much these technologies impact application performance.

NUMA means that your cloud server’s memory might be significantly slower to access, because it’s connected to a different CPU, while Hyperthreading makes a single CPU core pretend to be two, but not at twice the speed.

This talk will:
• Demystify NUMA & Hyperthreading — what they are, how they work, and why they matter.
• Explore Kubernetes integration—the (limited) ways Kubernetes interacts with NUMA.
• Show real-world performance impact — illustrated with measurements on AWS and Google Cloud.
• Give you visibility — how to use Prometheus metrics and Linux commands to view your servers’ NUMA and SMT configurations.

By the end of the session, you'll have an understanding of the issues, and the tools to measure and their impact on the performance of your workloads.

One of the key bottlenecks in Kubernetes pod startup is the time taken to pull container images and OCI artifacts. It’s also costly to fetch large container images from the registry often. To tackle this problem, we developed a cache system with the following features:

* New Cache Hierarchy: Images pulled by pods are shared across the entire cluster, enabling cluster-wide optimization, not only cluster-local cache.
* Ninja: Users experience faster container image pulls without any changes on their part. Just like a ninja, the system stealthily enhances performance.
* Preheating: It supports pushing images to preheat the cache for subsequent pulls.

Deployed in a production cluster, the cache system has achieved a cache hit rate of around 95%, significantly reducing pod startup times and network communication with registries. Attendees will learn practical insights into leveraging cache and CRI to optimize image and OCI artifact pulls, ultimately enhancing cluster efficiency.

At PlayStation Network, our Kubernetes platform with 50+ clusters handles massive amounts of user traffic every day, and the platform team consists of engineers in several global locations with different technological and cultural backgrounds.
Despite such scale and organizational complexity, we achieved remarkable stability in FY2024 so far, maintaining a notable 99.995% uptime for our platform.
In this session, we will share the key practices behind this success, including a controlled deployment strategy, robust scaling techniques, minimized manual intervention, and 24/7 operations spanning global regions. While these approaches may not be special individually, their consistent and disciplined application has been the foundation of our platform's stability.
Those who strive to achieve stable platform operation and organizations looking to expand or consolidate their platforms will leave with actionable strategies to enhance the reliability of their platform.

As LY Corporation transitioned to developing a new private cloud infrastructure, we confronted significant challenges in managing over 6,000 baremetal servers through Kubernetes integrated with OpenStack, resulting in increased complexity, extended deployment times, and excessive resource consumption.

This session delivers how our custom controllers enhanced our approach, automating complex configurations and addressing disruptions in ArgoCD and Ansible, Kubernetes resource shortages, and scalability constraints.

We will focus on:

- Challenges in Existing Baremetal Provisioning: Explore the operational complexities and inefficiencies caused by scale, including deployment delays.

- Implementation of Custom Controllers: How we automated configurations and leading to faster, more reliable deployments with Helm.

- Enhancements in Resource Management: Techniques that streamlined processes and enhanced OpenStack integration, ultimately boosting operational simplicity and efficiency.

"I've started to understand the basics of Kubernetes, but when it comes to running it in production, I can't quite imagine what kind of issues might arise..."
To ease these concerns, this session will use original characters, illustrations, and animations in a “cute manga” style to visually demonstrate how production applications can break and how to troubleshoot them.
In our story, the main application as a character takes center stage as the hero, venturing out on a grand journey—only to be "suddenly attacked by a monster" at the most inopportune moment. By following this storyline, you will learn both how applications fail and how to fix them. Additionally, just as an adventurer equips better armor to prepare for future battles, we will explore common issues and explain how to prevent them from happening in the first place.
Join us on an exciting adventure in "manga-style troubleshooting" and gain the confidence to tackle production Kubernetes challenges head-on!

Wasm is touted as the next generation of containers, offering a smaller, more secure, and more portable application format. However, challenges remain, particularly in achieving enough isolation for public clouds where multi-tenancy exists. This is because Wasm shares the host kernel between workloads like containers. To take full advantage of Wasm, there is still insufficient discussion on this problem.

To address the issue, we've developed a new Wasm runtime, Mewz. It runs a single Wasm module within a dedicated VM while also having a lightweight and specialized kernel (unikernel). This revolutionary execution model enables more secure and low-overhead Wasm containers. We've open-sourced the implementation, and Mewz is listed in the CNCF cloud native landscape! In this session, we'll explain the architecture of Mewz and why it's more isolated and low-overhead than ordinary Wasm runtimes. Building on this presentation, let’s discuss the future of cloud workloads powered by Wasm!

High availability in Kubernetes typically requires a 3-node setup to support etcd's Raft algorithm. But what if you could achieve HA with only 2 nodes, slashing infrastructure costs by over 30% without sacrificing reliability? This is a game-changer, especially for deployments in retail and manufacturing scaling across hundreds or thousands of locations.
Join us to explore a groundbreaking 2-node HA Kubernetes solution, built by evolving the Raft algorithm for etcd. Unlike alternatives that compromise on compatibility, our approach delivers etcd-based HA, which can tolerate both node failures and network partitioning like a traditional 3-node cluster. You can seamlessly transit between 3-node and 2-node cluster utilizing standard tools like kubeadm or CAPI. This approach requires only a simple shared storage witness.
In this session, we will unpack the mechanics of this innovation, demonstrate 2-node cluster provisioning, and showcase its resilience under real-world failure scenarios.

Got an open source project? Considering submitting it to the CNCF (or another foundation)? Whether and when to do this is one of the biggest decisions you'll make in the life of your project. Joining a foundation changes things fundamentally, and whether or not this is a good decision is going to depend on where you are in your project's development and what your goals for the project currently are.

As a community architect in the Red Hat Open Source Program Office, I help projects with this decision. During this talk, I will share common things that projects need to consider before they make this important decision. I will also talk about common benefits and challenges that projects usually experience. After this talk you should have a better understanding of whether you should contribute the project to CNCF or not.

This panel, featuring instructors from Kubernetes Upstream Training Japan, explores how this initiative has accelerated open-source involvement across the country since 2019. Our panelists will share personal stories, highlighting how the training lowers barriers, boosts motivation, and drives long-term community engagement. We’ll examine the current status of Japanese contributions to Kubernetes, discuss lessons learned from past participants, and propose strategies to strengthen future growth. Attendees can expect a candid conversation about nurturing collaboration, overcoming cultural and linguistic challenges, and fostering a thriving ecosystem. Whether you’re an aspiring contributor or a seasoned leader, join us to gain practical insights into cross-cultural community-building and discover the next chapter for cloud-native innovation in Japan.

As cloud-native applications accelerate in complexity, managing APIs end to end is a top priority. This session introduces a next-generation, Kubernetes-native approach using Envoy Proxy and WebAssembly (Wasm) for dynamic, high-performance traffic control.

We’ll show how Wasm powers real-time policy enforcement, AI-assisted traffic analysis, and advanced rate limiting—without rebuilding Envoy. Attendees will learn how to implement Zero Trust principles, secure multi-tenant API gateways, and deliver external routes with minimal overhead.

Observability enhancements using eBPF and OpenTelemetry will demonstrate how to align trace data with runtime metrics for deeper insights. Finally, we’ll discuss developer onboarding, version governance, and lifecycle management to ensure long-term API success.

A live demo will illustrate ephemeral testing environments, rapid iteration, and how to achieve a future-proof, high-throughput API management layer in Kubernetes.

Authorization is one of the most important considerations for cloud-native applications, as highlighted by the OWASP Top 10. For a long time, there was no clear standard, making authorization a significant challenge for many implementers. The OpenID Foundation AuthZEN WG is now working on standards, focusing on interfaces between PEP (Policy Enforcement Point) and PDP (Policy Decision Point), which provides some hope.
However, managing authorization data remains challenging. Since this data is closely related to authentication data, architects often struggle with how the OP (OpenID Provider) and PDP should manage and integrate it. There are multiple methods, and the best approach varies by use case.
In this session, Yoshiyuki Tabata will explain various methods for managing and integrating authentication and authorization data. He will also describe implementation using Keycloak for OP and Topaz for PDP, providing valuable insights into effective data management.

Cloud presents many advantages to users in terms of flexibility, scalability and innovation. Unfortunately compliance has become more complex as standards and regulations are used by end consumers as a proxy for security of underlying platforms whose operations are opaque. Consequently platform providers have ever increasing compliance obligations.

Compliance-as-code encompasses many activities such as automation of system configuration and general DevSecOps approaches. One perpetual challenge is how to provide machine readable workflows which span from standard to audit to allow automation in a way that scales.

OSCAL-Compass, a CNCF sandbox project, provides tooling to manage both the compliance artefacts as code and link those artefacts to executable policies. This talk will provide practical introduction to using OSCAL compass to document and enforce compliance controls using two of its tools: Compliance Trestle and C2P (compliance2policy) in the context of Kubernetes clusters.

SBOMs (Software Bills of Material) are essential for improving visibility and security in the software supply chain. As open-source code drives modern development, organizations face growing security risks due to limited transparency in software dependencies. Attacks like SolarWinds (2020) and Kaseya (2021) highlight the urgent need for stronger software supply chain security.
However, SBOMs are often inaccurate. This talk explores why these inaccuracies occur, how attackers exploit them, and how to address these issues. A key challenge is dependency management file analysis (e.g., cargo.toml for Rust), which struggles to track components effectively.
Enter SBOMit, an OpenSSF sandbox project leveraging in-toto attestations to create cryptographically verifiable SBOMs. By capturing supply chain steps as they occur, SBOMit enhances accuracy, mitigates tampering risks, and strengthens security. This talk examines SBOMit’s role in improving SBOM reliability across the CNCF ecosystem.