Platform engineering is a long and personalized journey, the growth of CEL adoption - beyond Admission Policy, and software supply chain, SBOMs and Cloud Native security
With over 9,000 attendees in person and an additional 5,000 joining virtually, the conference showcased once again the rise of cloud-native technologies and the importance of community collaboration.
This year marked Getup Cloud’s fifth time attending KubeCon in person and our first time at the Kubernetes Contributor Summit. It was also the first time we came with our very own OSS projects, to show them off and to engage with the community around CEL initiatives. In particular, CEL Playground made its debut at KubeCon/NA: we proudly wore our purple CEL Playground tee-shirts and took feedback from our amazing user community!
And talking about engaging with the community, what a proud moment when CEL Playground was mentioned by Google’s Cici Huang in her talk on The Path to Self Contained CRDs. It is gratifying to know that CEL Playground is fulfilling its goal of supporting and helping Kubernetes practitioners to work with CEL expressions.
Let's get to our Key Takeaways from the event.
The Rise of CEL
First some background if you don't know CEL yet. CEL (Common Expression Language) for Kubernetes is a relatively recent addition to the Kubernetes ecosystem. Developed at Google and open sourced in 2019, CEL has its roots in the broader context of cloud-native policy enforcement and was integrated into Kubernetes to provide a versatile expression language for defining and enforcing policies within Kubernetes clusters.
Originally brought into Kubernetes for enforcing policies, CEL now extends beyond Validating Admission Policy and encompasses various initiatives. CEL has been adopted for authentication and by Istio, OPA, Kyverno, and many other projects, showcasing its versatility and widespread adoption.
Google’s Jordan Liggitt and Microsoft’s Mo Khan delivered a great talk, The Future of Kubernetes Auth and Policy Config: Common Expression Language, discussing the various places where Kubernetes has adopted CEL to make auth and policy config more dynamic and featureful.
At Getup, we have two projects around CEL: CEL Playground, for learning and testing CEL expressions, and Marvin, our CLI tool for scanning Kubernetes clusters for misconfigurations and vulnerabilities, including 30+ built-in checks from well-known frameworks (PSS, NSA & CISA Kubernetes Hardening Guidance) plus your own custom checks written in … guess what, CEL expressions.
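As an added example (not code from this post, CEL Playground or Marvin), here is what one of the PSS-style checks mentioned above looks like when expressed as a Kubernetes ValidatingAdmissionPolicy in CEL: it rejects workloads that set `securityContext.privileged: true`. It assumes a cluster that serves the `admissionregistration.k8s.io/v1` API, and the namespace label `pss-enforce: baseline` in the binding is a constructed value.

```yaml
apiVersion: admissionregistration.k8s.io/v1   # assumes a cluster serving the v1 API
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-privileged-containers
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments", "statefulsets", "daemonsets"]
  validations:
    # CEL: every container must either leave securityContext.privileged
    # unset or set it explicitly to false.
    - expression: >-
        object.spec.template.spec.containers.all(c,
          !has(c.securityContext) || !has(c.securityContext.privileged) ||
          c.securityContext.privileged == false)
      message: "Privileged containers are not allowed (PSS baseline)."
    # Same rule for init containers; the list is optional, so guard with has().
    - expression: >-
        !has(object.spec.template.spec.initContainers) ||
        object.spec.template.spec.initContainers.all(c,
          !has(c.securityContext) || !has(c.securityContext.privileged) ||
          c.securityContext.privileged == false)
      message: "Privileged init containers are not allowed (PSS baseline)."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-privileged-containers-binding
spec:
  policyName: deny-privileged-containers
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchLabels:
        pss-enforce: baseline   # constructed label; adapt to your namespace convention
```

The two CEL expressions can be evaluated against a sample Deployment object before the policy is applied, which is exactly the kind of iteration CEL Playground is meant for.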
Security is Top of Mind for Everyone
One of the most significant highlights of this year's conference was the emphasis on security. The number of presentations around security, SBOMs, and software supply chain has grown significantly as security has become a paramount concern in Kubernetes and cloud-native computing environments, with attacks on commonly used OSS growing over 300% since 2021.
Brands like Boeing, American Airlines, and Volvo were on stage sharing their experiences and lessons learned in addressing security challenges.
I'd like to highlight the presentation from David Hadas, IBM Research & Roland Huß, Red Hat - All Cloud-Native Services Are Vulnerable, where they introduced how Security Behavior Analytics (SBA) technology can detect exploit delivery sent during client interactions and the project Guard, which uses machine learning to auto-learn micro-rules, quickly learning what deviates from the norm.
It was a great talk and has inspired us at Getup to consider integrating Guard into Zora, our open-source project that periodically checks all of your Kubernetes clusters through kubectl, looking for potential issues or vulnerabilities in deployed resources and configurations and helping to ensure that you are in compliance with best practices related to security, allocation and misconfiguration.
Platform Engineering emerged as a significant theme at this year's KubeCon. This approach, although very popular for reducing complexity for developers and operations staff by creating a golden path for deploying and maintaining applications, also presents promising opportunities for security, since security can be built into the infrastructure itself: from RBAC to network policies, secure images, and automated patching.
It is always good to invest in developer experience and security, but this can be a long, very costly, and personalized journey, so be careful with recipes. For a successful Platform Engineering endeavor, as explored by Rosemary Wang of HashiCorp in her lightning talk Choose Your Own Abstraction: Iterating on Developer Experience, it is very important to choose the right level of abstraction for each step, as each one has its own tradeoffs and benefits.
Generative AI in Cloud-Native environments is not a big thing (yet)
Although it is a hot topic, there weren't so many AI-related talks happening inside KubeCon. It is as if it didn't exist, or my expectations were too high. Most of the talks about it were focused on the infrastructure for AI/LLM rather than using it to solve day-to-day Kubernetes challenges. I could spot a few ChatGPT-like solutions, but they are not quite there yet. So if there's an AI revolution coming for the Kubernetes world, perhaps it will emerge at KubeCon/EU in Paris!
See you in Paris!
We hope to see you in Paris in March and look forward to incorporating all the great feedback we received from the community into the next releases of CEL Playground, Marvin and Zora! Until then, feel free to try out the CEL Playground and give us feedback or request new features by logging an issue on GitHub!
And don’t forget to check out our other Open Source projects: Marvin, our Open Source CLI tool for scanning Kubernetes clusters, and Zora, our Open Source multi-plugin tool for finding potential issues or vulnerabilities in deployed resources and configurations, helping to ensure that you are in compliance with best practices related to security, allocation and misconfiguration!