#023 – Kubernetes for Humans Podcast with Liz Rice (Isovalent)

Itiel Shwartz: Hello everyone, and welcome to a special episode of Kubernetes for Humans podcast. Today with me on the show, we have Liz Rice. Liz, can you please introduce yourself?

Liz Rice: Hi, yes, I’m Liz Rice. I am Chief Open Source Officer at Isovalent, which is the company that originally created Cilium, which a lot of people know for networking and security in Kubernetes.

Itiel Shwartz: Liz, maybe give a bit of a background. You’re very strong in the security and Go community, so maybe a very brief overview of your background.

Liz Rice: Sure. My original background, back when I graduated, was really in network protocols. I spent a bit of time doing consumer-facing things, and then probably around 2015-2016, I got into the world of containers. I became interested in how containers work, and that naturally led to thinking about how you could attack them. I wrote a book about container security, and early on in my container journey, I saw Thomas Graf talking about eBPF. I remember thinking, “That’s super interesting technology,” but it was very early days. A few years later, I became obsessed with eBPF and joined Isovalent.

Itiel Shwartz: So maybe give me the TL;DR: I’m using Kubernetes with AWS EKS, and I’m quite happy with that. Why would I want to use something like eBPF?

Liz Rice: eBPF gives us this incredible platform for building infrastructure tools. It allows us to run custom programs in the kernel, which means we’re in this incredible position to observe and influence things that are happening in the networking stack, when people are accessing files, and other kernel-involved activities. Cilium takes advantage of that to make the networking stack more efficient, so you get incredibly good networking performance for container networking. We also use it for network policy enforcement, and you get this very granular ability to protect traffic that’s flowing between workloads. You can have layer seven policies, FQDN policies—there’s a lot of ability to protect your workloads and limit your traffic to what you’re expecting.

Itiel Shwartz: I feel like networking is one of the areas that developers don’t really like. They usually don’t want to think about it, they just want it to work. Who typically brings Cilium into the organization? A developer is not going to say, “I want to replace all of the underlying network layers.”

Liz Rice: That’s exactly right. Developers shouldn’t have to think about the network. It should be part of the platform where they’re writing their applications, but they shouldn’t have to think about it. Maybe they’re thinking about their frontend service talking to a backend service, but they shouldn’t have to be thinking of that in terms of the network. We believe that’s true not just in the Kubernetes world, but also for connecting your Kubernetes workloads with existing legacy workloads. To the greatest extent possible, you want to be able to do that seamlessly. But to answer your question, a lot of organizations will have a platform team, a network team, or often a security team as well, because of Cilium’s ability to protect your traffic with network policies. More recently, we’re also doing runtime security with the Tetragon project.

Itiel Shwartz: How does that work? You’re already sitting there, you’re able to detect things, so share a bit about that.

Liz Rice: The history of this is that some of the Isovalent enterprise customers were using network policies and were seeing this traffic—potentially malicious traffic—being protected. But if you do get compromised, you want to know how the attack happened, where it came from, what’s the compromised pod, what’s the compromised application. They asked us, “Is there anything you can do to help?” And with eBPF, there is. We can very efficiently keep track of events that are interesting for forensics, and we can filter them in the kernel. Instead of every single file open event going to user space and then to a SIEM, and then someone having to sift through all that information, we can filter it down to only send events for a specific set of sensitive files. It makes it much more efficient and easier to deal with.

Itiel Shwartz: I remember Cilium as a very raw project a couple of years ago. Networking is super sensitive—this is the bloodstream of the organization, in a way. Do you think five years from now everyone will be using Cilium or eBPF-based networking? What does the future hold in terms of networking?

Liz Rice: We increasingly see all the major cloud providers with some networking layer that is based on eBPF in some shape or form. Google’s Dataplane V2 is based on Cilium—it is Cilium. Microsoft has Azure CNI for Cilium. AWS uses Cilium for EKS Anywhere, so it’s pretty much everywhere in some shape or form. I think we’ll see that increasingly.

Itiel Shwartz: In Komodor, we use AWS EKS—not EKS Anywhere at the moment—but our biggest pain point is EC2 and the associated network costs, especially across different regions. Does Cilium help with that? Do you hear network cost as a problem—distributing the network efficiently to save money?

Liz Rice: One thing you could do—there’s a feature called service affinity, which is really about saying, “If I have a service, I can distribute it across regions for high availability,” but you can prefer local services. So you say, “Only if there is no local service available, use a remote one.” At that point, you’ve got inter-cluster communication, but it helps manage costs.

Itiel Shwartz: Is that becoming more common?

Liz Rice: Yes. I remember back in the day when people said multi-cloud wasn’t really a thing, but now it’s absolutely a thing. Everyone is trying to do multi-cloud, but not everyone has figured out how to do it efficiently yet.

Itiel Shwartz: But you help mainly around the network, right? That helps with multi-cloud too. As big organizations move to Kubernetes, we see more and more legacy software that wasn’t designed to run in Kubernetes. How do we bridge that gap?

Liz Rice: Yes, there are lots of angles to this. There are security, networking, observability, and reliability considerations. The industry is maturing, and as Kubernetes adoption grows, the ability to connect Kubernetes workloads with legacy systems is improving.

Itiel Shwartz: Where do you think the industry is going in the next three to four years—beyond just networking, or other things happening in the space? We’re just finishing up KubeCon right now—they’re closing the booths on us as we speak. What do you think are the biggest trends that are apparently happening here?

Liz Rice: You can’t have missed AI at this conference. AI is everywhere. I think it’s a little bit over-hyped at the moment, but it’s clearly very important. People want to run their AI workloads on top of Kubernetes, which is definitely something people want to do. In terms of trends, I think we’re going to see a bit of a reality check after the hype dies down.

Itiel Shwartz: Other than AI, did you see anything else interesting at this KubeCon compared to the previous ones?

Liz Rice: I think the energy is back. This is the biggest KubeCon to date—twelve and a half thousand attendees. It’s massive, and the energy is high. People are here looking to deploy real-world solutions. There’s much less “science project” talk and much more practical implementation.

Itiel Shwartz: So the industry is growing up—the experts are becoming the end users.

Liz Rice: Yes, we have an end-user technical advisory board now for the CNCF, and those are the people with real expertise in operating Kubernetes. They know what the day-two problems are and how all these different components fit together. The maintainers, who were the specialists five, six, seven years ago, are now niche specialists. It’s the users who have the experience of putting it all together.

Itiel Shwartz: What will happen for Kubernetes in five years? Other than networking, which everyone will use, and AI, which will be something—any other trends you’re observing?

Liz Rice: We talk about Kubernetes being everywhere and the pervasive environment for running workloads. I’ve heard more people talking about using Kubernetes where they used to use VMs. It’s interesting to see more and more people choosing Kubernetes as the right choice, especially when combined with legacy workloads and edge devices.

Itiel Shwartz: We’re seeing more use cases that we didn’t think about a few years ago. One of the biggest food chains in America is now deploying Kubernetes in each of their branches—five or six thousand branches. Do you think edge will be a thing?

Liz Rice: Absolutely. I’ve seen case studies where people are talking about having Kubernetes in their stores or other edge environments. Networking is crucial for connecting those edge terminals.

Itiel Shwartz: We’ve talked a lot about how great Kubernetes is, and I agree, but what do you think are the biggest problems at the moment from a platform perspective? What is not working as expected?

Liz Rice: One hot topic is platform engineering and how you provide a consistent experience for developer teams. There’s been a lot of progress—things like Backstage and Portainer are tackling that problem, but it’s clearly something that still needs work.

Itiel Shwartz: Platform engineering is really on the rise. At the end of the day, developers are writing the programs that really move the business. Kubernetes is a lot of magic layers for them, and it’s a problem. Networking is never an issue until it is an issue—load balancing spikes, machines that don’t have enough bandwidth, things like that.

Liz Rice: Yes, DNS—because it’s always DNS.

Itiel Shwartz: We had a DNS issue not that long ago. It happens to everyone.

Liz Rice: Yes.

Itiel Shwartz: Okay, Liz, I think we can wrap it up with that. Any last words you want to share?

Liz Rice: I hope everyone who was here had a wonderful KubeCon, and I’m looking forward to the next one in Salt Lake City.

Itiel Shwartz: Me too. Thanks for having me here. Let’s hope we wrap this up.

Liz Rice: Yeah, I think someone already wanted to kick us out.

[Music]
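Two of the capabilities Liz describes above, granular network policy with layer seven and FQDN rules, and Tetragon filtering file-access events in the kernel down to a set of sensitive paths, look like this in practice. The manifest below is an added editorial example, not code from the podcast, Isovalent, or the Cilium or Tetragon projects; the label names (`app: frontend`, `app: backend`), the namespace, the hostname `api.example.com`, the API path prefix, and the watched file paths are all assumptions chosen for illustration.

```yaml
# Added example (not from the podcast or the Cilium/Tetragon projects).
# Part 1: a CiliumNetworkPolicy that pins a frontend's egress to exactly the
# traffic it is expected to produce. Label names, namespace, hostname and
# path prefix are assumed for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-egress
  namespace: shop            # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: frontend          # assumed label
  egress:
  # Layer 7 rule: only HTTP GETs under /api/v1/ may reach the backend on 8080.
  # Anything else to that port is dropped by the L7 proxy, not just rate-limited.
  - toEndpoints:
    - matchLabels:
        app: backend         # assumed label
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/api/v1/.*"
  # DNS rule with a dns matchPattern: required, not optional. FQDN policy below
  # is enforced from the DNS answers Cilium's DNS proxy observes, so without
  # this rule the frontend can neither resolve nor reach api.example.com.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # FQDN rule: external egress is limited to one hostname on 443, so a
  # compromised pod cannot call out to arbitrary hosts.
  - toFQDNs:
    - matchName: "api.example.com"   # assumed hostname
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
---
# Part 2: a Tetragon TracingPolicy hooking security_file_permission. The
# selector does the filtering in the kernel: only reads (MAY_READ = 4) of
# files under the listed prefixes generate an event, so the SIEM sees a
# handful of forensically useful records instead of every file open.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: sensitive-file-reads
spec:
  kprobes:
  - call: "security_file_permission"
    syscall: false
    return: true
    args:
    - index: 0
      type: "file"     # struct file *, used to resolve the path
    - index: 1
      type: "int"      # mask: 4 = MAY_READ, 2 = MAY_WRITE
    returnArg:
      index: 0
      type: "int"
    returnArgAction: "Post"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:          # assumed list of sensitive paths
        - "/etc/shadow"
        - "/root/.ssh"
        - "/var/run/secrets/kubernetes.io/serviceaccount"
      - index: 1
        operator: "Equal"
        values:
        - "4"            # MAY_READ only
```

Apply with `kubectl apply -f` on a cluster running Cilium (with the L7 proxy enabled) and Tetragon. Two things to verify rather than assume: run `hubble observe --verdict DROPPED` after applying Part 1 to confirm the frontend's unexpected flows really are being dropped, and run `tetra getevents` after applying Part 2 to confirm that a read of a watched path produces an event while reads elsewhere stay silent. Extending the Tetragon selector with a `matchActions` entry would turn the same policy from detection into enforcement; the example deliberately stops at observation.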

Liz Rice is Chief Open Source Officer with eBPF specialists Isovalent, creators of the Cilium cloud native networking, security, and observability project (recently acquired by Cisco). She was Chair of CNCF’s Technical Oversight Committee in 2019-2022, and Co-chair of KubeCon + CloudNativeCon in 2018. She is also the author of Container Security, published by O’Reilly. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, competing in virtual races on Zwift, and making music under the pseudonym Insider Nine.

Itiel Shwartz is CTO and co-founder of Komodor, a company building the next-gen Kubernetes management platform for engineers. He worked at eBay, Forter, and Rookout as the first developer.

A backend and infra developer turned ‘DevOps’, he is an avid public speaker who loves talking about infrastructure, Kubernetes, Python observability, and the evolution of R&D culture. He is also the host of the Kubernetes for Humans Podcast.

Please note: This transcript was generated using automatic transcription software. While we strive for accuracy, there may be slight discrepancies between the text and the audio. For the most precise understanding, we recommend listening to the podcast episode.