Pulumi CEO on the Challenges with Kubernetes
Pulumi CEO Cuts Through the Chaff, Describes Your Real Relationship with Kubernetes
In this episode of The New Stack Makers podcast, recorded during the KubeCon + CloudNativeCon conference in Barcelona, Pulumi CEO Joe Duffy discusses developers’ and operations folks’ relationship with Kubernetes and multicloud environments. Most developers “don’t want to have to think about, even, even at the level of Kubernetes, or finding is… it’s… it’s a very low-level set of instructions for developers to think about, forget the cluster,” Duffy said. “This is just the application model.”
Duffy described a bifurcation between infrastructure-management tools and Kubernetes-management tools. “People are struggling with that,” Duffy said to podcast host, TNS founder Alex Williams. “If you’re going to set up a Kubernetes cluster, you need to think about CloudWatch or ‘maybe I don’t want to host the database myself, maybe I just want to use RDS, Azure’s Cosmos DB or Cloud Spanner in Google’ — these hosted data services are really rich and easier to use than me managing my own data.”
Meanwhile, many organizations continue to struggle with cloud infrastructure, hosted services and Kubernetes alike. “We hear people struggling with the walls of YAML, for example, or with various templates and solutions for YAML or various ways of merging this and that with YAML and we hear, at scale, that it just is breaking down and not working right,” Duffy said.
Specific to his company, Duffy described how Pulumi’s software deploys and manages infrastructure across cloud and on-premise environments using a wide range of programming languages. It “is an infrastructure-as-code solution that sort of embraces Kubernetes in a first-class way.”
“Because of that, we can provision resources on any of the clouds, in addition to provisioning cloud native, you know, Kubernetes resources,” Duffy said. “So, we sit at a sort of an interesting vantage point where we are actually helping customers go into all these different managed clouds… and on-prem.”
Another key challenge Duffy said his customers are having is “going from not having a Kubernetes cluster to actually having a fully functioning Kubernetes environment that’s secure, ‘debuggable’ and reliable, that my team can use, and that’s the hard part because that is very different in each of the cloud providers.”
Security, in its many facets and for both the development and operations sides of DevOps, remains, of course, a challenge. But the foundation of security management, in Duffy’s eyes, can be traced back to the “one principle that has always stood the test of time, which is the principle of least authority.” “You do not grant access to perform an activity unless it’s explicitly requested or explicitly required, so the default is nothing should be exposed to the internet,” Duffy said. “No unauthenticated user should be able to do anything in a cluster, and then you work through and say, ‘okay, I’m going to onboard my team and I’m going to give them the least possible privilege to do their jobs.’”
It is then necessary to lock down the continuous deployment (CD) environments. “It turns out CD environments tend to be some of the most privileged — not many people kind of realize this because the CD environment is the one that’s typically going into production and manipulating resources and configuring things. Usually, you’re not going to give anybody on your team, other than super users, you know, the ability to do that,” Duffy said. “And so the idea is if you lock everything down as much as possible.”
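As an added illustration of the two checks Duffy describes (no unauthenticated subject should be able to do anything in the cluster, and CD identities should not hold more than their job needs), here is a small Python audit over Kubernetes RBAC objects. This is example code, not Pulumi’s or the podcast’s; the object shapes follow the Kubernetes RBAC API, and the sample roles and bindings are constructed.

```python
# Added example, not code from the podcast or from Pulumi: audit RBAC objects
# for the least-authority violations described above. Object shapes follow
# the Kubernetes RBAC API; the sample data below is constructed.

WILDCARD = "*"
UNAUTH_SUBJECTS = {"system:anonymous", "system:unauthenticated"}

def audit_rbac(roles, bindings):
    """Return findings for Role/ClusterRole and (Cluster)RoleBinding dicts."""
    findings, wide_open = [], set()
    for role in roles:
        name = role["metadata"]["name"]
        for rule in role.get("rules", []):
            verbs, resources = rule.get("verbs", []), rule.get("resources", [])
            if WILDCARD in verbs and WILDCARD in resources:
                wide_open.add(name)  # equivalent to cluster-admin
                findings.append(f"{name}: grants '*' on '*' (full admin)")
            elif WILDCARD in verbs:
                findings.append(f"{name}: wildcard verbs on {resources}")
    for b in bindings:
        bname, ref = b["metadata"]["name"], b["roleRef"]["name"]
        for s in b.get("subjects", []):
            if s["name"] in UNAUTH_SUBJECTS:  # 'nothing exposed by default'
                findings.append(f"{bname}: {ref} bound to unauthenticated {s['name']}")
            if ref in wide_open or ref == "cluster-admin":  # over-privileged CD identity
                findings.append(f"{bname}: {s['kind']} {s['name']} is admin via {ref}")
    return findings

# Constructed sample: an over-broad CD role, an anonymous binding, and a
# correctly scoped CD role limited to deployments in one namespace.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cd-superuser"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "cd-deployer", "namespace": "shop"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "patch", "update"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cd-superuser-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "cd-superuser"},
     "subjects": [{"kind": "ServiceAccount", "name": "cd-runner", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "cd-deployer-binding", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "cd-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "cd-runner", "namespace": "ci"}]},
]
```

Running `audit_rbac(SAMPLE_ROLES, SAMPLE_BINDINGS)` reports the wide-open role, the CD service account bound to it, and the anonymous binding, while the namespace-scoped `cd-deployer` role and its binding produce no findings.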
Duffy declined to recommend one cloud provider over another, specifically among AWS, Google and Azure, noting that Pulumi is a partner with all three. However, Duffy did note that Kubernetes “came out of Google and GKE is really solid.”
“A guy on my team, Mike, who used to be at CoreOS, likes to tell a story of how he spun up a GKE cluster on day one when they launched it, and ever since, he’s been pushing that upgrade button, and it’s never failed,” Duffy said. “It’s always upgraded to the latest version and I think, you know, Amazon is definitely hearing from the customers that they want to use Kubernetes and so they’re investing and they will get there.”
In this Edition:
1:55: About Pulumi.
3:52: The nuances of different cloud providers.
8:55: Networking security.
16:04: Helm and YAML.
16:47: Clusters as code.
20:56: Future work.
KubeCon + CloudNativeCon is a sponsor of The New Stack.