April 2018 Container Newsletter.

Hello from all of us here at Sysdig! It’s a very exciting time for us: Sysdig received Red Hat OpenShift Container Platform certification, we just launched our brand new web UI for Sysdig Monitor… and have a lot of other exciting news to share with you.

So here it is again: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS, Mesos, OpenShift, etc.

We hope you enjoy this! Ping us at @sysdig or on our open source Sysdig Slack group to share anything you feel should be included in future newsletters; we look forward to your contributions! You can also find previous newsletter editions in the Container Newsletter archive.


Fixing the subpath volume vulnerability in Kubernetes

On March 12, 2018, the Kubernetes Product Security team disclosed CVE-2017-1002101, a flaw in subpath volume mounts that lets a container (privileged or not, subject to file permissions) read and write files outside the mounted volume, including on the node's host filesystem. It is a serious issue, and the Kubernetes team responded swiftly with patched releases and mitigation advice for clusters that cannot upgrade immediately.

Kubernetes security guide, part 1: RBAC and TLS

Don’t miss this in-depth guide to Kubernetes security. The first chapter covers the two foundations of cluster access control: RBAC (who may do what against the API) and TLS (how cluster components authenticate each other and encrypt traffic).
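As an added example (not code from the Sysdig guide), here is what least-privilege RBAC looks like in practice: a hypothetical `deploy-bot` ServiceAccount in an assumed `payments` namespace that may only read Deployments, Pods and Pod logs there. A namespaced Role plus RoleBinding is preferred over a ClusterRole so the grant cannot leak into other namespaces.

```yaml
# Added example, not from the original guide. Namespace, account and
# role names are assumptions chosen for illustration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deploy-bot
  namespace: payments
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-reader
  namespace: payments
rules:
# Read-only on Deployments in this namespace only.
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
# Read-only on Pods and their logs; no exec, no delete, no create.
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deploy-bot-deployment-reader
  namespace: payments
subjects:
- kind: ServiceAccount
  name: deploy-bot
  namespace: payments
roleRef:
  kind: Role
  name: deployment-reader
  apiGroup: rbac.authorization.k8s.io
```

Verify the grant before trusting it: `kubectl auth can-i list deployments -n payments --as=system:serviceaccount:payments:deploy-bot` should answer `yes`, while `kubectl auth can-i delete deployments -n payments --as=system:serviceaccount:payments:deploy-bot` and the same query in another namespace should answer `no`. One caveat a practitioner should remember: every Pod gets its ServiceAccount token mounted by default, so any workload that does not talk to the API should set `automountServiceAccountToken: false` to keep a compromised container from inheriting even these read permissions.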

Kubernetes security at the pod level: admission controllers, SecurityContext and pod network policies

Part 2 of the Kubernetes security guide. Get to know the pod security features that Kubernetes puts at your disposal: admission controllers, pod security policies, pod network policies and more.
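To make the SecurityContext part concrete, here is an added example (not from the Sysdig guide) of a hypothetical `api` Pod in an assumed `payments` namespace with a restrictive security context: no root, no privilege escalation, no Linux capabilities, and a read-only root filesystem with a scratch `emptyDir` for the one path the process legitimately writes to.

```yaml
# Added example, not from the original guide. Image name, UID and
# namespace are assumptions chosen for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true      # kubelet refuses to start a container whose UID is 0
    runAsUser: 10001        # fixed unprivileged UID, independent of the image's USER
    fsGroup: 10001          # volumes are group-owned by this GID
  containers:
  - name: api
    image: example.com/payments/api:1.4.2   # assumed image
    ports:
    - containerPort: 8080
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false       # setuid binaries cannot gain privileges
      readOnlyRootFilesystem: true          # tampering with binaries/config fails
      capabilities:
        drop: ["ALL"]                       # nothing in the default cap set survives
    volumeMounts:
    - name: tmp
      mountPath: /tmp                       # the only writable path
  volumes:
  - name: tmp
    emptyDir: {}
```

A securityContext is a self-declaration by the workload author; it hardens this Pod but does nothing to stop the next manifest from asking for `privileged: true`. Cluster-wide enforcement is what the admission-controller side of the article is about: a PodSecurityPolicy (beta at the time of writing) only has effect once the `PodSecurityPolicy` admission controller is enabled on the API server, and once enabled it rejects every Pod that no policy authorizes, so roll it out with a permissive policy first.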

Sealed secrets: protecting your passwords before they reach Kubernetes

Sealed Secrets are a “one-way” encrypted secret that can be created by anyone, but can only be decrypted by the controller running in the target cluster. This way you don’t need to create a special repository just for sensitive data.


Prometheus monitoring and Sysdig monitor: a technical comparison

Still undecided whether to use Prometheus or Sysdig Monitor? Both are great but have different characteristics. Read more at Prometheus Monitoring and Sysdig Monitor: A Technical Comparison.

Troubleshoot and fix Kubernetes CrashLoopBackOff events

What is a CrashLoopBackOff? They happen frequently and are not always easy to debug. Learn how to alert on, debug, troubleshoot and fix Kubernetes CrashLoopBackOff events.

Sending Kubernetes & Docker events to Elasticsearch and Splunk using Sysdig

The Sysdig platform provides a set of standard interfaces to integrate with any third party application. In this article we cover the implementation of a webhook to aggregate Sysdig container data using Elasticsearch or Splunk.

Five changes containers bring to PCI compliance

The quick rise in container adoption is at a pace that’s hard to match on the compliance side. In this blog we’ll cover the main challenges and opportunities you need to be aware of to successfully manage Kubernetes and container PCI Compliance.

JOIN THE UPCOMING WEBINAR “Container Forensics & Troubleshooting with Sysdig Inspect”.



Kubernetes 1.10: stabilizing storage, security, and networking

There is no break time in Kubernetes land, 1.10 is here! It brings a beta version of the container storage interface, new cluster DNS implementation, pod security policies and much more.

Single sign-on for Kubernetes: the command line experience

Kubernetes does not provide a login process, it leaves it up to you to design the user login experience. One interesting solution is to delegate Kubernetes user authentication to a third party identity provider.

Skaffold, easy and repeatable Kubernetes development

When you are developing a new application that you need to re-test often, the Kubernetes deployment process can get in your way. Skaffold will detect changes in your source code and automatically build/push/deploy.

Set up a Drone CI/CD pipeline with Kubernetes

No, this is not about those flying devices. While Jenkins is the most used CI/CD tool, Drone is built from the ground up with containers and microservices in mind. Learn how to deploy it on Kubernetes.

CRI-O 1.10 beta 1 released

Kubernetes supports container runtimes other than Docker through the Container Runtime Interface (CRI), and CRI-O is one such runtime. This new CRI-O version brings a shared pod process namespace, container log improvements and a new stats API.

Top 11 continuous delivery tools for Kubernetes

Who doesn’t love top lists? Achieve an end-to-end Continuous Integration/Continuous Delivery (CI/CD) pipeline adopting these tools.

Network policies for Kubernetes are generally available

Network policies are fully tested and supported for production workloads on Google Kubernetes Engine. Get started with them running the examples in our Kubernetes security guide.
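Both the pod-level article above and this GA announcement come down to the same two manifests, so here is an added example (not from the Sysdig guide or from Google's documentation) for an assumed `payments` namespace: a default-deny ingress policy for every pod in the namespace, followed by a single allow rule that lets only `app: frontend` pods reach `app: api` pods on TCP 8080.

```yaml
# Added example, not from the original articles. Namespace, labels and
# port are assumptions chosen for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}               # empty selector = every pod in the namespace
  policyTypes: ["Ingress"]      # no ingress rules listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:              # same-namespace pods labelled app=frontend
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

Policies are additive: a pod selected by any policy accepts only traffic that at least one policy allows, so the second manifest punches a hole in the first rather than replacing it. Two checks before relying on this: the policy is silently ignored unless the cluster's network plugin enforces NetworkPolicy (on GKE this is a cluster setting that has to be enabled, which the announcement above covers), and because `policyTypes` lists only `Ingress`, egress from these pods is still unrestricted; add an `Egress` policy if the threat model includes data exfiltration from a compromised pod.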

Creating Kubernetes liveness and readiness probes

Thanks to Kubernetes, the self-healing software promise is one step closer. Learn about liveness and readiness probes with nice brief examples you can try right away.
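As an added example (not from the linked article), here is a hypothetical `api` Deployment in an assumed `payments` namespace with both probe types, assuming the application serves `/healthz` and `/ready` on port 8080. The two endpoints deliberately answer different questions.

```yaml
# Added example, not from the original article. Image, paths and
# timings are assumptions chosen for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
      - name: api
        image: example.com/payments/api:1.4.2   # assumed image
        ports:
        - containerPort: 8080
        # Liveness: "is this process wedged?" Failing it restarts the container.
        # /healthz must only check the process itself, never a downstream dependency.
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 15   # give the app time to boot before judging it
          periodSeconds: 10
          timeoutSeconds: 2
          failureThreshold: 3       # 3 consecutive failures (~30 s) before a restart
        # Readiness: "can this replica serve traffic right now?" Failing it only
        # removes the pod from Service endpoints; the container keeps running.
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          periodSeconds: 5
          timeoutSeconds: 2
          failureThreshold: 2
```

The split matters for the failure mode: if the liveness endpoint also checked the database, a database outage would make the kubelet restart every replica in lockstep, turning one dependency problem into a CrashLoopBackOff across the fleet (the troubleshooting article earlier in this newsletter covers exactly that symptom). Put dependency checks behind `/ready` so an unhealthy dependency takes the replica out of rotation without killing it.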

What the data says about Kubernetes deployment patterns

Because data is better than opinions. Learn about Kubernetes adoption alongside other stats like usage in public and private cloud platforms, alternative container tools or preferred ingress controllers.


Docker commands cheat sheet

Cheat sheets, immensely useful and straight to the point. Now, you can avoid having to search for these shortcuts every time you open your command console. Run, orchestrations, services, clean up and more.

LXC vs Docker

How these two container technologies relate is not always clear: both use the containerization features of the Linux kernel (namespaces and cgroups) but have very different technological and philosophical approaches.

The best architecture with Docker and Kubernetes — myth or reality?

Provocative title. Is it possible to build an architecture once and for all using these technologies?

A thorough study of container technology and what it brings to the table in terms of IT design and problem solving.

Test-Drive continuous integration pipeline using Docker, Jenkins & GitHub

For $0. Step by step and with all the code snippets, diagrams and screenshots you need to make following this example a really pleasurable and educative experience.

Docker turns 5: A look at how the technology popularized containers

Happy birthday, Docker! A retrospective summarizing some major events and paradigm shifts related to this really special piece of technology.

How to use a forwarding proxy with golang

Want to expose your awesome Docker microservices to the outside world? You can learn more about HTTP CONNECT by analyzing this golang implementation.

Put the brakes on your containers

Deploying and scaling Docker containers has become really easy. Eventually you will need to limit resource usage to meet hardware constraints.

Debug Docker apps effectively using logs options, tail and grep

And another cheat-sheet-type article. This time on Docker logging: timestamping, following specific containers, combining logs, search and filtering, etc.

HypriotOS 1.8.0: Raspberry Pi 3 B+, Stretch and more

HypriotOS claims to be the fastest way to get Docker up and running on any Raspberry Pi. Now with enhanced security, smaller download size and better hardware support.


Unified container monitoring and security on OpenShift with Sysdig

Sysdig is now certified and publicly available in the Red Hat Container Catalog. Extend your OpenShift pipeline beyond deployment with Sysdig container-oriented monitoring and security.

Announcing the OpenShift Container Platform 3.9

OpenShift Container Platform 3.9 is generally available! Device-specific (GPU, FPGAs, etc) workload offloading, data persistence and local storage are just some of the highlighted features.

Announcing DC/OS 1.11

And DC/OS as well, wow, nice month for orchestrator releases. DC/OS 1.11 brings multi-cloud operations from a single control plane, Kubernetes-as-a-service and enhanced data security. You can learn more reading this nice product overview.