Kubernetes
Now that we’ve finally caught our breath after a fantastic two days at the KubeCon + CloudNativeCon in Shanghai, let’s dive into some of the key highlights and news. The best part is we get to see so many of you so soon again at KubeCon + CloudNativeCon Seattle in December! The sold-out event with more than 2,500 attendees (technologists, maintainers and end users of CNCF’s hosted projects) was full of great keynotes, presentations, discussions and deep dives on projects including Rook, Jaeger, Kubernetes, gRPC, containerd – and many more!
The Kubernetes Cluster API
I’ve been working with Kubernetes since filing my first commit in October 2016. I’ve had the chance to collaborate with the community on Kops, Kubicorn, and Kubeadm, but there’s one gap that has been nagging me for years: how to create the right abstraction for bringing up a Kubernetes cluster and managing it once it’s online. As it turned out, I wasn’t alone.
So begins the story of Cluster API. In 2017 I spent an afternoon enjoying lunch at the Google office in Seattle’s Fremont neighborhood meeting with Robert Bailey and Weston Hutchins. We had connected via open source and shared a few similar ideas about declarative infrastructure built on new primitives in Kubernetes.
Simplifying Kubernetes with Docker Compose and Friends
Today we’re happy to announce we’re open sourcing our support for using Docker Compose on Kubernetes. We’ve had this capability in Docker Enterprise for a little while but as of today you will be able to use this on any Kubernetes cluster you choose. Why do I need Compose if I already have Kubernetes?
The Kubernetes API is really quite large. There are more than 50 first-class objects in the latest release, from Pods and Deployments to ValidatingWebhookConfiguration and ResourceQuota. This can lead to a verbosity in configuration, which then needs to be managed by you, the developer.
Critical Kubernetes flaw allows any user to access administrative controls
Kubernetes has finally hit the worst milestone: their first major security flaw. This vulnerability allows any user to escalate their administrative privileges and attack any container running on the same pod. Even worse, there’s no simple way to tell if you’ve been affected.
Grim news from Red Hat – Kubernetes has identified its first major security flaw. This vulnerability affecting Kubernetes 1.10 and higher was publicly disclosed on GitHub last week. Basically, the flaw allows any user to escalate their privileges to access administrative controls through the Kubernetes API server.
Production-Ready Kubernetes Cluster Creation with kubeadm
This GA release of kubeadm is an important event in the progression of the Kubernetes ecosystem, bringing stability to an area where stability is paramount. The goal of kubeadm is to provide a foundational implementation for Kubernetes cluster setup and administration. kubeadm ships with best-practice defaults but can also be customized to support other ecosystem requirements or vendor-specific approaches.
kubeadm is designed to be easy to integrate into larger deployment systems and tools. To keep kubeadm lean, focused, and vendor/infrastructure agnostic, the following tasks are out of its scope: Infrastructure provisioning, for example, is left to other SIG Cluster Lifecycle projects, such as the Cluster API. Instead, kubeadm covers only the common denominator in every Kubernetes cluster: the control plane.
Kubernetes 1.13: Simplified Cluster Management with Kubeadm, Container Storage Interface (CSI), and CoreDNS as Default DNS are Now Generally Available
We’re pleased to announce the delivery of Kubernetes 1.13, our fourth and final release of 2018! Kubernetes 1.13 has been one of the shortest releases to date at 10 weeks. This release continues to focus on stability and extensibility of Kubernetes with three major features graduating to general availability this cycle in the areas of Storage and Cluster Lifecycle.
Notable features graduating in this release include: simplified cluster management with kubeadm, Container Storage Interface (CSI), and CoreDNS as the default DNS. These stable graduations are an important milestone for users and operators in terms of setting support expectations. In addition, there’s a continual and steady stream of internal improvements and new alpha features that are made available to the community in this release.
90 days of AWS EKS in Production
I’ve been using EKS in production for a small number of months now and so far, so good. Really impressed by the simplicity of getting a cluster up and running and ready for workloads. AWS provide a great Getting Started Guide on their website, which is super duper for getting your head around the components and glue required for getting EKS stood up.
EKS is a very vanilla service, giving users a cluster that conforms to CNCF standards, which Kubernetes purists will be very happy with, however, don’t think that because AWS provides Kubernetes as a service, you no longer have to worry about getting your nodes optimised and ready for your heavy workloads. You should consider an EKS worker node to be the same as a standard, out of the box, EC2 node. If you commonly make optimisations or do hardening, or install software that your company requires for their standards, you should still do all that on EKS.
Drone CI/CD Goes Kubernetes-Native
Today we’re announcing official support for Kubernetes. While many organizations have already been combining Drone and Kubernetes for their deployments, today we’re delivering a native integration for a better user experience. Now your CI/CD Pipelines are translated into native Pods, Secrets, and Services.
We’ve been at the forefront of the containerization movement; we started support for Linux containers, and when Docker came around we fully embraced their container runtime. Since then we’ve seen the hyper growth of Kubernetes platforms and users like eBay, Reddit and The New York Times adopting Drone and Kubernetes together. We’ve heard from many of you wanting a simpler, better experience with Kubernetes; we’ve listened and believe you’ll love the new service.
Kubernetes’ first major security hole discovered
Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It’s a CVSS 9.8 critical security hole.
With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend.
Running Vault and Consul on Kubernetes
In the following tutorial we’ll walk you through provisioning a highly-available HashiCorp Vault and Consul cluster on Kubernetes with TLS. This is an intermediate-level tutorial. It assumes that you have basic working knowledge of Vault, Consul, Docker, and Kubernetes.
Minikube is a tool used to run a single-node Kubernetes cluster locally. It’s designed to get a cluster up and running quickly so you can start interacting with the Kubernetes API locally.