 Live from Copenhagen, Denmark, it's theCUBE, covering KubeCon and CloudNativeCon Europe 2018, brought to you by the CloudNative Computing Foundation and its ecosystem partners. Hello everyone, welcome back to theCUBE's exclusive coverage here in Copenhagen, Denmark for coverage of KubeCon 2018, part of the CNCF, CloudNative, Compute Foundation, part of the Linux Foundation. I'm John Furrier, my co-host, Lauren Cooney, the founder of Spark Labs here at Kelsey Hightower, co-chair of the program as well as a staff engineer, developer, advocate at Google Cloud Platform, celebrity in the industry, dynamic, always great to have you on. Welcome back. Awesome, good to be back. How are you feeling? Tired? You get the energy? I'm good, I finished my keynote yesterday. My duties are done, so I get to enjoy the conference like most attendees. Great, keynote was phenomenal, got good props, great content from a very tight movement, things along, a little bit of a jab at some of the cloud providers, someone say, oh Kelsey took a jab at the cloud guys. What was that about? I mean, what was, there's some good comments on Twitter, but keeping it real? Honestly, so I work at a cloud provider, so I'm part of the cloud guys, right? So I'm at Google Cloud, and what I like to do is, and I was using Amazon's S3 in my presentation, and I was showing people basically like the dream of, in this case, serverless, here's how this stuff actually works together right now. We don't really need anything else from the cloud providers, there's what you can do right now, so I like to take a community perspective when I'm on the stage, so I'm not here only to represent Google and sell for Google, I'm here to say, hey, here's what's possible, and my job is kind of up-level the thinking. So that was kind of the goal of that particular presentation, it's like, here's all this stuff, let's not lock it all down to one particular provider, because this is what we're here for, KubeCon, CloudNativeCon is about taking all that stuff and standardizing it and making it accessible. And then obviously people are talking about the outcome that's preferred right now in the future, which is a multi-cloud workload portability, Kubernetes is playing a very key role and obviously the DevOps, people who have been doing it for many, many years have eaten glass, spit nails, custom stuff, but reap the benefits. But now that they want to make it easier, they want to repeat that, so with Kubernetes nice formation, a lot of people saying here on theCUBE and in the hallways that a de facto standard, the word actually said multiple times here. Interesting. Yeah, so you got Kubernetes becoming the de facto standard for compute, but not events, not data, not the way you want to compute those events or data, so the job isn't complete. So I think Kubernetes will solve a large portion of compute needs. Thumbs up, we're good to go. Linux has done this for the virtualization layer. Kubernetes is doing for the containerization, but we don't quite have that on the serverless side. So it's important for us all to think about where the industry is going, so it's like, hey, where the industry is moving to, where we are now, but it's also important for us to get ahead of it and also be a part of defining what the de facto standard should be. That's great. And you mentioned community, which is important because I want to just bring this up because a lot of startups in the membership of CNCF, and when you have that first piece done, you mentioned the other work to be done, that's an opportunity to differentiate. This is the commercialization opportunity to strike that balance. Your reaction to that, how do you see that playing out? Because it is an opportunity to create some value. Honestly, I'm wearing a serverless.com t-shirt right now. There's a startup in the space, they're trying to make serverless easy to use for everyone regardless of the platform. I think no matter what side of the field you stand on, we need these groups to be successful. They're independent companies, they're going for ambition, they're trying to fill the gaps in what we're all doing. So if they're successful, they just make a bigger market for everyone else. So this is why not only do we try to celebrate them, we try to give them this feedback like, hey, here's what we're doing, here's what the opportunities are. So I think we need them to be successful. They all die out every time they start something. Then we may not have people trying anymore. And I think there's actually a serverless SIG in the CNCF, right, and I think that they're doing a lot of great work to kind of start to figure out what's going on. I mean, are you aware of what those guys are up to? Exactly, so the keynote yesterday was largely about some of the work they're doing. So you mentioned the serverless SIG and CNCF. So some of the work that they're doing is called cloud events. But they want to do a standardized way we take these events from the various providers. We're not going to make them all work the same way. But what we can do is capture those events in a standard way and then help define a way to transport those between different providers, if you will, and then how those responses come back. So at least we can start to standardize at least that part of the layer. And if Google offers you value or Amazon offers you value, you own the data. As the data generates events, you can actually move it wherever you want. So that's the other piece and I'm glad that they're getting in front of it. Well, I think the goal is obviously if I'm using AWS and then I want to use Azure and then I want to go to Google Cloud or I want my development teams are using different components and features and all of them, right? You want to be able to have that portability across. And we sit together. So the key part of that demo was if you're using one cloud provider for a certain service, in this case, I was using Google Translate to translate some data. But maybe your data lives in Amazon. The whole point was that be notified that your data's in Amazon so that it can be fired off an event into Google, function runs the translation, writes the data back to Amazon. There are customers that actually do this today, right? There are different pieces of stacks that they want to be able to access. Our goal is to make sure that they can actually do that in a standard way and then show them how to do it. A lot of big buzz too, also going on around Kubeflow, but Google co-chaired or co-founded now part of the CNCF. Istio, service meshes. Again, this points to the dots that are connecting, which is okay, I got Kubernetes, got containers. Now Istio, what's your vision on that? How did that play out? An opportunity, certainly, to abstract away some complexity. What's your thoughts on Istio? So I think there's going to be a certain things. Things like Istio, there are parts of Istio that are very low level. That if done right, you may never see them. That's a good thing. So Istio comes in and says, look, it's one thing to connect applications together, which Kubernetes can help you do with this built-in service discovery. How does one app find the other app? But then it's another thing to lock down security and implement policy. This app can talk to this app under these conditions. Istio comes in and brings that to the playing field. Great, that's a great addition. Most people will probably wrap that in some higher level platform and you may never see it. Great, then you mentioned Kubeflow. Now this is a workflow, or at least an opinionated workflow for doing machine learning or some analytics work. There's too many pieces. So we start naming every single piece that you have to do, or we can say, look, we know there's a way that works. We'll give it a name, we'll call it Kubeflow. And then what's going to happen there is the community's going to rally around and actually more workflow. We have lots of great technology wrapped underneath all of that. But how should people use it? And I think that's what I'm actually happy to see now that we're in year four or five of this thing is people are actually talking about how do people leverage all of these things that fall below? As the IQ starts to increase with cloud native, you're seeing enterprises, and there's levels of adoption. The early adopters, the shiny new toy are pushing the envelope, fast followers coming in, then you've got the mainstream coming in. So mainstream, there's a lot of usage and consumption of containers. Very comfortable with that. Now they're bumping into Kubernetes. Oh, wow, this is great. This, different positions of the adoption. What's your message to each one? Mainstream, fast followers, early adopters, the early adopters keep pushing, keep bringing that community together, form the community, fast follow up. What's the position? What's your, the Kelsey Hightower view for each one of those points of the evolution? So I think we need a new model. So I think that model is kind of out now. Because if you look at the vendor's relationships now, so the enterprise typically buys off the shelf when it's mature and ready to go. But at this point now, a lot of the libraries you saw in the programming languages, if you see a language, a library that you need, if it's on GitHub, you look around and it's like, we're going to use this open source library because we got a ship, right? So they started doing early adoption, maybe at the library level. Now you're starting to see it at the service level. So if I go to my partner or my vendor and they say, hey, the new version of our software requires Kubernetes. Now that's a little bit early for some of these enterprises to adopt, but now you're having the vendor relationship saying we will help you with Kubernetes. And also a lot of these enterprises, it's early, guess what, they have contributors to these projects. They helped design them. I remember back in the day when I was in financial services, JPMC came out with their own messaging standard so banks communicate with each other. They gave that to Red Hat and Red Hat turns it into a product and now there's a new messaging standard. That kicked off 10 years ago. And now we're starting to see these same enterprises contribute to Kubernetes. So I think now there's a new model where if it's early, enterprises are becoming the contributors, donating to the foundations, becoming members of things like CNCF. And on the flip side, they may still use the product, but they want to stay in their future. So you can jump in at any level as a company. You don't need to wait for the mainstream. You can have a contributor in the front wave to help shepherd through. Yeah, you need more say. I think when people bought typical enterprise software, if there wasn't a feature in there, you wait it for the vendor to do it. The vendor comes up with a feature and tells you it's going to cost you another $200 million for this add-on and you have no say into the progress of it or the speed of it. And then we moved to a world where there was APIs. Look, here's APIs, you can kind of build your own thing on top. Now the vendor's like, you know what, I'm going to help actually build the product that I rely on. So if vendor A is not my best partner right now, I can pick a different vendor and say, hey, I want a relationship around this open source ecosystem. You have some features I like right now, but I may want to be able to modify them later. I think that's where we are right now. Well, I think also the emergence of open source offices and things like that in enterprises that are more monolithic have really helped to move things forward with their users and their developers. I'm seeing a lot of folks here that are actually coming from larger companies inside of Europe and they're actually trying to learn Kubernetes now and they are here to bring that back into their companies that they want to know about what's going on. That's a good observation because that open source office is replacing the, I'm the vendor management person. Well, you need legal and you need all of those folks to just get the check marks and get the approval so that folks can actually take code in and if it's under the right license, which is super important, or put code back out. And it seems to be some of the same people that were managing the IBM relationship, the people that were managing the big vendor relationship. This thing is going to cost us all this cash. We're going to make sure that we're getting the right, we're compliant with the licensing model that we're not using more than we paid for in case we get an audit. The same group has some of the similar skills needed to shepherd their way through the open source landscape and then, in many cases, hiring in some of those core developers to sit right in the organization to give back and to kind of have that first tier support. That's a really good point, Lauren. I think this is why I think C&C has been so successful is they've kind of established the guardrails and the kind of the cultural notion of commercializing while not foregoing the principles of open source. So the operationalizing of open source is really huge. Well, I'm kind of laughing over here because I started the open source organization at Cisco and Cisco was new to open source. And we had to put Open Daylight into the Linux foundation and I just remember the months of calls I was on and the lawyers that I got to know and, you know, I do, but I think, you know, when we did CNCF, I was talking to Craig years ago when we kind of kicked that off. It was really something that we wanted to do differently. We wanted to fast track it. We had the exact license that we wanted. We had the players that we wanted to, you know, and we really wanted to have it to be something community-based, which I think, you know, Kelsey, you've said it right there. It's really the communities that are coming together that you're seeing here. You know, what else are you seeing here? Like, what are the interesting projects that you see that are kind of, you know, popping up? You know, we have some, but are there others that you see? Well, so now these same enterprises, now they have the talent, or at least not letting the talent leave. The talent now is like, well, we have an idea and it's not core to our business. Let's open source it. So Attuit just inquired this workflow, small little starter project, Argo. They are Attuit now and maybe they had a need internally, suck in the right people, let the project continue, throw that Attuit logo there, and then sometimes you just see tools that are just being built internally also be productized from this open source perspective, and it's a good way for these companies to stay engaged and also to say, hey, we're having this problem, so are other people. So this is new, right? This open source used to come from the vendors, maybe a small group of developers, but now you're starting to see the company say, you know what? Let's open source our tool as well and it's really interesting because those tools are pretty mature. They've been baked, they've been used, they're real, someone depends on them, and they're out. Interesting to see where that goes. Well, you know, Dirk von Del from VMware, former Linux early guy, brought the same question. He says, don't confuse project with product. That's right. And to your point about being involved in the project, you can still productize. That's right. And then still have that dual relationship in a positive way. That's really a key point. Exactly, we're all learning how to share and we're learning what to share. Okay, so let's get, let's do some self-awareness here for you. Program's great, give you some props on that. You did a great job, you guys are a team, a lot of high marks, question marks that are here that we've heard is security. Obviously, love Kubernetes, everyone's high-fiving each other, getting back to work with reality. Security is a conversation. Your thoughts on how that's evolving, obviously front and center conversation with all the service meshes and all these new services coming up, security is now being fought in the front end of this. What's your view? So I think the problem with security from certain people is that they believe that a product will come out that they can buy to do security. Every time some new platform, oh, virtualization security, Java security, any buzzword then someone tries to attach security. It's a bull-on. Yeah, so most people think it's a practice. A lot of stuff that I've seen in security space still applies to the new stack. It's not that the practice changed. Some of the threat models are the same. Maybe some new threat models come up or new threat models are aggravated because of the way people are using these platforms. But I think a lot of companies have never understood that. It's a practice. It will never be solved. There's nothing you can buy or subscribe to. Not a silver bullet. Like antivirus, right? Oh, I'm going to buy antivirus. As long as I run it, I should never get a virus. It's just like, no, that's not how that works. The antivirus will be able to find things it knows about. And then you have to have good behavior to prevent having a problem in the first place. And I think security should be the same way. So I think what people need to do now is they're being forced back into the practice of security. Security everywhere, basically. It's a thing you have to do no matter what. And I think what people have to start doing with this conversation is saying, if I adopt Kubernetes, does my threat model change? Does the container change the way I've locked down the VM? In some cases, no. In some cases, yes. So I think when we start to have these conversations, everyone needs to understand the question you should ask of everyone, what threat model should I be worried about? And if it's something that I don't understand or know, that's when you might want to go and look for a vendor or go get some more training to figure out how you can solve it. Yeah, and I think Tyler Jewel was on from Ballerina. And he was talking about that yesterday in terms of how they actually won't, they assume that the code is not secure. That is the first thing that they do when they're looking at Ballerina and their programming language and how they actually accept code into it. Is they just assume it's not secure? Oh, exactly. That's the thing, like at Google, we had a thing, we call it BeyondCorp. And there's other aspects of that. If you assume that it's going to be bad if someone was inside of your network, then pretend that someone who's already inside of your network can act accordingly. Yeah, exactly. It's almost the reverse of doing a white listing. All right, so we're going to ask you a question. So, An, you're in a unique position. Glad to have you here in the queue. Thanks for coming on and sharing your insights and perspective. But you're also the co-chair of this program. So you get to see the landscape. You see the 20-mile stair. You have to have that long view. You also work at Google, which just gives a perspective of things like BeyondCorp and all the large-scale work at Google. A lot of people are buying into the cloud native, no doubt about it. There's still some educational work on the people side and process and operationalizing it with open source, et cetera. But they want to know where the headroom is. They want to know, as you said, where is the directionally correct vector of the industry? So I got to ask you, in your perspective, where's all this going? For the folks watching who just want to have a navigation, paint the picture. What's coming directionally? Shoot the arrow forward as service matches, as you start having this service layer, highly valuable, creative freedom to do things. What's the Kelsey vision on? So I think this is where the computing, after the mainframe. The mainframe, you want to process census data. You walk up, give it, spits it back out. To me, that is beautiful. That's like almost the ultimate developer workflow. In, out. Then everyone's like, I want my own computer. And I want my own programming language. And I want to run it in my basement without the proper power or chords or everything. And we're all going to learn how to do computing from scratch. And we all learned and we have what we call it legacy. All the mistakes I've made, but I maintain. And that's what we have. But the ultimate goal of computing is like the calculator. I want to be able to have a very simple interface and the computer should give me an answer back. So where all this is going, Istio, service mess, Kubernetes, cloud native, all these patterns. Here's my app. Run it for me. Don't ask me about auto scale groups and run it for me. Give me a security certificate by default. Let's encrypts. Makes it super easy for anyone to get a Taylor certificate rotated to all the right things. So we're slowly getting to a world where you can ask the question, here's my app. Run it for me. And they say, here's the URL. And when you hit this URL, we're going to do everything that we've learned in the past to make it secure, scalable, work for you. So that may be called OpenShift in this current implementation with Red Hat. The Amazon may call it Lambda. Google Cloud may call it GKE plus some services. And we're never going to stop until the experience becomes. Here's my app running for me. A resource pool, just programmability. And it's good. I mean, I think the enterprises are used to lifting and shifting. I mean, we've been through the evolution of IT. Used to build the legacy. Okay, consolidation. Server consolidation, oh, hello VMs. Now you have lift and shift. This is not a lift and shift kind of concept cloud native. It is a- It doesn't have to be a lift and shift. So some people are trying to make it a lift and shift thing where they say, look, you can bolt on some of the stuff that you're seeing in the new. And some consultants are like, hey, we'll sit there and roll up the sleeves and give you what we can. And I think that's an independent thing from where we're pushing towards. If you're ready, there's going to be a world where you give us your code and we run it. And it's scary for a lot of people because they're going to be like, well, what do I do? What now do whites twist in that world? So I think that's just, that's where it's going to- Well, in a world of millions of services coming out on the line, it's an operating, automation's got to be key. These are principles that have to get bought into. You got to understand, administration is the exception, not the rule. This is the new world. It's kind of the Google world and large scale world. So it could be scary for some. I mean, you just get bump into people all the time. Hey, Kelsey, what do I do? And what do you say to them? Say, hey, you know, what do I do? What's the playbook? Well, I said, and so it's early enough. I wasn't born in the mainframe time. So I'm born in this time. And right now when you look at this, it's like, well, this is your actual opportunity to contribute to what it should do. So if you want to sit on the sidelines, because we're in that period now where that isn't the case. And everyone right now is trying to figure out how to make it the case. So they're going to come up with their ways of doing things and their standards. And then maybe in about 10 years, you'll be asked to just use what we've all produced. Or since you're actually around early enough, you can participate. That's what I tell people. So if you don't want to participate, then you get the checkpoints along the way. Here's what we offer, here's what they offer. You pick one, and then you stay on this digital transformation to the end of the time. Or you jump in and realize that you're going to have a little bit more control over the way you operate in this landscape. Well, jumping in the deep end of the pool has always been the philosophy. Get in, learn, and you'll survive without a community to support you. Kelsey, thanks for coming on. Final question for you. Surprises, you're no longer going to be the co-chair. You've co-chaired at this point. You've done a great job. What surprised you about KubeCon? The growth, the people, what are some of the things that have jumped out at you? Either good surprise, what you did expect, not expect. Let's share some commentary on this movement, KubeCon and how it's created. Definitely surprised that it's probably this big, this fast. Right, I thought people, definitely when I saw the technology early on, I was like, this is definitely a winner regardless of who agrees. So I knew that early on. But to be this big, this fast, and all the cloud providers agreeing to use it and sell it. That is a surprise. I figured one or two would do it. But to have all of them, if you go to their website and you read the words Kubernetes, strong competitors. All right, we all agree that Kubernetes is okay. That to me is a surprise that they're here, they have booths, they're celebrating it. They're all innovating on it. And honestly, this is one of those situations that no matter how fast they move, everyone ends up winning on this particular deal just the way Kubernetes was set up and the foundation as a whole. That to me is surprising that it's still true four years later. I mean, rising tide floats all of Boston. You have a booths when you have an enabling disruptive technology like Kubernetes that enables people to be successful. There's enough cake to be eating for everybody. Awesome. Kelsey Hightower, big time influencer here inside the Kube cloud computing influencer also works at Google as a developer advocate, also co-chair of KubeCon 2018. I wish you luck in the next chapter. You're stepping down from the co-chair role. Stepping down from the co-chair, but always in the community. Always in the community. Great voice, great cut I have on the Kube. Check them out online, great Twitter feed. Check them out on Twitter. Kelsey Hightower here in the Kube. I'm John Furrier, Lauren Cooney. Be right back with more coverage here at KubeCon 2018. Stay with us, we'll be right back.