KubeCon events can be hard to assess. Whether live or virtual, they’ve become a sprawling mix of old-school tech trade show, open source project maintainer meetup, and independent user group. KubeCon + CloudNativeCon Europe 2021 was no different. My colleague Brent Ellis led Forrester’s initial appraisal of the online event, noting greater maturity in Kubernetes as evidenced by user-led sessions and noteworthy vendor announcements. We got together again to go further with our colleague Andras Cser. This blog takes a closer look at how KubeCon highlighted the developments driving that maturity, including:
- Enabling collaboration across groups.
- A multipronged effort to improve Kubernetes security.
- Efforts to improve observability.
- Data protection in support of stateful applications.
Here’s the Forrester take:
When we think enterprise-ready, we think packaging, products, and services. This packaging/productization is well on its way, with 200 certified K8s providers. However, most K8s participants still view the DIY element as a feature, not a bug. This has allowed innovation and fast development in the community rather than solo customization accruing technical debt. This also ensures the spread of Kubernetes options, a trend that is likely to continue: KubeCon’s closing keynote focused on hardware heterogeneity driven by the rise of ARM chips and the need for Kubernetes at the edge. SUSE Rancher participated in the discussion to highlight K3s’ (lightweight K8s) acceptance by the Cloud Native Computing Foundation (CNCF), a de facto recognition that K8s can — and must — be cut down to enable edge implementations.
But making Kubernetes (K8s) enterprise ready won’t be determined by K8s’ productization, upgrades, and new tools alone. More importantly, it will be measured by organizational shifts that enable new ways of working collaboratively across multiple teams/stakeholders: developers, infrastructure and operations professionals, and security and risk (S&R) teams.
Isovalent’s session proposed that security pros tasked with locking down K8s follow the approach of site reliability engineers and start with observability to identify anomalous activity beyond what is typically available in security tools that scan container images and container runtimes. That’s a great example of problem-solving for the classic development, security, and operations (DevSecOps; or if you prefer, app security) challenge. However, this logic goes further to entirely different groups in the organization, such as R&D, customer support desks, and supply chain. Case in point: Another session featuring Citi and VMware discussed the challenges of securing the software supply chain in the wake of the SolarWinds breach. Given the speed and scale of application deployment enabled by Kubernetes, several speakers noted that a software bill of materials has become integral to their K8s security plan.
Security developments weren’t limited to collaboration. In general, the KubeCon security sessions highlighted the importance of a risk-based, programmatic approach — one that’s consistent with Forrester’s Zero Trust security model. Supporting this vision were a series of sessions and announcements:
- Kasten by Veeam’s anti-ransomware solution announced at KubeCon.
- Debut of the CNCF Kubernetes Special Interest Group Security.
- Sysdig led a session arguing that successful intruder detection is not simply a matter of adding more K8s-specific tooling. Rather, successful defense depends in large part on S&R professionals improving their understanding of key components, such as etcd, the key-value store that’s often called the “brains” of Kubernetes.
- NetApp’s session described how to prevent an unauthorized user from grabbing data from a persistent volume.
- The Mirantis-led session discussed how to work around Kubernetes’ granting of permanent client certificate access to clusters — something that container secrets management vendors (CyberArk, HashiCorp, etc.) also have been providing.
Observability — a must-have for any operations team expected to run Kubernetes at scale — is improving, too. Observability in Kubernetes will continue to develop, but it seems to have reached an inflection point. Certainly Amazon Web Services executives seem to think so, having joined the Prometheus/Grafana bandwagon at the online re:Invent last autumn. The most notable aspects from KubeCon Europe:
- Riskified did a side-by-side comparison of three tools to improve scalability for the Prometheus open source monitoring tool that’s often paired with Grafana dashboards.
- New Relic, the software-as-a-service application performance monitoring vendor, is joining the CNCF governance board as a top-tier “platinum” member less than six months after acquiring Pixie Labs, makers of software that provides observability for developers troubleshooting in a K8s environment.
Kubernetes support for stateful workloads is growing, especially in terms of data protection for these workloads. Traditional storage vendors as well as startups recognize persistent global storage as a requirement for moving beyond niche deployments in many organizations. The Data Protection Working Group highlighted ongoing efforts to improve storage options as part of an effort to establish the patterns and solutions needed to implement stateful Kubernetes applications at scale.
All in all, the outline of an enterprise Kubernetes started to become visible at KubeCon Europe 2021, as K8s’ success in orchestrating containers at scale has prompted efforts to provide additional tools and solutions that can pass muster in mainstream IT environments undertaking modernization efforts. Although there are many examples of Silicon Valley startups and Fortune 100 companies using Kubernetes, we’re also seeing job postings and stories from the everyday organization, with over 24,000 US job postings requiring K8s skills today.
Reach out to Forrester to schedule an inquiry to help guide your Kubernetes strategy in your move to cloud-native technologies.