I promised you links, and links I shall give you[1]. I also promised you a podcast[2], so how about this one? Matt Ray and I talk about security, southern Santas, swans and the Sandbox.
I also promised myself lunch, so… let’s get to the news.
Conferences
The first stand-alone CloudNativeSecurityCon concluded last week. My apologies for not being able to make it, but my colleague Ben did such a remarkable job standing in for me that I’m probably going to send him to all my future engagements.
The word from people on the ground is that this felt like an obvious extension from what it had grown from: a co-located event, practitioner-driven, some years from the full vendor-fest that is KC & the SunshineBandCon[3].
The only announcement from the CNCF was a Kubernetes Certified Security Associate certification coming in Q3; an entry-level course which is to CKS what KCNA is to CKA.
The videos are all up, so I have a lot of watching to do!
Today is the day we start hearing who got a talk accepted at KubeCon EU[4]. Time to warm up the Rejekts applications. CFPs are also still open for co-located events, including Istio Day.
Another event moving from a co-lo to a larger event is GitOpsCon, which is joining cdCon (from sister org The CD Foundation[5]) to run a two-day event in Vancouver this May. The CFP is open for another couple of days.
Providers
As we said last week, OpenShift is doing big numbers for IBM and Red Hat. This week sees version 4.12 released, with the enhancement list reading “customers asked us for these things, so we built them”. VMware also released v2.1 of TKG, with an “edge-optimized runtime” weighing in at a tiny 900MB.
Elliot Graebert tried starting a cluster on eight different managed Kubernetes providers. Number six shocked me! Not really, I made that last bit up. I was surprised at how slow it was to start a GKE cluster; that used to be more like 90 seconds. On one hand he says AKS is the best, but on the other hand he reports “the biggest downside of AKS is Azure”.
Meanwhile, Azure has moved from “please pay us 10c/hr for an SLA” to “you should do that as Standard”, renaming its Paid tier as such. While the free tier claims it may still support clusters up to 1,000 nodes, it comes with a warning that you should really only run up to 10 nodes on the free control plane.
Want an alternative to the top eight, and “being in Europe with bring your own nodes” is your leading requirement? Check out Flynnt[6], which is seeking testers.
Want to know what you need to consider for security even if you’re using a top eight managed provider? My aforementioned colleague Ben shares his thoughts.
Datadog came under fire for allegedly blocking a third-party developer from contributing support for ingesting Datadog, erm, data, into OpenTelemetry. A year later, the PR was finally merged.
A report on an incident at CircleCI, caused by malware on a developer’s machine, and eventually leading to exfiltration of customer information. Don’t let this be you.
Projects
Podman Desktop keeps getting better at being a Docker replacement; v0.11 adds air-gapped installation mode and “UX/UI improvements”. As with most modern apps — Docker being no exception — the app feels like a web app in a container rather than a native app on whatever platform you have it on. We used to care about these things.
If you wondered whether Kubernetes old-timer and Microsoft bigwig Brendan Burns still gets his hands dirty, the answer is yes: he patched a CVE in the Kubernetes Java client, where loading specially-crafted YAML could lead to code execution.
AHOY![7] is a new release management tool from South African consultancy LSD. It’s written in Java, so I hope they patched.
Pour one out for Octant, which was officially deprecated by VMware. There’s always another dashboard, however: Komodor’s Helm Dashboard hit 1.0 this week.
Secure sandbox slow? Write a new filesystem. Why not? Ayush Ranjan and Fabricio Voznika from Google have written up LISAFS, the Linux Sandbox File System protocol, to speed up gVisor.
Security reviews were posted for Istio and KEDA, both paid for by the CNCF and arranged by OSTIF.
Now’s the time to apply if you want to be an LFX mentor (might I suggest this one?) for Q1. Now’s also the time to submit a CNCF project if you’re interested in mentoring with the Google Summer of Code. Why is mentoring important? The Linux Foundation has thoughts.
LF also published a report on fragmentation in open source development. Sponsored by Huawei, The New Stack’s BC Gain described it as critical of “outsized US influence on open source”, with a lot of new open source development coming from China.
Want an example? A layer 7 load balancer for the Kubernetes API server, recently released by TikTok creators ByteDance.
Want to control Kubernetes from ~~the toilet~~ your phone? Kubenav version 4 - a Flutter and Go rewrite - has hit the Google and Apple app stores. I appreciate that a 4.0.1 release followed soon after with a closed issue of “Make Sponsor Banner Less Annoying”. Honesty like that gets you straight into the news.
American fast-food chain Chick-fil-A have updated us on their Kubernetes edge computing deployment. The constraints are real — a k3s cluster in each shop, on low bandwidth — but so is the value. One assumes no cows were harmed in the deployment.
In the past 4 years, tools have popped up to support weird edge use cases like “a NUC in every branch of our chikin restaurant”. One such tool is Kairos, which released version 1.5 recently. Updates include a web UI and TPM support for user data encryption.
Surveys
This year’s Sysdig Cloud-Native Security and Usage Report steps up the pressure on vulnerabilities. Last year 75% of containers had a Critical or High vulnerability; that number is up to a “whopping” 87% in 2023. The good news is you’re unlikely to actually load all the dastardly containers you have lying around. You’re also unlikely to use your security roles: 90% of them weren’t used at all, according to Sysdig’s findings. Best go fix both of those issues. The full report will cost (and be delivered to) your e-mail.
Similar themes emerged in Fairwinds’ Kubernetes Benchmark report; 25% of their surveyed organisations have 90% of their workloads at risk. Configuration errors are “getting worse”, with 83% of users having less than 10% of their workloads with liveness or readiness probes[8]. Fill in your e-mail to see a copy.
The 2022 CNCF survey results are out: you can have this one without becoming a sales lead! Containers and WebAssembly are “the new normal”, but Linkerd and OPA adoption (or more accurately, intent to evaluate?) is down. I wouldn’t worry if I were those two projects: these surveys aggregate a lot of different things into one or two questions, and so I personally think it’s really hard to draw anything more than the most lightweight conclusions from them.
Lightning round
Turns out native ARM is faster than qemu-Intel-ARM. Alex Ellis’s latest project Actuated gave a 22x speedup to Parca’s GitHub builds. I also enjoyed Alex’s introduction on how to use GitHub Actions to write an SBOM.
Learn how Zendesk’s Sam Lockart made etcd 30% faster at writing to disk without even having to file a ticket.
Venafi has built Kubernetes (cert-manager) TLS certificate support into their commercial control plane for machine identity.
Dell acquired Israeli startup Cloudify and is installing Adam Glick as its new CEO. Not really, I made that last bit up.
Google Cloud has released a new GitOps observability dashboard for Elliot Graebert to be confused by.
Thanks, as always, for listening. Like and subscribe and ꜱᴍᴀꜱʜ ᴛʜᴀᴛ ʙᴇʟʟ. We’ll see you next time.
I didn’t promise you footnotes, but I am overjoyed that you notice them nonetheless
I should also note that, while I gave you one last week, I technically never promised you a rose garden.
Best of luck Ben!
A group originally set up to support those trying to sell copies of Monster.
The exclamation point is to be pronounced, as in ʏᴀʜᴏᴏ!
60% of the time, it works every time!