Cloud Native weekly highlights:
- Dockershim is about to be scrapped
- Dapr v1.5 release
- Warning: Attackers use SonarQube vulnerability to steal source code
- OpenELB enters the CNCF Sandbox
- Open Source Project Recommendation
- Recommended articles
Cloud native news
Dockershim is about to be officially scrapped
Kubernetes has announced that dockershim will be removed from the Kubernetes code base in favor of container runtimes that directly implement the Container Runtime Interface (CRI) created for Kubernetes.
The current plan is that Dockershim will be removed in Kubernetes version 1.24, which is scheduled for release around April next year. For those developing or running alpha and beta releases, Dockershim will be removed at the start of the 1.24 release development cycle in December.
Kubernetes is collecting feedback through a survey to better understand how prepared users are for the removal of dockershim. The survey asks which version of Kubernetes users currently run and when they expect to adopt Kubernetes 1.24. A summary of the findings on dockershim readiness will be published.
Kubernetes is a mature project. This deprecation is another step in the effort to move away from permanent beta functionality and provide stronger stability and compatibility guarantees. Removing dockershim gives users more flexibility and more choice of container runtime, and reduces applications' dependence on a specific underlying technology. Please take the time to review the dockershim migration documentation and consult your Kubernetes hosting provider (if any) about which container runtimes are available.
Dapr v1.5 release
Dapr v1.5 was released recently; it is the fifth minor release since Dapr v1.0.
This release has the following highlights:
- Components promoted to Stable
- Query API for state management
- Configuration API building block
- Actors in the Go SDK
- Actor reliability improvements
- Support for ARM64 Mac (preview)
- New components
Warning: Attackers use SonarQube vulnerability to steal large amounts of source code from multiple organizations in the country
On October 22, 2021, the well-known foreign media outlet Cybernews reported that unknown attackers had broken into a Boshiisite server and stolen the source code of the manufacturing giant's 5G Internet of Things connectivity platform. The attackers claimed to have obtained the source code by exploiting a SonarQube zero-day vulnerability, and provided screenshots of the breach and of the stolen source files.
The company is not the only victim. On the 25th, the attackers claimed to have also stolen part of the source code of Mercedes-Benz China. On April 26, the attackers obtained the source code of the Chinese public security system's medical platform, insurance and personnel systems.
It is not known whether the attacks are continuing. What is known is that the attackers exploited a SonarQube zero-day vulnerability to attack institutions and enterprises in the country.
At present, the vulnerability (CNVD-2021-84502) has been included in the National Information Security Vulnerability Sharing Platform (CNVD), which has disclosed its details.
OpenELB enters the CNCF Sandbox
On November 10, the Cloud Native Computing Foundation (CNCF) announced that OpenELB, an open source load balancer plug-in maintained by the KubeSphere team at Qingyun Technology, had officially entered the CNCF Sandbox.
The OpenELB project, previously named PorterLB, is a load balancer plug-in designed for bare-metal, edge and private environments. It can be used as an LB plug-in for Kubernetes, K3s and KubeSphere to expose services of type “LoadBalancer” outside the cluster. Its core functions include:
- Load balancing based on BGP and Layer 2 mode
- Load balancing based on router ECMP
- IP address pool management
- Use CRD to configure BGP
Open Source Project Recommendation
Krustlet
Krustlet is a kubelet for running WebAssembly workloads natively on Kubernetes, written in Rust. It listens to the Kubernetes API for new Pod requests, and once a Pod is scheduled to its node, that node's Krustlet runs the WebAssembly workload. Users must compile their application to a WebAssembly binary and push it to a container image registry.
Rover
Rover is a Terraform visualization tool that generates a visual interface by parsing your Terraform configuration file.
composerize
Composerize is a CLI tool that converts docker run commands into docker-compose configuration files. A web interface is also available in addition to the CLI.
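As an added illustration of the translation composerize performs (this is not composerize's own code, and the flag mapping below is a constructed subset, not its full table), a small Python converter that turns one docker run command line into a compose-style service, plus a check that flags the generated settings which widen the container's privileges:

```python
import shlex

LIST_FLAGS = {"-p": "ports", "--publish": "ports", "-v": "volumes",    # value -> list field
              "--volume": "volumes", "-e": "environment", "--env": "environment"}
SCALAR_FLAGS = {"--name": "container_name", "--restart": "restart",   # value -> scalar field
                "-u": "user", "--user": "user"}
BOOL_FLAGS = {"--privileged": "privileged", "--read-only": "read_only"}  # no value
IGNORED = {"-d", "--detach", "--rm", "-i", "-t", "-it"}  # no compose equivalent

def docker_run_to_compose(cmd):
    """Translate one `docker run ...` command line into a compose-style dict."""
    args = shlex.split(cmd)
    if args[:2] != ["docker", "run"]:
        raise ValueError("expected a 'docker run' command")
    svc, image, i = {}, None, 2
    while i < len(args):
        arg = args[i]
        if image is not None:                 # everything after the image is the command
            svc.setdefault("command", []).append(arg)
        elif not arg.startswith("-"):         # first positional argument is the image
            image = svc["image"] = arg
        else:
            key, has_eq, val = arg.partition("=")   # accept both --flag=v and --flag v
            if key in LIST_FLAGS or key in SCALAR_FLAGS:
                if not has_eq:
                    i += 1
                    val = args[i]
                if key in LIST_FLAGS:
                    svc.setdefault(LIST_FLAGS[key], []).append(val)
                else:
                    svc[SCALAR_FLAGS[key]] = val
            elif key in BOOL_FLAGS:
                svc[BOOL_FLAGS[key]] = True
            elif key not in IGNORED:
                raise ValueError(f"unsupported flag: {arg}")
        i += 1
    if image is None:
        raise ValueError("no image given")
    # Service name: --name if given, else the image name without registry path and tag
    name = svc.get("container_name") or image.rsplit("/", 1)[-1].split(":")[0]
    return {"version": "3", "services": {name: svc}}

def risky_settings(compose):
    """Flag generated settings that weaken the container's isolation."""
    findings = []
    for name, svc in compose["services"].items():
        if svc.get("privileged"):
            findings.append(f"{name}: privileged mode disables most isolation")
        if any(v.startswith("/var/run/docker.sock") for v in svc.get("volumes", [])):
            findings.append(f"{name}: mounting the Docker socket grants control of the host daemon")
    return findings
```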
kube-lineage
kube-lineage is a kubectl plug-in that displays all the dependencies or dependents of a Kubernetes cluster resource. For example:
$ kube-lineage pod coredns-5cc79d4bf5-xgvkc --dependencies
NAMESPACE     NAME                                                              READY   STATUS         AGE
kube-system   Pod/coredns-5cc79d4bf5-xgvkc                                      1/1     Running        30m
              ├── Node/k3d-server                                               True    KubeletReady   30m
              ├── PodSecurityPolicy/system-unrestricted-psp                     -                      30m
kube-system   ├── ConfigMap/coredns                                             -                      30m
kube-system   ├── ReplicaSet/coredns-5cc79d4bf5                                 1/1                    30m
kube-system   ├── Secret/coredns-token-6vsx4                                    -                      30m
kube-system   └── ServiceAccount/coredns                                        -                      30m
                  ├── ClusterRoleBinding/system:basic-user                      -                      30m
                  │   └── ClusterRole/system:basic-user                         -                      30m
                  ├── ClusterRoleBinding/system:coredns                         -                      30m
                  │   └── ClusterRole/system:coredns                            -                      30m
                  ├── ClusterRoleBinding/system:discovery                       -                      30m
                  │   └── ClusterRole/system:discovery                          -                      30m
                  ├── ClusterRoleBinding/system:public-info-viewer              -                      30m
                  │   └── ClusterRole/system:public-info-viewer                 -                      30m
kube-system       └── RoleBinding/system-unrestricted-svc-acct-psp-rolebinding  -                      30m
                      ├── ClusterRole/system-unrestricted-psp-role              -                      30m
                      └── PodSecurityPolicy/system-unrestricted-psp             -                      30m
dstp
dstp is a CLI tool for running common network tests against a website.
Recommended articles
How does Kubernetes validate custom resources
In addition to its built-in APIs, Kubernetes can also define custom resources through CRDs. The API server knows nothing about a custom resource before it is registered, so validating custom resources before they are accepted is very important. This article walks through the API server's validation process for custom resources in detail, following the source code.
OIDC authentication is implemented using Istio
In addition to its core functionality, Istio supports extended configuration via Envoy. This article describes how to configure the OpenID Connect (OIDC) authentication flow for applications in the service mesh through Istio's extended configuration, offloading both authentication and authorization to Istio.
This article is published by OpenWrite!