Cloud Native News - CNN21/15

CNCF & Community

Observability

  • Introducing OpenSearch
    Introducing the OpenSearch project, a community-driven, open source fork of Elasticsearch and Kibana. This initiative, mainly driven by Amazon after the license change from Elastic, should keep Elasticsearch & Kibana under a public and open source license that does not restrict what they can be used for or where.

Networking

  • Simplifying multi-clusters in Kubernetes
    This article gives a very good introduction to multi-cluster K8s approaches and the pros & cons of the different implementations. However, it focuses on Liqo: the idea behind Liqo is to make multi-cluster topology a single-step operation for cluster administrators. And it looks very promising.

Containers & Orchestration

  • How Flant upgraded 150+ of Kubernetes clusters from v1.16 to v1.19
    Flant describes their approach to upgrading over 150 K8s clusters from 1.16 to 1.19, the things they have learned, and how they will proceed to move to the next upcoming versions.
  • Scaling Kubernetes with Assurance at Pinterest
    With the governance, resilience, and operability efforts, Pinterest was able to significantly reduce sudden usage surges of compute resources, control plane bandwidth, and ensure the stability and performance of the whole platform. The kube-apiserver QPS (mostly read) is reduced by 90% after optimization rollout, which makes kube-apiserver usage more stable, efficient, and robust. These are insane results, a must-read if you scale big!
  • Three Tenancy Models For Kubernetes
    "Tenancy" is more than multi-tenancy, which is why Kubernetes supports or allows various approaches: Namespaces, Clusters and Control Planes as a Service. In this blog post, the Kubernetes multi-tenancy workgroup introduces multiple approaches and guides you to the right one for your use case.

Security

  • Mitigating CVE-2021-20291: DoS affecting CRI-O and Podman
    The medium-level vulnerability CVE-2021-20291 has been found in the containers/storage Go library, leading to Denial of Service (DoS) when vulnerable container engines pull an injected image from a registry. Here is how to mitigate this CVE.
  • Kubesploit: A New Offensive Tool for Testing Containerized Environments
    Kubesploit is a framework written in Golang that builds on top of the Merlin project (by Russel Van Tuyl), a cross-platform post-exploitation HTTP/2 Command & Control server and agent.
  • Defend the Core: Kubernetes Security at Every Layer
    "Containers are transforming software development. As the new foundation for CI/CD, containers give you a fast, flexible way to deploy apps, APIs, and microservices with the scalability and performance digital success depends on. But containers and container orchestration tools such as Kubernetes are also popular targets for hackers." Understand the 5 layers you have to protect.

Photo by Nick Fewings on Unsplash