Cloud Native News - CNN21/02

About building a security response engine with Falco, Calico & Cilium egress filtering benchmark, Virtual Application Networks and a maturing Sonobuoy.

CNCF & Community

Containers & Orchestration

  • Vertical Pod Autoscaling: The Definitive Guide
    Vertical Pod Autoscaling, increasing the resource capacity of pods, is commonly used for stateful applications or wherever horizontal scaling is not an option. Povilas Versockas gives an in-depth overview of what to consider when using VPA in Kubernetes.
  • Sonobuoy 0.20: Going Beyond Conformance
    Announcing the release of Sonobuoy version 0.20 and looking ahead to 1.0. And it seems like there is a lot to come: "The Sonobuoy team envisions the project will continue to grow as a general cluster-readiness project. In the near future, we will introduce enhancements that make it easier for users to create and manage custom plugins."

Networking

Security

  • Falcosidekick + Kubeless = a Kubernetes Response Engine
    Building a security response engine with Falco, Falcosidekick, and Kubeless. With this approach it is possible, for example, to delete a pod as soon as Falco detects a shell being executed inside that pod. It is a basic example, but it opens up many possibilities for other scenarios!
    There was also an introductory blog post about Kubernetes security using Falco.
  • Sysdig 2021 container security and usage report: Shifting left is not enough
    "[...] we can see that 74% of organizations are scanning container images in the build process. This indicates that container security is shifting left. However, if we look at the runtime scanning data, we see that the majority of images are still overly permissive with 58% of containers running as root. This indicates that while shifting left is a good start and might help catch vulnerabilities sooner, there is still a need for runtime scanning to detect when configuration errors occur." I couldn't agree more; I observe the same daily.
  • Hardening Docker and Kubernetes with seccomp
    By default, containers are far less secure than you might think. Seccomp profiles can help close off many of those attack vectors. Unfortunately, in my daily work with clients I don't see much awareness of such topics :(
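Added example for the Falcosidekick + Kubeless item above (not code from the linked post or the Falco project): the decision logic such a response function would run on one forwarded Falco alert, with the rule allowlist and protected-namespace check a defender wants before letting alerts delete pods automatically. Assumptions: the alert field names (`rule`, `output_fields`, `k8s.ns.name`, `k8s.pod.name`) follow Falco's default JSON output, the sample alert is constructed, and the actual deletion is injected as a `delete_pod` callback so the logic runs without a cluster.

```python
import json

# Constructed sample alert in the shape Falcosidekick forwards (assumption: default Falco JSON fields).
SAMPLE_ALERT = {
    "output": "17:42:11.123456789: Notice A shell was spawned in a container with an attached terminal "
              "(user=root k8s.ns=demo k8s.pod=web-7c9d shell=bash)",
    "priority": "Notice",
    "rule": "Terminal shell in container",
    "time": "2021-02-10T17:42:11.123456789Z",
    "output_fields": {
        "container.id": "3f1a2b4c5d6e",
        "k8s.ns.name": "demo",
        "k8s.pod.name": "web-7c9d",
        "proc.cmdline": "bash",
        "user.name": "root",
    },
}

# Only these rules are allowed to trigger a destructive response; everything else is just logged.
RESPONSE_RULES = {"Terminal shell in container"}
# Never delete workloads the cluster (or the detection pipeline itself) depends on.
PROTECTED_NAMESPACES = {"kube-system", "falco"}


def decide(alert):
    """Return ("delete", ns, pod) or ("ignore", reason) for one alert (dict or JSON string)."""
    if isinstance(alert, str):
        alert = json.loads(alert)
    rule = alert.get("rule")
    fields = alert.get("output_fields") or {}
    ns, pod = fields.get("k8s.ns.name"), fields.get("k8s.pod.name")
    if rule not in RESPONSE_RULES:
        return ("ignore", f"rule {rule!r} is not in the response set")
    if not ns or not pod:
        return ("ignore", "alert carries no k8s.ns.name/k8s.pod.name (not a pod event?)")
    if ns in PROTECTED_NAMESPACES:
        return ("ignore", f"namespace {ns!r} is protected")
    return ("delete", ns, pod)


def handle(alert, delete_pod):
    """Function body as a Kubeless handler would run it; Kubeless passes the HTTP body as event["data"].
    delete_pod(ns, pod) is injected; in-cluster it would wrap
    kubernetes.client.CoreV1Api().delete_namespaced_pod(pod, ns) from the official Python client."""
    decision = decide(alert)
    if decision[0] == "delete":
        _, ns, pod = decision
        delete_pod(ns, pod)
        return f"deleted {ns}/{pod}"
    return f"ignored: {decision[1]}"
```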

Development

  • Announcing CDK for Terraform 0.1
    CDK for Terraform now supports Java and C# and has new collaboration features on Terraform Cloud. This release brings us closer to a beta version of CDK for Terraform.
  • txn2/kubefwd
    "kubefwd is a command line utility built to port forward multiple services within one or more namespaces on one or more Kubernetes clusters. kubefwd uses the same port exposed by the service and forwards it from a loopback IP address on your local workstation. kubefwd temporarily adds domain entries to your /etc/hosts file with the service names it forwards."
  • Build Your Kubernetes Operator With the Right Tool
    "A look at how developers are building their Kubernetes Operators, with stats on language usage."
