Security for cloud native a key topic at CNCF's KubeCon + CloudNativeCon EU

September 3 2020
by Fernando Montenegro, Matthew Utter


While the worldwide health crisis caused by COVID-19 has severely disrupted economies, the conference circuit was hit particularly hard – events attracting thousands of participants from far-flung corners of the world are potential super-spreader events and unlikely to be held in person for months, possibly years, to come. Yet technology progress moves forward, making do with virtual events if real ones are not possible. The Cloud Native Computing Foundation (CNCF) just held a virtual edition of its annual KubeCon + CloudNativeCon EU, and the result was positive, with significant participant interaction and new announcements, even if with reduced sponsor participation. As the technology around cloud native grows in scope and complexity, security-related discussions grow in importance, as well.

The 451 Take

Faced with the challenge of a last-minute cancellation of its KubeCon + CloudNativeCon EU physical event, the CNCF first postponed it, and later converted it to a virtual format. The result worked well, with the event now being available to a much broader audience while retaining much of the atmosphere of previous events.

As the community came together (separately), security for cloud-native environments was one of the key themes. Between the talks and sponsors, we see not only progress in understanding how to secure cloud-native environments, but also that this challenge is increasingly being answered by security vendors and the broader technology ecosystem itself. This is important because it significantly shifts the dynamics of how customers choose technologies and partners – both internal and external to the organization – to implement security functionality.


KubeCon + CloudNativeCon EU is one of three flagship events hosted by the CNCF. It is usually the first event of the calendar year, followed by a smaller edition in China in the July timeframe and a larger North American version around November. After it switched to a virtual format this year, the conference saw approximately 18,000 participants from all over the world.

As with the in-person events, virtual KubeCon + CloudNativeCon also hosted 'day 0' events that focused on more specific themes. For this virtual version of KubeCon + CloudNativeCon EU, there were separate events focusing on serverless technology, service mesh and security.

The CNCF recently oversaw a change in executive ranks. Pryianka Sharma, formerly of GitLab, has taken over the reins as the new executive director, while Liz Rice has taken over as chair of the technical oversight committee.

As is common at CNCF events, the keynotes included relevant updates from the foundation and the broader community. Sharma emphasized the role of 'doers' as part of the broader community efforts, and shared that there are approximately 6.5 million 'cloud-native developers' across the world. There has also been a significant rise in the number of certified Kubernetes administrators and developers. The CNCF also recently announced a new security-centric Kubernetes certification.

Security a key part of smaller expo hall

As it dealt with the disruption from the pandemic, the 'virtual' expo hall at the conference shrunk substantially when compared with the live one from last year. In 2019 there were 143 vendor sponsors, excluding media partners, end-user sponsors, diversity supporters and other categories. This year, the total number was 82.

Figure 1

KubeCon + CloudNativeCon EU Sponsors (partial)
451 Research

As it relates to security offerings, though, the picture is rosier, reflecting the increasing importance of security for cloud-native environments. The chart below illustrates this point. The chart tracks three types of vendors: 'security pure-play vendors' (pure), where security offerings represent a totality or a significant portion of their offerings; technology vendors (yes) with security offerings representing part of a broader technology portfolio; and technology vendors (no) without security offerings.

As illustrated below, the combination of vendors with security offerings (pure and yes) grew from a little less than 30% of the overall number of sponsors at 2019's event to just shy of 40% this year.

Figure 2

Proportion of Sponsors with Security Offerings for KubeCon + CloudNativeCon EU
451 Research

As security functionality makes its way into broader technology vendors' offerings, these vendors start to highlight these capabilities as key use cases or key features. A subset of cloud providers and technology vendors with security offerings includes AWS, Microsoft Azure, Google Cloud, IBM, DataDog, Elastic, Hashicorp, Splunk, jFrog, VMware and Cisco, among others.

The list of pure-play security vendors includes Palo Alto Networks, Aqua Security, NeuVector, StackRox, Tufin, Styra, Snyk, Sysdig and Scytale (now part of HPE), among others. Bridgecrew is one of the newer vendors, offering a DevOps-centric approach to securing cloud-native environments.

Given the importance of open source and community projects within the cloud-native ecosystem, it's no surprise that several vendors have highlighted some of their key projects. Aqua Security's Trivy image scanner has been picking up interest, as have Sysdig's Falco runtime security engine and Styra's Open Policy Agent project.

Security trends

There was an undeniable growth in the presence of security content and conversation throughout the event. Security was one of the three topics with its own dedicated pre-conference event – it was discussed in keynotes and in different tracks.

Fueling the rise in importance of security for cloud-native environments – many of the discussions were centered on Kubernetes as the execution environment – is the fast-moving process of increased complexity and a related issue with cluster sprawl.

Kubernetes environments have numerous moving components, and the technical complexity is just part of the puzzle for many organizations as they adapt to new technology and new working methodologies such as DevOps. The inherent flexibility and expandability of Kubernetes – it supports concepts such as custom resource definitions (CRDs) and automated operators – presents an ongoing challenge for those looking to secure those environments for production use.

As organizations improve their understanding of Kubernetes environments, one common pattern has been the creation of numerous separate clusters for numerous reasons, including to make more defined 'trust boundaries' between applications or teams. This has led to significant overhead for operations teams, and has consequences in terms of sub-optimal resource utilization and potential security issues.

While the community works out better mechanisms for managing multiple clusters, vendors have responded with different offerings tackling the issue. VMware Tanzu, Google Anthos, Azure ARC, Rancher and many others offer cluster management capabilities with increased support for security use cases.

The recognized need to better codify rules for numerous scenarios – including security use cases managing clusters – has led to a swell in support for the Open Policy Agent project, which defines a separate authorization engine that can be used in many scenarios. OPA uses the Rego policy language to express the necessary business logic in code, and can be easily integrated into policy enforcement points such as Kubernetes admission controllers.

There has also been increased interest in the Falco project, which provides a runtime security module for container environments, and in the Trivy image scanner.

The virtual experience, soon to be repeated

It was sheer calendaring happenstance, but KubeCon + CloudNativeCon EU was one the early high-profile victims of the upheaval in conferences caused by COVID-19. The organizers were quick to initially postpone the physical event to the summer, and when faced with the growing pandemic, switch to a virtual format.

The timing was beneficial – the CNCF was able to learn from other online events and apply those lessons to delivering a large-scale event. The platform chosen was Instado (INXPO) for hosting and streaming, with support from Sched for scheduling and Slack for real-time communications. The combination worked very well: The overall experience was very fluid, particularly the expo hall areas; there were very few video glitches; recordings were available immediately after airing live; and scheduling annoyances were minor. The back-end communication via Slack was well done and leveraged not only the CNCF's existing use of Slack, but also the fact that many participants were already familiar with the platform.

Still, the compressed calendar imposes broader challenges: KubeCon China was cancelled this year and KubeCon North America – typically the largest gathering held by the CNCF – is scheduled barely 90 days after KubeCon EU, which may lead to some event fatigue.