DEVOPSdigest

Kubernetes had a birthday last month and while it's odd to wish happy birthday to software, I do feel that we need to pay homage. In its six years of "life," Kubernetes has revolutionized how we build, and deliver applications.

When organizations first began the march to the cloud, it was to save time and avoid large capital outlays, but it came at the expense of vendor lock-in. Others stayed away because scaling infrastructure and applications in the cloud was anything but effortless. The introduction of Kubernetes upended what is possible in the cloud, along with conventional roles and processes.

The Benefits of Kubernetes

Kubernetes' emergence over the last six years as the de facto operating system has given companies the gift of speed and agility. Kubernetes has made it easier to create and manage application components based on containers, link services, automate scale and failover, and tear containers once they outlive their usefulness. Developers are realizing new features and applications in days. Before it would take weeks, months, or even years. By making small improvements continually, organizations can speed innovation and reduce risk.

A recent (link is external) survey from VMware found that 95% of people have seen clear benefits since adopting Kubernetes, with 56% of respondents noting utilization as a top Kubernetes benefit, along with 53% recognizing shorter software development cycles. Additional benefits recognized in the survey include containerizing monolithic applications, enabling a move to the cloud and reducing public cloud costs.

And these advantages are being realized with increased adoption. In December 2019, a (link is external) survey by the Cloud Native Computing Foundation found that four out of every 10 enterprise companies (companies with 5,000+ employees) were running Kubernetes in production environments. Even more have tiger teams testing Kubernetes in development stages. Since COVID, the number is expected to grow exponentially.

How Kubernetes Adoption is Shifting with COVID

When COVID hit, organizations that use Kubernetes and a DevOps approach were able to quickly adapt customer-facing applications to meet changing requirements. Their teams were able to quickly respond to the new needs, along with the additional scalability requirements. (link is external) According to a May 13 report from analysts at Gartner, Worldwide IT spending in 2020 is projected to be down 8% from 2019 in response to COVID-forced budget cuts; however, spending on public cloud services is expected to grow 19% this year. A quick Google search will result in dozens of articles outlining how COVID has accelerated adoption.

When Kubernetes is utilized for projects that need to scale, it delivers, which is why we haven't heard of a lot of issues from companies that saw sudden spikes in usage, such as gaming and large delivery services. Properly architected Kubernetes-based applications can handle massive volume, and they can immediately scale when hosted in the public cloud.

However, Kubernetes comes with its own challenges, and adoption requires new processes, tools and a shift in job roles. Operating a cloud-native environment with thousands of hosts and services requires a fundamentally different approach than running a handful of monolithic applications on virtual machines. Containers are black boxes that work well as application building blocks but obstruct visibility for traditional security and monitoring tools. As organizations deploy business-critical applications using Kubernetes, they need to ensure availability, security and compliance.

Securing Kubernetes Requires a "Shift Left" Approach

Until recently, the security team was seen as a "gate," the last stop, and implementing security checks was a manual step before deployment. This is fine when updates are pushed monthly, but when the cadence shifts to weekly or daily, manual security configuration and checks are not feasible. On top of that, if a vulnerability or configuration issue is identified, retroactively addressing it takes time.

Instead, you need to build security checks into the development pipeline, so issues are addressed before the container is deployed in production. By prioritizing security early and creating a shared approach across the security and development teams, you will be able to ship applications faster.
According to the 2019 Accelerate State of DevOps Report, elite DevOp teams, those seeing the most success, automate and integrate tools more frequently into their toolchains. This includes integrating production monitoring and security checks. According to Gartner analysts, "By 2021, DevSecOps practices will be embedded in 60% of rapid development teams, as opposed to 20% in 2019."

What a secure DevOps or DevSecOps approach includes:

1. Scanning for vulnerabilities in the build process: This will help to ensure you are not putting vulnerable code into production and increasing your security risk.

2. Runtime protection: Shifting left will help ensure the container is not deployed with vulnerabilities, but you also need to protect against unknown threats by detecting and preventing anomalous behavior.

3. Continuous compliance validation.: Meeting stringent compliance guidelines, such as GDPR, PCI-DSS and HIPAA can be complex in fast-changing container environments. By mapping regulations and policies to specific controls, you can automate checks during the build and run phases of the software development lifecycle to ensure continual compliance.

4. Security monitoring: In container environments, visibility is a major challenge. You cannot secure what you cannot see. DevOps teams can leverage a single tool for monitoring to identify potential security, performance and availability issues.

5. Incident response and forensics: Capturing a detailed activity audit is critical for responding to alerts and conducting forensics investigations. You need access to detailed container activity records for a single source of truth across DevOps and security teams in order to effectively identify what happened and quickly respond.

In six short years, Kubernetes has moved from being the brainchild of three talented developers looking to create a minimally viable orchestrator to the standard platform for deploying applications in the cloud. The next stage for Kubernetes adoption will focus on maturing DevOps workflows by increasing automation, including addressing visibility and security earlier in the application lifecycle. Now, more than ever, successful companies will be defined by their ability to use Kubernetes and cloud to accelerate innovation for competitive advantage.