
Eight years ago, at GOTO Berlin, John Wilkes announced the first release of Kubernetes.

It was like giving the flux capacitor to datacentre platform teams – the cluster management kernel that powers Google’s internal Borg system (“Borg for the rest of us” was a common refrain at the time) and a technology that would rewrite cloud-native infrastructure for the next decade.

KubeCon North America shows the evolution of cloud-native infrastructure and its ripple effects on everything from deep Linux kernel primitives to security to high-performance microservices.

Keen to hear the vibe at ground level, we spoke to eight cloud-native specialists to understand what’s brewing in the Kube-o-sphere.

Chainguard

The tech industry’s software supply chain security problem was first exposed by SolarWinds, then gained even more notoriety after Log4j.

Chainguard – a startup created by former Googlers – has (arguably) become the poster child of the industry rethink around how to make its software supply chains secure by default, having introduced the most momentous open source frameworks for this new developer security discipline.

NOTE: At KubeCon, Chainguard’s Sigstore standard for signing software had its own SigstoreCon event, co-located with KubeCon.

It’s another big milestone for the technology that’s hardening software signing in the cloud-native stack, as Sigstore has become the de facto signing standard across Kubernetes and the world’s three most popular programming language registries: JavaScript (npm), Java (Maven) and Python (PyPI). Chainguard also showcased vexctl, a new CLI tool that lets developers work with VEX, the Vulnerability Exploitability eXchange.

Lightbend

Earlier this year, Lightbend announced Kalix – said to be the ‘only’ developer platform to enable any back-end developer to build large-scale, high-performance microservices and APIs with no operations required.

Designing, building and running high-performance, low-latency, data-centric applications capable of handling large data volumes is challenging, both in the degree of technical difficulty and in the availability of skills. Historically, building systems of this kind required a sophisticated, complicated (and expensive) architecture that combined various technologies, such as enterprise application infrastructure software, distributed databases and caches.

Powered by the same Akka technology that is used by Citi, John Deere, GM and Verizon, Kalix is a Platform-as-a-Service (PaaS) designed specifically to address these challenges. Kalix creator Jonas Bonér presented at the KubeCon co-located Reactive Summit during this year’s gatherings.

StormForge

StormForge is all about providing automatic Kubernetes resource management at scale using machine learning. The company recently announced the latest release of its StormForge Optimize Live product, which enables the industry’s first bi-dimensional Kubernetes pod autoscaling.

It uses machine learning to automatically right-size pods while also setting a desired target utilisation for the horizontal pod autoscaler (HPA). What does that mean for the Kubernetes user? It makes autoscaling easier and more efficient, minimising resource usage and cost without sacrificing application performance or reliability. At KubeCon, StormForge demonstrated Optimize Live and also provided application-specific tutorials on tuning Java and .NET apps for Kubernetes.

Sysdig

Sysdig recently released its Cloud Native Threat Report that breaks down supply chain attacks against containers and confirms that cryptojacking remains the primary motivation for opportunistic attackers exploiting vulnerabilities and weak system configurations. It also recently announced the industry’s first cloud security posture management (CSPM) offering that aggregates security findings by root cause and prioritizes remediation based on impact.

Sysdig used its time at KubeCon to explain how its technology works and to give away copies of its newly released book, Practical Cloud Native Security with Falco, along with a Securing Containers & Cloud ‘For Dummies’ guide. Sysdig Threat Research team members also gave talks at the SecurityCon and Prometheus Day co-located KubeCon events.

Equinix

Equinix Metal provides extensible, reproducible and cloud-adjacent infrastructure for cloud-native and multi-cloud environments. It offers an ecosystem of Kubernetes and cloud-native tooling, allowing customers to use or integrate with tools they already have in their environment.

Equinix has integration support for Terraform with over 20 modules, as well as Kubernetes solutions with Rancher, Gardener, Rafay, Kubermatic etc. The Equinix team uses Cluster API orchestration to reduce customer deployment time of standardised Kubernetes clusters on metal.

A CNCF Gold Member since 2019, Equinix supports the open source community with resources connected across 240+ global datacentres. It supports the CNCF Infrastructure lab with US$2M/year of bare metal automation available to open source developers and partners so that they can build and test for global scale.

Isovalent

A lot of eyes in the Kubernetes community are on eBPF (extended Berkeley Packet Filter, a technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading a kernel module) and on Cilium, cloud-native open source software, fuelled by eBPF, for providing, securing and observing network connectivity between container workloads.

These are technologies that are changing (evolving, even) how the Linux kernel behaves in support of cloud-native use cases.

By pushing security and networking instrumentation into the kernel, eBPF and Cilium are giving platform teams way more control. It is (arguably, allegedly) such a dramatic breakthrough in instrumentation of cloud-native systems that Cilium is rumoured to be closing in on becoming the default CNI (Container Network Interface) for all three major public cloud providers, AWS, Azure and Google Cloud Platform.

Isovalent, whose founders include the creators of these two technologies, is also rumoured to be working on new cloud-native observability data that brings application observability closer to networking observability.

Buoyant

Buoyant, the creator of Linkerd, hosted ten Linkerd talks at this year’s KubeCon including a hands-on, in-person workshop. Buoyant presented both the latest zero-trust-focused Linkerd 2.12 release, as well as showcasing new Linkerd management capabilities with Buoyant Cloud.

The only service mesh to achieve graduated status in the CNCF, Linkerd has won adoption at organisations around the world, including Microsoft, Nordstrom, Adidas, Plaid, Timescale etc., with its ultralight and security-focused approach to the service mesh.

Buoyant’s managed Linkerd offering, Buoyant Cloud, makes it possible for anyone to treat their Linkerd deployment as a managed service, even on their own clusters.

“Linkerd makes it easy for anyone to achieve zero trust network security on their Kubernetes cluster, from enforcement at every single pod to strong workload identities to encryption between every single endpoint,” said William Morgan, Buoyant CEO and creator of Linkerd. “Unlike most service mesh projects, we focus on keeping things simple, understandable and secure. Linkerd gives you the critical network security foundations and then gets out of your way.”

Tigera

Tigera is the creator of Project Calico and provides the industry’s only active Cloud-Native Application Protection Platform (CNAPP) with full-stack observability for containers, Kubernetes and cloud. Calico is the most widely used container networking and security solution, highly recommended by the Cloud Native Computing Foundation (CNCF) community.

At KubeCon North America itself this year, Tigera demonstrated how to implement zero trust principles for containers and Kubernetes for organisations developing increasingly complex applications at scale. On top of several learning sessions, the company joined Microsoft and AWS for special events.

“With the increase in the number of security breaches and adoption of cloud native applications, organisations are looking at more preventative measures to address cloud-native security risks. The industry has become keenly aware that the reliance on detection alone is not enough. Adopting principles of zero trust is one of the only ways to protect applications running on Kubernetes from application attacks,” said Utpal Bhatt, CMO, Tigera.

Calico open source provides a robust, high-performing implementation of Kubernetes network policies alongside a set of security policies that protect applications from lateral movement and Command and Control attacks.

“Calico’s commercial edition builds upon this foundation to provide active security from build to runtime stages of container-based applications to prevent, detect and stop security breaches,” added Bhatt.

Project Calico engineers used KubeCon to discuss the latest evolution of the project, including its enhancements to the eBPF data plane and the benefits to organisations adopting eBPF for container networking and security. Whether users opt for Calico’s eBPF data plane, Linux’s standard networking pipeline or the Windows data plane, KubeCon attendees got a taste of what’s possible in terms of true cloud-native scalability through this technology.

Overall look & feel

We’ve looked at eight platform and tool combos here in the hope that this byte (pun intended) out of the total KubeCon & CloudNativeCon North America partner/exhibitor list provides some kind of illustration of what is going on. The number of exhibitors across the show floor makes for a packed conference that would be almost impossible to cover exhaustively, so the quest for a wider or overarching theme will go on, but it’s likely to be the rise, empowerment, tooling up and perhaps also the formalised naming of ‘platform teams’ like never before.

At last, the cloud has something solid beneath it. Maybe, right?