
Jetstack Helps Enterprises Secure The Software Supply Chain | Matthew Bates


Jetstack helps businesses to build and operate cloud-native infrastructure with Kubernetes. The company was formed back in 2015, just a year after the Kubernetes open source project was started. Matthew Bates, CTO of Jetstack, sits down with Swapnil Bhartiya in this episode of Let’s Talk from KubeCon + CloudNativeCon EU to introduce the company and its mission.

Jetstack recently released a toolkit to help development and security teams secure the software supply chain. Bates feels that this is something the industry needs to take seriously, and that people need to be made aware of how sophisticated the attacks now being seen have become. He discusses what Jetstack is doing to make this topic easier to digest and act on.

On discussing why he thought Kubernetes was such a game changer when it was first released, Bates says, “We felt that this presented a really interesting opportunity to be able to build those systems, and also for enterprises to rethink the way that they develop, build and ship software as well. We thought it was the start of a real shift.”

Besides the opportunities Kubernetes brings, Bates gives some insights into the challenges enterprises face as they try to navigate Kubernetes and cloud-native technologies. Security remains one of the critical challenges. However, Bates feels that security is increasingly being made a priority earlier in the life cycle.

Key highlights from this video interview are:

  • Bates describes what motivated him to form Jetstack and how the introduction of Kubernetes presented many opportunities for building complex, potentially stateful systems. He discusses the challenges enterprises faced as they looked to understand and embrace the new technology, and how Jetstack has been helping.
  • Bates explains that Jetstack is both an advisory and a product company. He goes into depth about the customers they are helping, particularly very large banks, and how Jetstack is helping them understand the challenges and the breadth of tools in the Cloud Native Computing Foundation (CNCF) ecosystem that can address them.
  • The cloud-native ecosystem is evolving, and compared to traditional IT it is considerably more complex. Bates discusses the evolution they have seen over time in how people consume Kubernetes, and how the ecosystem is maturing.
  • Security continues to be a critical consideration for cloud, with zero-trust remaining complicated to implement. Bates feels that DevSecOps is making security a priority rather than an afterthought. He explains the benefit Kubernetes brings by allowing security to be built into the platform itself.

Connect with Matthew Bates (LinkedIn, Twitter)

The summary of the show is written by Emily Nicholls.


Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed.

Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya, and welcome to another episode of Let’s Talk here at KubeCon in Valencia, Spain. Today we have with us Matthew Bates, CTO of Jetstack. Matthew, it’s great to have you on the show.

Matthew Bates: Oh, thanks for inviting me. Really glad to be here.

Swapnil Bhartiya: Of course. I’ve been to booths, and I’ve seen your booth downstairs as well, but this is the first time we are talking to each other. So, I would love to know a bit about the company since you’re also co-founder. Tell me why you created the company. The company’s also relatively old in this world of Cloud Native around. You guys are almost grandparents. You are as old as Kubernetes. So, talk about why you created the company, what problem you’re trying to solve back then, and then we’ll talk about what’s going on now.

Matthew Bates: Sure. So, we founded the company back in 2015. So this is just a year after the Kubernetes open source project was started. And at the time I worked at MongoDB, and this was a time when great growth in NoSQL, and a real demand for database as a service, to be able to consume lots of databases, and orchestrate the databases across potentially multiple clouds. And so, took a real interest in Kubernetes, because it saw it as the future of being able to build on. You almost have the substrate that you can build complex, potentially stateful systems on. So we founded the company because we felt that this presented like a really interesting opportunity to be able to build those systems, but also for enterprise, to like rethink the way that they develop, and they build and ship software as well. We thought it was really the start of a real shift. And we knew that, just like we’d seen with NoSQL, just like we previously seen with cloud, that a lot of enterprise was going to need a lot of help.

Huge amount of new technology arriving. They would need to be able to understand it, embrace it. And so, for the early years we started out with consulting in mind. So, rather than building a product, we really wanted to get close to customers, really wanted to understand, help them educate them. So, we did a lot of training. We did a lot of almost evangelizing really, of the project, and understanding where the gaps were as well. So, wanted to help them really make the most of it. And we had great number of successes with early startups. We were helping some of the hottest kind of startups in the UK, for instance, some of the Challenger Banks as an example, and they managed to really get going with our help.

And now of course the rest is history. They’re running entire banks on Kubernetes. But what we learned along the way, the gaps, we kind of realized where Kubernetes fulfilled the need, but actually there was additional requirements, or required capabilities. And one of those was around certificate management. It’s a hard problem, being able to develop, especially not keen to vector certificates and particularly to have to renew them as well. There’s a lot of toil, effectively, associated with fetching a certificate and ensuring that it remains up-to-date. So, we built in the very early days, a project we call Kube-Lego. The Lego, Let’s Encrypt Go. So we use the Let’s Encrypt Go library in order to automate the issuance of certificates using Akamai. And this is a time when Let’s Encrypt was just coming about, and quick, easy, free certificates, what’s not to like? So, we used Akamai in order to automate certificates for Kubernetes and OpenShift.

And it really, really picked up a huge amount of interest a couple years later realized actually, it’s not just Akamai, this is a problem that’s faced by enterprise and can we plug in other CA’s. How can we make this really extensible to lots of different CA’s? How can we also make it agnostic of used CA’s, because certificates get used for all sorts of purposes, X.509 Certificates get used for all sorts of purposes. So, we built Cert-Manager, we started the Cert-Manager project. It’s a project that we still maintain today as well, donated that to the CNCF last year. So it’s now a sandbox project, downloaded millions of times a day, and used by many, many developers across the Cloud Native community, and also used by ecosystem projects as well. For instance, we’ve worked with the Istio project as an example, the LinkerD project, in order to integrate it as part of their software.

Swapnil Bhartiya: Excellent. So, if I ask you in a nutshell, the way you explain the kind of problem you’re trying to solve for the ecosystem, what exactly is Jetstack today? What do you folks actually do? Do you help just with the getting started of the Kubernetes, or you help them, because now you’re doing so many different things. Who are you?

Matthew Bates: Absolutely. So, today we are an advisory, and a product company. So we continue the advisory today. We have a team that work across Europe, helping customers, we’re working with some very, very big banks at the moment, as they’re really effectively re-platforming. They’re, they’re taking entire systems, and they’re moving them across the Kubernetes at quite some scale, hundreds and hundreds of clusters, and they’re having to do so with security foremost in mind. Clearly banks, regulated industries want to be able to embrace this because they need to move fast, but they need to do it securely. So we have teams that are helping them to understand the challenges and really using the breadth of the tools in the CNCF to address that. So, advisory very important to us. Training, people are entering this ecosystem all the time for the very first time, and they need to be able to understand how to make best use of this technology.

And so, we do a huge amount of training in person. We do some really interesting war-gaming, where we actually break things and see how things look, we’re going to look on day two and beyond that, really fun, really challenging that the company’s really value. We also have now, and we’ve been building with the help of our parent company Venafi, a product for Cert-Managers. So if you’re taking Cert-Manager of the Open Source project, and you’re operating it across many clusters, potentially many clouds, and embracing things like Service Mesh as well for doing secure, service to service, Mutual TLS, as many of our customers are, we’re building, effectively, a control plane that enables you to have control, consistency of those configurations, the orchestration, and the visibility as well. And that’s really helping some of our biggest customers to take really Cloud Native zero-trust to the scale that they are now demanding.

Swapnil Bhartiya: Since you’ve been there for a very long time, the whole ecosystem has evolved, markets evolved, the use cases of the early days, it was kind of more or less, like serverless. Sorry, early days was stateless and stateful applications are there. We are talking about data production, we are talking about security, we’re talking about high availability, what you would see in a traditional IT landscape is becoming the Kubernetes, but compared to traditional IT, LAMP stack, Kubernetes is much more complicated. There are so many knobs to turn. Also, you talked about banks, of course security is important to them, but regulations are even more important, and especially if you look at European banks, they’re even more. So, how have you seen the space evolve over time as you are serving these folks who want to consume Kubernetes?

Matthew Bates: So, I think really go back a few years, a number of those types of customers really started small. If you go back to some of the early KubeCons, a number of those customers starting small, small clusters, really generally speaking, one application perhaps only line of business experimenting with Cloud Native. Think fast forward now a number of years, and what we’re seeing, particularly in some of our biggest customers, is entire re-platforming. This is not just serving one line of business, but this is now proving value to almost the entire enterprise. They want to be able to move fast. Number of our customers, they need to keep up. They need to remain relevant, they need to be delighting their customers. And so, what we’re finding now is that as the ecosystem is maturing, it’s getting to a level where they actually can bring, mission-critical production workloads to Kubernetes, and of course OpenShift as well.

Swapnil Bhartiya: Can you also talk about, because as you’re talking about the bank’s security, traditional IT world security was someone else’s problem. We are seeing shift led movement. We talk about zero-trust, but sometimes these are more of [inaudible 00:09:02] than seeing in actual practice. Because even talking about zero-trust is easy, but implementing it, most people have no clue what it is. So, how have you, what kind of problem you see there, because you actually help customers in resolving them?

Matthew Bates: We do. We’re embedded in a number of customers who are doing this. And what we’re starting to see is a real interest in DevSecOps, now really thinking about security first. So, rather than it being that somewhat afterthought, when you’ve built everything and you’ve then put it to the security team for approval, what we’re now seeing is security being embedded a lot sooner in the software development life cycle. And in fact, when projects kick off, applications are being built for the very first time having the security teams actually there. And I think what’s certainly a benefit of something like Kubernetes is now security can be a platform offering. It can actually be built into the platform. So developers themselves have all the tooling built into the tool chains that they already use, the controls are put in place, such that they have confidence that what they’re putting through that life cycle is secure, it’s trustworthy, it’s reliable. So, I think certainly much more interest in DevSecOps than we’re actually beginning to even see people with those titles, in some of those customers that we have, it’s really being realized now in the industry.

Swapnil Bhartiya: So we talked about the company, we talked about the kind of problem you’re solving, we talked about the kind of customer based user, where you’re focusing on. Anything else you want to talk about, or you think we have touched some core points to understand what the company is doing?

Matthew Bates: Yeah absolutely. So, one of the things that we’ve just put out, just recently in fact just this week, is a toolkit for secure software supply chain. It’s absolutely on everyone’s lips at the moment. In fact, I’m pretty sure the SBOM and various keywords even get mentioned now in the boardroom. This is something that we need to take seriously, SolarWinds, Log4J, we’re all aware of the very high-profile attacks that have been made. And I think it’s definitely woken people up to the risk, and also the sophistication of the risks as well, in the attacks that we now see. So I think it’s really shining a light. And of course, just this morning, one of the keynotes we were hearing from Shopify about what they’re practicing, and how they’re addressing it as well.

So what we’ve done is we’ve taken a lot of the great, great guidance that’s out there, so the CNCF of course, have a white paper on this, Nest have put out some guidelines following the executive order, and a number of other materials that are out there. But, there’s kind of a lot out there to digest. I mean, if you are a company that’s got a supply chain already, a software supply chain, how do you make changes to it? How can you actually raise yourselves a level, for instance, there’s hundreds of recommendations. So what we’ve done with the tool kit, is provided a really digestible means to be able to understand, what’s the guidance, what’s high priority, and what’s low effort. And so, really using a kind of radar, what we’re able to do is point people to really actionable recommendations that they can take, linking out to those created articles from the CNCF for instance, and as well as the Venafi blueprint that is Open Source.

So really providing that means to understand what they can do. And it might well be just sort of taking the small steps, not fast forwarding over years of effort, potentially to [inaudible 00:12:47], but actually really taking the small steps that companies can take today to increase their security posture.

Swapnil Bhartiya: Matthew, thank you so much for taking time out today and talk about of course, not only the company, but you talked about some niche tech, which were like more FinTech, but it solved the broad problem as well. So thanks for sharing those insights as well. And I would love to have you back on the show. Thank you.

Matthew Bates: I’d love to be back. Thanks very much.
