Hello from all of us here at Sysdig! August is supposed to be a slow news month, right? Wrong! :) Take a break from your holidays and read the latest container news.
So here it is again: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS Mesos, Openshift, etc.
We hope you enjoy this! Ping us at @sysdig or on our open source Sysdig Slack group to share anything you feel should be included in future newsletters; we look forward to your contributions! You can also find previous newsletter editions in the Container Newsletter archive.
SECURITY
How to Implement Open Source Container Security
Want to deploy an open source container security stack for Docker and Kubernetes? This two-part guide covers everything from runtime security to Docker image scanning, together with deployment scripts.
Docker Security Best-Practices
A brief, easy-to-read illustrated Docker security checklist that shows you the main concepts, common errors and further-reading links you need to start hardening your environment.
Home Office Repo Security Scanner
Committing private keys, authorization tokens, plaintext passwords, etc. to a git repository is a common human security error. With this tool you can scan for these kinds of mistakes, even in the commit history.
Synchronizing Kubernetes Secrets with LastPass
This blog post explains how to use the LastPass cloud service as the source of truth for your Kubernetes cluster. Using LastPass CLI and secure notes, you won’t need to worry about your secret storage at rest anymore.
11 Ways (Not) to Get Hacked
Kubernetes security has come a long way since the project’s inception, but it still has some gotchas. Here is an updated list of handy tips to help you harden your clusters.
Protect Kubernetes External Endpoints with OAuth2 Proxy
Sometimes you just want to expose services that don’t have any authentication mechanism of their own. No problem: you can always add external authentication via OAuth2.
SYSDIG
Amazon EKS Monitoring and Security with Sysdig
This is how you can use Sysdig in an Amazon EKS environment to monitor performance and security, and also save time when troubleshooting deployed microservices.
Learn to Program with Minecraft – Docker Edition
Sounds really cool, right? “Learn to Program with Minecraft” is an awesome book, but what if you get stuck setting up the appropriate development environment? Docker can really smooth this setup for you.
JOIN OUR ONLINE SESSION (AUG 28): “HOW TO MANAGE VULNERABILITIES IN CONTAINER ENVIRONMENTS”.
YOU CAN SEE OTHER UPCOMING SYSDIG SESSIONS HERE.
KUBERNETES
Build, Deploy and Manage Serverless Workloads Using Knative
Developing and managing services on Kubernetes can be complicated. Knative aims to bridge this gap by exposing a serverless interface that makes developers’ lives much easier.
Kubernetes: Core Concepts
Getting to grips with Kubernetes can be difficult, with so much information floating around on the seas of the Internet. Get the basic concepts and entities right before moving forward.
Move Your Certs to Helm
Setting up certificates is delicate and laborious work. You can automate this process using Helm if you just need a self-signed cert on the fly.
Feature Highlight: CPU Manager
The CPU Manager is a beta feature in Kubernetes at the time of writing. It enables better placement of workloads in the Kubelet by allocating exclusive CPUs to certain pod containers.
Horizontal Pod Autoscaler Kubernetes Operator
You can abstract away the process of configuring dedicated HPAs per deployment using custom annotations and the Kubernetes Operator SDK to build your own Horizontal Pod Autoscaler operator.
Resizing Persistent Volumes using Kubernetes
What happens if you underestimated capacity and then realize the volumes for your stateful workloads are not big enough? Persistent volume expansion to the rescue.
Managing Memory and CPU Resources for Kubernetes Namespaces
Setting resource limits for a set of pods is a common task for a Kubernetes operator. If you want to implement multi-tenancy, for example, you may want to do the same at the namespace level.
Dynamic Kubelet Configuration
Kubernetes v1.10 made it possible to configure the Kubelet via a beta config file API. Now, with dynamic Kubelet configuration you can reconfigure the Kubelets in a live cluster using API requests.
NFS Persistent Volumes with Kubernetes
If you need to access a shared data volume from any number of pods, one of the most affordable and straightforward solutions is to use NFS. Learn how to configure NFS-backed Kubernetes Persistent Volumes.
DOCKER
Docker ENTRYPOINT & CMD
You regularly use the ENTRYPOINT and CMD directives in your Dockerfile(s); in this post you can learn some advanced tips and best practices for defining the main executable and arguments for your containers.
How Docker Images Work: Union File Systems
Seems like magic, something that you just take for granted. Want to know more about these layered filesystems by running some examples yourself?
Running a Go API with Hot Reloading and Docker
Docker is not only about microservices; it can be a powerful tool for prototyping and testing new software. Learn how to deploy an API with hot reloading using docker-compose.
Things I Wish I Knew About Docker Before I Started Using It
What is a WORKDIR? How do I ssh into a container? … and several other frequently asked questions from people who are starting to use containers, answered in this blog post.
Making Compose Easier to Use with Application Packages
Docker Application Packages is an additional feature set on top of the docker-compose functionality, aiming to make your Docker server stacks easier to reuse, share and adapt to different execution environments.
MESOS & OPENSHIFT
Ingress Controllers to Expose Apps Running In Kubernetes On DC/OS
Mesosphere provides an easy option to provision Kubernetes onto DC/OS. Once your microservices-based apps are running, you’ll need to expose them to the outside world.
Run Everything-as-a-Service Everywhere
There is a trend taking place in systems architecture: an evolution from container orchestration to service orchestration. Learn what exactly this service orchestration thing is and how to deploy it on top of DC/OS.
Red Hat OpenShift Container Platform 3.10 is now available for download
In this release, OpenShift builds on prior work to strengthen its capabilities for running computationally-intensive workloads such as artificial intelligence or machine learning.
How to use GPUs with DevicePlugin in OpenShift 3.10
Device manager provides a way to advertise resources to a Kubelet without writing custom Kubernetes code. This blog post shows how to use this feature to access NVIDIA GPUs in OpenShift 3.10.