Cloud Native Testing Podcast

Governance Isn’t a Dirty Word: Making Policy Part of the Dev Flow with Joe Karlsson

Testkube Season 1 Episode 8

In this episode of the Cloud Native Testing Podcast, Ole Lensmar sits down with Joe Karlsson, Developer Advocate at CloudQuery, to discuss how testing and governance intersect in today’s fast-moving cloud-native environments. They explore what it takes to catch issues like cloud drift, overly permissive configurations, and deprecated services—before they become costly outages.

Joe shares real-world insights from his work helping teams bake governance into CI/CD pipelines without slowing down delivery. From debugging GitHub Actions to building a culture of shared responsibility, this episode is packed with practical advice on making governance feel less like red tape—and more like a safety net for scaling teams.

---

This podcast is proudly sponsored by Testkube, the cloud-native, vendor-agnostic test execution and orchestration platform that enables teams to run any type of test automation directly within their Kubernetes infrastructure. Learn more at www.testkube.io

Ole Lensmar
Hi, everyone. Welcome to today's episode of the Cloud Native Testing Podcast. I am thrilled and happy to be joined today by Joe Karlsson—or Karlsson, as we say in Sweden—who's at CloudQuery. Joe, it's great to have you here. Over to you.

Joe Karlsson
Hey, first of all, thanks for having me. Second, great intro. I always feel—I never know what to do with my hands. I know this is a podcast, audio medium, but I just feel awkward. But yes, I'm a developer advocate, software engineer, working in the cloud space forever. A lot of data space too, honestly—MongoDB, et cetera. But yeah, anyway...

This podcast that you guys are starting to ramp up here caught my eye. I was like, this is something I’ve been thinking about a lot recently, and I would love to come on and chat with you about it.

Ole Lensmar
I really appreciate that. I mean, just testing in cloud native—testing has obviously been around for a while. But when I talk to people or go to conferences, I hear very different takes. Some say testing in cloud native isn’t that different, while others say it’s completely different. I love hearing those perspectives, and I’m excited to get yours.

Joe Karlsson
Yeah, totally. It varies company to company. Like, can you deploy it locally at all? Or is it purely in the cloud? If it's purely in the cloud, that looks a lot different. I was even reading this morning about GitHub Actions best practices. I love GitHub Actions—they're super nice—but they’re also a pain to debug. I've been trying to figure out ways to run them more locally, just to get better insight. They're just breaking in the most random spots.

Ole Lensmar
I’ve seen more people wanting to shift left—to run tests locally during their dev loop. But also shift right—to run tests in more async pipelines. How does GitHub Actions fit into that?

Joe Karlsson
Exactly. And lately, I’ve been working a lot with companies that are integrating cloud governance testing into their CI/CD pipelines—or just testing pipelines in general. If you're new to cloud governance, it's basically a set of policies, controls, and compliance measures you put on your cloud. Most companies use it for security, FinOps (saving cloud spend), and operational efficiency. It's just guardrails around your cloud.

Ole Lensmar
Interesting.

Joe Karlsson
I'm seeing more and more companies bake those rules into their pipelines. And yeah—shifting left is important. Git hooks, GitHub integrations... I end up skipping some of those because they take forever. But we’re working on ways to make it faster and run earlier so you don’t blow things up.

Especially for companies with complex infrastructure, it’s easy to make a small YAML change that accidentally breaks compliance—like SOC 2. A lot of companies catch it after the fact, when it’s already too late. I want to avoid that.

Ole Lensmar
Yeah, super common. Testing after the disaster.

Joe Karlsson
Exactly. I used to work at Best Buy—at the time, one of the top three biggest e-commerce sites in the US. We used to just throw our code over the wall. Someone else would make sure it didn’t fall over. It would’ve been so much better to have guardrails earlier, especially when dealing with credit card or personal data.

Ole Lensmar
So if someone wants to get started with governance testing, where do they begin?

Joe Karlsson
Most clouds have best practices and frameworks—AWS has one, I think it’s called the Well-Architected Framework. And of course, there’s SOC 2, depending on what kind of data you’re handling. But the hard part is that everyone’s cloud setup is unique. And SOC 2 includes evaluating all third-party services—AWS tooling isn’t enough. You need something that gives you a full picture.

That’s why I joined CloudQuery. It pulls in data from all your cloud providers into one place, lets you query it with SQL, and integrate however you want. A lot of big companies use us for security checks, compliance, cloud drift, and cost management.

Ole Lensmar
So how does that work—are you deploying an agent?

Joe Karlsson
Nope, it’s read-only. We use APIs from cloud services and stream that data into a database. You can write SQL queries, set alerts, and compare snapshots. One customer used it to detect cloud drift—they’d compare each deployment against a known-good state and flag permission changes, exposed buckets, expired certs, etc. They even blocked deployments based on severity.

Ole Lensmar
All automated from the pipeline?

Joe Karlsson
Exactly. With GitHub Actions, they’d run those checks in the CI pipeline. It had to be fast, up to date, and easy to tweak. SQL made it flexible, especially for teams with complex infrastructure.

Ole Lensmar
What about governance earlier in the process—during development?

Joe Karlsson
That’s a great question. And honestly, this isn’t even a tech problem. It’s a culture one. If you’re not careful, governance becomes “someone else’s problem.” You need buy-in across engineering teams.

Creating visibility helps. Dashboards, alerts, heat maps of expensive resources—it’s about making people aware without slowing them down. If the checks take forever, people just disable them. It’s a delicate balance between developer speed and accountability.

Ole Lensmar
It goes back to culture, right?

Joe Karlsson
Absolutely. You need a quality-first mindset. But just talking about it in offsite meetings isn’t enough. There’s often a gap between what we say and what we do. We need systems that alert you to real issues, fast. No one wants to be publicly shamed—but they also need to see what went wrong and why it matters.

Ole Lensmar
Yeah, maybe we need a “benevolent dictator” approach—a system that gently enforces good behavior.

Joe Karlsson
Totally. It’s a constant negotiation—fixing bugs, paying off tech debt, managing business priorities. But it’s part of the job.

Also, we need better tools. Imagine linters for cloud compliance: “Here’s what you broke, here’s how to fix it.” Some tools are starting to do that. AI might help here too.

Ole Lensmar
We had a guest talk about using AI to read internal governance docs and flag policy violations at the PR level. Kind of a governance co-pilot.

Joe Karlsson
That’s the dream. I want a Jarvis for cloud compliance. A smart, read-only agent that understands your setup and suggests improvements—without taking over or being risky.

Ole Lensmar
The word “governance” scares some people. Feels like red tape.

Joe Karlsson
Yeah. Most people don’t think about governance until they feel the pain—especially with multi-cloud. Then they want to fix it. Start small, scale as needed.

Sometimes it’s as simple as: what’s keeping me up at 2 a.m.? Where am I flying blind? That’s where visibility tools like CloudQuery can help.

Ole Lensmar
Do you think the CNCF is ready for a “governance moment”?

Joe Karlsson
Maybe. It’s growing. More regulations. More SaaS sprawl. But I’m not seeing consolidation—everyone’s still using GitHub, AWS, GCP, etc. The need for visibility across all that isn’t going away.

Ole Lensmar
So when should a company start thinking about this?

Joe Karlsson
It depends. For startups, it’s often triggered by a specific concern: billing visibility, deprecated runtimes, SOC 2 audits. Others grow into it as their infrastructure becomes more complex. We see it across fintech, government, and high-regulation sectors.

Ole Lensmar
Makes sense. Joe, this was great. Thanks so much for joining us.

Joe Karlsson
Thank you! This was so fun.

Ole Lensmar
Thanks, everyone, for listening. Bye!