Kubernetes security has "room for improvement"

The CNCF (Cloud Native Computing Foundation) has published the results of an "open source security audit" of the Kubernetes container orchestration framework. The actual results and reports are accessible in a public GitHub repository. Live testing Kubernetes environments were set up with Kops an...


IBM goes all in with OpenShift

Following the Red Hat acquisition, IBM has announced that its software portfolio will be adapted to run on the OpenShift container platform. By now IBM has created more than 100 so-called Cloud Paks that are optimized to run on Red Hat OpenShift, which is a customized Kubernetes platform focused on us...


TiKV becomes a CNCF project

The TiKV distributed transactional key-value database is now an incubating project at the CNCF (Cloud Native Computing Foundation). TiKV is a distributed database that's similar to Google Spanner and HBase but claims to be easier to use. TiKV offers geo-replication, horizontal scalability and consi...


WireGuard arrives at OpenBSD

The WireGuard VPN tool has been imported into the OpenBSD ports software collection. That means WireGuard can be easily installed by OpenBSD users.

WireGuard is a new implementation of a VPN that is much easier to configure than OpenVPN or IPsec. Since it has been included in the Linux kernel i...


Intel updates Clear Linux

Intel has released a new version of its Clear Linux distribution. While Clear Linux was initially branded as a distribution for cloud computing, the current message is that it is a distribution targeted at Linux developers. Still, Clear Linux includes special machinery for working with containers....


GitHub starts Package Registry

GitHub has announced the beta launch of a new package registry for different formats such as npm, Maven, NuGet, RubyGems and Docker. After the free beta the terms of use are the same as for GitHub repositories: free for open source projects and different plans for commercial users. Prices have n...


Rook Storage reaches 1.0

The Rook storage distribution on top of Kubernetes has been released in version 1.0, which the developers consider a "major milestone".

Rook, which is basically a containerized version of the distributed storage software Ceph, now supports the latest development release "Nautilus" of Ceph. It still...


WireGuard comes to Kubernetes

Gravitational has ported WireGuard to Kubernetes, that is to say that they created a network plugin for Kubernetes that uses the WireGuard VPN. It's an open source project called Gravitational Wormhole that can be found on GitHub.

The Kubernetes API is used for the exchange of encryption key...


Fluentd is now a CNCF graduate

The Cloud Native Computing Foundation (CNCF) announced that Fluentd is its sixth project to "graduate", following Kubernetes, Prometheus, Envoy, CoreDNS and containerd. "Graduation" means that a project has reached a certain stage that encompasses, among other things, that it has completed an independent and third...


Cloudflare implements WireGuard VPN in Rust

BoringTun is an implementation of the WireGuard protocol designed for portability and speed. The executable "boringtun" is a userspace WireGuard implementation for Linux and macOS. The library "boringtun" can be used to implement fast and efficient WireGuard client apps on various platforms, incl...


Kubernetes 1.14 released

The first Kubernetes release of 2019, version 1.14, is ready. Version 1.14 comprises 31 enhancements: 10 moving to stable, 12 in beta, and 7 new. The main themes of this release are extensibility and supporting more workloads on Kubernetes, with three major features moving to general availability, and an important...


K3S is a lightweight Kubernetes alternative

Initiated by the folks at Rancher Labs, there's a new stripped-down version of Kubernetes called K3S that is targeted at edge deployments with low resources or other installations which require lower operational complexity than plain Kubernetes. The name of the project is a play on K8S, the usual...


Multistage builds on OpenShift 3.11

While working with OpenShift I did some research on multistage builds and stumbled upon a GitHub issue where people claimed that multistage builds on OpenShift actually worked and wondered why that was the case because OpenShift gets installed with Docker 1.13 and multi-stage builds were only intr...


Red Hat launches Operator Hub for Kubernetes

Together with AWS, Google Cloud and Microsoft, the open source company Red Hat is launching OperatorHub.io, a new public registry for finding Kubernetes Operators.

Introduced by CoreOS in 2016 the Operator pattern is a way to automate infrastructure and application management tasks on Kubernetes o...


Purism introduces PureBoot high security boot process

Purism, makers of the Librem notebooks and smartphone, have introduced a secure boot mechanism that covers the whole chain of booting a device into the operating system. PureBoot comprises the following measures:

  • Neutralized and disabled Intel Management Engine where only the code essential for...

Containerd graduates within CNCF

Containerd is the fifth project to graduate within the CNCF (Cloud Native Computing Foundation) ecosystem, following Kubernetes, Prometheus, Envoy, and CoreDNS. To move from incubation status to graduation, projects must demonstrate "thriving adoption, diversity, a formal governance process,...


Root escalation bug in runc

A bug was found in the way the runc container runtime handles file descriptors when running containers. An attacker could use this bug to overwrite contents of the runc binary and run arbitrary commands on the container host with root privileges. To exploit this flaw the attacker needs to be able to...


Podman 1.0 can run Kubernetes pods

The Podman command line container management tool has reached version 1.0. The tool implements an almost Docker-compatible command line but uses the CRI-O container runtime. Originally it was developed as a test tool for CRI-O but has since become a full container engine.

In addition to t...


Tumblr opensources some Kubernetes utilities

According to their announcement blog post, Tumblr have been using Kubernetes for many tasks such as critical-path web request handling for tumblr.com or background and scheduled jobs. Now they are releasing three of their Kubernetes tools under an open source license.

Their sidecar connector can...


Bitnami presents Kubernetes Production Runtime

Bitnami has published its Kubernetes Production Runtime (BKPR), a bundle of the Kubernetes orchestration software and other services that are typically needed when operating a Kubernetes cluster, such as logging, monitoring, certificate management and automatic discovery of Kubernetes resources vi...


CNCF adopts etcd

The Cloud Native Computing Foundation (CNCF) has adopted the key-value store etcd, which is a central (albeit distributed) component of Kubernetes. etcd has been developed by the CoreOS company, which was acquired by Red Hat in early 2018. It's a distributed key-value store similar to Apache Zookee...


Microsoft introduces Cloud Native Application Bundle (CNAB)

Deis Labs have published the specification of the new Cloud Native Application Bundle (CNAB) format. Its purpose is to help bundle, install and manage container-native apps and their respective services.

Applications specified through CNAB will be cloud-agnostic and secured through the u...


TiDB 2.1 released

PingCAP, developers of the "NewSQL" database TiDB, have announced the general availability of TiDB 2.1. It's a Hybrid Transactional and Analytical Processing (HTAP) database that provides elastic horizontal scalability, strong consistency and high availability. TiDB has a MySQL-compatible interfac...


Privilege escalation security hole in Kubernetes

Darren Shepherd of Rancher Labs has found a severe security vulnerability in Kubernetes.

The vulnerability allows specially crafted requests to establish a connection through the Kubernetes API server to backend servers (such as aggregated API servers and kubelets), and send arbitrary requests...


Amazon releases Firecracker VM

AWS has released a new virtualization software called Firecracker that is aimed at serverless applications. According to Amazon it is already running in production on the AWS Lambda and Fargate services.

Firecracker is based on the Linux hypervisor KVM and optimized for efficiency and security....


Envoy is now a CNCF graduate

The Envoy proxy has become the third project to "graduate" as a CNCF project, after the Kubernetes orchestration and the Prometheus monitoring software.

Envoy was developed by the carsharing startup Lyft and donated to the CNCF in 2017. It is a proxy as well as a "service mesh" for microservi...


Dive: a tool for exploring docker image layers

Dive is a command-line GUI tool that lets users explore the layers of a Docker image. The tool shows Docker image contents broken down by layer, including changes in a specific layer or aggregated changes up to this layer.

Dive also provides a measure for what the developers call "image efficienc...


HTTP/3 will be QUIC

According to Daniel Stenberg, the author of the command-line tool curl, the next version of HTTP will be based on the QUIC protocol. Originally, QUIC had been developed as a UDP-based alternative to TCP by Google. Based on this, the IETF experts are working on a different protocol under this name (...


VMware acquires Heptio

At the VMworld Europe in-house show, VMware announced that it will acquire the startup Heptio. Heptio deals exclusively with the container orchestration software Kubernetes and was founded by the Kubernetes inventors Joe Beda and Craig McLuckie, who were employed at Google at the time. Later, Kubernetes wa...


Stripe open-sources Skycfg, a configuration builder for Kubernetes

Skycfg is an extension library for the Starlark language (of Google's Bazel build tool) that adds support for constructing protobuf messages. Starlark is a dialect of Python. Like Python, it is a dynamically typed language with high-level data types, first-class functions with lexical scope, and ga...