Open Source Summit + Embedded Linux Conference North America 2026

Several guidelines such as FinOps Framework and Green Software Patterns provide principles for cloud optimization, but they include both abstract ideas and practical details with multiple concerns like cost and sustainability. This makes human reviews inconsistent. In this talk, we show how such guidance can be evaluated consistently in CI using Open Policy Agent (OPA).

We present a two-layer policy design: evaluation logic stays small and readable in Rego, while policy rules such as thresholds and exceptions are defined in structured JSON. This separation makes policies easier to maintain by contributors without Rego expertise. CI checks consume an input schema derived from configuration or IaC artifacts and return review-ready decisions—allow, warn, or block—along with a rule identifier, rationale, and a suggested follow-up.

What you will learn:
・How to extract checkable criteria from abstract guidance
・How to design a stable input schema
・How to structure a rules catalog so that policy evaluation remains possible even when multiple concerns interact
・How to run a policy change process that does not depend on a small set of Rego experts

Running production-grade databases on Kubernetes is becoming increasingly common, but managing their lifecycle remains fragmented and complex for SRE and DevOps teams. Critical operations—scaling, RBAC, monitoring, backup, and restore—currently require navigating distinct, database-specific APIs and tools. This complexity prevents teams from fully realizing the operational efficiency and uniformity that Kubernetes provides.

This talk introduces OpenEverest, the open-source platform designed to address this operational gap. OpenEverest provides a single, unified UI and CLI to manage SRE functions for popular open-source databases such as PostgreSQL and MySQL deployed on Kubernetes. It abstracts away database-specific differences, offering standardized control for scaling, integrated observability, granular RBAC, and reliable data protection.

Join us to learn how OpenEverest simplifies the path to production readiness, reduces operational toil, and is building a pioneering open-source database management layer.

In many rural communities, the hardest part of funding education is not raising money. It is knowing with confidence that resources reached the right school and were used as intended.

In this session, I share a real-world, open-source reference architecture for a pay-on-proof delivery pipeline where sponsor funds are released only after delivery can be verified. The system is designed for low-bandwidth and intermittent connectivity environments and uses Kubernetes, event-driven workflows, cryptographic proofs, and auditable logs to close trust gaps between sponsors, vendors, and schools.

We will walk through key design decisions, how to think about offline-first systems, and where trust commonly breaks in real deployments, along with practical ways to address those gaps without heavy infrastructure.

Attendees will learn:

- How to model sponsor to vendor workflows using events and state
- Patterns for building offline-friendly, cloud native systems
- Practical digital trust controls including identity, auditability, and proof of delivery

This talk is for platform engineers, SREs, and open source practitioners building systems that must work in real-world conditions.

Managing a single Kubernetes cluster is a solved problem. However, extending Kubernetes to the edge introduces a fundamental systems crisis. In remote environments, network partitions are guaranteed. When orchestrators demand real-time synchronization, routine network drops lead to configuration drift and control-plane breakdown.

This session analyzes how KubeStellar (a CNCF Sandbox project) attempts to solve this reliability crisis. Evaluated from a systems and network perspective, we dissect how KubeStellar abandons synchronous replication for an asynchronous, hub-and-spoke model. By decoupling its Workload Description Space (WDS) from the transport layer, it leverages eventual consistency to treat disconnected edge nodes as expected, not a fatal error.

To ground this theory in reality, we explore our ongoing research at Cornell University’s Smart Farms. In remote agriculture, long-term partitions are daily realities. We will outline our progress using KubeStellar to manage geographically dispersed clusters, presenting an architectural roadmap for how eventual consistency can ensure local workloads survive extended disconnects and deterministically reconcile upon reconnection.

With the growth of CPU compute and larger memory heaps, many cloud-native workloads that traditionally relied on remote caches like Redis and Memcached can now benefit from in-process caching using open source libraries.

In this session, we focus on Java-based cloud-native services and show how local caches, such as Caffeine, can colocate cache with application logic, reducing network overhead, simplifying consistency management, and improving latency. Drawing on large-scale production experience, we’ll explore cache invalidation, freshness guarantees, near-cache patterns, and scalability trade-offs, along with practical lessons for handling staleness, TTLs, and other caching challenges while reducing operational complexity and cost.

Finally, we’ll discuss how emerging open source tools like Databricks’ Dicer apply these caching and orchestration principles at scale for real-time services, representing the next frontier. Attendees will learn methods to design low-latency, high-throughput, maintainable, and cost-efficient caching solutions for cloud-native architectures using open source tools.

Multi cloud deployments and shared infrastructure enhance data privacy and security issues, with containerized workloads becoming mainstream in Kubernetes, there is a need to host containers securely in addition to virtual machines (VMs) to safeguard hardware-level workloads.
KubeVirt is a cloud native virtualization platform that comes with Confidential Virtual Machines for the most sensitive use cases. They take advantage of Trusted Execution Environments such as AMD SEV, Intel TDX, and IBM Secure Execution to provide data-in-motion encryption for their workloads and defend against subverted host admins as well as against system attacks.
In this session, we will cover KubeVirt methodology for Confidential VMs, including the design of the architecture, challenges of implementation, and deployments. We will examine how the VMs protect sensitive workloads using memory encryption, workload isolation while being placed within Kubernetes orchestration and automation.

This session explores a dual-phase strategy for hardening the QEMU Virtual Machine Monitor (VMM) through advanced fuzzing and AI-driven automation. We begin by detailing a manual hardening effort that expanded QEMU’s testing surface from 18 to 60 active targets, increasing device line coverage by more than 30%. While effective, manual target creation is a resource-intensive process that struggles to scale across the hundreds of virtualized devices supported by QEMU.

To address these scaling challenges, we introduce an AI-driven agentic pipeline designed to automate the generation and validation of fuzzing targets. This system leverages Large Language Models (LLMs) to analyze device source code and memory regions, generating candidate C++ targets for the QEMU fuzzing engine.

We will discuss the implementation of a self-correcting feedback loop where the agent captures compilation and runtime errors to iteratively refine its output until a stable target is produced. Attendees will see how this approach aims to reach >80% device line coverage by automating the remaining hardware targets that currently lack dedicated fuzzing.