Livin' on the Edge Podcast

Gareth Rushgrove on Kubernetes Tooling, Platforms, and Engineering Security

About

In this episode of the Ambassador Livin’ on the Edge podcast, Gareth Rushgrove, Director of Product Management at Snyk, discusses the state of Kubernetes tooling, the role of application platforms and how they should be designed and managed, and the importance of engineering security.

Episode guests

Gareth Rushgrove

Director of Product Management at Snyk

Gareth works remotely from Cambridge, UK, helping to build interesting tools for people to better manage infrastructure and applications. He currently works at Snyk, working on developer-first security tooling. He has previously worked for the UK Government Digital Service focused on infrastructure, operations and information security, as well as at Puppet and Docker. When not working he can be found curating the Devops Weekly newsletter, hiking or reading a good book.

Be sure to check out the additional episodes of the "Livin' on the Edge" podcast.

Key takeaways from the podcast included:

  • APIs must be designed as user interfaces in order to both provide the most value to end users, and be easy to consume by developers.
  • Many organisations are currently achieving good results by using Kubernetes as a foundation for their platform and configuring deployments via YAML files.
  • For engineers working close to the K8s community, it is easy to believe that the developer experience and configurability can and should be “better”, but sometimes the simple approach (using YAML) can be very effective.
  • The use of cloud native buildpacks can provide a lot of value, especially when integrated seamlessly into language-specific frameworks and workflows. For example, the latest Spring Boot releases include buildpack support, but they hide unnecessary configuration details away from users that want to use the simple defaults.
  • Micro-PaaSs such as Rancher Labs' Rio are showing promise in providing “just enough” platform. They have the potential to strike a good balance between developer-focused affordances and usability.
  • Treating an organisation’s platform as a product can provide advantages. Understanding the customers of a platform, identifying what is actually required (versus what would be interesting to build), and prioritisation of work are vitally important skills for platform product owners.
  • The Kubernetes-focused continuous delivery tooling space is embracing composability -- e.g. GitHub Actions, Argo workflows, the GitOps toolkit -- and although sharing of components provides a lot of value, the industry is still mostly at the “copy and paste” stage of development. Interesting standards are evolving in this space.
  • Infrastructure as code (IaC) and configuration code are not always treated the same way as application code within a CD pipeline, but it is important to apply the same best practices, such as linting, (static) security analysis, and acceptance testing.
  • Conftest helps engineers write tests against structured configuration data. Using Conftest you can write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code, Serverless configs or any other config files. Conftest uses the Rego language from Open Policy Agent for writing the assertions.
  • It is important for all engineers to be aware of security. Scanning container images, application dependencies, and application code is table stakes.
  • Baking security checking processes into developer tools so that code and configuration are automatically and continuously analysed will provide the fast feedback that engineers require.
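
To make the Conftest takeaway concrete, here is an added example (not from the podcast or from the Conftest project) of a Rego policy that tests a Kubernetes Deployment manifest. The three checks and the helper names `containers` and `pinned` are constructed for illustration; the policy assumes Conftest's defaults of loading policies from a `policy/` directory and evaluating `deny` rules in package `main`, and an OPA version that supports `import rego.v1`.

```rego
# policy/deployment.rego
# Constructed example policy; the checks are illustrative assumptions,
# not rules discussed in the episode.
package main

import rego.v1

# Helper (hypothetical name): every container in a Deployment's pod template.
containers contains c if {
	input.kind == "Deployment"
	some c in input.spec.template.spec.containers
}

# Helper (hypothetical name): true when the image reference ends in a tag
# or digest and that tag is not "latest". A registry port such as
# localhost:5000/app does not count as a tag because of the "/" after it.
pinned(image) if {
	regex.match(`:[^/:]+$`, image)
	not endswith(image, ":latest")
}

# Images must be pinned so that a deploy is reproducible and auditable.
deny contains msg if {
	some c in containers
	not pinned(c.image)
	msg := sprintf("container %q: image %q must use a fixed tag or digest", [c.name, c.image])
}

# Containers must declare that they do not run as root.
# A missing securityContext is treated the same as runAsNonRoot: false.
deny contains msg if {
	some c in containers
	not c.securityContext.runAsNonRoot
	msg := sprintf("container %q: securityContext.runAsNonRoot must be true", [c.name])
}

# Privilege escalation must be switched off explicitly, not left to defaults.
deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("container %q: allowPrivilegeEscalation must be false", [c.name])
}
```

Running `conftest test` against a manifest in a CI step reports each `deny` message and fails the build, which gives configuration the same fast feedback loop described above for application code.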