Cloud Native News - CW16
CVE-2020-8835 privilige escalation through eBPF, CommunityBridge graduation and Q2 project application, Falco v0.22, read of the week: the open organization
CNCF & Community
- Fluentd Project Journey Report
The Fluentd Project Journey Report has been released (link to the report). It`s been a long ride since it has been created in 2011. Speaking of: Fluentd v1.10.2 has been released.
- What if it was a software bug/virus? Cyber vs. COVID-19: A thought experiment
What have a computer virus and a human virus like COVID-19 in common? More than you think! This thought experiment of Or Weis show you the similarities between both worlds. He also describe which solution we have already in the cyber world and how these can be developed in the bio engineering in the next years. It maybe sounds like Sci-Fi, but first approaches are in research.
- Launching CommunityBridge Mentorships Q2 2020
CommunityBridge is a platform that aims to sustain open source projects and through paid internships for developers to learn and contribute to open source communities. This week seven interns graduate from the programm, and the CommunityBridge launching its Mentorship for Q2, projects and interns apply now!
Processes / Guides / Articles
- Monitoring Kubernetes Workloads: The Sidecar Pattern
It is a standard pattern to solve problems you will definitely encounter while preparing your workloads for Kubernetes. Commonly used for monitoring containers in a pod, this article dives a bit deeper for this use case.
- A day in the life of a SRE at GitLab
A Front-End Devs experience report of shadowing a Site Reliability Engineer for one week. It is an invaluable opportunity to have a "look over the fence".
- CVE-2020-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification
New technology brings new risks for vulnerabilities. This is a writeup about exploiting a bug in eBPF allowing privilege escalation.
- Performing Image Scanning on Admission Controller with OPA
This post talks about using image scanning on admission controller to scan your container images on-demand, right before your workloads are scheduled in the cluster.
- Kubernetes the Hard Way - Deep Dive
I guess we do not need to explain what Kubernetes the Hard Way is. Though it's content and the inner workings of Kubernetes are still hard to learn. This tutorial series is following the guide including some explanations.
- Please don’t evict my pod; priority & disruption budget
This article covers the pod priority class, pod disruption budget and the relationship of these constructs with pod eviction. No idea what we are talking about? Consider reading this article :)
- Graceful shutdown in Kubernetes is not always trivial
Shutting down server applications should be treated with care. Connections need to be terminated, state persisted... a lot of things that can go wrong. This article gives some guidance with an PHP-FPM example.
- Kubernetes Node Local DNS Cache
If you are a Administrator of a self-hosted Kubernetes cluster, it probably doesn't take long until you fall into the Linux conntrack race issue, which causes 5s DNS request delays. I'm glad to see, that there are other/new approaches to mitigate this issue that do not require Kernel Patches or run CoreDNS on every worker node.
- Distill: Why do we need Flask, Celery, and Redis? (with McDonalds in Between)
I'm not a Python dev, but had to bring one or the other Python app to containers and had exactly the same question. This article givs a nice and graphical explanation!
- Is BGP safe yet?
Not many are aware, that something like a Border Gateway Protocol exists. Even less are aware, that it is - as the backbone of the internet - relatively unsecure, considering its importance. There are a few ideas to make it secure: RPKI is one. SCION is another - as an alternative to BGP.
- Falco 0.22 a.k.a. "the hard fixes release"
This release fixes some "longstanding tough bugs" but, brings some rule changes and also brings some features like synchronous CRI metadata fetch.
- Amazon launches Fargate platform v1.4.0
Still not quite the AWS-native container-platform we wish for. But Fargate brings some improvements like the ability to mount EFS volumes inside Fargate tasks, network metrics and ContainerD as container runtime.
Videos, Audios and Specials
Read of the Week
The Open Organization: Igniting Passion and Performance by Jim Whitehurst is meanwhile 5 years old, but never be more relevant than nowadays. He write in his book how RedHat build a open source software driven, healthy and visionary company, where openness is lived in every corner of the organization. It definitely worth to read or listen it!
Photo by Branden Harvey on Unsplash