There’s something unmistakably electric about being at KubeCon in person. Maybe it’s the hallway chats, the animated late-night debates (helped along by the thump of House of Kube), or the shared momentum in the air – this year felt like a shift in the literal sense. Cloud-native isn’t just evolving; it’s maturing, solidifying, and meeting the pace of a world increasingly hungry for scale and simplicity.
KubeCon + CloudNativeCon Europe 2025, held at ExCeL London from April 1 to 4, brought together thousands of practitioners to explore the state of Kubernetes and the cloud-native stack. Several clear themes emerged across keynotes, breakout sessions, and late-night conversations.
This year’s focus areas included software supply chain security, the rise of WebAssembly (Wasm) in production environments, unified observability efforts, FinOps and cost optimization, and the ongoing reinvention of artifact management. Below, we’ve curated the significant highlights, with talk titles, speakers, and links to recordings and resources, plus our take on what they mean for the road ahead.
The Energy of Cloud-Native in London
The conference vibe was exuberant and technically charged. CNCF celebrated Kubernetes’ tenth anniversary with a look forward: how to keep bridging cloud-native innovation with real-world production needs. The Day 1 Keynote introduced a fun twist on professional development: the Golden Kubestronaut designation (and yes, now we want them too, at Cloudsmith).
This new CNCF program recognizes attendees completing all 13 CNCF certifications plus the LFCS Linux admin exam, showcasing their cloud-native mastery. If you saw folks wearing unique Kubestronaut beanies or jackets, now you know why. The challenging economic climate also underscored a focus on pragmatism: many hallway conversations compared notes on balancing cloud costs and complexity with on-prem solutions, highlighting that sometimes on-prem isn’t worth the trade-offs in agility.
KubeCon London 2025 in numbers: ~12,000+ attendees, 229 sessions, and countless community meetups and parties (don’t worry, the famous House of Kube party returned for those who could snag an invite, sponsored again, of course, by Cloudsmith, along with our friends at Humanitec, Tailscale, Sysdig, and Chainguard). Read on for our curated highlights of the relevant sessions; we’ve organized the recap into thematic sections for easy scanning.
The Rise of Wasm in Cloud‑Native Applications
WebAssembly (Wasm) emerged as a star of the show, signaling that 2025 is the year Wasm goes from promise to production in cloud-native systems. A standout session was “Was I Right or Wasm I Wrong? A Review of the Wasm Ecosystem” by Taylor Thomas (Cosmonic) and David Justice (Microsoft). Both are co-chairs of the CNCF TAG Runtime Wasm working group, and their talk gave a whirlwind tour of how Wasm has evolved from a browser technology to a building block for cloud platforms.
They reviewed Wasm’s journey and why it’s ready for prime time: Wasm offers portability, sandboxed security, and fast startup, making it ideal for cloud and edge deployments. Custom ABIs hampered early server-side Wasm experiments, but the new component model (with WASI 1.0 on the horizon) unlocks true interoperability. The talk highlighted a parade of projects leveraging Wasm today:
- wasmCloud – a CNCF project enabling a cloud-native Wasm application runtime
- Spin by Fermyon – a developer tool for serverless Wasm apps
- Kubewarden – a universal policy engine using Wasm modules for Kubernetes admission control
- Kubernetes Wasm extension – demonstrating pluggable cluster scheduling logic in Wasm
- Envoy & Nginx Wasm plugins – extending proxies with Wasm filters (e.g., Proxy-Wasm SDKs)
- Hyperlight – an OSS library running sandboxed functions blazingly fast via hypervisor protection
- Cloudsmith – we’re experimenting with Wasm via OPA-based policy enforcement, a use case we’re watching closely as these technologies converge.
The big takeaway: Wasm is no longer niche; it’s becoming a standard layer for extensibility in many systems. Thomas and Justice’s candid discussion of the new Wasm component model (with its strengths and weaknesses) helped the audience grasp how to use it today and what’s coming next. Keep an eye out for WASI 0.3 (mid-2025) with async support and eventually a stable WASI 1.0 (perhaps 2026) that promises no breaking changes.
KubeCon London had a mini track of Wasm content for those hungry for more on Wasm. Brooks Townsend (Cosmonic) dived into wasmCloud’s road to standards in a talk cheekily titled “Wasm Whiplash: wasmCloud's Wild Ride To Standards.” And if you blinked, you might have missed a Lightning Talk by Joonas Bergius on mixing WebAssembly into Linkerd service mesh (“Meshin’ With WebAssembly: Taking Linkerd Beyond Containers,” 10 minutes of intriguing mashup). All these point to WebAssembly’s growing momentum: expect Wasm components powering plugins, microservices, and cloud functions in your architecture soon.
Security in the Software Supply Chain
Security was the #1 theme throughout KubeCon 2025. Nearly every keynote and many sessions hammered on safeguarding the software supply chain and production clusters. Multiple talks provided hands-on insights into tools and practices for artifact integrity, provenance, and vulnerability management.
One notable session was “TUF-en Up Your Software Supply Chain” by Marina Moore (Edera) and Kairo de Araujo (Eclipse Foundation). This talk focused on The Update Framework (TUF), a CNCF graduate project aimed at secure software distribution (familiar to many via its use in PyPI, Docker Content Trust, and other systems). Moore and de Araujo highlighted how to distribute container images along with their SBOMs and attestations in a tamper-evident way. They explained TUF’s core design (multi-signature trust, freshness checks, repository consistency guarantees, etc.) to ensure images and metadata remain current and unmodified in transit.
A live demo showed TUF working with in-toto for end-to-end verification, illustrating how an image’s SBOM and security attestations could be signed and verified as part of a secure CI/CD pipeline. The key takeaway is that signing everything is becoming table stakes.
As one of our team noted, the specifics of which signing framework you use (TUF, Cosign, Notary v2, etc.) may matter less than just doing it. The consensus is that supply chain attacks are rising, and every organization must be proactive in defense.
Where and how you store signed artifacts matters, especially as OCI 1.1 enables registries to store and reference metadata like SBOMs and signatures reliably. Cloudsmith (like others in the ecosystem) is exploring how to surface this metadata securely and natively inside OCI workflows.
Another must-see was “Signed, Sealed, Delivered – Sign and Verify All the Things” by Jeremy Rickard (Microsoft). In this talk, Rickard tackled several scary scenarios (image tampering, unvetted YAML in prod, registry compromises) and then showed how to fight back using an arsenal of open-source tools. He built a storyline around ORAS + Notary + Flux + Kyverno to ensure every artifact in your cluster is trusted (KubeCon + CloudNativeCon Europe 2025: Signed, Sealed, Delivered - Sign and Ver...). For example:
- ORAS – enabling OCI registry storage for arbitrary artifacts (not just container images, but also signatures, SBOMs, Helm charts, etc.)
- Notary (v2) – signing artifacts and storing signature metadata in registries
- Flux – GitOps operator (here, ensuring that only signed/approved configs make it to the cluster)
- Kyverno – a policy engine that can validate images have known good signatures (at admission time)
Rickard walked through an end-to-end demo repository (promised on GitHub) showing how to set up production-grade signing and verification. Attendees left with a clearer idea of how to put these pieces together to “verify all the things” running in their clusters. Policy and enforcement were a common refrain across security talks this year.
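The Kyverno piece of that chain, as an added example (not Rickard’s demo repository): a ClusterPolicy that rejects any Pod whose images under a registry path are not carrying a valid Notary signature, and pins the verified image to its digest. The registry path `registry.example.com/prod/*` and the certificate are placeholders you would replace with your own.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-notary-signed-images
spec:
  # Enforce rejects unsigned Pods at admission; Audit would only report them
  # in a PolicyReport, which is the usual way to roll a rule out gradually.
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: require-notary-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Only images matching this pattern are checked. Images outside it
        # are not matched by this rule at all, so keep the pattern as wide
        # as the registries you actually trust (placeholder path here).
        - imageReferences:
            - "registry.example.com/prod/*"
          type: Notary
          # Rewrite the tag to the verified digest so the bytes the kubelet
          # pulls are exactly the bytes whose signature was checked, and fail
          # if the digest cannot be resolved.
          mutateDigest: true
          verifyDigest: true
          required: true
          attestors:
            # At least one of the listed entries must verify the signature.
            - count: 1
              entries:
                - certificates:
                    # Placeholder: PEM of the Notary signing certificate (or
                    # the CA that issued it) whose signatures you trust.
                    cert: |-
                      -----BEGIN CERTIFICATE-----
                      <PLACEHOLDER: trusted signing certificate PEM>
                      -----END CERTIFICATE-----
```

A Pod referencing `registry.example.com/prod/app:1.2.3` without a signature from that certificate is denied with a message naming the rule; a signed one is admitted with its image reference rewritten to `@sha256:...`.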
Other security-related highlights included:
- Project Lightning Talk: ORAS – Create and Distribute a Multi-platform Image with Security Posture by Feynman Zhou (Microsoft), covered a 5-minute demo of building a container image with SBOM and signing info as first-class OCI artifacts.
- Project Lightning Talk: Protect your Kubernetes Clusters with Ratify and Attestations by Yi Zha (Microsoft) covered a quick introduction to Ratify, a Kubernetes admission controller that checks image signatures/attestations before allowing deployments.
- Project Lightning Talk: Notary – Securing Binary Artifacts with Fine-grained Control (also by Yi Zha), likely covering the latest on Notary v2 project status and its integration with tooling.
- “Notary Project: The Key to Secure Software Supply Chain” by Joaquim Rocha and René Dudfield. A longer-form talk on how Notary v2 is evolving as a cornerstone of securing artifacts in registries.
These trends emphasize why securing the registry is so important. Cloud-native platforms are expected to handle many formats, not just containers, but Helm charts, Wasm modules, and more, while maintaining integrity, provenance, and policy enforcement.
Observability: Toward Unified Insights
Everyone at KubeCon seemed obsessed with observability, not just having data but also querying it more ingeniously. The hot topic was breaking down silos between metrics, logs, traces, and other telemetry to derive end-to-end insights.
A notable talk in this space was “From the Observability TAG: Designing a Common Query Language for Observability Data” by Alolita Sharma (Apple), Pereira Braga (Google), and Chris Larsen (Netflix). Representing the CNCF TAG Observability, these speakers unveiled progress on a unified query language spec for observability (you could call it “SQL for observability”). The idea is to reduce the toil engineers face when switching between different query syntaxes (PromQL, LogQL, etc.) across tools. Instead, why not have a common core (ANSI SQL) with extensions to query metrics, traces, logs, and profiles?
They discussed design principles and their research. The consensus is that SQL (with some “syntactic sugar” for pipes and time-series nuances) is a strong foundation. The Observability TAG’s Query Language workgroup is finalizing a spec in 2025, experimenting with pipelining syntax for more straightforward exploration of unfamiliar data. If this converges, we might soon write one query that joins data from Prometheus, Jaeger, and Loki in one go – unlocking federated queries across telemetry types. The excitement in the room was palpable; many see this as a needed evolution to make observability more accessible and powerful.
At KubeCon, visibility across your entire software supply chain came through loud and clear, something we’ve been thinking a lot about at Cloudsmith. Real-time insight into artifact usage and distribution isn’t just a nice to have; it’s quickly becoming foundational to security, performance, and cost optimization.
Other observability updates included project-specific sessions like the OpenTelemetry Project Update (with maintainers like Jonathan Smith sharing the latest on OTel’s roadmap) and deep dives on newer observability tools. eBPF continued to show its strengths in cloud-native troubleshooting. For example, Inspektor Gadget (an eBPF toolkit) was featured in a contrib session on simplifying Kubernetes observability. Across the board, the message was that “complete visibility” is the goal: knowing what is happening, where, and why, whether for security, cost, or compliance reasons.
Additionally, Kubernetes v1.33, another exciting update teased at KubeCon and due for release on April 23rd, 2025, offers a net new enhancement to Pod generation. Until now, pods had a metadata generation field meant to represent a specific desired state of a pod, but the field went unused on pods. With k8s 1.33, the pod status can express which pod updates it reflects, giving deeper, improved visibility into the pod lifecycle.
What this means for practitioners: Expect the lines between logs, metrics, and traces to blur. Tooling will likely unify, and you should keep an eye on emerging standards (perhaps start with the CNCF Observability TAG discussions). It also validates why many vendors (and projects) push Observability Data Lakes and analytics beyond just dashboards.
Open Policy Agent (OPA) Everywhere – Even FinOps
Policy as code has been mainstream for security for a while (with Open Policy Agent (OPA) leading the charge), but KubeCon 2025 showed OPA branching into new domains. The OPA intro and deep-dive session by project maintainers (Charlie Egan of Styra, Anders Eknert, and others) drew a big crowd, which is impressive for a project that’s been around for years. OPA’s maintainers provided updates on the roadmap:
- OPA’s core is stable. However, handy features like a long-awaited logical OR operator in Rego and string interpolation are high on the wish list (and likely coming soon). These were celebrated since they’ll make writing policies much more ergonomic.
- Performance improvements and test streaming modes are being explored to speed up policy evaluation and CI feedback.
- The ecosystem continues growing: Regal (a Rego linter framework) saw significant improvements between v0.7 and v1.2, and the VSCode OPA plugin improved with new debugging capabilities.
The most buzzworthy angle was using OPA beyond security. Sathish Kumar Venkatesan gave a talk titled “Beyond Security: Leveraging OPA for FinOps in Kubernetes.” The vast audience was a testament to FinOps being top-of-mind. The idea: if OPA can enforce policies for security, why not for cost optimization, too? Venkatesan showed how you can use OPA (with Gatekeeper) to ensure cost-efficient resource usage in clusters:
- Enforce that specific teams or namespaces use only cheaper instance types (e.g., prevent using expensive GPU nodes for dev workloads).
- Require labels for cost allocation on every namespace or deployment (to avoid “shadow” spend).
- Set up policies for budget limits – e.g., disallow new deployments if the cluster is nearing a monthly spend cap (with override processes for exceptions).
- Combine OPA with OpenCost, the CNCF incubating project for K8s cost monitoring (OpenCost | CNCF), for real-time enforcement. For instance, OpenCost can feed metrics on namespace spend, and OPA can then take action if thresholds cross a line.
This “Shift Left for cost” mantra, or FinOps policy concept, resonated strongly. Attendees walked away thinking about cost as another SLO to manage via code. Integration tip: If you’re already using OPA Gatekeeper for security policies, extending it with custom cost policies could be a low-hanging fruit to improve your cloud bills.
Sathish’s slides are attached to the schedule (link below). Also, check out OpenCost’s official site; it’s now a CNCF Incubating project providing visibility into Kubernetes spend (OpenCost | CNCF). Combining OpenCost dashboards with OPA enforcement could become a familiar pattern. The overarching message: OPA isn’t just for security anymore; it’s a general policy engine that can encode business rules, compliance, and efficiency best practices in one place.
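The first of those FinOps policies in Gatekeeper form, as an added example written for this recap (not from Venkatesan’s talk): a ConstraintTemplate whose Rego denies Pods that set a limit on a GPU extended resource, plus a Constraint that scopes it to namespaces with a `dev-` prefix. The namespace prefix, the constraint name and the GPU resource names are assumptions you would adapt.

```yaml
# ConstraintTemplate: the reusable Rego logic and its parameter schema.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdenygpuresources
spec:
  crd:
    spec:
      names:
        kind: K8sDenyGpuResources
      validation:
        openAPIV3Schema:
          type: object
          properties:
            gpuResources:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenygpuresources

        # Regular and init containers of the Pod being admitted.
        containers[c] {
          c := input.review.object.spec.containers[_]
        }
        containers[c] {
          c := input.review.object.spec.initContainers[_]
        }

        # Extended resources (e.g. nvidia.com/gpu) cannot be overcommitted,
        # so a Pod that wants a GPU must declare a limit; checking limits
        # therefore catches every GPU request.
        violation[{"msg": msg}] {
          c := containers[_]
          res := input.parameters.gpuResources[_]
          qty := c.resources.limits[res]
          msg := sprintf("container %q requests %v %v; GPU capacity is not permitted in namespace %q (cost policy)",
            [c.name, qty, res, input.review.object.metadata.namespace])
        }
---
# Constraint: binds the template to dev namespaces and supplies parameters.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyGpuResources
metadata:
  name: no-gpu-in-dev
spec:
  # deny blocks admission; dryrun would only record violations in status,
  # which is the safe first step before turning the policy on.
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # Gatekeeper supports prefix globs here (assumed naming convention).
    namespaces:
      - "dev-*"
  parameters:
    gpuResources:
      - nvidia.com/gpu
      - amd.com/gpu
```

A Pod in `dev-payments` with `resources.limits: {nvidia.com/gpu: "1"}` is rejected with the message above; the same manifest in a namespace outside the prefix is untouched, which is the override path for legitimate exceptions.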
(On a related note, conversations at the OPA booth indicated a lot of interest in multi-cloud policy and using OPA for things like network policy validation and even GitOps workflow policies. If there’s a rule to enforce, OPA is being considered. It was gratifying to hear that, given our focus on integrating it at Cloudsmith, it’s part of our Policy Engine.)
Cloud-Native Artifact Management & Beyond
KubeCon wouldn’t be complete without looking at the ecosystem of tools managing our container images and artifacts. The ‘A’ in SLSA is Artifacts, where most of the conversation landed. Artifact registries are evolving from simple stores to platforms with broad capabilities that help enforce provenance, retention, and policy. A few other talks and announcements stood out:
- Artifact Hub (the CNCF-hosted index of Helm charts, OLM operators, Wasm packages, and more) maintainers discussed improvements in discovering and trusting content. There was no major talk this time, but artifact discoverability remains critical as the hub grows with new package types (including Wasm modules).
- ORAS Artifacts and OCI 1.1: The move to treat everything (from Helm charts to SBOMs) as OCI artifacts stored in registries is gaining traction. Demos showed oras CLI pushing a multi-architecture image and its security posture in one go (Azure at KubeCon Europe 2025 | London, UK - April 1-4 | Microsoft Community Hub). This means your artifact management solution needs to handle more than just “docker images” – it’s now about holistic artifact sets. At Cloudsmith, we're seeing increased demand for this: attaching SBOMs and signatures as first-class citizens and treating all software supply chain components as OCI-native artifacts.
- Supply Chain Levels for Software Artifacts (SLSA) and Sigstore: While not explicitly in the notes, these underpin much of what was discussed. Several speakers indirectly referenced needing provenance metadata. If you haven’t looked at SLSA levels or tools like Cosign for signing, now’s the time – supply chain security is shifting from optional to mandatory.
- FinOps X Security for artifacts: A recurring idea was “don’t store what you don’t need.” Observability and cost concerns drive thinking about artifact retention policies. Platforms (like artifact registries or storage) are adding more ingenious cleanup features – for example, auto-expiring images that are untagged or enforcing quotas per team. This wasn’t a specific talk, but multiple attendees mentioned it in the context of “only paying for what you need.” We often hear this conversation, especially around retention policies and cost-aware storage.
Across the CNCF ecosystem, several solutions, from on-prem registries like Harbor to managed platforms like Cloudsmith, are evolving to meet the growing demands of artifact security and lifecycle management. The conversation has shifted from ‘Where do I store this?’ to ‘How do I secure, govern, and automate this across environments?’ The cloud-native ecosystem is moving toward giving teams complete control and insight through policy, better data, or better automation. This bodes well for platform engineering teams tasked with providing golden paths that are both secure and efficient.
Additional Recommended Talks & Resources
Beyond the sessions our attendees experienced, here are a few adjacent talks that align with the themes and are worth checking out (we’ve cross-referenced titles and speakers with the official schedule for accuracy):
- “Lessons Learned From Architecting the Highest-Scale Operational Systems in the World” – Artur Bergman, Fastly. Why it’s relevant: A veteran building a global CDN shares how to design resilient platforms at scale. Touches on balancing vendor solutions vs. DIY and avoiding single points of failure. Great insights for platform engineers and SREs.
- “Container Runtimes… on Lockdown: The Hidden Costs of Multi-Tenant Workloads” – Lewis Denham-Parry, ControlPlane (from the co-located Security Day). Why watch: If you care about container isolation trade-offs and sandboxing (gVisor, Firecracker, etc.), this talk delves into the security vs. performance balance for multi-tenant Kubernetes. It aligns with artifact management in how you securely run those artifacts.
- “A Practical Guide to Kubernetes Policy as Code” – Bridget Kromhout (VMware). Why it’s relevant: Bridget is always an engaging speaker, and she likely covered real-world tips on using tools like Kyverno or OPA for implementing policies. It is helpful for those looking to get started with governance in their clusters.
- “SIG-Multicluster: Intro and Real-World Usage” – (Multiple speakers from Azure). Why watch: As teams scale to multiple clusters and cloud regions, understanding Kubernetes multicluster APIs and patterns becomes essential. Artifact distribution (e.g., how images get to all clusters) and policy consistency are part of this story. The SIG’s update provides clues on the future of multi-cluster management.
- Keynotes and Panel Discussions: Don’t miss the CNCF’s official keynote recap blogs:
  - Day Two Keynote Recap (CNCF blog) – featuring an interesting panel, “Mind the Gap: Bridging cloud-native innovation with real-world use cases.”
  - CNCF YouTube channel – All keynotes and sessions were recorded and will be on CNCF’s YouTube within a few weeks. Check there for on-demand videos (e.g., search for talk titles or speakers).
Conclusion: Cloud Native’s Trajectory in 2025
KubeCon London 2025 reinforced that the cloud-native ecosystem is maturing but never slowing down. Security is non-negotiable now – whether signing artifacts, enforcing policies, or adopting zero-trust principles, it’s clear that “shift left” and “shield right” are happening in tandem. At the same time, new frontiers like WebAssembly are expanding what cloud-native means, promising more portable and plugin-oriented architectures.
Focusing on FinOps and cost optimization suggests that efficiency is the next big challenge. As Kubernetes and its host of CNCF projects become the default platform for everything from web apps to machine learning, organizations are keen to ensure they’re not wasting resources (or money). Expect to see cost insights become as standard as monitoring dashboards.
Lastly, the vibe from KubeCon EU 2025 was one of convergence: previously separate concerns (security, ops, dev experience, cost, compliance) are being addressed holistically. The “here’s a tool for X and another for Y” era paved the way for standards that integrate these needs. It’s an exciting time to be in the cloud-native community. If the discussions in London are any indication, the next year or two will bring even more alignment between diverse efforts, from unified observability queries to standardized policies and plugins that work everywhere.
Where is the cloud-native ecosystem heading? Based on this, KubeCon is moving toward a world where everything is declarative and automated, from cost controls to security guardrails, and where platforms are flexible enough to incorporate innovations like Wasm seamlessly. In short, it’s heading to a place where operators and developers can work with unprecedented agility and control. If you can adapt to the new tools and paradigms (and earn your Kubestronaut badges along the way), you’ll be well-prepared for this future.
As a cloud-native company, we found the themes at KubeCon deeply aligned with where we see the ecosystem heading: security, developer experience, and cost awareness are converging to shape the next era of platform maturity. Alongside the OpenSSF and frameworks like SLSA and S2C2F, the next wave of platform maturity in the community will come from ecosystems that help unify those concerns through better metadata, compliance tooling, and visibility.
Want to chat more about these trends? Reach out to the team at Cloudsmith.
Sources: The content above was constructed from the internal notes of the Cloudsmith engineering team attending various talks. It was cross-referenced with the official KubeCon EU 2025 schedule and related resources for accuracy and additional context. Key references include KubeCon session descriptions, CNCF announcements, and project documentation. See the official KubeCon EU 2025 schedule directory for more details on specific talks.
Further Reading
Kubernetes 1.33 – What you need to know
Introducing Cloudsmith’s Advanced Observability Suite for Enterprise Artifact Management
SLSA: A Route to Tamper-Proof Builds and Secure Software Provenance
Native Signing Support In Cloudsmith Extended To Docker, NuGet, And Swift
Mastering Open Source Security: Your Guide to S2C2F
Secure and Compliant Software Delivery with Cloudsmith Policy Management