As hybrid cloud strategies go, the U.S. military certainly is taking a unique approach.
As military organizations are increasingly dependent on software, they are using an array of cloud tools that are open source like Kubernetes and Istio for their jobs. The US military has also taken a unique approach according to a presentation by Nicholas Chaillan, chief software officer for the U.S. Air Force, the KubeCon 2019 in San Diego. From weapons systems to even fighter planes, tools have to be deployed in some interesting places, And now, even F-16s are running Kubernetes based on the legacy hardware which is built into those jets.
According to Chaillan, “One point for the team was to demonstrate that it could be done,”. His challenge to the Air Force and its partners was to get Kubernetes up and running in 45 days on a jet. Though this was difficult, the team met the goal and there are three concurrent Kubernetes clusters now running on F16s. During his presentation at KubeCon, Chaillan explained that the Air Force and the remaining Department of Defence are betting on the containers, Kubernetes, and Istio. It’s a universal development platform which is flexible for software teams across the military.
Most military software teams were developing software following the old-fashioned waterfall process before this project was started about 18 months ago. This way it could have taken years to implement and with updates, testing and security reviews it could have relied heavily on human labor to complete tasks without any automation.
However, it becomes difficult for the military if they fall behind the mainstream when it comes to the technology application for its mission. Rivals could get an edge on the battlefield as they invest in their own software capabilities.
Chaillan states that it’s very important for the military to reduce the attack surface and also be able to mitigate threats.
The Department of Defense Enterprise DevSecOps
Chaillan along with his team have adopted open-source software as the foundation of their new development platform, called the DoD Enterprise DevSecOps Initiative. It is a combination of Istio, knative, Kubernetes and an internally developed specification that is for “hardening” containers. This comes with a strict set of security requirements as it is the default software development platform across the military.
Chaillan further added on during a press conference explaining that the team chose to use Kubernetes specifically, with other projects providing security for the networking layer of the DoD stack. The software teams in various regions can be discrete over how they use the tools available, but it must be constructed on the layer which is provided by the Platform One team of the Air Force. Also, here are several things the teams are not allowed to change. Interestingly, the entire stack was designed to run on Amazon Web Services’ GovCloud or Microsoft Azure.
There faced lots of challenges along the way. Kubernetes has not been designed for disconnected environments the military must use in many situations where data should not reach the internet. Chaillan says that the DoD will have a lot of suggestions for Kubernetes maintainers for this portion of the project, and this could pave the way for the use of Kubernetes in other sensitive operating environments.
“We’re very used to updating using the internet, and having connectivity to the internet, getting the updates directly from the internet,” he said.
An Open Source Stack at DoD Scale
The scale of operation of the DoD is unlike commercial operations and Chaillan had to train 100,000 people on the principles of DevSecOps, alongside the new tools. This is a reflection that the DoD is using this new development platform for plenty of unclassified applications. With more than 2 million people in the military, most of them are not flying F-16s running Kubernetes. Chaillan said that it’s a tiny piece of the rest of the work they are doing. They also have a lot of business systems that are moving to cloud-native environments, microservices, that are being built right from the get-go.
The entire DoD Enterprise DevSecOps Initiative stack is available for anyone to check and is open source.