June 2018 Container Newsletter.

Hello from all of us here at Sysdig! This month, you shouldn’t miss the 2018 update of our Docker usage report to find out how people are using Docker in real-world production environments ;-).

More exciting container news here: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS Mesos, Openshift, etc.

We hope you enjoy this! Ping us at @sysdig or on our open source Sysdig Slack group to share anything you feel should be included in future newsletters; we look forward to your contributions! You can also find previous newsletter editions in the Container Newsletter archive.


Implementing Docker/Kubernetes runtime security

A public repository containing Falco default runtime security rulesets for the most popular Kubernetes and Docker images. Help us build the Docker and Kubernetes runtime security library!

Kubernetes security bulletin – Git remote code execution

CVE-2018-11235 is a serious security issue recently discovered in Git. It may allow escalation of privileges in Kubernetes if unprivileged users are allowed to create Pods with gitRepo volumes.

Isolation at different layers of the Kubernetes stack

You have several abstraction layers when deploying Kubernetes: pod, namespace, node, cluster, etc. Where to implement security depends on what you are running and who is accessing the data.

Docker tip: creating read only containers

Creating a read-only container is actually pretty easy, yet it can drastically reduce the attack surface by blocking common vulnerability vectors.

Fact vs. fiction: 6 myths about container security

The container security area is still young and is thus battling technology myths and misconceptions. Are containers secure? Less secure than VMs?

Automated TLS with cert-manager and letsencrypt for Kubernetes

Would you like to deploy free TLS certs that are automatically created and renewed when a new service shows up? Cert-manager will do exactly that for your K8S cluster.


Sysdig Secure 2.0 – vulnerability management, compliance checks and security analytics

With the beta release of Sysdig Secure 2.0 we’ve extended the capabilities of our platform by adding vulnerability management, 200+ compliance checks, security analytics and native CI/CD and registry integrations.

IBM & Sysdig collaborate on end-to-end cloud-native intelligence for IBM Cloud

We’re thrilled to announce our collaboration with IBM to support the Sysdig Cloud-Native Intelligence Platform in IBM Cloud. Sysdig solutions on IBM Cloud will enable developer teams to easily develop, deploy, and secure cloud-native apps.

GKE security with Falco and Google Cloud Security Command Center

Last month we announced Sysdig’s partnership with Google to integrate Sysdig Secure with Google Cloud Security Command Center. Sysdig Falco, our open source project, can also send Kubernetes security events to Google Cloud Security Command Center.

Auditing container activity – a real example with wget and curl using Sysdig Secure

A step-by-step example to get started writing your first Falco rules to audit the activity occurring inside containers. Learn how to use scope and container metadata to pinpoint network anomalies.

JOIN THE UPCOMING DEMO SESSION “Best practices for Forensics and Incident Response in Containers”.



Amazon EKS is generally available

Amazon EKS delivers Kubernetes as a managed service on AWS, with the promise of freeing the operators from infrastructure health and downtime worries.

Skaffold: happy Kubernetes workflows

Skaffold is quickly becoming a popular project inside the Kubernetes community. Automatically build and deploy your Kubernetes apps as you change the source code.

Introducing Play with Kubernetes

You have probably heard about Play With Docker, an awesome web learning and sandbox platform. You guessed it right! Now you can learn Kubernetes directly from your browser.

Get Kubernetes logs with EFK stack in 5 minutes

Kubernetes does not provide any cloud-scale solution to store and process your logs out of the box. This post will show you how to deploy your own in 5 minutes using the EFK stack.

The state of debugging microservices on Kubernetes

Back when we were developing monoliths, we could simply start our IDE of choice and add a couple of breakpoints. But, how do you debug microservices running on Kubernetes?

Simulating hundreds of IoT devices with Kubernetes

You can use Kubernetes StatefulSets to simulate multiple devices – sensors, vehicles, etc. Each application container in this tutorial is simulating a unique device.

Exploring upgrade strategies for StatefulSets in Kubernetes

And still on the subject of StatefulSets: there are different strategies to perform a software update over these entities, and this post uses a Cassandra cluster to reproduce these scenarios.

Will Kubernetes collapse under the weight of its complexity?

With this thought-provoking title, this post reflects on KubeCon EU and the CNCF (huge) project landscape. Is this thing getting too complex already?

Hard multi-tenancy in Kubernetes

“Hard multi-tenancy” means that tenants do not trust each other and are assumed to be actively malicious and untrustworthy. In this model, the goal is to have the security boundary be the Kubernetes namespace object.


2018 Docker usage report

Here it is again: the 2018 Docker usage report from Sysdig. Check out the findings from our analysis of 90,000 Docker containers in production. Insight is always better than hindsight!

Docker EE 2.0 – top 12 questions

In this blog post, the Docker people will go over some of the most common questions about new features and how Docker Enterprise Edition is packaged and deployed.

Docker as a tool provider

Apart from cloud microservices, there’s another perfectly legitimate use case for Docker: building containers for tools. This is particularly useful in a Windows environment.

Advanced multi-stage build patterns

We have covered the basic features of multi-stage Docker builds before; this blog post shows some more advanced patterns that go beyond copying files between a build and a runtime stage.

7 ways to improve your test suite with Docker

Docker makes it faster and easier to spin up services using a variety of configurations. This translates into a number of advantages when running your tests in Docker.

Working with Docker in Visual Studio Code

Whether you are a seasoned Docker developer or just getting started, Visual Studio Code makes it easy to author Dockerfile and docker-compose.yml files in your workspace.


OpenShift router sharding

This post shows how to deploy isolated development and production versions of an application on a single cluster by redirecting requests to the appropriate environment.

BOLT on Openshift: automating a continuous testing pipeline

BOLT is an automation platform that combines test automation and build automation. Using BOLT together with Openshift helps you scale testing efforts easily and quickly.

Deploying Kubernetes-as-a-Service on DC/OS

DC/OS frameworks are much more than just package installers, and the ability to run Kubernetes-as-a-Service is a great example. You can automatically manage an underlying Kubernetes cluster, in much the same way as Kubernetes manages applications.

Improving Java EE Security with DC/OS

DC/OS provides platform-level features that alleviate many of the security concerns that have troubled Java EE administrators from the beginning, and minimize the burden of security management.