About the Guests
Jason McGee is an IBM Fellow and the VP and CTO of IBM Cloud Platform where he is responsible for IBM Cloud foundational developer services, including containers.
Brian Douglas: Welcome to another installment of JAMstack Radio. On the line I've got Jason McGee from IBM. Hey, Jason.
Jason McGee: Hey, how are you?
Brian: Good. You are an IBM Fellow, VP/CTO of the IBM Cloud Platform. That's a mouthful.
Jason: It is.
Brian: Do you want to explain what those acronyms mean, and also what you do at IBM?
Jason: Sure. Let's start with what I do. I'm the technical lead for platform as a service space on our public cloud. I do all things Kubernetes, serverless, and application platform for IBM. I'm an IBM Fellow, which is the most senior technical rank within IBM.
Brian: Nice. I recently learned what IBM Fellow, the term "Fellow," is. I don't know who it was and what article it was but Microsoft specifically, for whatever reasons why I would know that, they have Fellows that, as they absorb companies they come out and they get-- It's higher than Principal, is that correct?
Jason: Every company has a different thing, but Fellows are usually on the technical side and they're usually the top of the pile on technical leadership within the companies. IBM has had the Fellow program since 1963 or something, so we've been doing it for a while.
Brian: Awesome. I know we talked earlier, as we were preparing for the podcast, that you've been at IBM for a good amount of years. How did you navigate yourself in the serverless computing space? Because I know that wasn't a thing 20 years ago.
Jason: Yeah, sure. I started my career in IBM 20-ish years ago in the app server space. I was the technical lead and chief architect for WebSphere app server, which was a Java application server platform. I did that for half my career, and then I have always been the guy doing the new startup technologies within IBM's software business.
I did convert systems for a while, I did virtualization in the app server space. Over the last four years I've been in cloud, and specifically containers and container-related technologies.
You can always help us blaze a course on new ways that people build apps.
Brian: Serverless and containerization and everything, that's definitely a pretty hot buzzword as of now, within the last couple years. It is definitely a space that a lot of people want to be in. I actually had you come on to talk about specifically the Knative project, and how that project correlates in space. What is that project?
Jason: Sure. The Knative project is a pretty new thing. The simple way to think about it is it's building blocks to help us do serverless and applications on top of Kubernetes. If we zoom out for a second, what I think is happening in the industry is we're all working together to build a new platform for application development. 20 years ago we were doing app servers, either in Java or .NET, and that was the main way people were building new server-side applications.
In the cloud era that's happening around containers, and over the last few years we've all agreed on a few layers. We all agreed on Docker and containers as a way to package software. We've all agreed on Kubernetes as the way to manage a whole bunch of containers, and keep them up and running, and scale them. With the Istio project, we're starting to all agree on how container applications talk to each other over the network, and how we can control that.
The next layer that needed some focus was, "All right. What about serverless? What about Twelve-Factor applications? How do we bring that all together?" Because those were container-based things, but they weren't sitting on top of the same stack. So the idea with the Knative project was, "Put in place some building blocks we can all agree on to help us build those kinds of apps on top of Kubernetes."
Brian: OK, so is Knative a better way to get started? Is that the approach we're trying to accomplish with the project?
Jason: I think of it as a way to teach Kubernetes how to handle these different kinds of applications. Serverless apps look a little bit different than a traditional container app, they might not be running at all until you send in an event. They have to start very quickly and scale in a different way. My view on it is, if you look at how real apps will get built, there'll be a blip. You'll build some of the application in containers, you'll build some of it in serverless.
You're going to mix these technologies together and today that's hard, because a serverless platform and Kubernetes are completely different from each other.
With Knative, we can bring them together. We can stack them on top of each other and we can do that in a way that's common, so that as a developer you don't have to pick a proprietary serverless platform that only works in some places. Knative will let us do that in a common way.
Brian: Interesting. I read a couple of the articles before our conversations so I could get up to speed on the actual project. When you mentioned it can work with other platforms for serverless, so we're not stuck with OpenWhisk or Google Cloud functions, or something like that. You can plug and play different solutions into this project?
Jason: That's where it will enable us to go, yes. That's part of the goal. If you look at serverless platforms today, the big ones, the ones that are coming out of the cloud providers. So Lambda, Google Cloud functions, IBM Cloud functions which is based on OpenWhisk, they're all essentially proprietary, in the sense that they were developed on those platforms and then we work on those platforms.
The one exception is OpenWhisk which we created at IBM, and then open sourced and have RedHat and some others working with us on. With Knative, what will happen is we can start to make those things more common. Look at how you build the code and how you register a function and an event, and how you trigger execution and do those in a common way. That will allow those serverless frameworks to be more consistent with each other.
Brian: OK. Some more features that I wanted to touch on too, is there involvement with other companies as well? I saw Google's name dropped in a lot of the information and blogs posted out there. Are you guys in partnership with any other companies to make sure that these things collaborate with each other?
Jason: For the Knative project in particular?
Brian: In particular with Knative, yes.
Jason: Yes. Google's part of it, IBM obviously, RedHat's involved, Pivotal is involved. There's others that are looking in the background and are working on getting there. There's a pretty diverse consortium of people who have already said, "Let's go work together on this." It's early, it's an early project but we're already seeing a lot of people rally around that platform. It's been interesting to watch that in general, the cloud-native open-source space.
There's a lot of common view on how to move forward with that. A lot of these projects, Istio is another great example where Google and IBM founded that project and then we launched it, and we had five or six more big players on launch day and tons of adoption right away.
People are collaborating very quickly together in this space.
Brian: It sounds like Knative, if I can plug two different architectures together, which is serverless and containers, and have an idea what I'm supposed to be doing with it. It makes it a lot easier to have more people adopt technologies.
Jason: I agree. If you look at Kubernetes in particular, it's an incredibly powerful platform. One of the criticisms with Kubernetes is that it's got a big learning curve. There's a lot of concepts. Part of what Knative is also helping do is say, "All right. For certain kinds of applications like serverless apps, like Twelve-Factor applications. How do we give a simple adoption of that platform?" If you look within Knative there's three big subprojects today inside of Knative, they're called Build, Serving and Eventing. Build is, "How do I go from source code to an image? To a container image automatically?"
As the developer it's like, "Here's my code. Turn it into a container for me. I don't want to know how to do that." That's what the Build project is standardizing. Serving is like, "I have an application, I have a URL I want to put it on. I'm going to make changes to it. Run this for me." Then Eventing is, especially in the serverless space, "How do we agree on what the format of an event is, and how do we trigger events? So we can wire service applications together?" It's trying to provide another layer that simplifies how you use these technologies.
Brian: Nice. So, if I was myself, naive into this whole serverless space, and container space. What's a good way to get started if I don't have the experience of-- I don't have the experience of Kubernetes yet. How would you recommend me approach Knative in this cloud native space, as a new intro into serverless computing and stuff like that?
Jason: Sure. The best way to learn something is to go do it, right?
One of the great things about the era we're in right now with cloud is you can go try things without having to be an expert in them.
The easiest way to get started, whether it's with Knative or Kubernetes directly, is go pick a platform that you like and try it out on that platform. You can get Kubernetes environment without knowing how to install and run Kubernetes.
Obviously I work at IBM, so on IBM Cloud we have a managed Kubernetes service. In a few minutes you can click a button and get Kub and have that environment to play with. With Knative, go to the GitHub project and you should be able to follow some simple instructions on how to get going with samples to really understand the concepts. It's pretty straightforward to learn, at least, what these things are doing.
Brian: The next step after you've gone through that process of sourcing the documentation at the GitHub project, are there any common "hello world" apps that you've seen since the launch? Or, even while developing Knative as a platform?
Jason: For Knative itself, there are definitely a bunch of samples as part of the project that are trying to demonstrate how to exploit different capabilities. The challenge, at least right now with Knative, is it's a little bit of a plumbing project if you know what I mean.
It's building blocks that would be used to build other things more than I think it is a direct piece of technology you would use as an end user.
That may change over time, the project may have more involvement and experience. For example at IBM we have OpenWhisk as our functions platform, and you can go there now and you can play with Serverless. You don't have to know anything about how it runs behind the scenes, but over time what works is, "How do we use Knative as part of the stack underneath Whisk? OpenWhisk?"
So as the developer you can use the more standard artifacts for interacting with OpenWhisk that would be common across other projects. For Knative, you can go play. If you really just want to understand how the project works, it's easy to go do that. But it isn't maybe the first place you would start in the Cloud Native space.
Brian: I want to sidestep and zoom out a little bit, because it's not every podcast that I get such a high level engineer/VP on my podcast, and you also have the experience. I'm curious of what's your opinion of the space and how it's grown so far, and where do you think it's going to go next as far as Cloud Native?
I think now people are starting to get Docker and they're starting to get, like the last company I worked for, they just announced they got Kubernetes working as part of the deployment structure. What do you think is next? How is Knative going to champion the next thing?
Jason: Sure. It's been really tremendous to watch the growth of the space, and one of the big challenges for somebody like me who's deeply engaged everyday in building these technologies and delivering them, is keeping your finger on the pulse of where real users are in adopting the technologies.
You assume people are much farther along than they are. But I do feel like almost everyone I talk to, whether it's startups or our huge enterprise companies, they're doing containers today, most of them are doing some form of Kubernetes today, they've at least all decided on Kubernetes.
For Kubernetes itself, the next couple of years is going to be a massive tidal wave of adoption of that technology stack. What's been interesting is, we talk about that a lot as cloud native which is sometimes code for building new applications, and there'll be a lot of that, for sure. But Kubernetes and containers is also interesting for Google because they can take existing applications and re host them in a better way on a more modern platform.
When you look at something like serverless, there's a lot of use cases where serverless is a really interesting way to build an app.
But companies are trying to figure out, "How do I do that in the diverse environments that I'm in?" Most big companies, they use more than one public cloud, they have some stuff in their data center and in public cloud. So they're like, "How do I use serverless when it's different everywhere?" Knative will influence that, and will help accelerate the adoption more broadly of serverless across the industry, because it will help make it more consistent across the industry.
Brian: Which is great to hear too, because again I had another firsthand experience of, I'll just say it. We got free AWS credits to run certain projects, and we locked ourselves into that infrastructure. Then we had another project that we got free Google Cloud credits, so then we locked ourselves in that infrastructure where those two projects could never talk to each other.
I hear that a lot too, because I'm sitting here in Heavybit and we've got lots of new companies up and starting in there. No one's building their own servers, everybody's paying with their free accounts to get started. So it's powerful to get people locked in earlier on, but it's also way more powerful to be able to say, "Here's a platform you could potentially have those two projects talk to each other, or even if you wanted to switch you could. It's not going to take six months of prep and then downtime of shipping features."
Jason: I think that, and it depends which part of the industry you're talking about, certainly in the higher end, larger companies part of the industry, those kinds of concerns are real. It's been one of the things holding people back on cloud: "I need the flexibility to have apps talk to each other and to move things around." That's for venture people. It's part of the reason why containers and Kubernetes in particular is so powerful.
As you said in the beginning, I have been in the industry a long time. It's the first time in the 20-plus years that I've been in this industry that a single technology platform has been supported by literally everybody. Every public cloud, every private cloud software stack, every virtualization stack, every operating system. That's never happened. As an end user you now have a way to build a container based app and run it anywhere you want, with relatively low cost to switch.
I want the same thing to happen in serverless. For serverless to become a mainstream thing, you need the same characteristic, and that's part of why IBM decided to participate in the Knative project. To help make that real. Our whole strategy is built on top of open source, so we spend a lot of time on fostering these projects.
Brian: Awesome. Speaking of open source, is the Knative project-- obviously we can look at the GitHub project, but how much of that is open source? Can the listeners start picking around and piece together how it works?
Jason: It's all open source. There's no private code branch anywhere, since we've launched. You can go to GitHub, go to the Knative project, you can start playing around or you can contribute. There's some pretty good documentation already out there on how to get Knative installed and running on the Kubernetes platform of your choice, and there's a whole bunch of samples out there. Absolutely, you can get started.
Brian: Awesome. That sounds enticing. Hopefully listeners will give it a look and see if it works for them. Or if not if it doesn't, see if you can contribute back and make it work for you as well as everybody else. There's one more thing I didn't touch on, I discovered there's a Cloud Native Computing Foundation. Is that something you're a part of, or IBM is a part of, and what is that?
Jason: Absolutely. We are absolutely part of the Cloud Native Computing Foundation. In fact, the executive committee chairman is an IBM employee. The Cloud Native Computing Foundation is a governance body for governing the collection of technologies that are happening in the Cloud Native space. One of the maybe less visible parts of open source is, "How do you actually have a governance model around open source that allows everybody to contribute fairly?"
Lots of technologies that are open source are not openly governed.
In the container space for example, everyone is using Docker. Docker was open source, but Docker was run by the Docker company. We worked with Docker, and Google and RedHat and a bunch of other people and we created some of these foundations. The Cloud Native Computing Foundation now is crazy lane, there is so much activity there.
They're going to have their US conference in December, it's probably going to be 7,000 people. Kubernetes is obviously there, containerd is there, all the big projects that make up this modern stack I talked about are being governed out of CNCF. It's a pretty important space, it's the place to watch for where the key technologies that we're all going to build our apps on going forward.
Brian: I'll definitely keep an eye on that foundation. I am intrigued about the space. I'm not as heavily involved, again my experience is mainly Docker. I haven't gotten the orchestration side of it because it hasn't been my day to day job, but I definitely encourage listeners to keep an eye on the foundation, keep an eye on what's going to be shipped. Is there a Pinnacle conference for Cloud Native as well?
Jason: Yes. That conference I mentioned in December, it's called CloudNativeCon or KubeCon. It's the same conference. It's in December in Seattle this year. They have it in the US and Europe and in Asia every year, and it's the Pinnacle place to go to learn about this.
If someone's new to the space, one of the things I would encourage them to do is go to the CNCF website. They have this thing called the CNCF landscape, which is a view of all of the products and technologies in the space and how they relate to each other. I've never seen a picture of many logos on it in my life, but it's a pretty good overview of all the activity that's going on and all the problems that are being solved for people around app development.
Brian: Awesome. Jason, I appreciate your time. I do want to transition us to picks. Listeners, and Jason. These are JAM picks, these are picks that keep us going. Perhaps a song you listen to while programming or exercising in the morning, or maybe some sort of ritual you do while cutting fish, or even a technology that you found interesting. If you don't mind, I'll go first. My first pick is going to be coming up.
My next pick is the last few episodes I mentioned I'd had some paternity leave, had a new child come into the family and join us, and now we're doing man-to-man coverage. With that I spend a lot of time with my preschooler and I rediscovered Pokemon and Pokemon Go.
A lot of people probably played Pokemon Go about 2 years ago, for the week it was popular, including myself. For whatever reason because of preschool my son was telling me all about Pokemon. I was like, "I know that."
So we went to the library, got books to learn about Pokemon. Then I remembered there was a game that everybody liked, so I've gotten knee-deep into Pokemon in Pokemon Go and I've been collecting Pokemon without my son. I do admit, I am a level 25 trainer. If anybody plays, you know what that means.
Jason: Are you cheating, or playing for real?
Brian: I'm playing for real. I live in Oakland and I live on a pretty popular street, there's a lot of pokestops and lot of gyms that are highly competitive. I also live down the street from UC Berkeley, too, so we do get a lot of college students that come down my way that I have to battle in gyms. It's brutal, but I'm winning.
Jason: That sounds time consuming, I don't know.
Brian: I had about seven weeks off. Three weeks in, we figured out how to get the sleeping patterns working and the whole breastfeeding thing. Then I spent a lot of time just hanging out with my son. I'm like, "Do you want to walk to the park and go fight at a Pokemon gym? Or play at the playground?"
Jason: That's cool.
Brian: That's my life for the past four weeks, it's been Pokemon Go.
Jason: Awesome. It's a good way to burn the time when you just have to keep walking around to keep someone entertained.
Brian: Exactly. So that's it for my picks. Jason, do you have any picks that are keeping you going?
Jason: It's completely random and off topic, but my little side project lately has been 3D printing.
I've been getting into 3D printing with my son. So my pick right now is the Creality CR-10 3D printer. It's a low cost, awesome, home 3D printer. That's a pretty cool device. Pretty amazing. Another great example of the power of open source. It's all open source firmware. Pretty cool space.
Brian: That's awesome. Jason, I appreciate your time.
Thanks again for coming on. Listeners, keep spreading the jam.