Virtualization Technology News and Information
VMblog Expert Interview: Fairwinds Explores Kubernetes - Security, Governance, Challenges, and Maturity


Kubernetes, security and governance are really hot topics right now.  To find out more about this maturing space and some of the challenges being faced, VMblog reached out to industry expert Bill Ledingham, the CEO of Fairwinds.

VMblog:  Tell me what Fairwinds does and why it's unique?

Bill Ledingham:  Kubernetes has changed how developers build and ship applications and software. Fairwinds' core mission (and what makes us unique) is our ability to unite development, security and operations teams through an integrated platform that enables more productive and effective work. Fairwinds focuses on Kubernetes governance - security, compliance, guardrails and cost - so customers can ship cloud native applications faster, with less cost and overall risk.

We have open source tools that developers love: Goldilocks and Polaris are two popular ones. We discovered that as organizations grow their Kubernetes environments and adopt open source projects, they need ways to operationalize open source across multiple clusters and teams. They also require visibility across leadership teams - the developers, ops and security teams. This is why we created Fairwinds Insights, a complete Kubernetes governance platform to help DevSecOps teams do what they do best: identify and remediate Kubernetes misconfigurations, reduce risk, optimize cloud spend and enhance performance. It integrates best-of-breed open source tools to ensure consistency across clusters.

VMblog:  Kubernetes security is a topic we hear a lot about. But tell us about Kubernetes governance and why that's important.

Ledingham:  If you're building a house, what's your first step? To come up with a plan or a blueprint of what you want. Then you hire a master builder who knows what steps are needed at what time to ensure the foundation is secure, can stand up to the elements, and protects your family.

The same is true of Kubernetes. To get the speed, efficiency, cost-optimization and security that Kubernetes offers, you have to let governance be the blueprint of your initiative. Kubernetes governance allows DevOps, platform engineering leaders and security and compliance teams to align on core requirements. Governance is the overarching requirement from development through to production that offers:

  • Automated security that's as far left as possible in the development lifecycle.
  • Guardrails and safety nets for developers to do what they love without worrying about security or compliance.
  • Enforced compliance and documentation to support the team's work.
  • Optimized cost as applications are automatically reviewed with advice on rightsizing.

Kubernetes governance allows organizations running multiple clusters across multiple teams to get control over sprawl that could introduce security and compliance risk, instability or wasted money.

VMblog:  Tell us about the difficulties of managing Kubernetes between teams.

Ledingham:  It's like most things: when work is done in a vacuum, there's not much consideration for how it affects different groups or constituencies. It's no different with software development and Kubernetes. When teams have blinders on to just their part of the puzzle, they are essentially siloed and left with unanswered questions and products that likely don't meet the end goal, which is software that's secure, fast to deploy and reliable.

So, instead of having one team that writes code, another that deploys it to production and yet another with responsibility for maintaining it, the industry is thankfully moving toward the idea of Kubernetes service ownership. It started with teams like development, security and operations working in conjunction with one another, removing friction, and has morphed into what we now know as DevSecOps: one team that works as a collaborative group, in a unified and frictionless way.

VMblog:  What challenges do you see developers facing with regard to Kubernetes? How can we empower them?

Ledingham:  I'm glad you asked about empowering developers against these challenges because a lot of the answer goes back to the Kubernetes service ownership model we discussed earlier. DevOps and platform engineering leaders are facing a lot of challenges, especially as Kubernetes adoption grows and more organizations implement multiple clusters across a variety of teams. Frankly, many developers are still coming up to speed on Kubernetes and need guidance around best practices. Cluster security is always a concern, whether that's the Log4jShell vulnerability impacting Kubernetes clusters or the new NSA and CISA Kubernetes hardening guidelines created to help DevSecOps teams meet compliance.

We have to unite teams and give them a consistent view into their clusters to identify and remediate issues as they appear. The Fairwinds Insights offering, which provides guardrails around Kubernetes security, cost and compliance, enables developers to own the security, performance and cost configurations in their applications - alleviating some of the pressure on DevOps teams. Best practices are critical to creating and maintaining healthy clusters. Continuous monitoring of clusters is needed to eliminate security vulnerabilities and blind spots, along with the ability to monitor and optimize Kubernetes cost. By giving them access to tools, users are able to stay on top of these issues. And their odds of Kubernetes success go way up.

VMblog:  It's really easy to misconfigure Kubernetes. How much trouble can a misconfiguration cause?

Ledingham:  Kubernetes misconfigurations are happening at an alarming rate, and because the manual work to address them is considerable, they remain a massive challenge. Problems with configuration can create more problems and work than DevOps teams are able to manage. Based on our recent Kubernetes Benchmark Report, where we looked at more than 100,000 workloads across hundreds of organizations, we know misconfigurations are currently running rampant within organizations of all sizes. DevOps teams and security leaders don't have the capacity to manually review and fix these misconfigurations.

When concerns about the big three Kubernetes constructs (security, reliability and efficiency) are not properly addressed through best practices, critical elements like cost optimization, performance and reliability are severely impacted. These areas must be addressed through one interconnected solution based on proper configuration. DevSecOps teams need solutions that give a unified view of clusters and automate some of these manual processes, from identifying misconfigurations to triaging and addressing remediation.

VMblog:  There's a lot of talk about cloud spend. How does Kubernetes impact cloud spend?

Ledingham:  Cloud cost management is a huge industry on its own. Now throw in Kubernetes and you can find yourself in a black hole. That black hole can waste a lot of money unnecessarily when clusters are misconfigured.

For example, a key feature of Kubernetes is the ability to set specific resource requests and limits on your workloads. By setting sensible Kubernetes requests and limits on how much CPU and memory each pod uses, you ensure smooth application performance and maximize the utilization of your infrastructure. The problem is that many developers do not apply any requests or limits or they set them too high.

If memory limits are too low, Kubernetes is bound to kill the application for violating its limits. Meanwhile, if limits are set too high, you're inherently wasting resources by over-allocating, which means you will end up with a higher bill.

To avoid this cost black hole, DevOps teams should use Kubernetes cost optimization solutions that gather usage and offer advice on where limits and requests can be refined to save money. On average, we find Kubernetes workloads are overprovisioned by between 15% and 30%, but, with the right solution, users can save significantly. For example, one Fairwinds customer saved 25% of its cloud cost by rightsizing Kubernetes.
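The requests-and-limits trade-off described in the answer above, as an added example that is not part of the original interview and not Fairwinds' own tooling: a small Python audit that reads a Deployment manifest (constructed here as a plain dict rather than YAML) together with constructed peak-usage figures of the kind a metrics backend or VPA recommender would report, and flags the three failure modes the answer names: no requests or limits at all, a memory limit below observed usage (the container gets OOM-killed; for CPU the equivalent is throttling), and requests far above observed usage (reserved capacity that is paid for and never used). The container names, usage numbers, quantity parser and 30% headroom rule are all assumptions for illustration.

```python
"""Audit Kubernetes resource requests/limits against observed peak usage.

Added example, not Fairwinds code. The manifest, the usage figures and the
30% headroom rule below are constructed assumptions for illustration.
"""
import math
import re

MI = 1024 ** 2
# Kubernetes memory suffixes -> bytes (binary Ki/Mi/Gi and decimal K/M/G)
_MEM_SUFFIX = {"": 1, "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
               "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}


def parse_memory(q: str) -> int:
    """'256Mi' -> 268435456 bytes. Exponent forms such as '1e9' are not handled here."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]i?)?", q.strip())
    if not m:
        raise ValueError(f"unsupported memory quantity: {q!r}")
    num, suffix = m.groups()
    return int(float(num) * _MEM_SUFFIX[suffix or ""])


def parse_cpu(q: str) -> int:
    """'500m' -> 500 millicores, '2' -> 2000, '0.25' -> 250."""
    q = q.strip()
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)


def fmt_cpu(millicores: float) -> str:
    return f"{math.ceil(millicores)}m"


def fmt_memory(nbytes: float) -> str:
    return f"{math.ceil(nbytes / MI)}Mi"


def audit_deployment(deployment: dict, observed_peak: dict, headroom: float = 0.30) -> list:
    """Return (container, resource, code, detail) findings for every container.

    observed_peak maps container name -> {'cpu': millicores, 'memory': bytes}.
    A request is considered right-sized when it sits within `headroom` of the peak.
    """
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        name = c["name"]
        resources = c.get("resources") or {}
        requests = resources.get("requests") or {}
        limits = resources.get("limits") or {}
        for res, parse, fmt in (("cpu", parse_cpu, fmt_cpu), ("memory", parse_memory, fmt_memory)):
            peak = observed_peak[name][res]
            target = peak * (1 + headroom)  # request sized to peak plus headroom
            # 1. No request: the scheduler cannot place the pod sensibly.
            if res not in requests:
                findings.append((name, res, "MISSING_REQUEST", f"suggest request {fmt(target)}"))
            else:
                req = parse(requests[res])
                # 2. Request far above real usage: capacity reserved (and billed) but never used.
                if req > target:
                    unused = 1 - peak / req
                    findings.append((name, res, "OVERPROVISIONED",
                                     f"request {requests[res]} vs peak {fmt(peak)}: "
                                     f"{unused:.0%} unused, suggest {fmt(target)}"))
            # No limit: a leak or runaway loop can consume the whole node.
            if res not in limits:
                findings.append((name, res, "MISSING_LIMIT", "no ceiling on usage"))
            else:
                lim = parse(limits[res])
                # 3. Limit below observed peak: memory -> OOM-killed, CPU -> throttled.
                if lim < peak:
                    code = "OOM_KILL_RISK" if res == "memory" else "CPU_THROTTLING"
                    findings.append((name, res, code, f"limit {limits[res]} < peak {fmt(peak)}"))
    return findings


# Constructed sample manifest (not from the page): three containers, three different mistakes.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "checkout"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api",      # requests set far above what it uses
         "resources": {"requests": {"cpu": "1", "memory": "2Gi"},
                       "limits": {"cpu": "2", "memory": "4Gi"}}},
        {"name": "worker",   # memory limit below its real peak -> OOMKilled
         "resources": {"requests": {"cpu": "200m", "memory": "128Mi"},
                       "limits": {"cpu": "500m", "memory": "128Mi"}}},
        {"name": "sidecar"},  # no resources at all
    ]}}},
}

# Constructed peak usage figures, as a metrics backend would report them.
OBSERVED_PEAK = {
    "api":     {"cpu": 250, "memory": 600 * MI},
    "worker":  {"cpu": 180, "memory": 200 * MI},
    "sidecar": {"cpu": 20,  "memory": 30 * MI},
}

if __name__ == "__main__":
    for container, res, code, detail in audit_deployment(SAMPLE_DEPLOYMENT, OBSERVED_PEAK):
        print(f"{container:8} {res:7} {code:17} {detail}")
```

Run as a script it prints one line per finding; in a pipeline the same function would run over rendered manifests in CI so a missing request or an under-sized memory limit is caught before the deployment reaches a cluster.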

VMblog:  You do a lot in the open source community. Tell me about some of your experiences there.

Ledingham:  Open source is at the core of Fairwinds. We work hard to build open source projects that help our clients innovate and enable users to craft the right Kubernetes architecture and deployment.

Fairwinds currently has ten open source projects, with Polaris, Goldilocks, Pluto, and rbac-manager being the best known. Polaris runs a variety of checks to ensure pods and controllers are configured using Kubernetes best practices. It identifies errors in Kubernetes deployment configurations to help users find the misconfigurations causing security vulnerabilities, outages, scaling limitations and more, and is a natural pathway into our Insights software for users scaling to multiple teams and clusters.

Goldilocks recommends resource requests and allows users to see suggestions on each application using the Kubernetes vertical-pod-autoscaler (VPA) in recommendation mode. Pluto helps users easily find worn out Kubernetes API versions in their code repositories and Helm releases. And rbac-manager simplifies authorization in Kubernetes by supporting declarative configuration for RBAC with new custom resources.

We encourage those connected with us to share ideas, influence our open source road map and network with fellow Kubernetes users. Developers are always welcome to chat with us on Slack or join our open source user group.

VMblog:  Kubernetes has been around for less than a decade. Where does it stand in terms of maturity?

Ledingham:  Fairwinds has focused on Kubernetes almost since it was released in 2016. Our experience allowed us to introduce the first Kubernetes Maturity Model to the market, so organizations could gauge where they were presently and where they needed to go.

Today, Kubernetes is at a stage where interest has hit a high and organizations are feeling some growing pains. Gartner says that Kubernetes has both reached its peak phase on the Kubernetes Hype Cycle and fallen into the "trough of disillusionment." We certainly see that organizations see the value in Kubernetes, but need additional guidance, guardrails and best practices as they scale.

This is an exciting time for Kubernetes. Its value has been proven, and it is poised for the steady climb out of the trough of disillusionment into the light of maturity and even wider adoption. To be successful in this climb, we encourage organizations to do a few things as they work with Kubernetes:

  • Recognize the need for governance and best practices, and enforce policies. Strong governance and guardrails are the blueprint for successful Kubernetes deployments and cluster control. Once policies are defined, enforce them to avoid inconsistency and configuration issues.
  • Keep security top of mind. Include security at the front-end of application development and give developers responsibility for it, including the robust security practices needed to ensure the environment is properly configured.
  • Unite Dev, Sec and Ops. Kubernetes requires a united team to ensure it's run reliably, securely and efficiently. Find ways to bring the teams together.
  • Enable developers. DevOps teams can struggle to keep up with the pace Kubernetes enables. Guardrails help DevOps to enable developers to self-service and own their applications. Know that compliance, security and cost are baked in from the start.

Bill Ledingham brings over 30 years of technology and security experience to his role as Chief Executive Officer at Fairwinds. He previously served as Chief Technology Officer and Executive Vice President of Engineering at Black Duck Software, an open source security company acquired by Synopsys. He has held executive / founder positions at Speechworks (acq. by Nuance), Virtual Iron (acq. by Oracle), Avalere (acq. by Iron Mountain) and Digital Guardian.

Published Tuesday, May 03, 2022 7:30 AM by David Marshall