Newsletter

May 2019 Container Newsletter.

Hello from all of us here at Sysdig! We are looking forward to meet you all at KubeCon Barcelona next week, waiting for you at booth P7 do not forget to pay us a visit!

So here is some reading to wet your appetite: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS Mesos, Openshift, etc.

We hope you enjoy this! Ping us at @sysdig or on our open source Sysdig Slack group to share anything you feel should be included in future newsletters, we are looking forward to your contributions! You can also find previous newsletter editions in the Container Newsletter archive.


Stay up to date

Sign up for our newsletter to receive updates.



SECURITY

Effective secrets with Vault and Kubernetes

In this walk-through article you will learn how to authenticate, renew tokens and synchronize secrets making use of Golang helper tools to integrate Hashicorp’s Vault and Kubernetes.

MITRE ATT&CK framework for container runtime security with Falco

MITRE ATT&CK is a knowledge base of over 200 modern attack techniques. Sysdig Falco provides a set of MITRE ATT&CK detection rules focused on containerized environments.

Kubernetes identity management: Authentication

K8s is different from most other systems and applications in terms of user management and authentication. Deep dive on the k8s security and authentication model by example.

Testing Anchore with Ansible, k3s and Vagrant

Do you need a quick and offline way for testing your Anchore security deployment and custom policies directly from your laptop in no time? Get up and running in a few lines of code.

Detecting and preventing cgroups escape via SCTP

Learn how to detect and prevent CVE-2019-3874, a flaw in the Linux kernel where an attacker can circumvent cgroup memory isolation using the SCTP socket buffer.

Kubernetes auditing

An audit trail is an effective input to help fine-tune permissions or detect suspicious activity using a security rule engine. Kubernetes Audit policies define the level of data that you want to log.

SYSDIG

Announcing the Sysdig Cloud-Native Visibility + Security Platform 2.0

We are thrilled to announce version 2.0 of the Sysdig Cloud-Native Visibility + Security Platform. It provides a more powerful and significantly simpler way for enterprises to see the health, risk, and performance of their cloud-native environments in a single unified view.

Falco 0.15.0 released

This release incorporates a fix for the Falco CVE-2019-8339 capacity related vulnerability, CRI-O and containerd support, MITRE ATT&CK framework rules and performance improvements.

GKE security using Falco, Pub/Sub and Cloud Functions

Build a complete Falco and GKE security stack for anomaly and threat detection integrating Falco runtime security rules with Google Cloud Functions and Pub/Sub.

NIST SP 800-190 application container security with Sysdig Secure

NIST SP 800-190 documents security concerns associated with container technologies, image details and runtime security. Sysdig Secure provides container compliance and allows your images to adhere to the NIST SP 800-190 controls.

Tracing in Kubernetes: kubectl capture plugin

We have released a plugin which allows you to take captures using Sysdig in your Kubernetes cluster with just one simple command without even requiring a pre-existing Sysdig deployment.

Join our next webcast on 6/20: Celebrating Three Years of Falco-based Container Protection.

You can see other upcoming Sysdig sessions here.


KUBERNETES AND OPENSHIFT

What’s new in Kubernetes 1.14?

Kubernetes 1.14 is an outstanding release, bringing a ton of useful features to stable shape. Windows Server containers, kubeadm maturity, the Kustomize engine and much more!

Introducing kube-iptables-tailer

If a network policy is missing or declared incorrectly, the iptables rules will cause network packet drops between the affected Pods. kube-iptables-tailer is here to help you troubleshoot Kubernetes networks.

Kubernetes deployment strategies

Everything you ever wanted to know about the different deployment strategies in Kubernetes and when to use each: rolling deployment, recreation, blue/green deployments and canary.

Pod priority and preemption in Kubernetes

Pod priority and preemption is a scheduler feature made GA in Kubernetes 1.14 that allows you to achieve high levels of scheduling confidence for your critical workloads.

Boosting your kubectl productivity

If you work with Kubernetes, then kubectl is probably one of your most-used tools. Learning every little trick that streamlines and automates your workflow is a worthy investment.

Installing OpenShift 4 from start to finish

OpenShift 4 is almost ready for prime time! And one of its greatest upcoming features is the new installer which allows you to get up and running with a full OpenShift 4 cluster in just a few minutes.

Requesting and installing Let’s Encrypt certificates for OpenShift 4

Openshift4 install process will create self-signed certificates by default. Automate certificate issue for your external endpoints integrating Let’s Encrypt with your cluster router.

How to get Istio up and running

(And the crazy stuff you can get done once it is). A step by step concise demonstration on how to make your Kubernetes cluster enter the service mesh era, code examples included.

Popeye, a Kubernetes cluster sanitizer

Popeye is a utility that cruises Kubernetes cluster resources and reports potential issues with your configurations. These sanitizers is to pick up on misconfigurations like ports mismatch, dead or unused resources, etc.


CLOUD PROVIDERS

Google Anthos: A platform for managing multi-cloud applications

Anthos aims to facilitate the deploy of software workloads running on multiple clouds like GCE, AWS and Azure and on-prem hybrid platforms, alleviating cloud-vendor lock and added complexity.

Azure Container Registry now supports Singularity containers

Azure and Sylabs recently announced a new collaboration which enables Singularity container images to be stored in registries supporting the Open Container Initiative (OCI) Distribution Specification.

How to deploy to DigitalOcean Kubernetes with GitHub actions

You can build a simple continuous delivery pipeline that deploys an application to a DigitalOcean Kubernetes cluster just composing several Github Actions into a workflow.

Visibility and security for Google Cloud’s Anthos

Sysdig now provides support for Google Cloud’s Anthos, bringing the advantages of the Sysdig Cloud-Native Visibility and Security Platform across on-prem data centers and the cloud.

Google Kubernetes Engine cluster migration with Heptio Velero

With GKE “Clone Cluster” feature and Heptio Velero, you can successfully migrate your cluster without major complications or downtimes, including cluster configuration and resources.