What I Learned at fwd:cloudsec North America 2025

At the end of June, I had the chance to attend fwd:cloudsec North America 2025 in Denver, Colorado. For those unfamiliar, fwd:cloudsec is a community-driven, non-profit conference focused on cloud security research, offensive techniques, and defensive strategies. What makes it unique is its vendor-agnostic spirit: you won’t find flashy marketing keynotes or sales pitches here, just practitioners sharing what really works (and what doesn’t) in securing the cloud.

The conference ran June 30 – July 1, with two packed days of deep technical talks, hallway discussions, and a strong community vibe. All talks are recorded and available on the official YouTube playlist.

Why I Attended

As someone who spends most of my time on Kubernetes, Azure, and multi-cloud security strategy, fwd:cloudsec is one of the rare conferences that consistently delivers fresh, practical insights. My goals this year were to:

  • Learn from the latest offensive research and translate it into stronger threat models.
  • See how others are balancing platform guardrails vs. application-level controls.
  • Connect with peers facing similar large-scale challenges in runtime security, IAM complexity, and SaaS integrations.

Sessions That Shaped My Thinking

Maxime.

Kubernetes 1.34: What’s New in Security

Released on August 27, 2025, under the theme « Of Wind & Will (O’ WaW) », Kubernetes v1.34 carries a strong security focus: zero-trust principles, secure defaults, and identity-aware operations across the platform.

Projected ServiceAccount Tokens for Image Pulls (Beta)

– What’s new: The kubelet’s image credential provider plugins can now receive a short-lived, audience-bound ServiceAccount token for the pod’s ServiceAccount and exchange it for registry credentials, so nodes no longer need static image pull Secrets or node-wide registry credentials.

– Why it matters: Registry access follows workload identity rather than node-level secrets. A compromised node no longer hands an attacker a long-lived registry credential, and the tokens expire on their own.

Scoped Anonymous Access for API Endpoints

– What’s new: Administrators can expose the health endpoints (/healthz, /readyz, /livez) to unauthenticated callers while rejecting every other anonymous request, by listing the allowed paths under anonymous.conditions in the kube-apiserver AuthenticationConfiguration file.

– Why it matters: It prevents accidental over-exposure of API capabilities to system:anonymous. Load balancers and probes keep their open health checks, and everything else fails authentication before it ever reaches authorization.
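As an added example (mine, not taken from the post or from the Kubernetes project), here is the kube-apiserver AuthenticationConfiguration that produces this behaviour, with the weak setting shown first for contrast. It assumes the file is passed with --authentication-config and that the cluster serves the anonymous field under apiserver.config.k8s.io/v1 as v1.34 does; the file path is assumed, and the health-check paths are the ones named above.

```yaml
# Added example, not from the original post. Assumes kube-apiserver is started
# with --authentication-config=/etc/kubernetes/authn.yaml (path assumed) and
# that `anonymous` is served under apiserver.config.k8s.io/v1, as in v1.34.
# The file replaces --anonymous-auth; the flag and the file cannot be combined.

# Weak setting: anonymous requests are accepted for every endpoint, and only
# RBAC stands between system:anonymous and the API (equivalent to
# --anonymous-auth=true).
#
# apiVersion: apiserver.config.k8s.io/v1
# kind: AuthenticationConfiguration
# anonymous:
#   enabled: true

# Scoped setting: anonymous requests are accepted only for the listed paths.
# Any other unauthenticated request fails authentication (HTTP 401) before
# authorization runs, so a permissive binding for system:unauthenticated
# cannot widen the exposure.
apiVersion: apiserver.config.k8s.io/v1
kind: AuthenticationConfiguration
anonymous:
  enabled: true
  conditions:
  - path: /healthz
  - path: /livez
  - path: /readyz
```

To check the effect, an unauthenticated request to https://<apiserver>/livez should still answer ok, while the same request to /api should now return 401 Unauthorized rather than the 403 Forbidden that an authenticated-but-unauthorized anonymous request gets under the weak setting.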

Pod Identity & mTLS with PodCertificateRequests (Alpha)

– What’s new: A pod can request an X.509 certificate through a projected podCertificate volume. The kubelet generates the private key on the node, submits a PodCertificateRequest to the API server for a signer to fulfil, and delivers the issued certificate to the pod for use in mTLS. The feature is alpha in v1.34, behind the PodCertificateRequest feature gate.

– Why it matters: It embeds a strong, workload-specific identity into the platform itself, so services can authenticate each other without hand-distributed certificates or Secrets.
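An added example of the consuming side, written by me rather than taken from the post or the Kubernetes project: a pod that asks the kubelet for a certificate through a projected podCertificate volume. Field names follow the v1.34 alpha API and should be checked against the release you run; the signer name, image, ServiceAccount and mount path are assumptions, and a signer controller for that signer name must exist in the cluster, since the alpha does not ship one for pod certificates.

```yaml
# Added example, not from the original post. Requires the PodCertificateRequest
# feature gate on kube-apiserver and kubelet and the certificates.k8s.io/v1alpha1
# API enabled (v1.34 alpha), plus a signer controller for the assumed signer
# name example.com/workload-mtls that approves and issues the requests.
apiVersion: v1
kind: Pod
metadata:
  name: mtls-client                        # assumed name
spec:
  serviceAccountName: mtls-client          # assumed; the identity the signer encodes
  containers:
  - name: app
    image: registry.example.com/mtls-client:1.0   # assumed image
    volumeMounts:
    - name: pod-cert
      mountPath: /var/run/pod-cert         # assumed path the app reads its TLS client creds from
      readOnly: true
  volumes:
  - name: pod-cert
    projected:
      sources:
      - podCertificate:
          signerName: example.com/workload-mtls   # assumed signer; must be served by a controller
          keyType: ED25519                        # private key is generated by the kubelet, written only to this volume
          maxExpirationSeconds: 3600              # short lifetime; the kubelet re-requests before expiry
          credentialBundlePath: credentialbundle.pem   # private key and certificate chain in one PEM file
```

The application loads /var/run/pod-cert/credentialbundle.pem into its TLS client configuration and must re-read it when the kubelet rotates the file; the peer verifies the presented chain against the signer’s CA, which is how the pod’s identity (rather than a shared Secret) becomes the authentication factor.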

Field- or Label-Aware Authorization (Enhanced Least Privilege)

– What’s new: Although not yet GA, the authorization layer can receive the field and label selectors of list and watch requests, so authorizers (the built-in Node authorizer and webhook authorizers, rather than RBAC Role rules themselves) can grant a kubelet access only to objects bound to its own node, such as pods whose spec.nodeName matches.

– Why it matters: Selector-aware decisions cut the risk from overbroad bindings: a node that only needs its own pods no longer has to be granted list and watch over every pod in the cluster.

CEL Mutation Policies & External JWT Signing

– CEL Mutation Policies: MutatingAdmissionPolicy, now beta, lets you declare mutations in Common Expression Language (CEL) inside the API server itself, replacing a class of mutating webhooks with declarative, in-tree policy enforcement.

– External JWT Signing: The API server can delegate the signing of ServiceAccount tokens to an external signer (for example a KMS- or HSM-backed service), so the signing key never has to sit on the control-plane node’s disk and every signature is auditable at the signer.
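As an added example of a CEL mutation policy (mine, not the post’s or the project’s): a MutatingAdmissionPolicy that forces runAsNonRoot at both the pod and container level on every pod outside kube-system, with its binding. It assumes the MutatingAdmissionPolicy feature gate and the admissionregistration.k8s.io/v1beta1 API are enabled, as the v1.34 beta requires; the policy and binding names are mine.

```yaml
# Added example, not from the original post. Beta in v1.34: needs the
# MutatingAdmissionPolicy feature gate and
# --runtime-config=admissionregistration.k8s.io/v1beta1=true on kube-apiserver.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
metadata:
  name: force-run-as-non-root        # assumed name
spec:
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["pods"]
  failurePolicy: Fail                # if the expression cannot be evaluated, reject instead of admitting unmutated
  reinvocationPolicy: IfNeeded       # re-run if a later mutation (e.g. a webhook) changes the object
  mutations:
  - patchType: ApplyConfiguration    # server-side-apply style merge: only the listed fields are set
    applyConfiguration:
      # Pod-level securityContext alone is not enough: a container-level
      # runAsNonRoot: false overrides it, so every container is patched too
      # (containers merge by name, so other container fields are untouched).
      expression: >-
        Object{
          spec: Object.spec{
            securityContext: Object.spec.securityContext{ runAsNonRoot: true },
            containers: object.spec.containers.map(c,
              Object.spec.containers{
                name: c.name,
                securityContext: Object.spec.containers.securityContext{ runAsNonRoot: true }
              })
          }
        }
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: force-run-as-non-root        # assumed name
spec:
  policyName: force-run-as-non-root
  matchResources:
    namespaceSelector:
      matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: NotIn
        values: ["kube-system"]
```

Because ApplyConfiguration merges, a pod that explicitly sets runAsNonRoot: false is overwritten, which is the intent here. initContainers are not covered by this expression and need the same treatment behind a has(object.spec.initContainers) guard. Mutation is not validation: anything admitted later by a mutating webhook with a different opinion, or created through a path that bypasses this policy, can still run as root, so pair it with a ValidatingAdmissionPolicy that asserts the same fields.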

Mutual TLS (mTLS) for Pod-to-API Traffic

– What’s new: Kubernetes is moving toward mTLS for pod-to-API-server communication, with the pod certificate work above as the foundation. v1.34 does not ship this as a separate feature, and the details are still unfolding.

– Why it matters: The channel between workloads and the control plane is already TLS-encrypted and server-authenticated; client certificates would add workload authentication on that same channel, a core zero-trust tenet.

OCI Artifact Volumes & Image Pull Security

– What’s new: Image volumes, beta in v1.34, let a pod mount an OCI image or artifact directly as a read-only volume, so external files (policy bundles, models, configuration) are delivered versioned through the same registry, pull policy, and credential path as container images.

– Why it matters: It removes the sidecars, init containers, and hand-rolled download scripts previously used to inject such files, and when the reference is pinned by digest the mounted content is immutable.
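An added example (mine, not from the post or the project) of a pod that mounts a policy bundle published as an OCI artifact. Registry, image, tag and path names are assumed; it requires the ImageVolume feature gate to be on for your cluster and a container runtime that implements image volume mounts.

```yaml
# Added example, not from the original post. Image volumes are beta in v1.34;
# confirm the ImageVolume feature gate is enabled on kube-apiserver and kubelet.
# Registry, image, tag and path names are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: policy-consumer                  # assumed name
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.4.2            # assumed image
    volumeMounts:
    - name: policy-bundle
      mountPath: /etc/policy             # the artifact's filesystem appears here, read-only
      readOnly: true
  volumes:
  - name: policy-bundle
    image:
      # Pin by digest in production (registry.example.com/policy-bundle@sha256:<digest>)
      # so that what is mounted cannot change under a mutable tag.
      reference: registry.example.com/policy-bundle:2025.06   # assumed artifact
      pullPolicy: IfNotPresent           # Always would force a registry check on every pod start
```

The artifact is pulled with the same credentials as container images, so the projected ServiceAccount token flow described earlier applies to it as well; with IfNotPresent and a mutable tag a node may keep serving a cached, older bundle, which is the second reason to reference the artifact by digest.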

Conclusion

Kubernetes v1.34 represents a meaningful step forward in embedding robust security into the platform itself. From per-pod identity to safer defaults, explicit anonymous access handling, and fine-grained policy enforcement, it advances Kubernetes toward a more zero-trust architecture.

Organizations should plan the upgrade thoughtfully: projected ServiceAccount tokens for image pulls and scoped anonymous access can be adopted right away to tighten cluster security, while pod certificates are alpha and belong in test clusters until they graduate.

Maxime.

Behind the Scenes of Global Azure Quebec 2025: Organizing, Speaking, and Securing the Future of AI

This year, I had the privilege of organizing Global Azure Quebec 2025 and it was without a doubt one of the most energizing, rewarding, and thought-provoking events I’ve ever been part of.

What started as a community gathering has grown into something truly special. We welcomed cloud engineers, architects, developers, students, and security professionals from all across Quebec (and beyond), all coming together to share knowledge, connect with peers, and dive deep into the future of Azure, AI, and cloud security.

A Community-Driven Event with Real Impact

Organizing this year’s event was no small feat—but every late-night planning call, every speaker coordination thread, every sponsorship pitch… it all paid off. Seeing a packed room full of curious minds, people asking the hard questions, and genuine hallway conversations made it worth every second.

Our sessions spanned everything from cloud-native app development to AI tooling, governance, platform engineering, and cybersecurity. The local talent we had on stage was simply incredible. I’m proud we could give them a platform—and equally proud of the strong turnout and engagement from the audience.

Alongside organizing, I also had the chance to present one of my current research interests: AI Red Teaming.

My session, titled « Security Risks for Generative AI », explored how we can build autonomous, LLM-powered agents to simulate adversarial behavior and proactively test the security of GenAI workloads.

In short, the AI Red Teaming Agent is designed to:

  • Simulate prompt injection and data leakage scenarios
  • Stress test model outputs for toxicity, hallucination, and jailbreaks
  • Integrate into security pipelines for continuous red teaming
  • Generate structured findings and map them to frameworks like MITRE ATLAS

The idea is simple but powerful: if AI is going to be used to build things, it should also be used to break them, ethically of course.

The feedback was amazing. Many attendees were intrigued (and maybe a little concerned) by the offensive potential of AI. But more importantly, there was a strong appetite for building defensible, auditable, and secure GenAI pipelines.


Looking Ahead

Global Azure Quebec 2025 confirmed what I already knew: our community is ready for the next phase of cloud innovation—but it must be built with security in mind.

As we embrace AI, we also need to invest in the offensive side of security research to understand our weaknesses before attackers do. That’s where AI red teaming comes in. And that’s the conversation I’ll keep pushing forward.

To everyone who attended, supported, or helped behind the scenes—thank you. I can’t wait to see where we take this next.

Until then, stay curious, stay secure.

Maxime.