KubeCon EU 2026: Kubernetes Matures – BSD, eBPF, and mTLS
Kubernetes after 12 years: KubeCon shows BSD integration via Lima and urunc, Cilium simplifies mTLS with eBPF and ztunnel. Sovereignty remains a side issue.
- Dr. Udo Seidel
From March 24 to 26, 2026, Amsterdam was once again the center of the (European) cloud-native universe. According to official CNCF figures, over 13,000 attendees made their way to KubeCon EU in the Dutch metropolis to learn the latest about Kubernetes and Co. Unsurprisingly, the first day was dedicated to the topic of AI.
In the spring of 2026, you cannot host an open-source conference in Europe without significantly addressing the topic of (data) sovereignty. However, KubeCon EU missed an opportunity in this regard. There was only a small satellite event on the topic beforehand. Although European Kubernetes users such as BWI, the IT service provider of the German Armed Forces, and the French railway company SNCF presented their cloud-native journeys on the main stage, the impression remains that the topic was rather neglected. The theses “Collaborate globally and install locally” and “You can always fork” are only of limited help.
New Runtimes and Platforms: Lima, urunc, and the BSD World
Although Kubernetes has existed for 12 years and has become a standard, important work on fundamental components is still necessary. Technically, container orchestration is largely tied to Linux. This applies both to the underlying infrastructure and to the applications in the containers. For the latter, there is good news for BSD fans and macOS users: the Lima project (Linux Machines), which has been part of the CNCF family since 2022. Its original goal was better support for containers on macOS machines. It is now also available for Linux, among others, and focuses on lightweight virtual machines.
Version 2.1 of the project, released before KubeCon EU 2026, now also supports macOS and FreeBSD as guests. However, the feature is still experimental. With Lima, users can run lightweight virtual machines that are comparable to containers. Containers and Kubernetes pods can also be managed with Lima. The documentation contains examples for K3s, k0s, and RKE2. Alternatively, there are other projects such as KubeVirt that also treat virtual machines and containers equally.
There was also news for OpenBSD. The urunc project provides another container runtime, one that uses the unikernel concept. This is also where the project name comes from: urunc is the runc for unikernels. Instead of a process in a container, a small operating system kernel starts in an isolated environment. This is comparable to a special virtual machine and is already known from Kata Containers and Nabla. The urunc project aims to provide a special unikernel that is compatible with BSD. In addition, there is a minimalist base system to run an application. This eliminates the need to port BSD applications for containers; they no longer need to be Linux-compatible. The only additional effort is managing the urunc runtime environment. The project has been part of the CNCF family for almost a year now.
mTLS without Sidecars: Cilium Integrates ztunnel
mTLS (mutual Transport Layer Security) remains an important topic in container networking. The keyword here is CNI (Container Network Interface), and a well-known name in this area is Cilium. The project started ten years ago and has been under the care of the CNCF since 2021. Since version 1.19, Cilium also supports mTLS without using so-called sidecars and without needing to adapt container applications. A key component is eBPF. On the one hand, it allows comprehensive insight into the processes in containers and pods; on the other hand, it can be used to implement and enforce security policies.
The other component is ztunnel, known from the Istio service mesh. In the so-called Ambient mode, each node has a small proxy that handles TLS operations. Cilium has now also integrated this component, written in Rust. This solves some known problems with the eBPF approach. Authentication is specific to each session and not just per node. Initial packets are no longer lost during the handshake. Furthermore, the overall throughput increases, as ztunnel aggregates and encrypts larger amounts of data. Getting started is quite simple and involves three steps. First, you need to enable the ztunnel feature in the Helm charts for Cilium. Then, you need to roll out ztunnel. Finally, you need to set the label io.cilium/mtls-enabled=true on the corresponding namespace. All pods that are then placed there will automatically use mTLS.
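As a check on the third step, the following added example (not code from the article or from the Cilium project) sorts namespaces by whether they carry the label exactly as the article gives it, so that workloads still outside mTLS stand out. The function name, the list of skipped system namespaces, and the sample data are assumptions made for illustration.

```python
import json
import sys

# Label key and value exactly as given in the article.
MTLS_LABEL = "io.cilium/mtls-enabled"
MTLS_VALUE = "true"
# Assumption: namespaces an operator would normally leave out of the audit.
SYSTEM_NAMESPACES = frozenset({"kube-system", "kube-public", "kube-node-lease"})

# Constructed sample in the shape of `kubectl get namespaces -o json` output.
SAMPLE_NAMESPACES = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "payments", "labels": {MTLS_LABEL: "true"}}},
    {"metadata": {"name": "frontend", "labels": {MTLS_LABEL: "True"}}},
    {"metadata": {"name": "batch", "labels": {"team": "data"}}},
    {"metadata": {"name": "legacy"}},
    {"metadata": {"name": "kube-system", "labels": {}}},
]})


def audit_mtls_labels(namespaces_json, ignore=SYSTEM_NAMESPACES):
    """Sort namespaces by whether they carry the mTLS opt-in label."""
    report = {"enabled": [], "suspect": [], "missing": []}
    for item in json.loads(namespaces_json).get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        if name in ignore:
            continue
        value = (meta.get("labels") or {}).get(MTLS_LABEL)
        if value == MTLS_VALUE:
            report["enabled"].append(name)
        elif value is not None:
            # Label present but not the documented value (typo, wrong case,
            # explicit "false"): how Cilium treats it is not stated in the
            # article, so surface it for review instead of guessing.
            report["suspect"].append((name, value))
        else:
            report["missing"].append(name)
    return report


if __name__ == "__main__":
    # With a file argument, audit saved kubectl output; otherwise the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_NAMESPACES
    for status, names in audit_mtls_labels(raw).items():
        print(f"{status}: {names}")
```

To audit a real cluster, save the output of `kubectl get namespaces -o json` to a file and pass its path as the first argument.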
Summary and Outlook
After three days of KubeCon, it is clear that even in its 12th year there is still a lot of energy and passion for Kubernetes and Co., but also that quite fundamental problems remain to be solved in various areas, even without the AI hype.
Given the continuously growing visitor numbers, the CNCF must plan its own events accordingly for the long term: the next KubeCon EU will take place from March 15 to 18, 2027, in Barcelona. The date for 2028 is also set: Berlin will become the center of the cloud-native universe from April 24 to 27.
(afl)