Cloud Native News - CNN21/30
About signing and verifying containers with Cosign, the MITRE ATT&CK Framework for Cloud, the life of a container, Kubernetes 1.22, and a stable Ingress API...
CNCF Community & Industry
- Announcing Linkerd's Graduation
"Today we’re humbled and honored to announce that Linkerd is now a graduated project of the CNCF, joining Kubernetes, Prometheus, Envoy, and other projects at the foundation’s highest level of project maturity."
- Kubernetes 1.23 Release Team Shadow Application
The Release Team Shadow application for the Kubernetes 1.23 Release has been opened. The application will remain open until Friday, August 13th, 2021. If you are interested in contributing, you can read here about Release shadows and what they do. If you have questions, feel free to reach out to Christoph or Max, both are/were part of the release team.
Containers & Orchestration
- Kubernetes 1.22 – What’s new?
Kubernetes 1.22 is about to be released. It includes 56 exciting enhancements, among them a couple of APIs graduating to stable. So be prepared to adjust your manifests :)
- Updating NGINX-Ingress to use the stable Ingress API
"The upcoming Kubernetes 1.22 release will remove several deprecated APIs that are relevant to networking:
  - the networking.k8s.io/v1beta1 API version of IngressClass
  - all beta versions of Ingress: extensions/v1beta1 and networking.k8s.io/v1beta1
On a v1.22 Kubernetes cluster, you'll be able to access Ingress and IngressClass objects through the stable (v1) APIs, but access via their beta APIs won't be possible."
- Life of a Container
This is one of those "Create a container from scratch" kinds of posts. If you have never created a cgroup or only have a vague understanding of what a Linux namespace is, this post is a great resource to improve your knowledge!
- DevSpace - The Fastest Developer Tool for Kubernetes (open-source)
Building modern, distributed, and highly scalable microservices with Kubernetes is hard - and it is even harder for large teams of developers. DevSpace is the next-generation tool for fast cloud-native software development. Build, test and debug applications directly inside Kubernetes.
- Simple eBPF CO-RE Application
The second part of writing a simple eBPF application comes down to a short overview of BPF CO-RE and why it makes sense to use it to develop eBPF programs. CO-RE stands for Compile Once - Run Everywhere; it had been in development for a while and was finally added to libbpf last year.
- Introducing kapp-controller as a Package Manager for Kubernetes
kapp-controller provides a Kubernetes native continuous delivery and package management experience through custom resource definitions.
- Connaisseur 2.0 - Verify Container Signatures in Kubernetes using Notary or Cosign
Connaisseur is a Kubernetes admission controller to integrate container image signature verification and trust pinning into a cluster. To do so, it intercepts resource creation or update requests sent to the Kubernetes cluster, identifies all container images, and verifies their signatures against pre-configured public keys.
- What is the MITRE ATT&CK Framework for Cloud?
As it does for all platforms and environments, MITRE came up with an IaaS Matrix to map the specific Tactics, Techniques, and Procedures (TTPs) that advanced threat actors could use in their attacks on cloud environments. Stefano from Sysdig highlights the 10 TTPs you should know of.
- The Real-Life Story of the First Mainframe Container Breakout
"You've seen talks about container hacking. You've seen talks about mainframe hacking. But how often do you see them together? IBM decided to put containers on a mainframe, so a container hacker and a mainframe hacker decided to join forces and hack it." – super excited for this DefCon talk by Ian Coldwater and Chad Rikansrud. Both are well known for their contributions in the area of IT security.
- HTTP Security Headers: Why? How? What?
"Setting up HTTP security headers is the quickest, least expensive, and probably the most effective way to secure a web application today. Here is how."
Data & Storage
- Cosign 1.0! And other Sigstore July Updates!
"The cosign project started in February 2021 with a goal of making it easy to sign and verify containers on any OCI registry today. [...] We’ve cut seven releases over six months and are now thrilled to declare our first general availability release, cosign 1.0, which is ready for production use!"
- backube/scribe: Asynchronous data replication for Kubernetes CSI storage
"Scribe asynchronously replicates Kubernetes persistent volumes between clusters using either rsync or rclone depending on the number of destinations."