Archive for DevOps

Google Grants $9M in GCP Credit to Kubernetes project


This was also published on Amalgam Insights.

Kubernetes has, in the span of a few short years, become the de facto orchestration software for containers. As few as two years ago there were more than a half-dozen orchestration tools vying for the top spot, and now there is only Kubernetes. Even the Linux Foundation’s other orchestrator project, CloudFoundry Diego, is starting to give way to Kubernetes. Part of the success of Kubernetes can be attributed to the support of Google. Kubernetes emerged out of Google, and Google has continued to support the project even as it fell under the auspices of the Linux Foundation’s CNCF.

On August 29, 2018, Google announced that it is giving $9M in Google Cloud Platform (GCP) credit to the CNCF Kubernetes project. This is being hailed by both Google and the CNCF as an announcement of major support. $9M is a lot of money, even if it is credits. However, let’s unpack this announcement a bit more and see what it really means.

  • Google already hosts the project’s development. The Kubernetes project’s development is currently hosted on GCP. The donation helps to ensure that the project does not migrate to a different cloud platform. Google’s donation ensures that it will pretty much stay where it is. So, for the immediate future, one would not expect disruptions such as migration to other platforms.
  • $9M now but what about later? Google is allocating $9M to the project now, but what will happen when the credits run out? There are a number of options. First, Google may give more credits to the CNCF. Or, they might not. If they don’t then the CNCF will have to start paying for the Kubernetes project to continue to be hosted on GCP or migrate to another platform. The latter would be disruptive but may happen if someone else ponies up free or cheap resources. $9M represents a lot of cloud resources but it’s not forever.
    The $9M in credits is also over three years. That suggests that after that period of time CNCF or sponsors will have to start paying for these resources themselves or that Google will get to make another announcement.
  • Might they pull the rug out from under the CNCF? Probably not. While it’s possible Google might shove the Kubernetes project off the GCP when the $9M runs out, it would be incredibly stupid. Google is many things but stupid isn’t one of them. The reputational risk and negative PR alone mean they wouldn’t do this. They would risk losing much of the influence they have over Kubernetes and Kubernetes is important to them. So, no they won’t do something like that.
  • What does “opening the Kubernetes project’s cloud resources up to contributors” mean? This was the terminology used in the Google press release. Google goes on to say that it had provided “CI/CD testing infrastructure, container downloads, and other services like DNS” but doesn’t explain how that affects the Kubernetes project. CNCF expresses this a little differently. They say that “CNCF and Kubernetes community members will take ownership of all day-to-day Kubernetes project operations. Responsibilities will include operational tasks for the development of Kubernetes such as testing and builds, as well as maintenance and operations for the distribution of Kubernetes.” This suggests that Google has been managing the actual project operations despite this being a CNCF project. When the community doesn’t control the operations of an open source project, the source may be open, but the project really isn’t.

Ultimately, it’s a positive development for the Kubernetes project. The CNCF will take more responsibility for the Kubernetes project which, in turn, makes it less reliant on Google. This makes the Kubernetes project an open project and not just open source. There is, however, some risk. If the cost of the Kubernetes project grows or the community finds itself at odds with Google, the project may find itself searching for more money or donated resources. Given the three-year outlook, project leaders have plenty of time to de-risk the project resources.

This change in project responsibility makes sense for Google as well. They get some positive PR while removing themselves from long-term responsibility for the project. They also shield themselves from claims that they are using their resources to maintain control of the project to the detriment of their competitors. The Free and Open Source Software (FOSS) community can be suspicious of the motives of large companies even while benefiting from those same companies.

Open source projects are a little like children. They need parents to nurture them through their formative stages of development. After a while, though, they need to fully leave the nest and become grownups. Kubernetes has grown up, and it’s time for it to take charge of its own future.

Infrastructure as Code can Help with Compliance


This was originally published on Amalgam Insights.


Companies struggle with all types of compliance issues. Failure to comply with government regulations, such as Dodd-Frank, EPA rules or HIPAA, is a significant business risk for many companies. Internally mandated compliance presents problems as well. Security and cost control policies are just as vital as other forms of regulation, since they protect the company from reputational, financial, and operational risks.

IT helps to manage compliance risks in two ways. First, by deploying systems that detect violations and assist the company in managing compliance risk. For example, an analytics system designed to discover Dodd-Frank violations in a bank is a way for IT to help remove some regulatory risk. The second way is to design systems that are compliant with internal and external regulations. That may mean configuring networks so that they address common security holes, or configuring data storage so that privacy is maintained. Systems must be configured to meet the needs of regulations and policies.

One of the more important methods of ensuring that systems are compliant is through audits. Different audits are conducted for different purposes, but they operate similarly. The state of a system – business or computer – is evaluated against a series of policies. Policies are statements that describe a required state of a system that ensures compliance. For example, a data privacy policy may require that customer data be housed only on encrypted drives. A security policy may require two-factor authentication for all external logins to a system.

Systems in place can be audited using a variety of tools that match the system state to policies and detect areas out of compliance. The problem with this approach is that it is post-hoc. Finding compliance issues in production is good, but finding them before they are in production is better. Pre-production audits often rely on design documentation. This is a limited method because last-minute changes or mistakes in configuration can lead to the final production state diverging from the documented design.

This is where Infrastructure as Code (IaC) can be helpful. Central to IaC is the idea that a plaintext script – the code part – describes the desired state of the system. The automation server then configures the system to the state indicated in the script. IaC systems may provision and configure both hardware and software components.

IaC presents an advantage when auditing for compliance. The script is the documentation, and what is in the script will become the final system state. This makes it easy for compliance and security professionals to understand the system state before it is created. They can then analyze these scripts for potential violations of policy and prevent them from becoming part of the production system. Using IaC allows companies to move more easily from reactive compliance to proactive compliance. Non-compliance can be detected early and corrected before it becomes the production state. In rapidly changing environments, this is a safer and quicker approach than detecting problems after the fact and correcting them while in production.
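As an added illustration (not code from the original post), here is a small pre-production policy check in Python. It reads a simplified, Terraform-style JSON description of planned resources and flags violations of two policies of the kind described above: block volumes holding data must be encrypted, and administrative ports must not accept traffic from the whole internet. The document shape, resource names, sample values and policy identifiers (DATA-ENC-01, NET-ADMIN-01) are all constructed for this example; the attribute names mirror common provider schemas but no real plan file is parsed.

```python
"""Pre-production compliance audit of an IaC definition.

Added example, not from the original post. It assumes a simplified,
Terraform-style JSON document listing planned resources; the document
shape and the sample resources are constructed for this example.
"""
import ipaddress
import json

# Constructed sample input: what a plan export might contain before apply.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"type": "aws_ebs_volume", "name": "customer_db",
         "values": {"encrypted": False, "size": 500}},
        {"type": "aws_ebs_volume", "name": "app_logs",
         "values": {"encrypted": True, "size": 100}},
        {"type": "aws_security_group_rule", "name": "ssh_from_anywhere",
         "values": {"type": "ingress", "from_port": 22, "to_port": 22,
                    "cidr_blocks": ["0.0.0.0/0"]}},
        {"type": "aws_security_group_rule", "name": "https_public",
         "values": {"type": "ingress", "from_port": 443, "to_port": 443,
                    "cidr_blocks": ["0.0.0.0/0"]}},
        {"type": "aws_security_group_rule", "name": "rdp_from_office",
         "values": {"type": "ingress", "from_port": 3389, "to_port": 3389,
                    "cidr_blocks": ["203.0.113.0/24"]}},
    ]
})

# Administrative ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389}


def address(resource):
    """Human-readable resource address, e.g. aws_ebs_volume.customer_db."""
    return f"{resource['type']}.{resource['name']}"


def policy_volumes_encrypted(resource):
    """Data-privacy policy: every block volume must be encrypted at rest."""
    if resource["type"] != "aws_ebs_volume":
        return None
    if resource["values"].get("encrypted") is not True:
        return "volume is not encrypted"
    return None


def policy_no_public_admin_ports(resource):
    """Network policy: admin ports must not accept ingress from 0.0.0.0/0 or ::/0."""
    if resource["type"] != "aws_security_group_rule":
        return None
    v = resource["values"]
    if v.get("type") != "ingress":
        return None
    # Does the rule's port range cover any administrative port?
    if not any(v["from_port"] <= p <= v["to_port"] for p in ADMIN_PORTS):
        return None
    for cidr in v.get("cidr_blocks", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:  # a /0 prefix means "everyone"
            return f"admin port range {v['from_port']}-{v['to_port']} open to {cidr}"
    return None


# Hypothetical policy identifiers, as a compliance team might catalogue them.
POLICIES = {
    "DATA-ENC-01": policy_volumes_encrypted,
    "NET-ADMIN-01": policy_no_public_admin_ports,
}


def audit_plan(plan_json):
    """Evaluate every policy against every planned resource.

    Returns a list of (policy_id, resource_address, message) findings in
    resource order; an empty list means the plan is compliant and may
    proceed to apply.
    """
    plan = json.loads(plan_json)
    findings = []
    for resource in plan["resources"]:
        for policy_id, check in POLICIES.items():
            message = check(resource)
            if message:
                findings.append((policy_id, address(resource), message))
    return findings


if __name__ == "__main__":
    results = audit_plan(SAMPLE_PLAN)
    for policy_id, addr, msg in results:
        print(f"{policy_id}: {addr}: {msg}")
    # A CI pipeline would fail the build here, before anything is provisioned.
    raise SystemExit(1 if results else 0)
```

Run against the sample plan, the check reports the unencrypted customer volume and the SSH rule open to 0.0.0.0/0, while the public HTTPS rule and the office-restricted RDP rule pass. The design point is that the same policy functions can run in a pipeline gate before apply and again against exported production state, so the proactive and post-hoc audits share one definition of "compliant".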

Dealing with regulatory, security, and operational compliance at scale is becoming much more difficult as policies proliferate and systems become more complex. IaC is a tool for dealing with systems and their compliance issues in these environments.