
August 2018 Container Newsletter

Hello from all of us here at Sysdig! August is supposed to be a slow news month, right? Wrong! :) Take a break from your holidays and read the latest container news.

So here it is again: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS Mesos, Openshift, etc.

We hope you enjoy this! Ping us at @sysdig or on our open source Sysdig Slack group to share anything you feel should be included in future newsletters; we look forward to your contributions! You can also find previous newsletter editions in the Container Newsletter archive.

SECURITY

How to Implement Open Source Container Security

Want to deploy an open source container security stack for Docker and Kubernetes? This two-part guide covers everything from runtime security to Docker image scanning, together with deployment scripts.

Docker Security Best-Practices

A brief, easy-to-read illustrated Docker security checklist covering the main concepts, common errors, and further-reading links you need to start hardening your environment.

Home Office Repo Security Scanner

Committing private keys, authorization tokens, plaintext passwords, and similar secrets to a git repo is a common human security error. This tool scans for these kinds of mistakes, including in the commit history.

Synchronizing Kubernetes Secrets with LastPass

This blog post explains how to use the LastPass cloud service as the source of truth for the secrets in your Kubernetes cluster. Using the LastPass CLI and secure notes, you won’t need to worry about your secret storage at rest anymore.

11 Ways (Not) to Get Hacked

Kubernetes security has come a long way since the project’s inception, but it still has some gotchas. Here is an updated list of handy tips to help you harden your clusters.

Protect Kubernetes External Endpoints with OAuth2 Proxy

Sometimes you need to expose services that have no authentication mechanism of their own. No problem: you can always put external authentication in front of them via OAuth.

SYSDIG

Amazon EKS Monitoring and Security with Sysdig

This is how you can use Sysdig in an Amazon EKS environment to monitor performance and security, and to save time when troubleshooting deployed microservices.

Learn to Program with Minecraft – Docker Edition

Sounds really cool, right? “Learn to Program with Minecraft” is an awesome book, but what if you get stuck setting up the appropriate development environment? Docker can really smooth out this setup for you.

JOIN OUR ONLINE SESSION (AUG 28): “HOW TO MANAGE VULNERABILITIES IN CONTAINER ENVIRONMENTS”.
YOU CAN SEE OTHER UPCOMING SYSDIG SESSIONS HERE.

KUBERNETES

Build, Deploy and Manage Serverless Workloads Using Knative

Developing and managing services on Kubernetes can be complicated. Knative aims to bridge this gap by exposing a serverless interface that makes developers’ lives much easier.

Kubernetes: Core Concepts

Getting to grips with Kubernetes can be difficult, with so much information floating around on the seas of the Internet. Get the basic concepts and entities right before moving forward.

Move Your Certs to Helm

Setting up certificates is delicate and laborious work. You can automate this process using Helm if you just need a self-signed cert on the fly.

Feature Highlight: CPU Manager

The CPU Manager is a beta feature in Kubernetes at the time of writing. It enables better placement of workloads in the Kubelet by allocating exclusive CPUs to certain pod containers.

Horizontal Pod Autoscaler Kubernetes Operator

You can abstract away the process of configuring dedicated HPAs per deployment using custom annotations and the Kubernetes Operator SDK to build your own Horizontal Pod Autoscaler operator.

Resizing Persistent Volumes using Kubernetes

What happens if you underestimated capacity and then realize the volumes for your stateful workloads are not big enough? Persistent volume expansion to the rescue.

Managing Memory and CPU Resources for Kubernetes Namespaces

Setting resource limits for a set of pods is a common task for a Kubernetes operator. If you want to implement multi-tenancy, for example, you may want to do the same at the namespace level.

Dynamic Kubelet Configuration

Kubernetes v1.10 made it possible to configure the Kubelet via a beta config file API. Now, with dynamic Kubelet configuration you can reconfigure the Kubelets in a live cluster using API requests.

NFS Persistent Volumes with Kubernetes

If you need to access a shared data volume from any number of pods, one of the most affordable and straightforward solutions is to use NFS. Learn how to configure NFS-backed Kubernetes Persistent Volumes.

DOCKER

Docker ENTRYPOINT & CMD

You regularly use the ENTRYPOINT and CMD directives in your Dockerfile(s); in this post you can learn some advanced tips and best practices for defining the main executable and arguments of your containers.

How Docker Images Work: Union File Systems

Seems like magic, something that you just take for granted. Want to know more about these layered filesystems by running some examples yourself?

Running a Go API with Hot Reloading and Docker

Docker is not only about microservices, it can be a powerful tool for prototyping and testing new software. Learn how to deploy an API with hot reloading capabilities using docker-compose.

Things I Wish I Knew About Docker Before I Started Using It

What is a WORKDIR? How do I ssh into a container? … These and several other frequently asked questions from people who are starting to use containers are answered in this blog post.

Making Compose Easier to Use with Application Packages

Docker Application Packages is an additional feature set on top of the docker-compose functionality, aiming to make your Docker server stacks easier to reuse, share and adapt to different execution environments.

MESOS & OPENSHIFT

Ingress Controllers to Expose Apps Running In Kubernetes On DC/OS

Mesosphere provides an easy option to provision Kubernetes onto DC/OS. Once your microservices-based apps are running, you’ll need to expose them to the outside world.

Run Everything-as-a-Service Everywhere

There is a trend taking place in systems architecture: an evolution from container orchestration to service orchestration. Learn what exactly this service orchestration thing is and how to deploy it on top of DC/OS.

Red Hat OpenShift Container Platform 3.10 is now available for download

In this release, OpenShift builds on prior work to strengthen its capabilities for running computationally-intensive workloads such as artificial intelligence or machine learning.

How to use GPUs with DevicePlugin in OpenShift 3.10

Device manager provides a way to advertise resources to a Kubelet without writing custom Kubernetes code. This blog post shows how to use this feature to make NVIDIA GPUs available in OpenShift 3.10.