Kubernetes and the UK

Kubernetes marked its 10th anniversary last year, and the CNCF commemorates a decade of remarkable success this year. To celebrate, Open UK recently published a report showcasing the UK's influence on the formation and growth of both the CNCF and Kubernetes. This blog post focuses on the part ControlPlane CEO Andrew Martin played.
From Containers to Cloud-Native Confidence: A Journey Through Kubernetes Security
In 2013, the first whispers of a revolution echoed across Hacker News. Docker had arrived. I was in East London, consulting for News International. Our project lead was excited. The rest of the team? Sceptical. “New technology means new security holes,” they said — and they weren’t wrong. But beneath the hesitation, a transformation in how we build and deploy software had begun.
The Container Spark
Soon after, while building secure payment systems at Visa, we used Docker to test payment flows in development. The catch? No regulated organisation would dream of running it in production, not yet. Everyone was waiting for someone else to battle-test its security model; early adopters face the sharpest edges. In 2014, British Gas took a bold step, deploying a full machine learning system on Docker v0.8. It predicted boiler issues and avoided costly home visits. But the ecosystem was still raw: no secrets management, no temporary (tmpfs) mounts, and no Linux Security Module (LSM) support. Security was a fragmented puzzle of loosely connected tools.
CoreOS and Immutable Dreams
That same year, we discovered CoreOS, a container-focused operating system that preached immutability and security. I met its visionary CEO, Alex Polvi, who pitched a dream: secure the Internet. I was hooked.
CoreOS became the foundation for more secure containers, introducing key technologies like CoreOS Fleet (a distributed systemd) and eventually shipping the Sysdig Secure kernel module by default. We ran Docker, rkt, and CoreOS Fleet together — but the tooling was rough and inconsistent.
Enter Kubernetes
Having already run containers internally on Borg since 2008, Google open-sourced its learnings in 2014 in the form of Kubernetes, finally offering a path toward solving our distributed systems woes. The orchestrator wars began: Kubernetes, Docker Swarm, Mesos and Nomad all vied for dominance. Kubernetes offered both power and complexity. Events like Container Camp and the first KubeCon EU in 2016 spread distributed systems wisdom. But one question kept returning: how do we secure this?
A Mission Is Born
In 2016, I joined the UK Home Office to help deploy Kubernetes v1.2 for air-gapped, critical national systems. We hardened the infrastructure to national security standards and realised the glaring gap: Kubernetes had the potential, but not yet the practices, to secure real-world deployments. ControlPlane was born in 2017 to fill that gap.
Building the Cloud Native Security Movement
As Kubernetes matured, so did the community. London's Kubernetes Meetup flourished. GitOps, pioneered by Weaveworks' FluxCD, reshaped CI/CD: instead of a pipeline pushing updates into the cluster, an in-cluster agent pulled them from Git. That removed the need for CI systems to hold cluster credentials and left an auditable history of every change in version control.
Security became an industry-wide concern, and startups like Katacoda educated engineers. At KubeCon Seattle in 2018, ControlPlane shared lessons in securing Kubernetes pipelines. The CNCF's Technical Advisory Group for Security (TAG Security) held its first meeting in a quiet side room. Fewer than ten people, but the spark had been lit.
Community, Collaboration, and Codifying Security
With leaders like Sarah Allen, JJ, Liz Rice, and Rory McCune, TAG Security began building the foundational knowledge for Kubernetes security. White papers, zero-day workshops, and CloudNativeSecurityCon emerged from this shared mission. ControlPlane contributed by:
Threat modelling Kubernetes for FS-ISAC to serve financial services
Building a Kubernetes CTF simulator to teach secure debugging
Collaborating on CIS Benchmarks for Kubernetes
We brought these lessons to a wider audience through conferences like BSides and KCD.
The Shift Left and the Secure Future
Security began to “shift left,” moving into DevSecOps pipelines, embedding itself in every layer from infrastructure to applications. Teams were restructured. New operational models emerged. Security became a shared responsibility.
As TAG Security co-chair, I helped carry out security assessments of CNCF projects like Cilium, Flatcar, FluxCD, and Envoy. These assessments form part of the graduation process, and they matured the ecosystem as a whole.
We learned vital security lessons: run containers as non-root users, enforce network policies, scan images, and, critically, make security understandable for developers. Kubernetes' power lay in its enablement: uniform tooling meant that knowledge travelled between teams, closing security gaps.
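To make the first two lessons concrete, here is an added example (not code from the original post or from ControlPlane): a Pod manifest as it is often first written, beside a hardened version of the same Pod, followed by a default-deny NetworkPolicy and the explicit allow rules that must then be added. The image name, namespace, labels and user ID are assumed for illustration.

```yaml
# Added example, not from the original post. Image, namespace, labels and
# UID are placeholders chosen for illustration.
---
# BEFORE: no securityContext, so the container runs as whatever user the
# image declares (frequently root), with a writable root filesystem, the
# default capability set, and an auto-mounted service account token.
apiVersion: v1
kind: Pod
metadata:
  name: api-unhardened
  namespace: demo
spec:
  containers:
    - name: api
      image: example.com/api:1.0.0
      ports:
        - containerPort: 8080
---
# AFTER: the same workload with the lessons applied.
apiVersion: v1
kind: Pod
metadata:
  name: api-hardened
  namespace: demo
  labels:
    app: api
spec:
  securityContext:
    runAsNonRoot: true      # kubelet refuses to start a container whose effective user is root
    runAsUser: 10001        # explicit non-zero UID, so the check passes even if the image has no USER
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault  # container runtime's default syscall allowlist
  automountServiceAccountToken: false   # no API credentials unless the app actually needs them
  containers:
    - name: api
      image: example.com/api:1.0.0      # pin by digest in practice so the scanned image is the one deployed
      securityContext:
        allowPrivilegeEscalation: false # blocks setuid binaries and capability gains
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # the only writable path
      ports:
        - containerPort: 8080
  volumes:
    - name: tmp
      emptyDir: {}
---
# Default deny: a pod selected by no NetworkPolicy accepts and sends all
# traffic. Selecting every pod in the namespace and allowing nothing flips
# the default, so each permitted flow has to be declared.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: demo
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Explicit allow for the hardened pod: ingress only from gateway pods on
# 8080, egress only to kube-dns for name resolution (both labels assumed).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: ingress-gateway
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two caveats a practitioner will hit: NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them (Cilium, mentioned above, does; a bare bridge CNI silently ignores them), and `readOnlyRootFilesystem` will break any image that writes outside the mounted `emptyDir`, which is exactly the kind of failure that surfaces early when these settings are applied in development rather than production.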
Drawing the Line
In 2021, I co-authored Hacking Kubernetes, published by O'Reilly. It brought together years of learning, community contributions, and real-world examples to demystify Kubernetes security. At KubeCon Valencia in 2022, I delivered one of my most pressure-packed talks, featuring live exploits, demos, and lessons.
Today, Kubernetes is a hardened, battle-tested orchestrator that underpins telecoms, governments, and financial services. That outcome wasn't inevitable. It took persistent effort, deep community involvement, and a shared belief in making cloud native secure by design.
What’s Next?
ControlPlane continues to drive security in Kubernetes and beyond. But we’re not done. There are always new challenges, attack vectors, and patterns to secure. The goal remains the same:
Empower developers. Secure systems. Protect the future of cloud-native.
The full report is published by Open UK.