KubeCon 2021 Top 3 Announcements: APIClarity, HashiCorp Waypoint, and Dell EMC CSM
The cloud native landscape, as mapped out by CNCF, comprises 1,776 products and projects created by 925 organizations. CNCF divides this universe into the 9 categories and 38 subcategories shown in the chart below (source: GitHub). At KubeCon 2021 in Los Angeles, three new products caught my eye because of their high potential for pushing back the roadblocks that currently slow down application modernization.
1. APIClarity — Continuous API Security
The quickly growing number of microservices applications within an enterprise has led to a rapid increase in the number of APIs and in overall API traffic. The chart shows the resulting increase in API-related security vulnerabilities recorded in the CVE database. With an estimated 75% of enterprise applications still in line for modernization, the number of API-related vulnerabilities will keep increasing unless enterprises start implementing guardrails for API governance.
APIClarity is a new open source project, led by Cisco developers, that automatically identifies, captures and parses API traffic within the Kubernetes service mesh. APIClarity compares the identified API requests to the organization’s current API specifications and alerts operators to any undocumented APIs. This ability to automatically surface undocumented APIs within rapidly changing cloud native environments makes enterprises aware of potential security and compliance risks that require further investigation and, sometimes, remediation.
Wherever possible, the platform automatically creates OpenAPI-compliant specifications for undocumented APIs and lets human operators review and adjust these specifications. Human operators will also take these new specifications as the basis for requesting changes to APIs that may present compliance challenges or even constitute direct security vulnerabilities.
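To make the comparison step concrete, here is an added example (my own illustration, not APIClarity's code) that checks constructed mesh-style access-log records against a constructed OpenAPI `paths` fragment, separates unknown paths from undocumented methods on known paths, and drafts a spec skeleton for a human to review; the `x-status` marker and the `{id}` inference rule are my own assumptions.

```python
# Constructed OpenAPI fragment: only "paths" and their methods matter for this check.
OPENAPI_SPEC = {
    "paths": {
        "/v2/users/{id}": {"get": {}, "delete": {}},
        "/v2/orders": {"get": {}, "post": {}},
    }
}

# Constructed (method, path) records, the shape a mesh proxy access log provides.
OBSERVED_TRAFFIC = [
    ("GET", "/v2/users/42"),
    ("DELETE", "/v2/users/42?verbose=1"),
    ("POST", "/v2/orders"),
    ("GET", "/v1/users/42"),          # legacy API that was never turned off
    ("PUT", "/v2/orders/17"),         # path missing from the spec
    ("PATCH", "/v2/users/42"),        # documented path, undocumented method
]

def _matches(template, path):
    """True if a concrete path fits an OpenAPI path template such as /v2/users/{id}."""
    t_parts, p_parts = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t_parts) == len(p_parts) and all(
        (t.startswith("{") and t.endswith("}")) or t == p for t, p in zip(t_parts, p_parts))

def infer_template(path):
    """Generalise purely numeric segments to {id} so a draft spec can be written (assumed rule)."""
    return "/" + "/".join("{id}" if s.isdigit() else s for s in path.strip("/").split("/"))

def find_undocumented(spec, traffic):
    """Classify each observed call as documented, unknown path, or unknown method on a known path."""
    findings = {"unknown_path": [], "unknown_method": []}
    for method, raw_path in traffic:
        path = raw_path.split("?", 1)[0]  # the query string is not part of the path template
        template = next((t for t in spec["paths"] if _matches(t, path)), None)
        if template is None:
            findings["unknown_path"].append((method, path))
        elif method.lower() not in spec["paths"][template]:
            findings["unknown_method"].append((method, path, template))
    return findings

def draft_spec(findings):
    """Build an OpenAPI 'paths' skeleton for the undocumented calls, for an operator to review."""
    paths = {}
    for method, path in findings["unknown_path"]:
        paths.setdefault(infer_template(path), {})[method.lower()] = {"x-status": "undocumented"}
    for method, path, template in findings["unknown_method"]:
        paths.setdefault(template, {})[method.lower()] = {"x-status": "undocumented"}
    return {"openapi": "3.0.0", "paths": paths}
```

Running `draft_spec(find_undocumented(OPENAPI_SPEC, OBSERVED_TRAFFIC))` yields three draft entries: the legacy `/v1/users/{id}`, the unlisted `/v2/orders/{id}`, and a `patch` method on the already documented `/v2/users/{id}`.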
My Take on APIClarity
Most API-related security vulnerabilities recorded in the CVE database are related to authentication and authorization problems. Like most security vulnerabilities, these issues quickly appear when development teams work under tight deadlines and try to speed things up by taking shortcuts when granting access rights to specific API endpoints. Simply forgetting to turn off legacy APIs is another source of vulnerabilities. Every time one of these vulnerabilities stays under the radar of corporate security engineers, the risk of successful exploits and failed compliance audits increases. APIClarity continuously surfaces all of these undocumented APIs for security operators to deal with. Beyond this immediate value, the generated API specifications can be ingested by security and compliance platforms as part of their much broader analysis of the enterprise application portfolio.
2. HashiCorp Waypoint — Build Once, Deploy and Release Anywhere
HashiCorp Waypoint is an open source project that aims to automate the build, deployment, and release process of cloud native applications (typically on the Kubernetes container orchestration platform). Instead of creating, configuring and continuously tweaking configuration files for packaging, networking, security, ingress control, logging, container runtime, and publication, developers only need to create one file that contains simplified instructions for Waypoint to take care of the build, deployment, and release. Considering that many developers spend half of their day on deployment and release workflows for different infrastructure platforms, the promise of “code once, build, deploy, and release anywhere” sounds very intriguing.
How Does it Work?
Developers create a single configuration file (waypoint.hcl) that includes a set of declarative instructions describing how the application should be built, deployed, and released.
The waypoint.hcl file can then be invoked via the CLI or as part of a GitOps workflow to start the application build, deployment and release. Operators get a GUI to centrally access logs, versioning data, release data, etc. Currently, Waypoint supports AWS, Google, Azure, Docker, Kubernetes, and a few more target infrastructure types.
My Take on HashiCorp Waypoint
Waypoint is easy for developers to try out, simply by installing its Helm chart on any Kubernetes cluster. This simplicity should appeal to developers looking to escape spending a good part of their time creating and tuning YAML files. At the same time, Waypoint simplifies application operations by providing a single pane of glass for operators to understand and manage an application. This simplicity on both ends, dev and ops, is an important foundation for accelerating application modernization.
3. Dell EMC Container Storage Modules — Leverage Enterprise Storage for Kubernetes
Dell EMC Container Storage Modules (CSM) provide enterprise-grade block and file storage to Kubernetes applications via the Container Storage Interface (CSI). CSM includes developer and operator services that enable policy-driven storage consumption, placement, and management, with the goal of allowing traditional IT admins and storage administrators to efficiently provide cloud native storage to developers and DevOps teams.
CSM is a big deal for Dell EMC, as the company needs to show its customer base that Dell EMC storage can be the foundation for a viable data services platform for Kubernetes. Dell EMC led the development of CSI, an open source specification that allows the delivery of enterprise storage features through add-ons, and therefore without depending on the Kubernetes release lifecycle. CSI enables critical volume-level capabilities such as snapshots, volume provisioning, volume expansion, and volume cloning. CSM provides separate modules, built on CSI, that deliver higher-level enterprise storage capabilities such as backup, resiliency, authorization, and observability. For example, the CSM Observability module interfaces with the OpenTelemetry data collector to deliver granular capacity and performance data from Dell EMC storage arrays to the Kubernetes scheduler. This data then enables the CSM Volume Placement module to optimally place applications based on storage capacity and performance.
My Take on Dell EMC CSM
While not yet fully featured across the overall Dell EMC storage portfolio, CSM is critical for Dell EMC to gain traction in the growing market for on-premises Kubernetes infrastructure. For customers it simply makes sense to use the same storage for Kubernetes apps as they use for traditional enterprise apps. However, CSM can only be successful if it provides the same level of simplicity that vendors of cloud native storage solutions currently offer.