Cloud Native weekly highlights:
- Knative became the CNCF incubator project
- Podman release v4.0.0
- Aeraki Mesh is added to CNCF cloud native panorama
- Argo publishes the Fuzzing report
- Platform9 releases cloud native enterprise trends report
- A critical GitLab vulnerability could allow an attacker to steal a runner’s registration token
- Open Source Project Recommendation
- Recommended articles
The U.S. National Security Agency (NSA) is here again 😅. Its last publication was the “Kubernetes Security Hardening Guide”; this time it is the Network Infrastructure Security Guide, which covers network design, device password management, remote login management, security updates, key exchange algorithms, and important protocols such as NTP, SSH, HTTP and SNMP, and gives all organizations up-to-date advice on protecting their IT network infrastructure from cyber attacks.
Follow the official account KubeSphere cloud native and reply with the keyword “network” to receive the guide.
Cloud native news
Knative became the CNCF incubator project
Today, the CNCF Technical Oversight Committee (TOC) voted to accept Knative as a CNCF incubating project.
Knative is an open source platform based on Kubernetes for building, deploying, and managing serverless and event-driven applications. It helps development teams manage, monitor, and operate Kubernetes in a way that requires less technical knowledge and time.
Knative was created by Google in 2018 and has since been developed in close collaboration with IBM, Red Hat, VMware, and SAP. Since its inception, the project has benefited from the cooperation and contributions of more than 1,800 different individuals in the community.
The project reached version 1.0 in November 2021, meaning that all of its repositories were designated by the community as stable and suitable for production use. It is currently at version 1.2 and is released every six weeks.
Podman release v4.0.0
Podman v4.0.0 was released today. This release brings over 60 new features, centred on a complete rewrite of the network stack to improve functionality and performance, but it also contains many other changes, including improved Podman support for Mac and Windows, improved Pods, over 50 bug fixes, and much more.
Here are the major changes:
- Podman now supports a new network stack based on Netavark and Aardvark in addition to the existing CNI stack. The new stack offers improved support for containers on multiple networks, improved IPv6 support, and improved performance.
- Supporting Podman on Windows and OS X is also a top priority. Chief among these changes is support for exposing the Podman API socket on the host system, allowing tools such as Docker Compose to run on the host rather than inside the Podman machine virtual machine. In addition, Podman machine can now use WSL2 as a back end on Windows, greatly improving Podman support for Windows.
- Podman Pods have added a number of new features to allow sharing of resources between containers in Pods.
These changes are just the tip of the iceberg — there’s more to come in this release, see the release notes for more information.
Aeraki Mesh is added to CNCF cloud native panorama
Recently, Aeraki Mesh officially entered the CNCF cloud native landscape under the Service Mesh category. The CNCF Landscape is designed to help enterprises and developers quickly understand the full picture of the cloud native ecosystem and to help users choose appropriate software and tools in their cloud native practice, so it attracts considerable attention from developers and users.
Aeraki Mesh is an open source project in the service mesh field. It addresses the limitation that current service mesh projects only handle the HTTP/gRPC protocols and do not support other open source and proprietary protocols.
Aeraki Mesh helps you manage any layer 7 protocol in a service mesh. Dubbo, Thrift, Redis, Kafka, ZooKeeper and other open source protocols are supported. You can also use the MetaProtocol extension framework provided by Aeraki Mesh to manage layer 7 traffic for proprietary protocols.
Argo publishes the Fuzzing report
Security is a top priority for the Argo project. To improve it, Argo maintainers from Akuity, Red Hat, and Intuit recently worked with Ada Logics on a project commissioned by the CNCF (Cloud Native Computing Foundation) to build fuzzing (fuzz testing) for the Argo project.
Fuzzing is a general-purpose technique designed to automatically identify reliability and security issues. It is commonly used by security researchers to find vulnerabilities in systems and has been successfully applied to various CNCF projects such as Kubernetes, Envoy, Helm, Linkerd2-Proxy and Fluent-Bit. Fuzzing’s general approach is to use genetic algorithms combined with program analysis and software instrumentation to generate inputs that achieve a high level of code coverage in the target software. In Argo’s case, the goal is to identify inputs that cause various failures, such as crashes, panics, memory exhaustion, and hangs.
The project established a continuous fuzzing infrastructure that now runs as part of the project’s development cycle. A total of 41 fuzzers were developed and 10 defects were found. All of the bugs found have been fixed (except for two found at the very end of the project) and the fixes are available in the latest project patch set. Full details are available in the Argo fuzzing report.
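The loop described above (mutate an input, run the target, keep inputs that reach new code, stop on a crash) in a minimal form. This is an added example, not Argo’s fuzzers or Ada Logics’ harnesses: the target `parse_record` is a constructed toy parser with a planted out-of-bounds read, the seed inputs are constructed, and coverage is collected with `sys.settrace` rather than the compiler instrumentation a real Go target would use.

```python
"""Minimal coverage-guided mutation fuzzer (added example, not Argo code)."""
import random
import sys


def parse_record(data: bytes) -> dict:
    """Constructed target: 1-byte type, 1-byte length, then the payload."""
    if len(data) < 2:
        raise ValueError("short header")           # expected rejection, not a bug
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if rtype == 0x01:
        return {"type": "name", "value": payload.decode("ascii", "replace")}
    if rtype == 0x02:
        if length < 4:
            raise ValueError("int payload too short")
        record = {"type": "int", "value": int.from_bytes(payload[:4], "big")}
        if length > 4 and payload[4] & 0x80:
            # Planted defect for the demo: the flag byte encodes an offset to an
            # "extension" field, and that offset is never bounds-checked.
            record["ext"] = payload[5 + (payload[4] & 0x0F)]
        return record
    raise ValueError(f"unknown record type {rtype:#x}")


def run_with_coverage(data: bytes):
    """Run the target once; return (outcome, set of executed line numbers)."""
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is parse_record.__code__ and event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        parse_record(data)
        outcome = "ok"
    except ValueError:
        outcome = "rejected"          # the parser's own validation fired
    except Exception as exc:          # anything else is a crash worth reporting
        outcome = f"crash:{type(exc).__name__}"
    finally:
        sys.settrace(None)
    return outcome, frozenset(lines)


INTERESTING = [0x00, 0x01, 0x02, 0x7F, 0x80, 0xFF]   # boundary values fuzzers favour


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: set a byte, flip a bit, insert a byte, or delete one."""
    buf = bytearray(data)
    if not buf:
        return bytes([rng.randrange(256)])
    op = rng.randrange(4)
    pos = rng.randrange(len(buf))
    if op == 0:
        buf[pos] = rng.choice(INTERESTING) if rng.random() < 0.5 else rng.randrange(256)
    elif op == 1:
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[pos]
    return bytes(buf)


SEEDS = [b"\x01\x05hello", b"\x02\x04\x00\x00\x00\x2a"]   # constructed valid records


def fuzz(seeds=SEEDS, iterations=20000, seed=1):
    """Coverage-guided loop; deterministic for a given seed."""
    rng = random.Random(seed)
    corpus = list(seeds)
    covered = set()
    for s in corpus:
        covered |= run_with_coverage(s)[1]
    for i in range(1, iterations + 1):
        child = rng.choice(corpus)
        for _ in range(rng.randrange(1, 4)):          # stack 1-3 mutations
            child = mutate(child, rng)
        outcome, cov = run_with_coverage(child)
        if outcome.startswith("crash"):
            return {"found": True, "input": child, "outcome": outcome,
                    "iterations": i, "corpus_size": len(corpus)}
        if cov - covered:                              # reached new lines: keep as a seed
            covered |= cov
            corpus.append(child)
    return {"found": False, "input": None, "outcome": None,
            "iterations": iterations, "corpus_size": len(corpus)}


if __name__ == "__main__":
    result = fuzz()
    print(result["outcome"], result["input"], "after", result["iterations"], "iterations")
```

The distinction between `rejected` and `crash` is what makes the harness useful: the parser is allowed to refuse malformed input with its own error type, and only unexpected exceptions (the equivalent of a panic or segfault in a Go or C target) are treated as findings. The crash input returned is the reproducer a maintainer would turn into a regression test.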
Platform9 releases cloud native enterprise trends report
Platform9 conducted a survey between December 15, 2021 and January 8, 2022 to understand how businesses are adopting cloud native technology, including their investment and hiring plans, expected challenges, cloud lock-in concerns and more. The respondents included 526 architects, DevOps and cloud platform engineers, managers, and executives across 85 industries and 450 unique companies.
The study, “Cloud Native Enterprise Trends 2022,” details several key insights gleaned from surveys and 1:1 interviews. Some key findings include:
- Kubernetes dominates container management. Nearly 85% of respondents are using Kubernetes or plan to deploy it in the next six months.
- Cloud native hiring continues to be a priority. DevOps, cloud platform engineering, cloud native developers, and security are the top hiring investments for 2022.
- Executives everywhere are looking for practical ways to reduce vendor lock-in. While 61% of respondents had high or moderate concerns about vendor lock-in, 71% of power users with large deployments were concerned, more than early adopters.
A critical GitLab vulnerability could allow an attacker to steal a runner’s registration token
According to a GitLab security bulletin, the vulnerability affects all versions from 12.10 to 14.6.4, all versions from 14.7 to 14.7.3, and all versions from 14.8 to 14.8.1.
If exploited, an unauthorized user can use a quick action command to steal a runner’s registration token through an information disclosure vulnerability.
It has a 9.6 CVSS score and has been patched in the latest releases: 14.8.2, 14.7.4 and 14.6.5 for GitLab Community (CE) and Enterprise (EE) editions.
Open Source Project Recommendation
TeslaMate
TeslaMate is a self-hosted Tesla log collection platform that collects, stores, and displays owners’ Tesla driving data and is easy to deploy with Docker. The data is stored in Postgres and the dashboards are displayed through Grafana.
apko
apko is a new image-building tool for producing Alpine-based distroless images. It drives Alpine’s package manager, apk, directly to assemble the image, without a Dockerfile, from a declarative configuration file such as:

```yaml
contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/edge/main
  keyring:
    - /etc/apk/keys/[email protected]
    - /etc/apk/keys/[email protected]
    - /etc/apk/keys/[email protected]
    - /etc/apk/keys/[email protected]
    - /etc/apk/keys/[email protected]
  packages:
    - alpine-baselayout
    - nginx
entrypoint:
  type: service-bundle
  services:
    nginx: /usr/sbin/nginx -c /etc/nginx/nginx.conf -g "daemon off;"
```
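Because the whole image is described by that one manifest, it is a natural place for a pre-build policy check. The following is an added example, not apko’s own validation: `PAGE_MANIFEST` is the manifest above in parsed (dict) form, with a placeholder keyring path because the key file names are not shown in full above, and `HARDENED_MANIFEST` is a variant pinned to a released Alpine branch. The check names and severities are this example’s policy, not an apko feature.

```python
"""Lint an apko manifest for supply-chain hygiene (added example, not apko code)."""
from urllib.parse import urlparse

# Parsed form of the manifest shown above (constructed to mirror it).
PAGE_MANIFEST = {
    "contents": {
        "repositories": ["https://dl-cdn.alpinelinux.org/alpine/edge/main"],
        "keyring": ["/etc/apk/keys/PLACEHOLDER-alpine-key.rsa.pub"],   # placeholder path
        "packages": ["alpine-baselayout", "nginx"],
    },
    "entrypoint": {
        "type": "service-bundle",
        "services": {"nginx": '/usr/sbin/nginx -c /etc/nginx/nginx.conf -g "daemon off;"'},
    },
}

# Same image, but built from a released branch instead of the rolling 'edge' branch.
HARDENED_MANIFEST = {
    "contents": {
        "repositories": ["https://dl-cdn.alpinelinux.org/alpine/v3.15/main"],
        "keyring": ["/etc/apk/keys/PLACEHOLDER-alpine-key.rsa.pub"],   # placeholder path
        "packages": ["alpine-baselayout", "nginx"],
    },
    "entrypoint": {
        "type": "service-bundle",
        "services": {"nginx": '/usr/sbin/nginx -c /etc/nginx/nginx.conf -g "daemon off;"'},
    },
}


def lint_manifest(manifest):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    contents = manifest.get("contents", {})
    repos = contents.get("repositories", [])
    keyring = contents.get("keyring", [])
    packages = contents.get("packages", [])

    for repo in repos:
        url = urlparse(repo)
        if url.scheme != "https":
            findings.append(("high", f"repository {repo} is not fetched over HTTPS"))
        # 'edge' is Alpine's rolling development branch: package versions drift between
        # builds, so two builds of the same manifest can produce different images.
        if "/edge/" in url.path:
            findings.append(("medium", f"repository {repo} tracks the rolling 'edge' branch"))

    if repos and not keyring:
        findings.append(("high", "repositories configured but keyring is empty: apk cannot verify package signatures"))

    if not packages:
        findings.append(("low", "no packages listed; the image would be empty"))
    seen = set()
    for pkg in packages:
        if pkg in seen:
            findings.append(("low", f"package {pkg} is listed twice"))
        seen.add(pkg)

    services = manifest.get("entrypoint", {}).get("services", {})
    for name, cmd in services.items():
        binary = cmd.split()[0] if cmd.split() else ""
        if not binary.startswith("/"):
            findings.append(("medium", f"service {name} starts {binary!r} by PATH lookup instead of an absolute path"))
    return findings


def passes_gate(manifest, fail_on=("high",)):
    """CI gate: True unless any finding has a severity listed in fail_on."""
    return not any(sev in fail_on for sev, _ in lint_manifest(manifest))


if __name__ == "__main__":
    for label, m in (("page", PAGE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, "passes" if passes_gate(m) else "fails", lint_manifest(m))
```

The point of the edge check is reproducibility rather than a vulnerability: a distroless image is only as auditable as the package list that produced it, and a rolling repository means that list resolves differently over time.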
local-disk-manager
local-disk-manager is designed to simplify managing disks on nodes. It abstracts a disk as a resource that can be managed and monitored. It runs as a DaemonSet, so every node in the cluster runs the service, which detects the node’s existing disks and represents each one as a LocalDisk resource.
KoolKits
KoolKits are a set of debugging images for kubectl debug: each is started as an ephemeral container in a Pod, sharing namespaces with the application container. KoolKits provides tailored debug images for several common languages. For example, a JVM container can be debugged with the JVM-specific image:

```shell
$ kubectl debug -it <POD-NAME> --image=lightrun-platform/koolkits/koolkit-jvm --image-pull-policy=Never --target=<DEPLOYMENT-NAME>
```

and a Node.js container with the Node.js-specific image:

```shell
$ kubectl debug -it <POD-NAME> --image=lightrun-platform/koolkits/koolkit-node --image-pull-policy=Never --target=<DEPLOYMENT-NAME>
```
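An ephemeral debug container shares the target’s process and network namespaces, so a cluster operator will usually want to know who injected one and with which image. The following detection runs over Kubernetes audit events and is an added example, not part of KoolKits or kubectl: the audit lines are constructed, the approved-image allowlist is an assumption, and the field names follow the Kubernetes audit event schema (`objectRef.resource`/`subresource`, `verb`, `user.username`, `requestObject`, `responseStatus`), which means the audit policy must log `pods/ephemeralcontainers` at Request or RequestResponse level for the patch body to be present.

```python
"""Flag ephemeral debug-container injections in Kubernetes audit logs (added example)."""
import json

# Images the platform team has approved for kubectl debug (assumed allowlist).
APPROVED_DEBUG_IMAGES = {
    "lightrun-platform/koolkits/koolkit-jvm",
    "lightrun-platform/koolkits/koolkit-node",
}

# Constructed audit events as JSON lines; not captured from a real cluster.
AUDIT_LINES = [
    # 1. kubectl debug with an approved KoolKits image, succeeded
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "patch",
                "user": {"username": "dev@example.com"},
                "objectRef": {"resource": "pods", "subresource": "ephemeralcontainers",
                              "namespace": "shop", "name": "orders-7d9c"},
                "requestObject": {"spec": {"ephemeralContainers": [
                    {"name": "debugger-x1", "image": "lightrun-platform/koolkits/koolkit-jvm",
                     "targetContainerName": "orders"}]}},
                "responseStatus": {"code": 200}}),
    # 2. ordinary pod read: not an injection
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "dev@example.com"},
                "objectRef": {"resource": "pods", "namespace": "shop", "name": "orders-7d9c"},
                "responseStatus": {"code": 200}}),
    # 3. RequestReceived stage of event 1: same request, must not double-count
    json.dumps({"kind": "Event", "stage": "RequestReceived", "verb": "patch",
                "user": {"username": "dev@example.com"},
                "objectRef": {"resource": "pods", "subresource": "ephemeralcontainers",
                              "namespace": "shop", "name": "orders-7d9c"}}),
    # 4. injection with an image outside the allowlist, succeeded
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "patch",
                "user": {"username": "contractor@example.com"},
                "objectRef": {"resource": "pods", "subresource": "ephemeralcontainers",
                              "namespace": "payments", "name": "ledger-0"},
                "requestObject": {"spec": {"ephemeralContainers": [
                    {"name": "debugger-y2", "image": "docker.io/library/busybox:latest",
                     "targetContainerName": "ledger"}]}},
                "responseStatus": {"code": 200}}),
    # 5. attempt denied by RBAC: no request body is recorded for a 403
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "patch",
                "user": {"username": "intern@example.com"},
                "objectRef": {"resource": "pods", "subresource": "ephemeralcontainers",
                              "namespace": "payments", "name": "ledger-0"},
                "responseStatus": {"code": 403}}),
]


def parse_audit_lines(lines):
    """Decode JSON lines, skipping blank or malformed ones instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_debug_container_injections(lines, approved=APPROVED_DEBUG_IMAGES):
    """Return one alert per completed request that writes pods/ephemeralcontainers."""
    alerts = []
    for ev in parse_audit_lines(lines):
        if ev.get("stage") != "ResponseComplete":      # one alert per request
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods" or ref.get("subresource") != "ephemeralcontainers":
            continue
        if ev.get("verb") not in ("patch", "update"):
            continue
        containers = ev.get("requestObject", {}).get("spec", {}).get("ephemeralContainers", [])
        images = [c.get("image", "") for c in containers]
        code = ev.get("responseStatus", {}).get("code", 0)
        alerts.append({
            "user": ev.get("user", {}).get("username", "<unknown>"),
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "targets": sorted({c["targetContainerName"] for c in containers if c.get("targetContainerName")}),
            "images": images,
            "unapproved": [img for img in images if img not in approved],
            "succeeded": 200 <= code < 300,
        })
    return alerts


def severity(alert):
    """Blocked attempts are recorded as info; unapproved images escalate to high."""
    if not alert["succeeded"]:
        return "info"
    return "high" if alert["unapproved"] else "medium"


if __name__ == "__main__":
    for alert in find_debug_container_injections(AUDIT_LINES):
        print(severity(alert), json.dumps(alert))
```

Two edge cases are handled deliberately: the `RequestReceived` stage is ignored so that a single kubectl debug run does not produce two alerts, and a denied request has no `requestObject`, so the image list is empty and the alert is kept as an attempt rather than dropped.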
Awesome Twitter Communities for Engineers
Late last year, Twitter added Communities, a feature that lets users tweet with people who share common interests. Once a member of a community, users can tweet directly to other members, not just their followers, and only community members can like or reply to tweets sent by other members. Awesome-twitter-communities is a collection of communities created by engineers, including cloud native, Rust, WebAssembly and more. If you’re a Twitter nerd and don’t know what’s going on in your area of interest, join a community for a sneak peek.
CodeFever
CodeFever is a free and open source Git code hosting service that supports one-line command installation to your own server without any limitation on the number of repositories or usage. If you want to build your own Git repository, check out this project.
Recommended articles
Challenges of large-scale implementation of eBPF
eBPF has changed the game in the Linux world by allowing applications to interact safely with the kernel, but building eBPF applications that work across Linux distributions remains a huge challenge. If your users run a variety of Linux distributions, different kernel versions, kernel configurations, and some distribution-specific settings, what can you do to ensure that your eBPF-based application works in as many environments as possible? This article provides a partial answer to this question.
High risk! New Kubernetes container escape vulnerability alert
Container environments are complex, especially on a distributed scheduling platform like Kubernetes: each component has its own life cycle and attack surface, security risks are easily exposed, and cluster administrators must pay attention to every detail. In most cases the security of a container ultimately depends on the security of the Linux kernel, so we need to keep an eye on any kernel security issues and roll out fixes as soon as possible.
Quickly deploy K8s and KubeSphere offline using KubeKey
KubeKey (KK) is an open source lightweight tool for deploying Kubernetes clusters. It provides a flexible, fast, and easy way to install Kubernetes or K3s alone, or together with KubeSphere and other cloud native plug-ins. It is also an effective tool for scaling and upgrading clusters. This tutorial uses KK 2.0.0 to deploy a KubeSphere cluster in an offline environment, helping you achieve fast offline delivery.
This article is published by OpenWrite!