Microsoft has always been a big innovator, but it is also well-known known for taking ideas from other sources and refining them to be used by a wider audience. View in browser »
The New Stack Update

ISSUE 237: Azure Kubernetes Service Start Stop

Talk Talk Talk

“The lack of access and visibility into the control plane ultimately made it clear we had outgrown our initial setup and needed to manage our own Kubernetes clusters.”

Render Senior Software Developer Shantanu Joshi on building a private platform to run across multiple clouds.
Add It Up
57% ofAppSec Specialists Think Developers Frequently Deploy Vulnerable Code. Developers Are More Optimistic.

Developers and security professionals are often in conflict, and this state of affairs is not going to change anytime soon, in this author’s opinion. Now here are some facts about the current state of affairs.

The Ponemon Institute conducted two surveys sponsored by ZeroNorth in May and June of 2020, one consisting of 581 application security (AppSec) professionals and the other with 549 application developers. Three-quarters of the AppSec respondents believe there is a cultural divide between them and developers, while only 49% of developers feel the same way towards the AppSec function. The difference in opinion is not because of DevSecOps has taken hold among developers — adoption is almost the same among both respondent categories.

Almost half (48%) of developers have bought into the idea that their organization is actively working to help developers and security teams work together. At 32%, AppSec is more skeptical. One has to wonder, is this because corporate leadership isn’t doing anything, or are security pros jaded by past experience? Developers are more optimistic about a raft of other security topics, most notably application vulnerabilities.

As compared to AppSec professionals, developers are significantly less (39% vs 60%) likely to believe application security risk at their organization has increased. At the core of the matter, AppSec professionals think the development team is difficult to work with because they push code with known vulnerabilities, with many also complaining that developers accept flaws if they believe an app will be a big seller. Whether or not developers are actually pushing a lot of serious vulnerabilities is up for debate, but their self-perception is incredibly different from that of their AppSec peers — only 27% of developers code is frequently being published with known vulnerabilities, compared to the 57% of application security specialists that estimate likewise.

What's Happening

Kubernetes has many built-in security features, but that doesn’t mean it’s secure right out of the box. Security for dependency management is still lacking, and new attack vectors, such as malicious containers, are emerging. Despite advances in security, the API remains Kubernetes’ main entry point for attackers.

The good news is that security teams have learned a lot about how to protect Kubernetes deployments and applications running on containers over the past few years. Such threats can be more easily addressed through a combination of workflows and tooling that span developers, security teams and IT operations (“DevSecOps”). For example, malicious containers and other attack vectors are easy to spot through anomaly detection and scanning tools.

In this edition of The New Stack Makers podcast, Robert Haynes, cloud security evangelist for Palo Alto Networks, discusses Kubernetes security above and beyond the native features, as well as the evolution of the Kubernetes vulnerability landscape since the first API attacks took place a few years ago. Alex Williams, founder and publisher of The New Stack, hosted this episode.

How Kubernetes Vulnerabilities are Shifting Since the First API Attacks

Azure Kubernetes Service Start Stop

Microsoft has always been a big innovator, but the Seattle software giant is also well-known known for taking ideas from other sources and refining them so they can be used by a wider audience. Dan Bricklin, for instance, invented the spreadsheet, and his VisiCalc spreadsheet software provided the template for Microsoft’s own Excel, which has, of course, become the world’s most widely used data analysis tool.

Watching the news from the company’s Ignite conference last week, we see that Microsoft remains in good form in terms broadening the base of a technology. In this year’s case, that new technology is Kubernetes. Our U.K. correspondent Mary Branscombe caught all the interesting K8s news coming from the show. The new feature of the Azure Kubernetes Service that first caught our eye was the ability to pause and unpause a running Kubernetes cluster with a set of simple commands. One command starts a cluster, the other one stops a cluster. How come no one thought of this before?  According to Branscombe, “you can stop a cluster when you don’t need it and restart it again when you do — the way you can stop a VM, pause a video or hibernate a laptop. Scaling a cluster to zero still leaves the system pool running (and running up a bill); turning it off stops the control plane and agent nodes completely so there’s no cost, but you don’t need to create the cluster and reinstall images when you want the cluster back.” This feature takes advantage of the fact that AKS is already backing up the cluster state for resiliency, and can be really handy for developer testing and for bursty workloads.

At the show, Microsoft also showed off its solution for one of the trickiest problems for the enterprise: confidential computing. Confidential computing involves encrypting all data as it is being worked on in the server’s memory, typically by using processor extensions, such as Intel SGX and Arm TrustZone. This is difficult to set up in a data center, so for Microsoft to offer this as a service for Kubernetes is a big step forward in terms of usability for the industry. 

This work also shows how attuned Microsoft is to its enterprise customer base. Last year, Microsoft won the $10 billion Joint Enterprise Defense Infrastructure (JEDI) contract, which will provide the IT cloud infrastructure for the U.S. Department of Defense (DoD) services. As Branscombe pointed out, the DoD has been pushing for more stringent security controls, and no doubt Kubernetes-based confidential computing will help. 

VMware to Acquire SaltStack for Advanced Multicloud Automation

VMware’s pending purchase of SaltStack, announced Tuesday, should help it plug large missing components into its automation capabilities. VMware’s portfolio consists of Tanzu as a management layer for cloud native applications, with large support for Kubernetes. The vRealize Automation platform serves as the cloud consumption layer on top of VMware virtualization — such as compute, network and storage — similar to what a public cloud provider might offer. For both of these technologies, Salt could offer a very strong set of automation capabilities for doing software configuration automation, or so analysts argue.

The Cloud Native Landscape: The Runtime Layer Explained

This post is part of an ongoing series from Catherine Paganini and Jason Morgan that focuses on explaining each category of the cloud native landscape to a non-technical audience as well as engineers just getting started with cloud native. This article zooms into the runtime layer encompassing everything a container needs in order to run in a cloud native environment: the code used to start a container, the tools to make persistent storage available to containers, and those that manage the container environment networks.

Druva Introduces Software as a Service Data Protection for Kubernetes

Druva’s new beta data protection service, offered through its Druva Cloud Platform, delivers application protection which can quickly recover, migrate, or clone Kubernetes workloads from a unified interface. It’s designed to protect Kubernetes workloads against such data threats as user error, site outages, and ransomware attacks, the company states.

Party On

La Treece Butler-Morton, director, operations, VMware, highlighted key moments during VMworld 2020.

Dr. Aparna Sinha, director of product of Google Cloud, gave a keynote about how the cloud can help DevOps teams deploy not only faster, but more securely, during DevOps World 2020.

VMware’s Guru Venkatachalam, vice president and CTO for APJ for VMware, said 5G is at the stage where we are “figuring out how we execute.”

Joe Baguley, vice president and CTO EMEA, VMware, said during VMworld 2020: “There's a bunch of us here at VMware that believe we truly are building into security rather than bolting it on.”

On The Road
Chaos Conf 2020 // OCT. 06-08 // VIRTUAL

OCT. 06-08 // VIRTUAL

Chaos Conf 2020

Chaos! It’s time for the gremlins to play. Join The New Stack at Chaos Conference, the world’s largest chaos engineering event. This year’s event will feature talks by Adrian Cockroft, VP of Cloud Architecture Strategy at AWS, Rachel Obstler, VP of Product at PagerDuty, and Gene Kim, author of The Phoenix ProjectThe Unicorn Project, and co-author of Accelerate. Brought to you by Gremlin, Chaos Conference runs online: October 6-8. Register for FREE now

The New Stack Makers podcast is available on: — Pocket CastsStitcher — Apple PodcastsOvercastSpotifyTuneIn

Technologists building and managing new stack architectures join us for short conversations at conferences out on the tech conference circuit. These are the people defining how applications are developed and managed at scale.
Pre-register to get the new second edition of the Kubernetes ebook!

A lot has changed since we published the original Kubernetes Ecosystem ebook in 2017. Kubernetes has become the de facto standard platform for container orchestration and market adoption is strong. We now see Kubernetes as the operating system for the cloud — evolving into a universal control plane for compute, networking and storage that spans public, private and hybrid clouds. In this ebook you’ll learn:

  • Kubernetes architecture.
  • Options for running Kubernetes across a host of environments.
  • Key open source projects in the Kubernetes ecosystem.
  • Adoption patterns of cloud native infrastructure and tools.
Download Ebook
We are grateful for the support of our ebook sponsors:

Copyright © 2020 The New Stack, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list

Email Marketing Powered by Mailchimp