Hello from all of us here at Sysdig! In this edition of Cloud-native News, we have a lot of exciting content, including new players joining the Kubernetes world, recently discovered vulnerabilities, and fresh tools that just came out of the forge!
Ping us at @sysdig or on our open source Sysdig Slack group to share your feedback or to suggest topics we should include in future issues! You can find previous issues in the archive.
Sign up for our monthly Cloud-native News.
SECURITY
Netflix discovers severe HTTP/2 vulnerabilities.
These vulnerabilities are found in HTTP libraries and can enable DoS attacks. Kubernetes (go) is affected by CVE-2019-9512 (Ping Flood) and CVE-2019-9514 (Reset Flood). Upgrade now!
Verifying service mesh TLS in Kubernetes
With Ksniff and Wireshark you can inspect the traffic, test if your encryption is actually working and even check if your are using the latest TLS version.
Kubernetes security audit: What GKE and Anthos users need to know
The CNCF just published the first security audit on Kubernetes, now Google offers his thoughts about the results and some recommendations to their GKE and Anthos users.
Using Conftest and Kubeval with Helm
Config errors are easy to make and can be rather dangerous. If Helm is your package manager, you can use the Helm Kubeval plugin to check your configurations.
Policing through policy
Permissions or policies? Let’s take a drive and reflect on why policies are such a good fit for Kubernetes.
SYSDIG
Kubernetes security (sketch series)
There are a lot of moving parts in a Kubernetes security implementation at the platform level. Get a graphic overview on Kubernetes security and dig deeper into forensics and postmortem analysis.
Kubernetes threat landscape infographic
A number of enterprises are scaling Kubernetes in production, yet are not aware of the increasing number of attack vectors that require them to reconsider their security approach.
How does DevOps fit with a 100-year-old furniture company? What role does Kubernetes play? Watch the upcoming customer webcast style=”text-decoration: underline;” href=”https://www.brighttalk.com/webcast/16287/370949?utm_source=container-newsletter-sep&utm_medium=email” target=”_blank” rel=”noopener noreferrer”>‟Steelcase: Scaling IoT Services using Sysdig on Azure Kubernetes Service” →.
Webcast: style=”text-decoration: underline;” href=”https://www.brighttalk.com/webcast/16287/366582?utm_source=container-newsletter-sep&utm_medium=email” target=”_blank” rel=”noopener noreferrer”>‟The 5 must-do’s when implementing Cloud-Native security in Red Hat OpenShift” →.
If you prefer to watch our technical walkthroughs and product discussions at your own pace, check out Sysdig tech talks and webinars →.
KUBERNETES+OPENSHIFT
VMworld 2019: VMware doubles down on Kubernetes
After the acquisition of Heptio and Pivotal we knew VMWare was committing strongly to the cloud-native space. With the announcements of Tanzu and Project Pacific they just consolidated their position.
How does ‘kubectl exec’ work?
It’s one of the basic Kubernetes commands, but have you ever stopped to think how ‘kubectl exec’ really works?
Adopting Istio for a multi-tenant Kubernetes cluster
Managing a 100+ service cluster is a real challenge, adopting Istio in the whole cluster is a huge milestone with many lessons worth learning.
Provision k3s on the fly with k3sup
k3s is already 5 numbers simpler than Kubernetes, and it gets even better when you can provision new nodes in a few seconds with tools like k3sup.
Running Spark with Jupyter Notebook & HDFS on Kubernetes
Big data services like Spark often run huge sporadic queries, like monthly reports. Thanks to Kubernetes you can deploy new Spark workers on demand to handle demand bursts.
Local development tools series
The Garden article from last month is now a series. Simplify the local development of your containerized apps with one of these tools: Draft, Skaffold and Tilt.
CDC pipeline with Red Hat AMQ Streams and Red Hat Fuse
Red Hat AMQ Streams now ships with CDC features, and it takes just a few steps to setup a CDC pipeline for a MySQL database.
Running Kubernetes end-to-end tests with Kind and Github actions
Github actions integrates seamlessly with Docker, how awesome is that? KinD is just the missing link you need to run tests from Github on a Kubernetes cluster.
Hardware accelerated transcoding in Kubernetes
Compute intensive tasks like transcoding or machine learning benefit from specialized hardware. Thanks to these intel plugins you can hardware accelerate your pods.
CLOUD PROVIDERS
Bringing shielded VMs to GKE with Shielded GKE Nodes
Protecting your nodes is protecting your microservices, that’s why Google is starting to offer extended security protection in their GKE nodes.
How I moved my Kubernetes project to Amazon EKS in 4 hours
Moving between Kubernetes providers should be seamless, in practice it’s really easy although there are a few particularities to each service.
Bootstrapping Kubernetes on AWS with Cluster API
Cluster API aims to standardize processes between providers, so you could create a Kubernetes cluster in AWS without any AWS specific commands.
Deploying GitOps with Weave Flux and AWS EKS
Flux is now part of the CNCF Sandbox, let’s celebrate by showing how to use Flux to deploy into AWS EKS.