An Insightful Omission

The slide

KubeCon Amsterdam 2026 opened with a keynote to 13,500 attendees. Jonathan Bryce (Executive Director of the CNCF), Chris Aniszczyk (CTO), and Aaron Boyd (NVIDIA) presented the state of cloud native and the roadmap for AI infrastructure. By the end of 2026, two-thirds of AI compute will be dedicated to inference workloads, a reversal from 2023 when two-thirds went to training. By the end of the decade, inference is projected to consume over 93 gigawatts. The keynote called it “the biggest workload in human history.”

To support this, the keynote presented a slide: “What Running Inference at Scale Requires.” Five pillars: Distributed Systems, Orchestration, Networking, Observability, Scheduling. A subtitle: “The exact problems the Cloud Native community has solved for a decade.”

Security was not on the slide.

At 15:01, the word “secure” made the talking points. It did not make the graphic.

“How do we take distributed systems, deploy them, observe, scale, secure? These are the right skills that we have and this is exactly what the AI world needs right now.”

A slide is reviewed, approved, and projected to 13,500 people. A word in a spoken list is conversational.


The week before

KubeCon Amsterdam opened on March 27, 2026. In the week prior:

  • March 19-20: Trivy, Aqua Security’s container vulnerability scanner, was compromised. Malicious binaries pushed to GitHub Releases, Docker Hub, GHCR, and Amazon ECR. The payload stole SSH keys, AWS credentials, Kubernetes tokens, and Docker configs. Google’s mirror.gcr.io was still serving the malicious image days later.
  • March 24: Credentials stolen via the Trivy compromise were used to backdoor LiteLLM on PyPI. LiteLLM is an inference proxy with 3.4 million daily downloads. The payload read all Kubernetes secrets across every namespace and deployed privileged pods to every node.

A security scanner was compromised, which was used to compromise an inference proxy, which was used to compromise Kubernetes clusters. The exact infrastructure the keynote was telling 13,500 people to scale.


A few brave souls

At 14:23:

“What about OpenClaw? Is anyone willing to admit they’ve got their claw running? Yeah. Okay, we’ve got a few brave souls out there.”

A few hands went up. The audience laughed. One week earlier, a Meta AI agent triggered a Sev 1. OpenClaw had over 21,000 exposed instances and over 300 malicious skills in its marketplace.

Brave is one word for it.


The risk is downstream

At this KubeCon, the CNCF announced that Kyverno had graduated. Graduation is the highest project maturity level in the CNCF. Kyverno is a policy engine. Its entire purpose is security and compliance. The CNCF promoted its own security project to the highest maturity level and presented a vision for inference at scale with no security pillar.

Inference providers host models and return completions. Nothing about that transaction puts them at risk. The exposure belongs entirely to the consumers. They are the ones who will get the breach notification letter.

The providers set the roadmap. The consumers discover the gaps.