Kubernetes, security and governance are really hot topics right now. To find out more about this maturing space and some of the challenges being faced, VMblog reached out to industry expert Bill Ledingham, the CEO of Fairwinds.
VMblog: Tell me what Fairwinds does and why it's unique?

Bill Ledingham: Kubernetes has changed how developers build and ship applications and software. Fairwinds' core mission (and what makes us unique) is our ability to unite development, security and operations teams through an integrated platform that enables more productive and effective work. Fairwinds focuses on Kubernetes governance - security, compliance, guardrails and cost - so customers can ship cloud native applications faster, with less cost and overall risk.

We have open source tools that developers love - Goldilocks and Polaris are two popular ones. We discovered that as organizations grow their Kubernetes environments and adopt open source projects, they need ways to operationalize open source across multiple clusters and teams. They also require visibility across leadership teams - the developers, ops and security teams. This is why we created Fairwinds Insights, a complete Kubernetes governance platform to help DevSecOps teams do what they do best - identify and remediate Kubernetes misconfigurations, reduce risk, optimize cloud spend and enhance performance. It integrates best-of-breed open source tools to ensure consistency across clusters.
VMblog: Kubernetes security is a topic we hear a lot about. But tell us about Kubernetes governance and why that's important.

Ledingham: If you're building a house, what's your first step? To come up with a plan or a blueprint of what you want. Then you hire a master builder who knows what steps are needed at what time to ensure the foundation is secure - and can stand up to the elements and protect your family.

The same is true of Kubernetes. To get the speed, efficiency, cost-optimization and security that Kubernetes offers, you have to let governance be the blueprint of your initiative. Kubernetes governance allows DevOps, platform engineering leaders and security and compliance teams to align on core requirements. Governance is the overarching requirement from development through to production that offers:

- Automated security that's as far left as possible in the development lifecycle.
- Guardrails and safety nets for developers to do what they love without worrying about security or compliance.
- Enforced compliance and documentation to support the team's work.
- Optimized cost as applications are automatically reviewed with advice on rightsizing.

Kubernetes governance allows organizations running multiple clusters across multiple teams to get control over sprawl that could introduce security and compliance risk, instability or wasted money.
VMblog: Tell us about the difficulties of managing Kubernetes between teams.

Ledingham: It's like most things - when work is done in a vacuum, there's not much consideration for how it affects different groups or constituencies. It's no different with software development and Kubernetes. When teams have blinders on to just their part of the puzzle, they are essentially siloed and left with unanswered questions and products that likely don't meet the end goal, which is software that's secure, fast to deploy and reliable.

So, instead of having one team that writes code, another that deploys it to production and yet another with responsibility for maintaining it, the industry is thankfully moving toward the idea of Kubernetes service ownership. It started with teams like development, security and operations working in conjunction with one another, removing friction, and has morphed into what we now know as DevSecOps - one team that works as a collaborative group, in a unified and frictionless way.
VMblog: What challenges do you see developers facing with regard to Kubernetes? How can we empower them?

Ledingham: I'm glad you asked about empowering developers against these challenges because a lot of the answer goes back to the Kubernetes service ownership model we discussed earlier. DevOps and platform engineering leaders are facing a lot of challenges, especially as Kubernetes adoption grows and more organizations implement multiple clusters across a variety of teams. Frankly, many developers are still coming up to speed on Kubernetes and need guidance around best practices. Cluster security is always a concern, whether that's the Log4Shell vulnerability impacting Kubernetes clusters or the new NSA and CISA Kubernetes hardening guidelines created to help DevSecOps teams meet compliance.

We have to unite teams and give them a consistent view into their clusters to identify and remediate issues as they appear. The Fairwinds Insights offering, which provides guardrails around Kubernetes security, cost and compliance, enables developers to own the security, performance and cost configurations in their applications - alleviating some of the pressure on DevOps teams. Best practices are critical to creating and maintaining healthy clusters. Continuous monitoring of clusters is needed to eliminate security vulnerabilities and blind spots - and the ability to monitor and optimize Kubernetes cost. By giving them access to tools, users are able to stay on top of these issues. And their odds of Kubernetes success go way up.
VMblog: It's really easy to misconfigure Kubernetes. How much trouble can a misconfiguration cause?

Ledingham: Kubernetes misconfigurations are happening at an alarming rate, and because the manual work to address them is considerable, they remain a massive challenge. Problems with configuration can create more problems and work than DevOps teams are able to manage. Based on our recent Kubernetes Benchmark Report, where we looked at more than 100,000 workloads across hundreds of organizations, we know misconfigurations are currently running rampant within organizations of all sizes. DevOps teams and security leaders don't have the capacity to manually review and fix these misconfigurations.

When concerns about the big three Kubernetes constructs - security, reliability and efficiency - are not properly addressed through best practices, critical elements like cost optimization, performance and reliability are severely impacted. These areas must be addressed through one interconnected solution based on proper configuration. DevSecOps teams need solutions that give a unified view of clusters and automate some of these manual processes, from identifying misconfigurations to triaging and addressing remediation.
VMblog: There's a lot of talk about cloud spend. How does Kubernetes impact cloud spend?

Ledingham: Cloud cost management is a huge industry on its own. Now throw in Kubernetes and you can find yourself in a black hole. That black hole can waste a lot of money unnecessarily when clusters are misconfigured.

For example, a key feature of Kubernetes is the ability to set specific resource requests and limits on your workloads. By setting sensible Kubernetes requests and limits on how much CPU and memory each pod uses, you ensure smooth application performance and maximize the utilization of your infrastructure. The problem is that many developers do not apply any requests or limits, or they set them too high.

If memory limits are too low, Kubernetes is bound to kill the application for violating its limits. Meanwhile, if limits are set too high, you're inherently wasting resources by over-allocating, which means you will end up with a higher bill.

To avoid this cost black hole, DevOps teams should use Kubernetes cost optimization solutions that gather usage and offer advice on where limits and requests can be refined to save money. On average, we find Kubernetes workloads are overprovisioned by 15-30%, but, with the right solution, users can save significantly. For example, one Fairwinds customer saved 25% of its cloud cost by rightsizing Kubernetes.
VMblog: You do a lot in the open source community. Tell me about some of your experiences there.

Ledingham: Open source is at the core of Fairwinds. We work hard to build open source projects that help our clients innovate and enable users to craft the right Kubernetes architecture and deployment.

Fairwinds currently has ten open source projects, with Polaris, Goldilocks, Pluto, and rbac-manager being the best known. Polaris runs a variety of checks to ensure pods and controllers are configured using Kubernetes best practices. It identifies errors in Kubernetes deployment configurations to help users find the misconfigurations causing security vulnerabilities, outages, scaling limitations and more - and is a natural pathway for users scaling to multiple teams and clusters into our Insights software.

Goldilocks recommends resource requests and allows users to see suggestions on each application using the Kubernetes vertical-pod-autoscaler (VPA) in recommendation mode. Pluto helps users easily find worn out Kubernetes API versions in their code repositories and Helm releases. And rbac-manager simplifies authorization in Kubernetes by supporting declarative configuration for RBAC with new custom resources.

We encourage those connected with us to share ideas, influence our open source road map and network with fellow Kubernetes users. Developers are always welcome to chat with us on Slack or join our open source user group.
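The two points above (requests and limits that are missing or far too high, and Polaris-style checks that flag such misconfigurations before deployment) can be illustrated with a small linter. This is an added example, not Fairwinds or Polaris code; the Deployment manifest, the container names and the 4x limit-to-request threshold are constructed for illustration.

```python
"""Minimal resource-configuration linter for a Kubernetes Deployment (illustrative, not Polaris)."""
from typing import Any

# Constructed sample Deployment (not from the interview): the "app" container sets no
# resources at all, and the "sidecar" container's memory limit is 16x its request.
SAMPLE_DEPLOYMENT: dict[str, Any] = {
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "example/app:1.0"},
        {"name": "sidecar", "image": "example/sidecar:1.0",
         "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},
                       "limits": {"cpu": "100m", "memory": "1Gi"}}},
    ]}}},
}

# Kubernetes quantity suffixes: binary (Ki/Mi/Gi), decimal (k/M/G) and milli (m).
_UNITS = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}


def parse_quantity(q: str) -> float:
    """Convert a Kubernetes quantity such as '100m', '64Mi' or '1' to a plain number."""
    for suffix in sorted(_UNITS, key=len, reverse=True):  # try longest suffix first
        if q.endswith(suffix):
            return float(q[: len(q) - len(suffix)]) * _UNITS[suffix]
    raise ValueError(f"unparseable quantity: {q}")


def lint_containers(manifest: dict[str, Any], max_limit_ratio: float = 4.0) -> list[tuple[str, str]]:
    """Return (container name, finding) pairs for missing or oversized resource settings.

    A missing request leaves the scheduler blind to the workload's needs; a missing
    limit lets one pod starve its neighbours; a limit far above the request is the
    over-allocation the interview describes, where the bill grows with no benefit.
    """
    findings: list[tuple[str, str]] = []
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        res = c.get("resources", {})
        req, lim = res.get("requests", {}), res.get("limits", {})
        for kind in ("cpu", "memory"):
            if kind not in req:
                findings.append((c["name"], f"{kind} request not set"))
            if kind not in lim:
                findings.append((c["name"], f"{kind} limit not set"))
            if kind in req and kind in lim:
                ratio = parse_quantity(lim[kind]) / parse_quantity(req[kind])
                if ratio > max_limit_ratio:
                    findings.append((c["name"], f"{kind} limit is {ratio:.0f}x the request; consider rightsizing"))
    return findings
```

Run against the sample, the linter reports four missing settings on `app` and one oversized memory limit on `sidecar`; the same check wired into CI is the kind of guardrail the interview describes.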
VMblog: Kubernetes has been around for less than a decade. Where does it stand in terms of maturity?

Ledingham: Fairwinds has focused on Kubernetes almost since it was released in 2016. Our experience allowed us to introduce the first Kubernetes Maturity Model to the market, so organizations could gauge where they were presently and where they needed to go.

Today, Kubernetes is at a stage where interest has hit a high and organizations are feeling some growing pains. Gartner says that Kubernetes has both reached its peak phase on the Kubernetes Hype Cycle and fallen into the "trough of disillusionment." We certainly see that organizations see the value in Kubernetes, but need additional guidance, guardrails and best practices as they scale.

This is an exciting time for Kubernetes. Its value has been proven, and it is poised for the steady climb out of the trough of disillusionment into the light of maturity and even wider adoption. To be successful in this climb, we encourage organizations to do a few things as they work with Kubernetes:

- Recognize the need for governance and best practices - and enforce policies. Strong governance and guardrails are the blueprint for successful Kubernetes deployments and cluster control. Once policies are defined, enforce them to avoid inconsistency and configuration issues.
- Keep security top of mind. Include security at the front end of application development and give developers responsibility for it, including the robust security practices needed to ensure the environment is properly configured.
- Unite Dev, Sec and Ops. Kubernetes requires a united team to ensure it's run reliably, securely and efficiently. Find ways to bring the teams together.
- Enable developers. DevOps teams can struggle to keep up with the pace Kubernetes enables. Guardrails help DevOps to enable developers to self-service and own their applications. Know that compliance, security and cost are baked in from the start.
Bill Ledingham brings over 30 years of technology and security experience to his role as Chief Executive Officer at Fairwinds. He previously served as Chief Technology Officer and Executive Vice President of Engineering at Black Duck Software, an open source security company acquired by Synopsys. He has held executive / founder positions at Speechworks (acq. by Nuance), Virtual Iron (acq. by Oracle), Avalere (acq. by Iron Mountain) and Digital Guardian.