Cloud Native News - CNN21/34
About increasing Kubernetes security with seccomp profiles, OpenTelemetry becoming a CNCF incubating project, WebAssembly in AWS Lambda, and rootkits being used to attack cloud-native infrastructure...
CNCF Community & Industry
- Which Managed Kubernetes Is Right for Me?
"This blog will compare on-premises, or self-hosted,Kubernetes clusters to managed ones, as well as outline your options for Kubernetes in the cloud. To do this, we’ll look at ease of use and set-up,custom node support, cost, release cycles, version support, and more." - also related: this updated cloud pricing comparison on managed Kubernetes services.
- OpenTelemetry becomes a CNCF incubating project
"The CNCF Technical Oversight Committee (TOC) has voted to accept OpenTelemetry as a CNCF incubating project. OpenTelemetry is an observability framework for cloud native software. It is a collection of tools, APIs, and SDKs that can be used to instrument, generate, collect, and export telemetry data – which includes metrics, logs, and traces – for analysis to better understand software performance and behavior." - if you are interested and looking for a starting point make sure also to check out the "Understand OpenTelemetry series" by NewRelic!
Containers & Orchestration
- WebAssembly serverless functions in AWS Lambda | Cloud Native Computing Foundation
WasmEdge running in a Docker container deployed on AWS can be used for performance-critical applications. An interesting use case for WasmEdge!
"This repository provides our opinionated point of view on how GitOps can be used to manage the infrastructure, services and application layers of K8s based systems. It takes into account the various personas interacting with the system and accounts for separation of duties."
- Auto-updating podman containers with systemd
Remember: sometimes, an orchestrator to run a couple of containers is just too much. However, this does not mean it's not possible to automate things such as updating images!
- Detect Malicious Behaviour on Kubernetes API Server through gathering Audit Logs by using FluentBit - Part 2
Chances are, you are already using FluentBit to forward your application logs. Why not reuse it also to do some intrusion detection via Falco?
- A Security Review of Docker Official Images: Which Do You Trust?
"The use of Docker official images is recommended for building secure containerized applications, this blog reveals some images that are not fully maintained, therefore risky." - remember: "official" is not a synonym for "secure"!
- Advanced Persistent Threat Techniques Used in Container Attacks
"Team Nautilus provides a deep analysis of an intensive campaign targeting cloud native environments that use advanced persistent threat (APT) techniques" - This blog post is an analysis of how rootkits are used to attack cloud-native environments. Scary!
- Mutating Kubernetes resources with Gatekeeper
Gatekeeper can be used to validate if resources match specific criteria and enforce them. There is a new feature allowing Gatekeeper to validate created Kubernetes resources and modify them based on defined mutation policies. This article gives a nice little intro to a topic with ever-growing relevance!
A few weeks ago, NSA and CISA released their Kubernetes Hardening Guide. kubescape is a tool for testing if Kubernetes is deployed as defined according to their guidelines.
- Managing Kubernetes seccomp profiles with security profiles operator
With Kubernetes 1.22, default seccomp profiles of your container runtime are activated per default. There is another interesting project simplifying the management of seccomp profiles for your workloads called Security-Profiles-Operator. While the project is still in its infancy, it promises interesting features such as recording seccomp profiles (as long as you use CRI-O as CRI).
- Send your metrics to a Prometheus Remote Write endpoint without Prometheus
Using OpenTelemetry Collector to send metrics to a Prometheus remote-write backend. 📈
- Writing a Kubernetes Validating Webhook using Python
Want to get your hands dirty with admission controllers? This article delivers a nice applied use case!
- An Introduction to JQ
Admittedly, a tool for processing YAML is not exactly a cloud-native topic. However, is there any cloud-native project not using jq that can benefit from such an article? ;)
- Why and How of Kubernetes Ingress (and Networking)
Kubernetes Networking is complicated enough that we find explanations, tutorials, and how-tos every week. Every once in a while, some articles are good enough to be listed here. What we especially like about this one: really nice graphics!
- A Kubernetes engineer's guide to mTLS
"mTLS is a hot topic in the Kubernetes world, especially for anyone tasked with getting "encryption in transit" for their applications. But what is mTLS, what kind of security does it provide, and why would you want it? In this guide, I'll walk you through exactly what mTLS is, how it relates to ordinary TLS, and why it's relevant to Kubernetes."
Photo by Marius Christensen on Unsplash