Containerization 101 | Getting Started & Best Practices [On-demand Session]

Containers and Microservices architectures are no longer the new kid on the block, and it may be time to take a fresh look at your ecosystem.


Containers and Microservices architectures are no longer the new kid on the block, and it may be time to take a fresh look at your ecosystem. In this session we provide a baseline for getting started with containerization in 2023 with a strong emphasis on security. To help the novice and the seasoned veteran, we’ll navigate topics that apply to all, including:

  • An overview of containerization and what’s new in 2023
  • Maturity and adoption curves: what you need to know and areas you should be re-evaluating this year
  • Is security top of mind, and should it be?
  • Security improvements you can make right now

Rory McCune, Senior Security Advocate, Datadog
Sean O'Dell, Head of Dev Rel, Cloudsmith

(02:31) Welcome to the February webinar. I am excited; this is my first opportunity to host the Cloudsmith webinar. My name is Sean O'Dell and I just want to welcome everybody. Thank you for joining us today. We're going to be talking about containerization, or containers, or whatever terminology, verb, noun or adjective you might want to use to talk about this subject, and it's really about best practices and getting started. And so with that I'm

(03:26) really just excited to have everyone here today. A couple of things before we introduce our guest of honor today: I want to mention, if you are out on Twitter or LinkedIn or the social networks, please repost the live stream. We do this for a couple of reasons: number one, obviously, to get more folks involved, and number two, to give you an opportunity to be a winner, and we definitely want everybody to win. At the end of the show today, at the end of the episode, we're going to be doing a

(03:58) giveaway, so stick around. We would love for you to ask questions in the chat if you have any comments, anything like that. And, as always, because I'm a fan of the emoji, please say hello with an emoji and a welcome from where you are. If I was not doing this I would actually post a welcome from the great state of Texas with the cowboy hat emoji, but I can't. So, enough about me, and let's get on to today's show. I want to welcome a really fantastic, knowledgeable guest, a guest that I think

(04:29) will bring a lot of insight to the conversation about containers and containerization. I'm going to bring in Rory McCune from Datadog. Rory, welcome to the show today, man, glad to have you, and if you don't mind, introduce yourself a little bit more, because I obviously did not do enough. Hi Sean, great stuff, thanks very much for having me along, I'm really glad to be here. Yep, so I guess I've been in containers for a while now. I've been doing container security for about, I reckon it's about seven or eight years now,

(04:58) so it has been a while, and I've been working around Docker, Kubernetes and a lot of different containerization and container security tech, doing a variety of things there. So, you know, it's been a while now. Very, very cool, and we're glad to have you. Did you ever do any work with Mesos at all at any point in time? I didn't. I kind of came into Docker just as it was taking off, and then that led to Kubernetes, so I kind of saw that container orchestration war from the

(05:25) other side and didn't really get too heavily involved with the other ones. Yeah, you know, there's obviously a variety of flavors. I mean, even Amazon has a variety of flavors of how they implement Kubernetes and containers and containerization, right, and really every organization does it differently. Yeah, oh yeah, it's amazing. I think that's one of the biggest challenges I see: when people say things like "oh, Kubernetes security," I say, which of the 140 different Kubernetes did you mean when

(05:52) you said that? Because they're all different to some extent, and that is part of the challenge. Yeah, absolutely, and we're going to get into some questions here today and really just a dialogue about containers. Before we do that, can you give a little bit, you mentioned this a little bit in your introduction and I'll close out with it later on, but if you can, tell us a little bit about your involvement in Kubernetes and KubeCon, in some of the SIGs, and a little bit

(06:21) about your knowledge and depth there. Yeah, so Kubernetes I've been doing for a while now; as I said, it's been since about 2016 that I probably got involved, and I've done a number of things. There are a couple of things that could be interesting: I've done the CIS benchmarks. If people haven't come across the CIS Benchmarks, they're a vendor-neutral hardening guide, and I've been helping with the Kubernetes and Docker ones for about five years now, and it's been very interesting to see how that's evolved and changed,

(06:44) and yeah, I've been lucky enough to present at KubeCon a couple of times, and I think, as my claim to fame, I'm a member of the only unofficial Kubernetes SIG who have ever keynoted KubeCon, which is SIG Honk. So that was a lot of fun, and we've had a chance to do that a couple of times now. That's SIG Honk; for anybody in the Kubernetes world there are some fun connotations and some interesting individuals behind that, and I just love to have that. When we were having a little bit of dialogue,

(07:12) obviously getting prepped for this show, I noticed SIG Honk and I was like, I've got to bring that up and let it be a part of the conversation. My background in Kubernetes is extensive as well, having been a part of VMware when the rise of Kubernetes began. It was interesting, even pre-Heptio, pre-Pivotal, we were doing things within the Kubernetes space, focused on even creating our own Kubernetes engine. There was an announcement made at one time, and

(07:42) I happened to be on the beta of that from an internal team perspective, right. So it's always interesting when we talk Kubernetes, we talk containers and we talk containerization. Now the other thing I think we'll hear about today is you can do containers without Kubernetes, right. This is nothing new for everybody on the webinar today; you probably know, we started here, we started there, right. Oftentimes these terms, these phrases, really just

(08:09) different things that we're discussing around this space often kind of mesh, and sometimes they don't have to, and so, to the conversation on that. No, I think it's interesting actually, because you say that and it's a good point. A lot of times, I used to be a pen tester and I used to advise customers about containers and container security, and they'd say, no, we're doing Kubernetes, and I would spend time with them and go, do you really, really need Kubernetes? Because it's quite complicated. Yeah, you

(08:33) could maybe just start with Docker and get some containers out there. I think for a while it's been that sort of thing where Kubernetes is very front of mind; people start there, and perhaps sometimes, you know, start with something simpler, start with serverless containers, start with the offering you might find that does what you need, and if it doesn't, sure, then Kubernetes is there, you know, it's not going away. Absolutely, and it's funny, we already mentioned serverless

(08:55) and containers and Kubernetes and orchestrators versus Docker, right. At the end of the day there are a lot of ways to solve challenges and problems within this space, and I think that's what this conversation is about today. So let's jump into it. My favorite question by far is: what is a container, or what is containerization, or what are containers? And a preface to that: what is the 2023 definition? Because that's going to be the interesting one. So go for it. Yeah, let me try and see what I can think

(09:28) of for this. Containers always come across to me, the way they've ended up, they've been used for lots of different things, but it's all about delivery and management of apps, and being this portable, independent way of doing that. What I always think of containers, or Docker, or containerization as being is like the Goldilocks solution, right. It's lighter weight than virtual machines and physical servers, but with anything lighter than that you start to have to

(09:52) change your app and change the way it works, whereas I think the delight of containers, the reason I like them so much, is you can take pretty much any application, drop it in a container and it works. You get that kind of "it just works" feeling, and that's honestly, as I said, even now after all these years of computers, that's the real thing. It's like, yeah, I did this in the world, which is nice. Yeah, and I appreciate the fact that you started the definition off with why we

(10:17) are doing this anyway: it is the delivery and management of applications. If I was to look, everybody's had this conversation, whether at a KubeCon or talking with other peers or different customers and so on, but at the end of the day we often have a lot of opinions about the technology, we have to have a lot of opinions about why we love our certain piece of technology, but really we are talking about delivery of applications and we are talking about management of applications. So

(10:51) why make that distinction in your mind, that the fundamentals of this are about application delivery and bringing value, versus let's just jump to the tech? Yeah, I mean, I think I suppose I kind of come at it from that point of view because it's like, this is a use case, it's what you actually want to get out of it at the end of the day. And I love the tech as much as everyone else; I can spend hours tinkering around with the

(11:16) details of exactly how you configure them, and for me it's how you secure them or break them, all this sort of stuff, but yeah, I think you can lose yourself there. And I think whatever you do, it's about solving a business problem, and to me that's the business problem containers solve, and hopefully the one they will. I don't see it changing. You kind of get this hype cycle affair where people are like, it's going to go up and it's going to die; for me,

(11:38) containers have come through that now and it's a steady state where I don't see anyone saying we're going to replace containers. I don't know what you'd replace them with; they're here to stay. Yeah, absolutely. You know, it's funny, you come from your point of view, I'll bring my point of view. I started as an infrastructure admin and architect, right, and really my entire world was centralized and focused on infrastructure, and I think what's occurred over

(12:05) history, I always laugh because, look, I worked in a Fortune 150 organization, my job was infrastructure and security and enterprise management, and that was definitely a little bit of a love-hate relationship with application owners and application teams at the time. But what's evolved is there's now almost, I don't want to say a marriage, but there's a closer-knit relationship between the infrastructure and the applications that has occurred, whether it's

(12:35) technology or bringing down barriers and so on, but I actually think containers have helped bring that closer together, right. That marriage, that partnership, is even more solid today between the application owners and the infrastructure, or now even DevOps or platform teams. So I love to talk about kind of the maturity of containers and containerization. Yeah, I mean, I go back far enough that I was in IT

(13:06) security in banks, a world where everything was on-prem and the concept of cloud was just that, and you're right about the move there. I also remember that when we did projects there, you would talk in months to do a prototype and years to get a project, and now it's hours, or even less than hours, to launch an entire application in a cloud account using a container. You could have it done in 10 or 20 minutes tops, no problem, and that change is just vast. It's good because it obviously means everyone

(13:32) can do things quickly, but for the security person it's bad, because things change so quickly that knowing what's going on is much more difficult than in a world where you could have static firewalls and a change request that goes through. That world is long gone, and I think, hopefully, now people in the world I come from have realized that it's not coming back, right; we're not going back to that world. Yeah, I have no desire to go back to the weeks, or even

(13:56) hours, of time it takes to get applications and infrastructure deployed and provisioned. And since we're talking about dating ourselves, you mentioned it earlier: I was working on CIS benchmarks over 20 years ago, for physical servers and Windows and Linux machines. So, you know, it's funny how the technology changes, but, as I mentioned, applications and management of those applications and providing value to the business, as you said, is really what this is all about. So, very, very good,

(14:28) one last comment on that. No, I think, yeah, well actually, the other thing I'd continue with on what they are now, and the other thing that struck me, is the complete merging of terms. So if you look at serverless: serverless and containers used to be distinct, and now they're not distinct anymore, right, because you can run containers in Lambda quite happily, and any other serverless service you choose to use, most of them will allow containers. That's where it comes down to this piece of it

(14:53) literally being app packaging, because the underlying tech is now, yeah, pick your underlying tech, there are a hundred different ways to run containers, but what stays constant is what you're using them for, or should be what stays constant. Yep, it's getting back to the basics. So yeah, that leads to this next question, right: containers are nothing new, but in some cases, whether it's culture, whether it's that you're new to the industry or new to the space,

(15:19) where does somebody get started with containers, and where do you believe they should begin? You can be a little bit opinionated here and flesh it out: where do you think folks should get started with containers? If it was me and I was going to start with containers, where I would start is with a virtual machine running Docker, right. Docker was originally meant to run on Linux VMs; that was where it came from. That is the simplest and least interfering solution, because you're not putting any more layers in place, you can

(15:49) go and inspect everything. One of the great things I love about Docker is it's all just Linux, so you can use Linux tools to inspect exactly what that container is doing. You can build that understanding before you start adding those extra layers of complexity, before you start trying Kubernetes or serverless or anything like that. I'm a great fan of the traditional, it doesn't feel right calling it traditional, but it has been a while now so maybe it's traditional, Docker VM solution.

(16:15) I don't even know where to comment on that, traditional; some folks may not like it, but it's been around for a few years, right. So Docker is the starting place, right, simple getting started. Let's take it up a little bit further: if you're an application developer, if you're looking to get started and create a small service, whether it's, I don't know, a simple API request, whatever you're looking to get out of it, besides Docker,

(16:47) what are some of the areas that you would focus on in that initial journey of creating your first container and creating the first application in that case? I think I probably would start off with looking at how you build your application into a container. Look at the Dockerfile. I mean, again, Dockerfile syntax gets a bit of hate and a lot of people will talk about it and say they want to do something different, but I actually like Dockerfile syntax because I can read it, and I'm a great fan of

(17:13) simple tech: make it as simple as you possibly can, because when you come to debug it you're going to be happy you did. So I would keep it really simple: get a Dockerfile, get a basic base image, and then just start adding statements and try to run up each one. That's what I used to do: run it up, add a new statement, what does that do to my container, does it work, does it fail, nice and fast. And then once you've got that base running and you've got your image the

(17:37) way you want it, then you start thinking about Compose, and you can start thinking about, I want a database, I want multiple containers, but just slowly building that up from that solid base. But do take time to understand Dockerfiles; I wouldn't just take them off the shelf and reuse them. It's not the hardest syntax, I think, so it's worth doing. Absolutely, and we're talking Docker, we're talking containers, getting started, right: there are so many containers or artifacts that vendors

(18:05) have provided, that different providers have created and developed, whether it's for databases or observability or any of the tooling in and around this space, and obviously at Cloudsmith the concern is definitely the proliferation of packages, including Docker, including everything that goes into a container or into an application, right. It's the artifacts, it's the package management. So what are some of the things that you think, in that getting

(18:37) started, right, besides obviously using Docker at the beginning of the journey, what are some additional areas, maybe outside of Docker or even into some of the open source areas that fit into this space, that someone should begin to look at as that next step beyond Docker? Yeah, I think the next step beyond Docker, I suppose, well, it depends on your goal at that point. I mean, if you wanted to go to the cloud then you want to start looking at basic cloud stuff: how am I going to hook these

(19:07) things together, because a container on its own probably isn't going to do everything you want, so you're going to start looking at that and start trying to build up. One thing I would say, because you mentioned that there are a lot of artifacts that come from lots of places: the issue there starts to be this issue of trust. As soon as you head towards production, be super careful with trust and container images, because a lot of people get this one wrong. You know, there are eight million different

(19:29) images on Docker Hub, and there are about 150 you might be able to trust, depending on how you feel about it, so be super careful with that. That's my security person; I can't talk too long without my security person's hat going on a little bit. So always be careful there. But then it's about building it up and saying, well, do I need to do load balancing, and how would I do that, and then it's kind of, I feel, where you split your journey,

(19:53) right, because you probably want your cloud of choice, so everyone's got a cloud of choice, and at that point you get that very, very complex world of cloud, but that's where you probably end up next, trying to start scaling, to start thinking about how am I going to do this, I'm going to bring it to production, I mean it's a production app rather than something sitting on my desktop. You get CI as well and all that kind of stuff, so there's a lot to think of. There is a lot to think of, and

(20:17) I think in a follow-up episode we're actually going to dig deep into the security topics, but the one thing I heard there is, while there are so many available images out on Docker Hub, you probably can't trust too many of them, and we're starting to see more and more attacks and more sophistication in that. And so, going back, actually, you said it: my security hat will come on pretty quickly too. So no matter what you're doing, whether you're creating an application in a

(20:49) service and in a container or from a traditional monolith perspective, right, security is always at the forefront. So my next answer would be: always take security as that next step, especially once you go to production and you start looking at issues with clouds and where am I going to be running this, IoT and the Industry 4.0 area, which looks for things even more, that kind of expansion there, right. So it's interesting, as we

(21:19) get started in this, that, let's start simple, but quickly it's going to expand to other areas that are valuable and important and that we definitely need to think about. So that leads me to the next question. Some of the folks watching today, and that will be watching in the future, are seasoned, they are veterans, right. You used the term traditional for Docker, which I think is still funny, but let's take those folks who've been using and building applications in and around

(21:54) the container ecosystem: where should they think about, what should they think about, and what are some of the next steps that they should take on this journey? I think it's an interesting one. I think there's obviously a lot going on, and that's one of the great benefits and challenges of the container ecosystem: how fast it moves, and the constancy of the new things. You know, I do this thing every four months, there's a Kubernetes release and I trawl through the changes every single release, the printed

(22:23) ones, and this one coming up in April, there are 90 new changes I'm combing through, so it's a huge quantity. In terms of things that are actually interesting, which I think are worth looking into if you're seasoned: one is we have this concept of containers being ephemeral, right, we all know that containers are ephemeral, they come and go, but Kubernetes clusters maybe not so much. I've seen a lot of people, unfortunately, fall into this trap of clusters being like pet clusters, and this is really, I think,

(22:49) a tricky one, not just security but from a maintenance point of view: people need to get practiced at destroying and recreating clusters, trying to get to this clusters-as-cattle concept, because without that, maintaining and upgrading becomes a nightmare, and if you've got a lot of clusters you see organizations trying to go back. One of the things I do, one of my little hobbies, is I scan the internet every day for Kubernetes versions, because a lot of

(23:18) clusters expose their versions, and the number of clusters that are falling off the supported curve and going into unsupported versions because they're not in this kind of practice, so that one, how do I maintain these things, is really, I think, a key one. Another thing that I suppose I would be investigating is a bit more mixing serverless and things into your clusters, so this idea that different workloads could work differently. I think, personally, just a personal opinion, I think a lot of

(23:45) people will end up with Kubernetes plus serverless containers as their eventual solution, to get away from a lot of the management headaches and a lot of the problems that underlie, like maintaining, again, this maintenance problem, trying to get down the amount of time you have to spend on maintenance. It has its own set of problems, but I just have this feeling that the happy place will end up being there. So if I had clusters and I was thinking about what I want to do this year, I'd be investigating

(24:06) serverless containers if I hadn't already; I think that's an interesting area. Yeah, you know, we talk about businesses needing applications and delivering applications, from an application delivery perspective; you bring up the topic that just because you think you need to run it on Kubernetes or on this particular piece of infrastructure doesn't necessarily mean it has to. I mean, there's even a question in the chat, and the question is from,

(24:35) I believe it's Bibik, if I'm mispronouncing it I apologize: for a front-end app using React, do we use a container or a CDN? Now I don't think there's a perfect answer for this. I don't think you're going to be able to say you should use X or you should use Y, but I think what's interesting, and we'll talk about this a little bit, I'm curious about your opinion, I've always been a fan of run the application where it makes the most sense for your business, for the requirements,

(25:03) for the security, right, for the touch, like there's obviously data resiliency, there are lots of things that go into it. But that being said, just because you're running or creating an application, it doesn't necessarily have to be a container, or maybe it is serverless, or maybe it's a function, or maybe it's those types of things. So what are some ways, for not only the audience but just in general, we in this space, what are some steps we can

(25:31) take to get to the right answer, or the closest to the correct or right answer, for our organization? I think you end up having to look at the trade-offs you're going to make, and there are quite a few of them. So the advantage of containers, and this is the big promise, is you can run the app in test and dev and CI all the same way. Serverless, that's trickier, but serverless has huge advantages for bursty applications, you know, where suddenly I need to do a thousand requests where previously it's

(25:59) running quite slow, and so that's the kind of thing where you start thinking: it's to do with this style of application, what sort of coding you're using, is it greenfield or are you porting a legacy app, in which case containers or VMs are probably going to be your answer, because, yeah. That's why I always think with serverless: serverless has its place, but I could never see it replacing containers or VMs until everyone gets

(26:23) rid of legacy, and I'd love to be there on the day when all the legacy goes bye-bye, but I don't think I'll ever see that one. No, so yeah, I don't think legacy is going anywhere. It would be nice, it would be really awesome, but there's a reason mainframes and the AS/400s and all of these things are still sitting in data centers, and hey, it is what it is, right. I think that's the key, right: we're still trying to solve business problems, deliver value to the business, but at the end of

(26:57) the day, just because we needed to run in Kubernetes doesn't mean it needs to run in Kubernetes, right. I actually put that in one of my, I wrote a predictions blog a couple of weeks ago, and in that I actually talked about how we have made our lives so complex just because of our opinions or our technical choices, which has nothing to do with what we're actually trying to do, which is deliver applications. Yeah, the complexity point you make is really, really good, and it's the one that always worries me, because even Kubernetes, an

(27:28) important thing to know about it is it's not a full solution. By design they say certain parts of this stack are not our concern, you need to go and get additional things. So you're going to need CNI, you're going to need storage, you're going to need networking, you're going to need authentication solutions, you're going to need admission control; there's just a whole stack of additional things, and I look at that and go, that's horribly complicated for a new company, and that's coming up to this point: I probably don't

(27:50) want to start with Kubernetes unless you kind of have to. Start with something somewhere around containers, you know, a serverless container solution that lets you scale; it doesn't have all the additional complexity. And yeah, so the complexity one is probably the bit that worries me the most about how people are doing containers. I've been doing this for, as I said, eight, nine years now of containers, and I still learn things every week. Oh yeah, you will never stop. But it's interesting, you didn't even

(28:19) mention observability and monitoring and traces and all of that fun stuff. There really is, right; I've had an in-depth view of the service mesh world for years now, and obviously observability and the different components and pieces. Complexity is not necessarily a bad thing, and I want to be careful with that. Actually, as I reread my predictions blog after it got posted, I was like, wait, some folks might actually see that I was negative in some way towards containers or Kubernetes, in that

(28:52) sense, but at the end of the day, delivering value to the business and helping reduce that complexity, however you choose to solve it, is always the right answer for the organization. Obviously we have opinions, and there are going to be trade-offs, and we've been doing this for a long time, so it's definitely fun to see the maturity. But really that is that next step for the seasoned veteran: how to maybe reduce some of those complexities and make their lives a little

(29:21) bit easier. You mentioned something, and I want to go back to this, because you actually said containers, or the ecosystem, whether it's Kubernetes or serverless or all of the necessary components in and around containers, it moves so fast. What are some practical ways that you have found to stay on top of the very fast moving, I would call it a large ship at this point, yeah, sorry, Kubernetes joke in there, but how do you handle that, what are some

(29:58) tips and tricks for moving so fast and staying on top of it? I guess it depends on how focused you are. If you're super focused on it, weirdly one of the best ways is actually participating in the project. There are Slacks for Kubernetes, and you can join SIGs, so if you're interested, that's one of the best ways to actually find out. I've found so much information I wouldn't find otherwise by being in the right channel on the Kubernetes Slack, and there are some really great people

(30:24) there who are very helpful. That's a good one. Social media is a perennial favorite, whichever social media platform you're on these days, and there are people on different ones, but places like LinkedIn, Twitter, and Mastodon, which has started to become more popular; I've found certain technicians there. The challenge there is now you've got like three to four different social networks to hang out on, and even places like Reddit as well; Reddit's great, there's

(30:48) lots of good information if you find the right subreddit um there's good info so is kind of this journey where you're just like sucking in information and then it's like where do I focus because you can't yeah cover it all um and then just like trying to nail it and the other one if you get super like if you get super deep with kubernetes especially at Docker as well you will find GitHub is weirdly the best sometimes the only place to find your answer I have on multiple occasions now you spend some hours in other GitHub

(31:15) issues or the code itself belonging around trying to find what I want um so that is like that's generally you know if you really want to know the depth that's probably where you have to hang out is GitHub and actually start looking at PRS and issues which you know you have to be kind of like either very interested or you know really needing that information though speaking of social media this would be a good opportunity to plug uh your what's your Twitter handle if you don't mind and Mastodon right my Twitter handle and

(31:42) generally my handle almost is the same thing it's Racine which is r-a-e-s-e-n-e for a very geeky reason um which is basically when I started getting into to kind of like the internet um it was a handle of a game I was playing I was a name in a game and it was the one thing I could find that no one had taken so you could go to any given website and have that name um and and that lasted me like for you know last 20 years so it's been you know it's worked out pretty well you don't have a very common you know

(32:12) name I would say in the tech space uh neither do I by by chance uh maybe maybe because of of our lineage and Heritage um and where we come from uh my handles are not as cool as yours uh I chose my handle because there was a photographer who beat me to it at one point in time uh he had Sean or at Sean Odell so I am the Sean Odell that was long before anybody at a d before so I'd like to consider myself I was cool in that sense uh but that mind does also stretch across Mast and on GitHub uh LinkedIn all of the uh you know necessary mediums

(32:51) and platforms. So definitely, Rory is a great follow. I'm kind of a terrible follow at times, because I like to delve into other things that have nothing to do with technology, but you should follow anyway; it's always kind of fun. All right, let's get back to the topic at hand. What are some of the challenges? This is so broad that I almost wanted to narrow it down, because even in the chat some of the folks are already articulating some of the challenges they are seeing. But what are some of the,

(33:19) let's start with the two top challenges that still remain with containers and containerization, and then how do you think they will be solved or overcome? Let's just start with one; we'll discuss it and then we'll shift to the second one. To be honest with you, I think we've already touched on these, because they go all the way through it. The one that I probably find the hardest, or one of the biggest

(33:45) challenges, is complexity. We're building ever more; every month there's a new thing that comes in, and it's more complexity. I think there's going to have to be a point where companies rationalize and say, actually, do I need these 20? I know you said before, if it's bringing value to the business, great, but is there some complexity that maybe isn't bringing value to the business, or maybe could be done in a more simple way?

(34:09) For my money, that's how I would be thinking about it, because I just look at some of the stacks now and go, how does anyone get their head around and understand what's going on? They have a massive team attempting to solve the infrastructure, operational and platform challenges instead of focusing on their core business value, which is just delivering applications, right? I know that one gets to some people when you start to talk about that, like we might have

(34:40) overdone some of this, in a lot of ways. And when we talk about challenges, I think that's actually true. You mentioned complexity; we've talked a little bit about security. We're not going to dive too far down into that one, but security comes up in every conversation, every day. There are so many different attack surfaces, attack points; there are new benchmarks or new findings or new this,

(35:12) right, and it moves fast. So let's talk a little bit about security. We'll actually look at this a little bit in the follow-up question as well, but if you were to look at the security challenges of containers today, can you rattle off a few of those that you think are super valid and important? You don't have to go too far into the weeds, but just at the surface, what are some of those challenges that you can see for the folks? I

(35:40) mean, the first one is "everything exposed on the internet", is the way I would put it to begin with. We've gone from a world where things were not directly exposed, and the problem with everything exposed on the internet, Kubernetes is a good example: there are around 900,000 Kubernetes hosts directly connected to the internet, and that means that one mistake in your authentication, or one bug in Kubernetes (it's software, it has CVEs), and that will get you

(36:06) in trouble. We've gone to this very hyper-connected world, and quite timely at the moment, you've seen companies essentially losing staff and having to revoke their access. Well, all your clusters are right there on the internet, so how careful are you being? There are lots of different threats, and we've seen a lot of attackers doing things like compromising developer laptops, and again, all your stuff is straight on the internet. Before, you could maybe cut off all their

(36:30) access by getting rid of a VPN, right? That's the old way it used to work; everything went through the VPN. Now you can't do that anymore. If someone compromises one of your developers' laptops, you're going to have to scramble across how many systems? Do you even know where they are? You mentioned observability: do you even know every service that your people have got access to, so that when that happens, you can react quickly? So that combination of exposure plus attackers is big. The other one, which obviously is

(36:56) getting a lot of press, and rightly so, at the moment, is supply chain, which is another complexity problem, because we've got all these applications that have hundreds of libraries sitting underneath the actual code you've written, and now it turns out that attackers have worked that out. Weirdly, I always think of security people as being like Cassandra: you make prophecies that no one will believe. I actually did a talk in 2015 about this exact problem, about supply

(37:24) chain security: what happens if an attacker takes out one library that you use? And there's really no great solution. Luckily there are people working on that now, and it's getting better, but still, that's the one where, do you know about every application library that you're running? Do you know who wrote it? You probably don't know who wrote it. Do you know what their situation is, who they work for, what their background is, how secure they are? No, you don't know that either. You don't

(37:48) probably know who they are, even if you know all of the versions you've got. So it's that kind of lesson of the complexity problem. Those are the two that I really think about a lot when we're looking at this space. Yeah, absolutely. And obviously, from Cloudsmith's perspective, this is the question we get asked on an hour-to-hour basis, talking with customers and prospective customers and prospects and all of that. Look, supply chain is, in some ways, we've solved some complexity

(38:17) challenges with CI/CD, continuous integration, continuous delivery, continuous testing, building runbooks, and we've actually solved a lot of the complexity by automation. But when you inject, as you said, one compromised library, that entire process and pipeline and supply chain is now compromised, and the challenge I see is nobody has a clue where it is. Where did this happen? Why did this happen? What systems were affected? How many containers do I have running

(38:55) out there that are now compromised because of this? So this is probably, I don't want to go too far into this; we could sit here and talk for hours about this specific subject. In our follow-up to this, we will actually dive deep and drill into some of those challenges and talk about a lot of the intricacies. I mean, we haven't even mentioned SBOM yet, right? We've actually mentioned the concept, but we haven't talked about

(39:23) the components of an SBOM; we haven't actually talked about it in general. So it's interesting how all of this goes back to a new introduction of technology. With containers, we solved a problem here, then we introduced a little bit more complexity, then we solved another problem there. It's just this continual process that we're on, which I think is a good thing, but at the same time it can also be a struggle and a bad thing.

(39:50) So, any final comments on the topic around container security, the problems that we're trying to solve, and obviously the supply chain attacks that you mentioned? I think, yeah, we're right, we have got supply chain problems right now. It's good to see, and I'll mention the OpenSSF, if people haven't looked into what the Open Source Security Foundation is doing: a lot of great work on addressing this problem. It's not a quick fix. This is the thing that I think is a big challenge

(40:15) with supply chain: no one can tell you "just do this and you've fixed it". They can help, they can provide you with tools, they can provide you with advice, but they cannot fix it quickly. It's going to be a problem forever. And again, I would bring it back to the message I had before about complexity, about trying to reduce complexity. I try to think of library dependencies as being kind of like nuclear power, right? It's great, you use them, they get you there faster, they

(40:41) do something for you, but then you have to manage the radioactive waste, and that's all the maintenance you have to do on all these libraries. So every time you add another library to a project, think about that: that's more radioactive waste I then have to manage. It's a cost. And hopefully that might, I think, for me, one of the best things you can do to help your supply chain security is to say, do I need 500 libraries here? Can I maybe get that down by 100? If I

(41:05) have, fantastic, I've just made my life easier. That report that says "hey, these vulnerabilities" will be somewhat smaller. It's all about that journey to try and reduce your complexity again. Yeah, limiting the attack surface is the biggest challenge in that sense. So, to close things out, we've talked a lot about containers, Kubernetes, obviously exploring serverless containers, and really just in general about application

(41:37) delivery and the challenges in and around the space. So, as a last question, I'll give you an opportunity to open this up and talk about your remainder of 2023. What are some things that you're going to be focusing on in and around this space that maybe we've talked about? If you could detail where you are looking to focus, or maybe some of the things that you're hoping we solve in and around this ecosystem based upon these challenges we've

(42:06) discussed. Yeah, I think in terms of the focus I'm going to have, it's going to be around intended complexity, Kubernetes. One of the things I'm actually interested to do, and I talked about fundamentals: I've actually started doing some posts around fundamentals, trying to do some stuff around "here are containers and here's how they work", because I think the best thing I ever did when I learned containers was go down to the basics and work my way up, because now when I get a new

(42:30) thing, it's just a little bit extra, and I have this base to sit on. So if I was advising people, that's the thing to do: work from that base and work your way up, know what's going on underneath the covers. In terms of stuff, that will be one for me: trying to explain more to people about that. I think the other thing is just trying to keep up with Kubernetes. There's a new, so the way Kubernetes does admission control, there's a new inbuilt version of that coming along which is going into

(42:53) alpha in the next release. So it's going to be that constant process of what's coming with Kubernetes now, and can you keep up, along with keeping up with all the other things. I think we've been doing, yeah, there's just so much to do in finding that focus, and I think you actually said it a couple of times: nobody can solve every problem, right? There are a variety of challenges; some of them take very specific focus and niche. I laugh, back in the day, when we started getting into

(43:23) traditional monitoring tools, and Microsoft MOM, and the build-out of all of those toolsets, there was always this idea of having a single pane of glass, and I've never subscribed to that. I do not believe in that; it's nearly impossible. So as we go into 2023, I look forward to every organization, every open source project, whether commercial organizations, governing bodies or SIGs, obviously

(43:56) really just everybody in this ecosystem, solving what they know best and focusing on that. Obviously some folks are far better at different areas than others; different individuals have different expertise and different focus. So to me, that's going to be the biggest thing for 2023: not trying to solve every problem, but trying to solve each of the little ones here and there, and as we solve each of those smaller problems or chunks, it's

(44:30) going to take a big effort by a lot of different folks to do it, but I think we can get better than where we are today, and that will definitely help out in this area around containerization. So, really excited for what is happening in this space, and I really want to thank you for the time coming in and talking. As I close out today, I want to bring up a few things, especially for you, Rory, because we have KubeCon coming up in April. So if you

(45:00) don't mind, tell us about what you're going to be doing at KubeCon: any sessions you might be a part of, or any of the SIGs and the different things that you will be taking part in. Yep, the main thing: we're doing a talk at KubeCon with SIG Honk. So it's myself, Brad Geesaman, Ian Coldwater and Duffie Cooley, and we're going to be talking about container vulnerability scanners and how potentially to work out what's called "malicious compliance". The

(45:27) talk is about how clever people could try and get past all those nice controls we put in place, like container vulnerability scanners and controls, so it should be interesting. I'm looking forward to it. Absolutely, yeah, I am as well, and obviously you mentioned some fantastic folks besides yourself on that team. I had the privilege of working with Duffie at VMware, fantastic, and obviously Ian is well-known and well-respected, and if you ever see Ian, obviously honk, because that's very important to them. So

(45:58) definitely bring that up. A couple of other things from a Cloudsmith perspective: we obviously are super excited and thankful to have all of you here today. Some of the things we are going to be doing: we will be at KubeCon as well; I will be there and I'm looking forward to that. We as an organization have updated our Terraform provider, so you can manage Cloudsmith with Terraform. And then a fun one: as we continue to add and expand into upstreams, which is something we're looking to do, we've had

(46:26) npm and Python from an upstream perspective; they're both in early access. As of now we support 28 different packages, and we're going to continue to expand that and offer upstreams for those. Our customers are loving that; it's becoming a common theme: hey, we need upstreams, we need X. So it's good to hear. And then the other thing is, not only will we be at KubeCon, we will be at the London Tech Show next

(46:53) week, and then I will be in lovely New York City the week after. But the other thing that we want to announce today: we are announcing Unpacked. Unpacked is a conference that Cloudsmith is putting on, focused on DevOps, package management and supply chain security. This will be virtual, and we're going to be having this in a couple of months, so if you go to

(47:48) We would love to have you sign up; go check it out. We haven't announced a full speaker list yet, but we're going to be getting there. I'm excited about that as well. And so with that in mind, Rory, I just want to say thank you. You've been a fantastic guest; I appreciate the opportunity to speak with you and have you provide your expertise today. Thanks very much. Absolutely. Well, thank you everybody, have a great rest of the day wherever you are, morning or afternoon, and we look forward to seeing you next time.
