One week of cloud native news:
- Knative becomes CNCF Incubation Project
- Podman releases v4.0.0
- Aeraki Mesh Joins CNCF Cloud Native Panorama
- Argo publishes fuzzing report
- Platform9 Releases Cloud Native Enterprise Trends Report
- Critical GitLab flaw could allow attackers to steal runners' registration tokens
- Open source project recommendation
- Article recommendation
The National Security Agency (NSA) is here again😅. Last time it released the "Kubernetes Security Hardening Guide"; this time it has released the "Network Infrastructure Security Guide", which covers network design, device password management, remote login management, security updates, key exchange algorithms, and key protocols such as NTP, SSH, HTTP and SNMP, giving all organizations up-to-date advice on how to protect their IT network infrastructure from cyberattacks.
Follow the official account: KubeSphere cloud native
Reply with the keyword "network" to the official account to get the guide!
Cloud Native News
Knative becomes a CNCF Incubation Project
A few days ago, the CNCF Technical Oversight Committee (TOC) voted to accept Knative as a CNCF incubation project.
Knative is an open source platform based on Kubernetes for building, deploying and managing serverless and event-driven applications. It helps development teams manage, monitor and operate Kubernetes in a way that requires less technical knowledge and time.
Knative was created by Google in 2018 and subsequently developed in close collaboration with IBM, Red Hat, VMWare and SAP. The project has benefited from the collaboration and contributions of over 1800 different individuals in the community since its inception.
The project reached version 1.0 in November 2021, which means that all of its repositories are designated as stable and suitable for commercial use by the community. Its current version is 1.2; a new version is released every six weeks.
Podman releases v4.0.0
A few days ago, Podman v4.0.0 was released. This release brings over 60 new features, with a focus on a complete rewrite of the networking stack to improve functionality and performance, but there are also many other changes, including improved Podman support for Mac and Windows, improved Pods, over 50 bug fixes, and more.
The following are the main changes in this version:
- In addition to the existing CNI stack, Podman now supports a new network stack based on Netavark and Aardvark. The new stack has improved support for containers in multiple networks, improved IPv6 support, and improved performance.
- Support for Podman on Windows and OS X is also a top priority. Chief among the changes is support for exposing the Podman API socket on the host system, allowing tools like Docker Compose to be used on the host system rather than inside the podman machine virtual machine. Additionally, podman machine can now use WSL2 as a backend on Windows, greatly improving Podman's support for Windows.
- Podman Pods have added many new features to allow sharing of resources between containers in a pod.
The above changes are just the tip of the iceberg; there is much more in this release, see the Release Notes for more information.
Aeraki Mesh joins the CNCF Cloud Native Landscape
Recently, Aeraki Mesh officially entered the CNCF Cloud Native Landscape, under the Service Mesh category. The Cloud Native Landscape (CNCF Landscape) is designed to help enterprises and developers quickly understand the overall picture of the cloud native ecosystem and to help users choose appropriate software and tools for their cloud native practice.
Aeraki Mesh is an open source project in the field of service mesh. It solves the pain point that the current service mesh project only handles the HTTP/gRPC protocol and does not support other open source and private protocols.
Aeraki Mesh can help you manage any Layer 7 protocol in a service mesh. Currently, open source protocols such as Dubbo, Thrift, Redis, Kafka and ZooKeeper are supported. You can also use the MetaProtocol extension framework provided by Aeraki Mesh to manage Layer 7 traffic of private protocols.
Argo publishes fuzzing report
Security is a top priority for the Argo project. To improve security, Argo maintainers from Akuity, Red Hat, and Intuit recently partnered with Ada Logics on a project commissioned by the CNCF (Cloud Native Computing Foundation) to build fuzzing for the Argo project.
Fuzzing is a general-purpose technique for automatically identifying reliability and security issues. It is commonly used by security researchers to find vulnerabilities in systems, and the technique has been successfully used in various CNCF projects such as Kubernetes, Envoy, Helm, Linkerd2-proxy, and Fluent-bit. A general approach to fuzzing is to use a genetic algorithm combined with sophisticated program analysis and software instrumentation techniques to generate input that achieves a high level of code coverage in the target software. In the context of Argo, the purpose of this is to identify inputs that cause various system failures, such as crashes, panics, out-of-memory issues, and hangs.
The project established an ongoing fuzzing infrastructure that now runs as part of the project's regular development cycle. A total of 41 fuzzers were developed and 10 bugs were found. All bugs found have been fixed (except two that were discovered at the end of the project) and the fixes are available in the latest project patchset. Full details are available in the Argo fuzzing report.
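To make the mechanics described above concrete (mutation, coverage feedback, and catching panics as crashes), here is a small coverage-guided mutation fuzzer in Go, the language Argo is written in. This is an added example, not Argo's fuzzers or Ada Logics' code: the target parseNameField is a constructed toy with a deliberate missing bounds check, the "coverage edges" it returns stand in for the compiler instrumentation a real engine (go-fuzz, libFuzzer) provides, and the corpus seed, mutation operators and hit-count buckets are simplified versions of what AFL-style engines do.

```go
package main

import (
	"fmt"
	"math/rand"
)

// parseNameField is a constructed, deliberately buggy target (not Argo code): it
// copies the value of a "name=" field into a fixed 8-byte buffer without a length
// check, so a 9-byte value indexes past the buffer and Go panics. It also returns
// the coverage edges it ran, standing in for real compiler instrumentation.
func parseNameField(input []byte) (name string, edges []int) {
	buf := make([]byte, 8)
	if len(input) < 5 || string(input[:5]) != "name=" {
		return "", []int{1} // edge 1: prefix missing
	}
	edges = append(edges, 2) // edge 2: prefix matched
	i := 5
	for ; i < len(input) && input[i] != ';'; i++ {
		buf[i-5] = input[i]      // BUG: no bounds check on buf
		edges = append(edges, 3) // edge 3: once per value byte
	}
	if i < len(input) {
		edges = append(edges, 4) // edge 4: ';' terminator seen
	}
	return string(buf[:i-5]), edges
}

// newCoverage records (edge, hit-count bucket) pairs and reports whether any was
// unseen. Bucketing hit counts AFL-style means "ran the loop more times than any
// earlier input" counts as new coverage, so longer values are kept in the corpus.
func newCoverage(seen map[int]bool, edges []int) bool {
	counts, found := map[int]int{}, false
	for _, e := range edges {
		counts[e]++
	}
	for e, c := range counts {
		b := 32
		for _, lim := range []int{1, 2, 3, 4, 8, 16} {
			if c <= lim {
				b = lim
				break
			}
		}
		if key := e*100 + b; !seen[key] {
			seen[key], found = true, true
		}
	}
	return found
}

// execute runs one input and turns a panic into a reported crash, the job the
// engine's crash handler does for a real fuzz target.
func execute(input []byte) (edges []int, crashed bool, reason string) {
	defer func() {
		if r := recover(); r != nil {
			crashed, reason = true, fmt.Sprint(r)
		}
	}()
	_, edges = parseNameField(input)
	return edges, false, ""
}

// mutate derives a child from a parent with one of four classic operators.
func mutate(rng *rand.Rand, parent []byte, corpus [][]byte) []byte {
	out := append([]byte(nil), parent...)
	switch rng.Intn(4) {
	case 0: // overwrite one byte
		out[rng.Intn(len(out))] = byte(rng.Intn(256))
	case 1: // insert one byte
		pos := rng.Intn(len(out) + 1)
		out = append(out[:pos], append([]byte{byte(rng.Intn(256))}, out[pos:]...)...)
	case 2: // delete one byte, never emptying the input
		if len(out) > 1 {
			pos := rng.Intn(len(out))
			out = append(out[:pos], out[pos+1:]...)
		}
	case 3: // splice: head of this input + tail of another corpus entry
		other := corpus[rng.Intn(len(corpus))]
		out = append(out[:rng.Intn(len(out))], other[rng.Intn(len(other)):]...)
	}
	return out
}

// RunFuzzer is a minimal coverage-guided mutation fuzzer: pick a corpus entry,
// mutate it, run it, keep it if it reached new coverage, stop at the first crash.
// It returns the crashing input (nil if none), the panic message and the
// number of iterations used.
func RunFuzzer(seed int64, budget int) (crash []byte, reason string, iterations int) {
	rng := rand.New(rand.NewSource(seed)) // fixed seed: the run is reproducible
	corpus := [][]byte{[]byte("name=a;")} // constructed seed input
	seen := map[int]bool{}
	edges, _, _ := execute(corpus[0])
	newCoverage(seen, edges)
	for it := 1; it <= budget; it++ {
		child := mutate(rng, corpus[rng.Intn(len(corpus))], corpus)
		edges, crashed, why := execute(child)
		if crashed {
			return child, why, it
		}
		if newCoverage(seen, edges) {
			corpus = append(corpus, child)
		}
	}
	return nil, "", budget
}
```

Calling RunFuzzer(1, 50000) reproducibly finds an input such as "name=" followed by nine or more non-';' bytes and reports Go's "index out of range" panic; an 8-byte value runs cleanly. The point the Argo write-up makes is visible here: the engine never needs to know what the bug is, it only needs a feedback signal (coverage) to keep interesting inputs and a harness that treats panics, hangs and out-of-memory as findings.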
Platform9 Releases Cloud Native Enterprise Trend Report
Platform9 conducted a survey between December 15, 2021 and January 8, 2022 to understand how enterprises are adopting cloud-native technologies, including their investment and hiring plans, expected challenges, concerns about cloud lock-in, and more. Respondents included 526 architects, DevOps and cloud platform engineers, managers and executives across 85 industries and 450 unique companies.
This research report, "Cloud Native Enterprise Trends 2022," details several key insights gleaned from the survey and 1:1 interviews. Some key findings include:
- Kubernetes dominates container management. Nearly 85% of respondents are either using Kubernetes or planning to deploy it within the next 6 months.
- Cloud-native hiring remains a priority. DevOps, cloud platform engineering, cloud native developers and security are the top hiring investments for 2022.
- Executives everywhere are looking for practical solutions to reduce vendor lock-in. While 61% of respondents have high or moderate concerns about vendor lock-in, 71% of advanced users with large deployments are even more concerned than early adopters.
Critical GitLab vulnerability could allow an attacker to steal a runner's registration token
The vulnerability, which affects all versions from 12.10 to 14.6.4, all versions from 14.7 to 14.7.3, and all versions from 14.8 to 14.8.1, was announced in GitLab's security advisory.
If exploited, an unauthorized user could use a quick action command to steal a runner's registration token through an information disclosure vulnerability.
It has a CVSS score of 9.6 and has been patched in the latest releases: 14.8.2, 14.7.4 and 14.6.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Open source project recommendation
TeslaMate
TeslaMate is a self-hosted Tesla log collection platform that collects, stores, and displays the owner's Tesla driving data, and easily supports Docker deployment. The data is stored in Postgres, and the dashboard is displayed through Grafana.
apko
apko is a new image building tool for building distroless images based on Alpine. It uses Alpine's package manager apk directly to build the image, without a Dockerfile; you only need to provide a declarative configuration file. For example:
contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/edge/main
  keyring:
    - /etc/apk/keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
    - /etc/apk/keys/alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
    - /etc/apk/keys/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
    - /etc/apk/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
    - /etc/apk/keys/alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub
  packages:
    - alpine-baselayout
    - nginx
entrypoint:
  type: service-bundle
  services:
    nginx: /usr/sbin/nginx -c /etc/nginx/nginx.conf -g "daemon off;"
local-disk-manager
local-disk-manager is designed to simplify managing disks on nodes. It abstracts each disk into a resource that can be managed and monitored. It runs as a DaemonSet, so every node in the cluster runs the service, which detects the existing disks and converts each of them into a corresponding LocalDisk resource.
KoolKits
KoolKits is a set of images for kubectl debug. They are launched by kubectl debug as an ephemeral container in a Pod, sharing namespaces with the business containers. KoolKits provides purpose-built debug images for several common languages. For example, a JVM container can be debugged with the JVM-specific image:
$ kubectl debug -it <POD-NAME> --image=lightrun-platform/koolkits/koolkit-jvm --image-pull-policy=Never --target=<DEPLOYMENT-NAME>
Debug a Node.js container using a Node.js-specific image:
$ kubectl debug -it <POD-NAME> --image=lightrun-platform/koolkits/koolkit-node --image-pull-policy=Never --target=<DEPLOYMENT-NAME>
Awesome Twitter Communities for Engineers
Twitter added Communities in the second half of last year: groups where you can tweet with people who share common interests. Once users have joined a community, they can tweet directly to other members rather than just to their followers, and only community members can like or reply to tweets sent by other members. awesome-twitter-communities lists all kinds of communities created by engineers, including cloud native, Rust and WebAssembly topics. If you are new to Twitter and don't know who the leading voices in your area of interest are, join a community and take a look.
CodeFever
CodeFever is a completely free and open source Git code hosting service that supports one-line command installation to your own server, without any restrictions on the number of repositories and usage. If you want to build your own Git repository, check out this project.
Article recommendation
The challenge of large-scale implementation of
eBPF has changed the game in the Linux world, allowing applications to safely interact with the kernel, but building applications compatible with various Linux distributions is still a huge challenge. If your users have various Linux distributions, different kernel versions, kernel configurations, and some distribution-specific configurations, what can you do to ensure that your eBPF-based applications work in as many environments as possible? This article provides a partial answer to this question.
High risk!! New Kubernetes container escape vulnerability warning
The container environment is complex, especially for a distributed scheduling platform like Kubernetes. Each link has its own life cycle and attack surface, which easily exposes security risks. Container cluster administrators must pay attention to the security issues in every detail. In general, the security of containers in most cases depends on the security of the Linux kernel, so we need to keep an eye on any security issues and implement corresponding solutions as soon as possible.
Quickly deploy K8s and KubeSphere offline using KubeKey
KubeKey (hereinafter referred to as KK) is an open source, lightweight tool for deploying Kubernetes clusters. It provides a flexible, fast and convenient way to install only Kubernetes/K3s, or both Kubernetes/K3s and KubeSphere, as well as other cloud native plugins. Beyond that, it is also an effective tool for scaling and upgrading clusters. This tutorial uses KK 2.0.0 as the deployment tool to deploy a KubeSphere cluster in an offline environment, helping you achieve fast offline delivery.
This article is published by the blog OpenWrite!