#47 April 3, 2019

Tekton, with Kim Lewandowski

Hosts: Craig Box, Adam Glick

Tekton brings Kubernetes-style resources for declaring CI/CD-style pipelines. Kim Lewandowski is the Google Cloud product manager who recently announced it. She talks to Adam about the project while Craig sneaks in some vacation at the cafes of New Zealand.

Do you have something cool to share? Some questions? Let us know:

Chatter of the week

News of the week

ADAM GLICK: Hi, and welcome to the Kubernetes Podcast from Google. I'm Adam Glick.

CRAIG BOX: And I'm Craig Box.


Last week, I said that there's a beautiful cafe in every small town in New Zealand. And the small town of question this week is Cable Bay, which is just north of Nelson, and we had a very lovely lunch at the Cable Bay Cafe. We'll probably put a couple of pictures in the show notes for those who are interested. You have the very New Zealand rural aspect of a bull just hanging out in the paddock over the road and an honesty box for honey. If you wanted honey, I'm sorry, it's probably hard for me to bring back to America in my luggage, but it would have been a nice thought.

ADAM GLICK: Been to any great meet-ups recently?

CRAIG BOX: I was the invited guest at the Kubernetes Auckland meet-up last week. I invited myself because I was speaking at the DevOps Talks Conference earlier that week, and I came along and said, I had a great chat here last year, I'd love to come and talk to you about Knative. And I chatted with the audience there. I must say, I did a very risky thing. I'm pretty sure you told me not to do this. But I asked the audience, how many of you listen to the podcast, and I was very pleasantly surprised by the number of hands that went up. So there were a number of stickers given away.

Thank you very much to everyone who came. I'd like to think that everyone there who didn't put their hand up is now a subscriber, and we'll see you all next time.

ADAM GLICK: That sounds great. I've not gotten a chance to get out as much, but had a chance to actually start enjoying a read this week. I am most of the way through at this point-- a Dan Brown novel following in the footsteps of "The Da Vinci Code," which I also enjoyed, a more recent book called "Origins." And true to form, it sucked my interest.

CRAIG BOX: How is renowned author Dan Brown these days?

ADAM GLICK: Well, I can't speak for him personally, but his writing certainly is engaging.

CRAIG BOX: Yes, I remember buying "The Da Vinci Code" in an airport, and I think that's where he fits in my literary filing system. He's definitely an airport kind of guy.

ADAM GLICK: Yeah. If you've got something you need to pass some time, it's a catchy story. He writes it well.


CRAIG BOX: We're getting ready for our live show at Google Cloud Next with our special guest, Professor Eric Brewer. It's now only one week away. For our listeners, we'll have a regular episode next Tuesday. The live show will be recorded on Wednesday, and you'll get to hear it the regular time the week afterwards. If you are lucky enough to be going to Next in person, there's a link in the show notes to register for the live show. Please make sure to sign up to make sure you get a space. You'll be able to walk up on the day if the room isn't full, but with a wonderful speaker and fantastic hosts, we wouldn't want anyone to be disappointed.

ADAM GLICK: Last week, we announced we had a small number of Next tickets to give away. We had such a great response and so many of you had written back that we went back to the Next team and managed to get another 10 codes. Congratulations to our lucky winners. You'll get an email from us in the next day or so. We'll also be recording a bunch of interviews at Next. So if you're going to be there and you work on something you think might be interesting to our listeners, please email us at KubernetesPodcast@Google.com to let us know.

CRAIG BOX: Let's get to the news.


After almost three years and 35 releases, Minikube, the VM service for running Kubernetes locally or in CI environments, has hit 1.0. The project has been stable for some time and decided to rev the version number after dependencies CRI-O and kubeadm were similarly stable. If you want to learn more about Minikube, listen to our interview with maintainer emeritus, Dan Lorenc in Episode 39. To celebrate this release, Ihor Dvoretskyi, developer advocate for the CNCF and guest on show 21, has started a series of articles on deployment options for Kubernetes on Linux, with Minikube as his first suggestion.

ADAM GLICK: Uber have open-sourced Peloton, the cluster management system they announced in November. Peloton is currently used in production at Uber for many kinds of batch workloads, and they're planning to migrate stateless services to it as well. The Uber team has been teasing Kubernetes integration and say they are working with the project on what integration would look like.

CRAIG BOX: The first service mesh day was held by Tetrate in San Francisco last week. So we bring you plenty of service mesh news.

Payments company Square wrote a blog post this week outlining the journey to adopting Envoy. They started down a Google-like route, building their own gRPC, a like framework called Sake, before gRPC was released. Looking to how they could move logic out of this framework and into a sidecar model, the gRPC support and Envoy bought them an option and a reason to migrate. And they built a control plane based on the Zookeeper service discovery system.

The migration will continue through 2019 and the story is worth reading if you have an interest in how service mesh technology works. Do be careful, though, because at service mesh day, they said that they gave app developers the ability to manage traffic flow, and one of them accidentally took down their internal SSO portal.

ADAM GLICK: AWS App Mesh, their proprietary Envoy-based service mesh, went GA last week. No new features were announced, though, an API change was made earlier this month to simplify the virtual router and listening model. Support for the Istio Mixer is now listed as upcoming.

CRAIG BOX: Tetrate, host of service mesh day, announced Tetrate Q, a new take on access control for modern infrastructure. It's based on the next generation access control model and encompasses the global state of a system, services, data, and users. Q draws information from the service registry and existing identity management systems to tell a service mesh whether a particular user should have access to a particular object at a particular time. All that said, there's not yet enough information to really narrow down what it does or where it plugs in. So we'll let you know as we learn more. No word on if John de Lancie will be making an appearance.

ADAM GLICK: Google Cloud continues its Istio blog series with a fifth article, this one written by developer programs engineer, Megan O'Keefe. In this posting, Megan talks about building a hybrid service mesh across two clusters in the same environment-- think dev test in production-- or two measures across two clusters in different environments-- think hybrid from on-prem to the cloud. She also covers adding VMs to the service mesh. The series is supported with code demos as well to help you build a similar environment or just to test it out, helping bring everyone closer to the hybrid deployments of the future.

CRAIG BOX: Speaking of hybrids, the OpenTracing and OpenCensus projects this week announced their intention to merge. The two projects are very similar in that they aim to unify app instrumentation and make observability a built in feature in every modern application, OpenTracing through distributed tracing and OpenCensus through metrics. A team formed of members of both projects has been looking at the technical viability of a merger for some time, and the change will be done in a fashion that is not disruptive to people using either project. It does mean that the number of CNCF projects will take a rare downward turn and the combined project is already looking for a new Greek name.

ADAM GLICK: We now return to your regularly scheduled Kubernetes security announcement. Two vulnerabilities this week, a directory traversal in the cube control CP command rated as high and in the port map plug-in for the container network interface rated medium. Look to upgrade if you use either feature, or make sure that your vendor is keeping you secure.

CRAIG BOX: The Deis acquisition continues to be the open source innovation hub for Microsoft, with Azure announcing Brigade 1.0 from that team. A CNCF sandbox project that is described as a tool for running scriptable automated tasks in the cloud as part of your Kubernetes cluster, Brigade gives you a way to use JavaScript to string together multiple steps in a similar fashion to AWS Step Functions, but running in Kubernetes and open source.

ADAM GLICK: Yongkun Gui from Google posted a blog this week on debugging kube-proxy. He recently dug into kube-proxy after seeing some intermittent connection resets, and his blog dives into what he learned. It explains one particular problem, but this post really shines in helping you understand how kube-proxy works generally.

CRAIG BOX: Interested to know more about the 1.14 Kubernetes released from last week? Members of the 1.14 release team are running a webinar on April the 23rd, 10:00 AM Pacific time to talk about the major new features. You can find the registration link in the show notes.

ADAM GLICK: Curious to know more about being a community ambassador? Couldn't get your fill of Paris Pittman from show number one? You're in luck. The CNCF has published an interview with Paris, along with an accompanying video. You can hear more about how Paris got involved in Kubernetes and her thoughts on where the community is going.

CRAIG BOX: Finally, are you looking to scale to a Kubernetes deployment and want to learn from those who have done it at a massive scale? Reda Benazir, CNCF ambassador and VP of engineering at Streamroot, has posted a blog with key tips on how to do massive scale with Kubernetes. He offers four main tips for being successful with your scaling, and these could help you be prepared for the future.

ADAM GLICK: And that's the news.


Kim Lewandowski is a product manager for Google Cloud, working on the Tekton project. Welcome to the show, Kim.

KIM LEWANDOWSKI: Thank you, Adam.

ADAM GLICK: Congratulations on the recent release. For those that are listening, can you help them understand, what is Tekton?

KIM LEWANDOWSKI: Tekton is a new open source project from Google that we recently announced at Open Source Leadership Summit a few weeks ago. So the name Tekton was inspired by a Greek word, tekton-- I'm not quite sure how to pronounce it-- which means artisan or craftsman, or so I'm told. So we also, of course, like the name because there's a K in it, and everything Kubernetes related needs a K, including my name.


KIM LEWANDOWSKI: So going back to what it is. So Tekton is a set of building blocks for building continuous integration and continuous delivery systems. You commonly hear the acronym CI/CD for this space. So Tekton itself runs on Kubernetes, but it will deploy code anywhere, whether that is Kubernetes itself, bare metal, IoT devices, mobile, et cetera.

ADAM GLICK: Is it an application?

KIM LEWANDOWSKI: It's really a platform. The idea being it's a lower level platform in which more applications and layers will be built on top of it.

ADAM GLICK: Gotcha. I've heard people talk about a relationship between Tekton and the Knative project. Can you talk about how those two are related?

KIM LEWANDOWSKI: Tekton really started out in a Knative repo. It was originally called Knative Pipelines. It will continue to support the Knative ecosystem as a first class target. And Tekton Pipelines will deploy to Knative environments. We decided to split this out from the Knative repo to make it clear to users that this was always intended to be independently useful from the rest of Knative, and not the only way to deploy to Knative. So like I said, we have a lot of other deployment targets that we're looking to support and not just Knative itself, and not just Kubernetes itself. There's a lot of people still running on legacy systems and still talking to bare metal and still need to solve the CI/CD problem, no matter where they're running.

ADAM GLICK: So is this a forked set of code out of the Knative project? Or are you shifting the code from the Knative project into Tekton, and then Knative will build on top of it?

KIM LEWANDOWSKI: Yeah, so we shifted the code right out. It's in a new repo on GitHub/TektonCD. The build concept still exists in Knative, and that's always been a part of it. And that still remains in Knative today.

ADAM GLICK: Why was Tekton created? Why did this need to be a separate project?

KIM LEWANDOWSKI: We've spent a lot of time talking to customers and developers about how they practice CI/CD of their organizations and how they're modernizing their current infrastructure. And what we constantly heard is that they're struggling to modernize and make tooling decisions for their CI/CD workflows, and there's just so many to choose from. But the goal with all these tools is always the same, help us get our source code from source code to production as fast and securely as possible. So for Tekton, we took a step back and really asked ourselves if we could do the same thing that Kubernetes did with containers to CI/CD.

So that is, could we collaborate with industry leaders in the open to define a course of building blocks in which CI/CD systems could then be built on top of and existing ones could be refactored onto? And so this is how Tekton project was born.

ADAM GLICK: Gotcha. So when you think about the CI/CD pipeline ecosystem, what particular problems within that does Tekton solve?

KIM LEWANDOWSKI: Its goal is really to establish agreed upon specifications and guidelines common to these CI/CD systems, and really provide these building blocks which developers can plug and play which components and tool they want to use. So it really gives them the benefits of having portable workflows that can run faster and are declarative and reproducible, and it allows interoperability between a lot of the different systems that you see out there today.

ADAM GLICK: So it sounds a little bit like-- I'd almost think of this as a network specification or interface specification of how things can work together. Is that a correct way to think about it?

KIM LEWANDOWSKI: Yeah, kind of. If we can all agree on what the nouns are and what those components are, like a pipeline versus what's a task in a pipeline, what are the results that a pipeline spits out, the artifacts that they produce. And so once we agree on those specifications, then all these toolings that become Tekton conformant, they can all talk to each other. So as an end customer developer, I could, if I'm using a system over here-- maybe it's Jenkins, and then I hear about something new, I can plug and play all these different components to get the solution that I need by still maintaining that portability feature and having things that are reproducible as well.

ADAM GLICK: So it's like a framework and a specification.


ADAM GLICK: Gotcha. I'll see if I can throw some more buzzwords out there.


So what technologies does Tekton work with? You mentioned that it's this underlying specification. So what tools can or do already build on top of this?

KIM LEWANDOWSKI: So Tekton's a fairly new project, but we do have a few different projects that have already started to integrate with it. So the folks at CloudBees have a demo of Jenkins X, and even legacy Jenkins, using Tekton pipelines underneath. And there's another team-- another company called TriggerMesh, who have just recently demoed a project that they're calling TriggerMesh Aktions, actions with a K--

ADAM GLICK: Of course.

KIM LEWANDOWSKI: Which can take a GitHub action and convert it into a Tekton workflow, which then can be run on your own Kubernetes cluster, if you choose.

ADAM GLICK: So if this is an underlying framework for these pieces, is there a reason not to just go use those tools themselves? Is this something for us end developers to go and build off of? Or is this something that people who are making the CI/CD tools to build on top of and will be transparent to those of us who are just building our own code pipelines?

KIM LEWANDOWSKI: Yeah, exactly. It's the latter of that. So Tekton is really the abstraction layer beneath the CI/CD tools that most will interact with. So we envision most customers will be using these tools that are a layer above. And that's the beauty of it all, is that when these tools are Tekton conformant, that we can mix and match different ones and different plugins and have them all work together.

ADAM GLICK: Cool. Why is there no single best practice on how to deploy apps to Kubernetes?


I think some of us wish there was. But in honesty, it's not really a one size fits all space. There are sets of best practices that apply to different customers and different scenarios. So startups iterating on an NVP do not need or even want the same kind of rigor that a bank or a large insurance company might need.

ADAM GLICK: What would be some of the examples of different ways that people are doing that today that you need to think about as you're building a framework that sits underneath these tools?

KIM LEWANDOWSKI: So for startups, it's common that they just push on master. So everything-- every code commit, they just roll it out to production, and there you have it. But large enterprises, they have such strong security rules in their pipelines and everything and want to make sure that-- they want to know who built what code, how did it get built, what versions is the software running, how do I trace back what's running in production all the way back to the source code from it with versioning. So yeah, a lot more rigor around their processes.

ADAM GLICK: And Tekton is not opinionated about how people construct those pieces, correct?

KIM LEWANDOWSKI: Correct. I think when we see these projects and tools build on top of Tekton, we'll all see a bit of opinionation above to really help end users, guide them along what they think is the best practice for getting the job done that they're doing.

ADAM GLICK: Do you think over the long term, eventually, there will become a standard that people will lock to you for that? Or do you think it will always be a heterogeneous environment?

KIM LEWANDOWSKI: We're going towards-- our vision is to have a common set of guidelines that people can follow. That's the goal and that's the vision. I think it'll be a long time before we can get everything along those lines. I think we'll always see unique snowflakes out there that need to do something their own way with lots and lots of bash scripting. But hopefully, we can all move in the same direction and not keep reinventing the wheel every week.

ADAM GLICK: Recently there was a blog post that people were looking at that was called "In Defense of YAML." It was saying that it doesn't matter the sense to define pipeline steps in YAML, that YAML is a language for structured configuration and pipeline steps are basically programming. What's your opinion on that?

KIM LEWANDOWSKI: OK. Yeah, I think I know which article you're talking about. So I think it made a lot of great points that YAML, like anything else in software, can be overused or used in places where it just doesn't make sense. Still, though, it does serve an important need as a universal data language. So it's accessible from all programming languages. And this is how we see Tekton's YAML being used. So pipeline steps do represent simple programs, but we've explicitly designed it not to be Turing complete.

So we don't support handling things like self-mutating pipelines, loops, recursions, et cetera. We think this makes pipelines predictable, understandable, and maintainable, and that's the boundary that helps make the YAML more palatable.

ADAM GLICK: And is that a goal that you have? Are those pillars of your design that you will never do those things? Or could you make a more Turing complete language part of the code that you're doing later on?

KIM LEWANDOWSKI: I think this will be the design we stick with. But again, I'm not the engineer. So--

ADAM GLICK: Learning never to say never.



ADAM GLICK: It feels like a good call in technology. So Tekton was announced and the repo is available right now. What's next for Tekton?

KIM LEWANDOWSKI: Like I hinted at before, a lot of our work right now is on our Tekton pipelines. So we've been working with folks, like from CloudBees, Pivotal, IBM. We have a bunch of new features in the works. We hold weekly meetings on Tuesday mornings where we discuss features and design, and so we're working through a lot of that. And we started designing more of the Tekton core components as well, such as source code access and artifact storage. And we're also really excited to start exploring more of helping the security problems that I had touched on earlier.

So a lot of large customers, they're just coming and looking for best practices, looking for ways that they can make sure that their software supply chains are secure and they are meeting audit requirements and everything. So this is one area that we're particularly excited about and excited to start getting working on soon.

ADAM GLICK: You've mentioned a number of partners who are working with you on the Tekton project and helping to build on top of that. Which partners would you love to have join you in this?


All of them. There's a lot. There's a lot of people in the CI/CD space. So we would love the large cloud providers to join us. A lot of the things that we're trying to do, I think we can only do it when everyone's working towards the same goals and visions. So we're welcoming everyone.

ADAM GLICK: Speaking of those who might be interested, if listeners want to get more involved with Tekton, where can they go to learn more and where can they go to contribute to the project?

KIM LEWANDOWSKI: So glad you asked. So Tekton is now actually owned by a new Linux Foundation called The Continuous Delivery Foundation. The Continuous Delivery Foundation is like a sister foundation to the CNCF, if you're familiar with that foundation. So there are a few different ways you can get involved. So if you're interested in continuous delivery and just want to follow along with everything that's happening in this space, I encourage you to check out the new CDF Foundation. There's a website, it's CD.Foundation, which I thought was pretty cool that we were able to secure that domain.

So there's a membership process similar to the CNCF, where you can simply sign up for the mailing list and just be an end user and follow along. And then for Tekton specifically, the best way to get involved is really to check out our community and contributing page. And so we have a GitHub repo-- probably the easiest way to find the GitHub repo link is go to Tekton.dev, which will redirect you there, and you'll find more information there about our working group meetings, Slack channel, things like that. If you're around at GCP Next, a bunch of us will be floating around the conference as well.

ADAM GLICK: Thank you. This is great information. I appreciate you coming on the show today, Kim.

KIM LEWANDOWSKI: Sure. Thank you, Adam.

ADAM GLICK: You can find Kim Lewandowski on Twitter at @kimsterv.


Thanks for listening. As always, if you enjoyed the show, please help us spread the word and tell a friend. If you have any feedback for us, you can find us on Twitter @KubernetesPod, or reach us by email at kubernetespodcast@Google.com.

CRAIG BOX: You can also check out our website at kubernetespodcast.com, where you can find show notes and transcripts, as well as that link to sign up for the "Kubernetes Podcast" live show at Google Cloud Next. Until next time, take care.

ADAM GLICK: Catch you next week.