Cloud Native weekly highlights:

  • Istio 1.12 release
  • CentOS replacement Rocky Linux 8.5 is released
  • Prometheus introduced the Agent mode to accommodate new usage scenarios
  • The Linux Foundation and CNCF launch new online training courses
  • Antrea 1.4.0 release
  • Recommended open source projects
  • Recommended articles

Cloud native dynamics

Prometheus introduced the Agent mode to accommodate new usage scenarios

Prometheus has released a new operating mode, Prometheus Agent, to accommodate new usage scenarios. This mode enables new workflows in low-resource environments, edge networks and the Internet of Things. It uses significantly fewer resources and can efficiently forward data to centralized remote endpoints, while reusing the stable code base on which millions of Prometheus users rely.

Prometheus Agent is a dedicated mode that focuses on three parts: service discovery, scraping, and remote write. It is built into Prometheus and behaves like a normal Prometheus server: it is a pull-based mechanism that scrapes metrics and then forwards the samples to remote write endpoints over HTTP.

Prometheus Agent is now available in beta. See the Prometheus blog for more information.
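As an added example that is not from the Prometheus blog or the original digest, the following agent-mode configuration shows the three parts named above: Kubernetes service discovery, an HTTPS scrape of the kubelets, and a remote_write target protected by TLS and a bearer token. The hostnames, file paths and labels are constructed placeholders.

```yaml
# prometheus-agent.yml: constructed example configuration for Prometheus Agent mode.
# Start it with: prometheus --enable-feature=agent --config.file=prometheus-agent.yml
# Agent mode only discovers, scrapes and forwards; there is no local query path,
# so rule_files, alerting and remote_read sections are not used here.
global:
  scrape_interval: 30s
  external_labels:
    cluster: edge-site-01          # constructed label to tell sites apart centrally

scrape_configs:
  # Service discovery: find every node through the Kubernetes API and scrape its kubelet.
  - job_name: kubernetes-nodes
    kubernetes_sd_configs:
      - role: node
    scheme: https
    tls_config:
      ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    authorization:
      credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
    relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)

remote_write:
  # Forward scraped samples to a central Prometheus-compatible endpoint over HTTPS.
  # The endpoint hostname and credential path are placeholders.
  - url: https://metrics-central.example.internal/api/v1/write
    tls_config:
      ca_file: /etc/prometheus/central-ca.crt
      # insecure_skip_verify stays at its default (false) so the server certificate is checked.
    authorization:
      credentials_file: /etc/prometheus/remote-write-token   # bearer token, keep it mode 0600
    queue_config:
      max_samples_per_send: 1000
```

The agent keeps a small write-ahead log on disk to buffer samples while the central endpoint is unreachable, so the volume behind its data path should be persistent.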


Istio 1.12 release

Istio 1.12 has just been released. This is the last version for 2021. Istio 1.12.0 officially supports Kubernetes versions 1.19 through 1.22.

Here are some highlights of the release:

  • WebAssembly API: Istio 1.12 adds a first-class API, WasmPlugin, for configuring WebAssembly plug-ins, which lets you deploy custom plug-ins to a single proxy or to the entire mesh
  • Telemetry API: Istio 1.11 introduced a new Telemetry API that provides a standardized way of configuring tracing, logging, and metrics in Istio. Istio 1.12 extends the API's support for configuring metrics and access logging
  • Support for Helm: Istio 1.12 improves installation support for Helm
  • Kubernetes Gateway API: Istio has added full support for the v1alpha2 version of the Kubernetes Gateway API. The API aims to unify the various APIs used by Istio, Kubernetes Ingress, and other proxies into a single powerful, extensible API for configuring traffic routing.
  • The default retry policy has been added to the Mesh Config


CentOS replacement Rocky Linux 8.5 is released

The Rocky Enterprise Software Foundation has released Rocky Linux 8.5, another free, open source CentOS alternative based on Red Hat Enterprise Linux.

Rocky Linux 8.5 introduces a feature that is important for mass adoption of a CentOS Linux alternative: Secure Boot support. In addition, Rocky Linux 8.5 switches to the FastestMirror DNF plug-in to give users the fastest mirror during a network installation, which means no repository URL is required when using boot-only media.


Linux Foundation and CNCF launch online training courses — Kubernetes and Cloud Native Basics

The Linux Foundation and the Cloud Native Computing Foundation (CNCF) today announced that the Kubernetes and Cloud Native Associate (KCNA) exam, which was launched last month, is now open for registration.

In addition, a new online training course, Kubernetes and Cloud Native Essentials (LFS250), has been released to prepare individuals for entry-level Cloud positions and to take the KCNA exam.

The new training course and KCNA certification are designed to prepare candidates to use cloud native technologies and to earn further CNCF certifications, including Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified Kubernetes Security Specialist (CKS). The specific knowledge tested in the KCNA exam includes:

  • Kubernetes Basics (46%)
    • Resources, architecture, APIs, containers, and scheduling
  • Container Orchestration (22%)
    • Container orchestration basics, runtimes, security, networking, service mesh, and storage
  • Cloud native architecture (16%)
    • Cloud native architecture fundamentals, autoscaling, serverless, community and governance, roles, and open standards
  • Cloud native observability (8%)
    • Telemetry and observability, Prometheus, and cost management
  • Cloud native app delivery (8%)
    • Application delivery basics, GitOps, and CI/CD


Antrea 1.4.0 release

Antrea is an open source Kubernetes CNI networking solution based on Open vSwitch (OVS), designed to provide more efficient and secure cross-platform networking and security policies for Kubernetes clusters. In April 2021, Antrea officially entered the CNCF sandbox.

Antrea has released a new version, v1.4.0. It adds AntreaProxy support for fully replacing the native Kubernetes kube-proxy, a more flexible IPAM mode with IPPools that control Pod IP allocation per Namespace, and other updates and fixes.

Here are some highlights of the new version:

  • Full replacement of kube-proxy: Antrea v1.4.0 adds the antreaProxy.proxyAll option to the antrea-agent configuration. Once it is enabled, AntreaProxy can take over all Service traffic handling from kube-proxy.
  • Flexible IPAM mode: an IPPool can be assigned to a Namespace to control the allocation of Pod IP addresses
  • NodePortLocal: NodePortLocal has been promoted from Alpha to Beta in this release and gains UDP support, making it more robust.


Recommended open source projects

Kubernetes Security Profiles Operator

Kubernetes’ seccomp support will soon be GA, but the current experience of using seccomp is not good. The goal of the Kubernetes Security Profiles Operator project is to fill the gap in the use of seccomp in Kubernetes, providing a better user experience on the one hand and a more secure installation on the other.


Pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities.


Configurator is a version control and synchronization service for keeping Kubernetes ConfigMaps and Secrets in sync with Deployments.


Certinfo is a CLI tool for viewing X.509 certificate information.

Recommended articles

Chinese translation of Patterns of Distributed Systems

Patterns of Distributed Systems is a series of articles by Unmesh Joshi on how distributed systems are implemented. The series uses a pattern format to introduce the common patterns adopted in the implementation of distributed systems such as Kafka and ZooKeeper, and is a good foundation for learning how such systems are built.

Detecting container escapes with Cilium and eBPF

Security is critical for cloud native workloads because these services may belong to multiple tenants and often need to be exposed to the public network. This article shows how an attacker with access to a Kubernetes cluster can perform a container escape and continue the attack using hidden pods and fileless malware, and demonstrates how to detect the container escape with the observability provided by Isovalent Cilium.

How do I access a file system in a container?

This article covers a number of ways to access a container’s internal file system, for example to inspect the log files of a container that is not running properly in order to find the cause of the failure.

This article is published by OpenWrite!