Cloud Native Enthusiasts Weekly: K8s Security SIG Releases Kubernetes Policy Management White Paper

One week of cloud native news:

  • Istio 1.13 released
  • CNCF Announces 2021 Cloud Native Survey Results
  • Runtime security project Falco adds extensible plugin framework
  • Grafana 8.3.6 released
  • Open source project recommendation
  • Article recommendation

The Kubernetes Security SIG released a Kubernetes policy management white paper that brings awareness to the importance of Kubernetes policy management for Kubernetes clusters and workloads, describes what problems Kubernetes policies can help solve, and how to implement Kubernetes policies.

Follow the official account "KubeSphere Cloud Native" and reply with the code kpm to receive the white paper.

Cloud Native Dynamics

Istio 1.13 released

A few days ago, Istio 1.13 was released, which is the first Istio release in 2022.

Istio 1.13.0 officially supports Kubernetes releases 1.20 to 1.23.

Highlights of this release are as follows:

  • ProxyConfig: configure the Istio sidecar proxy through an API. Previous Istio versions only allowed proxy-level Envoy options to be set through the mesh-wide settings API. In 1.13 this configuration has been promoted to its own top-level custom resource, ProxyConfig. Like other Istio configuration APIs, this CR can be applied globally, per namespace, or per workload.

  • Continued improvements to the Telemetry API. This release continues to refine the new Telemetry API introduced in Istio 1.11. In 1.13, support was added for OpenTelemetry access logging, filtering access logs, and customizing trace service names, alongside numerous bug fixes and improvements.

  • Hostname-based load balancer with support for multiple network gateways

    • Until now, Istio has relied on knowing the IP address of the load balancer used between two networks in an east-west configuration. Amazon EKS load balancers provide a hostname instead of an IP address, so users had to resolve this name manually and set the IP address as a workaround.
    • In 1.13, Istio automatically resolves the gateway's hostname, so it can now automatically discover gateways for remote clusters on EKS.
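The ProxyConfig resource above is applied per workload, per namespace, or mesh-wide depending on where it is created and whether it carries a selector. The manifest below is an added example, not taken from the Istio release notes; the namespace, resource name, and workload label are constructed for illustration, and the field names follow the ProxyConfig API as documented by Istio.

```yaml
# Added example: a per-workload ProxyConfig (Istio 1.13+).
# Scope rules: a ProxyConfig with no selector applies to every sidecar in its
# namespace; one created in the root namespace (istio-system) with no selector
# applies mesh-wide; one with a selector applies only to the matching workloads.
apiVersion: networking.istio.io/v1beta1
kind: ProxyConfig
metadata:
  name: payments-api-proxy      # constructed name
  namespace: payments           # constructed namespace
spec:
  # Only sidecars of pods carrying this label are affected (constructed label).
  selector:
    matchLabels:
      app: payments-api
  # Number of Envoy worker threads for these sidecars.
  concurrency: 2
  # Environment variables injected into the sidecar proxy container.
  environmentVariables:
    ISTIO_META_DNS_CAPTURE: "true"
```

When several ProxyConfig resources match the same pod, the most specific one (workload selector over namespace over mesh-wide) wins, so keep mesh-wide settings minimal and override only where a workload genuinely needs different proxy behaviour.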

Feature update:

  • The WorkloadGroup API feature, first introduced in Alpha in Istio 1.8, has been promoted to Beta in this release.

  • The authorization policy dry-run mode has also been promoted from experimental to Alpha.

CNCF Announces 2021 Cloud Native Survey Results

A few days ago, CNCF announced the results of its 2021 Cloud Native Survey. The survey, now in its sixth year, shows that Kubernetes usage continues to grow to its highest level ever, with 96% of organizations using or evaluating the technology. Kubernetes is fully embraced by large enterprises and is even growing in emerging technology centers such as Africa, where 73% of respondents use Kubernetes in production.

Key findings from the report include:

  • Container adoption and Kubernetes have gone mainstream - usage has risen globally, especially in large organizations. SlashData reports that 5.6 million developers worldwide use Kubernetes, accounting for 31% of all backend developers.
  • Kubernetes is going "under the hood" - more organizations are leveraging managed services and solution platforms. According to CNCF CTO Chris Aniszczyk, there is a growing lack of understanding that Kubernetes and containers are inherently a whole. Datadog reports that nearly 90 percent of Kubernetes users use cloud-managed services, compared with closer to 70 percent in 2020.
  • Organizations are moving up the stack - companies are adopting less mature projects to solve more advanced challenges like monitoring and communications. For example, overall usage of the monitoring tool Prometheus in the last six months of 2021 has grown by 43%, according to New Relic.

Runtime security project Falco adds extensible plugin framework

The cloud native runtime security project Falco has released version 0.31.0. This release introduces a new plugin system for defining additional event sources and event extractors for Falco. The plugin system includes an SDK to simplify development, and this release comes with a new AWS CloudTrail plugin.

Falco detects and alerts on Linux system calls. Its rules engine can detect unusual activity within applications, containers, hosts and container platforms, using Linux kernel facilities to observe system calls as they are made. Alerts are triggered when specific system calls, the parameters passed to them, or properties of the calling process match a rule. Rules cover actions such as privilege escalation via privileged containers, namespace changes, reads or writes to well-known directories, and the creation of symbolic links.

The new plugin system added in this release aims to standardize how additional event sources (called source plugins) are added to the Falco engine. In addition to source plugins, extractor plugins can be written that focus on extracting fields from events generated by the core library or by other plugins. Plugins can be written in almost any language as long as the plugin exports the required functions. The preferred language for plugin development is Go, followed by C++, and SDKs have been released for both languages to simplify plugin development.
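To make the rule-matching model described above concrete, here is an added example of two Falco rules in the project's rule-file format; it is written for this newsletter and is not part of Falco's stock rules. The macro definitions mirror those in the stock falco_rules.yaml so the file loads on its own, and the list of sensitive directories and the rule names are constructed for illustration.

```yaml
# Added example: a self-contained Falco rules file covering two of the cases
# mentioned above (privileged containers, writes to well-known directories).

# Macros restated from the stock falco_rules.yaml so this file loads stand-alone.
- macro: container
  condition: (container.id != host)

- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

- macro: open_write
  condition: >
    (evt.type in (open,openat,openat2) and evt.is_open_write=true
     and fd.typechar='f' and fd.num>=0)

# Constructed list of directories that should not be written to from a container.
- list: sensitive_dirs
  items: [/etc, /root/.ssh]

# Fires when a container's init process (vpid 1) starts with the privileged flag,
# which grants it host-level capabilities.
- rule: Privileged container started
  desc: A container was started with the privileged flag set.
  condition: >
    spawned_process and container and proc.vpid=1 and container.privileged=true
  output: >
    Privileged container started (user=%user.name command=%proc.cmdline
    container=%container.name image=%container.image.repository:%container.image.tag)
  priority: WARNING
  tags: [container, privilege_escalation]

# Fires when a process inside a container opens a file under a sensitive
# directory for writing; pmatch is Falco's prefix-match operator over a list.
- rule: Write below sensitive dir in container
  desc: A containerized process opened a file under a sensitive directory for writing.
  condition: >
    open_write and container and fd.name pmatch (sensitive_dirs)
  output: >
    Sensitive file opened for writing inside container (user=%user.name
    command=%proc.cmdline file=%fd.name container=%container.name
    image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, container]
```

Load the file with `falco -r <path-to-this-file>` (or add it to the rules_file list in falco.yaml). The same condition language applies to events from the new source plugins; only the field names change, for example CloudTrail fields exposed by the AWS plugin instead of the `evt.*`, `proc.*` and `fd.*` syscall fields used here.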

Grafana 8.3.6 released

A few days ago, Grafana 8.3.6 was released. Grafana is a feature-rich metrics dashboard and graph editor for analyzing and monitoring Graphite, Elasticsearch, OpenTSDB, Prometheus, and InfluxDB.

The new features and improvements in this version are as follows:

  • Cloud Monitoring: Reduce request size when listing tags
  • Explore: Display scalar data results in a table (previously in a graph)
  • Snapshots: Update the default URL of the external snapshot server
  • Table: make footer not overlap table content
  • Tempo: Add request histogram to service graph data link
  • Tempo: Add time range to Tempo search query behind a feature flag
  • Tempo: When changing the query type, automatically clear the current query results
  • Tempo: Show "start time" in search results as relative time

Bug fixes:

  • Cloud Monitoring: Fix resource labels in query editor
  • Cursor sync: Fix dashboards not being saved when applying settings
  • LibraryPanels: fixed a bug when cleaning the library panel
  • Logs Panel: fix timestamp parsing for string dates without timezone
  • Prometheus: fix some warning queries using reduce/math operations
  • TablePanel: fix temporary variables not working on default datasource
  • Text Panel: fix alignment of elements
  • Variables: fixed constant variables in self-referencing links

See the release announcement for the full changelog.

Open source project recommendation

ValidKube

ValidKube is an online tool for improving the quality of Kubernetes configuration manifests. It integrates three open source tools, each providing a different function.

Auto portforward

If you often forget to add the -p option when testing Docker containers, this tool can help: it automatically discovers the ports a container needs to expose and sets up the forwarding, achieving the same effect as docker run -p LOCAL:REMOTE. In addition to Docker, it also supports kubectl port-forward.

Kubernetes Volume Autoscaler

For Kubernetes cluster administrators, having to manually expand a storage volume whenever an application's volume is about to fill up is very painful when there are thousands of applications. Kubernetes Volume Autoscaler is a Kubernetes controller that automatically increases the capacity of a storage volume when it is nearly exhausted, and it supports any Kubernetes cluster and cloud provider.

Article recommendation

Detecting container escapes with Cilium and eBPF

This article explains how an attacker with access to a Kubernetes cluster can escape from a container. The general steps are:

  • Run a Pod with root privileges
  • Escape to the host
  • Persist using stealthy Pods and fileless execution
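The first step above, running a privileged or root Pod, is exactly the kind of condition that the cluster-level policies discussed in the Kubernetes policy management white paper are meant to block before runtime detection is needed. The manifest below is an added example written for this newsletter, not from the article or the white paper; it uses the Pod Security Admission labels built into Kubernetes (beta and enabled by default since 1.23), and the namespace and Pod names are constructed.

```yaml
# Added example: enforce the built-in "restricted" Pod Security Standard on a
# namespace so that privileged or root Pods are rejected at admission time.
apiVersion: v1
kind: Namespace
metadata:
  name: app-team                                   # constructed namespace
  labels:
    # Reject Pods that violate the restricted profile.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Also return a warning to the client and record an audit annotation.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# This Pod would be rejected in the namespace above: it requests a privileged
# container and does not drop capabilities or run as a non-root user.
apiVersion: v1
kind: Pod
metadata:
  name: privileged-probe                           # constructed name
  namespace: app-team
spec:
  containers:
    - name: shell
      image: busybox                               # any image; the policy fails on securityContext
      command: ["sleep", "3600"]
      securityContext:
        privileged: true
```

Applying the Namespace first and then the Pod yields an admission error naming the violated restricted-profile checks (privileged, allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile). Starting with `warn` and `audit` only on an existing namespace, then adding `enforce` once the warnings are clean, avoids breaking workloads that were deployed before the policy existed.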

Quickly deploy using GitLab and build DevOps projects in K8s

For members of the open source community, the DevOps capabilities provided by GitLab Community Edition and the KubeSphere platform make it possible to build a comparable DevOps platform and experience GitOps in the Kubernetes era first-hand. This article walks through deploying GitLab CE (Community Edition) on KubeSphere and building a DevOps project linked to it.

Kubernetes Backup Disaster Recovery Service Product Experience Tutorial

Kubernetes clusters have their own self-healing capabilities, but unexpected situations often render self-healing ineffective. Without a good backup tool and the habit of regular backups, the result is disastrous for development and production environments alike. A user-friendly visual backup tool that performs scheduled cluster backups gives you twice the result for half the effort.

This article is published by OpenWrite, a multi-post blog platform.

Origin http://43.154.161.224:23101/article/api/json?id=324187276&siteId=291194637