Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
Secure your Kubernetes applications with Chainguard
620 Plays3 days ago
Join Ryan Wallner and Bhavin Shah for season 6 of the Kubernetes Bytes podcast. In this episode Bhavin talks to Adrian Mouat, Dev Rel at Chainguard about all things Kubernetes Security. They discuss CVEs, the different vulnerability databases, and how platform engineers can use Chainguard images to protect against CVEs. Links:
- https://www.chainguard.dev/
- https://www.linkedin.com/in/adrianmouat/
- https://slsa.dev/
Recommended
Transcript
Kubernetes Bytes Podcast Introduction
00:00:03
Speaker
You are listening to Kubernetes Bytes, a podcast bringing you the latest from the world of cloud native data management. My name is Ryan Wallner and I'm joined by Babin Shah coming to you from Boston, Massachusetts.
00:00:14
Speaker
We'll be sharing our thoughts on recent cloud native news and talking to industry experts about their experiences and challenges managing the wealth of data in today's cloud native ecosystem.
00:00:29
Speaker
Good morning, good afternoon, and good evening, wherever you are. we're coming to you from Boston, Massachusetts. Today is February 6th, 2026. I hope everyone is doing well and staying safe. Let's dive into it. Bhavan, it's been a while. umt you We'll introduce the next guest. But before we do, let's catch up a little bit. yeah I mean, we we took some time off. A lot of things have happened. I've moved three times. Three times? Okay, I think I lost track. I may have lost track as well.
00:00:58
Speaker
um I'm further away from Boston, so i we might have to, I mean, you're still right there. so Yeah, i true but i was I'm in the same town, so I think I'm the same distance to Boston as I was, maybe 0.2 miles farther away. We still qualify because of you, I think. Okay, perfect. Happy to help.
00:01:18
Speaker
Anyway, um it's it's good to be back doing the show. um What's new in your life, man? No, I think what's new, I think just being busy with work. We did a lot of travel last year moved houses. ah I don't know, man, just...
00:01:32
Speaker
by the time we took our December vacation, the year just felt like, i don't know, ah a blip. Like, hey, what did we end up doing? Like we had to go to our iPhone camera roll and then just look at pictures like, oh yeah, this was a fun trip or this was a fun day, like the moving day and yeah, making sure everything works out and the stress that we were under. So no, I think last year was crazy, but over in in ah in a jiff, I guess. i'm I'm glad to be doing this again with you.
Podcast Cadence Change Announcement
00:02:00
Speaker
How was your last year?
00:02:02
Speaker
oh i I think I blacked out for all of it. Yeah. It was chaotic. um You know, i know I've told you some stories about one of the reasons why I moved. but That's a whole separate podcast, I think, that involves detectives and crime scene tape. And I wasn't involved. Anyway, won't get into it. um And then moving here, i'm finally kind of settling, which is nice. Although, you know, the last week I was out without heat and hot water and it's been like six degrees out. So,
00:02:34
Speaker
So, you know, the biggest snowstorm mass has ever seen or Boston has ever seen. And you were without heat. So that's perfect. Yeah. You know, basically my boiler started sounding like someone was throwing frag grenades in the basement, which was really not anxiety inducing at all while you're sleeping. And eventually I after like a day of it, I was like,
00:02:55
Speaker
I saw a flame, i put a camera down there like ah like and saw a flame when it did it and I was like, all right, turn it off. I don't want the house to explode. I've seen videos that that happens. I don't want that to be my me in my house.
00:03:07
Speaker
You don't want to move the fourth time, you know? You have to draw the line somewhere. Exactly. Yeah. So, you know, I say I'm looking forward to 2026. Although ah with the boiler, it's off to a rough start. I'm getting surgery in a couple of weeks.
00:03:23
Speaker
ah Although, you know, you know, it is what it is. life Life wouldn't be yeah as interesting, I guess, if it wasn't chaotic. but I know. We wouldn't have to like we we weren enough cool stories and good stories to share on the pod, right? It's good that the life life yeah life is interesting. But I think I also wanted to share... um the the change in cadence that we are planning to implement for this year. So to make sure that we can do episodes on a regular cadence instead of once every two weeks, we'll try to do a monthly episode. so we'll still get interesting guests ah to talk about how they have been using Kubernetes ecosystem, like tools from the Kubernetes ecosystem, and then how they are maturing. And hopefully those are still interesting stories as everybody is now talking about AI.
00:04:04
Speaker
But yeah, I think that's that's the one change we we will implement as part of the pod. Yeah. You know what? um It'll help us with scheduling. I think it'll allow us to kind of plan, ah you know, ah with a little more time. In fact, we we should probably revisit a few that we've done in the past as like a, what's in the last three years? Yeah. That could be fun. So yeah, looking forward to it. But I know, um you know, show one, I missed the interview because again, the year is crazy already. um But you can do an intro of who who you had on and
00:04:37
Speaker
and stuff Yeah, no, perfect. Right. So we we had this conversation, ah come like scheduled for a long time. And eventually when we decided like, hey, hey let let's start doing this
Guest Introduction: Adrian Mote on Cloud Native Security
00:04:47
Speaker
again. Adrian Mote from who's the DevRel at Chain Guard, right? Like he was he was kind enough to give us some time again to do the episode. So this this episode will focus on like Kubernetes and cloud native security, how Chain Guard is helping the ecosystem and by By doing these base images that are super secure, how they help of customers figure out CVEs or not have any CVEs in their environment. So yeah it's a great conversation. I'm sure our listeners will like it as well.
00:05:14
Speaker
Yeah. Yeah. Security is still way up there. I know. I feel like we've been saying that for years, but that's just the reality of it. If you need job security, you need to work in security. I'm just kidding, sorry. I told this to someone recently that they were kind of going back to school and I was like, if I were to do it all over again, I'd probably dive into security. I would.
00:05:41
Speaker
I'm not gonna do that now though.
00:05:46
Speaker
Okay, with that, let's yeah let's have Adrian over and let's start the interview. So Adrian, ah welcome to Kubernetes Bytes. Welcome to 2026. Can you talk about introduce yourself to our listeners and talk about what you do and and where do you work? What do you do and how do you help the Kubernetes community?
00:06:05
Speaker
Yeah, thank you very much for having me. um So my name Adrian Mote. I'm a DevRel engineer at a company called ChainGuard. And basically, we make secure containers and do sort of supply chain security stuff.
00:06:19
Speaker
ah Yeah, we've been sort heavily involved in the Kubernetes space since we started, and I've been involved myself in the Kubernetes community quite a lot. Yeah, so I helped run, another thing I helped do is run Kubernetes Community Days in the UK. So that's a ah conference. We actually ran in Edinburgh last year, which was was great because that's where I live. So it was nice to have a conference in my hometown.
00:06:40
Speaker
Yeah. um But yeah, I mean, the the main thing that I work on at Chain Guard is just promotion and ah education around our containers product, which which is basically our secure zero CVE containers. Yeah.
00:06:55
Speaker
Okay, no, I think that's perfect, right? and and And a perfect segue into my next question. Because of your engagement with the community, because of the ah local days and and events that you run around the Kubernetes community, right? What are some of the challenges that you come across, especially when it comes to cloud native security, right? Like what are things that people are not thinking about yet?
00:07:13
Speaker
ah We know that Kubernetes has been around for 10 plus years, but there are still a lot of customers that are new to Kubernetes. So what what should they be thinking about? All right, Kubernetes security in particular. um
00:07:28
Speaker
That's a good question. One thing i would say if you're new to it, definitely go with a hosted provider. Don't try and and set it up yourself. um Although that's really educational. But like ah for a production environment, I'd definitely be looking at a hosted one, like you know your Google's ah um GKE, or whatever it's called, cetera, because they'll apply a bunch of security defaults and so on.
00:07:49
Speaker
um But yeah, in general, you know we we always see the same things with like attacks and so on. It's always things like tokens and um you know poor security, lack security um things, you know open buckets, things like that. And one thing i yeah has has been on the rise a lot in the last...
00:08:13
Speaker
decade, I suppose ah it's more like targeted phishing campaigns. So quite often you'll find an attack starts because somebody's personal details have been compromised somewhere. Yep.
00:08:23
Speaker
But, okay, can we also focus on the Kubernetes aspect, right? Like we have um both personas. One is the developers that are building these modern apps and are packaging those up as as microservices and then built using containers. And then there's the operations side, right? I know that they're supposed to be DevOps, but there's still somebody tagged with whatever the official title map might be, but still responsible for running that application.
00:08:47
Speaker
um How do those guys think about security? Yeah, I think that's a very good question. So it gets even more confusing in a lot of organizations because there's sometimes like a separate security department.
00:08:58
Speaker
um One thing i think, and you I don't know how if yeah how you feel about this, is we're seeing a lot rise. We've seen a big rise in what's now called platform engineering. So companies will have their own platform teams.
00:09:11
Speaker
Quite often you'll find a lot of security stuff falls on them. So you'll see like a defaults to be secure will be the responsibility of the platform team. um And one thing that the reason that I know a little bit about it is because quite often the platform team will say, hey, use these sort of golden images or use these set of images to start your own containers and so on. And that's one area that chain guard can be really useful in. Got you. Yeah.
00:09:36
Speaker
no No, no, go ahead, please. Continue your thought. I was trying remember what exactly the question was. Yeah, no, it's more about like with these DevOps roles or now, as you said, right, the platform engineers or the platform leaders, of security is one of the things that they have to worry about from an organizational perspective. So um how, like, what are some of the things like calling out golden images? That's perfectly one of the things that they should be thinking about. But what are the, some of the other challenges that they should
Understanding and Managing CVEs in Kubernetes
00:10:05
Speaker
be thinking about? And then I don't know, thinking six months in the future.
00:10:09
Speaker
You know, I don't think it's about thinking in six months in the future. I think it's about, you know good standard practices. I mean, there's like a couple of big things i go on and on and about, and I'm sure we'll come back to this later again and again.
00:10:22
Speaker
But one of them is keeping everything up to date. So that's the images we're running, like the versions of the images, the versions of your Kubernetes cluster, and, you know, the versions your dependencies, trying to keep all those up to date. And it's not an easy task. Keeping your GitHub actions up to date.
00:10:39
Speaker
um And it's not an easy task like because this stuff is constantly getting out of date. um And really, you've got to try and use tools like Renovate and Dependibot and so on to try and and help you there.
00:10:53
Speaker
But the second you sort of slip too far behind, that's when you get into the territory of having vulnerable software that that people can exploit. um The other thing that ah I talk a lot about in Chain Guard sometimes talk a lot about is long-lived tokens.
00:11:07
Speaker
and So that's the kind of stuff that's loved by attackers. Like the second they find you know an API token or something that they can abuse, that's you know what they live for, basically. But in a lot of cases, you don't need these long-lived tokens. There's like ways around requiring them at all these days, especially with stuff like OAuth and Federation.
00:11:28
Speaker
Gotcha. OK, so I do want to take a step back and talk about the images. right like We all have heard about CVEs being a thing. And then there there are these advisories that are being published.
00:11:42
Speaker
from not just chain guard from other vendors in the cloud native ecosystem as well. But I wanted to like start at the 101 level. like Can you talk about what are CVEs?
00:11:53
Speaker
how How do people identify them? um What's the process of fixing those and then if we go back and care about the platform engineer, right? Like how do they keep on top of these things? Obviously upgrading everything and making sure they're running the latest version is is the is greatest, but how do they figure out if they are impacted by such CVEs as well? So can you give us ah an intro or primer on what CVEs are?
00:12:18
Speaker
Yeah. Do you know, I literally had just looked up what CV stands for because always forget. It's really like a not a very useful acronym because it stands for in common vulnerabilities and exposures.
00:12:30
Speaker
But basically what it is, is you know all software has bugs. Some of these bugs are security bugs that can be exploited by attackers. So no, a really bad case would be like ah a buffer overflow in a program that gives you access to the terminal sort of thing. the can um But obviously there's much, you know, there's a whole range of um security vulnerabilities. You know, a minor vulnerability um might allow like ah resource exhaustion or something, which, you know, can be a serious vulnerability. It means that I can put a denial of service attack, for example.
00:13:07
Speaker
But anyway, there's all these CVEs. Well, all these vulnerabilities exist in software. And a CVE is basically that ah an issue that somebody has found and reported to a CVE organization.
00:13:20
Speaker
um Now, there are several CVE organizations. The most famous one is NVD, which is National Vulnerability Database in the US. Gotcha. And basically, if you report a vulnerability to them, they'll look at it, they'll assign a number and sort of try to investigate it to some level.
00:13:38
Speaker
um And one of the things they're supposed to do is a assign a severity. So they'll say, hey, this is a really bad CV and assign it like severity nine sort of thing. Or this isn't doesn't matter too much and assign it like severity one.
00:13:51
Speaker
um Now, this... Sounds fine in theory. In practice, it's become
00:14:01
Speaker
become a bit of a mess, quite frankly, because there's so many CVEs being reported all the time. And some of them, like some of them are really important. Like, you know, you get in your your heart bleeds. No, it's SolarWinds. That's what I'm thinking of.
00:14:16
Speaker
Log4Shell and things like that are all CVEs. that were hugely important and you had to take care of. But at the same time, you've got all these CVEs that are coming out that turn out to be nonsense.
00:14:26
Speaker
And all this noise threatens to like drown out the actual signal. So that there are problems with CVEs. So...
00:14:36
Speaker
um One thing, we do have all these tools, so things you may have heard of like Sneak, Grite, Trivi, that can scan your software and in you know my case, your container images, and you'll report on any CVEs they find in that image.
00:14:55
Speaker
Now, the way they work is the first thing they'll do is they'll take a So inventories, we call it Nest Bomb, software build materials of the contents of the image. And then you cross reference those contents against a database and see what CVEs are present or potentially present and report that list back.
00:15:15
Speaker
um So everybody thought, oh, this is a great idea. um If I find any CVEs, I'm not going to deploy to production. Yeah. um And that turned out... I mean, I'm kind of going back a bit and I'll explain why. and that turned out not to work very well because basically you ran these programs on any image and you ran on the base image, they would find CVEs.
00:15:37
Speaker
So it was almost impossible to create a program without knowing CVEs. So you couldn't say, don't ship a program, don't ship an image with any CVEs. It just wasn't possible.
00:15:47
Speaker
Yeah. Yeah. um But that's kind of where ChainGuard came in. So we were like one of the, well, we were the first company to start producing a wide range of images with zero CVEs. And the way we did it was we stripped down the contents of the image. So there's less stuff in there, less stuff to have CVEs. And we just updated it all and patched it all to get to zero CVEs.
00:16:12
Speaker
Yeah, I could go on and and talk about competitors, but I think you were maybe wanting to go back to the CVE point and talk about how you deal with them. so Yeah, yeah. So the problem is, if you find a CVE and it's in your base image, and you're using the latest version of the base image, well, there's not a lot you can do. like There really isn't.
00:16:31
Speaker
you know yeah You're kind of in a bad situation. You can look in it into like patching it and creating your own version, but now you're suddenly responsible for this forked version, which isn't where you want to be.
00:16:42
Speaker
um You can also look at the CVE and try and figure out if it actually affects you in your application, which is wise, but that's a lot of time. Say dozen CVEs there. Are you going to sit and investigate them all?
00:16:54
Speaker
um And that's really why ChainedGuard successful because we offered a solution there. Hey, use our image and you don't have this problem. thank you I want to interject that, right? no go ahead right if i'm If I'm not using ChainedGuard images, let's assume that and I have a bunch of CVEs, how do I even go about examining my blast radius, right? Like CVE will have a score, but then...
00:17:19
Speaker
if it's running in in my production environment, are there tools? I know you listed a few like Sneak and Trivy. Are there tools that will help me figure out like, hey, if I don't fix this, I know and NVD will have a level of severity. But ah even if it is at at an eight, but in my environment, it it has a huge impact. Are there tools out there for for me as a platform engineer to figure that out?
00:17:40
Speaker
Okay. there is a Kev catalog, KV. Okay. I think that tries to list ones that are known to be exploited in the wild. um I'm not sure how complete and useful that is, but that's the kind of sort way you can go to try and figure out, do these matter? Yeah.
00:17:58
Speaker
Yeah, I'm not convinced there's ah any very good solutions. um Another thing you can try and look at is, well, is this you know container that has a CV, is it actually exposed? Is there any way somebody could get to it and trigger that vulnerability?
00:18:15
Speaker
Gotcha. Okay. I'm not trying to get better answers than this. no The other thing I would say is like if you're not using chain guard images, you can still use like a distalist approach. distalist approach is where we try to strip out everything in the container that's not needed. So that CVE that you're worried about might be in like a you know mike dan like LS, or probably a bad example, but like find or or get or something that you don't actually need in your container. So just remove it and that CVE is gone.
00:18:46
Speaker
Okay, so then help me understand the difference between like a chain card image and then a distro-less image, right? Because in my day job, when we when we package up images to publish as part of, let's say, the Red Hat operator hub, I think one of the requirements is, hey, you have to have a distro-less image. What's that difference, right? Like, is that the better approach than selecting a distro and using chain card images or ah what what are what are the differences there?
00:19:11
Speaker
So we're going do a bit of a history lesson. So DistroList comes from a project that was started by, well, certainly Matt Moore and Dan Lawrence, um who are now the the CEO and CTO of Chinga. So when they were at Google, they started this DistroList project. And what they did was they took the Debian base container or operating system, however you think about it, and they stripped everything out that wasn't needed for the average sort of program. What you get left with is things like a temp directory, a few things under Etsy, I think, ah your SSL certificates, um time zones, maybe a couple of home directory, I think.
00:19:54
Speaker
okay And that's long everything else is gone. And what you find is most applications that you'll build and run will will be able to work in that sort of environment. um Otherwise, like say, because you can create a static executable and try and run it on what's called a scratch image, which is completely empty.
00:20:11
Speaker
um Unless you've thought about it advance, quite often you'll find that that won't work. Because, for example, you know, you make a call to create a temporary file that actually will probably expect slash temp to be available and will crash out if it's not. So sometimes scratch doesn't work.
00:20:25
Speaker
So as this this is basically sort of the most simple operating system can get away for with for sort of the majority of static executables. Gotcha. It sounds like if I start with that distro-less image, I will have to go and add things on top that I absolutely need and end up creating something that somebody else is on the hook for, right? Like it's it's not that I'm going to be secure. It's just going to be a different set of vulnerabilities. I'm moving up the stack and installing libraries that might have some vulnerabilities in them as well. and And I'll have to make sure that I'm i'm securing against it. is that
00:21:03
Speaker
Is that the right way to think about it? um I'm going to say no. So libraries will probably be at the application level. Gotcha. I mean, that's not entirely fair because obviously you can apt install sort of base libraries. academics yeah Let me go back to the story. So DistroList was created at Google by by Matt and Dan Lawrence.
Security Benefits of Distro-less and Chain Guard Images
00:21:25
Speaker
um And they started Chain Guard. And one of the first things we worked on was basically extending that, taking what they'd learned from distroless. And that's where Chain Guard images came from. That's the philosophy behind Chain Guard images. So what you find is our images are based on this distroless philosophy, where they don't contain anything more than they need to run the the container. So like our Redis container just contains, or our Nginx container just contains Nginx. It doesn't even have have a shell or a package manager inside it.
00:21:55
Speaker
um Yeah, and we extended that. We have like, you know i don't know, 2000. Yeah, I think we've got around 2000 different images now in the catalog. So we've done it for a whole bunch of open source projects. And I've been following, I think I've been following Dan on LinkedIn ah for for a few years now. And I've seen the progress that Chain Guard has made. Obviously, you guys were the pioneers in building these images. But now I think you are at Series D, so quite a big organization of your own. ah Have other vendors caught up? Are there other alternatives for customers? like Can you talk a bit more about the options that are out there?
00:22:31
Speaker
Yeah, um I will. But but ah bear of mind, obviously, in a slightly difficult situation here because i obviously i work for Chain Guard. you know And also take what I say with a grain of salt because I work for Chain Guard.
00:22:43
Speaker
But yeah, we were the leaders here. And you know there were people like... I don't want to name people. There were other people in a sort of secure image space before, but they never got to zero CVEs for whatever reason. That wasn't what they focused on.
00:22:58
Speaker
And just by doing that, we solved this problem that people are having with tools like sneaking gripe and not knowing what to do with these vulnerabilities. So we found this whole market ready for us, if you like. And we're clearly having success, as you can see by our fundraisers and so on. And that, of course, attracted competition. and So now you'll see several...
00:23:22
Speaker
probably from the outside look quite similar offerings. I would say there's a few things to be very careful about if you're comparing offerings. One thing is, like do they control the underlying operating system?
00:23:35
Speaker
So I would argue that Chainguard is a much better option than some of the rivals because a lot of them don't have don't control the underlying operating system. What they do is they take an existing distribution like Debian or whatever, and put things on top of it.
00:23:52
Speaker
The problem with that approach is they're dependent on everything, on Debian for everything under the application. Yeah. So if they need to you know update libc, they can't, right? Because that's such a fundamental component to the operating system. It's going really difficult for them to patch and make sure it works with everything. So that's really going to...
00:24:14
Speaker
very difficult in that situation, whereas we're patching things like libc the whole time. That's just what we do. Like if you go and look at how often, that's the other thing I would encourage you to look at, is how often are images updated? Not just how many CVEs do we claim there are in it, how often are they updated and what security patches are applying.
00:24:34
Speaker
So you'll you'll see like um most our images are updated every couple of days. or nearly all, basically. So but in the kind like if I'm a chain guard user, I'm basically setting the image tag to latest so that I all automatically get these things whenever you guys publish a new version?
00:24:51
Speaker
So I wouldn't set it to latest. OK. Or, I mean, that's not quite right. i would You can set it to latest, but then pin to the digest so that you're not automatically bumping over versions. Because otherwise, you'll pull in like ah the next major version and and everything will break.
00:25:05
Speaker
ah So pin to a digest. you'll say latest at and then a sha. And that will mean this specific version of that image. And then you'll use something like renovate or dependibot to update. so that's the way I would do things.
00:25:16
Speaker
and Obviously, ah if you're a customer, you can also pin to like ah a specific version, like 3.8 or whatever. um And again, I would still recommend using something renovate dependibot to keep up to date.
00:25:30
Speaker
um And you have mentioned these tools a couple of times, right? So can you talk about what these do? Like, are they open source utilities that are available for everybody? Or are these like chain guard um add-ons or or whatever you image that you might have?
00:25:44
Speaker
So we do have a tool that we use internally at at oh and some people use it in the community as well called Digest-a-Bot, which is a fairly simple tool that will update Digest. So basically what we'll do is it'll go to...
00:25:58
Speaker
and your do look at your Dockerfile, see like the from line, see it as a digest, and then it'll go to the container registry and ask, is there a newer version of the image in this digest? And if there is, that'll open a PR to update it. um Now, that's a very simple tool. The PandaBot is GitHub's sort free tool excuse me, for doing kind of the same thing. um it's It's a lot more general, um covers a lot of different file types and so on and ecosystems.
00:26:27
Speaker
Then there's a tool called Renovate, which is essentially the same thing again. um but it from a third party company. And I think it's probably a bit more configurable and it covers a few more use cases. And also if you're not on GitHub, you can also use Renovate and various different CICD systems.
00:26:43
Speaker
So all of those are great options. But I mean, I really think keeping up to date is No, really utmost importance that to to organizations. So I thoroughly recommend looking at one of those if you're not already.
00:26:57
Speaker
Okay. No, thank you for that recommendation. So what one more question, I think on on the image front, right? When I was getting started with Kubernetes and then containers, um the the basic examples were always like from Alpine image or our Debian, as you mentioned, right?
00:27:12
Speaker
oh Are Chain Guard images free for everybody to use? Like what does Chain Guard charge for? I know we are not here to do a commercial for Chain Guard, but I at least want to know like, hey, can users get started for free without having to like come to UN and start a subscription?
00:27:26
Speaker
yeah Yeah, so that we have a free tier. So there's about, don't know how many images now, is maybe 40-odd images that are on the free tier. ah yeah It's generally sort of ecosystem images, so things like Python, Java.
00:27:38
Speaker
Yeah. um And yeah, you can totally use those at the latest version for for free. um Again, although there's only a latest tag, I would recommend pin into an HS so you don't automatically bump over versions. um So obviously you can get started for free. um i can't Regarding pricing, there's pricing for different um use cases and models. So like if you're a startup or you're an enterprise, um and I'm afraid that's very much a come talk to us at the minute.
00:28:06
Speaker
Yeah, and again, people can reach out to you. We'll have your contact details in the show notes as well if they want to reach out to you and start those commercial discussions. But this is a great, great overview. Okay, so we we spoke about chain guard images. I also see that you guys have introduced chain guard libraries or chain guard packages. can Can we talk about oh what additional problems is that solving? If I'm secured at the base image layer, how how do I make this work?
00:28:31
Speaker
Yeah, I mean, so this is huge libraries thing. and of The scope is a bit scary. So i mean, we already, like we have something called a chain guard factory for building all the
Chain Guard's Secure Library Offerings
00:28:42
Speaker
software. like And we're doing like package builds continuously. And like you know there's so many builds going on all the time. that It's pretty crazy stuff. ah But we've expanded that to libraries.
00:28:54
Speaker
So libraries, what do we have? There's JavaScript, Python, and Java, I believe. And there are various stages of release. But basically, we're building the the libraries like in PyPy, Maven, or in NPM.
00:29:12
Speaker
So rather than get your deriv packages directly from one of those repos, you can come to us and get them from us. Now, what's difference? The major one is that we can we're building everything from source and verifying that it sort of matches the source, if you like.
00:29:27
Speaker
So we immediately cut out a whole bunch of attacks um because what you find in a lot of recent attacks and older attacks is people uploaded like malicious binaries. It's like, you know, you type.
00:29:42
Speaker
If I say NPM published it, possibly change the details of how that works recently, but it certainly used to be the case. You could just upload basically a blob. I didn't match the source codes in GitHub because the the two weren't really linked.
00:29:55
Speaker
Um, And we kind of cut out that attack because we're we're we verifiably only build the source code. So the source code would have to be compromised for us to pick it up and build it, which is a step that normally doesn't happen. And then, of course, we would have to not notice and et cetera.
00:30:18
Speaker
And we're also in the future. One of the things looking at CVE remediations, we're even talking about where we can remediate in CVEs that are found in libraries.
00:30:29
Speaker
Interesting. And like for the past few years, right everybody has been like i don't know talking about AI in in all aspects of product development and and production deployment and customer usage.
00:30:42
Speaker
Can you talk about, like if if i are there like agents that Chain Guard has that can help customers monitor their production and perform some of these actions? Is that something that you guys are working on? Are there ah open source ah alternatives or like, I know Kubernetes, GPT was a really big thing a couple of years back. Like, how do you think about ai and and when it comes to security?
00:31:07
Speaker
am I think that's a very good question. um Chain Guard quite big on AI. like we use The engineering team use it. um We very much, but before anybody gets scared, I don't want to like stress how much like we use it as a tool.
00:31:26
Speaker
So yeah everything is checked by humans. oh yeah um and yeah everything is tested and we have PRs and so on. So it's not like the AI is going wild at Chain Guard, but um we are heavily invested into to using it and trying it out. The CEO is like, if you go and but link it in the show notes, he posted a ah blog yesterday talking about Gas Town from Steve Yege and a how that's kind of shown us the the future of agentic programming.
00:31:56
Speaker
um In terms of products, I don't think but you're going to, in a short term, see tooling from us that, you know, of agents that um protect their system or anything like that. um we're But we're very heavily using it internally.
00:32:42
Speaker
I mean, i honestly, i can't say much here. um What I would say is I worry more about people's data or my own data, like when I give it to the LLM. Yeah.
00:32:57
Speaker
For example, if you're a company, you probably want to be paying for a license for ChatGPT or Cloud or something. Because the problem is if you're not paying for it, I guarantee your engineers are using it. so And if they're using a personal license, ChatGPT and so on may be training on that. So you're much better off buying a company license. So at least you can you know get a license that says, hey, we will not train on your data.
00:33:21
Speaker
Um, so that's one thing I'd be aware of. I mean, going you know on that point in a lot of cases, it may well be more secure to run your hill your own LLMs in a cluster than it is to use a third party when I'm just in terms of like being able to control where the data is and where it, where it goes.
00:33:43
Speaker
Um, But beyond that, I'm not an expert in this. I'm not going to to secure LLMs. No worries. I just wanted to see if if you had any thoughts around around this. right like So ah we we can definitely move on. So I think my my next question was around customer stories. So with with your involvement in in the community, or as the DevRel engineer for for Chain Guard, are there any customer short stories that you can share with us in in terms of best practices or learnings, right? Like maybe you you went into a customer environment, found all of these things that that are low hanging fruits and then but ah tier two things that you need to fix. Can you give us like a plan of action that that customers can follow?
00:34:26
Speaker
Yeah, I mean, we don't really, maybe in the very early days of Chain Guard, we would do like security reviews and so on. We won't we don't really do that. and We definitely work with customers to try and help the projects and solve their problems. But we're not going to do a review of ah their Docker files in general.
00:34:42
Speaker
um I can certainly give you some advice from a sort personal perspective. I worked on something called chips, which is container hardening priorities. And if you you Google that, you'll find a GitHub project. And I um see if I can find it, which is that github.com slash chips dash dev slash chips. um I have a chip spelled C-H-P-S, no I.
00:35:08
Speaker
Um, and that was basically, uh, a kind of standard and it gives you a way to sort grade container images in terms of security. So one of the, you know, all grade in terms of minimalism. So is there stuff in there that doesn't need to be there? Uh, configuration. So does it run as a root user when it shouldn't really run as the root user?
00:35:27
Speaker
Um, our packages pinned, uh, sort of S bombs, are there known CVEs, things like that. Um, so if that's something interesting, I totally, um, check out that project.
00:35:38
Speaker
ah What else do we see? That's perfect. I was able to pull up the the GitHub link. I love the logo for sure. I'll make sure we we include that link in in the show notes as well.
00:35:50
Speaker
was That was my boss, Lisa, that did that logo. So I'll give her a shout out. Gotcha. Yeah. So I know like it's funny, right? Because 18 months back, maybe I don't know, I'm i'm having a hard time remembering the timeline, but there was a salsa framework ah in the Kubernetes security ecosystem. And now we have the chips projects that just yeah makes everything whole again, I guess. Well, yeah. So we named it chips as a a sort of nod to salsa. Salsa is very important. I mean, that's, you know, chips,
00:36:21
Speaker
It's quite small time, just ah hopefully it can be helpful to some people. It sounds as a ah really quite important standard about you know hardening your your build infrastructure. um I totally recommend people look at that. It was updated not too long ago.
00:36:35
Speaker
They went down to three level model and added some things, which I thought was really great. Gotcha. So who owns that? Is it like part of CNCF, the Salsa framework, or those recommendations that got built around, like I don't know, of a couple of years back, White House had ah had the mandate of having S-bombs.
00:36:54
Speaker
Is it pushed down by authorities like like such, or is it like something that the open source community built? Salsa, which is, by the way, if anybody's Googling, it's SLSA.dev.
00:37:05
Speaker
um Salsa Software Level Artifacts. Is that what sounds for? Supply Chain Levels for Software Artifacts. I just, yeah, put it out. So that's actually part of the OpenSSF, which is part of the Linux Foundation.
00:37:20
Speaker
Gotcha. It's got quite you know big organizations and standards behind it. Okay. No, for sure. Yeah, we'll definitely include that link as well. So if people are getting started, they they can look at that. And then also we'll have a link for the the chips repo. um what One question I had, right, like which, which again, I'm not sure if if there is an answer to this, but ah in my day job, I talked to a lot of customers that are moving from VMware to OpenShift virtualization, like running VMs on Kubernetes. We spoke about these secure images, right?
00:37:52
Speaker
are Is there an e equivalent for these VMs on on Kubernetes through the KubeVort project or on OpenShift through OpenShift virtualization? Is is there an equivalent that's available?
00:38:04
Speaker
So is a what that's available? An equivalent solution like like base images, chain guard images, but for VMs instead of just containers. So there is chain guard VMs product. You're welcome come and talk to us about that. um
00:38:21
Speaker
I would say it's something people have looked up probably less. OK.
00:38:29
Speaker
I also, i guess it's worth, there's also another company called Adira. And what Adira do is they try to basically take the security from VMs and apply it you know at the container level as well. So you get to view isolation for for containers, I believe.
00:38:46
Speaker
okay Okay, got it. Awesome. No, I think this is this has been a ah super helpful discussion for me. and And I want to apologize. Again, I know we did that free before we hit record, but I know we were supposed to record this and get it out last year. um Yeah, Ryan and i couldn't couldn't give enough time to Kubernetes Byte. So we do apologize to our audience for that. But I'm i glad, Adrian, you were able to come back and and have this conversation with us.
00:39:13
Speaker
No, don't apologize. because i think it's been, i think you this is a really interesting time because like ah you've already mentioned our competitors. Like I said, like I don't want to talk too much about them, but it's a very interesting in time in the industry and especially with us producing libraries, which I think, you know, in the future could be a a very big thing, the library's product. and Gotcha. Okay. So last question.
00:39:32
Speaker
Last question for you. Where can users learn more about Chain Guard and keep up with everything that you guys are doing? Maybe what you personally are doing with with events in the yeah UK? where What are some of those links that that we can include?
00:39:44
Speaker
Yeah, sure. So there's a chain guard.dev is a chain guard website. And there's ah there's a nice blog there that's ah um quite well updated. Dan Lawrence, as I just said, posted a ah blog yesterday on Gastown and all the AI stuff that I thought was very interesting.
00:40:00
Speaker
um Myself, probably like Blue Sky and LinkedIn is the main places that um I'm active. I've got quite an unusual surname, M-O-U-A-T, so it's usually fairly easy to find me. Yeah, yeah I guess that's ah the main thing.
00:40:15
Speaker
Awesome. No, thank you so much for your time, Adrian. This was a fun conversation. Yeah, great. Thank you very much for having me. All right. Well, thanks, Bobbin, for that awesome interview with Adrian. I hope everyone learned a lot. um Don't forget to check us out on YouTube, and like and subscribe, and anywhere you get podcasts. Make sure to share this podcast with those. We're going to be doing a lot more episodes every month, so make sure to tune in.
00:40:41
Speaker
And with that, this brings us to the end of another episode. I'm Ryan. I'm Bobbin. Thanks for joining another episode of Kubernetes Bytes.
00:40:52
Speaker
Thank you for listening to the Kubernetes Bytes podcast.