Newsletter

December 2018 Container Newsletter.

Hello from all of us here at Sysdig! We have been at AWS:Reinvent Vegas, DockerCon Barcelona and KubeCon Seattle, so this month’s newsletter practically writes itself, lots of fresh news and announcements.

So here it is again: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS Mesos, Openshift, etc.

We hope you enjoy this! Ping us at @sysdig or on our open source Sysdig Slack group to share anything you feel should be included in future newsletters, we are looking forward your contributions! You can also find previous newsletter editions in the Container Newsletter archive.


Stay up to date

Sign up for our newsletter to receive updates.


SECURITY

Kubernetes critical privilege escalation vulnerability

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses allows for specially crafted requests to bypass the privilege restrictions. Read the CVE-2018-1002105 details.

Critical #Kubernetes privilege escalation vulnerability, make sure you read this, check your clusters and update the affected versions.

Sysdig Secure 2.2: Kubernetes auditing, compliance and access control

Sysdig Secure 2.2 is the first security provider to tap the Kubernetes Audit Policy. And many other other security-by-default features like native integration with Kubernetes admission controllers.

Inject secrets directly into pods from Vault

Kubernetes services are stored in etcd by default, avoid placing a unencrypted secret in an intermediary location injecting the secrets directly from Vault.

How service automation helps Kubernetes

Lear how service automation allowed Mesosphere to ship an update of Kubernetes within 24 hours of the upstream patch release for CVE-2018-1002105.

Methods to audit Docker container security

Many open source tools such as Docker Bench, Clair, Cilium, Dagda and others exist to cover your back. One in particular—Anchore—boasts an impressive feature set and has a readily available integration with Falco.

Container security with Falco and Splunk Phantom

Responses to container security incidents can be automated in what is called security playbooks to improve scalability and avoid "alert fatigue". Falco and Splunk Phantom can be nicely integrated together to carry out this task.

SYSDIG

IBM Cloud monitoring with Sysdig

IBM and Sysdig have launched a fully managed enterprise-grade monitoring service for cloud-native applications on IBM Cloud. Sysdig monitoring is automatically provisioned and deployed while billing is unified within your IBM Cloud account.

Unveiling Sysdig Monitor Events

Ay Sysdig, we want to assist our users to quickly identify and categorize events. As part of this usability effort, we have released a new streamlined event feed that should help you triage your events more effectively.

How to identify malicious IP activity using Falco

In this post we will show how to leverage the Falco engine to identify malicious IP activity flagged by the reference security blacklists and stream these events to the Falco engine.

Dynamic DNS & Falco: detecting unexpected network activity

This post will show you how to use dynamic DNS-based Falco rules to control inbound and outbound traffic from your Kubernetes pods at runtime.

Container security as code with Sysdig Secure and Terraform

Define your container security as code, pushing it into a git repository to manage versions and make it automatically enforced across your infrastructure: Sysdig Secure and Terraform integrated!

KubeCon 2018 in Seattle was the premier Kubernetes event of the year! Watch key sessions and read more about our Sysdig KubeCon Highlights.

You can see other upcoming Sysdig sessions here.

KUBERNETES

What's new in Kubernetes 1.13!

From dynamic audit configuration (supported in Sysdig Secure 2.2) to kubectl diff, kubeadm promotion to stable and much more. So, what's new in Kubernetes 1.13?

RedHat contributes etcd to the CNCF

Red Hat recently announced the contribution of etcd, an open source project that is a key component of Kubernetes, and its acceptance into the Cloud Native Computing Foundation (CNCF).

DigitalOcean announces a Kubernetes managed service

DigitalOcean Kubernetes is available using the latest version of Kubernetes, v1.12.3, and integrates with existing DigitalOcean products, including Block Storage and Load Balancers.

Istio option available out of the box for GKE

Istio on GKE lets you easily manage the installation and upgrade of Istio as part of the GKE cluster lifecycle, automatically upgrading your system to the most recent GKE-supported version of Istio.

Kubernetes federation evolution

How to automatically deploy distributed apps to multiple Kubernetes clusters? So far, the answer to this question has not been so simple. The Kubernetes federation API is an evolving standard aiming to address this use case.

Introducing Traefik Enterprise Edition

Containous, the company behind Traefik, is announcing Traefik Enterprise Edition. Split into a control plane and a data plane, Traefik cluster nodes are easily deployed and operated using the TraefikEE CLI.

Enterprise Kubernetes: 5 Insights from KubeCon 2018

This post nicely summarizes the enterprise Kubernetes trends as experienced during KubeCon 2018: use cases, enterprise user profiles, hosting platforms, and adoption phase.

Benchmark: Kubernetes stateful workloads

The eternal question: Is Kubernetes up to speed for stateful I/O intensive workloads (aka databases)? Wonder no more, ROBIN has performed a detailed study comparing Kubernetes to bare-metal performance.

KubeCon 2018: The return of SQL

Several factors are driving the adoption of SQL in modern distributed databases. This has signaled the return of "traditional" SQL to distributed and containerized workloads in Kubernetes.

DOCKER

Introducing Docker Enterprise 2.1

The new Docker Enterprise version adds support for several Windows Server versions, features smaller image sizes, support for enhanced networking mesh capabilities and more.

Monitoring Java in Docker: Overcoming past limitations

Before the release of Java 9 and 10, there were several limitations to deploying and monitoring Java in Docker. That's no longer the case, and we can demonstrate it with live examples in this blog post.

Docker App and CNAB

CNAB is an open source, cloud-agnostic specification for packaging and running distributed applications. CNAB unifies the management of multi-service, distributed applications and Docker App is the first tool to implement this spec.

Trigger Docker builds with an AWS IoT button

One for the geeky home-lab hacker in all of us. The premise of this project is simple. Press the AWS IoT button with a result of building a Docker image automatically. Useful? maybe… Cool? definitely.

OPENSHIFT & MESOS

Getting started with KubeVirt containers and virtual machines together

Sometimes a virtual machine is needed by applications, or application components, to provide features such as kernel isolation. How do you get the benefits of a virtual machine and container together? One answer: KubeVirt.

Using the Redis Enterprise Operator on OpenShift

Operators are becoming a standard way of deploying complex stateful applications in Kubernetes. Redis Labs adopted the Operator Framework to enable their users to more efficiently deploy their Redis Enterprise clusters.

Maestro - A declarative, no-code approach to Kubernetes operations

Maestro project provides a declarative approach to building production-grade Kubernetes Operators covering the entire application lifecycle. Maestro includes a Universal Operator implementation that is based on a state machine, saving authors from reinventing the wheel.

The quick and easy way to orchestrate and manage Kubernetes

Managing multiple Kubernetes clusters requires a big time and resource investment. Check out Mesosphere latest infographic to learn more about Kubernetes, and tips to effectively orchestrate and manage for scale.