CNCF makes inroads on efforts at KubeCon & CloudNativeCon Europe 2022
The Cloud Native Computing Foundation’s (CNCF)’s KubeCon & CloudNativeCon Europe 2022 event in Valencia, Spain (and online) this week is the backdrop for announcements aimed at making Kubernetes easier for cloud app developers to use. There is good news for Communication Service Providers (CSPs) and network operators too: The CNFC announced a new certification program for Network Equipment Providers (NEPs) who follow CNCF’s cloud-native best practices.
The Cloud Native Network Function (CNF) Certification Program incorporates an open-source test suite, which will help operators validate how well their vendors follow cloud native principles and best practices like immutable infrastructure and declarative Application Programming Interfaces (APIs), the CNCF said.
“It leverages 10 CNCF-hosted projects and several open-source tools, including Fluentd, Helm, Jaeger, and Prometheus. Currently, the CNF Test Suite can run approximately 70 workload tests,” said the CNCF.
Those tests are segmented into seven different categories: Compatibility, Installability & Upgradability; Microservice; State; Reliability, Resilience & Availability; Observability & Diagnostics; Security; and Configuration.
Noting that telco giants like Huawei, Nokia, T-Mobile and Vodafone already use Kubernetes and other cloud-native technologies, Priyanka Sharma, executive director of the CNCF, said the CNF Certification Program will make it easier for others to follow suit.
“Moving to cloud native infrastructures has long been difficult for telecom providers who have transitioned to VNFs and found themselves with siloed resources and specialized solutions not built for the cloud,” said Sharma.
Klein believes the most important contribution Envoy Gateway will make is to standardize the APIs for Kubernetes ingress.
“As the industry converges on specific Envoy Kubernetes Gateway API extensions, it will allow vendors to easily provide alternate SaaS [Software as a Service] implementations that may be preferable if a user outgrows the reference implementation, wants additional support and features, etc. Clearly, there is much work to do around defining the API extensions, determining which APIs are required versus optional for conformance, etc. This is the beginning of our standardization journey and we are eager to dive in with all interested parties,” he wrote.
Making Kubernetes service mesh easier
Service meshes manage communications between individual cloud app microservices. They enable better cloud app security, observability and reliability. According to a new report from the CNCF, 70% of those businesses polled are already running a service mesh to manage their Kubernetes deployments. But the majority of those polled also point to service mesh headwinds. At the top of the list is a lack of in-house service mesh engineering expertise, but right behind it is service mesh’s general architectural complexity, along with a relative dearth of published guidance and best practices.
Bearing that in mind, a CNCF steering committee this week announced Envoy Gateway. It’s a new effort to make Envoy, the open-source edge and service proxy, easier to use. Envoy helps wrangle load balancing and other networking complexities specific to cloud app microservice management. Envoy enables cloud developers and network operators to more easily observe and tune overall cloud app performance.
Matt Klein, Envoy’s developer, said that the software has seen a large vendor ecosystem spring up to support it. The downside, Klein explained:
“The flip side of Envoy’s success as a component of many different architecture types and vendor solutions is that it is inherently low level; Envoy is not an easy piece of software to learn. While the project has had massive success being adopted by large engineering organizations around the world, it is only lightly adopted for smaller and simpler use cases, where nginx and HAProxy are still dominant,” Klein wrote.
Envoy Gateway adds a simplified deployment model and API layer aimed at lighter use cases, Klein explained. The new effort also merges two existing CNCF API projects: Contour and Emissary, into a common core, Klein said.
Klein first developed Envoy for use at Lyft, the popular ride-share service. Envoy was released as open source, adopted by the CNCF first as an incubating project in 2017, then “graduated” in 2018 alongside Kubernetes itself. For Envoy Gateway, Klein has aligned with Ambassador Labs, Fidelity, Tetrate, and VMware to form the CNCF Envoy Gateway steering committee.
“Envoy Gateway will support a multitude of ingress and L4/L7 traffic routing use cases and contains design elements from Emissary-ingress and Contour, as well as new elements. The project is being built using Golang, the existing Envoy go-control-plane, and will use Kubebuilder-based APIs,” wrote Richard Li, Ambassador Labs CEO.
Envoy Gateway will be exposed as a basic API gateway “out of the box,” according to the group, which should make it easier for developers to manage Kubernetes service meshes.
“Exposing a simplified set of APIs, and implementing the Kubernetes Gateway API, EG makes it easier to extend Envoy. Developers will now have a cost-free, unfettered way to provide external access to their work in progress. At the same time, Envoy Gateway will not replace API management features currently found in commercial products,” said the group.
Updating cloud app security practices
The CNCF’s Technical Advisory Group (TAG) this week released an updated Cloud Native Security whitepaper to replace their 2020 edition. The updated version adds new information and best practices the group has added, with help to demystify security assurance and compliance and understand EU regulatory frameworks, the CNCF TAG said.
New sections have been added to help stakeholders better understand secure defaults; mapping the U.S. Department of Commerce National Institute of Standards and Technology (NIST)’s Secure Software Development Framework (SSDF) to the CNCF TAG’s Cloud Native Security Application Lifecycle; a container-specific MITRE ATT&CK threat matrix and more.