Kubernetes catches up with operational reality

With Kubernetes now established in many organisations as the container orchestration platform of the future, are cracks already starting to show? Well, not exactly – but if I could pull out one common theme from what’s hot in the world of cloud-native, it’s the dawning light of Day Two.

That’s a shorthand term used for when this stuff goes live – the Ops end of DevOps, if you like. Going live was only to be expected, yet as so often with these things, it seems to have caught some early-adopters on the hop. The risks? Either you deploy containers into production without all the underpinnings needed to keep them fit and safe out in the wild, and they get exploited, or your high-profile project is embarrassingly terminated before launch due to its security failings.

Building for Day Two

However, Kubernetes – and cloud-native more broadly – is one of the fastest-growing areas of the whole IT industry. The result is a frenzy of activity as open-source, freemium and commercial projects jump in to build that necessary Day Two infrastructure. Here’s some of the key areas of development to watch, and a few of the vendors and projects we’ve looked at recently:

Security: The ‘shift left’ that builds container security into the dev pipeline is essential – restricting container privileges and API access to the minimum needed, for example, using only trusted open-source components, keeping containers simple, and so on – but there’s more. So among other things, you should explore vulnerability and misconfiguration scanners (e.g. Aqua Security), container hardening and compliance (e.g. Twistlock, now being acquired by Palo Alto Networks), and tools to help deliver a secure Kubernetes service (e.g. Rancher Labs).

Storage: Containers are inherently stateless, and it’s safer if you make them immutable too. That means some careful thinking is needed when you containerise a stateful application and give it persistent storage to consume (we’ve a paper on this topic here). Once you’ve abstracted the physical storage as software-defined storage (SDS) using the likes of Ceph or Robin, which can of course themselves be deployed as stateful apps on Kubernetes, you then need to orchestrate and automate it, which is where the popular Rook project comes in.

Data management: As mentioned, the container may be stateless but if the running application is stateful then you still have data to manage, protect and migrate. Most traditional data management tools aren’t well suited to protecting containers, although their suppliers are working to catch up. In the meantime, new ideas and tools are emerging, such as Kasten for stateful app backup and migration, and the highly-resilient distributed database CockroachDB.

Governance and cost management: As the use of Kubernetes grows, so does the risk of container sprawl. So we see projects such as Replex.io, aimed at keeping an inventory, rightsizing containers and managing costs, and Razee from IBM, which can enforce profiles and rules on containers, clusters and clouds – you could call it continuous delivery and auto-updating for Kubernetes clusters.

Runtimes and meshes

There’s lots more going on though, including new container runtime engines such as CRI-O and Containerd. Their aim, as Red Hat’s Urvashi Mohnani, speaking at Kubecon Barcelona, said of CRI-O, is “to make running containers in production secure & boring.”

And then there’s service mesh architecture, where the emerging duopoly between Istio and Linkerd has recently been disrupted by the arrival of the Service Mesh Interface, an interoperability project led by Microsoft but also including service mesh developers such as Buoyant, Solo.io and VMware.

What do you think – are your Kubernetes projects ready for Day Two? What’s missing, if anything, or what more might be needed? Tell us in the comments below…

CIO
Security
Networking
Data Center
Data Management
Close