Guests: Kat Cosgrove | Billy Thompson
Companies: Minimus | Akamai
Show Name: KubeStruck
Topics: Kubernetes, Open Source
Most companies believe they’re being responsible open source citizens if they write a check. Sponsor a project. Put a logo on a website. Maybe fund a conference. Then move on.
That assumption is dangerously wrong.
In this clip, Kat Cosgrove, Kubernetes Release Team Subproject Lead and Head of Developer Advocacy at Minimus, makes a blunt point many executives don’t want to hear: money alone does not keep open source alive. People do. And when those people burn out, the software your business depends on can simply stop.
The External Secrets Operator (ESO) crisis is a clear example. ESO is a CNCF sandbox project used widely in production environments. Despite receiving financial sponsorship, its maintainers publicly warned they might stop releasing updates. The reason wasn’t drama or governance failure. It was exhaustion. There weren’t enough maintainers. Not enough reviewers. Not enough engineers contributing real time to the project.
That’s the uncomfortable reality of open source at scale. Even with foundation backing, funding often covers infrastructure, documentation, or marketing — not full-time engineering staff. Without companies dedicating engineers upstream, projects hit a wall.
Kat frames this not as charity, but as self-interest. If your commercial product makes money because an open source project exists, your business is exposed when that project becomes unsustainable. There is no legal requirement for maintainers to keep releasing software. There’s no obligation to issue a deprecation notice. Open source can simply go quiet.
Billy Thompson reinforces this with a simple analogy. Cooking for ten people alone is exhausting. Cooking with ten people sharing the work is manageable. Open source works the same way. A handful of burned-out volunteers supporting massive enterprise usage is not a scalable model.
What makes the situation worse is that many companies already have the skills open source projects desperately need. Engineering time. Documentation. Developer experience. Marketing. Executive communication. These are not heavy lifts for mature organizations, yet they’re often withheld due to internal policies or narrow ROI calculations.
Kat also points out that this isn’t about ignorance. The industry has already accepted that open source is safe, secure, and essential. Companies claiming they didn’t know they could contribute back are simply avoiding responsibility. The rules of open source are clear: anyone can contribute.
There was real progress for a while. Many companies built Open Source Program Offices (OSPOs) to formalize upstream contribution. But in recent years, OSPOs and DevRel teams have been among the first cut during layoffs — even as companies report record profits. That short-term thinking puts the entire ecosystem at risk.
The warning here is not theoretical. Kubernetes itself struggles with maintainer replacement and leadership succession. If a project that large is vulnerable, smaller “weird little projects” with three maintainers are even more fragile — despite being deeply embedded in production systems.
The takeaway is simple and uncomfortable. If companies don’t recommit to contributing real human effort upstream, not just money, open source will fail in places executives least expect. And when it does, it won’t fail gracefully.