Cloud computing has become synonymous with enterprise IT, but let’s not get ahead of ourselves. Though enterprises now spend roughly $545 billion annually on cloud infrastructure, according to IDC, and 41% of that spend goes to the top five cloud providers, the reality is that a substantial amount of money, even “cloud” money, isn’t being spent with the big hyperscalers. Instead, it’s being plowed into other companies pitching Kubernetes and associated infrastructure. “Open and approachable” may define the future of the $500 billion cloud infrastructure market.
If you want to see the future of enterprise IT, you’d do well to pay attention to this week’s KubeCon in Chicago. As has been the case for years, open source is driving the future of enterprise infrastructure, with projects such as eBPF/Cilium, Tetragon, and OpenTelemetry playing major roles. But it’s not just about open access to code. If anything, these projects may benefit more from how they make difficult domains accessible to mere mortals.
eBPF, Cilium, and the programmable OS
Extended Berkeley Packet Filter (eBPF) is a Linux kernel abstraction that unlocks programmability for networking, observability, and security. eBPF can run sandboxed programs to safely and efficiently extend the capabilities of an operating system kernel without requiring changes to kernel code or loading kernel modules. A common refrain is that eBPF is to an operating system what JavaScript is to a web browser. It’s very, very cool.
But it’s also very elitist, in its way. Uber-geek kernel maintainer types have revered it since its introduction in 2014, but rank-and-file platform engineers were somewhat shut out. That’s why Thomas Graf created Cilium in 2016 to extend the power of eBPF to platform engineers so that anyone could use eBPF without having to be a kernel maintainer or understand the low-level primitives of operating systems.
Today Cilium is the de facto building block for cloud-native network infrastructure and is central to efforts to bring software supply chain security visibility and enforcement closer to the Linux kernel. Its footprint is so wide, you may not even know you are using it. It’s the default container networking interface for most cloud providers’ Kubernetes offerings, such as Azure Kubernetes Service, Google Kubernetes Engine, and Amazon Elastic Kubernetes Service. Last month it became the CNCF’s first graduating project in the cloud-native networking category, and it is also currently the third most active open source community in the CNCF, behind only Kubernetes itself and OpenTelemetry (OTel).
It’s not often tech makes the big screen, but such is eBPF’s and Cilium’s impact that at KubeCon this week, an eBPF documentary will premiere. For anyone who has been wondering what’s next for Kubernetes and cloud-native, these two intertwined kernel-level abstractions have become the frontline to watch.
Tetragon and security for distributed computing
During the past 20 years, we’ve seen major shifts in computing abstractions take us from scale-up architectures on very specialized hardware, to distributed computing via scale-out Linux machines, to guardrails and isolations via virtual machines, then completely opening things back up to orchestrate workloads across fleets of servers via Kubernetes. To keep pace, security has been in a constant state of reinventing itself: The shift-left trend put more security tools into the hands of developers, and software supply chain security is finally addressing a long-neglected challenge of ensuring the provenance of software artifacts.
To date, runtime security has been limited to the scope of particular servers or nodes. But with the rise in popularity of eBPF and Cilium, the common connectivity layer that is landing across clusters and on-prem environments has opened the door for much richer telemetry data and much finer-grained enforcement capabilities.
Tetragon is a Cilium project first previewed last year, but it will reach its 1.0 milestone at KubeCon. It leverages eBPF primitives to more richly understand processes, binaries, and user contexts on nodes that it can carry across environments and to other nodes to correlate workload identities and new methods for observability and segmentation.
Network observability deeply benefits from understanding what particular process inside a Kubernetes pod caused network activity. Was it a particular sidecar container, the main application binary, or potentially a maliciously spawned shell inside a container? Runtime security deeply benefits from network-level identity by being able to differentiate whether network traffic that caused suspicious activity originated from a trusted network source or not.
It also benefits from open source, as Thomas Graf, CTO and cofounder at Isovalent, and creator of Cilium and Tetragon, said in an interview. “I would personally always prefer building security infrastructure provided via open source software as it allows me to concretely understand what security is provided, it can easily be independently audited, and limitations and flaws are difficult to hide.”
Owning your own telemetry data
Then there’s OpenTelemetry, which will be pretty much everywhere at KubeCon, with more than 15 sessions dedicated to it. This isn’t surprising, as it’s the second highest velocity project in the CNCF.
It’s a bit shocking how fast OpenTelemetry is being adopted. Sure, you’ll still find observability tools with proprietary back-end databases and query languages designed to create high switching costs, but open source tools like OpenTelemetry are on a tear. It’s heartening to see OpenTelemetry experience so much momentum. As it turns out, users want to own their telemetry data. But OpenTelemetry is also finding its way into classic observability pillars like logs, traces, and metrics, and is also being baked into efforts to make profiling data a truly polyglot application performance monitoring concern.
Central to all this is open source, but also efforts to make complicated domains like security more approachable. “The next big step for cloud-native security is to translate the incredible depth of security solutions that have been developed in the last few years into projects and solutions that can be used easily without hiring security team members with multiple years of experience in Kubernetes security,” argues Graf. In short, it’s not just open access that is making things like Cilium, Tetragon, and OpenTelemetry such forces in enterprise infrastructure, but also how they enable open accessibility.
Next read this: