Hello from all of us here at Sysdig! We’re just one month away from KubeCon San Diego, and you can feel the buzz in the Kubernetes community. Read the highlights in our selection of the latest cloud-native news.
Ping us at @sysdig or on our open source Sysdig Slack group to share your feedback or to suggest topics we should include in future issues! You can find previous issues by browsing the archive.
Sign up for our monthly Cloud-native News.
SECURITY
How to keep your Kubernetes secrets secure in Git
Kubernetes Secrets let you manage credentials in your cluster, but are you backing them up and auditing changes to them? Git can help with both, as long as the secrets are encrypted before they are committed (a plain Secret manifest is only base64-encoded). Tools such as kubeseal, Helm or kamus do exactly that.
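Whatever encryption tool you pick, the check a practitioner wants next to it is a guard that stops a plain `kind: Secret` from ever reaching the repository. The following pre-commit check is an added example, not code from the linked article or from the kubeseal, Helm or kamus projects. It assumes manifests use kubectl-style two-space indentation and that the `.yaml`/`.yml` files being committed are Kubernetes manifests; the sample manifest it writes is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: refuse to commit a plain Kubernetes Secret manifest.
# Encrypted forms (kind: SealedSecret from kubeseal, kind: KamusSecret from kamus) pass;
# a document whose kind is exactly "Secret" carries base64 only, so it must not reach Git.

# plain_secret_docs FILE -> one line "<doc-index> <metadata.name>" per YAML document whose kind is exactly Secret
plain_secret_docs() {
  awk '
    function flush() { if (kind == "Secret") print doc, (name == "" ? "<unnamed>" : name); kind = ""; name = "" }
    BEGIN { doc = 1 }
    /^---[[:space:]]*$/ { flush(); doc++; next }        # document separator
    /^[^[:space:]#-]/   { in_meta = ($1 == "metadata:") } # any top-level key: are we inside metadata:?
    /^kind:/            { kind = $2 }                     # top-level kind only (nested kind: is indented)
    in_meta && /^  name:/ { if (name == "") name = $2 }   # metadata.name, assuming 2-space indent (kubectl style)
    END { flush() }
  ' "$1"
}

# check_files FILE... -> 0 if no file contains a plain Secret, 1 otherwise; offenders are reported on stderr
check_files() {
  local rc=0 f idx name
  for f in "$@"; do
    while read -r idx name; do
      [ -n "$idx" ] || continue   # heredoc of empty output yields one empty line
      echo "refusing to commit plain Secret '$name' (document $idx in $f); seal or encrypt it first" >&2
      rc=1
    done <<EOF
$(plain_secret_docs "$f")
EOF
  done
  return $rc
}

# write_sample_manifests FILE -> constructed multi-document manifest used to exercise the check
write_sample_manifests() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: info
---
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
  namespace: prod
type: Opaque
data:
  password: aHVudGVyMg==
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-creds
spec:
  encryptedData:
    password: <ciphertext-placeholder>
EOF
}

# As a .git/hooks/pre-commit body, run the check over the staged manifests:
#   check_files $(git diff --cached --name-only --diff-filter=ACM -- '*.yaml' '*.yml')
```

The hook exits non-zero on the first plain Secret it finds, which is what makes `git commit` abort; the SealedSecret document with the same name passes because the match is on the exact kind, not on the name or the presence of a `data:` key.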
More cp vulnerabilities in Kubernetes
kubectl cp is a much needed tool, but it is also a double-edged sword that opens the door to dangerous scenarios. The latest vulnerability, CVE-2019-11251, lets a file be copied outside the intended destination directory with the aid of two symlinks. The bug lives in the kubectl client, so it is the kubectl binary that needs upgrading: if yours is 1.15.3 or below, upgrade now (fixes shipped in 1.13.11, 1.14.7, 1.15.4 and 1.16.0).
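Because the fix is in the client, the useful check is on the workstation and CI runners, not on the API server. The snippet below is an added example, not code from the article or from the Kubernetes project: it classifies a kubectl client version against the patched releases (1.13.11, 1.14.7, 1.15.4, 1.16.0; verify these against the upstream announcement before relying on them) and parses the output of `kubectl version --client --short`, which is the form kubectl releases of this period print. Vendor suffixes such as `-gke.2` are treated as build metadata.

```shell
#!/usr/bin/env bash
# Added example: is this kubectl client build still exposed to CVE-2019-11251?
# Patched releases (from the upstream Kubernetes announcement; verify before relying on them):
#   1.13.11, 1.14.7, 1.15.4 and 1.16.0. Minor series older than 1.13 received no fix.

# first_fixed_patch MINOR -> first patched patch-level for a 1.MINOR series that shipped the bug
first_fixed_patch() {
  case "$1" in
    13) echo 11 ;;
    14) echo 7 ;;
    15) echo 4 ;;
  esac
}

# kubectl_cp_status VERSION -> prints "vulnerable" or "fixed"
# Accepts v1.15.3, 1.15.3 or vendor builds like v1.14.6-gke.2 (text after '-' or '+' is build metadata).
kubectl_cp_status() {
  local v=${1#v}
  v=${v%%[-+]*}
  local major minor patch
  IFS=. read -r major minor patch <<EOF
$v
EOF
  patch=${patch:-0}
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 16 ]; }; then
    echo fixed; return            # 1.16.0 and later never shipped the bug
  fi
  if [ "$major" -lt 1 ] || [ "$minor" -lt 13 ]; then
    echo vulnerable; return       # no patched release exists for these series
  fi
  if [ "$patch" -ge "$(first_fixed_patch "$minor")" ]; then
    echo fixed
  else
    echo vulnerable
  fi
}

# client_version_from_output -> extracts the version from `kubectl version --client --short` on stdin,
# e.g. "Client Version: v1.15.3" -> "v1.15.3"
client_version_from_output() {
  sed -n 's/^Client Version:[[:space:]]*//p'
}

# Typical use on a workstation or CI runner:
#   v=$(kubectl version --client --short | client_version_from_output)
#   echo "kubectl $v: $(kubectl_cp_status "$v")"
```

Note that `--client` matters: without it `kubectl version` also queries the API server, and a patched control plane says nothing about the binary you run `kubectl cp` with.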
Abusing Kubernetes defaults [presentation]
Kubernetes is not secure by default. Ian Coldwater and Duffie Cooley walk through how those defaults can be abused in this presentation.
Authentication at mesh level – Istio
The App Identity and Access Adapter in Istio moves authentication out of your web app and into the mesh. Learn how to use it to protect resources with any OAuth2/OIDC provider.
Kubernetes security best practices
If Kubernetes is not secure by default, where should you start securing it? Use this list of technical best practices to avoid security weaknesses in your containers and clusters.
SYSDIG
Kubernetes runtime security (sketch series)
Kubernetes runtime security lets you detect abnormal behaviour and remediate it automatically with response actions and notification triggers.
Cloud-native security with OpenShift and Sysdig Secure (video, 3min)
A lack of container visibility creates a security gap for dynamic microservices. OpenShift's built-in security features have boosted confidence in running containers; pairing Sysdig Secure with OpenShift takes your cloud-native security a step further.
Ever wonder how Kubernetes and containers are being used in real environments? Join our webcast to hear first-hand.
Comprehensive guide: "Securing Cloud Native Applications on OpenShift".
KUBERNETES+OPENSHIFT
CI/CD pipeline with Jenkins, Nexus, and Kubernetes
Continuous integration and continuous deployment are cornerstones of DevOps. Setting up a CI/CD pipeline doesn't have to be hard: you can run it on your existing Kubernetes cluster.
eBPF powered distributed Kubernetes performance analysis (video talk)
Of all the ways you can gather metrics from your Kubernetes nodes, eBPF may be the most powerful. Lorenzo Fontana teaches us how to use eBPF to collect all kinds of metrics and use them to do performance analysis.
What’s new in Kubernetes 1.16?
Kubernetes 1.16 is out, graduating custom resource definitions to stable, introducing ephemeral containers (alpha) and much more. Check out what's improved and what's new in Kubernetes 1.16!
How to migrate from Helm v2 to Helm v3
Helm 3 is about to be released. Because of the architecture changes between major versions (most notably the removal of Tiller and the new way releases are stored), upgrading requires a migration. Get ready for the release by learning how to migrate to Helm v3.
Mistakes that cost thousands (Kubernetes, GKE)
What is the difference between building your Kubernetes cluster from 100 light nodes and from 6 powerful ones? Spoiler: easier resource distribution. Gajus Kuizinas's write-up is full of tips you can use to optimize your cluster.
OpenShift cluster nodes on steroids
So, you read the previous item in this newsletter and your cluster is now pretty well optimized for your load. With the OpenShift Node Tuning Operator you can go a step further, automatically applying configuration to your nodes when certain conditions are met.
Announcing Istio 1.3
A new version of Istio was released last month. The focus of Istio 1.3 is improving the user experience, both for new users and for users debugging problems. It also supports more applications without requiring extra application-specific configuration. Check out the release notes!
Isopod: Expressive DSL Kubernetes configuration
Traditional configuration tools like Helm or Kustomize might not be enough for complex deployments. Instead of writing scripts that generate config files, check out Isopod: an open-source framework that generates and maintains Kubernetes configuration from a DSL written in Starlark, a Python dialect.
Ping monitoring between Kubernetes nodes
Some scenarios are hard to debug, usually intermittent behaviours that are difficult to reproduce. Connectivity problems in your datacenter cause many of them, and pinging between Kubernetes nodes can help narrow such an issue down.
CLOUD PROVIDERS
Continuous delivery for Google Kubernetes
Setting up your CI/CD pipeline is really easy with Semaphore and Google Cloud. This step by step guide is your best start.
Container-native load balancing on GKE
Some time ago Google announced container-native load balancing. With this feature, traffic is routed directly to the Pods (via network endpoint groups) instead of to a node that then forwards it, saving a lot of inter-node traffic and an extra hop. Now this feature is generally available!
Scalability Tuning on a Tess.IO Cluster
Kubernetes officially supports clusters of up to 5000 nodes, but getting there is not straightforward. In this analysis from Tess.IO (eBay's cloud infrastructure) you can learn the main issues in scaling Kubernetes and how to solve them.
Windows containers on Google Kubernetes Engine
Kubernetes 1.14 brought stable support for Windows nodes and containers. Now you can run Windows containers on GKE, and Google has made it a really straightforward process.