Radio Cloud Native - Week of June 29, 2022

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.

This week we discussed:

• Docker and Kubernetes earn high marks in the 2022 StackOverflow Developer Survey

• Rust is coming to the Linux kernel

• Developments in AIOps

• 900,00 Kubernetes clusters improperly exposed to the Internet

• Check out the podcast for much more.

You can download the podcast from Apple Podcasts, Spotify, or wherever you get your podcasts. If you'd like to tune into the next show live, follow Mirantis on LinkedIn to receive our announcement of the next broadcast.

Eric: The 2022 StackOverflow developer survey released results this week. The survey gets a huge response–more than 70,000 developers this year–so it gives us a good sense of trends across the community and how those trends evolve over time. As always, there are a ton of fun facts to pore over here:

• VS Code dominates IDEs, used by 74% of respondents. The next most widely used is old-school Visual Studio at 32%.

• In the “other tools” section, which separates out miscellaneous tooling from languages or web frameworks, Docker made a huge show of ubiquity, ranking as the most-used tool among professional developers, at 68%. 

• Among professional developers, Kubernetes came in fifth at 25%. To me, that is absolutely staggering given the complexity of the tool. Right above it we have things like Homebrew, at 29%, or npm at 66%, both of which are trivial to install and use. Honestly it seems kind of weird to put Kubernetes alongside, say, Unity and Unreal Engine and some package managers, it’s a weird list of tools, but it does speak to the scale of Kubernetes adoption.

• So okay, that’s what we’re using, but what do we love? Interestingly, both Docker and Kubernetes scored very high marks here as well. Docker is the #1 most-loved “other tool” at 77%, and the most wanted other tool at 37% – meaning those 37% aren’t using Docker now, but want to be. And that number is up from 30% last year. Kubernetes comes in second for most loved and most wanted, at 75% and 24% respectively. So the love and drive for using containers is huge.

• Meanwhile, Rust continued its seven year streak as the most-loved programming language, while JavaScript remains the most used.

Speaking of Rust, last week Linus Torvalds indicated that Rust may be brought to the Linux kernel as early as Linux 5.20, the next release. Speaking at the Open Source Summit in Austin, Torvalds said Rust was coming “real soon now.” 

Right now there’s some angst in the community over compatibility issues between Rust and the gcc compiler, which we means at the outset we might see some fragmentation in how the kernel is compiled depending on whether you want a Rust-y kernel or not. But this is just the beginning of a long road, and the real rainbow on the horizon here is that Rust, as a memory-safe language, can be used to write replacements for a lot of widely used Linux tooling written in C, which you might remember is part of the big, ambitious open source security mobilization plan from the Open Source Security Foundation. So if you want to run off and join the Rustaceans, hey, maybe now’s a good time.

Nick: In AIOps news, StormForge, which does intelligent, cloud-native application performance testing and resource scaling and optimization, has received the 2022 AI Breakthrough Award for AIOps Platform of the Year. The company's platform automatically improves the efficiency of cloud native environments by analyzing observability and performance testing data, then uses machine learning to recommend real-time configuration changes that reduce resource usage and cost while ensuring application performance. The platform includes the recently announced StormForge Optimize Live solution, which eliminates any gaps between pre-production and production optimization, proactively and continuously ensuring peak efficiency for organizations using Kubernetes.

Meanwhile, in a less braggadocious but perhaps more meaningful move, AIOps vendor DataStax has secured $115M in additional funding from the Growth Equity business within Goldman Sachs, as well as RCM Private Markets and EDB Investments.  This brings total funding for the Cassandra vendor to $343 million, giving it a valuation of $1.6 billion. DataStax is a heavy contributor to the Cassandra database platform, which is increasingly replacing traditional databases such as Oracle.

Eric: Back in May we discussed a report from nonprofit security group the Shadowserver Foundation finding that almost 400,000 Kubernetes API servers were open to the Internet. Now cybersecurity firm Cyble is upping the ante with a report finding that 900,000 clusters are in fact exposed to the Internet at large.

Like the Shadowserver Foundation, Cyble acknowledged that not all of these exposures are active vulnerabilities, they do represent an unnecessarily exposed attack surface and are suggestive of misconfigurations throughout the cluster. Cyble writes, “Misconfigurations like utilizing default container names, not having the Kubernetes Dashboard protected by a secure password and leaving default service ports open to the public can place businesses at risk of data leakage.”

So what’s the deal here? Why are there so many exposed clusters? Last time we talked about this, we noted that a lot of these clusters probably aren’t meant for production, and that’s part of the picture, but the point I want to emphasize here is that when you’re manually configuring a vanilla Kubernetes cluster, the mistake surface can be quite large. As you set up each node, as you set up the core components on each node and on the control plane, as you set up tools outside of core Kubernetes, there are a lot of junctures where you can make a configuration error that leaves the cluster exposed. You remember back in 2018, misconfigured web dashboards led to crypto-jacking attacks on Tesla and other companies, and that was possible in large part because the dashboards were improperly exposed to the internet. 

So okay, how do we avoid these kinds of exposures? I guess approach #1 is to be perfect and make no mistakes, but obviously that’s not working out super-well. 

Approach #2 is to consider using Kubernetes distributions that simplify setup and are more opinionated about configuration. This isn’t a panacea, but it can at least reduce the number of opportunities for mistakes. We’re big fans of k0s, the open source distro that Mirantis maintains, and a big part of the value there is that it’s lightweight, only includes what you need, and minimizes the complexity of setup.

But even then, a DIY approach isn’t right for many organizations. Kubernetes clusters are critical infrastructure—in the same way that you’re probably not going to try to build an on-site power plant yourself, you might not want to guesswork your way through bootstrapping a cluster. And in that case, bringing in experts or using managed Kubernetes services can really help you set worries about configuration errors aside.

If you’ve already got a cluster running and you’re worried that it might be exposed, double and triple check that you’re blocking or controlling access at the firewall level. And it’s also worth noting here that a lot of these problems are coming from the Kubernetes web dashboard—as an alternative, consider using the Lens IDE, which will give you much more robust visualization and control without the risk of another internet-exposed service on the cluster.

Check out the podcast for more of this week's stories.