Continuous Security: Keeping Pace in the DevOps Lifecycle w/ ARMO

S3 E11 · Kubernetes Bytes

In this episode of Kubernetes Bytes, Bhavin and Ryan talk with Shauli Rozen and Craig Box of ARMO security. The discussion focuses on how security mindsets and actions are shifting left to allow developers to include security practices earlier on in the application lifecycle. Also explored is the role open source plays in securing Kubernetes in DevOps and Platform teams. 

  • 00:29 Introduction
  • 04:36 Cloud Native News
  • 15:26 Interview with Shauli and Craig
  • 57:50 Takeaways

Try Nom Nom today, go to https://trynom.com/kubernetesbytes and get 50% off your first order plus free shipping.

Save $110 off the full list price of Stock Advisor for your first year, go to fool.com/kubernetesbytes and start your investing journey today! *$110 discount off of $199 per year list price. Membership will renew annually at the then current list price.

Show Links

  • https://landing.armosec.io/state-of-kubernetes-open-source-security-2022
  • https://www.cncf.io/projects/kubescape/
  • https://www.jit.io/lp/automate-cloud-container-security-by-deploying-trivy-lp
  • https://www.redhat.com/en/enterprise-open-source-report/2022
  • https://cloud.google.com/blog/products/application-development/richard-seroter-on-shifting-down-vs-shifting-left/
  • https://www.armosec.io/blog/unraveling-the-state-of-kubernetes-security-2023/
  • https://armosec.io/
  • https://github.com/kubescape/kubescape
  • Craig's cast vote for "Sandra Bullock": https://en.wikipedia.org/wiki/The_Net_(1995_film)
  • Shauli: https://www.linkedin.com/in/shaulirozen
  • Craig: https://twitter.com/craigbox

News Links

  • https://winbuzzer.com/2023/05/30/microsoft-introduces-azure-linux-for-its-kubernetes-service-xcxwbn/
  • https://www.infoworld.com/article/3696939/yugabyte-adds-multiregion-kubernetes-support-to-yugabytedb-218.html
  • https://finance.yahoo.com/news/context-aware-kspm-pingsafe-helps-181600047.html
  • https://cloudnativenow.com/features/why-you-need-a-kubernetes-bill-of-materials-kbom/
  • ACS Cloud Service - https://cloud.redhat.com/blog/announcing-limited-availability-of-advanced-cluster-security-cloud-service
  • Teleport Assist - https://goteleport.com/features/assist/
  • Alcion - $8 million in seed funding and an AI-forward, security-heavy take on backup, starting with M365. Kasten co-founders with another backup company - https://www.techtarget.com/searchdatabackup/news/366538893/Alcion-applies-AI-security-focus-to-Microsoft-365-backup
  • MindsDB - https://mindsdb.com/newsroom/mindsdb-raises-25-million-led-by-mayfield-to-supercharge-developers-with-its-cloud-for-serving-artificial-intelligence-logic
  • NVIDIA - https://itnext.io/run-more-pods-per-gpu-with-nvidia-multi-instance-gpu-d4f7fb07c9b5
  • Red Hat Developer Hub - based on Backstage - EA later in June and GA later this year. https://www.redhat.com/en/about/press-releas


Transcript

Introduction and Podcast Overview

00:00:03
Speaker
You are listening to Kubernetes Bytes, a podcast bringing you the latest from the world of cloud native data management. My name is Ryan Walner and I'm joined by Bhavin Shah, coming to you from Boston, Massachusetts. We'll be sharing our thoughts on recent cloud native news and talking to industry experts about their experiences and challenges managing the wealth of data in today's cloud native ecosystem.
00:00:29
Speaker
Good morning, good afternoon, and good evening wherever you are. We're coming to you from Boston, Massachusetts. Today is June 8th, 2023. Hope everyone is doing well and staying safe. Let's dive into it. June 8th, my mother's birthday. Mom, if you're listening, happy birthday. I know. Our very first listener? Probably not, though. Let's be honest. Anyway, yeah, June 8th. How's it going, Bhavin?
00:00:55
Speaker
I'm doing good. I think after we recorded the last part, we were both at Red Hat Summit, so we got to meet in person, get some noodles.

Red Hat Summit Recap

00:01:05
Speaker
That was a good time. I know. That was a fun week, like a busy week, but a fun week just to meet everyone again.
00:01:11
Speaker
Oh yeah, I haven't been to a conference in Boston in quite some time. It was nice to just kind of re-immerse myself and see everybody. I think Red Hat Summit was really great, for me at least. I think the conversations, the people and everything, I was pleasantly surprised. But I guess maybe it's because it's your local city. Yeah, I don't know, maybe you have a different thought about it, but it was good.
00:01:35
Speaker
No, it was a good conference. A lot of good conversations around OpenShift. One thing that stayed back with me is a guy stopping by the Portworx booth and saying, why is everybody trying to sell me Ansible?
00:01:50
Speaker
He's like, I only set up my servers once. And that's like, okay, I won't, like, we don't do anything with Ansible, but I won't sell you Ansible. Well, to be fair, he's the outlier there. If he only set up his servers once and never touched them again, I don't know who you are, but that's probably a bad idea.
00:02:10
Speaker
Maybe you need some Ansible. Anything else really? Um, it sounds... No, no, a lot, a lot of Ansible. Yeah, which makes a lot of sense. The Event-Driven Ansible stuff is pretty cool. I really enjoyed kind of digging into that after the show because I didn't know much about it. I actually got asked today by someone, it was like, hey, it's kind of like Lambda for Ansible, and I was like, you know, it's not a terrible analogy actually. Um, you know, pretty different, but yeah, I like that analogy, conceptually actually.
00:02:40
Speaker
People already know what those terms mean, so it's easy to make that connection.
00:02:45
Speaker
Yeah, exactly. Well, it's, uh, if you're in the East coast at all, um, hopefully you're inside now out of the smoke from Canada, you know, everyone up there in the wilderness is safe, but you know, we're inside,

Upcoming Guests and Cloud Native News

00:02:56
Speaker
we're safe here. And, uh, we have a really cool show for you today. We have, uh, Shauli and Craig from ARMO, but before we get them on the show and introduce them, uh, we're going to dive into some cloud native news. Bhavin, why don't you go first? We'll be right back after the short break.
00:03:12
Speaker
If you've ever had a puppy and raised it to become a big dog, you know that changing food and finding the right food is hard to get right. Ultimately, you want them to feel good and act happy and be okay with what they're eating. They're part of your family, after all. I have an eight-year-old golden retriever named Roscoe, and he's always had a sensitive stomach, so finding the right food is kind of a pain. That's where Nom Nom comes in.
00:03:37
Speaker
Nom Nom's food is full of fresh protein that your dog loves, and the vitamins and nutrients they need to thrive. You can actually see proteins and vegetables like beef, chicken, pork, peas, carrots, kale, and more in the ingredients.
00:03:52
Speaker
So here's how it works. You tell them about your puppy, the age, breed, weight, allergies, protein preferences, chicken, pork, beef, and they'll tailor a specific amount of individually packaged Nom Nom meals and send them straight to

Advertisement Break

00:04:05
Speaker
you. If you're ready to make the switch to fresh, order Nom Nom today and go to https://trynom.com/kubernetesbytes. And
00:04:16
Speaker
and get your 50% off of your first order, plus free shipping. Plus, Nom Nom comes with a money back guarantee. If your dog's tail isn't wagging within 30 days, Nom Nom will refund your first order. No fillers, no nonsense, just Nom Nom. And we're back.

Red Hat Managed Services and Frustrations

00:04:36
Speaker
Yeah, I can start with some Red Hat Summit news, right? A couple of announcements that caught my eye or I wanted to share were around Advanced Cluster Security. So Red Hat ACS, that used to be a thing that customers can buy on-prem, and that came from the StackRox acquisition that they did maybe two years back at this point.
00:04:52
Speaker
and they open-sourced the whole thing and offer it as a solution. What they announced right now was a managed service where they have a SaaS-based solution for security, or for cluster security, where you can connect not just your Red Hat OpenShift clusters but also your GKE, EKS, AKS clusters and
00:05:09
Speaker
deal with vulnerability management and network security and configuration management and threat detection and those kinds of use cases. Only gotcha is it's in limited availability. But again, I like where this is going, like a managed service for my security tools. I don't have to manage it on each cluster. I can just connect my clusters and just monitor my entire estate from one single dashboard. So I don't know. It looks good to me. Obviously, it's security, very appropriate for today's topic. You know what I was trying to figure out?
00:05:37
Speaker
We've gotten it as like an entire ecosystem or market, I guess. Yeah. I see that there's a lot of companies announcing stuff that doesn't exist. And I don't know how I feel about it. Right. And like the my day job, like, we're guilty, right? Like, I'm not saying I don't do that, or the represent someone who doesn't do that. But I don't know how I feel about that. Like, I just do now something to make it.
00:06:00
Speaker
I know or like do what like maybe other companies did right in the past where they announced something and maybe in a month things were real now I don't know I have to look in historically if this has always been a thing for release and like networking and kind of marketing but you know
00:06:19
Speaker
I don't know, maybe it bothers me now. If it was always a thing, it's a new thing that bothers me, that grinds my gears episode. Anyway, moving on to your next episode. No, no, no, I agree. I think it's frustrating to hear about something and not see that thing become a reality for six to nine months. That's definitely frustrating. But it's not even just the tech industry. You know, motorcycles, for instance. And the only reason I picked that one is because I read a lot about them. But all the time, it's like,
00:06:47
Speaker
It's April in 2023. Well, it was. Yeah, at some point. Yeah. And they're announcing 2024 models, right? Cars do the same thing. And I'm just like, I don't get it.
00:06:59
Speaker
I don't know. I probably just need to be schooled on why that is a thing, but anyway. I read a VC article around it, right? There is this philosophy that you sell first and then you build it. I think more and more people are going there like, yeah, make sure somebody's ready to buy what you want to build.
00:07:18
Speaker
It's announced, and then you wait for that, and by the time you get it, the next one is, when do you start? I know. I think I was listening to another podcast, a non-tech podcast, Acquired, if people haven't listened to it, but they covered Lockheed Martin for three hours and how they do government contracts. One thing that they raised was, these defense companies bid for contracts, and once they actually have that contract, that's when they start ramping up stuff and figuring out what to build. I think that's
00:07:46
Speaker
Maybe the cycles are so much longer. Yeah. Yeah. Yeah. So obviously we shouldn't do that. Like not, but you have to find a balance. That's bad for, for human. Yeah.

Developer Hub and AI Innovations

00:08:02
Speaker
Now, the second announcement from Red Hat Summit, they announced like a developer hub portal, or Red Hat Developer Hub, which is based on the open source Backstage project. I know Backstage is super popular. This is just Red Hat's flavor of it, with the same plugins that work with Backstage now working with Red Hat Developer Hub. I guess Ryan will be pissed because it's going to be early access in June and then GA sometime later in 2023. I really can't be, because it's everything. Everything that comes out is before.
00:08:32
Speaker
So that was another project that came out. And then the third one was Red Hat released their Podman desktop 1.0, which is a GUI-based client for creating, deploying, managing containers. And it's available as a Windows, Linux, or Mac client. After reading this article, I downloaded it. And I didn't even know I had a container image taking up seven gigs of storage. Obviously, that shouldn't be the case. On my laptop, I was like, OK, I need to delete that.
00:08:59
Speaker
So just if you want to identify if you have some older container images running on your laptop, just download it from podman-desktop.io. So yeah, Podman is cool. I think that covers the Red Hat part of my news. I wanted to cover like funding grounds.
00:09:16
Speaker
and new companies that I have heard about. So, Alcion, again, we knew of Alcion existing as a company, but we didn't really know what they were trying to do. Alcion was founded by, I think, the Kasten co-founders, or the Kasten co-founder and the chief product officer. It came out of stealth last week or a couple of weeks back.
00:09:39
Speaker
announcing $8 million in seed funding. And their one-liner is it's an AI-forward, security-heavy take on backup. And they're starting with Microsoft Office 365. So trying to protect that suite of products first, and then they'll go and take care of everything else. But yeah, I think Niraj and Vaibhav are going back to the backup roots and building something that's AI-forward and security-heavy. Yeah, I love to see it. And congrats to Niraj and everyone. Yeah.
00:10:09
Speaker
And then talking about funding rounds, MindsDB, another interesting AI-based database company, some combination of keywords or buzzwords there. They basically announced that they have a seed funding round, which basically is an extension of their seed round that they did in February. So now, between just pre-seed and seed, like that early in the cycle, they've raised $50 million.

AI and Machine Learning Developments

00:10:34
Speaker
And basically, they want to equip developers to rapidly ship AI and machine learning applications.
00:10:39
Speaker
Again, that's the one-liner. Go ahead and look it up and what the company actually does. But look pretty cool. They have a client where you can try out their database and try out their offering. They do have a SaaS solution. But interesting, get these buzzwords in, you get 50 million in pre-seed and seed. Then finally, I think
00:11:01
Speaker
Yeah, that easy. Like, talking about AI. One last thing and then I'm done. Teleport, right? I know we have some friends over at Teleport, but they announced something called Teleport Assist, which is their new GPT-4 based, or GPT-4 powered, DevOps assistant.
00:11:17
Speaker
It is still experimental, so they still have that disclosure or condition asterisk mark, use caution, validate all outputs, but it helps you troubleshoot common issues. It runs against your Kubernetes clusters. It shows you the commands that it generates to find certain information, and then when you tell it to run that command, it goes and runs it against your cluster and gives you information about your cluster. It maybe speeds up your troubleshooting cycles or root cause analysis.
00:11:43
Speaker
and helps you collect information about your infrastructure and maybe even troubleshoot in the future. Or maybe it'll make you chase rabbits and turtles.
00:11:54
Speaker
We see a lot of it. I mean, it's really exciting. I know we're talking to a few different companies that hopefully will have in the show and things like that about this space. And it's exciting. I think it certainly is. So that's really cool to see, especially since it's still pretty early. It's not like this came out as that long ago. So it's cool to see people taking advantage of companies taking advantage of it. And I plan on definitely trying to use it more now that it's out there. That's my take on it.
00:12:22
Speaker
But yeah, that's it for me from the news that I had. Nice. All right. Go to my news here.

Kubernetes and Cloud Advances

00:12:28
Speaker
The first one I have is about Yugabyte 2.18. I almost said 1.8, 2.18. They added multi-region Kubernetes support, which is something that we often talk about in the sort of persistent space, database space. It's something we've been seeing as interest for years now, I would say. And more and more kind of technology and individual
00:12:51
Speaker
databases start supporting. And I think, you know, as people actually start to use multi-cloud and hybrid cloud, and for a while it felt like we talked about it, but didn't see it that much in reality, it's cool to see stuff like this. The next article is...
00:13:06
Speaker
an article about why you need the Kubernetes bill of materials. We covered SBOMs on the show, even I-BOMs. I don't think we've talked a lot about I-BOMs, but pretty much put a letter in front of BOM, probably a thing. But this is kind of in conjunction with the Kubernetes Security Operations Center and the Kubernetes bill of materials and everything. So anyway, really cool article about kind of breaking down
00:13:34
Speaker
why you need one, right? We've talked about it, and maybe you're not familiar with it, and I'm not, and haven't been until researching this. Just a good article about digging in about what it's actually doing, looking for, kind of.
00:13:50
Speaker
Let's go check that out. The other one is Microsoft. Microsoft introduced Azure Linux for its Kubernetes service. So much like the Amazon Linux for AKS, Azure's flavor and its own distro of Linux for its AKS
00:14:09
Speaker
service. For better or for worse, you know, a lot of times initial releases, these things can have hiccups, you know, things you normally expect to work don't, but I haven't personally tried it. I'm sure it's really cool. But anyway, this article goes into in depth of sort of what it is and why that kind of thing in terms of like, you know, they built it to make node provisioning and boot times faster and things like that. So there's obviously positives.
00:14:35
Speaker
I'm not trying to be a pessimist here. And I think that's all I'm going to cover for today. And yeah, we have Shauli Rozen and Craig Box. Shauli is the CEO and co-founder of ARMO. And Craig Box is the VP of open source and community at ARMO.

Guest Segment with ARMO Team

00:14:57
Speaker
And they're going to come talk to us about all things sort of
00:15:01
Speaker
security, open source, what's changing in the DevOps roles, how things are shifting, et cetera. Yeah. I'm like, I'm interested in talking to Craig, right? Because I listened to the Google Kubernetes Podcast for a while. And then after he left and joined ARMO, I was like, okay. But yeah, I've heard him talk a lot and explain a lot of concepts over the years. So I'm excited.
00:15:23
Speaker
Yeah, absolutely. So let's get them on the show. Hello and welcome to Kubernetes Bytes. Uh, Shauli and Craig, it's great to have you here. I won't do your intros. Why don't you introduce yourselves? Shauli, why don't you go first? Hey, thank you for having me. I'm Shauli Rozen, CEO and one of the co-founders, together with Ben, of ARMO, the company behind Kubescape. Kubescape is an open source security tool for Kubernetes that has been getting a lot of traction.
00:15:52
Speaker
Happy to be here. I'm an engineer by profession. I kind of, over the course of time, moved into the business side, but I'm still, you know, contemplating what I like better, that or the Linux command line. Thanks. Craig, why don't you go next? Hi, I'm Shauli's wingman.
00:16:13
Speaker
I'm Goose to his Maverick. Is that the right thing to say? Yeah, I like it. Yeah, I work for Shauli as the VP of Open Source and Community at ARMO. I joined about six months ago, and I came off eight and a half years at Google, which is pretty much correlated with the existence of Kubernetes. They were just starting to work on the project when I joined.
00:16:33
Speaker
Absolutely. So, Shauli, maybe why don't we start with a little bit of the story behind ARMO. You said you're an engineer, you're doing something different now. Give us and our listeners a bit more about what you're up to and what the company's all about. Definitely. Well, the company
00:16:54
Speaker
Today, what we're doing is we provide the ARMO platform, which is a Kubernetes security platform based on an open source project that we are running and maintaining. The way we got there is, you know, my co-founders, they're like, you know, super security experts.
00:17:12
Speaker
We came up with this security, random idea that we wanted to do for Kubernetes, started to pitch it around, speak with, you know, the way it works is like you're a security expert, you sell security, you speak with CISOs. And we had so many discussions with CISOs where
00:17:28
Speaker
Every time, like the second, probably the second sentence is, well, let me get my DevOps team involved. You know, it's kind of like, that was kind of like always the case. And eventually we said, well, you know, let's leave the CISOs aside. If everybody's sending us to the DevOps, you know, let's go directly to the DevOps. And I think that was a very key, I would say, point in the life of ARMO.
00:17:52
Speaker
where we said, OK, what will drive that? How do we get to DevOps? And we made three decisions back then. One is DevOps, they would like different problems solved than security. They do care about security.
00:18:08
Speaker
With the risk of blabbering a little bit, I think one of the biggest misconceptions is that DevOps don't care about security. I don't think that's true. I think DevOps do care about security. But CISOs don't. They like security. CISOs go to say, hey, my DevOps team cares about security.
00:18:24
Speaker
Yeah. Sometimes I say that, you know, DevOps, they care about security. They don't care about security people. Okay. They don't care about CISOs, for a lack of a better term. But generally speaking, they do care about security. They see it as an engineering, as a technology problem.
00:18:40
Speaker
And it was very refreshing to actually be able to speak with people on the level of engineering. So we decided that we will start working more and more on DevOps problems, which is more around posture, reducing the amount of work, automating things around security. That was the main driver. The second thing is, if you work with DevOps, we're not going to sell to them in conferences and dinner tables and golf courses. It's going to be
00:19:08
Speaker
you know, over the air. They're going to need to be able to download it, work with it, start working with it, fill it up and then go forward. And the last point was open source. We understood that you need to be transparent. Especially as you put things inside the cluster, you need to be very, very transparent.
00:19:27
Speaker
Transparency is appreciated, and we decided to go forward with that, and we launched Kubescape, which was our attempt at doing that. It gained a lot of success. I couldn't imagine that the success would be as much as it actually was.

ARMO's Strategic Shift and Kubescape Success

00:19:44
Speaker
And that's, you know, that's actually I think when Craig, you... Yeah. So a long, long time ago, I used to talk to people on a podcast about Kubernetes. And one of the things I would do was look and see what was happening in the industry and be very closely connected to what's going on. And that was when I first noticed ARMO, when Kubescape was published. It was around about three or four weeks after the NSA had published their first version of the Kubernetes hardening guidelines.
00:20:12
Speaker
And here comes a tool which basically says, here's how to validate whether or not your clusters, your environments, your workloads, and so on are in line with the guidance that they've published. And I thought, that's really interesting. First of all, it's a really good problem to be solving. And second, it shows a startup that's agile and is able to move very quickly and respond to something and bring out a tool. And I think that was good timing, obviously, in terms of popularity. They were able to pick up on this thing, which was in the news at the time, and deliver something super valuable very quickly. And that really is the start of the Kubescape story.
00:20:42
Speaker
Yeah, absolutely. I couldn't tell you how many times, you know, um, I've been working at a company or on a platform team, even before it was called platform engineering, right? Um, where, you know, the security team was just this team that you had to like get permission to do stuff, right? On exceptions. Yeah.
00:20:57
Speaker
And so the DevOps teams, whatever the engineers, used to use that team as sort of, well, let me try to use that team to allow me to do something, which meant really the DevOps team was trying to do the minimum amount to get the OK. So I like this shift that we're seeing, and that ARMO is really behind as well, moving the importance of everything to the DevOps team, and it starts there. So I guess to dig in on the open source piece a little bit, how would you say that it
00:21:27
Speaker
It really changed the role of the Kubernetes admins or cloud-native engineers or DevOps engineers. I'd almost flip it the other way around and say that the availability of this kind of tooling delegates control to lower in the org chart than ever before. People are able to call APIs to get things deployed, whereas previously you'd have to ask someone with a budget to go and order you a server.
00:21:51
Speaker
That same thing becomes true of security. Like you say, these people are able to deploy things, have them come up, come down, auto scale. They're not even necessarily deploying themselves. They're setting instructions for a machine to do that. And then that now the flexibility we have with all of these tools and systems like Kubernetes requires a new model of thinking.

Empowering DevOps with Open Source

00:22:10
Speaker
First of all, there's sort of an assumption everything will be open source these days. There is very little closed source software remaining. Even software that is proprietary, there is sort of an assumption that you as an end user, especially at a certain scale, are going to be able to get access to the source code. So even if you're running Windows, you're a big commercial user, you can go to Microsoft and go into a deep dark room in the basement somewhere and get out the loupe and look at the lines of source and do all that.
00:22:34
Speaker
It's great to know with open source that someone else has done that for you, and pretty much everything since Linux, and definitely in the Kubernetes ecosystem, is almost all open source these days. And that means someone else can do the auditing and you can trust that they've done work there that you don't have to do. And so the same is true: we need this sort of match, something that works with the environment people are used to today, which is open source, because there's an expectation. And, I should point out, that's not necessarily true in security