Manage Secure Access to Kubernetes With Rafay's Paralus

Rafay Systems is in the Kubernetes operations space, and their SaaS platform helps organizations get control over their Kubernetes fleet. Their new open source project called Paralus, aims to help manage secure access to Kubernetes from anywhere.

One of the challenges of the pandemic was developers working from home struggling to access their Kubernetes clusters that were behind firewalls with VPNs and Bastion. Rafay Systems created their enterprise zero-trust access solution to tackle this problem, but the company saw it also as an opportunity to give back to the community, and Paralus is the result of this.

In this episode of TFiR Let’s Talk, Swapnil Bhartiya sits down with Mohan Atreya, SVP of Product and Solutions, Rafay Systems, to introduce us to the company and tell us about their enterprise zero-trust access solution and why they decided to offer it as an open source version.

Developers working from home during the pandemic were struggling to access their Kubernetes clusters running behind firewalls, having to run VPNs and Bastion. This led to creating their enterprise zero-trust access solution. Atreya explains how they are helping tackle this challenge and why they decided to create Paralus.
Rafay Systems is planning on contributing the open source project to CNCF. Atreya discusses what stage in the process they are at. He hopes that it will attract other companies’ contributions and new use cases.
Unlike other companies who may offer fewer features with an open source offering compared to an enterprise version, or add in a support license, Rafay Systems wants to provide the same features for both the open source and enterprise versions. Atreya tells us why the company decided to take this approach.
Atreya feels that for Ops and SREs, their focus is mainly on availability, uptime, and automation, and security can come after that. It can be challenging to navigate the security issues, particularly with more users needing access. Atreya explains why he feels security needs to be part of the package rather than an afterthought and why access control is so critical to get right.
It can be complicated for organizations to manage many users needing access to Kubernetes clusters, when they are constantly moving across business units and changing roles, or having a fleet of clusters to manage. Atreya discusses the reasons why organizations may need access control and how their solutions can help.

Connect with Mohan Atreya (LinkedIn, Twitter)
Learn more about Rafay Systems (Twitter)

The summary of the show is written by Emily Nicholls.

[expander_maker]

Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed.

Swapnil Bhartiya 0:00 Hi, This is your host, Swapnil Bhartiya. And welcome to another episode of TFiR Let’s Talk. And today we have with us once again. Mohan Atreya, SVP of Product and Solutions, Rafay Systems. Mohan. It’s great to have you on the show.

Mohan Atreya 0:12 Thank you very much. Thanks for the opportunity.

Swapnil Bhartiya 0:15 We have, of course, covered you folks earlier in the past, but it has been a long time. So I will just refresh the memory of our viewers quickly remind us what Rafay Systems is all about?

Mohan Atreya 0:26 Yeah. So we are in a category called Kubernetes operations. So we are a SaaS platform that helps organizations get control over their Kubernetes fleet, and get everything organized and managed organizationally.

Swapnil Bhartiya 0:44 Perfect. And today, we are going to talk specifically about a new Open Source project called Paralus. So first of all, give us a quick overview, what is this project all about? Why you created it is because if you do look at zero trust, you know, access, which is going to be the focus of this project. I mean, this kind of seems like a solved problem. So what unique challenges that you still saw there that you felt, hey, we need to come up with a project?

Mohan Atreya 1:18 Yeah, absolutely. Yeah, this was actually created as it was a contribution the company decided to make to the community based on a service that we offer on our platform. So about two and a half years ago, literally just before COVID started, we had a lot of people in the company come from the axis background, including me. And I used to work at a company called Okta before the access management space. And the rest of the company, the engineers and leadership also worked in a related space as well. So he doesn’t need the space very well. So the problem we heard from customers at that time is, you know, developers are at home, they want to access their Kubernetes clusters that are running behind a firewall. And they really hated using VPNs, and bastions and all of that. And then when there was a fleet of clusters, 1020 clusters, the security team would come and say, Hey, I have no idea who is doing what, on these clusters, right? And then who did what, on these clusters. And it’s in some ways, if you think about Kubernetes, Kubernetes is essentially your new data center. Right? So if you don’t have this question answered, and you can have the right balance between the user experience or developer experience and the right controls in place, when you’re in a terrible state at that time, right, you have an impractical deployment at that time. So when we launched this service, we saw the problem using our enterprise zero trust access solution, and it, you know, then COVID came in, gonna force everyone to work from home. And it became the fastest growing and most heavily utilized service in our enterprise platform. And one organization came and told us, this is fantastic. But, you know, I may not always be able to become a customer of Rafay, why can you know, the great guys in contemplate, you know, in helping others as well. And, you know, their platform is built on a bunch of Open Source technologies, we leverage Open Source, and it’s our opportunity to give back, right, you know, we are now you know, CDSP funded company, we are pretty far along, we have large enterprise customers, we felt the right time to take that thing we built and financed and tuned and package it, and give it to the rest of the world to us if they have this problem. So that was the genesis behind it. For the catalyst project, we named it appropriately right, like, if you look at panelists, it’s, it’s, you know, it’s named after a Greek ship. And you look at the history there, I mean, it’ll be pretty interesting if you do a Wikipedia search, you’ll see some interesting tenets there and characteristics and we believe in that vision as a company and we hope this Open Source solution will help customers achieve those goals. So, the name was very deliberate Yeah,

Swapnil Bhartiya: Most Open Source projects, there are a couple of you know approaches one is that project can be a company owned or managed project can move to a neutral foundation. So what is your plan for the project long term plan it’s too early but it’s still

Mohan Atreya 4:50: So we’ve been working with CNCF and we want to contribute this to CNCF, usually many 100% Right. When just because something is Open Source means nothing, right? It has to be governance for Open Source projects is really important. So the ideal approach for this is to contribute it to CNCF, which, you know, a lot of projects tend to go there. And but CNCF requires us to check a bunch of boxes before, you know the tickets or the process, right. So we’re working on that process right now. But the intention is to contribute it to CNCF, and then even bring in other people who can contribute because the advantage of Open Source is, it doesn’t have to be just us contributing, it can be the whole world and other companies contributing, right. And so this is a problem that everybody has. So we think as awareness increases, as adoption increases, there’ll be contributions and new use cases that many of you haven’t even thought about that will come in. And that has to be governed and and managed and CNCF would be the right place to do that. So that’s kind of what we are pushing for right now. Great question, though. Yeah, and

Swapnil Bhartiya 6:02 I think that’s a nice approach, because it solves a lot of problem number one is that folks don’t have to worry about you pulling the plug tomorrow, you change the license tomorrow, or also, competitors don’t have to worry about being logged in, or logged out. It’s a neutral place. So everybody can contribute. And you also don’t have to carry the whole, you know, luggage and baggage on your own shoulders. The brightest folks from the community can come in and contribute to the project. So that’s the right approach for any project. Now, when we look at a lot of Open Source projects, Open Source solves the one problem. Day two is the real challenge. And that’s very commercial support behind Open Source projects come into play where either you offer additional features or support that not everybody wants it, the community will not be interested in it, but few customers will be interested in, you want to log on somewhere, or do you want update and maintenance? So do you also have any commercial plans around Paralus also?

Mohan Atreya 6:54 Yeah, so many opens is actually a very good question. So given the history, and the journey explained, right, like when we attempted to solve this problem in our platform, and then realize the world needs it, and we decided to create a derivative Open Source out of it, we kind of have had reverse journey compared to many of the other Open Source projects that exist, right, because a lot of others is part with Open Source. And then they take one or two options, they basically say, here’s a support license, pay me money, right? Or they may take a position that, Hey, Open Source has fewer features than an enterprise version, we decided we don’t want to do any of that. Because you know, all of those feel like it’s a bait and switch for us. Right. So they kept this distinctly separate, an organization that decides to use parallels, right, they get the pure upstream version of the software, and there is no, there is no reason for them to move to a Rafay supported version or someone else, right. In fact, someone else could potentially take this thing and build a service themselves. On top of it, that option also exists. Now we provide a small part of our platform, Scotland. So its zero trust access is one out of the several services we offer on the platform. And the reason why people use our enterprise version is the simplicity, the ease of use. And when I say Simplicity is the operational simplicity. There’s nothing to install, nothing to manage and rescale it. So when people come to that they come for those reasons, right. And then of course support, they can come and scream at us if there’s a problem, or we can help them quickly. But there’ll be a suite of customers who will not want that and they will say I want to run this myself. And Paralus is well designed for them. And there is not going to be a bait and switch, kind of a licensing model. Everything that is available in our enterprise version, the equivalent thing will be contributed back to panelists, we’re trying to keep this pure, right and follow the CNCF model where there is not a bait and switch kind of approach. But yes, customers do have an option to commit to Rafay for the enterprise solution if they want to.

Swapnil Bhartiya 9:16 Perfect. Thanks for explaining that in detail. Now. Let’s just, you know, we have a very good understanding about the project and what you folks are going to do there. I also want to quickly talk about the whole security landscape because there is an increased focus on security. The interesting thing is that we keep reading reports where despite all the focus on security, there still seems to be a lot of worrying trends. Where instead is still a gap between preaching and practicing. What have you seen in space that how secure of course you know, once you move to cloud, a lot of people’s sins is a magical place, you know, assault on a problem, but that’s not the reality but it does help a lot with a lot of things. Do you think 100? So what I want to understand from you is what have you seen in these two years? When it comes to security?

Mohan Atreya 10:09 Yeah, yeah. So there seem to be two approaches people end up taking. And this is predominantly driven by the typical personas in MCs. If you think about a typical ops and SRE person, they are predominantly focused on availability, uptime, automation, you know, being able to reproduce stuff, right. And security kind of becomes like a number two item, it’s not job number one for them. Although it’s top of mind, it’s not number one on the list, right, because everything else trumps it. And then there’s a security team, typically, that is looking at a very wide spectrum. Kubernetes is one of the many silos that to worry about right? is typically a newer thing for them. Right? So what we find in the market is when these two themes kind of land up, intersecting, that’s when this concern and problem lands up surfacing. Right. Now, there’s a third angle here, as adoption of Kubernetes lands up increasing in an organization, there’s more and more users, internal users, whether the developers and other people who need access to stuff, right. And they expect a great user experience, right? Like, they don’t want to slow down, right, they expect to move really fast. So when the combination of these three things come together, that’s when the organization lines up realizing that, hey, I need to, in a security becomes like, it needs to be part of my package, not not like an afterthought. And it actually, if done well can actually result in a transformative experience for the developer. This is kind of what results in when people say zero trust, you know, why is that energy behind it? Why is there momentum behind it, because it’s an opportunity not just to be secure, but also do it in a transformative way, simple way, low cost way lower anyway. So now, having said that, the the we do meet some organizations that sometimes are, in my opinion, correctly, breaking up the problem into what I would call as solving the table stakes basic problems for security first, and then dealing with a more complex use cases later, because for security is a journey, right? You don’t have to solve this one problem. It is a big list of 2030 things you got to solve. And sometimes taking care of the basics is really important. And we believe axis is a foundational aspect, because he can live without it when you have a cluster. And if you can access it is game or right? And if you don’t know who is accessing your cluster, and you haven’t right open on the internet is game over again. It’s such a foundational piece that organizations need that. We believe it’s seminal to security, right? Sure, you can do Container scanning and all of that those are also important, but the need to do that day one is the million dollar question.

Swapnil Bhartiya 13:12 Excellent. Once again, thanks for explaining in detail. I think I mean, to be honest with you, this is a topic where we can sit for hours and have a discussion. I think from the perspective of this announcement, we do have everything that we need. We talk about the product, we talk about the future, we talk about whether it’s going to a foundation, we talk about the commercial angle, as well. Is there anything else that you feel enough personally, where you’re also there that hey, Swapnil, we should have talked about that. Also, you think that we have everything covered?

Mohan Atreya 13:40 I think at a high level, I think we have most of it. I think one particular thing maybe we didn’t talk about is why is this difficult?

Swapnil Bhartiya 13:54 Right?

Mohan Atreya 13:56 At what point is it lambda getting complicated for people that they say I need something like this, right? Is that like a compelling point? Right? Like an inflection point, very becomes so obvious that I gotta have something like this, maybe maybe a quick one minute thing that might be useful.

Swapnil Bhartiya 14:18 You can you can so yeah, go ahead.

Mohan Atreya 14:21 Yeah. So from an organizational perspective, you know, many organizations, is this just starting out, right? with Kubernetes, some of them are very mature. Not everyone is there yet, right? So typically, what we find is, that is an inflection point, when it becomes apparent that they had to solve this access problem for Kubernetes. And it usually happens when one of the two are true or both are true when they have many users, like think of developers that need access to, you know, hundreds of people who are constantly moving across business units, moving roles. was changing roles, then it became a nightmare for people, right? Because, you know, how do you configure this? How do you make this all work? It all has to tie in with a source of truth, typically someplace where you might manage your identity, right, like an HR system and Active Directory or Octa or something like that. The second compelling event is when they have a fleet of clusters when they have many clusters, you know, five clusters, six clusters, 100 clusters. And these are running in separate security domains like think one in a data center in the US, one in the data center in Europe, one in Asia, back etc. Right? Now you have a different level of pain. At that point. Something like a Paralus becomes super obvious for people. If people are only one cluster and two users. They may not really feel the pain, as in panelists. Think of it like Advil or paracetamol. When you feel the pain, that pain happens when you have those too many users, many clusters. That’s when you feel the pain and you need the Advil or Paralus.

Swapnil Bhartiya 16:06 Thank you so much for taking time out today. And not only talking about this product, but also sharing, you know the pain point that folks feel with clusters and how this product is going to help them solve the problem. Thanks for sharing those insights. And as I said earlier, we should have these discussions more frequently, not as such huge guests so I will look forward to it. I look forward to having our next discussion soon. Thank you.

Mohan Atreya 16:28 Thank you Swapnil. Good to talk to you again. And looking forward to chatting again.

[/expander_maker]

You may also like

Cosmonic contributes Kubernetes operator to CNCF wasmCloud ecosystem

Why AWS backs Valkey, an open source alternative to Redis | David Nalley

LF Energy leads digitalization efforts to tackle decarbonization challenges

Carbon Data Specification Consortium helps drive climate solutions with carbon data standardization

PRAGMA aims to foster Cardano’s growing open source ecosystem

Tackle data complexity with Hasura v3