Bigger than Linux: The rise of cloud native

Better interfaces, better security

As often seems to be the case in cloud native computing, disaggregation in pursuit of performance and scale creates new problems of its own before it pays off. Break an application into microservices, for instance, and wiring them back together so that they offer the functionality of the old monolith (service discovery, routing, retries, and securing the traffic between them) has had its challenges.

The CNCF has tackled these connectivity issues by pulling in a number of projects for incubation. Linkerd, for instance, is a ‘service mesh’: a layer of proxies that sits between microservices, routes their requests and can enforce mutual TLS and access policy between services without changes to application code. Envoy (originally built inside Lyft) is the high-performance proxy that serves as the data plane for several meshes, Istio among them.

The CNCF also hosts gRPC, a general-purpose RPC framework built on HTTP/2 and Protocol Buffers that is widely used for communication between services in a cluster (it is not specific to Kubernetes pods), and CoreDNS, a DNS server and service discovery tool that manages how processes and services in a cluster find and talk to one another.

This year, the CNCF is moving on to other challenges. While Kubernetes abstracts away much of the complexity of managing containers at scale, it still needs to integrate with networking, storage and security services to supply a comprehensive container infrastructure.

Alexis Richardson, chair of the CNCF’s Technical Oversight Committee (TOC), says that the priorities are better interfaces, storage, security and easy on-ramps for developers.

(Image credit: Cloud Native Computing Foundation (CC BY-NC 2.0))

Probably one of the most popular on-ramps is Helm, a package manager for Kubernetes. This is another CNCF-supported project that helps developers simplify running applications and services in a Kubernetes cluster. Helm uses a ‘chart’ format: a collection of files describing the resources needed for a particular application or service to run inside a Kubernetes cluster. Because a chart declares every Kubernetes resource an application needs, it is also the natural place to pin image versions and pod security settings, and the natural thing to review before installing third-party software into a cluster.

In regard to improving interfaces, the CNCF is focused on creating open standards for companies to use, which is why it is spinning OpenMetrics out of Prometheus, the open source monitoring system. The starting point is the text exposition format: the plain-text `metric_name{label="value"} value` lines that a service serves on its metrics endpoint for Prometheus servers to scrape. Richardson says they want to evolve the exposition formats from Prometheus, which are used to expose metrics to Prometheus servers, “and standardise it so anyone can do it for other projects as well.”
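To make the exposition format concrete, here is an added example (not code from the article, the CNCF or the Prometheus project) in Python: a small parser for the text format that a metrics endpoint serves, run over a constructed scrape. It handles HELP and TYPE comment lines, labels with escaped characters and optional millisecond timestamps, and it rejects malformed lines outright rather than skipping them, since a target that emits garbage is something an operator wants to hear about. Histogram and summary sub-series, and a `}` inside a label value, are not handled; the metric names and values are made up for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample scrape in the Prometheus text exposition format (the
# format OpenMetrics standardises). Sample data for the example, not real output.
SAMPLE_SCRAPE = """\
# HELP http_requests_total Total HTTP requests served.
# TYPE http_requests_total counter
http_requests_total{method="GET",code="200"} 1027 1395066363000
http_requests_total{method="POST",code="500"} 3
# HELP process_open_fds Number of open file descriptors.
# TYPE process_open_fds gauge
process_open_fds 42
# Comments that are not HELP or TYPE lines are ignored by the parser.
untyped_metric{path="/a\\"b"} 7.5
"""

@dataclass
class Sample:
    name: str
    labels: dict
    value: float
    timestamp_ms: Optional[int] = None

@dataclass
class MetricFamily:
    name: str
    type: str = "untyped"
    help: str = ""
    samples: list = field(default_factory=list)

SAMPLE_RE = re.compile(
    r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)'   # metric name
    r'(?:\{(?P<labels>[^}]*)\})?'            # optional {label="value",...}
    r'\s+(?P<value>\S+)'                     # value: float, NaN, +Inf or -Inf
    r'(?:\s+(?P<ts>-?\d+))?\s*$'             # optional millisecond timestamp
)
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

def _unescape(raw: str) -> str:
    """Exposition-format escapes inside label values: \\\\ -> \\, \\" -> ", \\n -> newline."""
    return re.sub(r'\\(.)', lambda m: '\n' if m.group(1) == 'n' else m.group(1), raw)

def parse_exposition(text: str) -> dict:
    """Parse a scrape into metric families keyed by name; raise on malformed lines."""
    families = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            parts = line.split(None, 3)  # '#', 'HELP'|'TYPE', name, remainder
            if len(parts) >= 3 and parts[1] in ('HELP', 'TYPE'):
                fam = families.setdefault(parts[2], MetricFamily(parts[2]))
                remainder = parts[3] if len(parts) > 3 else ''
                if parts[1] == 'TYPE':
                    fam.type = remainder or 'untyped'
                else:
                    fam.help = remainder
            continue  # any other comment is ignored
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: malformed sample {raw!r}')
        labels = {k: _unescape(v) for k, v in LABEL_RE.findall(m.group('labels') or '')}
        fam = families.setdefault(m.group('name'), MetricFamily(m.group('name')))
        fam.samples.append(Sample(
            name=m.group('name'),
            labels=labels,
            value=float(m.group('value')),
            timestamp_ms=int(m.group('ts')) if m.group('ts') else None,
        ))
    return families

def total(families: dict, name: str, **match) -> float:
    """Sum the samples of one family whose labels include every key=value given."""
    fam = families.get(name)
    if fam is None:
        return 0.0
    return sum(s.value for s in fam.samples
               if all(s.labels.get(k) == v for k, v in match.items()))

if __name__ == '__main__':
    fams = parse_exposition(SAMPLE_SCRAPE)
    for fam in fams.values():
        print(fam.name, fam.type, [s.value for s in fam.samples])
    print('5xx responses so far:', total(fams, 'http_requests_total', code='500'))
```

The format is deliberately simple to emit, which is the point of standardising it: any service can write these lines, and any collector that can parse them can consume them.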

Additionally, the CNCF is working on standardising the way that events are described, with consistent metadata attributes in a common specification. Announced as OpenEvents, the project is now called CloudEvents. Events matter because they carry valuable data about actions, both on the developer side (e.g. a new commit that should trigger automated tests) and on the customer-facing side (e.g. a customer creating a new account), and a common envelope lets producers and consumers from different vendors exchange them without bespoke adapters.
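The attribute set is small enough to show in full. The following is an added example in Python, not code from the article or the CloudEvents project: it builds two events of the kinds mentioned above (a commit push and an account creation; the `type` and `source` values are invented for the example) in the JSON event format of CloudEvents 1.0, validates the four required context attributes (`specversion`, `id`, `source`, `type`) plus the shape of optional and extension attributes, and shows a consumer that drops redeliveries using the spec’s rule that `source` plus `id` is unique per event.

```python
import json
import re
from datetime import datetime, timezone

# CloudEvents 1.0 context attributes. Everything else on an event is either
# the payload ('data' or 'data_base64') or an extension attribute.
REQUIRED = ("specversion", "id", "source", "type")
OPTIONAL = ("datacontenttype", "dataschema", "subject", "time")
EXTENSION_NAME_RE = re.compile(r"^[a-z0-9]{1,20}$")  # lowercase alphanumeric, short

def make_event(event_type: str, source: str, event_id: str, data, **attributes) -> dict:
    """Build an event in the CloudEvents JSON format (as a plain dict)."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")
    event = {"specversion": "1.0", "type": event_type, "source": source, "id": event_id,
             "time": now, "datacontenttype": "application/json", "data": data}
    event.update(attributes)  # optional or extension attributes
    return event

def to_json(event: dict) -> str:
    return json.dumps(event)

def validate(event) -> list:
    """Return a list of problems; an empty list means the event is well-formed."""
    if not isinstance(event, dict):
        return ["event must be a JSON object"]
    problems = []
    for attr in REQUIRED:
        value = event.get(attr)
        if not isinstance(value, str) or not value:
            problems.append(f"required attribute '{attr}' is missing or empty")
    if "specversion" in event and event["specversion"] != "1.0":
        problems.append(f"unsupported specversion {event['specversion']!r}")
    if "time" in event:
        try:
            datetime.fromisoformat(str(event["time"]).replace("Z", "+00:00"))
        except ValueError:
            problems.append("'time' is not an RFC 3339 timestamp")
    for name, value in event.items():
        if name in REQUIRED or name in OPTIONAL or name in ("data", "data_base64"):
            continue
        if not EXTENSION_NAME_RE.match(name):
            problems.append(f"extension attribute name {name!r} must be lowercase alphanumeric")
        elif not isinstance(value, (str, bool, int)):
            problems.append(f"extension attribute {name!r} must be a string, boolean or integer")
    return problems

class Consumer:
    """Receives serialised events, rejects malformed ones and ignores redeliveries.
    The spec makes (source, id) unique per event, so it serves as the idempotency key."""
    def __init__(self):
        self.seen = set()
        self.accepted = []

    def receive(self, raw: str) -> str:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            return "invalid"
        if validate(event):
            return "invalid"
        key = (event["source"], event["id"])
        if key in self.seen:
            return "duplicate"
        self.seen.add(key)
        self.accepted.append(event)
        return "accepted"

# Constructed sample events; the type names and sources are invented for the example.
COMMIT_EVENT = make_event("com.example.git.push", "/repos/payments-api", "push-4f9b2c",
                          {"ref": "refs/heads/main", "commit": "4f9b2c1"})
SIGNUP_EVENT = make_event("com.example.account.created", "https://example.com/accounts",
                          "acct-1001", {"account_id": 1001}, subject="1001", traceid="7c3e")

if __name__ == "__main__":
    consumer = Consumer()
    for raw in (to_json(COMMIT_EVENT), to_json(COMMIT_EVENT), to_json(SIGNUP_EVENT),
                '{"id": "x"}', "not json"):
        print(consumer.receive(raw))
    print(validate({**COMMIT_EVENT, "TraceID": "7c3e"}))
```

The validator is strict about attribute names on purpose: a consumer that silently accepts `TraceID` alongside `traceid` is the kind of ambiguity a shared specification exists to remove.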

The CNCF’s work on open standards is steadily bearing fruit and has, for example, enabled cloud providers to improve their own interfaces and monitoring systems. Google Cloud, for instance, released Stackdriver Kubernetes Monitoring. Google’s Craig Box explained that this “ingests Prometheus data” and pulls it together with metrics, logs, events and metadata from your Kubernetes environment to give developers more oversight of their clusters, site reliability engineers a centralised place for maintenance, and security engineers the auditing data they need.

Not surprisingly, security was a hot topic in Copenhagen. From the CNCF’s perspective, Richardson highlighted a few foundation-hosted projects, such as the Secure Production Identity Framework for Everyone (SPIFFE), which gives each workload a verifiable identity (a SPIFFE ID carried in a certificate called an SVID) so that containers can authenticate one another and set up mutually authenticated, encrypted connections across untrusted networks, and Open Policy Agent (OPA), which handles the policy and authorisation side of things: a general-purpose policy engine that answers “is this request allowed?” for Kubernetes admission control, API authorisation and the like.

Addressing the security issues, Brandon Philips, CTO of CoreOS at Red Hat, says there are essentially three pillars of security: “The first is just security of the infrastructure software. In regard to Red Hat, that’s something that CoreOS focuses on. So making sure that the operating system, container runtime and the Kubernetes API server and all this stuff stays up to date and secure. That’s just about making automation happen around all those pieces.”


Philips says that for a long time people have actually been very bad at this: “They would forget to run `apt-get update` and `upgrade`. So the thesis of the CoreOS company was: we’re going to secure stuff by automating that basic operational cleanliness of making sure updates can apply. That’s one pillar of security. This is where companies essentially just ignore the problem, and then they eventually get hacked.”

The second pillar is application security. This is where containers have a very particular advantage, says Philips: “One of the problems with VMs – we have customers that used to have this problem – people would request VMs or file a ticket to get a VM that would show up and then IT would have no idea what happens after that; it’s just this black box. And you end up caring for inventory of hundreds of VMs or thousands of VMs. You have no idea what’s going on inside of them. But there’s probably software that’s getting out of date, middleware software that’s getting out of date.” 

Philips says that containers supply more transparency about what’s inside: “You’re able to say, ‘Here’s some metadata about the container. I’m going to introspect that container and dig through what JAR files exist.’” This is how something like the Equifax hack happens, he told us, “because you’re not paying attention to what is actually in your application, because you have no idea. This is really nobody’s fault except for the application developer, and he’s never been a security expert.”
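The “introspect the container and dig through what JAR files exist” step is mechanical enough to script. Below is an added example in Python (not code from CoreOS, Red Hat or the article) that walks a directory tree standing in for an unpacked image filesystem, reads `Implementation-Title` and `Implementation-Version` from the `META-INF/MANIFEST.MF` of every JAR, WAR and EAR, including JARs bundled inside a WAR’s `WEB-INF/lib`, and compares them against an advisory table. The advisory table, the component names and the fixture archives are all constructed for the example and carry no real vulnerability data; a real scanner would take its data from a vulnerability database and would also read the image’s package-manager metadata, since plenty of JARs ship without useful manifest attributes.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Constructed advisory table for the example: component title -> first fixed
# version. Placeholder data, not real vulnerability information.
ADVISORIES = {
    "example-web-framework": "2.3.32",
    "example-xml-parser": "1.4.0",
}

def parse_version(version: str) -> tuple:
    """Compare versions numerically per dotted component; non-digits are dropped."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def read_manifest(zf: zipfile.ZipFile) -> dict:
    """Main section of META-INF/MANIFEST.MF as a dict; handles the 72-byte line wrapping."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    attrs, key = {}, None
    for line in raw.splitlines():
        if not line.strip():
            break                               # blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]              # continuation of the previous attribute
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs

def inventory_archive(zf: zipfile.ZipFile, origin: str) -> list:
    """(origin, title, version) for this archive and every JAR bundled inside it."""
    found = []
    manifest = read_manifest(zf)
    if "Implementation-Title" in manifest:
        found.append((origin, manifest["Implementation-Title"],
                      manifest.get("Implementation-Version", "")))
    for name in zf.namelist():
        if name.lower().endswith(".jar"):       # e.g. WEB-INF/lib/*.jar inside a WAR
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                found.extend(inventory_archive(inner, f"{origin}!{name}"))
    return found

def inventory_tree(root) -> list:
    """Walk a filesystem (an unpacked image rootfs, say) and inventory every Java archive."""
    root, found = Path(root), []
    for dirpath, _, files in os.walk(root):
        for filename in sorted(files):
            if filename.lower().endswith((".jar", ".war", ".ear")):
                path = Path(dirpath) / filename
                with zipfile.ZipFile(path) as zf:
                    found.extend(inventory_archive(zf, path.relative_to(root).as_posix()))
    return found

def vulnerable(inventory: list) -> list:
    """Inventory entries older than the advisory's first fixed version."""
    return [{"where": origin, "component": title, "version": version, "fixed_in": ADVISORIES[title]}
            for origin, title, version in inventory
            if title in ADVISORIES and parse_version(version) < parse_version(ADVISORIES[title])]

def _manifest(title: str, version: str) -> str:
    return (f"Manifest-Version: 1.0\r\nImplementation-Title: {title}\r\n"
            f"Implementation-Version: {version}\r\n\r\n")

def build_archive(path: Path, title: str, version: str, bundled: dict = None) -> None:
    """Write a constructed JAR/WAR fixture; 'bundled' maps inner paths to (title, version)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", _manifest(title, version))
        for inner_name, (inner_title, inner_version) in (bundled or {}).items():
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w") as inner:
                inner.writestr("META-INF/MANIFEST.MF", _manifest(inner_title, inner_version))
            zf.writestr(inner_name, buf.getvalue())

def demo() -> list:
    """Lay out a constructed image filesystem and return the vulnerable findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "opt/app").mkdir(parents=True)
        (root / "usr/share/java").mkdir(parents=True)
        build_archive(root / "opt/app/shop.war", "shop", "1.0", bundled={
            "WEB-INF/lib/example-web-framework-2.3.31.jar": ("example-web-framework", "2.3.31")})
        build_archive(root / "usr/share/java/example-xml-parser-1.4.2.jar",
                      "example-xml-parser", "1.4.2")
        return vulnerable(inventory_tree(root))

if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['where']}: {hit['component']} {hit['version']} (fixed in {hit['fixed_in']})")
```

The finding the demo produces is the interesting case: the outdated framework is not a file on the image filesystem at all but a JAR inside the application’s WAR, which is exactly the layer a filesystem-only package inventory misses and the reason the scan has to open archives recursively.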

The third pillar is application infrastructure security: “This is network policies, and making sure the application can’t talk to this application, or that secrets get injected. So, like, database connection strings and so on.” Kubernetes essentially provides APIs for that, says Philips: “And then those APIs can be managed by the person in charge of the app, but they can also have overrides above that, where the infrastructure people can say, ‘Actually, you can’t talk to anybody outside of your application. You can’t talk to our super-secret secure database. You can’t talk to the HR database. You can only talk inside of this particular set of application pieces.’”
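To show what those Kubernetes APIs actually decide, here is an added example in Python (not code from the article, Kubernetes or CoreOS) that evaluates a simplified form of the NetworkPolicy ingress semantics over a constructed cluster: a namespace-wide default-deny policy of the kind an infrastructure team would impose, a rule letting only the shop application’s api pods reach its database, and a rule letting an ingress controller’s namespace reach the api. It also lists pods that no policy selects, which in Kubernetes means they accept traffic from anywhere. Only `matchLabels` selectors and ingress rules are modelled; `matchExpressions`, `ipBlock`, ports and egress are left out, and all the namespaces, labels and policy names are invented.

```python
from dataclasses import dataclass, field

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)

# Constructed cluster state for the example: namespace labels, and NetworkPolicy
# objects in the shape kubectl accepts (metadata + spec), matchLabels only.
NAMESPACE_LABELS = {"shop": {}, "hr": {}, "ingress-nginx": {"role": "ingress"}}

POLICIES = [
    {   # infra-team override: nothing in "shop" accepts ingress unless a rule allows it
        "metadata": {"name": "default-deny-ingress", "namespace": "shop"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []},
    },
    {   # the database may only be reached by this application's api pods
        "metadata": {"name": "db-from-api", "namespace": "shop"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "shop", "tier": "db"}},
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "shop", "tier": "api"}}}]}],
        },
    },
    {   # the api accepts traffic from any pod in a namespace labelled role=ingress
        "metadata": {"name": "api-from-ingress-controller", "namespace": "shop"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "shop", "tier": "api"}},
            "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "ingress"}}}]}],
        },
    },
]

def selector_matches(selector: dict, labels: dict) -> bool:
    """An empty selector ({}) matches everything; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer: dict, src: Pod, policy_ns: str) -> bool:
    """One entry of an ingress rule's 'from' list. podSelector and namespaceSelector
    are ANDed when both are present; a podSelector on its own is scoped to the
    policy's own namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        if src.namespace != policy_ns:
            return False
    elif not selector_matches(ns_sel, NAMESPACE_LABELS.get(src.namespace, {})):
        return False
    return pod_sel is None or selector_matches(pod_sel, src.labels)

def selecting_policies(pod: Pod, policies: list) -> list:
    """Policies in the pod's namespace whose podSelector matches it and that govern ingress."""
    return [p for p in policies
            if p["metadata"]["namespace"] == pod.namespace
            and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
            and selector_matches(p["spec"].get("podSelector", {}), pod.labels)]

def ingress_allowed(src: Pod, dst: Pod, policies: list) -> bool:
    """Kubernetes semantics: a pod nobody selects is not isolated and accepts everything;
    otherwise at least one rule in one selecting policy must allow the connection.
    A rule without a 'from' list allows all sources; 'ingress: []' allows none."""
    selecting = selecting_policies(dst, policies)
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers or any(peer_matches(peer, src, dst.namespace) for peer in peers):
                return True
    return False

def unprotected(pods: list, policies: list) -> list:
    """Audit helper: pods that no policy selects, i.e. reachable from anywhere."""
    return [p for p in pods if not selecting_policies(p, policies)]

if __name__ == "__main__":
    api = Pod("api-1", "shop", {"app": "shop", "tier": "api"})
    db = Pod("db-0", "shop", {"app": "shop", "tier": "db"})
    reports = Pod("reports", "shop", {"app": "reports"})
    nginx = Pod("nginx", "ingress-nginx", {"app": "nginx"})
    hr_db = Pod("hr-db", "hr", {"app": "hr", "tier": "db"})
    pods = [api, db, reports, nginx, hr_db]
    for s in pods:
        for d in pods:
            verdict = "allow" if ingress_allowed(s, d, POLICIES) else "deny"
            print(f"{s.namespace}/{s.name} -> {d.namespace}/{d.name}: {verdict}")
    print("pods with no NetworkPolicy:", [p.name for p in unprotected(pods, POLICIES)])
```

Two things the model makes visible: a pod with no selecting policy is wide open (the `unprotected` check is the audit to run before trusting any of the rules), and a `podSelector` peer without a `namespaceSelector` only ever matches pods in the policy’s own namespace. In this constructed cluster the HR database in its own namespace is still reachable from the shop’s api, because the hr namespace carries no policy of its own; the “you can’t talk to the HR database” override has to be expressed as an ingress policy on the HR side or an egress policy on the shop side, not assumed.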

Philips continues: “CoreOS is always trying to productise this, and then the application security stuff is a knock-on effect. We’ve added security scanning to containers and bubble up metadata that is actionable. So sending you an email, like, ‘You have vulnerable software in the container image. Maybe you should not be the next Equifax.’”

Chris Thornett

Chris Thornett is the Technology Content Manager at onebite, editor, writer and freelance tech journalist covering Linux and open source. Former editor of Linux User and Developer magazine.