I didn’t attend Detroit last year, but did attend Valencia, and while it was great to be back at a reasonably large in-person event again, the event did feel slightly subdued.
I worried that the past few months of leaner times and layoffs for the tech industry might mean that this year’s KubeCon EU would also feel muted, for different reasons. I couldn’t have been more wrong.
I admit that my memory of pre-2020 EU KubeCons (and I’ve been to most of them) is a little hazy, but this year in Amsterdam felt like the biggest and liveliest I’ve attended.
I have a podcast version of this post featuring interviews with Slim.ai, MinIO, Incident.io, and HiveMQ below.
As every year, let’s start KubeCon with some stats.
KubeCon + CloudNativeCon Europe 2023 had 10,000+ onsite attendees and 5,000+ virtually. 58% of attendees were KubeCon first-timers, which is an astounding statistic but possibly reflects how many engineers got into cloud-native over the past few years when it wasn’t possible to get to any events. It actually felt like more people, but the venue (RAI) is well run and only occasionally did you notice any bottlenecks. One of the main places you noticed too many people was actually at the after parties. Possibly a sign of those aforementioned cutbacks, there weren’t enough parties and they were all too small to meet demand. But there’s not really much KubeCon can do about that; it’s very much up to the companies that organise them.
The CNCF now has:
- 800+ members
- 1,300 maintainers
- 200k contributors
- 159 Graduated, Incubating, and Sandbox projects
- 12.2 million contributions
- 52K+ community group members
I don’t feel there were any obvious new trends this year, but more consolidation and growth of established trends, especially around the stabilising of Kubernetes clusters.
Security, security, security
There were so many mentions of security analysis and security policies that I’ve written a separate post on the subject. But in summary, Kubernetes security is no longer just a case of access control and secure connections. It now includes defining cluster policies on all sorts of topics, and the big topic in the room of “software supply chain security”: ensuring that you know what is running in your cluster and that it is vulnerability free.
One announcement I won’t mention in the separate post is that the CNCF is increasing its work in fuzzing many of its key projects with OSS-Fuzz. Fuzzing can help find bugs that tests don’t find by providing invalid and random data to applications, and is a fairly well-proven method for increasing software stability.
Similarly, the CNCF took the opportunity to assess two of the key projects for supply chain security. The assessments of Argo and Prometheus were based on Supply-chain Levels for Software Artifacts (SLSA), which provides a framework for software supply chain integrity. In both cases, results were generally positive and you can read more in the official blog post. And finally, they also added to the list of projects that have received an independent third-party audit and re-audited Kubernetes. You can read the results in this blog post.
As I had spoken with them before, I grabbed a few minutes with… , a developer advocate at Slim.ai for my podcast. Listen below.
Continuing the theme of what I will term “Kubernetes responsibly”, in the past year, the environmental impact of cloud native went from a back-of-the-mind concern to an active undertaking. This is a topic I have done some work in over the past year, so any recent advancements pique my interest.
Currently, many sustainability tools operate on a provider level, with the three main companies all offering their own solutions.
Released last year, and mentioned extensively, was the Green Software Foundation’s Carbon Aware SDK, which offers APIs to allow organisations to audit carbon impact in a central location.
One other project comes from Red Hat: Kepler uses eBPF to export Prometheus-compatible metrics on energy-related statistics.
The AI-shaped elephant in the room
Strangely, AI wasn’t explicitly present at KubeCon, but many Kubernetes practitioners know that Cloud Native is the power behind AI model learning and interaction. I did see a few “CloudGPT-powered-X” booths and products here and there, but they were the exception, and generally smaller.
However, the question did come up during a press conference and the discussion around it ended up crossing over with other topics I cover here.
The argument was that the potential proliferation of AI-generated code could mean an even more crucial role for security and policy analysis. Companies will need to detect what code is actually running in their containers, and its provenance.
That aside, there was the wider discussion on how open source developers should handle models consuming their code, and it seems that the CNCF and the Linux Foundation more widely are still figuring out their stance.
Other news and interviews
Ahead of the event I arranged some interviews with companies that piqued my interest and don’t all fit under the headings above.
I previously covered the slim toolkit from Slim.ai and in the interview I am joined by Nnenna Ndukwe, developer advocate at the company, to discuss their new vulnerability scanning and hardening features.
MinIO is another company I covered previously. I speak with Daniel Valdivia, MinIO’s Kubernetes expert, to cover how their S3-compatible API helps users streamline object storage.
I speak with Christopher and Stephen about their new(ish) company that attempts to solve the human side of incident management. The company also had some awesome T-shirts that channelled their English roots with “Don’t Panic” emblazoned across them.
Dominik Obermaier joins me to explain why message queues may not be new, but there are still many niche use cases where companies like HiveMQ can excel, and for them it’s IoT and edge computing.