Cloud Native and Industry News -- Week of February 16, 2022
Every Thursday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.
This week they discussed:
- The explosion in Kubernetes adoption
- New open source tools for Kubernetes
- Security fixes in cloud native tooling and WebKit data
- Privacy issues around the world
- New developments in metaverse and NFT initiatives
- Intel’s acquisition of Tower Semiconductors
You can watch the full replay here. (You’ll just need to register.)
To join Nick and Eric next Wednesday, February 23, at 1:00pm EST/10:00am PST, register here.
CNCF reports record usage of Kubernetes
Nick Chase: The Cloud Native Computing Foundation has released its 2021 Cloud Native Survey, and unsurprisingly, Kubernetes use is at its highest level ever. CNCF reports that 31% of backend developers, that's 5.6 million developers, are using Kubernetes.
In addition, Datadog reports that nearly 90% of Kubernetes users leverage cloud-managed services, up from nearly 70% in 2020, and companies are beginning to adopt less mature technologies to solve problems higher up the stack.
But perhaps the most interesting number is the claim that a whopping 96% of all organizations are using Kubernetes in one form or another, leading to the claim that Kubernetes has "crossed the chasm," so to speak.
All of this is in line with a general increase in cloud native spend. Gartner’s ‘cloud shift’ research suggests that of those enterprise IT categories that can transition to cloud, within the application software, infrastructure software, business process services, and system infrastructure markets 51% of IT spending will have shifted from traditional solutions to the public cloud by 2025, compared to 41% in 2022. Almost two-thirds (65.9%) of spending on application software will be directed toward cloud technologies in 2025, up from 57.7% in 2022.
Let's put those numbers in perspective for a moment. Canalsys reports that in Q4 of 2021 cloud spending topped $50 billion for the first time, and Gartner reports that in 2022, we're talking about an overall enterprise IT spend of 1.3 trillion dollars—that's Trillion with a T—growing to 1.8 trillion by 2025.
All of this is driven by a few trends, such as digital transformation accelerated by the pandemic, as well as edge computing and security.
I suppose it's no wonder that companies are having so much trouble finding Kubernetes talent, and managed services are becoming so widespread.
New open source tools for Kubernetes
Nick Chase: There are several items this week in open source cloud native news. First, we see the introduction of the Trousseau project, which intends to plug a security problem many people have when working with Kubernetes, which is secrets management. See, when you're building an application that has, say, a username and password, you don't want to embed that in the container image, so you keep it separate, as a secret. But then how do you manage that secret? There are some solutions, such as Hashicorp's Vault but then you have the complexity of integrating THAT. Trousseau aims to solve that problem by providing a standard interface to these types of secrets management systems.
Also on the "making Kubernetes easier" front we have ValidKube a new open source tool from Komodor and Aqua Security, which combines several open source tools to make it easier for developers to take that giant glob of YAML and clean it up, analyse it for security flaws, and so on. (And by the way, "giant glob of YAML" would be a great band name, so if anybody wants it, let me know.)
ValidKube is a browser-based solution, but you do have to host it yourself. The code is available on GitHub.
Security fixes in cloud native tooling and WebKit data
Eric Gregory: Istio announced a forthcoming security fix for versions 1.11.7, 1.12.4, and 1.13.1, aimed at patching what they call “numerous security defects.” According to Istio, “the highest rated security defect is considered high severity.” The patch is coming on February 22nd, but Istio says that it will release no fixes or additional details before then. So while we’re not entirely sure what it’s addressing, Istio users will want to be on the lookout for that update.
Elsewhere in open source Kubernetes tooling, a high severity zero day vulnerability was uncovered this month in Argo CD. Designated CVE-2022-24348, the vulnerability lets attackers load malicious Helm charts that could enable them to extract sensitive data outside of their original scope including secrets, tokens, and configuration data. In theory, an attacker could use this to not only acquire sensitive data but also escalate their privileges and expand their cluster access. Fortunately, there is already a patch available. Argo users can find more patching information on the Argo project’s GitHub page.
Out in the wider world of emergency fixes, Apple pushed out a patch for WebKit to address a high security vulnerability that, “may have been actively exploited,” according to Apple. WebKit is the web browser engine underlying Safari on all platforms—and due to Apple’s App Store requirements, it is used in all other iOS web browsers as well.
While details from Apple are somewhat scarce, the vulnerability, CVE-2022-22620, makes it possible for a web page to trigger arbitrary code in a use-after-free pattern that exploits recently freed, improperly managed memory.
The vulnerability reignited already-smoldering controversy over Apple’s insistence that all iOS browsers utilize WebKit—a policy that is currently under antitrust investigation in the US and UK. Apple claims that this requirement allows them to comprehensively remediate flaws in one fell swoop, while detractors argue that WebKit presents a single point of failure and its requirement gives consumers no way to sidestep vulnerabilities with an alternative browser engine.
Privacy issues around the world
The state of Texas is seeking penalties from Meta over its now-discontinued use of facial recognition technology. Texas law forbids the collection and sharing of biometric data without explicit consent.
Controversy over facial recognition isn’t limited to Meta, or to the private sector–the U.S. Internal Revenue Service has backed off of a proposal to use the technology for verifying the identities of taxpayers. The initiative came under bipartisan fire after the IRS proposed to use private contractor ID.me to verify logins to IRS.gov.
Lawmakers opposed to the plan cited the potential for data leakage or theft, noting a 2019 incident in which a cyberattack on a U.S. customs and border control contractor led to the exposure of U.S. traveler data, including photos and license plates.
In the U.S., state laws may form the major legal framework on data privacy for the foreseeable future, as efforts to pass a federal data privacy law appear to have stalled. Lee Tien, senior staff attorney for the Electronic Frontier Foundation, told TechTarget that, “All of the energy on privacy has sort of flattened out. There's a certain amount of mental fatigue on privacy right now."
There are a number of bipartisan bills in the works, including Social Media Privacy Protection and Consumer Rights Act from Sens. Amy Klobuchar (D-Minn.), John Kennedy (R-La.), Joe Manchin (D-W.Va.), and Richard Burr (R-N.C.), and the Information Transparency and Personal Data Control Act proposed by former Microsoft executive Rep. Suzan DelBene (D-Wash.) But progress on the bills has reportedly been stymied by unresolved questions about enforcement and precedence of state laws.
Meanwhile, in Cambodia, the government is activating its National Internet Gateway today, bringing constant surveillance to all Internet traffic in the country. The regime has threatened ISPs and carriers with license revocation and bank account suspension if they do not route traffic through the gateway, and individual citizens may be arrested, blocked, or otherwise harassed based on their internet activity.
Even before the introduction of the Gateway, the ruling military regime has a history of abusing citizens due to statements online. The Register reports that after some Cambodians made Facebook comments on slow firefighting services, the regime forced them to make public apologies.
Nick, do you see any major themes or throughlines running through all of this motion in the data privacy world?
New developments in metaverse and NFT initiatives
Nick Chase: Meta, Facebook's parent company, has added an "anti-grope" gap to its Horizon Worlds in order to prevent, well, unwanted touching in the metaverse. This kind of thing has actually been a problem since long before graphical worlds came online, but it's kind of a warning shot over the bow of companies considering using the metaverse of the need to seriously consider the various issues that can come up.
These issues include both cultural issues and security issues, from traditional vulnerabilities in the software such as Log4J to some things you might not think of, such as a person sort of "hiding" in your virtual environment and listening in on private conversations, or even manipulating data to put someone in physical danger, such as causing them to walk into furniture, or worse, tumble down a flight of stairs.
Also in Metaverse news, Venly's new MetaRing is an NFT that purports to act as a membership pass across metaverses, which is a little ... I don't want to say disingenuous, but it seems like they want you to think that if you have that NFT you can get into multiple metaverses, but it's more like a card you can show to partner experiences when you're actually IN those multiple metaverses. What I want to see is interoperability so you can move your avatar between worlds.
But like the metaverse, NFTs keep rolling along. Vivid Labs has announced a carbon neutral expansion to its Vivid platform, with the idea being that they plant trees to offset the electricity use of creating these NFTs, but there's some question as to whether that's really feasible. An example given is that a 10 second NFT generation uses enough electricity to, “boil 100,000 kettles.” So I'm not sure how that's going to work.
But there's still a lot of interest, with perhaps the biggest news being the announcement by Salesforce that the company was launching an NFT trading platform, but I'm not 100% sure that it's what we all think of when we say that. Mathew Sweezey, director of market strategy, said in a blog about 2022 predictions that, "In 2022, you're going to hear a lot more about NFTs, and there will be winners and losers. Winners will move past NFTs as simply collectable to find greater utility through the token." He gives the example of a Time Magazine token that gives you access to Time content, but I suspect that smart contracts, which can programmatically execute some action when some condition is true, may come into play here as well.
All of this comes at a time when there's still uncertainty about what NFTs actually are or do. For example, we talked last week about an NFT based around a famous meme that someone paid ridiculous money for, but it's really about bragging rights, because the meme is still out there. There's also some legal uncertainty, as companies are finding artists creating virtual versions of their products then creating NFTs off of them. Is that a copyright violation? There's no settled case law yet.
Intel to acquire Tower Semiconductor
Eric Gregory: Shifting gears to infrastructure, the big news in semiconductors today is Intel’s announcement that it plans to acquire Israeli chip manufacturer Tower Semiconductor for 5.4 billion dollars.
According to Intel, the move will leverage Tower’s specialties in radio frequency (RF), power, silicon-germanium (SiGe) and industrial sensors to create a more diverse manufacturing capacity. This comes amid a broader effort on the part of Intel to expand manufacturing—currently, the company outsources a large percentage to Taiwan-based TSMC.