Kubernetes’s explosive growth has come with attention paid to security and stability


You may have noticed I write a lot about Kubernetes, the open-source container orchestration program sponsored by the Cloud Native Computing Foundation (CNCF). That’s because I have no choice in the matter. Just as Docker turned containers into the way to run server applications, Kubernetes quickly overcame its rivals and became the way to manage containers.

Practically everyone has now invested in Kubernetes. Blink twice, and another major company announces that it too is jumping on the Kubernetes bandwagon. As I write this, VMware has committed its container future to Kubernetes.

Now, the CNCF has put together the first State of Kubernetes report and it shows just how big a deal Kubernetes has become. For example:

  • The number of actively contributing companies is up over 2,000%, from 15 companies before Kubernetes joined CNCF to 315 companies contributing to the project today.
  • The number of individual contributors is up more than 7x since Kubernetes joined CNCF, from 400 contributors to over 3,000.
  • Code contributions are spread across more and more companies. Google and Red Hat contributed 83% of Kubernetes code before the project joined CNCF. Today, Google and Red Hat contribute only 35% of the code, even though the number of contributions they make continues to increase.
  • Project velocity continues to increase (measured by number of authors, number of pull requests and issues, and number of code commits), cementing Kubernetes’ position as one of the top three fastest-growing open-source software projects in history.

That’s all good news, but it also shows one worrying trend: it is really, really hard to keep up with Kubernetes. Yes, it’s great that it’s getting better by the day, but with constant change comes constant relearning and upgrades.

So it is that even Kubernetes experts turn to commercial distributions for production. Sure, you can do it yourself, but it’s a full-time job. You need to ask yourself: “Does your company want to pay you to master Kubernetes or to get Kubernetes up and running in production?” I know the way most CEOs would answer that question!

Kubernetes’ rapid rate of evolution also means that keeping the program stable and secure is a real concern. Fortunately, the CNCF recognises this.

To deal with stability, CNCF is funding conformance test development, so that a feature behaves the same way across every distribution that passes the tests. The Kubernetes SIG-Architecture also requires new Kubernetes features to have conformance tests before they become part of the stable API. To determine which Kubernetes APIs are used the most but lack conformance tests, CNCF-funded contractors have also developed APISnoop to capture API usage data. APISnoop data is then used to prioritize conformance test development.

To better secure Kubernetes, CNCF conducted a third-party Kubernetes security audit. You won’t be surprised to learn that the security study found “configuration and deployment of Kubernetes to be non-trivial, with certain components having confusing default settings, missing operational controls, and implicitly designed security controls.” And, oh yes, “the state of the Kubernetes codebase has significant room for improvement.”

The silver lining here is that unlike so many software projects, especially ones that are growing by leaps and bounds, the Kubernetes crew actually has the time to stabilize and secure the program. Many others, as we know to our regret, only patch such issues after they’ve blown up in production’s face.

So, even with Kubernetes’ explosive growth, it should work out well for you… once you have it properly deployed of course. Good luck!
