And it’s over, another rendition of KubeCon has come and gone. This year’s KubeCon EU was in Amsterdam. Lovely city, if you get a chance to visit you should definitely take it. Thanks to all the speakers, sponsors and attendees for making our visit such a joyful one.
It’s always interesting to meet and talk to the users of cert-manager and all the projects that we often advise our customers on within our professional services. These are things we found most interesting this time around:
This year you could see a lot of discussion about Cilium, a Container Network Interface (CNI) project built on eBPF. Cilium and eBPF got a lot of mentions in talks, around the booths and in the project pavilion, and it’s really interesting to see the project become more and more of a staple in the landscape. The work we’ve done with Cilium has definitely shown us its potential.
Cilium is an open source project designed to address the complex networking and security requirements of modern microservice applications running on Kubernetes. It provides a unified data plane that handles both L3/L4 and L7 traffic, enabling features such as load balancing, network policy enforcement and application-aware security controls, with the L3/L4 path enforced in the kernel by eBPF programs rather than by iptables chains.
The conference even ended on a high-note with Liz Rice from Isovalent delivering a talk on how to do managed Cilium networking in a multi-cloud environment.
With development progressing around Istio Ambient Mesh, there was a lot of attention across Istio Day, Solo.io’s Application Networking Day and KubeCon around what Ambient Mesh is, why people should care about it, and how to adopt it.
The focus was mostly on introducing the architecture, how traffic moves through Ambient Mesh and how secure Ambient Mesh is.
Ambient Mesh is a sidecar-less Istio data plane. Instead of a proxy in every pod, a per-node ztunnel (written in Rust, deployed as a DaemonSet) handles L4: it routes traffic, originates and terminates mTLS between workloads and enforces L4 authorization policies. L7 features (HTTP routing and L7 authorization policies) are provided by Envoy-based waypoint proxies, deployed per namespace or per ServiceAccount, which only the workloads that need L7 processing are routed through. A policy that contains L7 rules therefore needs a waypoint; ztunnel alone cannot evaluate it.
This lets you run a mesh that consumes fewer resources, since there are no sidecars. Operations also become easier: the Envoy configuration no longer has to be distributed to a sidecar in every pod, and upgrading the data plane no longer means restarting application pods to pick up a new sidecar image.
Some of the talks that we enjoyed from KubeCon:
Is Istio Ambient Mesh Secure? - Christian Posta, Solo.io & John Howard, Google
Understanding Istio Ambient Mesh Security - Christian Posta, Solo.io
Software Supply Chain Security (S3C)
S3C continues to occupy a lot of space in the cloud native landscape. Compared to KubeCon NA in Detroit, fewer new initiatives or projects were announced, but there were still plenty of talks, and they were better attended than the ones in Detroit, indicating growing interest in this area.
As far as trends go in cloud native, supply chain security is one of, if not the most pertinent issue, and it will continue to be so in 2023. Highly visible open source vulnerabilities, and in some cases the ‘weaponisation’ of software, have posed uncomfortable questions around the dependencies you are running in your business at this very moment.
Sadly this is a question that should always have been asked, but for whatever reason, it wasn’t. Many companies are now struggling with how vulnerable their code is and where the vulnerability came from. We’re seeing many instances of vulnerable code brought inside the firewall by developers trying to go fast: unverified code from GitHub, copy/paste from Stack Overflow, or even code generated by LLM tools.
As more businesses adopt cloud computing, it has become increasingly important to optimize cloud spending and ensure that resources are used efficiently. Financial Operations, or FinOps, brings finance, operations and engineering together to manage cloud expenses, optimize resource usage and improve cloud cost management practices.
FinOps is about striking a balance between innovation, efficiency and cost optimization in cloud computing, and it has become an essential practice for organizations that want to get the most out of their cloud investments.
We have seen a lot of interest in this area, and our professional services also help clients conduct cost optimization workshops.
SPIFFE (Secure Production Identity Framework For Everyone) is something that we’re very excited about, and it’s great to see it reaching a wider audience with every KubeCon.
For those of you that aren’t familiar with the framework: SPIFFE is an open-source framework that addresses the challenge of identifying and authenticating different workloads and services within a distributed system or cloud environment. It defines a set of standards and protocols for issuing and managing secure identities for workloads, regardless of where they are deployed. An identity is a URI of the form spiffe://<trust-domain>/<path>, carried in a short-lived identity document (an SVID, typically an X.509 certificate with the ID in its URI SAN), so a workload is identified by what it is rather than by the IP address or node it happens to run on.
This year Tom Meadows together with Josh van Leeuwen gave a talk on using the csi-driver-spiffe in cert-manager to issue multi-cloud workload identities:
Cert-Manager Can Do SPIFFE? Solving Multi-Cloud Workload Identity Using a De Facto Standard Tool - Thomas Meadows, Jetstack & Joshua Van Leeuwen, Diagrid.
SPIFFE event hosted by Venafi
Venafi hosted an event to debate a very straightforward question: will using microservices with mTLS become easier? The good news is: yes!
What we are now seeing is a real focus on innovative solutions that will make it much easier to manage microservices using mTLS. This in turn will lead to better policy controls for Kubernetes, using cert-manager together with SPIFFE.
As we build more highly distributed application environments, implementing and using mTLS will become much easier than it is right now. This is really great for security teams, since mutual authentication provides the basis for workload identity - and with identity we have the power to implement and enforce better and more effective policies.
A service mesh (such as Istio or Linkerd) is one answer to mTLS, but service meshes can be very complex to implement. A combination of open source and new networking standards will make mTLS much easier to adopt, and cert-manager along with SPIFFE is at the heart of this change.
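To make the "identity as the basis for policy" point concrete, here is an added example of how a Go service would turn a SPIFFE mTLS identity into an authorization decision. It is not code from the post, from cert-manager or from the SPIFFE project: the trust domain cluster.local, the allow-listed ID and the in-memory sample certificates are constructed for the example, and the spiffe://<trust-domain>/ns/<namespace>/sa/<serviceaccount> shape is the one csi-driver-spiffe issues. Chain validation against the trust bundle is left to Go's TLS stack; the hook only decides whether the verified workload identity is allowed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

// Constructed trust domain for this example. csi-driver-spiffe issues IDs of the
// form spiffe://<trust-domain>/ns/<namespace>/sa/<serviceaccount>.
const trustDomain = "cluster.local"

// spiffeIDFromSVID returns the single SPIFFE ID an X.509-SVID carries as a URI SAN.
// Zero or several spiffe:// URIs, or a foreign trust domain, are rejected; the
// Subject is ignored on purpose, because the URI SAN is the workload identity.
func spiffeIDFromSVID(leaf *x509.Certificate) (*url.URL, error) {
	var ids []*url.URL
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u)
		}
	}
	if len(ids) != 1 {
		return nil, fmt.Errorf("expected exactly one spiffe:// URI SAN, found %d", len(ids))
	}
	if ids[0].Host != trustDomain {
		return nil, fmt.Errorf("trust domain %q is not accepted", ids[0].Host)
	}
	return ids[0], nil
}

// authorizePeer builds a tls.Config.VerifyPeerCertificate hook. Under
// RequireAndVerifyClientCert the TLS stack has already validated the chain against
// ClientCAs, so the hook only decides whether this workload identity may connect.
func authorizePeer(allowed map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
			return errors.New("no verified certificate chain")
		}
		id, err := spiffeIDFromSVID(verifiedChains[0][0])
		if err != nil {
			return err
		}
		if !allowed[id.String()] {
			return fmt.Errorf("workload %s is not authorized", id)
		}
		return nil
	}
}

// serverTLSConfig wires the hook in: mTLS is mandatory, the trust bundle (for
// example the ca.crt csi-driver-spiffe mounts) is the only root, and the
// allow-list is the policy.
func serverTLSConfig(roots *x509.CertPool, serverSVID tls.Certificate, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{serverSVID},
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             roots,
		MinVersion:            tls.VersionTLS13,
		VerifyPeerCertificate: authorizePeer(allowed),
	}
}

// leafWith builds an in-memory leaf certificate carrying the given URI SANs. It
// stands in for the already-verified chain the TLS stack hands to the hook
// (constructed data, not a real SVID).
func leafWith(uris ...string) []*x509.Certificate {
	leaf := &x509.Certificate{}
	for _, raw := range uris {
		u, err := url.Parse(raw)
		if err != nil {
			panic(err)
		}
		leaf.URIs = append(leaf.URIs, u)
	}
	return []*x509.Certificate{leaf}
}

func main() {
	allowed := map[string]bool{"spiffe://cluster.local/ns/frontend/sa/frontend": true}
	check := authorizePeer(allowed)
	cases := []struct {
		name  string
		chain []*x509.Certificate
	}{
		{"allow-listed caller", leafWith("spiffe://cluster.local/ns/frontend/sa/frontend")},
		{"valid SVID, wrong workload", leafWith("spiffe://cluster.local/ns/batch/sa/cronjob")},
		{"same path, foreign trust domain", leafWith("spiffe://other.example/ns/frontend/sa/frontend")},
		{"two SPIFFE IDs (ambiguous)", leafWith("spiffe://cluster.local/ns/frontend/sa/frontend", "spiffe://cluster.local/ns/batch/sa/cronjob")},
		{"no SPIFFE ID at all", leafWith()},
	}
	for _, c := range cases {
		fmt.Printf("%-32s -> %v\n", c.name, check(nil, [][]*x509.Certificate{c.chain}))
	}
}
```

Only the first case is accepted; every other case fails closed, including the certificate that carries the right path under a different trust domain. The same allow-list keyed on full SPIFFE IDs is what a mesh policy expresses with principals, which is why the identity, not the network location, is what the policy should be written against.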
cert-manager Project Pavilion booth
As usual the cert-manager team were out in force and spent a lot of time discussing Kubernetes machine identity use cases with folks at the cert-manager booth in the CNCF Project Pavilion. We were handing out genuine personalised hand-stamped X.509 certificates, and it was particularly good to hear from commercial users of cert-manager. All sorts of use cases were discussed, covering cert-manager csi-driver, SPIFFE, trust-manager and using cert-manager to deploy a service mesh.
As a community project, cert-manager has now achieved more than 10,000 GitHub stars and its popularity was underlined at a packed out community gathering, where commercial users and community maintainers mixed together to discuss all kinds of issues and new feature requests. Overall, the community remains vibrant and very positive, and we’re looking forward to KubeCon North America Chicago in the Autumn.
Oh, and if you missed it, make sure to check out Ashley Davis' talk Rotate Roots Right Round: Using Cert-Manager for Safer Private PKI.
Photo by Rifad Lafir on Unsplash