From around the globe, it's theCUBE with coverage of KubeCon and CloudNativeCon Europe 2020, Virtual, brought to you by Red Hat, the Cloud Native Computing Foundation and ecosystem partners.

Hi, I'm Stu Miniman and this is theCUBE's coverage of KubeCon, CloudNativeCon, it's the Europe event, which of course this year has gone virtual. Really lets us be able to talk to those guests where they are around the globe. Really happy to welcome back to the program, Liz Rice. First of all, she is the vice president of open source engineering at Aqua Security. She is also the chair of the technical oversight committee as part of CNCF. Liz, it is great to see you. Unfortunately, it's remote, but great to catch up with you. Thanks for joining.

Yeah, thanks for having me. Nice to see you, if, you know, across the ocean.

So, you know, one of the big things of course for the KubeCon show, it's the rallying point for the community. There are so many people participating. One of the things we always love to highlight is it's not only the vendor ecosystem, but there's a very robust engaged community of end users that participate in it. And as I mentioned, you're the chair of the technology oversight committee. So maybe just, you know, give our audience a little bit of, you know, in case they're not familiar with what the TOC does and, you know, let's talk about the latest pieces there.

Yeah, so the TOC is really here to kind of qualify the different projects that want to join the CNCF. So we're assessing whether or not they're cloud native. We're assessing whether they could join at Sandbox or incubation or graduation levels, which are the different maturity levels that we have for projects within the CNCF. And yeah, we're really there to also provide a kind of steering around the, what does cloud native mean and what does it mean to be a project inside the CNCF community?
We're also a voice for the projects, not the only voice, but, you know, part of our role really is to make sure the projects are getting what they need in order to be successful. So it's really around the technology and the projects that we call cloud native.

Yeah, and I'm glad you said cloud native because when people first heard of the show, of course, Kubernetes and KubeCon was the big discussion point, but as you say, cloud native, there's a lot of projects there. I just, you know, glanced at the Sandbox page and I think there's over 30 in the Sandbox category and, you know, they move along their process until they're fully mature and reach that 1.0 state, which is the stamp of approval that this can be used in production. I understand there's been some updates for the Sandbox process. So help us understand, you know, where that is and what's the new piece of that.

Yeah, so it's really been because of the growth of cloud native in general, the popularity of the CNCF and so much innovation happening in our space. So there've been so many projects who want to become part of the CNCF family and we used to have a sponsorship model where members of the TOC would essentially back projects that they wanted to see joining at the Sandbox level, but we ran into a number of issues with that process and also dealing with the scale, the number of applications that have come in. So we've revamped the process, we've made it much easier for projects to apply, it's much simpler form. We're really not making so much judgment. We're really saying, is it a cloud native project? And we have some requirements in terms of some governance features that we need from a project. And it's worth mentioning that when a project joins the CNCF, they are donating the intellectual property and the trademark of that project into the foundation. So it's not something that people should take lightly, but we have tried to make it easier and therefore much smoother.
We're able to assess the applications much more quickly, which I think everyone, the community, the projects, those of us on the TOC, we're all pretty happy that we can make that a much faster process.

Yeah, actually it brings up an interesting point, Liz. So I've got a little bit of background in standards committees, as well as I've been involved in open source for a couple of decades now. Some people don't understand, when you talk about bringing a project under a foundation, you talked about things like trademarks and the like, there are more than one foundation out there. Of course, CNCF falls under the Linux Foundation. Google, of course, brought Kubernetes in fully to be supported. There's been some rumblings I've heard for the last couple of years about Istio and Knative. And I know about a month before the show, there was some changes along Istio and what Google was doing there. Maybe without trying to pass too many judgments and getting into some of the political arguments, help us understand what Google did and where that kind of compares to the projects that fit in the CNCF themselves.

Yeah, so I guess two years ago, around two years ago, Istio was very much the new kid in the cloud native block. So much excitement about the project. And it was actually when I was a program co-chair that we had a lot of talks about Istio at KubeCon CloudNativeCon, particularly in Copenhagen, I'm recalling. And I think everyone just saw a natural fit between that project and the CNCF. And there was an assumption from a lot of people across the community that it would eventually become part of the CNCF, that was its natural home. And one of the things that we saw in recent weeks was a very clear statement from IBM who were one of the sort of big contributing companies towards that project, that that was also their expectation. They were very much under the impression that Istio would be donated to the CNCF at an appropriate point of maturity.
And unfortunately, that didn't happen from my point of view, I think that has sown a lot of confusion amongst the community. Because we've seen so much, it's very much a project that fits service mesh designed to work with Kubernetes. It really does fit naturally with the other CNCF projects. So it's created confusion for end users who many of whom assume that it was part of the CNCF and that it has the neutral governance that the other projects, it's part of the requirements that we have on those projects. They have to have an open governance that they're not controlled by a single vendor. And we've seen that confusion and frustration around that confusion being expressed by more and more end users as well as other people across the community. And yeah, the door is still open. We would still love to see Istio join the community. Clearly there are different opinions within the Istio maintainers. I will have to see what happens.

Yeah, Liz, you bring up some really good points. You know, absolutely some of that confusion out there, absolutely I've heard from customers that if they're making a decision point, they might say, hey, maybe I'm not going to go down that Istio path, maybe I'll choose something else because I'm concerned about that. Istio front and center, Knative, another project currently under Google that has a number of other big vendors in the community that are participating in that. So hopefully we will see some progress on that going forward. But back to you talked about the TOC doesn't make judgments as to which project and how they are. One of the really nice things out there in the CNCF is like the landscape just for you to help understand, okay, here's all of these projects, here's the different categories they fit in, here's where they are along the maturity. There's another tool that I read Cheryl Hung's blog about the technology radar, I believe it's for continuous delivery, is the first technology radar.
Help us understand how that is, you know, not telling customers what to do but giving them a little guidance as to, you know, where some of these projects fit in a certain segment.

Yeah, the technology radar is a really great initiative. I'm really excited about it because we have increasing numbers of end users who are using these different projects, those inside the CNCF and projects that are outside of the CNCF family. You know, end users are building stacks, they're solving real problems in the real world. And with the technology radar, what Cheryl's been able to facilitate is having the end user community share with us, what tools they're actually using, what do they actually believe are the right hammers for specific nails? And you know, it's one thing for us as more on the developer or vendor side to look at different projects and say what we think are the better solutions for solving different problems. Actually hearing from the horse's mouth, from the end users who are doing it in the real world is super valuable. And I think that is a really useful input to help us understand what are the problems that the end users still are challenged by? What are the gaps that we still need to fill? The more input we can get from the end user community, the more we'll be solving real problems and not necessarily academic problems that we haven't necessarily discovered in the real world.

All right, well Liz, teeing up a discussion about challenges that users still have in the real world, if we go to your primary jobs, main hat is you live in the security world. And we know security is still something, front and center, it is something that's never done, lots of discussion about the shared responsibility model and how cloud native and security fit together and all that. I know there's some new projects there but love to just give me a snapshot as to where we are in the security space.
As I said, overall it's been super important topic for years. This year, with the global pandemic going on, security seems to be raised even more. We've seen a couple of acquisitions in the space, of course, Aqua Security, helping customers along their security journey. So what are you seeing out there in the marketplace today and hearing from your customers?

Yeah, I'm sure every business this year has looked at what's going on and it's been crazy time for everyone. But we've been pleasantly surprised at how in relative terms, our business has been able to, it's been strong. And I think what you're touching on the fact that people are working remotely, people are doing so many things online, security is ever more, online cloud security is ever more part of what people need to pay attention to. We're doing more and more business online. So actually for those of us in the security business, it has been, there have been some silver linings to this pandemic cloud. Yeah, so and in terms of technology, the open source projects and in particularly defaults in Kubernetes, things are improving. It's long been a thing that I've wished for and talked about that some of the default settings have not always been the most secure they could be. We've seen a lot of improvements over the last two or three years. We're seeing continuing to see innovation in the open source world, as well as on the commercial side and products that vendors like Aqua, we're continuing to innovate, we're continuing to provide new ways for customers to validate that the application workloads that they're going to run are going to run securely in the cloud.

All right, and Liz, there's a new project that I know you and Aqua are participating in. Tell us a little bit about Starboard, what's the problem it's helping solve and where that project is today?
Yeah, so Starboard is one of our open source initiatives coming out of my team at Aqua, and the idea is to take security reporting information and turn it into Kubernetes native resources, custom resources, and then that means the security information, your current security status can be queried over the Kubernetes API. So as you're querying the status of a deployment, say, you can also be querying to see whether it's passing configuration audits or it's passing vulnerability scans for the application containers inside that deployment. So the information is available through the same APIs, through the kubectl interface, through dashboards like Octant, which is a nice dashboard viewer for Kubernetes. Starboard brings security information, not just from Aqua tools, but from other vendor tools as well, front and center into that Kubernetes experience. So I'm really excited about Starboard. I think it's gonna be a great way of getting security visibility to more Kubernetes users.

All right, and Liz, we were talking earlier about just the maturity of projects and how they get into the sandbox. Is this still pre-sandbox for this project?

Oh yeah, we're still very much in the early phases and acting in the open source world, we have the ability to share what we're doing quite early so that we can get feedback, we can see how it resonates with real users. We've had some great feedback from partners that we've worked with and from some Aqua customers who we actually collaborated with when we were going through the initial design, some great feedback. There's still lots of work to do, but the initial feedback has been really positive.

Yeah, usually the event is one of those places where you can help try to recruit some other people that might have tools as well as educate customers about what's going on. So is that part of the call to action on this? What are you looking for for kind of the rest of 2020 when it comes to this project?

Yeah, absolutely.
So internally we're working on an operator which will automate some of the work that Starboard does in the background. In terms of getting more collaboration, we would love to see integrations for more security tooling. We're talking with some people across the community about the resource definitions. So we've come up with some custom resource definitions, but we'd love them to be applicable to a variety of different tools. So we wanna get feedback on those definitions. So if people are interested in collaborating on that, absolutely do come and talk to me and my team at Aqua, we'd love to hear from you.

Great, Liz, and I'll give you the final word. Obviously we're getting the community together while we're apart. So any other engagement opportunities, get-togethers, things that you want people to know about the European show this year.

Well, it's gonna be really, I'm on tenterhooks to see whether or not we can recreate the same atmosphere as we would have in KubeCon. I mean, it clearly won't be exactly the same, but I really hope that people will engage online, do come in and ask questions of the speakers, come and talk to the vendors, get into Slack channels with the community. This is an opportunity to pretend we're in the same room. Let's do what we can to recreate as close as we can that community experience that KubeCon is famous for.

Yeah, absolutely. That hallway track is something that is super challenging to recreate. And there's no way that I am getting the Indonesian food that I was so looking forward to in Amsterdam, just such a great culinary and cultural city. So hopefully sometime in the future we'll be able to be back there. Liz Rice, always a pleasure catching up with you. Thanks so much for all the work you're doing on the TOC and always a pleasure talking to you.

Thanks for having me.

All right, lots more coverage from KubeCon, CloudNativeCon, the European 2020 show of course virtual. I'm Stu Miniman and thank you for watching theCUBE.