Kubernetes Security and Governance Tools on the Rise

This is an excerpt from a series analyzing the VMware State of Kubernetes 2023 survey. It’s a three part blog series that’ll be published over the next three weeks or so. I hope! Anyhow, in the meantime:

People are always interested in ("concerned with," if you prefer) security for kubernetes, as the above chart from our survey shows. This year we saw a rise in security teams taking an active role in kubernetes, up from 15% in 2021 to 23% this year. Security challenges during deployment and ongoing management rank high, if not at number one each year in our surveys.

My ongoing theory with kubernetes is that as it spreads more and more into the mainstream, all of the traditional concerns enter the picture. When an organization starts using kubernetes for more applications, there’s more applications that require closet scrutiny. I’ve yet to find a great measure of how many applications are running in kubernetes, but here’s a good one I just found: Gartner estimates that "by 2027, 25% of all enterprise applications will run in containers, an increase from fewer than 10% in 2021." So, we're somewhere in between there in 2021, likely closer to 10% than 25%.

It's little wonder that security tools have a strong focus, with 53% considering those tools  useful. The survey shows an increasing interest in policy management compliance guardrail enforcement tools. In 2022, 30% of respondents found these tools valuable. This year, that number jumped to 41%. 

What you see here is a growing focus on compliance and governance in organizations using Kubernetes. Putting their money where their mouth is, 48% of respondents indicated they are willing to pay for security and governance tools and 37% for policy management tools.

As kubernetes use grows in large organizations, we'll just see more and more focus on security and governance. Early on, developers were driving a lot of kubernetes use and, you know, developers are not always the best at paying attention to security needs. Indeed, a 2021 Forrester Consulting study commissioned by VMware found that "only 22% of developers have a clear understanding of which security policies they are expected to comply with." Of course, developers and security people tend to have a strained relationship. That same study found that "over half of developers agreed that security policies sometimes stifle innovation."

As we rebuild the app runtime on kubernetes, security people and developers have a fresh chance to work more closely together. With developers, making the right thing the easiest thing is often the path to success for security. Tools like VMware Aria Guardrails are provide a good start for getting that kind of policy enforcement in place.

Check out the rest of the survey while you’re waiting for the series.

DevOpsDays Austin is back for the 11th year! You should go for two days of DevOps, cloud computing, DevSecOps, and more on May 4th to 5th, 2023, in Austin, Texas. Learn more at https://devopsdays.org/austin, the schedule is live!

You can get 15% off the registration price when you use the code FRIENDLY_NEIGHBORHOOD_SDT_23.

AI@KubeCon EU

I did a lot of interviews (podcasts and videos) at KubeCon last week. There’s two videos with the Dell developers people, a podcast with them, and then a podcast we recorded for Software Defined Talk. There’s a long one with Hayley Grossman from Run:ai. They’ll all be out sometime, I suppose; and I’ll post them here, of course.

In the meantime, here’s a livestream with my friends from ITQ:

Everyone at KubeCon was interested in AI. I mean, it’s exciting, but I think the chattering class has got all the bases covered so far. Nonetheless, people asked about it, so I’d talk about it. You can check out my thoughts on it in that video, here.

Relevant to your interests

• Hinada Neiron - Women in Technology Spotlight - my pal Hinada talks about how she got into tech marketing, marketing in general, mentoring, and women in tech.

• CTOs’ Guide to Containers and Kubernetes, Gartner - a guide for thinking through kubernetes use, but also some good enough numbers around how many apps are actually running in kubernetes: “By 2027, 25% of all enterprise applications will run in containers, an increase from fewer than 10% in 2021.” And: “By 2027, more than 65% of commercial-of-the-shelf (COTS) vendors will offer their software in container format, up from less than 20% in 2021.” Good stuff in there.

• Total Temporal Intrusion By Work - The history of work life balance in one obscure Outlook feature.

• How Lucinda Williams Found Her Muse - Excerpt from her memoir.

• IDC’s 2022 estimate of total number of developers worldwide - “worldwide professional developer census, which IDC places at just under 16 million in 2022.”

• A Discussion on Data-Driven DevOps: How to Rethink the Measurement Approach - Cameron lists a whole lot of writing in DevOps metrics and takes a look at Gartner’s 2014 work there. Also, lots of paywalled links.

  

• Gartner Survey Finds the Need to Improve Developer Experience is Driving Software Engineering Technology Adoption - “High-quality developer experience has become a critical priority in software delivery, with 58% of software engineering leaders reporting that developer experience is “very” or “extremely” critical to the C-suite at their organizations, according to a survey by Gartner, Inc. Enhanced developer experience or productivity is cited as the top value factor for adoption of several technologies and practices across the software development lifecycle, including internal developer portals, performance engineering, the CI/CD toolchain and container management”

• What’s Golden Path? - We’ve all probably gotten a little too nutty by enthusiasm with this term. But, “approved but customizable defaults and templates for the software-drive value chain” sounds pretty boring. // “At this point, I believe a golden path is a specific journey towards conspicuous and continuous improvements in the essential toolchain for economically growing software development team velocity with increasing quality, productivity, and — frankly — joy. Just as there are many developed software applications, there will be many journeys and perhaps just as many golden paths — as a plurality.”

• The Pending Collision of LLMs and No-Code/Low-Code Platforms - “The primary difference between LLMs and low-code platforms is the output. Generally, when you tell an LLM to generate a website, it spits out actual code in an actual language that will run anywhere. When you tell a low-code platform that, it either won’t (black box) or it spits out incomprehensible and/or proprietary code that, often enough, can only be run on a single proprietary platform.”

Wastebook

• “What’s more, we now pay money into something called a pension, which I admit I had never thought about previously, being of the opinion that I’d rather have the money now than give it to some City slicker with a Range Rover and a gravel drive in the hope he will give it back when I’m old.” Here.

• “Thinkbait” Here.

• “I am able to pause between my reaction and my action” Day 843.

• “My boots were so solid and new that I had confidence in them. I set off on the most direct route to Paris, in full faith, believing that she would stay alive if I came on foot. Besides, I wanted to be alone with myself.” Of Walking in Ice, Werner Herzog

Logoff

My travel has pretty much halved this year, and probably last. I’ll jus barely qualify for the middle-tier status on KLM, which is fine really: I’ll still get priority security line access which, really, is all I want. After meeting all of my old friends at KubeCon Amsterdam last week, I’ve realized what a part of my life, my identity, business travel has been. I used to see all my old friends on the road: road friends!

Dropping travel during COVID, then after, and now with tech industry budget cuts (the first my team has had…ever, for the eight years I’ve been here)…that sudden disappearance of my friends has really created a hole in my life that I don’t think I’ve really recognized more reconciled. It’s good to be at home more, and traveling has its own toll, but I’d sure like to have my cake and eat it with friends too.

Next up, I’ll be at Devoxx UK in London May 10th and 11th, giving my platform talk on May 11th at 10am. And then TEQnation in Utrecht on May 17th. Maybe I’ll see you there :)

See y’all next time!