Cloud Native News - CNN21/02
About building a security response engine with Falco, the Calico & Cilium egress filtering benchmark, Virtual Application Networks and a maturing Sonobuoy.
CNCF & Community
- Cloud Native Computing Foundation: 2020 CNCF Annual Report
Although it was already published at the end of last year, we think it is worth taking a look back at the 2020 cloud-native landscape :)
- Kubernetes Security Essentials Course Now Available
The Linux Foundation Training & Certification and the Cloud Native Computing Foundation announced the availability of LFS260 – a Kubernetes Security Essentials course. It aims to be the preparation course for the Certified Kubernetes Security Specialist (CKS).
Containers & Orchestration
- Vertical Pod Autoscaling: The Definitive Guide
Vertical Pod Autoscaling, i.e. adjusting the CPU and memory requests of pods instead of the number of replicas, is commonly used for stateful applications or wherever horizontal scaling is not an option. Povilas Versockas gives an in-depth overview of what to consider when utilizing VPA in Kubernetes.
- Sonobuoy 0.20: Going Beyond Conformance
Announcing the release of Sonobuoy version 0.20 and looking ahead to 1.0. And it seems like there is a lot to come: "The Sonobuoy team envisions the project will continue to grow as a general cluster-readiness project. In the near future, we will introduce enhancements that make it easier for users to create and manage custom plugins."
Networking
- Virtual Application Networks (VAN) for Multi-Cloud, Multi-Cluster, and Cloud-Edge Interconnect
"There are various reasons for deploying or replicating an application in multiple locations: geographically distributed applications for enhanced performance and availability, maintain compliance, connected vehicles, local breakouts in 5G, remote edge sites, etc. This requirement makes application-oriented multi-cloud and multi-cluster connectivity an inevitable trend of cloud computing."
- Egress Filtering Benchmark Part 2: Calico and Cilium
In September, Kinvolk already published a performance analysis of different egress filtering techniques on Linux. Now they have gone a step further and chosen a more real-life scenario, comparing the egress filtering performance of Calico and Cilium. Quite impressive: this gives insight into the potential overhead added by Kubernetes and the named CNI plugins compared with using the underlying Linux filtering mechanisms directly (IP sets and eBPF, respectively).
- Manuel de Brito Fontes steps down as ingress-nginx maintainer
Manuel (Alejandro) de Brito Fontes, the creator of the NGINX Ingress Controller, is going to step down as maintainer of the project. While some volunteers have already expressed interest in succeeding him, a decision remains to be made. Created in 2015, the NGINX Ingress Controller is part of the Kubernetes project and an open-source implementation of an Ingress controller based on NGINX.
Security
- Falcosidekick + Kubeless = a Kubernetes Response Engine
Building a security response engine with Falco, Falcosidekick and Kubeless: Falco detects the event, Falcosidekick forwards the alert to a Kubeless function, and the function reacts. With this approach it is possible to, e.g., delete a pod as soon as Falco detects a shell being spawned inside it. It is a basic example, but it opens up many possibilities for other scenarios!
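As an added example (not code from the blog post or from the Falco project), the following Kubeless-style Python function implements the decision step of such a response engine: it reads a Falcosidekick alert, checks rule, priority and namespace, and only then deletes the offending pod. The payload shape (`rule`, `priority` and `output_fields` with `k8s.ns.name` / `k8s.pod.name`), the `handler(event, context)` signature, the rule allow-list, the protected namespaces and the sample alert are assumptions made for illustration.

```python
"""Kubeless-style response function for Falcosidekick alerts (added example).

Assumed Falcosidekick webhook body: {"output": ..., "priority": ..., "rule": ...,
"time": ..., "output_fields": {"k8s.ns.name": ..., "k8s.pod.name": ..., ...}}.
Assumed Kubeless Python entry point: handler(event, context), body in event["data"].
"""
import json

# Only these Falco rules may trigger the destructive action (constructed allow-list).
RESPONSE_RULES = {"Terminal shell in container"}
# Never delete pods in these namespaces (constructed safety list).
PROTECTED_NAMESPACES = {"kube-system", "falco"}
# Falco priorities, most severe first; alerts below MIN_PRIORITY are ignored.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
MIN_PRIORITY = "Notice"

# Constructed sample alert shaped like a Falcosidekick webhook body.
SAMPLE_ALERT = {
    "output": "10:00:00.000000000: Notice A shell was spawned in a container "
              "with an attached terminal (user=root container=nginx shell=bash)",
    "priority": "Notice",
    "rule": "Terminal shell in container",
    "time": "2021-02-01T10:00:00.000000000Z",
    "output_fields": {
        "k8s.ns.name": "default",
        "k8s.pod.name": "nginx-6799fc88d8-x7p2q",
        "proc.cmdline": "bash",
    },
}


def severe_enough(priority, threshold=MIN_PRIORITY):
    """True when `priority` is at least as severe as `threshold`; unknown -> False."""
    try:
        return PRIORITIES.index(priority) <= PRIORITIES.index(threshold)
    except ValueError:
        return False


def pod_to_delete(alert):
    """Return (namespace, pod) if the alert warrants deleting the pod, else None.

    Pure decision logic, so it can be unit-tested without a cluster.
    """
    if alert.get("rule") not in RESPONSE_RULES:
        return None
    if not severe_enough(alert.get("priority", "")):
        return None
    fields = alert.get("output_fields") or {}
    namespace = fields.get("k8s.ns.name")
    pod = fields.get("k8s.pod.name")
    if not namespace or not pod:          # host-level event: nothing to delete
        return None
    if namespace in PROTECTED_NAMESPACES:  # never take down the control plane or Falco itself
        return None
    return namespace, pod


def delete_pod(namespace, name):
    """Delete the pod through the API using the function's own service account.

    Imported lazily so the decision logic above runs without the client installed
    (pip install kubernetes).
    """
    from kubernetes import client, config
    config.load_incluster_config()
    client.CoreV1Api().delete_namespaced_pod(
        name=name, namespace=namespace, grace_period_seconds=0)


def handler(event, context):
    """Kubeless entry point: Falcosidekick POSTs the alert JSON as the request body."""
    data = event["data"]
    alert = json.loads(data) if isinstance(data, (str, bytes)) else data
    target = pod_to_delete(alert)
    if target is None:
        return "ignored"
    delete_pod(*target)
    return "deleted %s/%s" % target


if __name__ == "__main__":
    print(pod_to_delete(SAMPLE_ALERT))  # -> ('default', 'nginx-6799fc88d8-x7p2q')
```

The function's ServiceAccount should get a Role that grants only `delete` on `pods` in the namespaces it is meant to police, nothing cluster-wide; Falcosidekick is then pointed at the function via its Kubeless or generic webhook output.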
There was also an introductory blog post about Kubernetes security using Falco.
- Sysdig 2021 container security and usage report: Shifting left is not enough
"[...] we can see that 74% of organizations are scanning container images in the build process. This indicates that container security is shifting left. However, if we look at the runtime scanning data, we see that the majority of images are still overly permissive with 58% of containers running as root. This indicates that while shifting left is a good start and might help catch vulnerabilities sooner, there is still a need for runtime scanning to detect when configuration errors occur." I couldn't agree more, as I observe the same thing daily.
- Hardening Docker and Kubernetes with seccomp
By default, containers are far less isolated than you might think: Docker ships a default seccomp profile, but Kubernetes applies no seccomp filter to a pod unless you ask for one, so a container can issue any syscall the kernel exposes. A seccomp profile narrows the available syscalls and with them a lot of attack vectors. Unfortunately, in my daily work with clients I don't see much awareness of such topics :(
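As an added example (not from the linked article), the Python below shows the weak pod spec next to the hardened one, builds a deny-by-default Localhost profile, and includes a small checker that reports which containers would still run unconfined. The field names follow the Kubernetes API (`securityContext.seccompProfile`, GA since 1.19) and the older `seccomp.security.alpha.kubernetes.io` annotations; the pod names, images and the `localhostProfile` path are constructed for illustration.

```python
"""Seccomp for Kubernetes pods: weak spec, hardened spec and a checker (added example)."""
import json

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"

# Constructed: nothing set, so every container runs without any seccomp filter.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:1.19"}]},
}

# Constructed: runtime default for the whole pod, a stricter custom profile for one container.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "nginx", "image": "nginx:1.19"},
            {"name": "sidecar", "image": "busybox:1.32",
             "securityContext": {"seccompProfile": {
                 "type": "Localhost",
                 # path is relative to the kubelet's seccomp root (default /var/lib/kubelet/seccomp)
                 "localhostProfile": "profiles/sidecar.json"}}},
        ],
    },
}


def seccomp_profile(allowed_syscalls, arches=("SCMP_ARCH_X86_64",)):
    """Build a Localhost-style profile that denies every syscall not explicitly allowed.

    SCMP_ACT_ERRNO makes a blocked syscall fail with EPERM instead of killing the
    process, which keeps the failure visible in the application's own error handling.
    """
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(arches),
        "syscalls": [{"names": sorted(set(allowed_syscalls)), "action": "SCMP_ACT_ALLOW"}],
    }


def seccomp_mode(pod):
    """Effective seccomp type per container (RuntimeDefault, Localhost or Unconfined).

    Precedence: container field > pod field > container annotation > pod annotation,
    and with nothing set at all the container is Unconfined.
    """
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations") or {}
    pod_field = (spec.get("securityContext") or {}).get("seccompProfile")
    modes = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        field = (c.get("securityContext") or {}).get("seccompProfile") or pod_field
        if field:
            modes[c["name"]] = field["type"]
            continue
        ann = (annotations.get(CONTAINER_ANNOTATION_PREFIX + c["name"])
               or annotations.get(POD_ANNOTATION))
        if ann in ("runtime/default", "docker/default"):
            modes[c["name"]] = "RuntimeDefault"
        elif ann and ann.startswith("localhost/"):
            modes[c["name"]] = "Localhost"
        else:
            modes[c["name"]] = "Unconfined"
    return modes


def unconfined_containers(pod):
    """Names of containers that would run with no seccomp filter at all."""
    return sorted(name for name, mode in seccomp_mode(pod).items() if mode == "Unconfined")


if __name__ == "__main__":
    print("weak pod, unconfined:", unconfined_containers(WEAK_POD))
    print("hardened pod:", seccomp_mode(HARDENED_POD))
    # Profile for the sidecar: only what a trivial static file server needs (constructed list).
    print(json.dumps(seccomp_profile(
        ["read", "write", "openat", "close", "fstat", "mmap", "munmap", "brk",
         "socket", "bind", "listen", "accept4", "exit_group"]), indent=2))
```

The checker is the kind of logic an admission webhook or a CI policy test would run over manifests; a pod that shows up as `Unconfined` is exactly the "less secure than you think" default the article warns about.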
Development
- Announcing CDK for Terraform 0.1
CDK for Terraform now supports Java and C# and has new collaboration features on Terraform Cloud. This release brings us closer to a beta version of CDK for Terraform.
- txn2/kubefwd
"kubefwd is a command line utility built to port forward multiple services within one or more namespaces on one or more Kubernetes clusters. kubefwd uses the same port exposed by the service and forwards it from a loopback IP address on your local workstation. kubefwd temporarily adds domain entries to your /etc/hosts file with the service names it forwards."
- Build Your Kubernetes Operator With the Right Tool
"A look at how developers are building their Kubernetes Operators, with stats on language usage."
Photo by Simon Berger on Unsplash