Kat Cosgrove at KubeCon EU 2026: Security

A conversation with Kat Cosgrove at KubeCon EU 2026 on Ingress NGINX shutdown, supply chain security, SBOMs, secure container images, and Minimus.

Luca Berton
· 5 min read

Meeting Kat Cosgrove at KubeCon EU Amsterdam 2026

At KubeCon EU 2026 in Amsterdam, I had the pleasure of sitting down with Kat Cosgrove — one of the most influential people in the Kubernetes ecosystem right now.

Kat is Head of Developer Advocacy at Minimus, an elected member of the Kubernetes Steering Committee, technical lead for SIG Docs, and owner of the Kubernetes Release Team subproject. So yes — she is very busy.

We talked about one of the biggest topics in the cloud native world right now: security.

Open source is part of your security posture

Kat shared a perspective that every platform team needs to hear: open source projects must be considered part of your security posture, especially when companies rely on them in production.

This is not about blaming open source maintainers. It is about acknowledging reality — your production stack depends on projects maintained by volunteers, and if you are not tracking what is running inside your clusters, you have a blind spot in your security model.

The conversation started with a concrete example that shook the Kubernetes community earlier this year.

The Ingress NGINX shutdown and what it means

We discussed the shutdown of Ingress NGINX — one of the most widely deployed components in the entire Kubernetes ecosystem. When a critical project like this reaches end of life or loses active maintenance, every cluster running it instantly has an unsupported component in production.

Kat was direct about the implications:

  • Unsupported components become a real risk fast — no security patches, no bug fixes, no one watching for CVEs
  • Organizations need to proactively audit what is running inside their clusters, not discover deprecated components during an incident
  • Migration is not optional — it is a security requirement

This is a pattern we see repeatedly in cloud native. A component becomes ubiquitous, maintenance slows, and suddenly thousands of production clusters are running something nobody is patching.

Migrating away from deprecated components

We explored the practical challenges of migrating away from deprecated components like Ingress NGINX:

Keeping Kubernetes versions up to date is the foundation. Running an old Kubernetes version means running old APIs, old defaults, and old vulnerabilities. Every version you lag behind compounds the migration debt.

Choosing alternatives requires careful evaluation. The two main paths for ingress migration are:

  • Gateway API — the next-generation Kubernetes API for traffic management, with broader routing capabilities and better multi-tenancy support
  • Other ingress controllers — Traefik, Envoy, HAProxy, or APISIX depending on your requirements

The key insight from Kat: migration is not just a technical task, it is a security task. Every day you run an unsupported component is a day you are accepting unpatched risk.
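The audit-then-migrate step described above, as an added example that is not part of the original post or of any project it mentions. It walks the items of a `kubectl get ingress -A -o json` listing (a constructed sample here), reports every Ingress that still depends on ingress-nginx (via `spec.ingressClassName` or the legacy `kubernetes.io/ingress.class` annotation), and drafts a Gateway API HTTPRoute for each one. The shared Gateway name `shared-gateway` in namespace `infra` is an assumption; nginx-specific annotations are reported for manual review rather than translated, because they have no generic Gateway API equivalent.

```python
"""Find Ingress objects that depend on ingress-nginx and draft HTTPRoute equivalents.

Added example. Input shape mirrors `kubectl get ingress -A -o json` items; the
sample below is constructed. Gateway `shared-gateway`/`infra` is an assumption.
"""
from __future__ import annotations

NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
PATH_TYPE_MAP = {"Prefix": "PathPrefix", "Exact": "Exact"}  # ImplementationSpecific needs a human

# Constructed sample of Ingress objects as returned by the API server.
SAMPLE_INGRESSES = [
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "shop-web", "namespace": "shop",
                  "annotations": {NGINX_ANNOTATION_PREFIX + "rewrite-target": "/"}},
     "spec": {"ingressClassName": "nginx", "rules": [
         {"host": "shop.example.com", "http": {"paths": [
             {"path": "/api", "pathType": "Prefix",
              "backend": {"service": {"name": "api", "port": {"number": 8080}}}},
             {"path": "/healthz", "pathType": "ImplementationSpecific",
              "backend": {"service": {"name": "api", "port": {"number": 8080}}}}]}}]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "docs", "namespace": "docs",
                  "annotations": {"kubernetes.io/ingress.class": "nginx"}},   # legacy selector
     "spec": {"rules": [{"host": "docs.example.com", "http": {"paths": [
         {"path": "/", "pathType": "Prefix",
          "backend": {"service": {"name": "docs", "port": {"number": 80}}}}]}}]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "admin", "namespace": "ops"},
     "spec": {"ingressClassName": "traefik", "rules": []}},                    # not affected
]


def uses_nginx(ingress: dict) -> bool:
    """True if ingress-nginx serves this object, by class name or legacy annotation."""
    spec_class = ingress.get("spec", {}).get("ingressClassName")
    legacy = ingress.get("metadata", {}).get("annotations", {}).get("kubernetes.io/ingress.class")
    return spec_class == "nginx" or legacy == "nginx"


def find_nginx_ingresses(items: list[dict]) -> list[str]:
    """namespace/name of every Ingress that still depends on the unsupported controller."""
    return [f"{i['metadata']['namespace']}/{i['metadata']['name']}" for i in items if uses_nginx(i)]


def ingress_to_httproute(ingress: dict, gateway_name: str, gateway_namespace: str) -> tuple[dict, list[str]]:
    """Draft an HTTPRoute for one Ingress. Returns (route, warnings); every warning is
    something a human must decide before the route is applied."""
    meta = ingress["metadata"]
    warnings: list[str] = []
    for key in meta.get("annotations", {}):
        if key.startswith(NGINX_ANNOTATION_PREFIX):
            warnings.append(f"annotation {key} has no automatic Gateway API equivalent")
    hostnames, rules = [], []
    for rule in ingress["spec"].get("rules", []):
        if rule.get("host"):
            hostnames.append(rule["host"])
        for p in rule.get("http", {}).get("paths", []):
            match_type = PATH_TYPE_MAP.get(p.get("pathType"))
            if match_type is None:
                warnings.append(f"path {p.get('path')} uses pathType {p.get('pathType')}; review manually")
                match_type = "PathPrefix"  # conservative draft, flagged above
            svc = p["backend"]["service"]
            rules.append({"matches": [{"path": {"type": match_type, "value": p.get("path", "/")}}],
                          "backendRefs": [{"name": svc["name"], "port": svc["port"]["number"]}]})
    route = {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute",
             "metadata": {"name": meta["name"], "namespace": meta["namespace"]},
             "spec": {"parentRefs": [{"name": gateway_name, "namespace": gateway_namespace}],
                      "hostnames": hostnames, "rules": rules}}
    return route, warnings


if __name__ == "__main__":
    for ref in find_nginx_ingresses(SAMPLE_INGRESSES):
        print("depends on ingress-nginx:", ref)
    for ing in SAMPLE_INGRESSES:
        if uses_nginx(ing):
            route, warns = ingress_to_httproute(ing, "shared-gateway", "infra")
            print(f"{route['metadata']['namespace']}/{route['metadata']['name']}: "
                  f"{len(route['spec']['rules'])} HTTPRoute rule(s)")
            for w in warns:
                print("  review:", w)
```

The draft route is deliberately not applied by the script: the warnings list is the migration backlog, and each entry (rewrite annotations, implementation-specific path types) is exactly where a blind copy would change traffic behaviour.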

Supply chain security — from SBOMs to CVE reduction

In the second part of our conversation, we went deep on software supply chain security. This is where Kat’s work at Minimus directly addresses the pain platform teams face daily.

Software Bill of Materials (SBOM)

An SBOM is a complete inventory of every component, library, and dependency inside a container image. Without one, you are running software you cannot audit.

Kat explained how SBOMs are becoming a baseline expectation — not a nice-to-have. Government regulations, enterprise procurement requirements, and insurance policies are all starting to mandate SBOM transparency.

CVE reduction through minimal images

The simplest way to reduce your CVE count is to reduce what is in the image. Every package, library, and binary in a container image is a potential vulnerability.

Minimus builds minimal, hardened container images that strip out everything unnecessary:

  • Fewer packages means fewer CVEs
  • Automatic rebuilds when upstream patches are available
  • Continuous scanning and verification
  • No shell, no package manager, no unnecessary binaries in production images
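The two points above, that an SBOM is the inventory you audit against and that fewer packages means fewer CVEs, as an added example that is not part of the original post or of Minimus. It reads two SPDX-shaped SBOMs for the same service, one from a full-distro base image and one from a minimal image, matches both against an advisory feed, and shows which findings vanish purely because the package is no longer shipped. Both SBOMs and the advisory list are constructed; the advisory ids are placeholders, not real CVEs, and the dotted-number version compare is adequate for the sample but not for every packaging ecosystem.

```python
"""Compare advisory exposure of a full vs a minimal build of the same service.

Added example. SBOMs, advisory ids and versions are constructed placeholders.
"""
from __future__ import annotations
import re

# Constructed SPDX 2.3-shaped SBOMs (only the fields used here are present).
FULL_IMAGE_SBOM = {
    "spdxVersion": "SPDX-2.3", "name": "shop-api:full",
    "packages": [
        {"name": "shop-api", "versionInfo": "1.4.2"},
        {"name": "openssl", "versionInfo": "3.0.2"},
        {"name": "glibc", "versionInfo": "2.35"},
        {"name": "bash", "versionInfo": "5.1"},      # never executed by the service
        {"name": "curl", "versionInfo": "7.81.0"},   # debugging convenience only
        {"name": "perl", "versionInfo": "5.34.0"},   # pulled in by a distro dependency
        {"name": "apt", "versionInfo": "2.4.8"},     # package manager in a production image
    ],
}
MINIMAL_IMAGE_SBOM = {
    "spdxVersion": "SPDX-2.3", "name": "shop-api:minimal",
    "packages": [
        {"name": "shop-api", "versionInfo": "1.4.2"},
        {"name": "openssl", "versionInfo": "3.0.9"},  # rebuilt against a patched upstream
        {"name": "glibc", "versionInfo": "2.35"},
    ],
}
# Constructed advisory feed: package is affected when its version is below fixed_in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "fixed_in": "3.0.7", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "curl", "fixed_in": "7.84.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "package": "bash", "fixed_in": "5.2", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0004", "package": "perl", "fixed_in": "5.36.0", "severity": "low"},
    {"id": "ADV-EXAMPLE-0005", "package": "glibc", "fixed_in": "2.34", "severity": "critical"},
]


def version_key(version: str) -> tuple[int, ...]:
    """Numeric dotted compare ('3.0.9' > '3.0.7'); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def load_packages(sbom: dict) -> dict[str, str]:
    """Inventory name -> version from an SPDX document's packages list."""
    return {p["name"]: p.get("versionInfo", "") for p in sbom.get("packages", [])}


def match_advisories(packages: dict[str, str], advisories: list[dict]) -> list[dict]:
    """Advisories whose package is present in the inventory at an unfixed version."""
    hits = []
    for adv in advisories:
        version = packages.get(adv["package"])
        if version is not None and version_key(version) < version_key(adv["fixed_in"]):
            hits.append({**adv, "installed": version})
    return hits


def compare_images(full: dict, minimal: dict, advisories: list[dict]) -> dict:
    """Package counts and advisory hits for both images, plus the hits in the full
    image that belong to packages the minimal image does not ship at all."""
    full_pkgs, min_pkgs = load_packages(full), load_packages(minimal)
    full_hits = match_advisories(full_pkgs, advisories)
    min_hits = match_advisories(min_pkgs, advisories)
    return {
        "full": {"packages": len(full_pkgs), "advisories": [h["id"] for h in full_hits]},
        "minimal": {"packages": len(min_pkgs), "advisories": [h["id"] for h in min_hits]},
        "fixed_by_removal": [h["id"] for h in full_hits if h["package"] not in min_pkgs],
    }


if __name__ == "__main__":
    report = compare_images(FULL_IMAGE_SBOM, MINIMAL_IMAGE_SBOM, ADVISORIES)
    for image in ("full", "minimal"):
        print(f"{image}: {report[image]['packages']} packages, "
              f"{len(report[image]['advisories'])} advisory hit(s): {report[image]['advisories']}")
    print("hits gone only because the package is gone:", report["fixed_by_removal"])
```

On the constructed data the full image carries four open advisories and the minimal image none: one disappears because the rebuild picked up the patched openssl, the other three because curl, bash and perl were never needed in the first place. That split is the number to watch in your own SBOM diff, since removal-only fixes need no upstream patch at all.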

FIPS and STIG compliance

For regulated industries — government, defense, financial services, healthcare — compliance is not optional. Kat walked through how Minimus handles:

  • FIPS 140-2/140-3 compliant cryptographic modules
  • STIG (Security Technical Implementation Guide) hardened configurations
  • Air-gapped environments where images cannot be pulled from public registries
  • Private registry integration for organizations that must control their entire supply chain

Automatic rebuilds

One of the most underappreciated aspects of supply chain security is keeping images current. A container image that was secure when built can accumulate CVEs within days as new vulnerabilities are disclosed.

Automatic rebuilds ensure images are continuously rebuilt against the latest patches — not when someone remembers to run a pipeline, but as part of the platform’s operating model.

Security should not be difficult to implement correctly

This was the theme that ran through our entire conversation. Security teams are overloaded. Threats are increasing. Infrastructure is becoming more complex with every layer we add — service meshes, AI workloads, multi-cloud, edge deployments.

The answer is not asking security teams to work harder. The answer is building security into the platform so that the default path is the secure path:

  • Default to minimal images instead of bloated base images
  • Default to signed, verified artifacts instead of trusting latest tags
  • Default to SBOM-transparent components instead of opaque binaries
  • Default to automatic patching instead of manual vulnerability management
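Two of the defaults above, signed and verified artifacts instead of `latest` tags, and automatic rebuilds so images do not go stale (from the Automatic rebuilds section), as one added example that is not part of the original post or of Minimus. It audits the image references in a set of Deployment manifests and flags any container that is not pinned by digest, whose digest did not pass verification, or whose build is older than the rebuild window the platform promises. The manifests, the set of verified digests (a stand-in for the output of a signature verification step), the per-digest build timestamps (a stand-in for the OCI image config `created` field) and the fixed clock are all constructed; the digests are placeholders, not real images.

```python
"""Policy check for container image references in workload manifests.

Added example. Verified digests, build times, manifests and the clock are
constructed stand-ins; the digests do not refer to real images.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

MAX_IMAGE_AGE = timedelta(days=7)                    # rebuild cadence the platform promises
NOW = datetime(2026, 3, 30, tzinfo=timezone.utc)     # fixed clock for the constructed sample
DIGEST_A = "sha256:" + "a1" * 32                     # placeholder digests
DIGEST_B = "sha256:" + "b2" * 32

# Constructed: digests that passed signature verification for this registry.
VERIFIED_DIGESTS = {DIGEST_A, DIGEST_B}
# Constructed: build time per digest, as recorded in the image config.
BUILD_TIME = {DIGEST_A: NOW - timedelta(days=2), DIGEST_B: NOW - timedelta(days=40)}
# Constructed Deployment-style manifests (only the image fields matter here).
MANIFESTS = [
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "shop"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "api", "image": "registry.example.com/shop/api@" + DIGEST_A}]}}}},
    {"kind": "Deployment", "metadata": {"name": "worker", "namespace": "shop"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "worker", "image": "registry.example.com/shop/worker@" + DIGEST_B},
         {"name": "sidecar", "image": "registry.example.com:5000/tools/proxy:latest"}]}}}},
    {"kind": "Deployment", "metadata": {"name": "legacy", "namespace": "ops"},
     "spec": {"template": {"spec": {"containers": [{"name": "legacy", "image": "nginx"}]}}}},
]


def parse_reference(ref: str) -> tuple[str, str | None, str | None]:
    """Split an image reference into (name, tag, digest). The tag is only looked for
    in the last path segment, so a registry port (host:5000) is not read as a tag."""
    name, _, digest = ref.partition("@")
    head, _, last = name.rpartition("/")
    tag = None
    if ":" in last:
        last, _, tag = last.partition(":")
    name = f"{head}/{last}" if head else last
    return name, tag, digest or None


def evaluate_image(ref: str) -> list[str]:
    """Policy violations for one image reference; an empty list means compliant."""
    name, tag, digest = parse_reference(ref)
    problems = []
    if digest is None:
        problems.append(f"{name}: not pinned by digest (tag '{tag or 'latest'}' is mutable)")
        return problems  # nothing further can be verified without a digest
    if digest not in VERIFIED_DIGESTS:
        problems.append(f"{name}: digest {digest[:19]}... has not passed verification")
    built = BUILD_TIME.get(digest)
    if built is None or NOW - built > MAX_IMAGE_AGE:
        age = "unknown" if built is None else f"{(NOW - built).days}d"
        problems.append(f"{name}: image age {age} exceeds rebuild window of {MAX_IMAGE_AGE.days}d")
    return problems


def audit_manifests(manifests: list[dict]) -> dict[str, list[str]]:
    """Map workload 'namespace/name' -> violations across all of its containers."""
    findings = {}
    for m in manifests:
        key = f"{m['metadata']['namespace']}/{m['metadata']['name']}"
        containers = m["spec"]["template"]["spec"]["containers"]
        findings[key] = [p for c in containers for p in evaluate_image(c["image"])]
    return findings


if __name__ == "__main__":
    for workload, problems in audit_manifests(MANIFESTS).items():
        print(workload, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

The same three checks are what an admission policy would enforce at deploy time; running them over manifests in the repository moves the failure to the pull request, which is the "default path is the secure path" idea from the conversation. Note that the digest-pinned but 40-day-old worker image is still flagged: pinning alone freezes an image at the moment it was last good, and only the rebuild cadence keeps it that way.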

Kat’s perspective from the Kubernetes Steering Committee, SIG Docs, and the Release Team gives her unique visibility into where the ecosystem is heading. And the direction is clear: security is shifting left, into the platform, and into the build pipeline.

Key takeaways

  1. Open source in production is a security responsibility — track it, audit it, plan for deprecation
  2. Ingress NGINX shutdown is a warning — proactively migrate unsupported components
  3. Gateway API is the future for Kubernetes traffic management
  4. SBOMs are becoming mandatory — if you do not have one, start now
  5. Minimal images dramatically reduce CVE exposure — less code means less attack surface
  6. Automatic rebuilds are essential — images go stale in days, not months
  7. Compliance (FIPS, STIG) is achievable — purpose-built platforms make it tractable
  8. Security should be the default path — not an additional burden on overloaded teams

Big thanks to Kat for sharing her time and insights at KubeCon EU Amsterdam 2026.
