Trick or treat with a Kubernetes cloud stack
October 31, 2021 | Words by Barak Stout
A cloud-based software stack can be a lot like trick or treat: it has spooky parts, and parts that work smoothly out of the gate. At scale, a cloud application needs multiple additional resources to maintain close to Five Nines of availability: services for logging, alerting, testing, development, artifacts, notifications, and more. The Cloud Native Computing Foundation (CNCF) has a lot of helpful projects that can sometimes make life easy; sometimes they will have you puzzled for days. With almost 1,000 projects in the CNCF landscape, each application ecosystem is unique. Each stack is made up of similar blocks that were integrated in the easiest way possible at the time. As new projects, features and services are created, old ones are taken down. With each change, the history and evolution of an environment becomes the learning curve newcomers must overcome. The landscape is becoming more complex, without any signs of slowing down. With the hope of making Kubernetes boring
KubeCon was a few weeks ago. I am very thankful for having had the opportunity to go in person and meet fellow Rafters and other friends. There were a lot of great talks and demos. It was a treat to be able to share our experiences and frustrations with the larger community. One common theme we kept circling back to was SBOMs (Software Bills of Materials). The CNCF put out a great white paper about supply chain delivery and has been working on a solution. Raft’s very own Alexander Marshall also gave a talk with updates on the Supply Chain Security Reference Architecture. Ultimately, it’s up to every team to adapt the guideline to their particular environment. It is very hard to trace back every bit that makes up an application. Behind every piece of modern software there is a myriad of libraries and dependencies, hours of coding, and years of community support. With the rise of cybersecurity events, environments are only going to get more restricted and tricky to navigate. We also met some friends in the ecosystem who are working on making SBOMs easier to track and trust: Dan Lorenc from Chainguard and Cole Kennedy from TestifySec.
Another common theme related to SBOMs was security. There were quite a few demos and workshops around malicious events and unintended consequences. Kubernetes is a system that brings its own stack, and its own trick or treat. Good GitOps practices and continuous security integration were highlighted. One of the best talks was about how a runc vulnerability advisory came to be. The vulnerability was largely exploited using a malicious container or by applying a particular configuration to a cluster. Security, like software, is never done. Environments are a living stack that requires constant attention to make sure they remain secure. Security has impacts on the entire stack and on the application code. There are many tools in the CNCF arsenal. Use them.
Some other talks were around things that can be done using a particular stack or chain of projects. As an industry, we are shifting our thinking from data as a static lake to data as an active river. Thought is given to data as it travels via a mesh to its next destination. Data pipelines with ETL and AI/ML can be built, deployed and scaled in the cloud using CNCF projects. Real-time processing and meaningful data extraction are necessary to enable leaders in organizations to make informed decisions backed up by data.
It was a treat to see what others have built with Kubernetes. We learn a lot by sharing what we think and allowing feedback on our thoughts. It can be tricky to share something you have built; abstracting business logic and data is not an easy task. The environments we put together are abstracted machines, built from smaller machines that have particular tasks. They all share a similar layer composition (logging, security, databases, messaging services, etc.), and they are all uniquely composed to be the stack that supports a particular application and user base.