 Live from Barcelona, Spain, it's theCUBE, covering KubeCon CloudNativeCon Europe 2019. Brought to you by Red Hat, the CloudNative Computing Foundation and ecosystem partners. Welcome back to theCUBE here in Barcelona, Spain at the FIRA, it's KubeCon CloudNativeCon 2019. I'm Stu Miniman, my co-host for two days of live wall-to-wall coverage is Corey Quinn. Joining us back, we have two CUBE alums. Liz Rice, right to my right here, who is a technology evangelist with Aqua Security. Liz, thank you so much, welcome back. Pleasure to be here. And Jeff Brewer, vice president, chief architect, small business and self-employed group of Intuit, a CUBE alum since a few hours ago this morning. Jeff, welcome back. So we've got you back with a different hat, which everybody in our industry can definitely recognize. We wear lots of different hats. We have lots of jobs thrown at us. Both of you are in the Technical Oversight Committee, and Liz is not only a member, but also the chairperson, president. The president is definitely a promotion. Yeah, I'm chair of the committee. As it's known, the TOC. So Liz, before we get there, your shirt says plus one binding. You have to explain for us and did not get a preview before the interview, so we'll see where this goes. So it's one of the perks of being on the TOC. When we have something that comes to a vote, we want to get input from the community. So we ask anyone in the community to vote, but unless you're a member of the TOC, your vote is non-binding. But as a member of the committee, we have binding votes, and the traditional thing you write on the voting email is plus one binding. So it was a nice surprise to get a T-shirt when I joined the TOC. Can you just give us our audience that might not be familiar? The TOC, give us some of the key things about it. Yeah, so it's the Technical Oversight Committee for the CNCF, and we are really the technical curation of the projects that come into the CNCF, which projects will get support, and at what level? Because we have the sandbox experimentation stage, then incubation, and then finally graduation for the really established and kind of de-risked projects. So we're really evaluating the projects and kind of making a decision collaboratively on which ones we want the CNCF to support. All right, so Jeff, we had a great conversation with you about into its cloud journey. Tell us how you got involved in the TOC, and we always love the end users, not just using but participating and helping to give some governance over what the community's doing. Yeah, so about a year and a half ago, we made a decision to acquire a small company called Aplatics, who was actually already in the end user community, and also contributors as well. And through that acquisition, I was part of that acquisition, I led that acquisition from the into its side, and really got excited about the Kubernetes and the KubeCon story overall. Through the Kubernetes experts, I met them at a KubeCon, and they introduced me to a whole lot more of the community. And so just through some overall partnerships with AWS and also spending a lot of time with end users, that's how I really got to know the community a little bit, and then was voted onto the CNCF as an end user representative in January, so. Wonderful. As far as your concern, as you go through this, do you find it challenging at times to separate your roles professionally from working for a large company to whom many things matter incredibly? Again, as mentioned earlier, I am one of your customers. I care very much about technical excellence coming out of into it, versus your involvement with the larger project. Yeah, so like most people in technology companies, I'm extremely busy, and I would love to spend, I would love to clone myself and spend more time doing a dual role. Clone projects to the TSC, we will prioritize that one. Exactly, exactly. And the way I really balance it is that I make an explicit time carve out for those two activities. And most importantly, I attend the meetings, the TOC meetings that we have, those are extremely important. We have a lot of, we get a lot of project reviews in those meetings, Liz chairs those meetings, and that's where I always make sure that my schedule is cleared for that. Taking it, I guess, one step further, it's, do you find it challenging at all to separate out, in fact, when you're making decisions and making votes, for example, that are presumably binding, plus one binding as we go down to terminology, do you find that you are often pulled between trying to advocate for your company and advocating for the community, or are they invariably aligned in your mind? Yeah, I mean, it's, my job's the easiest because I come from an end user. And so what I use and what I consume is likely what the community at large, there might be some niches and stuff like that, but I usually don't have that conflict. I don't know, as more of a vendor, you might have more of a conflict. It's something that I have to be conscious of. I mean, I just try to mentally separate. I, you know, I have a role with a company that pays my salary, but when I'm doing open source things, you know, I, if I feel conflicted about, this hasn't really come up yet, but if I do feel that there's some kind of conflict of interest, I will always recuse myself. Actually, my previous role as the co-chair for the program committee for the Cube Hall and Cloud Native Conference, on a couple of occasions we had competitors submit and I would always just step back from those because it's the right thing to do. All right, so Liz, there's quite a few projects now under the umbrella of the CNCF. If I got right, it was like 38 different ones when Brian went on the stage this morning, 16 in the sandbox, 16 incubating, and six have graduated now. How do you manage that? And you know, there's some of the community are like, oh my gosh, you know, reminds us of like kind of big tent from some initiatives, some other things here. You know, how much is too much? How do you balance that? And what's the input of the TFC? Yeah, so one of the things that we're doing with the TFC is we've just established a thing called the SIGS, they're special interest groups, very much following the same model of Kubernetes SIGS. But the idea here is that we can kind of formalize getting experts in the community to help us with particular kind of areas. So we've already got a storage and security SIG setup. We expect there will be probably four to six more coming on board during the year. And that helps us with things like the project reviews and the due diligence to just be able to say, we would really appreciate some help. And those groups are also really enthusiastic about kind of sharing kind of knowledge in the form of things like white papers. So I think it'll be really important, you know, for end users to be able to navigate their way around these projects. Quite often there is more than one solution for a particular thing and being able to in a non-vendor way, in a neutral way, express why Project X is good in one circumstance and Project Y would be better in a different environment. There's work to be done there and I'm hoping to see that come out of the SIGS. This is one of my passions as the end user representative is that trail map or that roadmap. That's one of the reasons why we really have invested at Intuit in the Kubernetes technology. We didn't end the cloud native technology. We didn't just roll them out as is. We actually curate them and create really a paved road for our developers to navigate that space. And as we heard from your story, it's not always well if there's some overlap, use Istio and Helm and there's a fit for both of those in your environment, right? Yeah. From I guess a end user perspective, is there a waiting difference between someone like Intuit and someone like Twitter for pets where there's slight revenue, the slight revenue difference, slight scale difference, slight everything difference? Yes, yeah. Yeah, certainly there is. And I think that, but that's one of the beautiful things about the cloud native technologies is it's a, you know, you consume what you need and what you want, right? It's not one size fits all. And so a lot of people talk about, oh, there's a paradox of choice. There's so many projects, right? And actually that's a benefit. And really all you need is that roadmap to navigate your way through that rather than just adopting a paved road that might not work for everybody. It almost feels on some extent almost like the AWS service catalog. Whenever you wind up looking at all the things they offer, it feels like going out to eat at the Cheesecake Factory where there's 80 pages of menu to flip through with some advertisements. Great. And reminding yourself at times that they are not Pokemon, you do not need to catch them all. It's sometimes a necessary stab as you start to contextualize this. And that's one of the great things about having over 80 members in the end user is you can find a buddy. You can find a company like you, talk to them, get connected with them and figure out what they're doing and learn from them. So that the community is broad enough to be able to do that. All right, so Liz, let's talk about security. So, you know, you said there's a sig that started up, you know, where are we? How are things going? What can you share about where we're going in the near future? So the sig came together from a group of people who really wanted to make it easier for end users to roll out their cloud native stacks in a secure fashion. And we don't always, as a community, speak the same language about security. We don't always have the most secure settings by default. And they really came together around this common interest of just making it easier for people to secure. And I think a big part of that will be looking at how the different projects, you know, are they applying best practices from a security perspective? Is there more they should do to document how to operate their particular project more securely? So I think that whole initiative and that group of people who've come together for SIG security, I'm so impressed and so pleased that they have come together with that, that enthusiasm to help on that front. Any commentary on what you're seeing in this space? Yeah, so, I mean, as a almost a FinTech company with a lot of FinTech and, you know, we're not quite a bank, but we have a lot of the same security and compliance things. That sig is so, so important to us and having a roadmap. And I found education is really, really big part of it of the security experts, right? Cause this is somewhat newer technology. And even though it's been in use at Google, you know, for a long time, the regulators and compliance people don't totally understand it, right? And so you have to have a way to explain to them what's going on. So things like open policy agent, something that we've adopted helps us explain what's going on in our system once they get it. This is awesome, and our end users can now really, our end users, meaning the people that use QuickBooks and TurboTax can really trust that we have those guardrails in place. Yeah, I mean, at Acquare, it's a huge concern from a lot of our customers, many of whom coming from that kind of finance industry, that they're coming to us and saying, well, how can I be PCI compliant or GDPR, how do I manage these requirements with my container-based stack, with my cloud native stack? And you know, that's why there is this huge ecosystem, quite a lot of effort around security, compliance, policy. It feels very much like it's two problems rolled into one. First, how do you make sure that data is secure in these things? And secondly, how do you effectively and responsibly communicate that to a regulator who expects to be taken on a tour of a data center when they show up on site? I checked, they won't let you. Yes. There are definitely two sets of security people in my experience. There are a set of people who care about how will I get attacked, how will breaches happen? And there are other people who go, I have a checklist and I need to check the boxes in the checklist, tell me how. And you know, sometimes those two things overlap, but not always. All right. There's a lot of updates, as always. Jeff, I really appreciate your commentary there. Well, there's the paradox of choice, but we have a lot of customers out there and therefore they do. Any highlights you want to share with our audience? I think one thing that happens every year is we see more, well, we saw Kubernetes graduate I think early last year, end of the previous year. Now we've got six projects into graduation. And from my perspective, that says something about how mature this whole set of projects, this whole platform is becoming. Because graduation is a pretty high bar, not least in terms of the number of end users that have to be using it in production. So this is solid technology. Yeah. Any highlights from you? I think, like we might have touched on a little bit this morning, but I think that usually the technologies that where you're facing the big problems is pretty obvious which one to use, right? Like serverless, you're going to go to look at something like Knative or whatnot. Functions as a, there's some open fast projects whatnot like that. And Istio and services meshes is another one where it's getting mature and it's getting to the point where you can have these ubiquitous service meshes throughout it. Those are kind of the areas that we're most looking at right now. All right. Well, Liz, Jeff, thank you so much for joining us. Thanks for all the work you do on the oversight committee and appreciate you sharing the updates with our community. Thank you for having us. Thank you. All right, for Corey Quinn, I'm Stu Miniman and we'll be back more with theCUBE here at KubeCon CloudNativeCon 2019. Thanks for watching.