Newsletter

May 2018 Container Newsletter.

Hello from all of us here at Sysdig! We just came back from KubeCon EU 2018 and… it’s been a blast! Touching base with the CNCF and Sysdig community, the Falco workshop, awesome talks and announcements. But, of course, we haven’t forgotten about you!

So here it is again: a monthly newsletter sharing the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS, Mesos, OpenShift, etc.

We hope you enjoy this! Ping us at @sysdig or on our open source Sysdig Slack group to share anything you feel should be included in future newsletters; we are looking forward to your contributions! You can also find previous editions in the Container Newsletter archive.

SECURITY

Kubernetes security for Google Cloud Security Command Center

Sysdig Secure and Google Cloud Security Command Center can now work together. Using Sysdig Secure, security events from GCP or GKE are enriched with container and Kubernetes metadata before being sent to Google CSCC, giving you a single view of security events across your entire infrastructure and applications.

Container security: running a tight ship with Kubernetes Engine 1.10

Fifth post in a series on container security at Google. This installment explores several cutting-edge security features available in the latest Kubernetes Engine release, and also revisits classic ones like RBAC role design.

A hacker’s guide to Kubernetes security

A brief guide to good practices and the common Kubernetes attack vectors you should mitigate, so that your cluster is not the "low hanging fruit" that automated scanners and malware bots are looking for.

OpenShift and network security zones: coexistence approaches

Classical network segmentation and pod overlay networks are conflicting concepts, at least out of the box. This post offers several OpenShift deployment options to achieve partial compatibility and coexistence between the two.

Kubernetes runtime security: what happens if a container goes bad?

Runtime security is about detecting and limiting the damage when part of your deployment is compromised. Do not miss this talk by the Google Cloud security team, especially their Falco-powered demo :).

SYSDIG

Suresh Vasudevan, joining the Sysdig family

After leading Nimble Storage from its earliest days through an IPO, Suresh has been named president and chief executive officer (CEO) of Sysdig. Sysdig founder Loris Degioanni will continue to guide the company vision as CTO. Welcome on board!

Active Kubernetes security with Sysdig Falco, NATS, and Kubeless

Create an open source, real-time reporting solution for Kubernetes security. Sysdig Falco will detect abnormal behavior, send the events to a NATS processing queue where a Kubeless function will retrieve them and take mitigation actions.

Falco 0.10.0 released

We are happy to announce the release of Sysdig Falco 0.10.0. Improvements include new behaviour rules, a better file structure for loading user-defined rules, and log rotation support.

Kubernetes security guide, chapter 3. Securing Kubernetes components

The third installment of the Kubernetes Security Guide focuses on the main moving parts of the Kubernetes software itself, such as the kubelet, the etcd cluster and your private Docker registry.

Kubernetes security logging with Falco & Fluentd

Kubernetes security logging primarily focuses on orchestrator events. You can build a neat security event log by collecting, processing and displaying the output of Sysdig Falco using Fluentd and Elasticsearch.
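The two Falco items above (the Falco, NATS and Kubeless pipeline, and the Falco, Fluentd and Elasticsearch logging setup) share the same core: parse Falco's JSON output, turn each event into a structured record, and decide what to do about it. The following is an added example written for this newsletter, not code from Falco, Kubeless or Fluentd. It mimics the shape of Falco's `json_output` lines (one object per line with `output`, `priority`, `rule`, `time` and `output_fields`), but the sample events, pod names and container IDs are constructed. The NATS transport and the actual kubectl call are left out; the block shows only the decision logic a responder function would run, including the two failure modes a practitioner hits first: malformed lines, and events that carry no Kubernetes metadata and therefore cannot be mitigated by deleting a pod.

```python
import json
from typing import Dict, List, Optional, Tuple

# Falco priorities, most to least severe (this is Falco's own ordering).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# Constructed sample input in the shape Falco writes with json_output: true.
# Rule names are Falco defaults; pods, IDs, times and commands are made up.
_POD = {"k8s.ns.name": "payments", "k8s.pod.name": "api-7d4f9-x2k1m",
        "container.id": "a1b2c3d4e5f6"}
SAMPLE_FALCO_LINES = [
    json.dumps({"output": "12:00:01.000: Notice Terminal shell in container",
                "priority": "Notice", "rule": "Terminal shell in container",
                "time": "2018-05-10T12:00:01.000000000Z",
                "output_fields": dict(_POD, **{"proc.cmdline": "bash", "user.name": "root"})}),
    json.dumps({"output": "12:00:07.000: Error Write below binary dir",
                "priority": "Error", "rule": "Write below binary dir",
                "time": "2018-05-10T12:00:07.000000000Z",
                "output_fields": dict(_POD, **{"proc.cmdline": "cp /tmp/x /bin/ls",
                                               "fd.name": "/bin/ls"})}),
    json.dumps({"output": "12:00:08.000: Error Write below binary dir",
                "priority": "Error", "rule": "Write below binary dir",
                "time": "2018-05-10T12:00:08.000000000Z",
                "output_fields": dict(_POD, **{"proc.cmdline": "cp /tmp/y /bin/ps",
                                               "fd.name": "/bin/ps"})}),
    # A host-level event: no Kubernetes fields were resolved for it.
    json.dumps({"output": "12:01:00.000: Warning Read sensitive file untrusted",
                "priority": "Warning", "rule": "Read sensitive file untrusted",
                "time": "2018-05-10T12:01:00.000000000Z",
                "output_fields": {"proc.cmdline": "cat /etc/shadow", "fd.name": "/etc/shadow"}}),
    "this line is not JSON and must not crash the pipeline",
]


def parse_falco_line(line: str) -> Optional[dict]:
    """Parse one Falco JSON output line; return None for anything malformed."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    if not isinstance(event, dict):
        return None
    if not all(k in event for k in ("rule", "priority", "output")):
        return None
    if event["priority"] not in PRIORITIES:
        return None
    fields = event.get("output_fields")  # optional in older Falco releases
    event["output_fields"] = fields if isinstance(fields, dict) else {}
    return event


def at_least(priority: str, threshold: str) -> bool:
    """True when `priority` is as severe as, or more severe than, `threshold`."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(threshold)


def to_log_record(event: dict) -> dict:
    """Flatten one event into the record a Fluentd -> Elasticsearch pipeline indexes."""
    f = event["output_fields"]
    return {
        "@timestamp": event.get("time"),
        "falco.rule": event["rule"],
        "falco.priority": event["priority"],
        "falco.output": event["output"],
        "kubernetes.namespace": f.get("k8s.ns.name"),
        "kubernetes.pod": f.get("k8s.pod.name"),
        "container.id": f.get("container.id"),
        "proc.cmdline": f.get("proc.cmdline"),
    }


def decide_action(event: dict, kill_threshold: str = "Error") -> Tuple[str, Dict[str, str]]:
    """Choose the mitigation for one event: delete the pod when the event is severe
    enough AND Falco resolved the pod; otherwise only notify. Deleting is the
    hypothetical responder action here; the kubectl/API call is left to the caller."""
    f = event["output_fields"]
    ns, pod = f.get("k8s.ns.name"), f.get("k8s.pod.name")
    if at_least(event["priority"], kill_threshold) and ns and pod:
        return "delete_pod", {"namespace": ns, "pod": pod, "rule": event["rule"]}
    return "notify", {"rule": event["rule"], "priority": event["priority"]}


def process(lines: List[str], kill_threshold: str = "Error"):
    """Run the pipeline over raw lines. Returns (log_records, actions, dropped).
    A pod is deleted at most once even if several rules fire for it."""
    records, actions, dropped = [], [], 0
    already_deleted = set()
    for line in lines:
        event = parse_falco_line(line)
        if event is None:
            dropped += 1  # log it somewhere, but never stop processing
            continue
        records.append(to_log_record(event))
        action, details = decide_action(event, kill_threshold)
        if action == "delete_pod":
            key = (details["namespace"], details["pod"])
            if key in already_deleted:
                continue
            already_deleted.add(key)
        actions.append((action, details))
    return records, actions, dropped


if __name__ == "__main__":
    recs, acts, bad = process(SAMPLE_FALCO_LINES)
    print(f"{len(recs)} records, {bad} dropped")
    for action, details in acts:
        print(action, details)
```

Two design points worth keeping when you wire this to a real queue and a real `kubectl delete pod`: the threshold for destructive actions is a parameter, so a rule tuned too aggressively only costs you notifications until you deliberately lower it, and the deduplication set prevents a burst of events from the same compromised container from turning into a burst of API calls.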

EAGER TO LEARN HOW DIFFERENT SECURITY TOOLS COMPARE? CHECK OUT OUR ONLINE DEMO "20 DOCKER SECURITY TOOLS COMPARED".

YOU CAN SEE OTHER UPCOMING SYSDIG SESSIONS HERE.

KUBERNETES

Kaniko: Build container images directly inside Kubernetes

Building images from a standard Dockerfile typically relies on access to a Docker daemon. Kaniko can build and push images while running as an ordinary pod itself, without a Docker daemon and without a privileged container.

Jenkins X: a CI/CD solution for Kubernetes

We all know and love Jenkins and what it meant for CI/CD automation. Jenkins X builds on top of Jenkins but has a different focus: automating CI/CD for the cloud using Kubernetes, Helm, Git, etc.

Gitkube: build and deploy Docker images to Kubernetes using git push

Want to deploy your Kubernetes workloads by simply running git push against a special remote repository? Gitkube is the refreshingly simple integration tool you are looking for.

Introducing Kubeflow 0.1

Kubeflow 0.1 provides a minimal set of packages to begin developing, training and deploying machine learning workflows. In just a few commands you can get TensorFlow, Argo, SeldonCore and friends.

Deploying multiple Traefik Ingresses with LetsEncrypt

Comprehensive article with plenty of diagrams and detail on how to configure automatic HTTPS endpoints for your Kubernetes services using Traefik and LetsEncrypt, as close to production-ready as possible.

Virtlet: run VMs as Kubernetes pods

Virtlet makes it possible to run VMs on Kubernetes clusters as if they were plain pods, enabling you to use standard kubectl commands to manage them.

5 things I wish I’d known about Kubernetes before I started

If you are just starting to use Kubernetes, take the opportunity to learn from others' mistakes. Here is some valuable getting-started advice from a GitLab engineer.

Microservicing with Envoy, Istio and Kubernetes

From a technology perspective, building microservices means building distributed systems. And distributed systems are hard. Istio and Envoy will help you abstract away network complexities from the code running inside the pods.

Learn Kubernetes in under 3 hours

Intensive training at its finest. Have you been missing out on Kubernetes? Grab a double espresso and get your hands dirty with this impressive tutorial.

DOCKER

gVisor, a sandboxed container runtime

gVisor is a new kind of sandbox aiming for a level of isolation closer to virtual machines than to traditional Linux containers, by running each container against its own user-space kernel and virtualized devices instead of exposing the host kernel directly.

Announcing Docker Enterprise Edition 2.0

Docker EE 2.0 brings several exciting improvements to the table: Enhanced Layer 7 routing for Swarms, better Kubernetes integration, secure image supply chain and simplified cluster management tasks, among others.

Arguments and variables in Docker

How do I get my variables into the build process? How do I get my secrets to the running application in my container? This article will illustrate the different parameterization methods currently available to you.

Docker support in Java 10

Java on Docker should no longer suck! Starting with this bold statement, this article details the huge integration efforts to make Java a first class citizen of the microservice-oriented world.

Docker vs CoreOS Rkt

Rocket (or rkt) claims to be the first credible challenger to Docker's dominance in the container space. Want to know how the two compare as a product, as a codebase and as a community?

Nginx reverse proxy ‘unavailable upstreams’ in Docker

Are you familiar with the "unavailable upstream" error in Nginx? The ephemeral nature of containers makes this problem more prevalent. This post offers valuable debugging and configuration advice. With Sysdig Inspect you can also take a syscall capture and troubleshoot this and other Nginx errors, as well as CrashLoopBackOff situations, at the system call level.

OTHER ORCHESTRATORS

DC/OS and Confluent

Using the Confluent platform you can deliver Kafka as a service (KaaS?) as a standalone DC/OS service, alongside Kubernetes on DC/OS or using the new Confluent Operator.

DC/OS runs Java EE apps without Docker

Solving Java EE nightmares! You can run traditional Java EE applications without packaging them in a Docker container. This is the latest entry in a series of posts on leveraging DC/OS features to modernize Java deployments.

Introducing Nginx and Nginx plus routers for OpenShift

OpenShift routes, served by a "router" component, are very similar in concept to Kubernetes Ingress, but slightly more mature and feature-rich. The Nginx router is included in the soon-to-be-released OpenShift 3.10.

Unified container monitoring and security on OpenShift with Sysdig

As we mentioned in the last newsletter issue, the Sysdig Container Intelligence Platform is now offered as a Red Hat Certified Image! Here you can learn more about DevSecOps and the rationale behind this technology integration.