Cloud Native News - CNN21/39


About caching Container images on Kubernetes, why ElasticSearch isn't a good logging system, kernel pwning with eBPF, Apache Airflow on K8s at scale and zero trust supply chain security

Editorial

I Don't Think ElasticSearch Is A Good Logging System
Colin has used ElasticSearch for seven years now. During that time, he used it for a few prominent use cases: a search engine, an APM solution (after NewRelic started being stupidly expensive), a backend for Jaeger, and a log storage system. In all of those use cases, he pushed ElasticSearch to its limits, with hundreds of terabytes of data across dozens of machines and tens of thousands of shards, and in all that time he found that it only works well for one of those situations.

App Engine to Google Kubernetes Engine - a journey
When IPinfo was considering better alternatives to Google App Engine, there were two big avenues to explore: going ahead with Compute Engine managed instance groups (GCE MIGs), or going ahead with Google Kubernetes Engine (GKE). They decided on the latter, GKE, due to the level of control over workload execution, autoscaling, and options for how traffic gets routed. Here is their story.

Kubernetes Podcast from Google: Episode 164 - Podman, with Daniel Walsh and Brent Baude
Red Hat maintains a full set of container tools and libraries, bringing their pedigree in security and operating system engineering. The most notable of those tools, Podman, has had a surge in popularity this month, after Docker announced changes in their subscription model. Daniel Walsh leads the Red Hat containers team, and Brent Baude is the architect and primary maintainer of Podman.

Do your demos like a boss at KubeCon
What is the best live demo you've ever seen? Do you still remember it now? Learn how the best do it, and how to get an IP address that will travel with you.

Tools

Amazon Managed Service for Prometheus Is Now Generally Available with Alert Manager and Ruler
Amazon Managed Service for Prometheus automatically scales as your monitoring needs grow. It is a highly available service deployed across multiple Availability Zones (AZs) that integrates AWS security and compliance capabilities. The service offers native support for PromQL and the ability to ingest Prometheus metrics from over 150 Prometheus exporters maintained by the open source community.

Announcing Linkerd 2.11: Policy, gRPC retries, performance improvements, and more!
This release marks a significant step forward for Linkerd by introducing policy, a long-awaited feature that allows users to control which services can connect and send requests to each other.

Kube-fledged: Cache Container Images in Kubernetes
kube-fledged is designed and built as a general-purpose solution for managing an image cache in Kubernetes. Though the primary use case is to enable rapid Pod start-up and scaling, the solution supports a wide variety of other use cases as well.

inguardians/peirates: Peirates - Kubernetes Penetration Testing tool
Peirates, a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster.

Other

Stupid Simple Service Mesh — What, When, Why
This blog tries to demystify the concept of Service Mesh using “Stupid Simple” explanations, diagrams, and examples to make this concept more transparent and accessible for everyone.

OpenEBS v3 release - Kubernetes storage simplified
OpenEBS 3.0 is the culmination of efforts geared towards laying the foundation for making it easier to onboard and accept community contributions, making each of the engine operators ready for future Kubernetes releases, and making it easier to manage and troubleshoot the various engines.

Tutorials

Kernel Pwning with eBPF: a Love Story
This blog post is intended to give a detailed overview of eBPF from the perspective of an exploit developer. Put simply, eBPF provides a way for a user mode application to run code in the kernel without needing to write a kernel module. The purported benefits of using eBPF versus a kernel module are ease of use, stability, and security.

How to Run Apache Airflow on Kubernetes at Scale
The Kubernetes Executor, introduced in Apache Airflow 1.10.0, can run all Airflow tasks on Kubernetes as separate Pods. The difference between the Kubernetes Executor and the KubernetesPodOperator is that the KubernetesPodOperator runs a container as a single task, and that container is run inside a Pod on a Kubernetes cluster.

Import AWS AMIs as KubeVirt Golden Images
The KubeVirt Cloud Import project explores the practicality of transitioning VMs from various cloud providers into KubeVirt. As of this writing, automation for exporting AMIs from EC2 into KubeVirt works, and it's not all that complicated.

Zero Trust Supply Chain Security
Zero-trust architecture focuses on protecting assets, not perimeters. Services authenticate users against hardware instead of network endpoints. A Zero Trust Supply Chain moves artifact repositories out of the Trusted Compute Base. Individuals and build systems attest to source code and artifacts directly.

How to Handle Data Duplication in Data-Heavy Kubernetes Environments
This tutorial will show you how to utilize VolumeSnapshots to create data duplicates through externally prepared snapshots. In some use cases, you are required to have a similar data set so that you can test specific behavior like upgrading schemas, application logic, or other operations.

Community

Spotlight on SIG Node
In Kubernetes, a Node is a representation of a single machine in your cluster. SIG Node owns that very important Node component and supports various subprojects, such as the Kubelet and the Container Runtime Interface (CRI), that govern how Pods and host resources interact. This blog summarizes a conversation with Elana Hashman and Sergey Kanzhelev, who describe the various aspects of being part of the SIG and share some insights about how others can get involved.

Photo by Jakob Kaltenborn on Unsplash