Kubernetes and CloudNative Conference (KubeCon + CloudNativeCon) covers Kubernetes and related projects from the Cloud Native Computing Foundation (CNCF) — part of the Linux Foundation. This year, the North American conference was held at Huntington Place conference center in Detroit, MI, from October 24-28. Over 16,000 registered attendees showed up. AvidThink did as well — contributing analyst Shivaram Mysore (an active member of the software-defined networking open-source community) files his report from the ground. We appreciate the Linux Foundation’s help in making it possible for Shivaram to attend!
Historically, open-source software (OSS) usage has been an afterthought for many large enterprises. With Linux, Apache and many revolutionary OSS, the model of use was to contract with well-known vendors for support. Today, organizations have embraced CNCF projects (especially Kubernetes) for internal use and are upstreaming their contributions back to the community. This transformation is healthy for the community and accelerates the adoption of OSS.
Per Jim Zemlin, Executive Director of the Linux Foundation, in the last couple of years, $24 Billion has been invested by venture capitalists and private equity into 360+ open-source-focused startups. About 80 to 90% of modern software code bases are OSS. Zemlin also notes that the Linux Foundation and CNCF have partnered with governments worldwide to actively manage cybersecurity issues across software supply chains and in specific open-source projects.
To address these problems, Linux Foundation conducted a study in collaboration with Harvard University to get a census around OSS, key maintainers and essential projects. The study helps with tracking projects and funding the same. The study also identified around 1,200 maintainers of core open-source software.
Today, around 790,000 developers contribute to projects at Linux Foundation. 80 to 90% of them work for organizations. These developers’ main requirement is that employers provide them with support and time to work on OSS. Typically when organizations pay money for software development, they would want features. But, with the contribution to OSS, features are built and ably supported with bug fixes, documentation and industry peer review. Additionally, there is consistency among best practices, tooling, and methodologies. The OSS approach dramatically reduces onboarding time for new developers and increases code quality.
Contributing to OSS has become a feather in the cap for organizations and individuals. This win-win scenario has helped CNCF’s Kubernetes-related OSS projects accelerate their development.
To improve cyber resiliency, Linux Foundation, with the technology industry, met with US policymakers and developed a 10-point plan under the umbrella of the Open Source Security Foundation (OpenSSF). The program includes tools, training, services, software bill of materials and distribution. On average, $4-5 Million is spent on addressing and managing an exposed cybersecurity breach. Under the Alpha-Omega project, there is a $160 Million budget for a multi-year initiative to audit the top 200 of around 10,000 critical open-source projects to find and fix vulnerabilities. As a side note, insurance companies are dropping coverage for state-sponsored cybersecurity terrorism — meaning companies are financially exposed. Also, fixing vulnerabilities is not just about security – it can have the side effect of optimizing the code and reducing energy use.
Current Status
More than ever, enterprises are bringing in a much more complex software infrastructure into their engineering process to provide their customers with software-enabled services. Kubernetes has been the main infrastructure ingredient for this transformation.
Kubernetes (K8s) and over 200 open-source software projects are the systems for automating deployment, scaling, and managing containerized applications. Most of these open-source projects are housed under the Cloud Native Computing Foundation (CNCF) umbrella. Per Priyanka Sharma, Executive Director, today CNCF has 835+ members, 1000+ maintainers, 175k+ contributors across 187 countries, 140 Graduated, Incubating and Sandbox projects, and 7+ million cloud-native developers. Hundreds of organizations use K8s for their internal engineering development and customer-facing production services. They include Apple, Tellus, Siemens, Cruise, Google, Robinhood, Intuit, Netflix, Home Depot, Sephora, Lyft, Uber, and Fidelity Investments, and the list is growing by the day.
With over 200 projects at CNCF, there are quite a few of them that compete with each other in terms of technology. But, there are variations in the use cases addressed. One of the challenges for organizations is selecting the right set of projects that would address their requirements. Many organizations get involved in CNCF projects relevant to them by contributing money to CNCF by becoming members and contributing code and developer resources.
K8s Usage
Organizations primarily use managed K8s on AWS and GKE (Google Kubernetes Engine) or deploy it in-house on bare metal or VMware hypervisors. Some use a hybrid model: engineering development on managed / in-house clusters and production exclusively on public cloud infrastructure. Many organizations are also moving from the Apache Mesos stack to K8s.
Organizations running K8s have built strong in-house engineering teams for development, deployment and operation. As a part of this process to incorporate software teams at various levels, lots of abstractions are constantly being added to build software consistently and with quality. They also have developer onboarding programs lasting a few days to a couple of weeks. DORA (DevOps Research and Assessments) metrics measure developer productivity granularly.
With the goal of providing a consistent developer environment for engineers, including remote workers, organizations are looking for consistent CI/CD tools and are running Infrastructure as Code (IaC). Many have standardized on K8s to develop and run these workloads for such consistency. Organizations running IaC look to build on top of commercial off-the-shelf (COTS) products from companies such as Pulumi, GitPod, HashiCorp Terraform, Crossplane, GitLab, CloudBees and CircleCI, in addition to AWS CloudFormation, GitHub Actions and RedHat Ansible.
Testing automation is an area of constant interest. SpeedScale collects production network traffic for REST API calls. These APIs are captured, and automated test cases are developed. The collected network traffic, which has real data alongside the APIs, is used against the test cases for validation and then incorporated into the DevOps workflow as smoke tests. This automation saves test development time and enables captured production traffic to be replayed against newly developed code to catch regressions.
Top Cloud Native Trends
eBPF
eBPF is a Linux Kernel technology that enables programmatic networking rules to execute without needing to add additional modules or modify the kernel source code. It is also described as a lightweight, sandboxed virtual machine (VM) within the Linux kernel. This is now available on Windows OS. Common use cases addressed include networking, security and observability. Notable related projects include Cilium (from Isovalent, creators of eBPF), Katran (Facebook/Meta), Falco (Sysdig), and Calico (Tigera).
WebAssembly (WASM)
WebAssembly (WASM), a W3C Standard, is a binary instruction format for a stack-based virtual machine. It was designed with the goal of running high-performance applications securely on a browser’s web page. JavaScript on web pages is compiled on the fly every time a page loads. This is expensive (RAM, parsing, decoding, time to compile) and power-hungry. Mobile devices suffer even more with JavaScript. With WASM, the binary-coded format delivered is ready for execution, and browsers run it inside their existing JavaScript engine. WASM can be targeted from over 20 different programming languages, offering developers flexibility and productivity.
Server-side WASM is in the early stages of development as a way to run native WebAssembly container images on Docker or Podman. Docker/Podman also acts as a single tool to build and run WASM applications. Some refer to them as WASM Containers as they are very lightweight and built on top of containerd.
WASM Cloud is a platform for writing portable business logic that can run anywhere from the edge to the cloud. Companies such as Cosmonic have expanded on WASM Cloud to provide WASM PaaS (Platform as a Service) to enable simplified application development and deployment.
K8s for the Edge
Edge deployments, which include container services being available close to clients, are rising with the growth of IoT, branch usage scenarios and reducing network bandwidth usage to the cloud. Telcos and media solutions use Edge deployments over multiple geo locations, allowing them to reach a more significant consumer base from humans to devices. Organizations using K8s to deliver services need a way to consistently deliver and manage at scale a similar set of services to the edge. To enable this, KubeEdge is one of the open-source projects being developed at CNCF. KubeEdge is expected to handle networking, deployment, built-in MQTT client and data synchronization between edge and cloud infrastructure.
CNCF edge projects of interest include K3s, KubeEdge, and K0s. In addition, traditional Linux distributions ship their own versions, such as MicroK8s (Canonical) and MicroShift / Project Flotta (RedHat / IBM), alongside K3s (Rancher / SUSE).
Source Code Supply Chain Security
With more and more internal and open-source projects depending on open-source software, project owners need a clear understanding of which pieces of software they depend on and where that software comes from. The listing of a piece of software and its ingredient components is referred to as a Software Bill of Materials (SBOM).
One motivating factor in answering these questions is to be aware of and address vulnerabilities so that their applications can be protected from potential compromise. Additionally, bad actors get involved in open-source projects and push malicious code (malware, botnet, backdoor access) to a component now inherited by upstream-dependent projects. This is commonly referred to as a software supply chain attack. These attacks are rare, very targeted and most likely funded by rogue nation-states or hackers, but the impact if one happens is enormous. Unpatched software continues to be a leading threat vector for compromise.
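As an added illustration of how an SBOM answers the "what do we depend on, and is it vulnerable?" question, the following Python (written for this report, not from any CNCF project) walks a constructed CycloneDX-style SBOM and matches each component's package URL against a constructed advisory list; the SBOM contents, advisory IDs and the simple dotted-version comparison are all assumptions for the example.

```python
import json

# Constructed minimal CycloneDX-style SBOM; the packages are fictitious.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "purl": "pkg:golang/example.com/libfoo@1.2.3"},
    {"type": "library", "name": "libbar", "version": "0.9.0",
     "purl": "pkg:golang/example.com/libbar@0.9.0"},
    {"type": "library", "name": "libbaz", "version": "2.0.1",
     "purl": "pkg:golang/example.com/libbaz@2.0.1"}
  ]
}
"""

# Constructed advisory feed: package URL (without version) -> affected ranges.
# A component is affected when introduced <= version < fixed.
ADVISORIES = {
    "pkg:golang/example.com/libfoo": [
        {"id": "ADV-EXAMPLE-0001", "introduced": "1.0.0", "fixed": "1.2.4"}],
    "pkg:golang/example.com/libbaz": [
        {"id": "ADV-EXAMPLE-0002", "introduced": "2.1.0", "fixed": "2.1.3"}],
}


def parse_version(v):
    """Assumes plain dotted numeric versions (e.g. 1.2.3)."""
    return tuple(int(part) for part in v.split("."))


def components(sbom_text):
    """Yield (package URL without version, version) for each SBOM component."""
    sbom = json.loads(sbom_text)
    for comp in sbom.get("components", []):
        name, _, version = comp["purl"].rpartition("@")
        yield name, version


def affected(sbom_text, advisories):
    """Return (package, version, advisory id) for every component in a known-bad range."""
    findings = []
    for name, version in components(sbom_text):
        for adv in advisories.get(name, []):
            v = parse_version(version)
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append((name, version, adv["id"]))
    return findings
```

Running `affected(SBOM_JSON, ADVISORIES)` flags only libfoo 1.2.3; libbaz 2.0.1 is below the introduced version and libbar has no advisory.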
Project Sigstore automates the process of digitally signing and verifying components. Project maintainers use the tool by incorporating it into the DevOps process for their production releases.
FinOps
FinOps is an operating model that brings financial accountability to variable spending in the cloud.
Using FinOps, technology, finance and business teams share the same language and processes to manage cloud spending while maintaining development velocity. This model involves understanding the cost of resources currently used, recommendations for cost optimization, and increasing operational efficiency, all to improve the unit economics of the cloud by increasing usage without increasing cost.
Incorporating the FinOps model with K8s gives clear visibility and cost metrics at a granular level toward better operations and capacity/budget planning.
Kubecost is an open-source K8s cloud cost modeling tool, and the installation is quick.
Observability
OpenTelemetry is a CNCF project formed with the merger of OpenTracing and OpenCensus projects. The goal is to provide a set of standardized vendor-agnostic SDKs, APIs, and tools to instrument, generate, collect, and export telemetry data (metrics, logs, and traces) for analyzing software performance and behavior. OpenTelemetry has broad industry support and adoption from cloud providers, vendors and end-users. Many software projects already support OpenTelemetry today. Prominent observability tools such as Prometheus, Grafana and Kafka can consume OpenTelemetry.
OpenTelemetry is implemented over gRPC and HTTP/1.1 transports and specifies a Protocol Buffers schema for its payloads.
K8s Challenges
Organizations with large-scale production deployments are looking for solutions to the technical problems of managing clusters of K8s clusters. Problems include performance, scaling, and management. CNCF’s Cluster API project is trying to address these multi-cluster challenges. Another area of interest is the ability to pin network interface cards to specific containers to get high network performance for particular container applications. Configuring and managing this via K8s tools is a challenge. All of these challenges are now being addressed.
The cloud-native juggernaut, helmed by K8s and related projects, continues its steady march, gathering ever more members of the community. Early-majority enterprises are showing up, and it’s just a few more years before we see cloud-native approaches displace the early VM-centric virtualization platforms prevalent in Global 2000 organizations. Stay tuned for KubeCon + CloudNativeCon 2023!
Photo credit: Alex Brisbey (Unsplash)