As true cloud natives, attending KubeCon 2023 was a no-brainer for us. During the four-day event, several of our Consultants visited the RAI Convention Centre in Amsterdam and enjoyed inspiring talks, connected to interesting people and discovered awesome projects. Below we’ve summarized the key takeaways for you.
Our key takeaways from KubeCon 2023
- KubeCon is way more than just technology; it’s the community, the people, and the open collaboration.
- The focus is shifting towards application delivery and end-user experience across the board. The work being done by TAG App delivery is of particular note, as they produce guidance and best practices for not just CNCF projects, but for end-users as well.
- KubeCon 2023 showcased a growing trend toward GitOps adoption among companies, reflected by the abundance of talks on the subject. Additionally, AI integration within Kubernetes is becoming more prevalent, marking a potential shift toward increased automation in the future.
- eBPF / WASM technologies are growing, these two technologies will find more use cases and adoption in the future. eBPF is the darling of the moment. Many new tools and projects are based on eBPF.
- Community = key. The CNCF started only in 2015 and by now they are shaping the world of open-source software. One major aspect of how they achieve this is by putting massive effort into building and sustaining an inclusive community. Their governance on maturing projects is well defined and acts for me as an inspiration on how to organize and facilitate projects I’m involved in myself.
Our favorite talks/keynotes at KubeCon + CloudNativeCon Europe
- Zero privilege architectures – Thijs Ebbers and Diana Iordan from ING
- In this talk we started off with some Dutch folklore, and were presented with a series of war diplomacy tactics, from which we could draw lessons learnt when it comes to modern IT security. The main message of the talk is that the traditional approach of “least privilege” and “zero trust” is insufficient, and calls for a paradigm shift in the way we think about security. We’re presented with a non conventional security architecture, which does make total sense.
- Malicious Compliance: Reflections on Trusting Container Scanners – Ian Coldwater, Independent; Duffie Cooley, Isovalent; Brad Geesaman, Ghost Security; Rory McCune, Datadog
- This talk, while totally different from the one we previously mentioned, totally complements it. The crux of the talk is how the current crop of vulnerability scanning tools is not always totally reliable. We are walked through a demo where the same container image is scanned with 4 different tools. The Dockerfile is then manipulated in a series of steps to ensure the tools are tricked into seeing total compliance.
- Confidential Containers Made Easy – Fabiano Fidencio, Intel & Jens Freimann, Red Hat
- Confidential Containers (CoCo for short) is built to provide confidential computing capabilities for Kubernetes workloads. K8s is more and more adopted for major and mission-critical workloads. Not being able to securely and confidentially process sensitive data can be a blocker for these companies.
- Running Confidential Containers can be a game changer and enabler for running K8s workloads either in cloud or on prem for organizations that handle sensitive data.
- During this session, we learned more about the architecture of CoCo and how it extends Kata containers (Kata containers aim to provide isolated workloads). This session also demonstrated a complete vertical view of the compute stack in K8s: in order to run workloads in a confidential container (top level, processes visible to the user), you need to change your operations all the way down on CPU level (most basic compute block, invisible to user).
- Cloud-Native Quantum: Running Quantum Serverless Workloads on Kubernetes – Paul Schweigert & Michael Maximilien, IBM
- The rise of quantum computing will have a significant impact on the cloud-native landscape and threaten modern web cryptography, but Kubernetes will play a crucial role in managing and running quantum workloads.
- Quantum computers will soon be accessible to everyone, making password cracking easier for those with access to quantum workloads, highlighting the need for secure cloud-native solutions.
- Quantum computing will accelerate scientific fields by providing easier access to quantum resources, and quantum serverless will become an essential part of the future of cloud computing.
- The Compliance Business Case for Kubernetes in the EU: Get Ready for EUCS – Robert Ficcaglia, SunStone Secure, LLC & Anders Eknert, Styra, Inc.
- This session demonstrates how EU enterprise, government, health care, and education organisations can design and build cloud native apps on Kubernetes in compliance with new EU Cybersecurity Scheme for Cloud Services (EUCS) requirements. The session will help users to plan for, enforce and audit EUCS requirements in a Kubernetes cluster using Open Policy Agent (OPA) and other CNCF tools. All cloud native architects, application developers, IT systems operators and mission owners in the EU who plan to host critical workloads on Kubernetes in the cloud must understand these important new regulatory requirements and how OPA can relieve the headache of compliance by allowing policy-as-code collaboration across stakeholder SMEs. The EUCS defines EU-wide rules for the security controls, levels of assurance, and assessment processes. The EUCS is legislation under the EU Cybersecurity Act aiming to increase trust and security in cloud products and services, and to counter fragmentation between member states, facilitate trade and transparency of security features. This is a live, hands-on demo session showing real world examples of “governance ops” for both business and technical stakeholders to understand how to build on Kubernetes confidently with EUCS compliance in the EU.
- Past, Present, and Future of eBPF in Cloud Native Observability – Frederic Branczyk, Polar Signals & Natalie Serrino, New Relic
- This was a timeline of how BPF evolved into eBPF and the possibilities to come. eBPF allows us to hook in a secure manner to the kernel to get low-level statistics and to build applications on top of it. This is not only particular to containers / Kubernetes, i.e. Nginx makes use of eBPF for DDoS protection, while Pixie and Polar Signals use eBPF for infra observability. Although eBPF has a steep learning curve, more applications will find solutions that abstract away the complexities and will we could see more adoption of eBPF.
- InSPIREing Progress: How We’re Growing SPIFFE and SPIRE in 2023 and Beyond – Daniel Feldman, Hewlett Packard Enterprise & Andrés Vega, ControlPlane
- This talk was about a new way, more secure way of identity management and achieving zero trust. While organizations and their IT landscape grow, it becomes more difficult to provide secure communication across the board. SPIFFE (the protocol), featured on TechRadar by Devoteam, and SPIRE (the implementation) provide new mechanisms to secure workloads and provide better identity management. For example, it can make use of TPM to authenticate services to each other, and to make workloads are running what they are supposed to be running. With this technology, passwords could become a thing of the past.
- Interactive Playground to Learn Kubernetes and Cloud Native Security – Madhu Akula
- This session demonstrates Kubernetes Goat which is a Kubernetes Cluster environment designed to be vulnerable for security learning and practice.
- It is “vulnerable by design,” meaning it intentionally includes vulnerabilities to help users learn about Kubernetes security.
- We practiced and learned about different vulnerabilities in Kubernetes Cluster and Containerized environments using Kubernetes Goat.
- Hacking and Defending Kubernetes Clusters: We’ll Do It LIVE!!! – Fabian Kammel & James Cleverley-Prance, ControlPlane
- During this session, Fabian and James demonstrated common attacks and offensive techniques against Kubernetes clusters and workloads through a series of live demos.
- Many Scenarios were covered including leveraging a compromised container to attack the underlying node, pivot across the network, or abuse accessible secrets and tokens.
- Another scenario covers a malicious insider exploiting common RBAC misconfigurations.
- The demo also includes scenarios, using a single node to hijack the entire cluster.
- The talk also explains how to use these resources, and the demonstrated attacks and controls to threat model, security test, and defend Kubernetes Clusters.
- Linux Foundation Europe Panel + BoF: Real life consequences of the Cyber Resiliency Act – Moderated by Gabriele Columbro, Linux Foundation
- During the 1.5-hour panel, the EU Cyber Resilience Act (CRA) was discussed. The CRA aims to improve the security of the software supply chain. At the same time, the CRA can impact the IT market by defining obligations that are not easily applied to free and open-source software projects. A nice point that was discussed, and not just related to the CRA, is how to get companies, who are dependent on open-source in their core business and have the power to influence laws, to advocate for the open-source industry, and how to make them realize that this is something to care about?
- Keeping It Simple: Cilium Networking for Multicloud Kubernetes – Liz Rice, Isovalent
- Cillium seems to be a nice tool to connect clusters between different cloud providers and on-premises clusters to give a next step in resilience. Cilium Multi-cluster is cloud agnostic.
Exciting projects we loved at KubeCon + CloudNativeCon Europe
- https://opentelemetry.io/
- Along with Backstage, Argocd and OPA, OpenTelemetry (OTel) was one of the most discussed projects at this KubeCon. OTel is currently the second most popular CNCF project in terms of contributions. The project aims to standardize the very fragmented observability space and make high-quality, ubiquitous, and portable telemetry accessible to all. The announcement of convergence towards a common schema along with Elastic is a major step in this direction. From discussions at the OTel maintainers’ track and various other sessions at KubeCon, it’s clear that the focus is now on making OTel more easily accessible to end users, which should in turn drive adoption.
- Kepler
- Kepler (Kubernetes Efficient Power Level Exporter) uses eBPF to probe energy-related system stats and exports them as Prometheus metrics (github)
- This can be used to increase awareness on sustainable operation of K8s. It also treats power consumption as metric or KPI, making it easier to set goals around sustainability.
- What I’m looking forward to is the discussion around how these metrics may or may not impact the way of working for Cloud Native teams and how they manage Cloud operations going forward.
- https://openfeature.dev/
- OpenFeature is an open standard that provides a vendor-agnostic, community-driven API for feature flagging that works with your favorite feature flag management tool.
- https://spacelift.io/
- Spacelift is a sophisticated, continuous integration and deployment (CI/CD) platform for infrastructure-as-code, currently supporting Terraform, Pulumi, AWS CloudFormation, and Kubernetes. It’s designed and implemented by long-time DevOps practitioners based on previous experience with large-scale installations – dozens of teams, hundreds of engineers, and tens of thousands of cloud resources.
- https://www.getport.io/
- Port is a developer portal that simplifies the process of deploying and managing your services and IT landscape. It offers a no/low code solution, making it accessible to developers with different levels of coding expertise. With GetPort, you can quickly create, document, and test your services and share them with others. It’s a flexible and versatile solution for service management. Overall, Port provides you with an easy-to-use solution for deploying, viewing and managing your services and IT landscape.
- https://www.chainguard.dev/
- ZERO CVE containers/images: Chainguard Dev is dedicated to providing containers and images that have zero known cybersecurity vulnerabilities. By using ZERO CVE containers/images, developers can have confidence in the security of their development environments and reduce the risk of security breaches.
- More images available: Chainguard Dev is continually adding new images and containers for various applications and software, providing developers with a wide range of pre-configured environments. This helps developers save time and effort in setting up their development environments and focus on writing code instead.
- Almost completely Open Source: Chainguard Dev is committed to making its software as open-source as possible, giving developers access to source code for customization and modification. This fosters greater collaboration and innovation within the development community.
- https://wasmedge.org/
- Low overhead applications at the Edge.
- In this era of IoT devices that are constrained in resources, WASM will provide a way to still build full-fledged applications at the Edge.
- https://rook.io/
- Rook is the Storage Operator for Kubernetes.
- Rook turns distributed storage systems into self-managing, self-scaling, and self-healing storage services.
- It automates the tasks of a storage administrator: deployment, bootstrapping, configuration, provisioning, scaling, upgrading, migration, disaster recovery, monitoring, and resource management.
Curious to discover more Cloud Native technologies?
Navigating the digital jungle and choosing the right technologies is no easy task. Devoteam’s TechRadar is a go-to guide that provides a comprehensive overview of what’s happening in the ever-changing technology landscape.
What can you expect from this edition?
The 150 difference-making technologies that matter, six industry-shaking trends that every tech expert should be aware of and six client use cases who have successfully met their digital challenges.
Cloud Native|Cloud Native Architecture