KubeCon 2017 Recap: Community, Service Meshes, and Security

“Keep Cloud Native Weird.” That was the motto of KubeCon + CloudNativeCon 2017, which I had the opportunity to attend last week in Austin. With the conference attracting more than 4,100 participants, hundreds of technical sessions, new project announcements, and key updates on existing initiatives, it is clear that the cloud native computing revolution continues to accelerate. Here are some of the highlights I found most interesting.

Image: KubeCon welcome mural

Image: KubeCon motto

Kubernetes Takes Off in the Enterprise

I kicked off the week at the Red Hat OpenShift Commons Gathering, where a group of enterprises gathered to share how Kubernetes is helping them tackle the biggest challenges related to digital transformation. Organizations like Telus Digital, NTT Labs, and Rackspace presented on use cases such as continuous delivery, hybrid cloud, and workload consolidation – all enabled with Red Hat OpenShift.

Image: OpenShift overview at Commons Gathering

Image: Upstream Kubernetes panel

Image: .gov OpenShift panel

Red Hat talked about their efforts to make Kubernetes increasingly stable and reliable for broader enterprise deployments. A panel of leaders from Red Hat, Google, and Microsoft shared their thoughts on the direction of upstream Kubernetes, analogizing it to a rocket ship. Additionally, a .gov panel brought together IT leaders from U.S. Treasury, U.S. Courts, U.S. Citizenship and Immigration Services, and Oak Ridge National Laboratory to discuss the role of OpenShift in modernizing their application environments.

A Community Leaps Forward

This year’s KubeCon was the biggest one yet. In his morning keynote, Dan Kohn, Executive Director of the Cloud Native Computing Foundation (CNCF), emphasized how much the Kubernetes ecosystem has grown. In just two years the CNCF has gone from a single initial project (Kubernetes) to 14 projects, 150+ members, 29 end-user organizations, and 25 Kubernetes-certified service providers, and this year’s conference drew 4,100+ attendees. By some measures, Kubernetes is now the second biggest open source project of all time, second only to Linux.

Image: Opening keynote slide

Image: CNCF projects

Image: Kubernetes open source momentum

Image: KubeCon attendee growth

Image: CNCF membership growth

Image: CNCF end-user organizations

Larger companies are deepening their involvement with the Kubernetes ecosystem as well. AWS showcased their new Kubernetes-based services. Intel announced the Kata Containers Project that aims to unite the best of containers and virtual machines.

Image: AWS and CNCF collaboration

Image: Launch of Kata Containers Project

Image: Red Hat keynote slide

Red Hat talked about Kubernetes finally maturing to the point of being “boring.” And Alibaba Cloud talked about how they use Kubernetes at large scale. Key end-user organizations took the stage to talk about how Kubernetes has changed their entire businesses. For example, HBO emphasized how it uses Kubernetes to power the delivery of Game of Thrones.

Image: HBO engineers talking about Kubernetes

Image: Kubernetes’ scalability helps serve HBO traffic

Netflix stressed how cloud native principles underlie a culture of continuous software delivery. GitHub talked about how it already runs 20% of its services, including github.com, in production on Kubernetes.

Image: Netflix presenting on cloud native continuous delivery

Image: GitHub keynote slide

It’s More Than Just Kubernetes

Two years ago, the CNCF was home to just a single project: Kubernetes. Today it is the steward of 14 projects, and the CNCF landscape counts hundreds of projects, products, and companies that span the entire stack. Existing CNCF projects continue to mature quickly: containerd, fluentd, CoreDNS, and Jaeger all announced their v1.0.0 releases last week. Chen Goldberg, Director of Engineering at Google Cloud, presented on how the “superpower” of Kubernetes is that it is much more than container orchestration: its extension points let new kinds of services be built on top of it. Craig McLuckie, CEO and co-founder of Heptio and co-founder of Kubernetes, gave a shout-out to StackRox as an example of a company driving security innovation on top of Kubernetes by taking advantage of that extensibility.

Image: Kubernetes: more than orchestration

Image: Kubernetes’ superpower: extensibility

Service Meshes Take Off

If there was one topic that set the entire community abuzz at KubeCon, it was service meshes. Service meshes were mentioned in just about every talk I attended throughout the week, and some went so far as to predict that 2018 would be “The Year of the Service Mesh.”

Image: Istio roadmap

Image: Istio architecture

Buoyant launched a new service mesh called Conduit, while much of the attention remained on Istio and Envoy (Envoy being the sidecar proxy that carries the traffic, Istio the control plane that configures it) and the benefits they provide for handling connectivity, policy, and monitoring of microservices at scale.

Threat Vectors and Attack Patterns in Kubernetes

Security was in the spotlight throughout the week, as several breakout sessions included presentations and demos of new threats in Kubernetes environments. Greg Castle and CJ Cullen, engineers on Google Cloud’s security team, showed three demos covering privilege escalation, secrets misuse, and lateral movement within a Kubernetes cluster. In one example, the attacker started with a shell injection in a web-facing front end pod. From that foothold they used the pod’s service account credentials to read secrets from the Kubernetes API, then ran an unauthorized command inside another pod, and finally obtained an API key for a payments service. Each step in that chain relies on the compromised pod holding more authority than it needs.
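The chain above only works if the front end’s service account is bound to a role that can read Secrets in other namespaces. The following is an added example, not code from the Google Cloud talk or from any project: a small evaluator that answers “can this service account perform this verb on this resource in this namespace?” from a set of RBAC objects, run against a constructed wide-open binding and a constructed least-privilege one. The role, binding, namespace, and service account names are hypothetical.

```python
"""Answer "can this service account do VERB on RESOURCE in NAMESPACE?"
from a set of Kubernetes RBAC objects.

Added example, not code from the Google Cloud talk or from any project.
The objects below are constructed by hand in the shape Kubernetes uses for
Role, ClusterRole, RoleBinding and ClusterRoleBinding; names, namespaces
and service accounts are hypothetical."""


def _rule_allows(rule, api_group, resource, verb):
    """One PolicyRule grants the request if group, resource and verb all match."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def _subject_matches(subject, sa_namespace, sa_name):
    """Does a binding subject cover the service account sa_namespace/sa_name?"""
    kind, name = subject.get("kind"), subject.get("name", "")
    if kind == "ServiceAccount":
        return subject.get("namespace") == sa_namespace and name == sa_name
    if kind == "Group":
        # Every service account is a member of these well-known groups.
        return name in ("system:serviceaccounts",
                        f"system:serviceaccounts:{sa_namespace}",
                        "system:authenticated")
    if kind == "User":
        return name == f"system:serviceaccount:{sa_namespace}:{sa_name}"
    return False


def can(objects, sa_namespace, sa_name, verb, resource, target_namespace, api_group=""):
    """True if any binding that covers the service account grants the request."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for binding in objects:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        binding_ns = binding["metadata"].get("namespace")
        if binding["kind"] == "RoleBinding" and binding_ns != target_namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(_subject_matches(s, sa_namespace, sa_name)
                   for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if ref["kind"] == "Role":
            role = roles.get(("Role", binding_ns, ref["name"]))
        else:
            role = roles.get(("ClusterRole", None, ref["name"]))
        if role and any(_rule_allows(r, api_group, resource, verb)
                        for r in role.get("rules", [])):
            return True
    return False


# Weak (constructed): every service account in the cluster is bound to a
# wide-open ClusterRole, so the front end pod's token can read Secrets in
# the payments namespace.
WEAK = [
    {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "all-sa-wide-open"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],
     "roleRef": {"kind": "ClusterRole", "name": "wide-open"}},
]

# Hardened (constructed): the front end's own service account may only read
# ConfigMaps in its own namespace; nothing binds it to Secrets anywhere.
HARDENED = [
    {"kind": "Role", "metadata": {"name": "configmap-reader", "namespace": "frontend"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "frontend-configmap-reader", "namespace": "frontend"},
     "subjects": [{"kind": "ServiceAccount", "name": "frontend", "namespace": "frontend"}],
     "roleRef": {"kind": "Role", "name": "configmap-reader"}},
]


def frontend_can_read_payment_secrets(objects, sa_name="default"):
    """The question behind the demo: can the front end's token read payments Secrets?"""
    return can(objects, "frontend", sa_name, "get", "secrets", "payments")


if __name__ == "__main__":
    print("weak:    ", frontend_can_read_payment_secrets(WEAK))
    print("hardened:", frontend_can_read_payment_secrets(HARDENED, "frontend"))
```

The evaluator deliberately ignores `resourceNames`, `nonResourceURLs`, and aggregated ClusterRoles, so a “False” here is not proof of safety; it is a quick way to see why a blanket `system:serviceaccounts` binding turns any pod compromise into cluster-wide Secrets access. The complementary fix at the pod level is `automountServiceAccountToken: false` on pods that never talk to the API server, so a shell in the front end finds no token to use at all.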

Image: Google security team presentation

Image: Demos of Kubernetes attacks

Next, a security researcher from Symantec demoed how a malicious user in Kubernetes could exfiltrate source code, keys, tokens, and credentials; gain root access to underlying cluster nodes; and quickly expand the blast radius of an attack to compromise services outside the container cluster.

Image: Threats in Kubernetes environments

Image: Potential Kubernetes attack vectors

Organizations running Kubernetes also talked about their own approaches to security. Shopify described the “security tiers” it uses to protect its Google Kubernetes Engine (GKE) clusters, and Databricks walked through the Kubernetes security concerns it has had to address through a combination of access control, secrets management, and audit logging. Of those three, audit logging is what turns the other two from settings into something you can verify: the API server records who read which Secret and who exec’d into which pod.
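As an added example of what that audit log buys you (not code from the Shopify or Databricks talks, and not from any project), here is a small detector run over constructed Kubernetes audit events. It flags the two actions from the Google demo chain that a service account identity should rarely perform: reading Secrets outside an allowlisted namespace, and creating a `pods/exec` session. The events are hand-built in the shape of `audit.k8s.io` Event objects written one JSON object per line; the allowlist, namespaces, and identities are hypothetical.

```python
"""Scan Kubernetes API audit events for Secret reads and pod exec calls
made with service account identities.

Added example, not from the Shopify or Databricks talks and not from any
project. The log lines are constructed by hand in the shape of
audit.k8s.io Event objects (one JSON object per line); the allowlist and
identities are hypothetical."""

import json

SA_PREFIX = "system:serviceaccount:"
SECRET_READ_VERBS = {"get", "list", "watch"}

# Hypothetical allowlist: service account -> the one namespace whose
# Secrets it is expected to read.
ALLOWED_SECRET_READERS = {
    "system:serviceaccount:frontend:frontend": "frontend",
}


def _sa_namespace(username):
    """'system:serviceaccount:<ns>:<name>' -> '<ns>'; None for non-SA users."""
    if not username.startswith(SA_PREFIX):
        return None
    parts = username[len(SA_PREFIX):].split(":", 1)
    return parts[0] if len(parts) == 2 else None


def classify(event):
    """Name the rule an event trips, or None if it looks normal."""
    username = event.get("user", {}).get("username", "")
    if _sa_namespace(username) is None:
        return None  # human users are reviewed under a different policy
    ref = event.get("objectRef", {})
    resource, subresource = ref.get("resource"), ref.get("subresource")
    verb = event.get("verb")
    # A service account token used to exec into a pod (step 3 of the chain).
    if resource == "pods" and subresource == "exec" and verb == "create":
        return "sa-pod-exec"
    # A service account reading Secrets it has no business with (step 2).
    if resource == "secrets" and verb in SECRET_READ_VERBS:
        allowed_ns = ALLOWED_SECRET_READERS.get(username)
        if allowed_ns is None:
            return "unlisted-sa-secret-read"
        if ref.get("namespace") != allowed_ns:
            return "cross-namespace-secret-read"
    return None


def detect(lines):
    """Run classify() over JSON-lines audit output; one finding per request."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        # A request is logged at several stages under one auditID; judge it
        # once, when the response is complete.
        if event.get("stage") != "ResponseComplete":
            continue
        rule = classify(event)
        if rule is None:
            continue
        code = event.get("responseStatus", {}).get("code", 0)
        findings.append({
            "auditID": event.get("auditID"),
            "rule": rule,
            "user": event["user"]["username"],
            "verb": event.get("verb"),
            "namespace": event.get("objectRef", {}).get("namespace"),
            # exec upgrades the connection (101), other calls return 2xx;
            # a 403 is still reported because the attempt itself matters.
            "succeeded": 0 < code < 400,
        })
    return findings


def _event(audit_id, stage, username, verb, ref, code):
    """Build one constructed audit line with only the fields the detector reads."""
    groups = ["system:serviceaccounts"] if username.startswith(SA_PREFIX) else ["system:authenticated"]
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": audit_id, "stage": stage, "verb": verb,
        "user": {"username": username, "groups": groups},
        "objectRef": ref, "responseStatus": {"code": code},
    })


FRONTEND_SA = "system:serviceaccount:frontend:frontend"
SAMPLE_AUDIT_LINES = [  # constructed
    _event("a1", "ResponseComplete", FRONTEND_SA, "get",
           {"resource": "secrets", "namespace": "frontend", "name": "tls-cert"}, 200),
    _event("a2", "RequestReceived", FRONTEND_SA, "list",
           {"resource": "secrets", "namespace": "payments"}, 0),
    _event("a2", "ResponseComplete", FRONTEND_SA, "list",
           {"resource": "secrets", "namespace": "payments"}, 200),
    _event("a3", "ResponseComplete", FRONTEND_SA, "create",
           {"resource": "pods", "subresource": "exec", "namespace": "payments",
            "name": "payments-api-0"}, 101),
    _event("a4", "ResponseComplete", "system:serviceaccount:batch:reporter", "get",
           {"resource": "secrets", "namespace": "batch", "name": "db-creds"}, 403),
    _event("a5", "ResponseComplete", "alice@example.com", "get",
           {"resource": "secrets", "namespace": "payments", "name": "api-key"}, 200),
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LINES):
        print(finding)
```

On the constructed input this reports three findings: the front end listing Secrets in `payments`, the front end exec’ing into a payments pod, and a denied Secret read by an unlisted service account. The first normal read and the human user’s request are left alone, and the duplicate `RequestReceived` stage is not double counted. The policy file that feeds such a detector must log Secrets at `Metadata` level rather than `Request` or `RequestResponse`, or the audit log itself becomes a copy of every Secret in the cluster.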

Image: Shopify’s security tiers

Image: Databricks’ security concerns

The focus on security for Kubernetes reflects the increasing need to address threats as organizations continue to scale up and run containerized applications in production.

A Partnership with Google Cloud

Finally, StackRox announced a partnership with Google Cloud that delivers end-to-end security for enterprises running containers on Kubernetes. We look forward to working closely with the Google Cloud team to provide customers with best-in-class security for Kubernetes environments on GKE and GCP.

Image: KubeCon sponsor showcase

Image: KubeCon community

From the sponsor showcase to salon talks to parties, a vibrant community made it clear that it is having a significant impact on the future of software. Thanks to the CNCF and broader Kubernetes community for putting on a fantastic show. Catch you at KubeCon in 2018!