Hello from all of us here at Sysdig! August was another exciting month at Sysdig HQ, marking the release of Sysdig Secure 2.4 — a version rife with new features.
Ping us at @sysdig or on our open source Sysdig Slack group to share your feedback or to suggest topics we should include in future issues! You can find previous issues browsing the archive.
Sign up for our monthly Cloud-native News.
SECURITY
Container security: A look at rootless containers
No root, no exposures. Treat your host machines by further isolating your pods. Rootless docker remaps your root user, no need to change your images.
K8S releases updates to address CVE-2019-11247, CVE-2019-11249
CVE-2019-11247 gives users access to more resources than they should, and CVE-2019-11249 allows kubectl cp to write outside destination. Upgrade Kubernetes now!
Tools and methods for auditing Kubernetes RBAC policies
You did it! You have an awesome set of RBAC policies and your cluster is secure. Just in case, check everything works as expected with this set of tools and methods.
Integrating Gitlab CI/CD with Sysdig Secure.
Are your developers creating vulnerable images? GitLab CI/CD and Sysdig Secure image scanner can work together to prevent compromised images from reaching your deployments.
Kubernetes network policies 101
Network Policies are a great and simple tool to restrict pod’s network traffic. Learn the basics of Network Policies with these comprehensive examples and step by step explanations.
Open sourcing the Kubernetes security audit
Last year, the Cloud Native Computing Foundation started auditing their projects. Now you can read about the process and their findings.
Secure control of egress traffic in Istio, part 2
Attacks exploiting egress traffic are quite common. You can use Istio and mTLS to both control and secure egress traffic.
SYSDIG
Sysdig Secure 2.4 introduces runtime profiling for anomaly detection + new policy editor for enhanced security.
We are excited to announce the launch of Sysdig Secure 2.4. This release ships with some notable features like runtime profiling, Falco rule builder and Sysdig Secure vulnerability reporting.
Introducing the sew Sysdig Secure policy editor
One of the key features of Sysdig Secure 2.4 is the Sysdig Secure policy editor. This new and improved editor brings a better UX, tighter falco integration and extended rule builders.
Do not miss our online session: style=”text-decoration: underline;” href=”https://www.brighttalk.com/webcast/16287/366582?utm_source=container-newsletter-aug&utm_medium=email” target=”_blank” rel=”noopener noreferrer”>“The 5 must-do’s when implementing Cloud-Native security in Red Hat OpenShift →”.
Customer video: style=”text-decoration: underline;” href=”http://dig.sysdig.com/c/atpco-customer-video” target=”_blank” rel=”noopener noreferrer”>“ATPCO on deploying Red Hat OpenShift + Sysdig visibility and security platform →”.
If you prefer to watch our technical walkthroughs and product discussions at your own pace, check out Sysdig tech talks and webinars.
KUBERNETES+OPENSHIFT
Kubernetes pod autoscaler using custom metrics
Using the Kubernetes pod autoscaler and third party metrics you can dynamically scale your service in a way that is reliable, predictable and easy to configure.
Why Kubernetes will disappear
It’s the end of the cloud? Are we moving to the stars? Far from it, but let’s do an imagination exercise to see what will be the future of Kubernetes.
Running Apache Kafka over Istio – benchmark
What is the I/O toll for data-intensive apps like Kafka? Here’s a thorough benchmark with a methodical approach that is laid out alongside the raw numbers.
Writing a Kubernetes operator in Python without frameworks and SDK
The Go language has a ‘de facto’ monopoly when it comes to writing Kubernetes extensions. Can you write a Kubernetes operator using Python? Of course you can.
Kubernetes: What is “reconciliation”? [slides]
I’m sure you have heard about the “reconciliation loops” running inside the different Kubernetes controllers. Tim Hocking lays out this fundamental concept in a very approachable way.
OpenShift 4.1 bare metal install quickstart
OpenShift 4 introduces a new way of installing the platform that is automated, reliable and repeatable. Learn how to adapt the new installer to your own bare-metal infrastructure.
Garden, an application orchestrator for Kubernetes and cloud
Garden automates the repetitive parts of your workflow to make developing for Kubernetes and cloud faster and easier. Say goodbye to complicated and unstructured deployment scripts.
Build cloud-native apps faster for Kubernetes with Kabanero
Kabanero brings together Knative, Istio, and Tekton, with new open projects like Codewind, Appsody, and Razee into an opinionated end-to-end solution for your Kubernetes apps.
Increasing resilience in Kubernetes
What do you do when your cluster starts to become unstable and it looks like your ship is starting to sink? A real-life debugging session chasing an elusive resource exhaustion issue.
CLOUD PROVIDERS
Portable Kubernetes Applications with the IBM Cloud Operator
Sometimes you are forced to mix microservices with managed cloud services, IBM’s Cloud Operator lets you declare those managed services as resources in your Kubernetes cluster.
Happy birthday Knative!
Knative is one year old and Google is celebrating by taking us down memory lane to show how much they’ve accomplished in portable serverless computing. Happy birthday Knative!
rbIAM – AWS IAM & Kubernetes RBAC exploration tool
If your K8s cluster lives in AWS, rbIAM will help you explore your cluster and see how its translated to AWS resources, it’s main focus is helping you sync RBAC policies with IAM.
Running HA Kubernetes clusters on AWS using KubeOne
Fear of the blank page? The right tools can help you staring from scratch. Using Terraform and KubeOne you can bootstrap a new Kubernetes cluster on AWS in just a few steps.