“Keep Cloud Native Weird.” That was the motto of KubeCon + CloudNativeCon 2017, which I had the opportunity to attend last week in Austin. With the conference attracting more than 4,100 participants, hundreds of technical sessions, new project announcements, and key updates on existing initiatives, it is clear that the cloud native computing revolution continues to accelerate. Here are some of the highlights I found most interesting.
KubeCon welcome mural
Kubernetes Takes Off in the Enterprise
I kicked off the week at the Red Hat OpenShift Commons Gathering, where a group of enterprises gathered to share how Kubernetes is helping them tackle the biggest challenges related to digital transformation. Organizations like Telus Digital, NTT Labs, and Rackspace presented on use cases such as continuous delivery, hybrid cloud, and workload consolidation – all enabled with Red Hat OpenShift.
Openshift overview at Commons Gathering
Upstream Kubernetes panel
.gov OpenShift panel
Red Hat talked about their efforts to make Kubernetes increasingly stable and reliable for broader enterprise deployments. A panel of leaders from Red Hat, Google, and Microsoft shared their thoughts on the direction of upstream Kubernetes, analogizing it to a rocket ship. Additionally, a .gov panel brought together IT leaders from U.S. Treasury, U.S. Courts, U.S. Citizenship and Immigration Services, and Oak Ridge National Laboratory to discuss the role of OpenShift in modernizing their application environments.
A Community Leaps Forward
This year’s KubeCon was the biggest one yet. At his morning keynote, Dan Kohn, Executive Director of the Cloud Native Computing Foundation (CNCF), emphasized how much the Kubernetes ecosystem has grown. In just the past two years, the CNCF has fostered an open, inclusive community of builders that has grown to 4,100+ attendees, from a single initial project (Kubernetes) to 14 projects, and to 150+ members, 29 end user organizations, and 25 Kubernetes-certified service providers. By some measures, Kubernetes is now the second biggest open source project of all time, second only to Linux.
Opening keynote slide
Kubernetes open source momentum
KubeCon attendee growth
CNCF membership growth
CNCF end-user organizations
Larger companies are deepening their involvement with the Kubernetes ecosystem as well. AWS showcased their new Kubernetes-based services. Intel announced the Kata Containers Project that aims to unite the best of containers and virtual machines.
AWS and CNCF collaboration
Launch of Kata Containers Project
Red Hat keynote slide
Red Hat talked about Kubernetes finally maturing to the point of being “boring.” And Alibaba Cloud talked about how they use Kubernetes at large scale. Key end-user organizations took the stage to talk about how Kubernetes has changed their entire businesses. For example, HBO emphasized how it uses Kubernetes to power the delivery of Game of Thrones.
HBO engineers talking about Kubernetes
Kubernetes' scalability helps service HBO traffic
Netflix stressed how cloud native principles underlie a culture of continuous software delivery. GitHub talked about how it already runs 20% of its services, including github.com, in production on Kubernetes.
Netflix presenting on cloud native continuous delivery
GitHub keynote slide
It’s More Than Just Kubernetes
Two years ago, the CNCF was home to just a single project: Kubernetes. Today it is the steward of 14 projects, and the CNCF landscape now has hundreds of projects, products, and companies that span the entire stack. Existing CNCF projects continue to mature quickly: containerd, fluentd, CoreDNS, and Jaeger all announced their v1.0.0 releases last week. Chen Goldberg, Director of Engineering at Google Cloud, presented on how the “superpower” of Kubernetes is that it is much more than container orchestration: it provides extensibility for new types of services. Craig McLuckie, CEO and co-founder of Heptio and co-founder of Kubernetes, gave a shout-out to StackRox as an example of a company driving security innovation on top of Kubernetes by taking advantage of that extensibility.
Kubernetes: more than orchestration
Kubernetes' superpower: extensibility
Service Meshes Take Off
If there was one topic that set the entire community abuzz at KubeCon, it was service meshes. Service meshes were mentioned in just about every talk I attended throughout the week, and some went so far as to predict that 2018 would be “The Year of the Service Mesh.”
Buoyant launched a new service mesh called Conduit, while a lot of focus remained on Istio and Envoy, and the benefits they provide when it comes to handling connectivity and monitoring of microservices at scale.
Threat Vectors and Attack Patterns in Kubernetes
Security was in the spotlight throughout last week, as several breakout sessions included presentations and demos of new threats in Kubernetes environments. Greg Castle and CJ Cullen, engineers on Google Cloud’s security team, showed three demos covering privilege escalation, secrets misuse, and lateral movement within a Kubernetes cluster. In one example, they demoed how an attacker could start with a shell injection on a web-facing front end pod. From there, the pod’s service account could be used to extract secrets, then to perform an unauthorized execution in another Kubernetes pod, and ultimately to gain access to an API key for a payments service.
Google security team presentation
Demos of Kubernetes attacks
Next, a security researcher from Symantec demoed how a malicious user in Kubernetes could exfiltrate source code, keys, tokens, and credentials; gain root access to underlying cluster nodes; and quickly expand the blast radius of an attack to compromise services outside the container cluster.
Threats in Kubernetes environments
Potential Kubernetes attack vectors
Organizations using Kubernetes also talked about their approaches to security. Shopify highlighted the “security tiers” it uses to protect its Google Kubernetes Engine (GKE) clusters, and Databricks talked about the critical Kubernetes security concerns they have had to address through a combination of access control, secrets management, and audit logging.
Shopify’s security tiers
Databricks' security concerns
The focus on security for Kubernetes reflects the increasing need to address threats as organizations continue to scale up and run containerized applications in production.
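The attack chain from the Google Cloud demo (a compromised front end pod using its service account to read secrets, then exec into another pod) leaves a trail in the Kubernetes audit log, which is one of the controls Databricks mentioned. The following is an added example, not code from the post or from any of the presenters, showing how a defender might scan audit events for that pattern. The log lines are constructed for this example in the `audit.k8s.io/v1` event shape, trimmed to the fields the rules need; the namespace names, service accounts and rule names are all assumptions.

```python
import json
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample Kubernetes audit events (audit.k8s.io/v1 shape), one JSON
# object per line, reduced to the fields the rules below look at. The namespaces,
# service accounts and response codes are invented for this example.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:serviceaccount:web:frontend-sa"},"objectRef":{"resource":"configmaps","namespace":"web","name":"frontend-config"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"list","user":{"username":"system:serviceaccount:web:frontend-sa"},"objectRef":{"resource":"secrets","namespace":"payments"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:web:frontend-sa"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"payments-api-0"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"alice@example.com"},"objectRef":{"resource":"secrets","namespace":"payments","name":"api-key"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:serviceaccount:batch:reporter-sa"},"objectRef":{"resource":"secrets","namespace":"payments","name":"api-key"},"responseStatus":{"code":403}}
"""

SECRET_READ_VERBS = {"get", "list", "watch"}


def service_account_namespace(username: str) -> Optional[str]:
    """Return the namespace of a service-account identity, or None for any other user.
    Kubernetes names service accounts "system:serviceaccount:<namespace>:<name>"."""
    parts = username.split(":")
    if len(parts) == 4 and parts[0] == "system" and parts[1] == "serviceaccount":
        return parts[2]
    return None


def classify_event(event: Dict) -> Optional[Dict]:
    """Apply two rules to one audit event and return a finding, or None if neither fires."""
    username = event.get("user", {}).get("username", "")
    sa_ns = service_account_namespace(username)
    if sa_ns is None:
        return None  # these rules are about workload identities only
    ref = event.get("objectRef", {})
    verb = event.get("verb")
    code = event.get("responseStatus", {}).get("code", 0)

    if ref.get("resource") == "secrets" and verb in SECRET_READ_VERBS:
        rule = "service-account-secret-read"
    elif ref.get("resource") == "pods" and ref.get("subresource") == "exec" and verb == "create":
        rule = "service-account-pod-exec"
    else:
        return None

    target_ns = ref.get("namespace")
    cross_namespace = target_ns is not None and target_ns != sa_ns
    denied = code in (401, 403)
    if denied:
        severity = "low"      # RBAC blocked it, but a workload probing secrets is still worth a look
    elif cross_namespace:
        severity = "high"     # a pod reaching into another namespace's secrets or pods
    else:
        severity = "medium"

    return {
        "rule": rule,
        "user": username,
        "verb": verb,
        "target": f"{target_ns}/{ref.get('resource')}/{ref.get('name', '*')}",
        "cross_namespace": cross_namespace,
        "denied": denied,
        "severity": severity,
    }


def analyze_audit_log(text: str) -> List[Dict]:
    """Parse newline-delimited audit JSON and return all findings in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        finding = classify_event(event)
        if finding:
            findings.append(finding)
    return findings


def escalation_chains(findings: List[Dict]) -> List[str]:
    """Identities that both read secrets and exec'd into a pod successfully: the
    read-secrets-then-exec sequence from the demo, which is rarely legitimate for
    a front end workload."""
    rules_by_user = defaultdict(set)
    for f in findings:
        if not f["denied"]:
            rules_by_user[f["user"]].add(f["rule"])
    return sorted(
        user for user, rules in rules_by_user.items()
        if {"service-account-secret-read", "service-account-pod-exec"} <= rules
    )


if __name__ == "__main__":
    results = analyze_audit_log(SAMPLE_AUDIT_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['rule']}: {f['user']} {f['verb']} {f['target']}")
    print("escalation chains:", escalation_chains(results))
```

On the constructed log this flags the front end service account's cross-namespace secret listing and its exec into a payments pod as high severity, reports the denied secret read by the batch account as a low-severity probe, and ties the two successful actions together as one escalation chain. Human users (the `alice@example.com` read) are deliberately left to a separate review, since the point of these rules is that a workload identity normally has no business reading secrets outside its own namespace or opening exec sessions at all.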
A Partnership with Google Cloud
Finally, StackRox announced a partnership with Google Cloud that delivers end-to-end security for enterprises running containers on Kubernetes. We look forward to working closely with the Google Cloud team to provide customers with best-in-class security for Kubernetes environments on GKE and GCP.
KubeCon sponsor showcase
From the sponsor showcase to salon talks to parties, a vibrant community made it clear that it is having a significant impact on the future of software. Thanks to the CNCF and broader Kubernetes community for putting on a fantastic show. Catch you at KubeCon in 2018!