Struggled to block 4 days to follow all of the exciting developments in the cloud native space? Fear not! Read our main takeaways from KubeCon+CloudNativeCon Virtual Europe 2020.
The current pandemic forced us all to change our habits. Large in-person conferences feel like a luxury of the past. The Cloud Native Computing Foundation (CNCF) showed its resilience and commitment to keeping the community together: KubeCon moved virtual and was as good as a virtual event can get. The virtual lobby (illustrated below) welcomed attendees with the usual rooms — e.g. keynotes, sessions and expo hall — with long walks replaced by mouse clicks.
As with each KubeCon, the CNCF took diversity to the next level. Not only were women and other tech minorities given important roles within the CNCF and KubeCon, but the virtual nature of the conference gave access to participants that were previously excluded from KubeCon due to family commitments or prohibitive conference fees and travel costs. CNCF expects to publish its transparency reports next week.
Let us now focus on the major topics.
Newly graduated and incubated projects
The CNCF classifies projects as sandbox, incubating or graduated, by assessing their technical and organizational maturity. Graduated projects solve a pressing need, feature a rich and diverse contributor base, and are battle tested in many production environments.
This year, we have two newly graduated projects:
- Helm, the Kubernetes package manager, and
- Harbor, the container registry with an integrated vulnerability scanner.
Several new projects have reached incubation status:
- Contour, the Envoy-based Ingress controller;
- Cortex, a horizontally scalable, highly available, multi-tenant, long-term storage backend for Prometheus;
- Operator Framework, a toolkit for building Kubernetes operators that extend the Kubernetes API;
- K3s, the lightweight Kubernetes distribution;
- Argo, a set of Kubernetes-native tools for workflows and GitOps-style continuous delivery (more on GitOps below).
More focus on end-users
End-User Members are CNCF members that use cloud native technologies, but do not directly sell them. The more than 140 members include online shops, payment processors, and banks.
This year, the CNCF placed even more focus on end-users. Zalando was given the end-user award, to recognize its contribution to cloud native projects as an end-user. End-users with special requirements now have dedicated user groups, such as the telco user group and the financial user group. Finally, the CNCF published the first Technology Radar on GitOps (bear with me). This complements the CNCF-assessed project maturity, with end-users’ view on adoption.
ClusterAPI: Use K8s to create K8s clusters
ClusterAPI is a declarative API that lets a management Kubernetes (K8s) cluster create, update and destroy target K8s clusters. The API is currently at v1alpha3 and is expected to reach beta soon. Its core idea is to replace cloud-provider-specific cluster creation APIs, such as AWS's EKS, Google's GKE or Azure's AKS, with a single cloud-agnostic one. ClusterAPI currently has providers for AWS, Google Cloud, VMware (kudos for the sponsor demo!), Exoscale, Baidu, Alibaba and Tencent, and even for bare metal.
ClusterAPI reinforces the growing tendency to treat whole K8s clusters as disposable, and is expected to become a key GitOps building block. A cluster that can be rebuilt from its declared state is also far easier to recover after a compromise than one that has been maintained by hand.
GitOps: All system changes via Git commits
Let us finally talk about GitOps. In brief, GitOps means making every system change through a Git commit, from which an automated agent applies the declared state to the cluster. Besides producing a free audit trail of who changed what and when, GitOps reduces tedious and error-prone manual operations: changes can be tested and reviewed before they are merged, applied reliably and repeatedly, and any out-of-band drift can be detected and reverted. The flip side is that the Git repository becomes a critical asset: branch protection, mandatory review and signed commits matter, and secrets must never be committed in plaintext (see SOPS below).
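The reconciliation loop at the heart of GitOps, as an added example that is not part of the original post and not code from Argo CD or Flux: the desired state comes from manifests in Git, the live state from the cluster, and the agent computes the actions needed to converge, pruning objects that nobody committed. The manifests below are constructed, with deliberately simplified `spec` fields, and an in-memory list stands in for the API server.

```python
"""Minimal GitOps reconciliation: desired state (Git) versus live state (cluster).

Added example, not Argo CD's or Flux's code. Objects are plain dicts keyed by
(kind, namespace, name); sample manifests are constructed and their specs
are simplified compared with the real Kubernetes schema.
"""
import copy


def key(obj):
    """Identity of a Kubernetes object: kind, namespace (empty if cluster-scoped), name."""
    return (obj["kind"], obj["metadata"].get("namespace", ""), obj["metadata"]["name"])


def plan(desired, live, prune=True):
    """Diff desired against live and return the (action, key) pairs needed to converge.

    create: committed to Git but missing in the cluster
    update: present in both but the cluster copy drifted (edited out of band)
    delete: present in the cluster but not in Git (only when prune=True)
    """
    want = {key(o): o for o in desired}
    have = {key(o): o for o in live}
    actions = []
    for k, obj in want.items():
        if k not in have:
            actions.append(("create", k))
        elif have[k] != obj:
            actions.append(("update", k))
    if prune:
        actions.extend(("delete", k) for k in have if k not in want)
    return actions


def apply(desired, live, prune=True):
    """Execute the plan against a copy of the live state and return the new live state."""
    want = {key(o): o for o in desired}
    state = {key(o): copy.deepcopy(o) for o in live}
    for action, k in plan(desired, live, prune):
        if action == "delete":
            del state[k]
        else:
            state[k] = copy.deepcopy(want[k])
    return list(state.values())


# Constructed sample: what is committed in Git ...
DESIRED = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"replicas": 3, "image": "registry.example/web:1.4.2"}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "default-deny", "namespace": "shop"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
]

# ... and what the cluster actually runs: the image was changed by hand, the
# default-deny policy is missing, and someone started a privileged debug pod.
LIVE = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"replicas": 3, "image": "registry.example/web:debug"}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "shell", "namespace": "shop"},
     "spec": {"containers": [{"name": "sh", "image": "busybox",
                              "securityContext": {"privileged": True}}]}},
]


if __name__ == "__main__":
    for action, k in plan(DESIRED, LIVE):
        print(f"{action:6} {k[0]} {k[1]}/{k[2]}")
    converged = apply(DESIRED, LIVE)
    print("drift after apply:", plan(DESIRED, converged))  # expected: []
```

Running the plan a second time against the converged state yields no actions, which is the property that makes the loop safe to run continuously: every manual change that bypasses Git is reverted on the next reconciliation, and the Git history remains the only record of intended changes.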
DevSecOps: Secure development at the speed of cloud native
Kubernetes and cloud native technologies have demonstrated that they can increase the velocity of software delivery. Now they need to prove that they can do so securely. As in previous years, security keeps "shifting left". In essence, the security team no longer handles "low-level" security tasks, such as upgrading vulnerable packages, but empowers and supports developers to take care of those themselves. This frees the security team to maintain the high-level security policies and the tooling that enforces them.
Major security topics at KubeCon included network policies, vulnerability scanning, intrusion detection and key management. Aqua Security gave an excellent tutorial on how to use Trivy and OpenPolicyAgent to keep known vulnerabilities out of your production environment. Shopify and Sysdig showcased runtime intrusion detection using Falco. Cisco held a sponsor demo on driving network policy from a single policy database across load balancers, firewalls, cloud security groups and cluster Ingress. When it comes to key management, SOPS encrypts the values of Kubernetes Secret manifests so that they can be committed to Git, with the data keys protected by the cloud provider's Key Management Service (KMS), while SPIFFE/SPIRE issues attestable identities to nodes and workloads in the K8s cluster.
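What the Trivy plus policy-engine gate looks like in practice, as an added example that is not part of the original post and not Aqua's tutorial code: a scanner produces findings, and a policy decides which of them block the deployment. Plain Python stands in here for what the tutorial expressed in OPA's Rego. It assumes the Trivy JSON layout (`Target`, `Vulnerabilities`, `Severity`, `FixedVersion`), handling both the older bare-list and the newer `{"Results": [...]}` shape; the report, package names and CVE identifiers are constructed placeholders.

```python
"""Gate a container image on Trivy scan results, as an OPA/Rego policy would.

Added example, not Aqua Security's tutorial code. Assumes the Trivy JSON
fields named below; the sample report and its CVE ids are placeholders.
"""
import json
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON shape (placeholder CVE ids, not real ones).
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "registry.example/shop:1.4.2 (debian 10.4)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux",
                 "InstalledVersion": "5.1", "FixedVersion": "5.2",
                 "Severity": "LOW"},
            ],
        },
        # Trivy emits null, not [], for a target without findings.
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ]
})

# Policy as data, so it can live in Git next to the manifests. Accepted risks
# carry an expiry date: an exception that never expires quietly becomes policy.
POLICY = {
    "min_severity": "HIGH",      # block at this severity and above
    "block_unfixed": False,      # findings without a fix only warn
    "exceptions": {"CVE-0000-0003": "2020-12-31"},
}


def parse_trivy(report_json):
    """Flatten a Trivy JSON report into one dict per finding."""
    data = json.loads(report_json)
    results = data["Results"] if isinstance(data, dict) else data  # old Trivy: bare list
    findings = []
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result["Target"],
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def evaluate(findings, policy, today):
    """Return a verdict: allowed flag plus denied, warned and excepted findings."""
    threshold = SEVERITY_RANK[policy["min_severity"]]
    denied, warnings, excepted = [], [], []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        expiry = policy["exceptions"].get(f["id"])
        if expiry is not None and today <= date.fromisoformat(expiry):
            excepted.append(f)
        elif f["fixed"] or policy["block_unfixed"]:
            denied.append(f)
        else:
            warnings.append(f)  # nothing to upgrade to yet; track, do not block
    return {"allowed": not denied, "denied": denied,
            "warnings": warnings, "excepted": excepted}


def gate(report_json, policy=POLICY, today=None):
    """Parse a Trivy report and evaluate it; today may be a date or an ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return evaluate(parse_trivy(report_json), policy, today or date.today())


if __name__ == "__main__":
    verdict = gate(SAMPLE_REPORT, today="2020-09-01")
    for f in verdict["denied"]:
        print(f"DENY {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['severity']})")
    for f in verdict["warnings"]:
        print(f"WARN {f['id']} {f['pkg']} has no fix yet ({f['severity']})")
    for f in verdict["excepted"]:
        print(f"SKIP {f['id']} accepted until {POLICY['exceptions'][f['id']]}")
    raise SystemExit(0 if verdict["allowed"] else 1)
```

The same logic ports almost line for line to Rego; the point is that the policy is declarative data reviewed in Git, not a judgement call made by whoever runs the pipeline. Note the two deliberate choices: findings without an available fix are reported rather than blocking (otherwise every image fails on the day a new CVE lands), and every exception expires, so accepted risk is re-examined instead of forgotten.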
I could go on and on about storage, edge native computing and telco-grade networking, but then I would end up needing those 4 days of your time after all. ☺
If you want to hear more details, listen in to our video where we summarize the major take-aways from KubeCon + CloudNativeCon Europe 2020.