Analyst opinion. Event highlights from the Cloud Native Computing Foundation’s flagship conference, KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain, 16–20 May.

Omdia view

Summary

The 2022 European meeting of KubeCon + CloudNativeCon took place in Valencia on 16–20 May. The opening keynote showed how the Cloud Native Computing Foundation (CNCF) continues to grow, hosting 128 open-source projects (of which 15 are graduated, having achieved a significant level of maturity and adoption), over 158,000 contributors in 187 countries, and over 800 members across the vendor community. This meeting, the first physical CNCF event since the pandemic, had 7,000 in-person attendees and 10,000 online. These are some highlights of the event.

Software bill of materials (SBOM) to help secure the software supply chain

The need to secure software is uppermost in the minds of the US government following the malware infiltration of performance management software provider SolarWinds; the malware used SolarWinds as a Trojan horse, allowing it to infect SolarWinds’ customers’ IT environments. This is an example of an insecure software supply chain, and the US government is working with the software industry, including CNCF and its parent the Linux Foundation, to create an SBOM that is linked to a software product and verifies what it contains. SBOM will work with open source software but will not apply to closed source software unless the provider reveals what is used inside its software. The issue is keeping track of which libraries have been integrated into a software product. Security is a dynamic property of software: a library may pass as secure today and be declared insecure tomorrow (e.g., because of subsequently discovered vulnerabilities in it). Knowing which libraries have been integrated into a software product is therefore essential.
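As an added illustration of the “secure today, insecure tomorrow” point (this is example code, not from the article or any vendor it names): a small Python check that re-reads a product’s stored SBOM and flags any component whose version falls inside an advisory range published after the SBOM was produced. The SBOM fragment, library names, versions and advisory ids are all constructed placeholders.

```python
"""Re-evaluate a stored SBOM against an updated advisory list.
Constructed example: the SBOM, library names and advisory ids are placeholders."""
import json

# Constructed CycloneDX-style SBOM fragment for a hypothetical product "shop-api".
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "shop-api", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "log-lib", "version": "2.14.1"},
    {"type": "library", "name": "json-parse", "version": "1.8.0"},
    {"type": "library", "name": "http-core", "version": "4.2.7"}
  ]
}"""

# Constructed advisory feed: each entry covers versions in [introduced, fixed).
# An entry added after the SBOM was written is what turns a library that
# "passed as secure" at build time into a known-vulnerable one.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "log-lib", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-002", "name": "http-core", "introduced": "4.3.0", "fixed": "4.3.2"},
]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so ranges compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))

def affected(component, advisory):
    """True when the component's version lies in the advisory's [introduced, fixed) range."""
    if component["name"] != advisory["name"]:
        return False
    v = parse_version(component["version"])
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def check_sbom(sbom_text, advisories):
    """Return {'name@version': [advisory ids]} for every affected component."""
    sbom = json.loads(sbom_text)
    hits = {}
    for comp in sbom.get("components", []):
        ids = [a["id"] for a in advisories if affected(comp, a)]
        if ids:
            hits[f'{comp["name"]}@{comp["version"]}'] = ids
    return hits

if __name__ == "__main__":
    # Only log-lib 2.14.1 falls inside an advisory range; http-core 4.2.7 predates its range.
    for lib, ids in check_sbom(SBOM_JSON, ADVISORIES).items():
        print(f"{lib}: {', '.join(ids)}")
```

Re-running the check whenever the advisory feed changes, rather than only at build time, is what makes the stored SBOM useful after release.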

Omdia spoke with Deepfence (deepfence.io), a company that offers a free analysis tool, ThreatMapper, which analyzes the libraries linked into a software application and provides a risk analysis based on known issues. The tool then prioritizes the security weaknesses based on their proximity to the attack surface. An enterprise version of the tool, ThreatStryker, adds network analysis to indicate whether an attack is in progress and can intervene by quarantining the vulnerable component and blocking attack traffic.

In discussion with US government experts and the private sector, the Linux Foundation is doing more on security. It launched the Open Source Security Foundation (OpenSSF) in August 2020 and recently produced a whitepaper, “The Open Source Software Security Mobilization Plan”, with a 10-point plan to secure OSS production, improve vulnerability discovery and remediation, and shorten the ecosystem’s patching response time. The OpenSSF has also launched the Alpha-Omega project, which aims to find new vulnerabilities in open source software and get them fixed. The Linux Foundation and CNCF are also working with the security framework project Supply-chain Levels for Software Artifacts (SLSA), which offers an industry security standard with four levels.

Securing the software supply chain through SBOM is an important step forward, indicating how the software industry is maturing, and a recognition of its importance in modern society: software runs almost everything today. However, SBOM is just part of the solution to secure software. It is an addition to baking in security at the design stage, least privilege by default, a secure software development lifecycle, and cryptographic attestation; there is also a need to check for vulnerable dependencies using tools such as Deepfence and Sysdig. The SLSA and Alpha-Omega projects are in their early stages but show the efforts being made to improve software security.

Digitization of the telco industry continues with Cloud Native Network Function (CNF)

The move from physical network functions (PNFs) to virtual network functions (VNFs) is the aim of network function virtualization (NFV) architecture. The challenge with the VNF instantiation of NFV is that the VNFs were not cloud native: they lacked agility and were not compatible with the advances in Kubernetes, microservices, and containers. CNF is designed to correct that, moving the functions from virtual machines to containers, and the telco industry is in the process of moving to a CNF instantiation of NFV. This type of standardization will lead to technology efficiencies and will transform the space; the telcos see this culminating in their industry being described as digital service providers, and they will be able to take advantage of the progress being made with cloud native technologies, leveraging open source software.

In the KubeCon keynote, it was announced that a new CNF Certification program has been launched. Organizations can self-certify using the CNF Test Suite, certifying that the underlying telecom platform adheres to cloud native principles and best practices. This will help accelerate the move to CNF and bring the telco industry into the cloud native space.

There is renewed activity in serverless as Knative joins CNCF as an incubating project

Knative joining CNCF is two-month-old news but worth mentioning to make the point about renewed interest in serverless computing: Knative offers serverless containers running in Kubernetes and combines two cloud native technologies that some developers saw as separate. Essentially, by offering serverless containers, Knative brings the serverless concept into the Kubernetes environment: all the Kubernetes and container-related infrastructure management concerns of scaling, maintenance, provisioning, and so on are automated by Knative, which connects to the cloud provider’s serverless services. What runs in the container is independent of Knative; the application can tap into the cloud provider’s serverless services, run microservices, or run code of another architectural style.

IBM Cloud Code Engine (www.ibm.com/cloud/code-engine) is another new type of serverless solution, offering a Containers-as-a-Service platform that is billed pay-as-you-go. It combines the serverless model with a cloud container platform. IBM has a strong play here: it owns Red Hat, which offers OpenShift targeted at the enterprise, making running Kubernetes easy. Code Engine also makes it easy to be up and running with containers, hiding the complexities of Kubernetes, but in a serverless model.

The WebAssembly (Wasm) tremors could presage an adoption tsunami

Talking to various attendees (a VC, vendors) at the event, one topic that rumbled in the background was the promise of WASM to transform application development. WASM is a W3C standard (and that in itself is significant, as W3C standards tend to grow very big) that offers a declarative development stack (polyglot, so agnostic to your choice of programming language) that can run on any device (in applications on the edge, in the cloud, in Kubernetes, in the browser, and on various devices); it is highly secure by design (it has a secure sandbox), is highly portable, has a tiny footprint, and is a host for applications to run in (just like containers). It fills many gaps, including the one created by the disappearance of browser development engines such as Silverlight and Flash (JavaFX still has a life under OpenJFX and Gluon but has had limited adoption), and can deliver a “write once, deploy many times” promise for developers.

Cosmonic (cosmonic.com) has created wasmCloud and donated it to the CNCF as a sandbox project (the youngest of the three CNCF project stages). wasmCloud is a platform for writing portable business logic that can run anywhere from the edge to the cloud, with a secure-by-default, boilerplate-free developer experience.

WASM and wasmCloud fill many gaps in the software application space and have the potential to transform the developer experience. While containers have abstracted away much of the infrastructure concern, giving developers new freedoms, WASM goes further, adding a secure and portable host with common libraries built into the platform: there are many shared components, non-functional requirements related to security, data, and message queues, that make up a large chunk of every application and are repeated over and over. This is boilerplate code; for example, logging, telemetry, tracing, web servers, and databases are pulled out of application code and put into the platform. With wasmCloud as the host, a cloud-based serverless service is introduced that offers tight connections between apps and libraries, requiring the developer to compose only the application logic. WASM could naturally become the basis for the next wave in software development.

High-performance computing (HPC) gets the cloud native treatment through batch processing capabilities

Finally, it is worth mentioning the Volcano project, which became an incubating project in 2020 but received some attention in the Valencia keynotes, for example from Boeing, which has become a platinum CNCF member. Volcano adds batch job scheduling, which Kubernetes currently lacks. Batch jobs are essential for some HPC applications in AI, genomics, and more; they are compute-intensive, can be very long-running (sometimes over days), and may need to be processed in a fixed order. Without Volcano, such batch jobs could be disrupted in the Kubernetes environment.

These trends do indicate how the cloud native paradigm is going to become central to software development (with WASM as the new kid on the block). It does not necessarily mean microservices everywhere (because that is not always the right choice), but it does mean containers everywhere.

Appendix

Author

Michael Azoff, Chief Analyst, Cloud and Data Center Practice

askananalyst@omdia.com