At KubeCon North America in San Diego today, Microsoft announced several Kubernetes updates. The company is bringing Confidential Computing to Kubernetes, supporting both IPv4 and IPv6 addresses for the same Pods, releasing KEDA 1.0, and debuting Azure Event Grid support for CloudEvents 1.0.
Kubernetes is an open source container-orchestration system for automating application deployment, scaling, and management. At KubeCon EU in May, Microsoft launched the Service Mesh Interface (SMI) specification, a new community project for collaboration around service mesh infrastructure. While today's announcements are more iterative, they are still relevant for developers, IT pros, and businesses investing in their infrastructure.
Confidential Computing for Kubernetes is intended to help secure the entire supply chain through Kubernetes. It is complementary to projects like gVisor and Firecracker, which isolate sensitive workloads at a higher level (the sandbox or microVM). Confidential computing, by contrast, lets organizations protect the confidentiality and integrity of data while it is being processed in the public cloud. This means sensitive data stays confidential in scenarios ranging from line-of-business workloads, such as payments processing, to novel workloads, such as multi-party machine learning for medical research.
Trusted Execution Environments (TEEs), or "enclaves," are hardware-backed execution environments that protect a process and its memory from the rest of the system while the process runs. Microsoft is bringing TEEs to Kubernetes via the Open Enclave SDK. The company is also releasing the Open Enclave Kubernetes device plugin (in alpha), which exposes Encrypted Page Cache (EPC) RAM as a resource the Kubernetes scheduler can take into account in its scheduling decisions.
The Open Enclave SDK lets you verifiably guarantee that your data, secrets, and code are isolated by the hardware itself. Kubernetes developers who want data confidentiality for their workloads can use the Open Enclave SDK inside their containers today: Pods in these clusters can use the SDK to create TEEs and run their computation on confidential hardware. Microsoft donated the Open Enclave SDK to the Confidential Computing Consortium, a community effort under the Linux Foundation to secure data in use.
The Open Enclave Kubernetes device plugin lets Kubernetes application developers use hardware-backed TEEs to keep their processes and data protected even during execution. Because the number of enclaves a CPU can host is limited, the plugin advertises enclave capacity per node so that Pods that request enclaves are guaranteed to be placed on a node with an enclave available.
IPv4/IPv6 dual-stack, KEDA 1.0, and more
Next up, IPv4/IPv6 dual-stack is now in alpha with Kubernetes 1.16, allowing Kubernetes Pods and Services to use both IPv4 and IPv6 addressing simultaneously. This lets operators allocate larger blocks of contiguous IPv6 address space and expose services over both IPv4 and IPv6.
The Kubernetes Event-Driven Autoscaler (KEDA) is an open source collaboration between Azure Functions, Red Hat, and others. KEDA has now reached the 1.0 milestone, meaning it is stable and ready for production use. Developers can scale apps to and from zero, and rapidly scale out based on the rate of incoming events.
In related news, the Cloud Native Computing Foundation (CNCF) recently released CloudEvents 1.0, and Microsoft has now added support for version 1.0 to Azure Event Grid. Last week, Microsoft released Helm 3.0, whose alpha arrived at KubeCon EU. Arguably the biggest improvement is the removal of Tiller from the cluster, which makes Charts more Kubernetes-native and more secure by default, since there is no longer a cluster-side component holding broad privileges on the chart's behalf.