November 2018 Container Newsletter.

Hello from all of us here at Sysdig! Falco project is on a roll lately: joining the CNCF and now a new release; but wait, there is much more happening on the container ecosystem that we don’t want you to miss.

So here it is again: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS Mesos, Openshift, etc.

We hope you enjoy this! Ping us at @sysdig or on our open source Sysdig Slack group to share anything you feel should be included in future newsletters, we are looking forward your contributions! You can also find previous newsletter editions in the Container Newsletter archive.

Sign up for our monthly Cloud-native News.


29 Docker security tools compared

A revamped edition of our 20 Docker security tools blogpost, by popular demand. We will keep updating this list to incorporate the latest and more relevant container security software out there, TBC…

Detecting the jQuery file upload vulnerability

Just a few days ago, a serious vulnerability was disclosed in a widely used jQuery component. Using Falco, you can detect the jQuery File Upload intrusion creating a rule aimed at detecting this specific attack.

Running and connecting to HashiCorp Vault on Kubernetes

If you’re serious about security, you need a secrets management tool that provides a single source of secrets and credentials. Vault is a powerful security solution that is also tightly integrated with Kubernetes.

Open Policy Agent v0.10 release

Some of the highlights for this version are: compiling OPA policies to webassembly binaries, improved test support, rule optimization and trace output for test failures.

Kubernetes policy controller

kubernetes-policy-controller is a mutating and a validating webhook that gets called for matching Kubernetes API server requests by the admission controller. It builds on top of the OPA project that we just mentioned.

Methods to audit Docker container security

Docker auditing engines focus on discovering common vulnerabilities and exposures (CVE), often utilizing benchmarks set in databases such as the NVD. Learn how to do some basic container auditing by example using the Anchore engine.


Falco 0.13.0 Released: Kubernetes audit events

We recently released Falco 0.13.0, which is probably the most exciting release since Falco’s 0.1.0 release. With 0.13.0, we’re adding support for a new event source — Kubernetes Audit Events.

Securing Amazon EKS using Lambda and Falco

Intrusion and abnormality detection are important tools for stronger run-time security. In this post we show how to use Sysdig Falco coupled with the Lambda service to secure Amazon EKS.

How to instrument Go code with custom expvar metrics

Golang expvar is the standard interface designed to instrument and expose custom metrics from a Go program via HTTP. Learn how to collect and tag all these expvar metrics with the Sysdig agent.

A Java troubleshooting guide

Network bottlenecks, memory leaks and thread locking tied to race conditions, three common Java debugging scenarios that you can troubleshoot using open source tools.

The architecture of the Sysdig container intelligence platform – style=”text-decoration: underline;” href=”” target=”_blank” rel=”noopener noreferrer”>whitepaper.
You can see other upcoming Sysdig sessions here.


gRPC load balancing on Kubernetes without tears

Many new gRPC users are surprised to find that Kubernetes default load balancing often doesn’t work out of the box with gRPC. You can find why this is the case and how to properly handle reading this blogpost.

Helm, from basics to advanced

The purpose of this post is to provide an accessible introduction to Helm by example. Go beyond that bunch of yaml files in a repo and create your own customizable Kubernetes charts.

Deploying Kubernetes clusters with kops and Terraform

Thanks to kops and it’s excellent integration with Terraform you can provision and manage your Kubernetes clusters in the same way that you manage the rest of your AWS infrastructure.

Spot instances in Kubernetes

AWS calls them Spot Instances, Azure Low-priority VM and Google Preemptible VM. If your orchestrator can really handle frequent node losses, you can save a lot of money with this option.

Blue/green deployments with Kubernetes and Istio

Managing several versions of the same service (blue and green) with Istio, you can drive the traffic selectively to either one of the deployments with no downtime.

Understanding resource limits in Kubernetes: memory

A thorough post covering how the memory requests and limits that you declare in your Kubernetes pods are really enforced and used to maximize cluster efficiency.

Introducing multicluster-controller

Multicloud architectures are becoming prevalent, and Kubernetes is not an exception. Admirality is releasing a library specifically designed to manage these workloads: the multicluster-controller.

The beginner’s guide to the CNCF landscape

The cloud native landscape can be complicated and confusing. This gentle introduction by one of its ambassadors will lay out the CNCF mission, internal processes and projects under its umbrella.

Spinnaker: the Kubernetes of continuous delivery

Continuous Delivery is a solved problem, but it has been a bit of a Frankenstein’s monster. Kubernetes and Spinnaker are very different technologies, but parallels can be drawn as they are both forces that drive technology convergence.


Introducing Docker Enterprise 2.1

The new release improves Windows Server support, provides better visibility and enhanced health status dashboards along with compliance checking and software audit capabilities.

Dive: explore any Docker Image

Dive lets you interactively explore any local Docker image, showing image contents broken by layer, so you can easily visualize changes and estimate the efficiency of your image build.

Build secrets in Docker 18.09

One of the complexities when using Dockerfiles has always been accessing private resources without leaking sensitive information into the resulting Docker images. Build secrets can be the solution you are looking for.

What can you do with Docker in Windows Server 2019 that you couldn’t do in WS 2016

Things like: accessing published ports on localhost, using named pipes to access the Docker API or volume mounts that can overwrite existing directories.


Integrating Vault with legacy applications

The third post of the Vault series focuses on enabling applications that cannot integrate directly with Vault. The only requirement of these applications is that they can read a file in which the secrets will be stored.

Announcing DC/OS 1.12

Together with the Mesosphere Kubernetes Engine (see below), but wait, there’s more: also in beta availability is the Mesosphere Jupyter Service, which accelerates machine learning projects at lower costs.

The state of Cloud Native ecosystems in 2018

Because beautiful infographics are not at odds with thorough research. This year’s release of the Mesosphere report reveals some notable trends that set forward-thinking companies apart

Introducing Mesosphere Kubernetes Engine (MKE)

Managing multiple Kubernetes clusters requires a big time and resource investment. Mesosphere Kubernetes Engine provides IT organizations with a centralized self-service control plane that automates this task.