All journalists need an angle. Last week Silicon Angle’s angle was “industrializing the Kubernetes platform”, commenting on the fact that KubeCon was held in Detroit. Is there more truth to that than a throwaway statement? Is Cloud Native an ecosystem, a term many would use, or is it an industry? Who is KubeCon for?
The CNCF cited Gartner research from last year claiming 95% of new projects will be based on cloud native technologies. I’m not convinced, reading the source, that Gartner means “container packaged and microservices oriented” when they say “cloud-native” (with a hyphen). The article reads better if you just consider it “running on a cloud”. Does “cloud native” now just mean “cloud”, or “software run on servers”?
Does the cloud industry need an industry body? At first glance, the CNCF could be seen to fulfil that role. However, their goal has to be to promote the needs of their projects and their members: if you are a relevant project and you’re, ahem, “outside the big tent”[1], KubeCon can’t really make the space for you.
The keynote of the Detroit event could be seen as a thinly veiled plea to the companies that make up its membership, vendor or end-user alike. There are only 1,000 maintainers! That’s not nearly enough. If, say, there was an outbreak of a disease at a conference, you could seriously impact the productivity of the industry.
I like to apply the 1% rule[2] to open source projects, and it feels like we can extrapolate it to the industry at large. 1,000 maintainers, 8,000 in-person KubeCon attendees. 176,000 contributors, 7 million Cloud Native developers. Round a few up and a few down. KubeCon in-person hits 0.1% of the audience, and if we round up to the 17,000 people that the CNCF say attended either virtually or in person, that’s about 10% of the total number of contributors.
(We haven’t yet started to consider the number of people who attend on behalf of a vendor: around 300 exhibitors, average of 5 staff each? That’s 20% of your audience right there.)
But what of the other 6.9 million people who use, but don’t build, Kubernetes? The other 160,000 developers, who are never going to be famous enough to feature on Contributors in Cars Getting Coffee? How do people reach the long tail? Why, online, of course. People send out press releases hoping to be featured in publications even as niche as this newsletter. Media invited to KubeCon were sent 110 press releases in advance of the show[3]. I read them all so you don’t have to[4].
Who is this newsletter for? If you’re anywhere in the 7 million, it’s for you.
Edge of glory
There were few announcements from the big players at KubeCon proper. This is not a surprise, given that they all have their own events, which have just happened (Microsoft, Google) or are just about to happen (AWS). But, given that Gartner says that 75% of computing will happen at the edge by 2025, everyone is hard at work on their edge solutions.
Microsoft’s AKS Lite - formerly known as Project Haven - is now in public preview[5]. Both Windows and Linux images are supported, and the clusters are managed centrally by Azure Arc.
AKS Lite is built on K3s. One may assume that the new SUSE Edge 2.0 is similarly based.
Red Hat Device Edge, on the other hand, is built on MicroShift; Red Hat is working with Lockheed Martin, presumably to ensure they support cases where the edge is moving very fast[6].
A recent announcement from Broadcom CEO Hock Tan says he “sees Tanzu as a strategic part of the VMware software portfolio” and that VMware customers “should feel confident in Broadcom’s commitment going forward”. The Tanzu team says they are at work on edge[7], and are looking for design partners.
Rounding out the space, Google has a hardware and software play here, if you can tolerate continual renaming. A few years back I might have commented on AWS not acknowledging the existence of a place outside their cloud, but “EKS Anywhere for Snowball Edge will be available in 2022”, presumably at re-re-Invent.
Webs, Assemble!
Moore’s Law tells us we shouldn’t optimise our edge code too much, but rather wait 18 months and just buy faster chips. Still, a number of prognosticators[8] see WebAssembly as the next evolution of Cloud Native, even though the Kubernetes vendors haven’t yet found a way to tie the concepts together as anything more than a sensible embedded runtime for more traditional applications.
The CNCF published results of a Wasm micro-survey, in which 28% of their respondents are using the technology[9]. Will this tip in the direction of containers or of 3D television? Only time will tell. You came here for news, not opinions.
Until then, bets are being hedged. Docker has released a technical preview of Wasm integration, by way of deploying a container running WasmEdge (big W).
The wasmCloud project (little w) says that Wasm shouldn’t stop at the edge. Its creator, Cosmonic, announced $8.5m in seed funding to accelerate the development of “the first” PaaS for Wasm.
“The first” PaaS for Wasm was also built by Fermyon, founded by the mass exodus of the Deis Labs team from Microsoft[10]. Fermyon recently celebrated their first birthday by announcing a $20 million Series A round. They will use the money to build out an “enterprise-ready” commercial offering.
And if you don't love me now
Supply chain security continues to be top of the hype cycle, even when a scary OpenSSL security advisory was downgraded to “damp squib”[11].
The Sigstore project moved key components to General Availability, and GitHub is excited about it: no doubt due to the number of GitHub Actions people will run building and validating SBOMs.
Higher up the stack is Google’s new Graph for Understanding Artifact Composition, or GUAC; a complex backronym in aid of making a Mexican condiment joke. GUAC is a knowledge graph of software metadata. It can be used to answer security and supply chain questions like “which parts of my organisation’s inventory are affected by the Damp Squib vulnerability in OpenSSL?”
Also building a graph database for security is Mondoo, which launched two new open source projects. cnquery and cnspec let you inventory your containers and perform security assessments against them, in a similar vein to the osquery project for devices.
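The question GUAC is built to answer, “which parts of my inventory are affected by this OpenSSL vulnerability?”, is at heart a graph traversal over SBOM data, and the cnquery/cnspec inventory-then-assess workflow asks a per-container version of the same thing. The following is an added illustration in Python, not GUAC’s, Mondoo’s or any other project’s code: it builds a tiny artifact graph from constructed “depends on” edges, matches package nodes against a constructed affected-version range, and walks upstream to the deployable images. Image names, package versions and the advisory range are all invented sample data; real tools ingest richer formats (SPDX, CycloneDX, OSV-style ranges) than the name@version convention assumed here.

```python
import re
from collections import defaultdict, deque

# Constructed sample SBOM edges: (artifact, direct dependency). The image
# names, packages and versions are invented for this example.
SBOM_EDGES = [
    ("registry.example/web:1.4", "libcurl@7.85.0"),
    ("registry.example/web:1.4", "nginx@1.23.2"),
    ("libcurl@7.85.0", "openssl@3.0.5"),
    ("nginx@1.23.2", "openssl@3.0.5"),
    ("registry.example/api:2.1", "openssl@3.0.6"),
    ("registry.example/batch:0.9", "openssl@1.1.1q"),
]


def version_key(version):
    """Map '3.0.5' or '1.1.1q' to a tuple that compares numerically.
    Numeric tokens are tagged 0 and alphabetic ones 1, so comparing a
    number with a letter suffix never raises a TypeError."""
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok)
        for tok in re.findall(r"\d+|[A-Za-z]+", version)
    )


def split_ref(ref):
    """'openssl@3.0.5' -> ('openssl', '3.0.5'). Image references carry no
    '@' in this toy convention and come back with version None."""
    if "@" in ref:
        name, ver = ref.rsplit("@", 1)
        return name, ver
    return ref, None


class ArtifactGraph:
    """Bidirectional dependency graph built from SBOM edges."""

    def __init__(self, edges):
        self.depends_on = defaultdict(set)  # artifact -> direct dependencies
        self.used_by = defaultdict(set)     # dependency -> artifacts using it
        for parent, child in edges:
            self.depends_on[parent].add(child)
            self.used_by[child].add(parent)

    def nodes(self):
        return set(self.depends_on) | set(self.used_by)

    def vulnerable_packages(self, package, introduced, fixed):
        """Package nodes whose version lies in [introduced, fixed)."""
        lo, hi = version_key(introduced), version_key(fixed)
        hits = []
        for node in self.nodes():
            name, ver = split_ref(node)
            if name == package and ver is not None and lo <= version_key(ver) < hi:
                hits.append(node)
        return sorted(hits)

    def affected_roots(self, package, introduced, fixed):
        """Breadth-first walk of 'used by' edges upstream from each
        vulnerable package. Returns {root artifact: path from the root down
        to the vulnerable package}; roots are nodes nothing else depends
        on, i.e. the deployable images in this sample."""
        affected = {}
        for vuln in self.vulnerable_packages(package, introduced, fixed):
            queue = deque([(vuln, [vuln])])
            seen = {vuln}
            while queue:
                node, path = queue.popleft()
                parents = self.used_by.get(node, set())
                if not parents:
                    affected.setdefault(node, list(reversed(path)))
                for parent in sorted(parents):  # sorted for deterministic paths
                    if parent not in seen:
                        seen.add(parent)
                        queue.append((parent, path + [parent]))
        return affected


GRAPH = ArtifactGraph(SBOM_EDGES)

if __name__ == "__main__":
    # Constructed advisory: openssl versions >= 3.0.0 and < 3.0.7 affected.
    for root, path in sorted(GRAPH.affected_roots("openssl", "3.0.0", "3.0.7").items()):
        print(f"{root}: {' -> '.join(path)}")
```

Run as a script it reports the two images that reach an affected OpenSSL through their dependency chain and leaves the 1.1.1-series image alone; the path it prints is the evidence a responder would want alongside the verdict. Keeping both edge directions lets the same structure answer the forward question (“what is in this image?”) and the reverse one (“who ships this package?”) without rebuilding anything.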
You will never love me again
Security at the other end of the chain — the demand chain? — is still very relevant, given recent announcements.
GKE introduced a new security posture dashboard, Datadog launched a cloud security management solution, and ARMO added CIS benchmarks to their open source Kubescape platform[12]. Red Hat also launched a vulnerability insights service, though that’s to check the OpenShift components themselves, and not customer workloads.
All going well, these will save you from such wonderfully-named vulnerabilities as “Kiss A Dog”, discovered and publicised by Crowdstrike. The writeup talks about the inner workings of the exploit, which will attempt a container escape. Hacked nodes contribute their mining efforts to anonymous “pool servers” so you can’t even tell if you managed to strike it lucky and contribute anything of value while burning your CPU cycles.
Cost management is also a big deal in these times of economic downturn, with myriad stories of people optimising their cloud bills. Datadog has released a cost management tool for cloud, and Sysdig one for Kubernetes.
File under “batch”
At the “useful but not hyped” end of computing, we have two announcements about batch services, from people who probably know what they’re doing building them.
Apple released a batch processing gateway for Kubernetes, which sits in front of clusters running the Spark operator and apportions jobs, presumably to display inappropriate ads on App Store pages. Just like Spark, it’s very Java.
If you prefer a managed service, AWS Batch launched support for EKS. This service makes placement decisions for workloads itself using labels and taints, bypassing the Kubernetes scheduler. Be aware it currently requires your EKS cluster to have a public internet endpoint.
Service mesh
The only service mesh news of note at KubeCon was the announcement of a free Linux Foundation Istio training course, based on a course donated by Tetrate.
I’m told the recent announcements around Gateway API dominated discussion, and sidecars vs “sidecarless” dominated debate.
Kong had the decency to delay announcing GA of Kong Mesh 2.0 and Kuma, its open source base, until it was actually ready; launching the week after KubeCon. The headline feature is, of course, eBPF, which adds a 12% improvement in latency, hopefully demonstrating to people that eBPF really is just a nicer API to expose some kernel plumbing[13] and not a “feature”.[14] Kong achieves this using Merbridge, a project launched by Daocloud to similarly speed up Istio.
Datadog’s recently released Container Report contains the usual up-and-to-the right graphs for Kubernetes usage, but for the first time reports on service mesh usage figures. 10% of Datadog’s Kubernetes customers are running Istio, with Linkerd in second place with 3%. No other technology made it past the margin of error for inclusion on the graph.
Project updates
cert-manager has become an incubating project in the CNCF. The project allows provisioning of TLS certificates using the ACME protocol[15], commonly associated with the free Let’s Encrypt service. Congratulations especially to the lovely James Munnelly who initially created it.
Kubeflow has applied to join the CNCF. Kubeflow was, incidentally, the topic of the first interview we recorded for the old show[16]. Since then, it has developed into an end-to-end, extensible ML platform, with components for model development, training, and serving; as well as automated machine learning.
Google has also proposed ko, a builder for Go apps, as a Sandbox project.
Other goings-on
A few relevant developer tooling announcements:
Skaffold v2 is Generally Available; the headline features are support for Google Cloud Run, multiple architectures, and separate phases for rendering and verifying manifests[17].
Gitpod landed a $25 million Series A investment for cloud development environments, led by Tom Preston-Warner, founder of GitHub. (Perhaps he just really likes Git.)
Diagrid has emerged from stealth with $20m to build managed Dapr[18].
Cisco announced Zot Registry, a new OCI container registry. Zot is a single binary that runs in an unprivileged process, and includes authN, authZ, garbage collection, deduplication and more.
Josiah McGarvie, the filmmaker that produced Kubernetes: The Documentary, is back with a look at Prometheus, produced this time by “Total” Chad Torbin[19].
Thanks, as always, for listening
We can’t leave without reporting on the Bird of the Year: the 2022 winner was announced as the pīwauwau rock wren, after the two-time champion, the kākāpō, was barred from competing.
And that’s the news.
[1] While this was originally a political term, our industry widely uses it in reference to OpenStack.
[2] The internet rule, not the Bernie Sanders rule.
[3] The most interesting thing about some of them was the header showing the internal review process before eventual publication.
[4] I’m four in, and literally all of them have described themselves as “leader” or “leading”.
[5] Except it isn’t, really; it will happen “sometime in November”. This announcement came alongside the CSI for Azure Blob Storage, which is “soon to be generally available”. Pre-shame on you, Microsoft; thankfully it’s only soon-to-be the year of Linux on the desktop.
[6] For when your edge is a track on the edge of a mountain.
[7] As opposed to “on edge at work”, which they apparently were when they heard Broadcom bought them.
[8] These are the kind of words I hope you subscribe for.
[9] n=93, presumably quite self-selected?
[10] A full nine of them are listed as “founders” on the About page.
[11] Not “damp squid”, mind you. Think about it. All squids are damp.
[12] This one looks interesting.
[13] What, they had a whole conference on it at KubeCon? I’ll, erm, go watch all the videos right away.
[14] Smarter people than me pointed out that you don’t have a large enough stack to do proper string processing. That sounds like something you might like to do to process HTTP.
[15] Apropos of nothing else, a great read: the Rules of Road-Runner.
[16] Probably don’t go back and listen. I trust we had improved as hosts since then.
[17] That one was Episode 6!
[18] You what now? I haven’t personally ever seen Dapr used in the wild, but it might be popular in the Microsoft world?
[19] Can I get away with unexplained references to the old show? I sure hope so.