Hello from all of us here at Sysdig! Big focus on container and Kubernetes security this month with the detailed analysis of some recent CVEs and the integration of containerized workloads with CI/CD tooling.
So here it is again: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS Mesos, Openshift, etc.
We hope you enjoy this! Ping us at @sysdig or on our open source Sysdig Slack group to share anything you feel should be included in future newsletters; we look forward to your contributions! You can also find previous newsletter editions in the Container Newsletter archive.
SECURITY
Detecting exploits of CVE-2019-5736: runC container breakout
CVE-2019-5736, a major runC container breakout vulnerability, was announced earlier this month: a malicious container image or process can overwrite the host runc binary and gain root on the host. The fix is a patched runc (shipped with Docker 18.09.2); this post explains how the exploit works and how to detect attempts with Falco rules while you roll the patch out.
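As an added example (not the rule from the Sysdig post above), the following Falco rule flags the write pattern the exploit depends on. The attack reopens the host runc binary for writing through a /proc/self/fd/<n> entry from inside the container, so any container process opening a path below /proc for writing is a strong signal. The rule name, the exclusion list and the output fields are this example's own choices; the `container` and `open_write` macros are assumed to come from Falco's default ruleset.

```yaml
# Added example, not from the original post. Assumes the default Falco macros
# "container" (container.id != host) and "open_write" (open/openat with a
# write flag on a regular-file fd).
- rule: Container writes below /proc (CVE-2019-5736 heuristic)
  desc: >
    A process inside a container opened a file under /proc for writing.
    The runc breakout overwrites the host runc binary via /proc/self/fd/<n>,
    so legitimate hits are rare (mostly sysctl-style writes to /proc/sys).
  condition: >
    container and open_write and fd.name startswith /proc/
    and not proc.name in (sysctl)
  output: >
    Write below /proc from a container
    (user=%user.name command=%proc.cmdline file=%fd.name
     container_id=%container.id image=%container.image.repository)
  priority: CRITICAL
  tags: [container, cve-2019-5736]
```

The `proc.name in (sysctl)` exclusion is a tuning knob, not part of the detection: extend it for workloads that legitimately tune kernel parameters through /proc/sys, and treat any hit on /proc/self/fd or /proc/self/exe as a confirmed attempt. Detection is a stopgap; the only real fix is upgrading runc on every node.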
CVE-2018-18264 privilege escalation through Kubernetes dashboard
A recently disclosed vulnerability in the Kubernetes dashboard lets unauthenticated users read secrets through the dashboard's own service account. Learn how to use the recently added Kubernetes audit stream support in Falco to spot it.
9 Kubernetes security best practices everyone must follow
Getting a little frightened reading about the last batch of Kubernetes vulnerabilities? Do something about it. Here are 9 fundamental practices to protect your cluster.
Managing secrets in Kubernetes
Kubernetes provides a built-in mechanism for storing configuration values that you would prefer to keep private. By default these secrets are only base64-encoded, not encrypted, when written to etcd, so anyone with access to etcd or its backups can read them. This post explores several options, such as encryption at rest and external vaults, to safeguard your secrets better.
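As an added example (not code from the post above), here is the API server configuration that turns on encryption of Secret objects at rest in etcd. The file path and key name are assumptions; the resource kind and provider names are the ones Kubernetes 1.13+ accepts.

```yaml
# Added example, not from the original post.
# Pass this file to kube-apiserver with
#   --encryption-provider-config=/etc/kubernetes/encryption.yaml   (path assumed)
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider encrypts new writes; every listed provider can decrypt.
      - aescbc:
          keys:
            - name: key1
              # 32 random bytes, base64-encoded, e.g. from:
              #   head -c 32 /dev/urandom | base64
              secret: <base64-encoded 32-byte key>
      # identity is a no-op. It must stay LAST so the API server can still read
      # Secrets written before encryption was enabled; putting it first would
      # leave everything in plaintext.
      - identity: {}
```

After restarting the API server, rewrite existing Secrets so they are stored encrypted: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Note what this does and does not protect: the key sits on the control-plane node, so it defends etcd snapshots and direct etcd access, not a compromised API server or node. For keys held outside the node, use the `kms` provider in place of `aescbc`.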
Kubernetes authorization via Open Policy Agent
Every request to the Kubernetes API is first authenticated and then authorized, usually via RBAC, but the authorization step is pluggable. This blog post explains how to implement more expressive authorization policies with the Open Policy Agent project.
Researchers reveal Play-with-Docker security vulnerability
Security firm CyberArk reported on Jan. 14 that it discovered a security risk on the popular Play-with-Docker site that could have potentially enabled an attacker to get access to the host system’s resources.
SYSDIG
Integrating Sysdig Secure with Atlassian Bamboo CI/CD
Learn step-by-step how to perform Docker image scanning on Atlassian’s Bamboo CI/CD platform using Sysdig Secure.
Are you in love with Prometheus? We are too! Check out the session Sysdig and Prometheus for Enterprises (http://info.sysdig.com/G0Z0Tz000s4IQ0hR0000QEN).
You can see other upcoming Sysdig sessions here.
KUBERNETES
Kubernetes events explained
Kubernetes events are an invaluable, and often underused, resource when debugging issues in your Kubernetes cluster. You can use them for troubleshooting, but also to audit runtime security.
Creating your own admission controller in Kubernetes
This blog post walks through creating a simple validating admission controller that lets you inspect and reject pod creation requests. Thoroughly documented, with code examples available.
APIServer dry-run and kubectl diff
As we previewed in our What's new in Kubernetes 1.13 post, one of the most interesting new features is the ability to review the changes an apply would make (kubectl apply --server-dry-run and kubectl diff) before anything is persisted to storage.
Why is storage on Kubernetes so hard?
A recurring topic for people and organizations transitioning to Kubernetes: persistent storage cannot simply follow the rules of dynamic creation and destruction. Not as easily as stateless pods do, at least.
How to create a Kubernetes custom controller
Use client-go to develop your own custom business logic by watching events from Kubernetes API objects. client-go is the official Go client library for the Kubernetes API and is what Kubernetes' own controllers use.
Container Storage Interface (CSI) promoted to GA
Prior to CSI, Kubernetes volume plugins were “in-tree”, part of the Kubernetes code. With the adoption of the Container Storage Interface, the Kubernetes volume layer becomes truly extensible.
Developing microservices with Kubernetes and Telepresence
Telepresence is an open source tool that lets you run a single service locally, while connecting that service to a remote Kubernetes cluster. Sounds promising! Let’s try it.
Distributed load testing with Gatling and Kubernetes
Gatling is a powerful open source performance testing framework which, with only a few machines, lets you simulate hundreds of thousands of requests per second against your web application.
A crash course in running Istio
Istio is now a well-established part of the Kubernetes ecosystem. Still don't know much about it or how to deploy a service mesh? Don't worry, we have your back. Start by reading this Istio crash course by Namely.
DOCKER
Docker traffic control
The Docker traffic control tool lets you set a rate limit on a container's network interface and emulate network conditions such as delay, packet loss, duplication and corruption for Docker containers.
Globally scoped platform ARG’s in Docker using BuildKit
With Docker Engine 18.09 and its BuildKit backend, a set of platform ARGs (such as TARGETPLATFORM, TARGETOS and TARGETARCH) is available globally in a Dockerfile, alongside the regular ARG build-time variables you pass to the builder from the docker build command.
How to run lightweight Windows Containers on Windows 10
With the latest release of Docker Desktop on Windows 10 1809, you can now run Windows Containers in process isolation mode. These containers are usually faster to start and consume fewer resources than Hyper-V isolated ones.
Getting started with ASP.NET Core & Docker
ASP.NET Core is a redesign of ASP.NET 4.x with architectural changes that result in a leaner, more modular framework. You can follow this simple tutorial to create and deploy an ASP.NET Core MVC website into a Docker container.
OPENSHIFT & MESOS
What’s the difference between OpenShift and Kubernetes?
This question gets asked often and the answer is not always that clear. Get the facts from a seasoned OpenShift expert and learn the differences between Kubernetes, OpenShift and OKD.
Controlling namespace configurations
Learn how to create a controller that lets the cluster administrator enforce namespace configurations (such as ResourceQuotas or NetworkPolicies) that persist and cannot be modified by the team operating the pods in that namespace.
Cloudflare Argo Tunnels have arrived on DC/OS
Using Cloudflare Argo Tunnels you can easily plug in all your services to the Cloudflare network. Cloudflare Argo Tunnel is now available in the Mesosphere DC/OS Catalog, making it even easier to use the two in combination.
How CI/CD Works
CI: Developers Feel The Need For Speed. CD: Operators Feel The Need For Automation And Consistency. Here’s a quick crash course on continuous integration and continuous deployment by Mesosphere.