“As Kubernetes becomes the standard, we will continue to see an expansion of the ecosystem built on it”
We have been talking for quite some time now about how Kubernetes took over the container orchestration ecosystem in the past year. We caught up with Jean-Francois Joly, Senior Product Manager at New Relic to talk about the advantages of Kubernetes, potential security risks and the future of its ecosystem.
JAXenter: Kubernetes is one of the fastest-growing open source projects worldwide. Why is Kubernetes so successful, while similar platforms and tools for container orchestration (Docker Swarm, etc.) have been left behind?
Jean-Francois Joly: Kubernetes helps you move faster. Kubernetes allows you to deliver a self-service Platform-as-a-Service (PaaS) that creates a hardware layer abstraction for development teams. By utilizing Kubernetes, teams can quickly and efficiently request the resources they need, including additional resources as necessary, because all resources come from an infrastructure shared across all teams. There is no need to fill out forms to request new machines to run your application – just provision and go! Make sure to take advantage of the tooling developed around Kubernetes for automating packaging, deployment, and testing, such as Codefresh or Helm.
JAXenter: What advantages does Kubernetes bring to companies? How is the tool used?
Jean-Francois Joly: Kubernetes is cost-efficient because it allows for much better resource utilization than hypervisors and VMs do. Because containers are so lightweight, they require less CPU and memory resources to run. Kubernetes is also portable and can run on Amazon Web Services (AWS), Microsoft Azure, and the Google Cloud Platform (GCP), and on-premise. Users can move workloads without having to redesign applications or completely rethink infrastructure, which helps standardize on a platform and prevents vendor lock-in.
JAXenter: Security always plays an important role while developing with containers. What security tips do you have for working with Kubernetes?
Jean-Francois Joly: Kubernetes objects are often short-lived, so they get rebuilt regularly from clean sources. This makes it much more difficult for others to tamper with them. This feature is particularly important in an environment where code goes to production faster and new instances are constantly destroyed and deployed to cope with the load. Major repositories like Docker Hub and Quay both have an enterprise offering that includes security scanners. These scanners will ensure that libraries inside containers are kept up to date and don’t have security flaws.
Another aspect is to ensure that all endpoints for your microservices are secured using SSL encryption. Do not use self-signed certificates.
JAXenter: Another level of abstraction gets implemented when working with Kubernetes because of Knative. What do you think of the new tool that links Kubernetes with Istio, among other things?
Jean-Francois Joly: Istio has been around for some time and some of our customers are building New Relic integrations for Istio to capture metrics. As Kubernetes has become the container orchestration of choice, it is natural that the ecosystem continues to be built on top of it. We are seeing an elevation of the level of abstraction with Knative that removes the need to manage container images. Container images are also a potential source of insecurity; building images on the fly directly in Kubernetes removes the extra steps and thus makes the environment safer.
Knative also streamlines the presentation layer of the service to make it available while abstracting the network and security complexity of managing Kubernetes ingress rules. At New Relic, we have always advocated that visibility across the full stack is important, especially with high levels of abstraction. Make sure every layer of your stack is performing adequately.
JAXenter: Pods, containers, clusters – all these can get very confusing at some point. What’s the best way to keep track of these things?
Jean-Francois Joly: In reality, you shouldn’t have to keep track of each object that composes a Kubernetes cluster. Kubernetes makes it easy to request the resources needed for a new application. From my experience, developers just want to know whether the infrastructure supporting their app is healthy so that they can distinguish an issue in their code from an issue caused by the platform. They also want an overview of how many resources they are allocated and consuming so that they can manage their resources efficiently.
JAXenter: What are your wishes for the new year and how will Kubernetes and its ecosystem evolve?
Jean-Francois Joly: We’ve noticed a massive adoption of Kubernetes by our customers and expect that it becomes a standard for containerized workloads versus more proprietary solutions such as ECS. Many containers are still running outside of Kubernetes, and we expect that these workloads will move to Kubernetes over time. Setting up a cluster is still a major barrier to adoption of Kubernetes, but there are a few existing solutions that can help mitigate this, such as EKS, AKS, GKE, and OpenShift. Additionally, monitoring solutions that tie the infrastructure to the application help monitor the health of the full stack, so that workloads can transition to Kubernetes and the cloud with precise KPIs of the impact on the end user.
Finally, as Kubernetes becomes the standard, we will continue to see an expansion of the ecosystem built on it, such as Istio and Knative, and also open standards such as OpenMetrics and OpenTracing.