Space Panda to the Rescue!

Video size:

0:08 Miko Pawlikowski

Hello and welcome to Conf42Cast, the tech podcast from a neighboring galaxy. My name is Miko Pawlikowski. And today with me I have Rotem Refael, director of engineering at ARMO. armosec.io. The makers of the open source Kubernetes tool Kubescape. Rotem, how are you doing today?

0:30 Rotem Refael

Good morning. Here it's morning.

0:32 Miko Pawlikowski

Yeah, it's morning for me too. Even more of a morning, I think I'm a couple of hours behind you 8 am for me on a Sunday. Thank you so much. I heard the traffic was pretty bad this morning.

0:46 Rotem Refael

Yeah, it was horrible. I don't know what happened this morning. Maybe it's just Sunday morning, multiple traffic. But okay, I'm here today.

0:56 Miko Pawlikowski

That's the most important thing. You made it. Well, our conference is space-themed. So hopefully one day all of that will be irrelevant. And the only traffic you're going to have to worry about is on your way to Mars to find a parking spot. So like all the guest of this podcast, I'm going to confuse you first and ask you, if you could go faster than the speed of light, where would you go?

1:23 Rotem Refael

So I would probably visit Mars. As you said before, I will avoid traffic, of course. But anyway, it's like it's super interesting, you know, to visit the galaxy. And like, it's super interesting to visit Mars, just because of the shape and that we don't know as much as you know about this planet. So yeah, probably go there just visit, you know, make some shopping with some aliens.

2:02 Miko Pawlikowski

Some Martian shopping. But a beating the traffic first. That sounds fair enough to me. Do you think they're gonna have Kubernetes on Mars? Are we gonna move on to something else? They must. Okay, fair enough.

2:21 Rotem Refael

They need to deal with tons of traffics when people will arrive there, right. So they have to.

2:27 Miko Pawlikowski

They have to load-balance it. Okay, so for everybody who haven't, hasn't seen Rotem do talks, she speaks about Kubernetes quite a little bit. So maybe a good starting point will be to ask you, as of today, what's the good, the bad and the ugly from where you're sitting and where you work with Kubernetes?

2:56 Rotem Refael

That's a really good question. And I think that let's start with the good stuff, right? Because there are a lot of good stuff. The good stuff is that there is an orchestrator for your application called Kubernetes. And you don't need to mess with any other infrastructure, it's pretty straightforward. Every cloud vendor has their own, like, if you're installing it as a vendor, it's even easier. So your apps can run, replicate themselves. And you don't need to worry as a developer, right? Like, you don't need to worry about load balancing, you don't have to worry about replicate my application. So everything is in place. It's also open source, which I'm a big fan. So it's also very good initiative, I would say. And I think that's the thing that makes Kubernetes like a huge thing, because the developers don't need to work regarding the infrastructure manually. On the other hand. If I'll go to the bad and maybe combine it with the ugly, then just having a cluster running, it's not seamless, right? You need to work for it. And there are issues there in order to bring it all together. Make it its on premise, it's really hard. Like I've managed a couple of those and it was, I would say even horrible. It was really, really hard, not having any cloud provider running it for you and make it all as a DevOps, it was hard. And I would have to say that the the fact that Kubernetes is all by its own out there and there are no such real other competitors that will make it maybe the ugly thing? Because you have just the Kubernetes thing you don't have any other platform you can use. I mean, not a good one, in my opinion.

5:15 Miko Pawlikowski

So a monopoly is a problem here. That's the ugly part you're saying?

5:20 Rotem Refael

Yeah, I do think that, you know, when you have competitors in the market that makes you even better. That makes you think about what they're doing and what I'm doing and how to be better at what I'm doing. And in that case, it's an open source and everyone can contribute. And that's I think, again, that's the good part. That's the best part of it, I think, is that making another application or platform like Kubernetes, not just black, but with security, building things, and some other stuff can make it even better than what's now.

6:02 Miko Pawlikowski

Definitely. You opened some old wounds. In one of my previous lives, I actually run Kubernetes as a service for a large company. And yeah, it was not easy. Just get it to display, you just take the elements of the shelf, and you run them. But from like the security point of view, which I think you know, is probably like one of the most interesting aspects, because the people who are very pro-Kubernetes, will tell you that at least outside of you know, out of the box experience might be better, because at least it's containerized. Maybe we've got some better settings, out of the box. How true is that claim really, from what you're seing?

6:58 Rotem Refael

I mean, if we'll get to the security perspective, then that's really interesting, because I've heard from so many people that, 'Listen, I just moved to Kubernetes. Totally secure, right?' Wrong. People think that's the case. But it's basically not, even worse. I mean, if they're not aware of the security perspective in the cluster, then they're exposed as they can be when running it on VMs. Or in any other platform. So security perspective, you have a lot of issues, of course, you need to operate the R bug and you need to see what exposure to you know, to outside the cluster you have, which network do you have there. There are a lot of things to cover, when it comes to security, that can be covered also, when you're not running Kubernetes, right? You're running on a node on a Linux node, you have to have the SC Linux supply, the hardening things, all those things are still valid when it comes to Kubernetes. It's not like, 'Okay, I'm running on Kubernetes. And it's just the magic thing happened'. Of course, it's magical. I know that. But you still need to pay a lot of attention to security.

8:20 Miko Pawlikowski

Yeah. And in fact, for years, people were running as route inside of the containers, because hey, what could possibly go wrong? So would you say net-net? is Kubernetes a net positive, an improvement? Or is it more of a regression in terms of security?

8:41 Rotem Refael

I do think that it's an improvement when you know what you're doing. I'm operating, for example, the R bug, right. Let's take that, for example. We know who has the permissions, you don't need to manage that yourself in different platforms. You have it internally. But you need to operate it, you need to be aware of what's Kubernetes is and what's the benefits of. So in case you do know that okay, which is not that...

9:14 Miko Pawlikowski

Complicated.

9:15 Rotem Refael

I always say that. Yeah. So in case of you know what you're doing, then, of course, it's, I think it's a big lift. But again, you need to be aware, and you need to take that into consideration. If you're using that, then you're more secure than being with that Kubernetes in my opinion. But again, you need to work on that. And that's the key in my opinion.

9:44 Miko Pawlikowski

Okay. So I don't want to spoiler things too much, but there's gonna be a certain talk called, 'What we've learned from scanning 10,000+ Kubernetes clusters' that Rotem will deliver. I think by the time this airs as it will be already available. Do you want to spill a little bit the beans on what you found there?

10:09 Rotem Refael

Yeah, of course, I will give like a teaser. I would say, when checking all those clusters using Kubescape, like we rank Kubescape on all those clusters. And we've seen that 100%, within that, 100% of clusters have at least one misconfigurations. Which is, I would say, not all of them are critical. There are some medium and low. But I think that it's still under awareness that there are misconfiguration, we are writing our Helm chart where applying some other Helm charts, you know, third parties' Helm charts, and we don't know what's written in there, right? You just wanna run Prometheus, right? You just having some Prometheus and that's it, right? It's so easy, but you don't know what's inside. And you don't know, which aren't many things in which misconfiguration you're entering through clustering that moment exactly. So that's a small, small teaser of my talk, I will talk about which misconfiguration have we discovered and which vulnerabilities have we discovered and how relevant basically those vulnerabilities to your clusters? And that will be interesting.

10:51 Miko Pawlikowski

I'm definitely watching that talk. And you can find it at Conf42.com. Hopefully, we do the timing, right. And this is a true statement. So let's talk a little bit about Kubescape, because you teased that, but for everybody, well, they probably already picked up from the context that they can do some security stuff with it. But can you talk a little bit about the project? I know it's open source. I know. When I went to armosec.io, there was a nice animation, like putting things in red, kind of like an X-ray scanner. But can you talk about how the project came to be and what it's actually focusing on? And how much of a success you're having with people adopting it?

12:29 Rotem Refael

Oh, that's a really nice story. Because I think a year and a half was August. And we saw that NSA just published the, the report of what a secure Kubernetes cluster is, and then we'll check that out. And we said like, oh my god, we have that. I mean, let's just, you know, have a small tool checking that, and let's make it open source, you know, for the community, just a small thing. I mean, we just want to run some information, checking the NSA report for compliance. And then took that out. And I think in one or two weeks, we had like, 1000s of stars on GitHub, and then we knew that we're doing something that people know that is a pain, I mean, the people are asking for. And then we continue and check for compliance on the mitre framework. And also some other frameworks that we created. I mean, like armo bass and DevOps best like, tested that we know that are crucial for your clusters. And, you know, we took it even further, and we're showing you the full Arbic map on a graph and checking whoever has like a domain cluster roles, and wherever it has root access, as we talked before. So it's very, very nice to see how we grew, you know, across this, one and a half year, something like that. And we're also showing for vulnerabilities and, you know, CVE that detected inside the cluster. And like, if I can have another teaser, we're just releasing some kind of a relevancy feature that says, I don't mind about, I have like 10 000s of vulnerabilities, right? It's so many vulnerabilities inside my cluster. I'm not going to check every one of them, right? But the thing is, not all of them are really relevant, because the attacker can attack when something is in the memory. When we're actually using, you won't attack something that is just the side that's have the BusyBox for example, or things like that, that are just you know, with the container, and we're not using it at all. So everything that is in the memory, we are really checking if this image is relevant. And if this package is relevant, and then we're saying to you, 'Hey, listen, you have 10,000 CVS, but only, like 50 of them are really, really relevant and can have like, a solid ground for the attacker. And that's something that I think will change the market, in my opinion, and it's coming really, really soon.

15:32 Miko Pawlikowski

And is that a free feature too? Or I guess the question is, you obviously have to pay yourself salaries from that. So I'm wondering which bits do you get from just the open source version? And which bits do you pay for?

15:50 Rotem Refael

So we're not doing it as a paid feature. We're just, you know, the open source is an open source at all. The pricing model is, you know, it depends on how many worker nodes you have. Up to 10 working nodes, it's free of charge, you can use the armo platform, the UI, everything, you know, that's for sure. After 10 working nodes, we have a pricing model that it's very fair, and working like that in the market. So that's I mean, the pricing model that we're up for, and again, it's free, send 10 working notes, then you can go ahead. I'm sure that most of us, you know, is people that are trying our Kubernetes cluster and don't have 10 working nodes at home in their laptop. That makes it great, and everyone can use it.

16:46 Miko Pawlikowski

Definitely. I'm curious if you maybe can give me like a short version. If you go to a managed Kubernetes offering, you go to Amazon or Google's and you just get the default cluster, how secure would it be, according to Kubescape? How happy with Kubescape be out of the box?

17:08 Rotem Refael

Well, we've checked that as well. It's pretty much secure unless you're trying to have some other application inside of it. I mean, they are operating the arbor, you know, as default as far as I know. But there are misconfiguration that relates to the cluster itself. Not like in high priority, they are pretty much low. But I would say that if you're getting some cluster from a managed service without anything on it, I mean, no application on it, you didn't apply anything on it. It's like, I would say it's very low risk. But we do find, I can say that we do found some Arbic violation. For example, I think six months ago, we opened a ticket for Google, they fixed it in the next version. It's really great, you know, but that's the thing that you can just see that visualizing. So, you know, that's easy to check.

18:20 Miko Pawlikowski

Speaking of easy to check, how does one get started? Do they install a random chart from the internet?

18:32 Rotem Refael

No, well, I mean, in order to install Kubescape, we do have a Helm chart, which is super easy to install. And then it's making the first scan I think, in one or one and a half minutes, you do have already data of misconfiguration and from abilities and also the arbitrary. So you know, just install the Helm chart, of course, all the codes are running and then it's it's in the UI, can sit in the UI. And also you can just run it as a curl. But I recommend to run it as a Helm chart. So you can see the visualizing in the UI and everything, it will be easier. And you know, all of us like UI.

19:16 Miko Pawlikowski

Oh, we do. We love UIs. Okay, fantastic. So I'm guessing they go to armosec.io and click the Kubescape button or maybe a look for Kubescape on GitHub directly. I see 8+ K stars, which should be enough to get people to trust it initially. One of the things that I just can't help myself but what's up with the space panda on the armo website?

19:51 Rotem Refael

This panda has a long way. When we created Kubescape then with that about have, you know, nice, I would say, nice marketing animal. Because animals are what people like. I like pandas, I like animals. And make it as a tool. Really, I would say, cute in some in some way. But it's not something that we said like, yeah, Kubescape. There is Panda underneath it. So we thought it was really nice to bond those together. And that's what we did. And then we took it really forward then make it space panda. And we will have a new design of a panda in the next Kubecon. So we have like a guard panda. And we had like an angry Panda, early stage and we're just, you know, playing around with this panda and it's really cute.

21:01 Miko Pawlikowski

We can all agree that pandas are objectively cute. But I do have the scene in my mind now where you are in a white room, and you wrote down some animals, and then you like no, panda. Panda it is, it's way too cute. So I'm guessing. I guess that's what must have happened.

21:21 Rotem Refael

They combined security with something cute, because you know, security sounds to people like rough thing, right? Like very hard. And it's so stressful. So let's make it a bit calmer. You will see your insight. And that's it. You'll see the nice panda around that.

21:43 Miko Pawlikowski

You sold me on that. Yeah, panda makes it definitely softer. And cuter. That explains everything. But tell me a bit more about ARMO in general. How did you end up working there? I think you mentioned a year and a half ago is that when the company started?

22:05 Rotem Refael

Well, we started a company a few years ago, we were into the were stealing to also the runtime security. That's how we're doing also the relevancy thing. I got to ARMO about one year and a half, approximately. I worked experience at my previous company, what I did there is basically make the transition all the applications there from running on VMs to Kubernetes. Now a newer Kubernetes is a need to convince people to us that. It was very, like it was fascinating to do that. And that's why I'm also here in ARMO because I'm so into detail. And when they told me you know, come join this startup, we'll make like great things together. And you know, I have two passions, you know, security, cybersecurity and Kubernetes in general and DevOps. Just combining those two together. I couldn't say no. So that's where I am. And yeah, I'm like, I'm really thrilled to be here. It's a great company to work at. People here are great, and they are very much familiar with Kubernetes, they are very professional. All the developers and all the people here are very, very professional.

23:32 Miko Pawlikowski

That's a good testimony. I'll make sure to send them the episode. How big are you?

23:42 Rotem Refael

Please, I love them.

23:43 Miko Pawlikowski

How many people?

23:51 Rotem Refael

Currently at ARMO we're around 45 people, something like that, still a small company.

24:01 Miko Pawlikowski

So for everybody who wants to learn more again. That's armosec.io Where else should they get their news from or should they follow?

24:16 Rotem Refael

Exactly, so you can also follow us on Twitter, you can also follow us on LinkedIn, just enter to Kubescape GitHub page and also get things from there. That's the main platforms that we are on, but going to armosec.io

24:41 Miko Pawlikowski

And for you personally Rotem, how do people follow your adventures? Twitter? LinkedIn?

24:52 Rotem Refael

Yeah, Twitter@Rotem_Refael27. And LinkedIn just find me. So I'm mostly there LinkedIn and Twitter.

25:05 Miko Pawlikowski

Perfect. And to close this off, I usually ask people a single question, but I'm actually gonna give you a choice of two questions. So your option A is, what's the skill or technology or language or tool, or something that you would focus on, or watch out for in 2023. Or option B would be if you were to choose one thing that you did for your career that you think, provided you with the most value, like a single item that you can think of that you did, it could be anything from learning something to buying a tool to reading a book, what would you choose? Option A or Option B? Oh, there we go.

26:02 Rotem Refael

I can answer both. But let's start with Option A and B, because it's, I can have it like that. Um, well, I was a developer for a lot of years.

26:16 Miko Pawlikowski

So sorry.

26:17 Rotem Refael

I developed Java, develop it develop in C Sharp and like some UI stuff. And then I got the option to move to a DevOps team, like infrastructure team, and I thought about it a lot. And, you know, it was like, what should I do with my career? Going that path or going that path, like, continue developing whatever I know, or start something fresh new, I was already 10 years in the industry, and it's really frightening, you know, to make that kind of a change. But I did, I did made it you know, and making that change make me who I am today. And you know, why I have to say is don't afraid of changes, right? It's really frightening at the beginning, but eventually, it can give you a lot more than you already know, and give you some more value. And it will, you know, you will get interesting life. And if not, they can always come back. So that's what I said. And that's what I'm always thinking about myself in my, you know, in my career, what have I done wrong? And what have I done right? I think that one, right. I won't get now the things I've got wrong. But that's yeah, that's my two cents.

27:41 Miko Pawlikowski

Really sorry about C sharp. What's the other? What's the answer to the other question?

27:53 Rotem Refael

15 years ago.

27:54 Miko Pawlikowski

Okay, perfect. And what's the answer to the other question?

28:06 Rotem Refael

Well, I do think that we need to pay attention of the AI, right. Everything's going on with the GPT and how we can embrace this technology to infrastructure. I mean, I don't think we're there yet. But I do think that if we need to take a take for 2024, then I think that GPT and AI combined with infrastructure...

28:38 Miko Pawlikowski

It's hard to miss, my Twitter feed at this stage is basically Chat GPT mixed up with GPT4. It seems to be everywhere.

28:54 Rotem Refael

Yeah, I think that the key will be that, you know, making tools based on GPT4. You do have TerraForm. And you do have automation tools to have like a whole environment. But just think about writing. Please run a Kubernetes cluster with this soundtrack, this soundtrack and that soudtrack running on AWS. And then you have like, a full sandbox running.

29:28 Miko Pawlikowski

So what you're saying is that instead of running Kubescape, you will be asking GPT, 'Hey, how bad is my cluster?' It will tell you instead.

29:44 Rotem Refael

Well, actually, we made something in our platform, we did embedded like the ChatGPT in in Kubescape in the UI so you can make your own tests like you can run in free language, please tell me if I have root access in my cluster. And then he will write it in rego which is the language that we are using, you know, for testing. And you can just run it on your cluster. And that's it. So we're getting there. That's just one and that one, we did like with the hackathon and something really nice here in there in the company in this one day. So I think that if we will have some more, not just here in Kubescape, right, like, all around if people will take the GPT and AI in general and combine it with automation for automation things. And that will change, I think, whatever we're doing today.

30:54 Miko Pawlikowski

That will be a scary day. Scary, but exciting. Alright. Fantastic. Okay. Rotem, it's been an absolute treat to have you on the podcast. Thank you so much for coming. I'm definitely going to try out Kubescape and I think a lot of people should too. If not for anything else, they should go and check out the panda. I'm currently looking at it. It has a helmet. It's on some kind of planet and it's planting a flag. And it's absolutely maximum cuteness in there. Thank you so much for coming. And for everybody else, once again, armosec.io. I think it was rotem_refael27 on Twitter. Thank you and see you next time.